16 Dec 2020
[Boots off the Ground: Security in Transition in the Middle East and Beyond] Episode 9: From Private Security to Cybersecurity: When Virtual Threats Become Real Risks
Abstract
In this episode, we make the transition from discussions on private military to digital protection by having with us the chief executive officer of Blackpanda, a firm that started with ransom-negotiation services but has pivoted towards cyber security. One of the questions we will explore is: do physical and digital security services have much in common?
This podcast series is presented by Dr Alessandro Arduino, principal research fellow, and Dr Ameem Lutfi, research fellow, at Middle East Institute, National University of Singapore.
Full Transcript:
Alessandro Arduino (AA): Welcome to the ninth episode of the National University of Singapore’s Middle East Institute podcast series “Boots Off the Ground: Security in Transition in the Middle East and Beyond”. In this series, we look at the future of warfare, which will see uniformed soldiers, or boots on the ground, being replaced by private military companies, autonomous weapon systems and cyber weapons. Having discussed combat drones and private military companies in our previous podcast, today we will address the role of cybersecurity. My name is Alessandro Arduino, and I will be the co-host for this series, along with my colleague, Ameem Lutfi.
Today, we are extremely excited to have with us Gene Yu, a former US Special Forces (Green Beret) who has served in Iraq and the Philippines. Gene is also a Computer Studies graduate from West Point. Recently, he managed to combine these two fields as the CEO of Blackpanda. Founded initially as a niche “special risk insurance” consulting firm, Blackpanda is now pivoting to cybersecurity services here in Singapore. So, Gene, thank you very much for joining us today. Let me start by asking a question: Do kidnapping negotiations have anything in common with forensics, cybersecurity and ransomware? And thank you again for being with us today.
Gene Yu (GY): Thank you, Alex. It’s my pleasure to be here and happy to talk about this very niche topic in terms of the crossover between physical security and cybersecurity. To answer the question directly: Yes, I believe that the two are essentially in the same field. Because ultimately, as I always like to say at Blackpanda, cybersecurity is not an IT problem, it is a security problem, fundamentally. It’s not a computer that is hacking you from the other side – it’s a human being. That human being has friends, you know, possibly an organisation, and may even be sponsored by a government. So, you know, that aspect of the human element is always very important to understand when looking at cybersecurity – that it’s not an IT problem, it’s a security problem. So, when we look at something like ransomware negotiations, I like to say that this essentially is a kidnap and ransom, but of your data, right? Ultimately, from the attacker’s perspective, there’s no difference in the objective of extorting you of your money. It’s just about the avenue or approach they decide to take. If those are the tools that he has in his head, as in he really cares about the style in which he or she was able to extort you, ultimately, they achieve their ultimate objective, which is extortion. So, when we look at kidnap and ransom negotiations, and ransomware negotiations, these are similar in the sense that both sides are counterparties that have no credit with each other and no desire for any long-term relationship. And so that’s going to change quite a bit the dynamics of the negotiations right off the bat, because both sides openly understand from the onset that they’re trying to get the better of each other in a one-time deal. It’s like playing poker with one hand.
Another aspect is that typical tactic that we use in our ransomware negotiations for our clients: Proof of life. There’s a proof of life procedure, in terms of the hackers actually demonstrating that they can decrypt the ransomware data set, and making sure that they actually can deliver and resolve the situation if you pay the ransom. Another aspect that I think that is oftentimes overlooked when looking at negotiations for both kidnap and ransom or ransomware is – actually the most difficult part – the actual exchange. The negotiation portion – yes, there are a lot of landmines that like I just commented are different from your typical business negotiation. But like in a kidnap and ransom, you imagine it’s quite dangerous when you actually exchange the money in exchange for the person. Likewise, how that procedure actually occurs, to make sure it’s done securely, and both sides have confidence in each other in the mechanism that they’re going to transact, that’s important as well. By way of like, how it’s done essentially, in an escrow manner with a ransomware facilitation third party and done in an again, secure manner. And then another aspect that tends to have a lot of parallels that I don’t see as often in cyber ransomware negotiations, but that we do at Blackpanda – because we’re the lead private sector partner for the United States Secret Service in the Asia-Pacific – is including international law enforcement and their capabilities early on in the negotiations. I know we’ll get to this a little bit later, but one of the major problems that arise with both kidnap and ransom as well as cyber ransomware situations is not knowing who the counter-party is, and potentially giving payments to sanctioned entities. There’s a recent US government OFAC advisory with quite stringent regulations around this. 
This is why it’s so important to include law enforcement so that you don’t accidentally, you know, become accused of terrorist financing, by way of your actions of just trying to save your loved one, or in this case, possibly, your data or your business.
And so, you know, it’s a bit of a long-winded answer, but there are a lot of parallels. But at the same time, I would caution that there are generally considered to be just about 100 people in the world who are true kidnap and ransom consultants. It’s not like you can just cross over into ransomware, there is a technical component of it – making sure that there’s a team behind you that understands the threat intelligence, that ransomware malware variant. Because the type of malware that is being used can change the tone of the negotiation as well. So, for instance, there’s such a thing these days, which I have talked about, often called “ransomware as a service”. You go into the dark web and you can actually, like a SaaS (Software as a Service) platform, subscribe and receive and purchase ransomware malware to come out and then deploy, even though you don’t know anything about hacking. We call these “script kiddies”. And my joke about that is that cyber criminals work from home, too. And so, you know, during Covid, these bad guys have to do something too to continue with their profession. So, when you get these types of “script kiddie”, “ransomware as a service” type of low level attacks, finding that they’re using some type of common ransomware variant that may have been reverse-engineered to find exploitations, and an Incident Response Team like Blackpanda, if they come in, may be able to find areas where you can thwart the malware, or know that you’re not dealing with an attacker who is a high-level hacker that may be changing the attack on the fly by writing new scripts and whatnot. This all plays into the calculus when it comes to the advice to the client of whether you should pay or not. 
Of course, if the client has prepared and actually used and deployed encrypted cloud data backup services like Acronis – one of our partners – this type of stuff makes the ransomware negotiation a much different one as well, because then it becomes less of an issue of, “Hey, if you don’t pay me, I’m going to destroy your entire business,” for instance, versus, “I may just embarrass you in front of all your clients by releasing this into the open Internet. But since you have a backup, all I can extort you for is that type of shame and exposure.” And that certainly has quite a bit of impact from a marketing and branding perspective. And certainly, clients are going to be quite upset seeing their data dumped out into the open like that, or sold on the dark web, or whatever. But I think we can all agree that it’s a different level, versus, if they are threatening, “we’re going to destroy your business entirely and you’ll never see your data again.” So, maybe I’ll pause there because I feel we will go down a rabbit hole here if I continue talking. But let’s pause there for now, Alex.
Ameem Lutfi (AL): Thank you, Gene. Thank you for joining us today and also for that very illuminating answer. I like that you said that even in a cyberattack, at the end of the computer is actually a human being. Now, I want to change the tone and ask you about the other human being – about your own trajectory, and how your career with the Green Berets actually shaped this too. And what really made you change to make this transition from private security to cyber security?
GY: Okay, fair question. I grew up in Cupertino, California, where Apple is headquartered. So, I’ve been around computers and computer science my whole life. I was coding in Fortran and Pascal when I was like 11, 12 years old, and took computer science classes at the local community college as well as in high school. And then I had no question in my mind when I showed up at West Point that I was going to be a computer science undergrad, and I stacked as many courses as I could. I was quite passionate about it, and sometimes I joke around about my career decisions. But, you know, because I went to West Point, you have to be in the United States Army after you graduate. And I kind of caught on to the idea of being a US Army officer, wanting to serve along those lines, and then 9/11 happened; I graduated in 2001. And I got kind of thrown into all the conflicts that the US participated in for the last 20 years. So, if you kind of look at it from that angle, I have always had a very deep and strong passion for IT and computer science; both my parents are engineers. And for me, actually, in my life, I actually think that the whole detour into becoming a Green Beret was a weird one in the course of my life.
Now, coming from the business of running a private security company or international security consulting company, and then transitioning into cybersecurity, that became more natural for me just in terms of considering myself a military tactician and being able to see that cybersecurity was essentially just the digital extension of the physical security world. In physical security, the basics and fundamentals, like terrain analysis, looking at obstacles, avenues of approach, cover and concealment, key terrain; these fundamentals don’t change when you look at cybersecurity. They have counterparts or equivalents in the cybersecurity world, and need to be accounted for when you’re looking at how to best posture yourself when it pertains to IT security. So, for me, seeing that these parallels existed, I thought that there was not that much of a difficulty for me to cross over, especially as a businessman, and understanding how to sell and market security. Having built a business around that, and particularly, again, tied to insurance, which is another facet, I actually feel that’s financial security – you know, securities are insurance and insurance is security – these sorts of things that we can delve into as well. But fundamentally, why I ended up changing and pivoting Blackpanda from a physical security business into cybersecurity is just, frankly, that cybersecurity is just so much more scalable, and a much, much larger market in the longer-term view from my perspective. One of the things that I noticed was that we made great money with Blackpanda, and I’m very proud of the clients that we assembled, particularly in the Philippines, where we ended up signing the number one and number two companies in energy, mining, banking, integrated resorts, casinos, etc.
What I came to realise is that the way the world is facing the problems and the threat of cybersecurity is as though it lives in the conditions of Iraq, that type of operational environment. In the physical security world, to have that level of threat, and the willingness to pay in the market for this type of higher level security service, these really only exist in the more unstable and dangerous areas in the world, where the police and security apparatus, and military and the police cannot be fully relied upon, both due to resources as well as just the political conditions etc. That’s kind of like what the cybersecurity world is like, right? You can’t just call the police and expect that some tier one cybersecurity element is going to come and just solve your problem. As in, when you’re robbed, attacked, or threatened in the cyber world, there isn’t that type of 911 hotline you could call in a developed country. For instance, let’s say the United States, you know, the police will show up and generally you know that competent police are going to show up and generally resolve a situation when you’re being attacked, right? That doesn’t exist in the cybersecurity world. And I like to make a comparison to two high-risk areas. Essentially, the entire world is living in a high-risk area. When I came to realise that there was that much more business on the cybersecurity side as well as the ability to build tech products that could scale in a much larger way, then I saw a much larger business opportunity for us to gravitate towards that direction. So that’s fundamentally the opportunity that I saw.
AA: Right, so Gene, there are very intriguing similarities between private military and security companies and private cybersecurity companies. And first and foremost, as you’ve just mentioned, business is one of these commonalities. But I’m sure that in your previous private security career, personal physical risk was also an issue in the equation. When we started our chat about cybersecurity and ransomware, you mentioned financing terrorism and state-led actors. So, let’s move in this direction: If we have criminal or politically motivated actors using a ransomware virus attack, something like WannaCry, for example, they could hold hostage not only, let’s say, military installations or corporations, but also civilian targets, such as hospitals. And in this case, it is not a matter of losing brand reputation or just losing money; you can even lose lives. But then you realise that some of the attackers, or the attackers, are not only state-led, but can be linked to terrorist organisations. And then in this case, we are talking about financial terrorism. Then, if we move from this, when you manage a crisis in a cyber war, is there much difference in assessing, mitigating and managing the crisis between, let’s say, the virtual world and the real world?
GY: Yeah, I would say that, to be honest, a lot of the elements are fundamentally the same when it comes down to making sure that during the crisis – in cyber we call them breach coaches or incident managers, in the physical world we call them the crisis commanders or the crisis consultants – all the different aspects of security are covered; by way of the proper advice in terms of managing crisis. But also what’s quite important to bring to bear is also the legal concerns as well, making sure that what the victim – especially if it’s corporate – what kind of concerns they have from their perspective, as well as crisis public relations, and making sure whatever messaging that needs to go out to the public is ideally something thought through and analysed prior to getting out there, and making sure that the message is on point.
So, I think that with any crisis, the key always comes in the preparation. The time to think about how to react to a crisis is not when it occurs, right? You are way late; you screwed up a long time ago, at that point, if you’ve never thought about the scenario. And to expect that some superhero is going to show up and just immediately understand how to solve your situation on short notice like that, having no context, with no plan in place, is a very tall order. And so, whether it is a physical or cyber crisis, I always emphasise the importance of having a proper response plan. What is your business continuity plan? Making, again, a simple analogy is fire, which is a type of physical crisis – well, not as spectacular as the ones we’re talking about here that are motivated and generated by an enemy – but if a fire breaks out, and nobody has any idea where the fire exits are, what the procedures are, any of that, you can imagine the mayhem and how people would die unnecessarily. And so, what it required was that, in most developed countries, there are mandatory fire drills, so that there’s no confusion. When the preparation has already been put in place, everybody generally has an idea of what they’re supposed to do. One of the services that we provide is not only incident response plans, but bespoke plans, as well as playbooks, and also tabletop exercises; running through the actual crisis scenarios with the leadership of large organisations. And we’ve done this historically across Blackpanda, both in the physical and the cyber space, particularly with our niche that we can combine the two because we’ve actually seen and responded to crises where cyberattacks came in waves after physical attacks, as hackers around the world took advantage of a very spectacular headlining event.
You know, it is very difficult to come up with new ideas on the spot, particularly if you’ve never thought through them before, and especially in a post-crisis emotional state. And so, we’re very encouraging of companies that are interested in putting in the time in a tabletop exercise, or essentially a dress rehearsal of sorts. So, they can go through the process and think through: What would they do in this situation? What would they do if a ransomware attack occurs, and then they were hit with an extortion note, and if they didn’t pay it within 24 hours, it’s going to double every 24 hours going forward? And then if it hits three days all of your data is going to be destroyed – you’ll never see it again. I mean, just think through it as a leadership team and talk through it just once so that when it actually occurs, yes, you may rethink what you decided earlier, but at least you’ve thought through it. And a lot of that discussion has been processing and marinating in people’s head. What I’ve always discovered is, organisations anywhere, whether it is the military or the private sector – because look, I’ve been operating and working with crisis for the last 20 years of my career – it always comes down to the preparation. The folk that put in just a little bit of time, there’s a massive difference and massive ROI payout for even a little bit of time versus zero time. And, of course, you know, there’s diminishing returns as you continue – you can only prepare so much. But my point is that, from zero to just a little bit, there is a massive impact. And I think that if I could communicate anything, it is that the most important thing is just having a plan in place; having your fire sprinklers set up; having a fire alarm set up; knowing who to call. 
For the cyber world, the equivalents are your endpoint detection and response platform, and having that software installed; having an incident response team like us, or cyber firefighters; knowing our phone number; having us on retainer or a signed contract or whatever. So, you know, at least you can call us and we’ll show up and not waste any time while your house is on fire. These are the points I would make.
AL: Gene, if I could take you back to a comment that you made to an earlier question about the cyber world maybe being a little bit like Iraq. Now, in the physical private security sector, Iraq is kind of like the Wild West. And though things have improved from the early days, because of new regulations and so on, is there something similar happening within the cybersecurity level particularly in terms of regulating the kind of companies who are involved? Is it still like the Wild West? And I ask this because the boundary between protection and racketeering is so vague. A security company could go and ask money for ransom as well. So, is there some work being done internationally or nationally at regulating who can be a cybersecurity firm?
GY: Yeah, so right now: no, as far as I can see. So, I would describe it, yes, as a little bit more like the Wild West, especially in the early days of the private military industry in the Middle East in the early 2000s. I would state that there are very respected international organisations with certain certifications and accreditations, for instance, SANS for the States and CREST for the UK. These are general gold standard accreditations that you’ll need as a cybersecurity company to legitimise your organisation; the fact that you have these certified and qualified individuals. So, I guess, to listeners, if you’re thinking about hiring a third-party vendor or cybersecurity expert company, these are the types of things that you have to look at – it’s generally those certifications. It’s interesting, right? Because cybersecurity is such a new field. There’s only a handful – I mean, there’s more and more these days – but with university programmes, it’s not a, generally speaking, formalised academic programme. Actually, at NUS, I’m aware there’s a cybersecurity programme. But that’s ahead of its time a little bit. It’s just starting to really catch on like that. We hire people at Blackpanda who haven’t graduated from university, but if they have the right certifications, then I know that they have the right skills of what we need. That’s the actual gold standard when it comes to regulation and standardisation.
I would segue and say that oftentimes, ransomware attackers will try to portray themselves as carrying out a service for the victim. They’ve figured out that the psychology of the ransomware negotiation is to try to frame themselves as though they are freelancing vigilante offensive security consultants who have found a vulnerability; they’ve demonstrated this, and are now owed some money because they have prevented that vulnerability from being exploited by even more nefarious actors. That’s pretty funny, because what these people have discovered is that psychologically, sometimes they actually get these victims to pay more willingly, without engaging an incident response firm or law enforcement. But, certainly, I’m on the blue team side of the house. At Blackpanda, we just respond to a crisis. It’s very difficult for us to be construed as bad guys coming in and helping you after you’ve been attacked by somebody else. I can’t comment about the red team side of the house, the offensive security engineers who are essentially hackers; ethical hacker penetration testers. Really, the red teaming side is the more hardcore side. But generally speaking, we have partner companies that do that sort of work. I mean, I’d be remiss if I said I think that they cross a line. They’re completely above board. There’s plenty of business if you want to wander off into the dark web and be a cyber mercenary for hire and stuff like that, or be an actual black hat. Plenty of work for you down there. You don’t have to masquerade as a white hat during the daytime, so to speak.
AA: We want to stretch what you just mentioned with the zero-day exploit. I think there was a case just a few days ago, when a Bitcoin exchange was hacked for more than US$2 million. And then the same company offered the hacker an additional US$200,000 to pinpoint where the problem with their security was. If we move to Libya and Nagorno-Karabakh, we are witnessing an increased use of armed UAVs that are better known as combat drones. These drones are creating new security, legal and ethical issues that require a swift response. It’s the same thing: Cyber weapons, cyber criminals, state-sponsored attacks online can wreak havoc – we’ve already realised that – but there is still no right or wrong rule of the game. So, let me go back to financing, and terrorist financing, especially. For example, if your company advised that a ransomware demand be paid off, and the funds ultimately wound up at a terrorist organisation, are you, and I mean Blackpanda in this case, going to be liable for terrorism funding? What kind of lessons can you draw, applying, again, from the private military sector to the cyber one?
GY: So, this is an interesting one that I came across actually in the kidnap and ransom industry and discovered there are exclusion clauses, particularly when a life is on the line – if a ransom is paid, and even though it’s a sanctioned entity, like a terrorist organisation, there’s an out clause for that. The US government, or any government, doesn’t expect that if you are in that situation, you will allow a loved one to be killed, for instance. Now, of course, this becomes a grey area when it comes down to, okay, then how do you measure where that red line is? And that’s where it gets very muddled for cyber ransomware, because if a person’s entire business is on the line with, let’s say, hundreds of people on payroll and their means of providing for their families is all on the line. You’re not willing to release this payment, but then your entire company is going to be destroyed literally overnight, and maybe a lifetime of work with it. That gets quite grey as well, right?
I recently did a webinar with our partners at the US Secret Service. They have quite a wide purview and authority from the US government in terms of freezing bank accounts and investigating cyber financial crime, because almost all international financial transactions eventually touch a US financial institution or are exchanged to the USD. Anyway, the reason why I bring that up is because what the Secret Service has said is that in these types of situations, this is why it’s so important to engage with law enforcement early on, so that they can help give advice. And there is a good faith type of attitude that is taken; something that’s called “wilful blindness”, I think, is the term that they used, where right off the bat, when you realise it’s a sanctioned entity, you don’t do anything to try to mitigate, investigate, try to negotiate to try to avoid the situation. And you’re just like, whatever, I just want to get this done as quickly as possible, and then just hit send on that payment. That’s a very different situation from somebody else who has invested the resources to hire the lawyers, the incident responders, the threat intelligence, trying to figure out any way to get around this; engaging with law enforcement, getting the advice and walking all the way through to the point where there’s literally no choice and out of good faith they had to make the decision. That was something that they said would be taken greatly into account in the case of proceedings afterwards. Of course, it has to be investigated and explored afterwards. But it’s something that they would be taking greatly into account.
From Blackpanda’s perspective, at the end of the day, we’re consultants; it’s the client’s call as to how they want to handle that situation. And so, for us as well, if it did come down to a sanctioned entity we would be – as I described, we have a close relationship with the Secret Service – there’s no way we would do so without top cover and making sure that they were involved and aware. And, you know, the thing that I would mention as well, is that a lot of people don’t realise it, but cryptocurrency can be traced. That is an urban legend or myth that continues to grow right now. There are a couple out there that really cannot be, but the Secret Service does have the technology to follow that. And so, they want to be involved because they want to track these guys down and put them behind bars. And so, when you’re on the blue team side of the house like this, for me, I think the lines are a lot clearer; it’s rare that people are upset when firefighters show up to help you put out the fire. And so, look, we’re just trying to help the client get through the crisis and get back on their feet and keep close coordination with the right authorities.
AL: Gene, I’m glad you brought up the Secret Service here, because my question is cyber security as an industry seems to be led by private industry. But would you say there’s still a role for state security agencies as well? I mean, we’ve seen the Space Force being formed under Trump, but there’s nothing similar, like cyber security police or cyber security army, something like that? Do you think there’s a possibility or there’s a need for states to invest in it themselves rather than going private?
GY: Well, actually, I would challenge that. I do think that there are military arms being built; there are cyber armies being built, or not even being built, but that exist and have been in existence for quite a while, actually. I’m talking like 20 years. China has its own cyber command. I believe – sorry if I misquote this – it’s on top of my mind right now, but I believe it’s part of the People’s Liberation Army, it’s a division of it. But I do recall that even as a cadet at West Point, that was being talked about. There is such a thing as United States Cyber Command, which oversees the National Security Agency, and it is essentially the cyber military arm of the United States. Israel has the famous Unit 8200, etc. These organisations out there are meant, I believe, for warfare. At West Point, one of the things that stuck with me in terms of studying military history is the AirLand Battle doctrine developed by the Soviets in the 1980s. Which, simply said, is: get air superiority first, control the skies and then come in on the land attack to limit damage and all that stuff. I think that we’re going to see that there’s going to be the word “cyber” added in front of AirLand doctrine – Cyber AirLand. Why wouldn’t you first take out the infrastructure of the opposing country’s military as well as their private sector before going in and softening the target? We saw this capability through Stuxnet, and various other attacks as well down the road that are widely believed to have been conducted by the US and Israel against Iranian nuclear power sites. And so, I think this sort of thing is cyber warfare.
At one point, also, I would say it’s happening already in a low to medium conflict intensity between great powers and nation-states. And I think that if hot conflict was to escalate, we would see that escalate into a much hotter status of attacks from one country to another; where they’re actually trying to take out each other’s power grids, disrupting financial systems; that sort of thing before a traditional conventional military attack. Why wouldn’t you if you have that capability at your fingertips? Why risk people’s, soldiers’, sailors’, airmen’s lives when you can just have a bunch of hackers in some safe air-conditioned building somewhere, deploying cyber weapons from afar like that, right?
AA: We were just discussing with Ameem, basically, something that has already been seen for a while in terms of cyber warfare. From China, the doctrine is unrestricted warfare – if the translation from Chinese is correct. If we move to North Korea, we can say that there is a weaponisation of cryptocurrency. But, please, let me take it back from cyber warfare to the financial side, and the importance of cyber security in a global financial hub, especially because we are here in Singapore. But not only Singapore, I’m thinking of something like the Gulf, like Dubai, where securing the digital financial market is essential; it’s critical for sustaining economic development. In this case, what are, in your opinion, the best practices for creating a safe cyberspace? And, again, if I recall correctly, you – and by you, I mean, Blackpanda – are cooperating with the Singapore Police Force on some projects, and I’m wondering if you could talk about some of the strategies that you think have been useful up to now. Thank you.
GY: Yeah, sure. I mean, when we talk about creating a safe cyberspace, it’s such a holistic question. Just like – again, I always want to bring this back to the analogy of physical security – how do we create a safe physical space for everybody as well? And for me, first and foremost, I would comment that our philosophy and mentality at Blackpanda is on the response side. Meaning that we don’t think it’s a matter of “if” you’re going to be hacked, it’s a matter of “when”. So, while there are a lot of great products, software and services to help you build the castle walls around your house, the fact of the matter is, just like in the physical world, if I build a 10-metre tall wall around my house, and a bad guy wants to spend the money and buy a 10-metre tall ladder, and then put the ladder up and climb over my wall, what do I do then? Maybe I build a 20-metre tall wall and invest the money and resources and time to build that. Then they respond, and both sides keep doing the same. If that person is well-resourced enough and motivated, he will build a 10,000-metre tall ladder and still climb into my house. What I’m hoping – from a philosophy standpoint – is that if I build a 10,000-metre tall wall around my castle, I hope they go attack my neighbour, who has no walls. I’m sorry, but in this sense, it’s not about everybody being safe, it’s about not being the slowest gazelle on the Serengeti – that famous quote, you know, “when the sun rises in Africa,” or whatever. That’s more my mentality when it comes to cybersecurity right now. I would say that the ladders are going up exponentially faster than the walls. So, I’m playing a game in cybersecurity where I’m not part of the walls or the ladders, I’m standing off to the side in a horse stable with my cavalry, and after they’ve breached your walls, I’m coming in to try to help you and eject them back out over the wall again. From that perspective, I think that there doesn’t need to be close coordination with government.
I think that one of the things that we have missing – which is why I actually would like to make this comment in our conversation – is that Asia is vastly behind in cybersecurity awareness and posture in comparison to the US and Europe. And the reason, in my opinion, is lack of government regulation and data privacy fines. Singapore is actually leading the space in Asia. Just recently, the PDPA announced that it has raised the maximum fine for data privacy breach to 10 per cent of annual turnover. In comparison, for GDPR, which is considered to be the most stringent data privacy regulation in the world right now, the maximum fine is 4 per cent of annual turnover or 20 million EUR. Singapore’s is higher in theory, but we’ve never seen a real fine here in Singapore. There are a lot of data breaches – I’ll share that without obviously sharing client names. But there are a lot of data breaches. It’s not as though cybersecurity and hackers are not touching Asia; it’s that companies aren’t reporting it. They’re not reporting when client data is released into the dark web and sold. Now, PDPA just recently made it mandatory to notify the regulators of a breach, which is a huge step – as far as I’m tracking right now, it is the only Asian country that requires that. But there have not been the types of fines which cause companies to spend on cybersecurity. If you’re only fined S$10,000, which literally happened to one of the largest tech companies here – I’m not going to name them, but they were breached, I believe, for the fourth time – that doesn’t even cover a few days of our response work. So, if the fines aren’t commensurate with how much it costs for cyber security services and products to properly secure yourself, the companies are not incentivised to do so. Who suffers from that ultimately? It is just the average, common consumer.
We do have clients where this comes up. They’ve been breached, we come in, do about half the work sometimes and they say, “oh, the regulators don’t need this information; we don’t need to continue figuring out which one of our clients’ or customers’ data has been leaked because how would they know that it’s us?” It’s a little bit disturbing to share this sort of stuff. But this is the problem with government regulation not being stringent enough in Asia. And so, when you ask that question about how to make a safe, secure space: It starts from the government and policy, and making sure that companies are accountable for cybersecurity protecting their customers and clients. I can’t stand it when I see announcements of breaches here in Asia and all my credit card information I know is out there and I’m out there cancelling my cards; and my passport information is out there, all this type of stuff. It’s quite an irritant. Anyway, the focal point of my answer to that would start from government regulation and it can trickle down from there in terms of making sure companies are going forward and investing the proper resources in prevention, detection, response, insurance – making sure that they have the resiliency to stay afloat even if they got hacked.
AL: It’s kind of worrying if relatively well-to-do countries in Asia with thriving financial markets are not investing in it. If this is so, is there any hope for developing countries that might not have as large an online market space as this? And are there even, for some of these developing countries, some sort of cheaper products that cost less than, you know, $10,000 for a few days?
GY: I would say that, number one: Yes, it’s a huge challenge for developing countries and that is a much larger problem… you know, the developed countries have to lead; if they can’t solve it, then how can the developing countries? The Philippines is, I think, rated the number three or number four most cyber-attacked country in the world. Partly, the reason for this, I believe, is because of the close ties between the banks and the casinos and the junkets – kind of a shadow banking system. But that’s a situation or environment where we at Blackpanda have a longstanding presence. There is a big problem there because the general infrastructure itself is so underdeveloped and it’s very difficult to kind of climb out of that to deal with these cyber issues.
Are there cheaper options? Unfortunately, no. There’s a major shortage of cybersecurity professionals in the world. This is not something where you can just send somebody on a two-week course and then come out and now, they’re a cyber incident responder. This is a highly technical skill set, which compounds the problem even further. According to the last statistics I saw, I think there are three million jobs waiting to be filled in cyber security right now, globally. And it’s just increasing every day. Fundamentally, when you think about why cybersecurity is such a problem and why it’s growing every day, tech is advancing at an unbelievable pace. Companies are rushing to the digital realm because they have to, or they’ll get wiped out by the competition. They rush the product into the market without the proper QA/QC or secure code review, and this is introducing security flaws into the market, as well as connecting and being interconnected with so many different third party apps. Every single one of those connections has its own problems, with security flaws and vulnerabilities, and this just continues to grow and grow and grow. So, I apologise, I can only paint a dim picture; a precarious picture for developing countries, especially frontier markets.
You know, already, I feel that in developed countries, rather than living in a fortified house with a compound and walls and doormen, most people are living in bamboo huts with maybe a little latch key as your lock. It’s very, very open out there right now. Now, one aspect that is somewhat heartening, I guess, is that cyberattacks require technical skills as well, and there are only a certain number of people who can carry out complex attacks on a large scale, and they’re generally going after the developed markets, because that’s where the money is.
AA: Gene, previously you mentioned a “taller wall” and a “taller ladder”. Especially for me, coming from Turin, before it was even a republic, there was a time when the walls were so tall that the siege artillery of the invading army was not able to breach them. So, the competition was between a thicker wall and a bigger gun. But at the end of the day, it changed into tunnel warfare – it was mine and countermine. So, moving on from this, I’m asking you, to end this interview, the million-dollar question. And it’s basically a question that we ask all of our guests. In your opinion, what is the future of cyber security management in a complex environment going to look like in the coming 30 years?
GY: I think that, certainly there’s a lot of investment going in from the West and like I said, Singapore is leading the space in Asia. I think that we will eventually, over the next 30 years, train enough cybersecurity professionals that the government will start having to take a hand in this, just like in physical security. Again, my analogy is that where cybersecurity is concerned, we are living in a time where there are no police, no firefighters; everything is privatised, and only the wealthy can afford to have any security. It’s like when I’m in the Philippines, and all the wealthy have armies of bodyguards around them and private security at their homes, because they can’t rely fully on the police and the apparatus to protect them. Just like in the physical world, this area will grow in developed countries, and eventually the government will provide that type of service to the general populace.
The other comment I have is that, unfortunately, since the first human met another human, we have learnt how to hurt each other and take things by force or whatnot. Just like in the physical security world, where once the good guys figure out a tactic that thwarts the bad guys, the bad guys figure out a new one. And then it’s just a tit-for-tat, as both sides play this never-ending game. It’s one of the oldest professions in the world: Soldiering. So, I think that this is just another battlefield.
If there’s any message that I’m trying to get out here in my whole story it is that it’s not actually a new thing. It’s just a different terrain and new playing field. It’s the whole evolution just of one counter-action against the other – the good guys and the bad guys – as they figure out how to hurt each other, and it’s just continuing or extending now into the digital world. So, it’s actually just the same thing, but not everybody has made that mindset shift because they think it’s just an IT problem – it’s not. It’s a security problem.
AL: Well, thank you so much Gene for being with us here today. This was absolutely fascinating. And thank you so much for coming. We don’t always hear this perspective of cyber security in itself being an extension of an older problem. And I think that really brings a lot of clarity into the field. I hope all our listeners have enjoyed listening in to you today, and thank you everyone for tuning in. Until next time – thank you!
About the Speakers
Gene Yu, Group CEO & Co-Founder, Blackpanda Group
Presented by Dr Alessandro Arduino and Dr Ameem Lutfi
Mr Gene Yu is the co-founder and chief executive officer (CEO) of Blackpanda Group. A computer science honours graduate from West Point, Mr Yu previously served in the US Army Special Forces, and has authored three books.
He has served in Asia across military and private sectors — as an equity swaps trader at Credit Suisse in Hong Kong and with Palantir Technologies’ Asia business development team in Singapore. Mr Yu is currently best-known for leading one of the fastest recorded recoveries of a family friend, kidnapped in eastern Malaysia by Filipino Abu Sayyaf terrorists in late 2013.