Under CTRL

Unlocking encryption for NGOs

Episode Summary

Non-profit organizations work directly with the world’s most vulnerable communities. But with shoestring budgets, how should NGOs protect important data from cyber threats that range from hostile state actors to accidental leaks?

Episode Notes

In this episode of Under CTRL, Tresorit's Aaron Stillman talks with Jason Keller, digital strategy developer for Vistant, and James Eaton-Lee, CISO for NetHope, on how NGOs can protect their most important assets in the online age.


Non-profits are often used to working in demanding environments, but they also face unique challenges in the digital realm. Operating out in the field can strain connectivity, while an ever-changing roster of volunteers, freelancers, and partners poses problems for both security and accessibility. Most worrying of all is the increasing threat of state-backed actors, who can dedicate large amounts of resources to attack or discredit activist groups.


Together, Aaron, James, and Jason break down how NGOs can face these threats head-on by investing in technical tools such as encryption, as well as practical measures such as training and usability. We also look at the wider tech landscape, and how investing in security can help non-profits safeguard not only key assets, but also their ethical responsibilities and reputation.

Episode Transcription

[00:00:00.250] - Aaron Stillman

All right. Hello, everybody. Welcome to the next webinar in our series, Collaborating for a Better World: Unleashing the Power of Encryption for NGOs. I am extremely delighted to be your host today, but before we start, I do have a couple of very quick housekeeping notes for you. We are going to be recording today's session and sharing it afterwards. We will also be taking questions at the end, so please don't hesitate to add your questions to the Q&A section. We're going to do our best to answer all of them, but just in case we run out of time, I will answer them with the team here and share afterwards. So, without further ado, let us proceed with today's topic and meet our speakers. I'm Aaron. I'm the head of product marketing here at Tresorit. I started just a few months ago, born in the United States, but currently living in Europe, in Luxembourg, and very happy to be so. I'm joined by Jason Keller from Vistant, as well as James Eaton-Lee from NetHope. So, thank you for joining us. Just to kick it off, why don't we go ahead and do some introductions? Tell our audience a little bit about the work you do.


[00:01:21.610] - James Eaton-Lee

Hi there. And thanks, Aaron. My name is James Eaton-Lee. I'm the Chief Information Security Officer at an organization called NetHope. NetHope is a US-based non-profit. We are about 20 years old. We're a member-driven non-profit. Our members are the 60 or so largest development, humanitarian and conservation non-profits worldwide, working on a whole range of things from climate change to displacement, to protecting people in conflict. At NetHope, I lead on something called the Digital Protection Program, which is our cybersecurity program for our members and our broader ecosystem, and where my role, essentially, is to help large international non-profits to be more resilient, more respectful digital actors when they collect data. My background more broadly is cybersecurity, recently in non-profits, but in government, retail, telecoms, software long before that, going back a decade or two.


[00:02:13.210] - Aaron Stillman

All right, great. Jason?


[00:02:14.280] - Jason Keller

Good morning. Jason Keller here. I work day to day for a company called Vistant, where I manage our client program, the Digital Apex program, through USAID. Outside that, I'm responsible for the company's digital strategy. And then I also serve on the board of the National AI and Cybersecurity ISAO. Previous to that, I was a federal employee and then also spent eight years in the US military in the special operations community as an intel analyst.


[00:02:50.630] - Aaron Stillman

All right, well, let's go ahead and dive in. It's been sort of enlightening having a chance to prepare for this with the two of you. I've been learning a lot, as I did just start working at Tresorit, so it's been a great experience. At Tresorit, we focus on the end-to-end encryption around storing, signing, sharing digital files, and that could be internally, externally, across time zones, internationally. It could be a picture, a video, a document, you name it. So, when we talk about the challenges for NGOs, what are really, in your opinion, the primary challenges that an NGO faces from a cybersecurity perspective when talking about these files? Jason, maybe you can kick us off.


[00:03:41.590] - Jason Keller

Yeah, I think the short answer is that we find many NGOs are possibly the most at risk in the broader community. It's something that's not talked a lot about across all the sectors, but at the same time, their resources are probably the lowest. So, they're facing nation-state level actors with a budget that most small businesses would probably be happy to have. Pardon me, vice versa: most small businesses probably have more. So, it's a very significant issue, and it's one that's affecting how democracy is spread, how journalists get information out of harsh areas and a broad range of other issues.


[00:04:31.430] - Aaron Stillman

James, what would you add to that?


[00:04:34.070] - James Eaton-Lee

I think that's the right answer. The problem is big and the tools are small. Right. Non-profits are a huge and diverse space, and many of them do things that are potentially not particularly commercially interesting to attackers, or where they're not working with at-risk communities. But many of them are. Some non-profits work with the most vulnerable communities on the planet. People who, just by virtue of talking about problems, governance problems or human rights problems in their country, are at risk of targeting or of imprisonment or potentially even death. Or communities who've been displaced, who are fleeing conflict or human rights violations, potentially in large numbers, being discriminated against. So, the data that many NGOs hold is extremely sensitive and extremely interesting to many state and non-state actors alike. And the tools that they have for protecting that data tend to be limited. We've seen a crunch worldwide in the last few years, particularly given sort of austerity and economic challenges in charitable giving. And the funding that NGOs have to invest in technology, and by virtue also to invest in cybersecurity, comes out of an increasingly shrinking pot of funding which is heavily restricted, and not unreasonably.


[00:05:48.580] - James Eaton-Lee

We want a large proportion of the funding that we give to sort of social impact causes or public good to go directly to the mission. But it also makes it very hard to allocate funding to make sure that that mission is undertaken with integrity and with safety. So, I joke sometimes with colleagues in the private sector that it's a bit like playing a video game with all the difficulty sliders set to maximum. And I think it's true. The challenge is huge. The tools are small, and then the way that NGOs work is very complex. They have very porous boundaries. They often have large networks of volunteers and partners. The data flows are very messy. And as Jason alluded to, there is an increasingly large stable of threat actors, of states, who have very sophisticated tools for targeting them and, frankly, can just out-invest them, while the barrier for entry to attack is constantly decreasing. If you follow the news, you'll see the wave of spyware or ransomware attacks. All of these are supported by a huge commercial marketplace, either a grey market or an underground market, but actually also a commercial market of tools. 5, 10 years ago, we might have talked about state actors attacking sort of non-profits or corporations and thought of very wealthy, high-income countries.


[00:07:01.290] - James Eaton-Lee

Actually, now it's open to almost any state or even non-state actor who is party to conflict. And we're seeing that sort of targeting of NGOs has been a feature of almost every recent humanitarian crisis or conflict.


[00:07:15.690] - Aaron Stillman

Yeah, my big takeaway after hearing that, and having a chance to talk to you guys, is that people in your position with your titles have to be even more creative and innovative than presumably others who maybe have a bigger budget to work with. So, this next question is a bit of a softball for the two of you, I know, but for the audience, it helps continue setting the stage today. And some might say, well, doesn't SSL just make this problem go away, since encryption is already in? You know, we know what the answer is, but I think hitting the nail on the head and really calling it out will help for the rest of this conversation. So, James, why don't you answer first for this one?


[00:08:04.250] - James Eaton-Lee

Sure, yeah. Of course, we can end the web. No, I'm kidding. Of course, it doesn't make the problem different. Security safeguards do different things. When we say sort of TLS/SSL, we're talking about the ubiquitous encryption that we use day to day when we interact with websites or other resources on the Internet. And sometimes if you talk to a cybersecurity professional, they'll talk about encryption at rest and encryption in transit. Clever math that protects data that we're working with when we send it somewhere, in flight, or when we leave it somewhere, when it's stored on a hard disk or a solid-state drive, or somewhere else where it's at rest, both using techniques that have been around since the that are a ubiquitous part of our modern life. They're great tools. They defend against certain things. If someone's sitting between you and your online bank and you've got the padlock in your web browser, you're using TLS/SSL, then you can be reasonably sure that somebody isn't listening in to what you're doing, provided they're not investing a huge amount of money into unpicking that complex math. But I kind of alluded earlier on to threat actors.


[00:09:12.230] - James Eaton-Lee

We use these pieces of terminology in the cybersecurity space to think about the engineering, the composition of attacks, and the landscape around us. And we often talk about threat models. We talk about the things we want to defend against so that we can plan around them. And of course, if the data in between you and your online bank is encrypted, but somebody's on your laptop, it doesn't really matter. They can read it straight out of memory. They can read it off the disk. So, you have to match the safeguard to the problem. And that means encryption that potentially follows data around, and it means multiple layers of defense that mean that if one safeguard is compromised, others aren't. And so, no, of course, it's a little bit more nuanced than that, is the short answer to the question.


[00:09:56.670] - Aaron Stillman

Yep. Jason, would you have anything to add?


[00:10:00.130] - Jason Keller

Yeah, I'd just put on my old national security hat and say that there's a reason why organizations, especially highly developed security offices, have classified information. We start with unclassified, we go up to confidential, secret, top secret in the US government context, and it all comes back to concepts of defense. You know, if you want to protect something that's in the house, you start out with a fence out on the porch, then you've got a camera, then you've got a lock on your doors, then you've got a lock on that bedroom. And then the data is in a safe. Well, if we really strive to keep people safe in these harsh environments, in these high-threat environments, then we need to do more, especially with that data that is the most sensitive.


[00:10:51.070] - Aaron Stillman

Yeah, I love that analogy that you use, and I would apply it to my own personal life. Right. There are some things that I couldn't care less if Jason or James knows, but there are other things, maybe the pictures of my children, that I don't really want anyone to be able to. So okay, the next is really about risk. And so, we've started talking about it a little bit. James mentioned the threat modeling. So, what is the risk for an NGO that does experience a cybersecurity attack resulting in these digital files being compromised? Jason, why don't you start us off on this?


[00:11:29.850] - Jason Keller

I mean, it's very broad because at the end of the day, the NGO community does just about everything that you can imagine. It kind of reminds me again of the military days. You know, the US Army is just such a massive organization that they have just about every type of business process you could think of. Whether it's an organization doing an investigation against human rights abuses and they've got a source, and that source can be disappeared, if you will. Or you've got an NGO example: the Special Olympics were hit a few years back, where I believe it was their New York chapter, and organizations got in and were sending out spoofed emails to their donor list and affecting the relationship with their donors. And anybody in the NGO community knows if you lose your monthly and annual donors, you've got a big problem. So, it really goes across the scope from the financial risk all the way to the real human life, putting people in danger. That's the risk that exists in this space, and it encompasses just about everything that you can imagine.


[00:12:49.030] - Aaron Stillman

James, anything you would sort of tack on?


[00:12:51.500] - James Eaton-Lee

I mean, I think that's the right answer. At their core, any non-profit has to be a commercial organization. It has to make funds for what it's doing, however it does that. And if you're watching the news cycle at the moment, we can see the commercial consequences of large-scale cyberattacks against businesses, which start just with availability problems: you lose access, you lose the ability to transact. Maybe that means you lose the ability to take donations or sell goods which make you money to invest in your program. But the consequences then become more relational consequences. Any non-profit exists as a result of the good graces in which it's held by its donors, by public institutions that fund it, by philanthropic partners or other sorts of partners. And those relationships are built and brokered based on trust. Trust that the sort of time and treasure that it expends are going to be used wisely in order to produce social impact, in order to produce public good. And when we essentially lose control of what it is that we're doing, when we cause harm that we didn't mean to, or when we're ineffective, we lose that trust, and not unreasonably.


[00:14:01.950] - James Eaton-Lee

So, the second problem there is trust, which many non-profits have invested decades or even longer in building up. And a colleague of mine said once, it's like rock climbing. It takes a long time to get up and it's very quick on the way down. If, you know, I think the North Star for many of us, then, is absolutely the point Jason made, which is that the range of things non-profits do is vast. It includes running water and sanitation systems in refugee camps. It includes protecting people who are fleeing conflict, physically protecting them, protecting women and children from various sorts of abuse, working with human rights defenders in countries that really don't like human rights defenders or journalists or activists. It includes governance programs that are trying to ensure equitable, democratic governance in countries worldwide or monitor elections. It includes more things, really, than we've got time to discuss in the webinar, but where the consequences for individuals and communities are extremely real when things go wrong. There are many crises, unfortunately, on our planet, where there are populations who, for religious reasons or ethnic reasons, have been persecuted within the borders of their own countries for decades, and where, if we lose data on them, we have a very real opportunity to cause very serious harm to those individuals.


[00:15:23.500] - James Eaton-Lee

And quite aside from the trust piece or even the physical harm piece, we're organizations who have very deep roots in human rights, who hold principles of do no harm extremely dear, and the consequences to us, to individuals, and to our ability to execute our mission if we break those principles are in some instances pretty unthinkable.


[00:15:45.230] - Aaron Stillman

Yeah, it really does remind me of a webinar that we did recently with Nobel Prize winner Ethan Gutmann, who talked a lot about crossing borders and going into different countries, and the risk that is run if the data is exposed, the files are compromised, whether you're a reporter or someone who was talking to the reporter. So that really resonates. So, we know factually that regulations, compliance, politics impact NGOs in a lot of different ways, and cybersecurity. And so, the question for you guys is, if you had a magic wand that you could wave and make one change, what would that change be? And I keep going back and forth. I've lost track of who got to answer first last time. So, let's just start with James and we'll go from there.


[00:16:43.620] - James Eaton-Lee

Well, this of course is a very tricky problem, and we've been talking, I suppose, mostly so far through the lens of cybersecurity, which of course thinks about safeguarding assets and resources so that we can continue to do useful, necessary things. But for many organizations, these are also compliance problems. Compliance problems which are sometimes cybersecurity compliance, where we have regulations that say that we have to do those things for legal reasons far beyond our sort of moral or pragmatic inclination to do so, but also which relate to other principles of good or fair information processing. There are very few countries; I think UNCTAD tracks 190-something countries, of whom 130-something have data protection legislation. Data protection legislation is slightly broader and says that, far from just safeguarding data, we also need to use it in a way that's fair and respectful, and that means all sorts of things, from communicating how we use it to giving people rights over it. But frequently data protection legislation includes constraints on how we can transport data across borders. And in Europe, if you watch the Schrems litigation, this has been a pointed issue for many years, that when we move data sort of downhill, as some people will say, from Europe to third countries, it loses protection.


[00:18:01.070] - James Eaton-Lee

And whatever your view of the Schrems litigation or these frameworks, almost every sort of developed data protection framework has some treatment of this problem, which intellectually is a good thing, but very complicated. And if you're a multinational, particularly if you're an NGO and you're working across borders, you may have dozens and dozens of different bits of regulation that you need to comply with. And some of them are less progressive; some of them will say don't take data outside our country's borders because we want to leverage it for economic benefit, or, very few legislative frameworks are quite this open, because we want to surveil it, because we would really quite like to keep tabs on what it is that you're doing. And just in terms of cost, just in terms of administrative overhead, if you're a complex organization, this is messy. So, my magic wand, I'd love to make that go away. I'd love to have a unified framework of equitable, kind of socially cohesive privacy legislation that is fair for everybody and works across borders, which I suspect we're a little way off from. But in the meantime, there are other solutions that we can use to try and simplify the problem.


[00:19:11.550] - Aaron Stillman

Yeah, just a little way off from that. Jason, what would you wave your magic wand and make happen?


[00:19:20.530] - Jason Keller

That's a hard one. If I could do it just immediately, I would say just creating a CIO and CISO shop for essentially all of the different NGOs that we work with that have people at risk. And that's just the derivative of the next thing that I'll say, which is we need to try to look at opportunities to build requirements to keep data safe and to keep operations safe from cyberattacks into as many funding vehicles as possible. There are countless organizations that provide support to other NGOs, from the development community to foundations and others, and then all the corporate social responsibility organizations that are out there supporting different NGOs. The more that they can say, hey, yes, we want to help you digitize, we want to help you do the business that you do better with technology, but then we also want to protect those things. And that's becoming even more relevant as organizations come online and more threats are encountered every day.


[00:20:31.770] - Aaron Stillman

All right, well, I think now we're going to stop with the ping-ponging and get really specific about these questions. So, this one is dedicated to you, James, understanding and getting to know you a little bit better. If you could talk through and describe a little bit the solutions that you've seen NGOs implement to mitigate the risk that we've been discussing today.


[00:20:59.490] - James Eaton-Lee

There are a whole variety, some technical and some non-technical. Actually, picking up on something Jason said, and I'm sure we'll dig into this in further questions, part of the solution to these problems is social or communal, that we align together, that we work together for better outcomes, because it's a difficult problem that's outside the ability of any one organization to solve individually. But in terms of the technology, NGOs are very much like normal businesses. They use email, calendaring tools, word processing. Most of them will use productivity suites, their Microsoft 365 suite or Google Workspace or something like that. And most of those platforms come with some kind of encryption built in. They almost all come with other security safeguards. But coming back to the question that we were chatting through earlier, the sort of at rest and in transit question, typically they leverage this type of encryption where, from point to point, between my laptop and the cloud, data is encrypted. And when we think about those defense-in-depth models, when we think about particularly some of the more challenging contexts in which we work, it doesn't always cut it. NGOs are actually fairly early adopters of the cloud in many instances, often for cost reasons, because it sort of reduces the capital expenditure of their broader IT programs.


[00:22:21.850] - James Eaton-Lee

It's quite good in many ways. They benefit from quite up-to-date, modern safeguards and sort of well-integrated threat hunting capabilities in the cloud. Often, they're not using some of the more sophisticated things in cloud platforms, data loss prevention tools or some of these kinds of more sophisticated cryptographic techniques. Again, also often because of cost. Like any industry, we'll have our own tools that are sort of line-of-business tools. If you're a health NGO, of course you're going to have patient record management systems, or systems for sort of dispatching staff in crises if you're an operationally deploying NGO in that sort of fast-moving environment. Or if you're working longer term, you're probably going to have data collection tools for working with communities and gathering information on what they need or where they are or what needs fixing. Some of these tools integrate cryptography in other ways. Some of our more sophisticated tools sort of have data-layer encryption. Going back to Jason's metaphor of the house, you think of the doors and windows maybe as your perimeter network, your firewalls, maybe your transport-layer encryption. You lock your valuables in a safe.


[00:23:32.940] - James Eaton-Lee

And in the world of data encryption, that's perhaps encryption that follows the data around itself, whether at a sort of record level or at a file level, data is encrypted. So even if your laptop is compromised, or even if your mobile device is compromised, the data is sitting in an encrypted silo where it's less useful to an attacker. And we do have tools like that. They're not ubiquitous, they're not integrated. That kind of cryptography is not integrated into most of the tools that we work with. And of course, there is a whole realm of different cryptographic techniques, homomorphic encryption, various promises with tools like blockchain or other kinds of privacy-preserving technologies, whether or not they're strictly speaking cryptographic. And those show promise, but they're not widely implemented. I think for most NGOs, the state of the art currently is a relatively traditional sort of at rest and in transit encryption, often leveraging good cloud tools that have it integrated end to end, which is good, and it's absolutely tech that we should be adopting, but it doesn't necessarily put us in a great position to be able to respond to this sort of emerging storm of threats that we see with the kind of landscape that we were presenting.


[00:24:41.390] - James Eaton-Lee

In answer to some of the earlier


[00:24:42.580] - Aaron Stillman

questions, what's interesting about what you said, from my perspective, is that even though I'm pretty new to Tresorit and I've only joined a few months ago, I've been digging into the data and talking to customers. And whether it's an NGO or not an NGO, what you said really resonates as far as the adoption of these productivity tools that don't always go as far as needed when it comes to the security, which is often why we end up having these conversations and they become customers of Tresorit. It's also why, from a strategy perspective, we've integrated with Microsoft and some of the other tools out there, so that you can have the productivity but also have the safety. So, everything that you just said really aligns with what I've been seeing as I've been onboarding. This next question is now for you, Jason. So, you're a bit more intimate and familiar with Tresorit compared to James. So, if you could just talk through a little bit around the decision-making process, describing what led to choosing Tresorit as a way to mitigate the risk that we've been talking about.


[00:25:55.010] - Jason Keller

You know, I wasn't quite around when we first started our relationship with Tresorit. I'm still a little new like yourself, Aaron. But at the end of the day, we have some customer sets that are, you know, engaging with aggressive organizations, threat groups, whether they be domestic to themselves or when they're traveling abroad. And their data at rest, especially sitting on their laptops, phones and others, is absolutely something that can put their physical lives in danger, but also the folks that they're working with. So that's one start. Outside of applying those tools, we definitely spend a lot of time on training as well, getting training to the individual employees across the organization just in basic information security, obviously critical. But then when we're adopting tools like Tresorit or otherwise, making sure that we're training people up to show them how to properly employ those tools. Because if it's just sitting on the laptop and not being used, as we've seen in other situations, it's not doing much to help the security situation. So, you not only have to provide tools, but you've got to get adoption. And for adoption, one of the biggest pieces is going to be training, and then second from that is going to be the leadership and how they're putting a focus on information security.


[00:27:33.550] - Jason Keller

And it's got to start from the board level of the NGO, flow through the CEO or the executive director, and then the other responsible parties from there.


[00:27:44.390] - Aaron Stillman

Yeah, I think for all SaaS companies you could say usability is critical. But in particular within cybersecurity there's often this trade-off between trying to make sure it's user-friendly and trying to make sure it's secure. And that's an area where I think companies really need to focus in order to ensure the adoption, the ease of use. And I know it's top of mind for us at Tresorit and probably other companies as well. I'm conscious of the time. So, we've got two more minutes. I think we can squeeze in the last question and then I'll go to the Q&A and see what the audience has for you. So, this last question is: you're both very seasoned and experienced gentlemen. If there was one lesson related to the conversation we've been having today that you've learned in the past the hard way that you'd like to help people avoid, what would that lesson be?


[00:28:46.490] - James Eaton-Lee

It's a good question. Maybe kind of tying many of these threads together. It's a difficult problem for non-profits. It's outside the ability of any one non-profit, even non-profits who are blessed with sort of unrestricted funding or discretionary funding, to out-invest attackers. The bottom line really is that we only win together. It's a team sport. We have to align, we have to integrate, we have to work through community, and in quite a structured way. For me at NetHope, we've been building communities of non-profits around technology issues for 20 years. For us, one of our flagship projects is a thing called an ISAC. Jason mentioned sort of ISAOs earlier on, which are structured communities that band together to share information about threats and attacks in order that they can respond more effectively, and then do other things like group procurement or offer other services to their members. One of our flagship projects at the moment is building one of these for the humanitarian ecosystem, which currently has no convening mechanism, no integration, no way of sharing information about attack and defense in any structured way in order that they can be stronger and better together.


[00:29:56.270] - James Eaton-Lee

There are lots of ways of working together and aligning. ISACs are just one of them. We think that's a pretty good solution for this particular community of non-profits. But I think the team sport dimension is one of the most critical things, because this problem is not going to get any smaller in the next sort of two, three, four, or five years. It's not going to go away. And for anyone who's kind of looking at the size of the mountain already and wondering how to climb it, get some friends, find a group of people who are already tackling the problem, join the rest of us. Or if you're another actor in the space and you're trying to work out how to make the problem smaller, come and invest in our climbing mission, and it will make the problem more malleable and make it more likely that we get to the top of the hill.


[00:30:39.250] - Aaron Stillman

Yeah, that's a life lesson. I feel like I could say that to my son about anything. All right, how about you, Jason? Anything that you would share as a lesson learned?


[00:30:54.110] - Jason Keller

What I would say is engaging in the conversation now versus later. Whatever your position is within an organization, if you are cognizant that your organization is facing risks, which I am certain that they are, starting the conversation internally and sharing what you think needs to be done, that the organization needs to make investments X, Y, Z with regard to the technology stack and keeping it safe, awesome. Outside of that, I would say: be humble and ask for help. We are a community. There is a real NGO community. And while some may be risk-averse on how they interact with other organizations and how they reach out, how they share their story, I would say it's absolutely vital to do that in this space. Again, we have nation-state level actors, highly advanced actors, going after these organizations, and through organizations like the Global Humanitarian ISAC, our Digital Apex program, and a wealth of other resources that are out there, there are ways to get help. All people have to do is raise their hand and say, I'm willing to work with you to get something done to keep my operations flowing, to keep our beneficiaries safe.

 

[00:32:24.390] - Jason Keller

There's people out there that are willing to help, and all you got to do is stand up and be willing to accept it.

 

[00:32:31.310] - Aaron Stillman

All right, well, thank you both for going through all this. I'm going to pull up the Q and A right now and just see who from the audience has a question for us. Okay, it looks like we've got one question that we can squeeze in. I know we're three minutes over, so we'll take one and we'll follow up with everyone afterwards. So, the question here is, how will emerging technologies or generative AI impact NGOs in cybersecurity? So, I think the whole world is talking about this technology. What would you guys say in relation to NGOs and cybersecurity? Maybe, James, you can kick us off.

 

[00:33:24.640] - James Eaton-Lee

Sure. I mean, as with any emerging technology, these things are opportunities and challenges, right? And the challenge of the opportunity is harnessing it wisely. Many non-profits that we're working with at the moment are trying to figure out how they embrace these technologies and their missions to reduce cost or increase the scale and scope and effectiveness of what they do, which is great, but it's difficult to do that. It's difficult to work out how you embrace emerging technologies with sort of unique risks without kind of introducing more harm than the good that you're doing. And that problem remains pretty open with the sort of current generation of AI and machine learning technologies, from sort of biases when making judgments to all sorts of intellectual property issues, to how appropriate, how trained, how tailored, how tested some of these technologies are, particularly when they're developed sort of in the global north and they're not trained on data from communities where they're often being used. It's very tricky to use them well, and, alluding to some of the questions and challenges we were talking about before with resourcing, getting the governance right and for non-profits to find the balance between innovation and responsibility is really difficult, distinguishing between the cybersecurity risk and sort of other compliance and ethical problems.

 

[00:34:55.140] - James Eaton-Lee

And this is just a whole minefield across those domains. But in terms of cybersecurity, people will sort of say things about ChatGPT at the moment writing really effective phishing emails, and well, that might be true, but for me that's not really the point. The scale and speed of solutions fundamentally affects their quality. When we sort of invented the ability to weave cloth more effectively using machinery, it didn't just mean more shirts, it meant a fundamental change in the way that the workforce kind of worked. And it's the same with this. As an attacker, types of vulnerability, types of technical flaw that were very difficult to identify and exploit five or ten years ago required very sophisticated individuals who were highly skilled. I worked in attack for many years, and logic flaws or kind of authentication issues in servers have historically been harder to sort of exploit in an automated way than bugs like sort of SQL injection, things that have patterns that are easy to recognize with basic logic. It's no longer the case. Even now, the sort of current generation of AI and ML is taking bugs that were previously difficult to exploit and making them much easier.

 

[00:36:07.710] - James Eaton-Lee

And what that means is the bar is much, much lower for attack. We have a colleague at Cisco, Wendy Nather, who has this great line she will often repeat, that the game used to be you don't need to run faster than the bear, you just need to run faster than the other hiker. And it's no longer true. It's absolutely the line. You can now, in a way that you couldn't five years ago, attack every host on the Internet, or discover flaws in every host on the Internet, or increasingly exploit every kind of bug with a button click. You can generate the code, you can automate, you can run at scale. And attack and defense always run in these cycles where attack develops something and then defense catches up. And that's the cycle we're in at the moment, where attack is ramping up on AI. All of these tools represent opportunities for defense as well, data analytics and other stuff. But it's going to be messy until that cycle catches up. And I don't think it's quite in sight yet, particularly for organizations who will for a while have a subsistence-level relationship with this technology, which is inaccessible to them and difficult to license and hard to use.

 

[00:37:10.840] - Aaron Stillman

Yeah, it's a new world, that's for sure. Jason, what would you say, if anything?

 

[00:37:19.150] - Jason Keller

Yeah, so on this topic, I would switch to the adoption piece. So, if your organization is spending $10 on it, you need to have spent money on security, on your data privacy program, on building secure APIs, et cetera, before you can take the step to adopting AI/ML. If I can go in and create an injection attack and change your data, the tool that you're using, I have no hesitation on being able to change the results of those tools. So that's a critical piece. And then second is that AI/ML has its own flaws baked in. I think we've seen a lot of that coming out around the adoption of ChatGPT and other tools. So, we've got to keep up on that, whether it's a physical-world hack to shut down your driverless car or breaking in the back door, changing your data so that your AI has heavy biases against certain ethnic groups. At the end of the day, the adoption of AI and ML introduces new technological risk to the organization, and that has to be understood before it's truly gainfully employed. And then second to that, just on the attack side, I have just been incredibly intrigued as to what tools have been built out with this.

 

[00:38:56.410] - Jason Keller

As James noted, just automatic scanning tools that can identify what is the easiest target out there to go after from a range of IP addresses. It's really scary on that end. And then with the antivirus tools that we've got now, they've actually shown that we can edit malware and introduce noise into malware to get past antivirus tools. So, while there's a lot of opportunity in these spaces, people need to understand that there are also new risks coming out each and every day, and that people are learning how to exploit those risks. So, we need to kind of band together and see what we can accomplish as a community to halt these problems.

 

[00:39:49.130] - Aaron Stillman

Yeah, I think that's spot on. And I just like to one more time thank the two of you for not only joining the webinar and talking to me, but all the time we had to talk prior to this webinar. It's been a real pleasure. Thanks, everyone who joined. I think that's a wrap for us. And so be on the lookout for the recording and don't hesitate to reach out if you do have follow up questions. I think that's it. Thanks, everybody.

 

[00:40:20.530] - Jason Keller

Thank you. Bye.