Roeland van Zeijst, global cybersecurity strategist, RovaZ.com and former digital crime officer, Interpol, discussed cybersecurity landscape and the steps taken by regulators and financial institutions to enhance industry resilience, integrity and stability
Here is the transcript:
Well, thank you very much for those kind words. Thank you. Yeah. Good morning everyone, or are we already saying 'afternoon'? Not sure.
It seems that this morning we were with the discussion with Sir Tim that on the internet nobody knows that you're a dog. It gives you like a certain idea of the role of the dog in the internet nowadays. When I went to school, sometimes when you didn't have your material you would say the dog ate my homework. Actually, in this case, the internet ate my presentation, so I'm doing it ... I'm just doing it from the top of my mind. It's good because I also get to respond a little bit to these very interesting presentations that we're going to do here.
So, ladies and gentleman, can I ask you who is here from China? And who is here from, let's say, Europe? Europeans in the house? Who is here from Iran? Anyone from Iran? Do you know that Iran is next door, actually, nowadays? Digitally. Iran is a neighboring country to China now, as is Kazakhstan, as is South Africa, as is any country. Specifically, cyber criminals know this already and I believe this as we heard from Stefan (Stefano Nappo, CISO of Societe Generale) how these criminals are networked, how they think, very globally, if you will. And they have seriously built business models to conduct business with each other, to work together, and to kind of divide their services so they each kind of specialize in a little sub-service to attacking maybe your institution.
Another question I would like to ask, this is called the Future of Finance Summit? I would assume there's many people here from financial industry? If you look around you, you might see some familiar faces. Maybe some unfamiliar faces. Faces from organizations that you know who they are. Can I get a raise of hands who feels that the other people in the room are their competitors? You're surrounded by competition? Are we all amongst friends? Is that wrong? The reason I am asking is that like Mr. Daniel told you this morning, I suppose you saw the lights on the sign. It said that China has become like a hot bed of both collaboration and competition. That's kind of what I'm alluding to. And I do feel that at this kind of summit it's really about how do we collaborate, especially when it comes to matters to cybersecurity, encountering cybercrime, and maybe competition are the bad guys out there who are doing their own thing innovating their business processes to get money from your bank, from your financial institution.
So then the question is how can we collaborate in a world that is so different? Where things ... pockets of crime might exist against your organization. Some of them might be hosted in Europe. Some might be hosted in Iran. Some might be hosted in China. Who knows? Then you see that there are all these marvelous, let's say, coincidences. So, yes, tonight I'm expecting great fireworks in Europe at midnight because that is finally GDPR date and everybody will be compliant. China has its own regulation. It's already been mentioned before, where there's like one addendum to it and then there's like the bunch that everybody does, and then for China, there might be important information, like specific asset that we need to look into. In Europe, there is the idea of very sensitive personal information. It's like extra protection. I'm not sure how to know balance this out between the two. It just seems like the main thing in between is just to share, let's say 80%. Shared 80% approach.
I just asked, jokingly, about Iran. But, actually, if you ask law enforcement in Iran, if you ask them about cybercrime, what hits them. You would say, "Well, it's Iran. They might have a very peculiar view. Something that might not be how we handle it." What they say, and I quote this from terror, is that 80% of their cybercrime is financial cybercrime. It's just people being scammed. Banks being attacked. Banking malware. It is the same. So there is like a big chunk of things that we have in common in the world that we need to find ways to work together on. As I was kindly introduced and explained, I worked with Interpol for a number of years. Interpol, which actually at the moment, has an excellent President from China, Mr. Meng Hongwei and Interpol, is as you totally know, the international collaboration body between police. It's officially called the International Criminal Police Organization, of which the cybercrime center, if you will, is located in Singapore.
Yesterday, I had a question from somebody in this building, asking me, 'What are the arrest powers of Interpol?' When this happens, what can Interpol do? The actual fact is that Interpol cannot do anything. It doesn't do anything. Interpol is an exchange mechanism for information to law enforcement. It literally just started. Perfect. It's an exchange mechanism between law enforcement. That means that each country's own law enforcement has special powers that they can use to combat crime together and to work on that internationally, there has to be exchange mechanism where, for example, this country finds that one of their national's passports has been stolen, then they can provide an alert. And then if that passport is used by a completely other country, then the alert pops up in that country, but it will be up to the local law enforcement there to do something about it.
Now that's the easy part because there's a lot of passports anybody understands. There's different crime types. Of course we find, throughout the world, there's different levels of punishment for different crime types. I want to give you an example of how you can work together on that. Then I'll actually talk a little bit more about banking. Don't worry about that.
So what is not the easiest topic, but that is child abuse on the internet. Of course that also happens, unfortunately. What you find is that different countries have different rules, different laws, defining what constitutes that. For example, if is a child is depicted, let's say how old is it to be of an illegal age? In some countries it is one age limit and in some there are others. There would be like a base line. There is a common ... they call it a greatest common denominator. There is a common way based on the what everyone in the world agrees that this is anything younger than this, that is a kid. So you should not have indecent images of these people. And that allowed Interpol to host a database of just hash values that any law enforcement in the world can use to confiscate like a hard base from a criminal that had been using children and they find images. They can just look at the hash values, they don't have to look at the images, look at the hash values, and then check them with the database so that they know that, in fact, yes this is considered to be illegal in any country. So, the good thing that comes from that, and here we go with my main message, is that then you can, for sure, initiate international cooperation. Plus, you know, that in any country that this person might be, or that they might have exchanged information with, they will be met with a punishable offense.
I know that in the realm of industry, larger corporations, Sir Tim also eluded to it this morning, there are regulatory boards, of course, that are always going to scrutinize what you do if it's compliant with everything; and also, especially, if you are not maybe collaborating too closely with your competitive. That's also an issue. There are some doubters there. I want to go a little bit to my own country of the Netherlands, which we already referred to when we had, we were just the first country to be connected to the internet outside the U.S., so we had kind of a head start to build more industry for that. So we have some experience with working together in some ways that might, you know, be a little bit in this context. So I think that one of the main successes in our country for collaboration between institutions is, and it's not a unique concept. I think we stole it from Australia. It's called the ISAC - the Information Sharing and Analysis Center. It's basically just your bi-monthly meeting between CIO's and CFO's of the large organizations in certain sectors. For example, it could be the financial industry, we have the financial board for network. It could be the telecom industry. I've been a member of the telecom industry ISAC and which basically is a group of eyes. What they will do in those kinds of boards is exchange information about security. Security strategies, maybe not so much. More the incidents that they see, the threats that they perceive, and what kinds of measures are they taking. I k now that as a member of, I think I can divulge this, a member of this Telecom ISAC, at some point they actually become a little bit weary that it's ... we're discussing a lot. Maybe like the anti-monopolies. They might get a little bit anxious about this. They actually sign like an extra agreement where they certified that they would only share security related information. It works quite well in it. I have to say. So because it allows you to exchange these relevant information and kind of also keep tabs on what is hitting everyone.
From a law enforcement perspective, we like to be at that table to just know what is going on because as the founder already eluded to, one of the issues all of you guys have is if a cybercrime hits you, you might want to keep it to yourself, because of your investments, your stock markets, your regulator, and they might not like to know, it might be bad for your reputation. And this is to law enforcement in the Netherlands because we have a few big banks and they are each of them are like too big to fail, so it's very difficult to make them do anything. At the same time, each of them is quite weary of that listing and they just would not come to the police and file a report even when big things happen. So what they thought of, and this was a number of years ago, was, okay, so what if we put like representatives or liaisons from those big banks and put them together in one room? And also put somebody from law enforcement? And also put someone in there from the public prosecutor's office? Then what they could do, and this is what's going to help them on a daily basis, is that these banks they discuss amongst each other to see what are the threats, what are the actors that are hitting them on a daily basis. They can just see that of course with their firewalls and whatever. Whenever there is something that hits more than one of them, they will - together - go to law enforcement and just file a report. And then, in the end, it becomes a court case. It will not be that one bank that wasn't safe. It will be at least two banks, maybe more, meaning that this is a phenomenon. This is not just a matter of bad cybersecurity of the bank. This has been working quite well, and the main reason why it's been working so well, is that there are like good, legal foundations for them to exchange this information. Because you can imagine that sometimes you then exchanging, I don't know, bank account information can related intrusion of details that you have to be sure that you're allowed to share those.
The final idea I want to just give you, it might be helpful, it's what we call Coordinated Vulnerability Disclosure. It is maybe the ultimate form of collaboration because it actually involves collaboration with hackers. And this is not your regular pen testing. Of course you can hire hackers to do some pen testing on you and that's fine. But what we've seen in the Netherlands, and it's been developing for a number of years now, is that, of course we have many kids who like to experiment and like to try to get into systems and sometimes this happens. And a few years ago, it happened really badly. Our biggest Telecom was owned by a punk, I have to say, and by a kid, minor who was then able to shut down like our mobile networks. He was able to shut down our emergency phone. Fortunately, he didn't do it. But it took law enforcement a lot of work to find this guy because he was using like servers in Korea, actually, Seoul. Even though, it turned out, he was just next door. It was like a ten minute drive from the Police station in the Netherlands, but we didn't know that because that's how the internet works. You don't know where these people are.
So when it comes to kind of upping your cyber security and allowing these kids to do like minimal things; not hack your computers, but just prove to you that you have the leak there. You should maybe fix it. I definitely propose what they call a practice of Coordinated Vulnerability Disclosure. And it's been adopted by so many organizations and companies in the Netherlands, now, that we are quite confident that; it's a little bit like the voluntary standard ... We've become quite confident that if like an organization or a business would not have it, and then a court case would come of it, I will explain a little bit of processes, but then the judge would say, "Everybody else has it, so you cannot prosecute or file charges against this kid."
So it's fairly simple. You just post like some terms and conditions on your website where you say, you know, you can hack us, you can penetrate our systems but just a little bit. And you cannot break anything, and if you are inside our system base you can make direct through dump, so you can prove to us that you you've been inside. But that's it. You send that to us and then we will fix it and then every new company can kind of decide what they want. Some companies they like to, Google of course, has these big rewards for bugs that you find. And then others don't like to spend quite a lot, so we normally give them t-shirts. And, what we actually found the Dutch government initiated this, and they actually printed beautiful t-shirts, just black t-shirts, because kids like black, and they just say 'I hacked my government and all I got was this lousy t-shirt.' These t-shirts became impossibly popular, because people wanted to prove that they had hacked the Dutch government.
Now surprisingly, if you want to guess where these people are coming from who are getting all these t-shirts, you're probably assuming they are Dutch teenagers. You would be completely wrong. Most of them live in India. These are kids in India who have proper ICT education, they know how to hack a little bit, and they need to work in their city and it's very good for their esteem if you can wear a t-shirt that actually shows that I hacked the Dutch government. I don't see how if you have such popular Dutch t-shirts why some of your institutions might not be starting any of, t-shirts for starters, maybe money later. But find the hackers to test, just a little bit, and find ways of collaborating together to fight cybercrime, to increase your own and each other's cyber security. Because, and this is my final thing, the people who collaborate on behalf of the banks, crimes passports, it was initiated in 2011, they said, You know, we love competition. This brings some bucks. This makes us stand out. We will not compete on cybersecurity. We have to do this together. Thank you.