
Cybersecurity Insights: February Review & Current Trends Join us in this comprehensive discussion on February's cybersecurity highlights, featuring experts Laura Payne from White Tuque and David Shipley from Beauceron Security. We delve into...
Jim Love
This is our Cybersecurity Today month in review for the month of February. And welcome to Laura Payne from White Tuque.
Laura Payne
Thanks Jim, nice to be here again.
Jim Love
And David Shipley from Beauceron Security. Good to see you, David.
David Shipley
Always a pleasure to be here. Thank you.
Jim Love
It's been the month of months but actually I usually hate to say this but even though cybersecurity is depressing, some days I actually find it better than politics. But this month has been a pretty big shakeup and there's been a lot of things happening that have I found and maybe this is, this will come up as we talk through some of these stories. There doesn't seem to be the volume of attacks, but the attacks are bigger, badder and smarter. And that was if there was a theme for this month that was coming at me like a freight train.
David Shipley
Generally agree February has been a time, but I want to actually be the rare moments where I'm going to bring some good news into frame on the cybercrime site. I know legit what David's going to be. Still my fake of David.
Jim Love
Yeah, that's what I'm wondering. Who are you and what have you done with Shipley?
David Shipley
So listen, things going to be dark when you get. Normally the naysayer is going to say, you know what, there's some bright light here. But let's start off with some pretty huge wins in Canada by police agencies. So we've got work done by the Ontario RCMP, we have work being done by the Toronto Police Service and others rolling up fraudsters and cyber-enabled fraud. The overall story for 2024 in Canada, not good, up 20% from 570 million to 670 million. But seeing some of these locals in country folks nabbed for this with one couple allegedly and accused of potentially hitting as many as 500 plus victims and a substantial amount of money in a variety of different cyber-enabled fraud scams. Seeing them actually get some wins, this is good and we are seeing some significant progress on finding folks. The folks that they're rolling up have violated David's number one rule of cybercrime fight club, which is you don't hack in the jurisdiction that you actually live in because they will come get you. Glad we're seeing some action up. But we are also seeing more and more of these stories hit the media. There was one in Canadian national news of an individual who lost $750,000. They were trying to go find a better GIC rate. They were a senior, retired senior. This was their life's earnings and they went to Google, saw an ad for a better GIC for their financial institution. This particular financial institution actually didn't do that ad, it was a criminal placed ad and got himself caught up into a scam and the money's gone. We're seeing that. Your point about cybercrime activity? The flourishing amount of activity is happening at the individual cyber fraud level, the big cyber attacks, because they've been getting the whole of government response. This is the shift away from where the cops are going to be. So that's not necessarily the happy part of the good news. We are seeing police try and respond to this threat, but we are seeing the threat explode.
Jim Love
Yeah. And in Canada, my two things, one is, I think if we just go through. Let's just recap this story because this is an interesting story and I love your fight club analogy because I think it is. I, I hadn't thought about it in those terms but the. David is our culture critic so we have to. There was a couple, I think living in rather nondescript town, used the software, which was one of those hacking as a service things that allowed them to spoof numbers very effectively. And they'd gone through and fleeced a number of people, I think several hundred. They were in the top 28 in the world or something of users of this hacking service. But basically it was to defraud innocent people who probably can't even afford this and to rip off, rip them off for their retirement savings and all this sort of stuff. So they get my special place in hell award. But and this is what one of the things that. And I'm going to get semi political here when we talk about putting cops at the border and things like that's fine with me. But don't take them out of cybercrime.
David Shipley
You know and yeah, no. And I'll tell you right now, the RCMP is moving money out of anti fraud and other things into these frontline national security issues. Make no mistake, it was happening before. Dealt with that mentality before you give the mouse the cookie, they're going to want your national sovereignty. Whoops, sorry, I may have gone political. That was just.
Jim Love
Let's refocus. This is not political. This is not, this is just not being stupid. And when you leave, these people don't remember that for the cops to do this is five international police forces or whatever, two or three jurisdictions in Canada cooperating with each other and they'll spend 12 months where you know, sometimes off the side of their desk because they care so damn much. And and they'll put this whole thing together to catch these two people. And maybe. And for everybody who's listening out there, wherever you are, that informal cooperation between those police forces is so important because cybercriminals don't. They're not always as stupid to pee where they play or whatever. You don't mess around in your own home. They normally play around in another jurisdiction. So first of all, if they collaborate, we're in good shape. But also it takes just an amazing amount of dull work to pull off something like this.
David Shipley
And what's interesting is when you look at the Russian cybercriminal gangs and thanks to the Black Basta chat leaks, which has been absolutely fascinating, someone actually dumped there was one of the Black Basta members, the Russian ransomware gangs. They had a bit of a spat as these things have now become the culture. When your ransomware group falls apart, you leak your internal chats. But when you look through that chat that the decision, controversial decision by this Russian oriented group to target a Russian financial institution generated significant consternation because a bunch of people really didn't want to get pushed out of the upper floors of an apartment building because that's how justice gets done there. And you used to see back in the day, early versions of ransomware and I don't know if you Laura, if you ever saw this, but they used to go do a language checker for the languages that were installed on the computers. And if you had Russian Cyrillic installed, they wouldn't execute the ransomware. They had a little bit of a trigger, which then a whole bunch of security people actually loaded Russian language defaults onto machines to act as a really cool security control. But the Russians have learned that you don't play in your own backyard rule painfully generally. Canadian cybercriminals have been smarter. But it is nice to see these wins.
Jim Love
Yeah. And for those who missed this story, this was another fascinating story that happened over the past couple of weeks. This was somebody in one of these groups got ticked off and they released a whole pile of chat of documents. And then here's. And you'll even like AI for this one, David. Somebody put together a GPT and we referred to it in our story and maybe I'll put a link to it in the notes so you can find it. But it's probably pretty easy to search if you use ChatGPT. But they. You can actually use AI to search all of these things. Just asking questions and finding out what these guys are talking about.
David Shipley
It's interesting because you've ever Wondered if your startup problems are common across other quote unquote. Yes, they are.
Jim Love
So what's, what's one of the stories that. That have been getting to you this month?
Laura Payne
Oh my goodness. I think there was a pretty interesting one actually. You don't want this is going to wait a little bit into the politics because it's nation state again. But we have our new biggest bank heist in history with $1.5 billion in cryptocurrency leaving the hands of somebody in Dubai and moving into the hands of the leader of North Korea.
Jim Love
Yeah and that's forget checking the go see if the gold is at Fort Knox. Find out if your cryptocurrency is still there. I still, I tried to follow this and this they have. They have cold wallets where they're detached and that's where they store the main parts. You're laughing. David, help me out on this.
David Shipley
So the philosophy of buying cold wallets is the same as whenever I hear someone tell me that our OT network is completely isolated from the Internet.
Jim Love
Okay. So you have to. These cold wallets, you actually have to connect them to a warm wallet to do transfers. But a billion and a half dollars worth of crypto. My question was what like wasn't somebody thinking maybe we should be really careful with this?
David Shipley
So in their defense there, there are a lot of things that were set up for this and this pains me. It's almost like a root canal. You gotta give it to the Lazarus Group on this one. This was a well thought out supply chain poison. The software that's used for the multi signature required smart contract moving process from warm to cold wallet. These this is what an APT does. They've got planning time. They can think it through. They've got patience. They can go for the big score. This is the Ocean's 11 of cyber, right. This is.
Jim Love
Could I be Dean Martin.
David Shipley
The handsome North Korean version of George Clooney and their little merry gang. They've done it. And Laura's right.
Jim Love
Thank you for updating it to the recent century.
David Shipley
Yeah, the. The previous sort of champion round for an attempt at a bank heist was the infamous Bangladeshi bank heist which is allegedly also a North Korean group which almost got 800 million but they only ended up with 50 million and they were some of that they recovered, et cetera. But that was old school compromised the wire transfer system that's used around the world. Horribly outdated. But again it was isolated air gap network. These folks find a way. And I'll end off with my usual Jurassic Park reference. It's like that moment where Jeff Goldblum's character turns around and goes, life finds a way. North Korean hackers, man, they find a way.
Jim Love
I may edit this out, but how many times have you actually seen Jurassic Park?
David Shipley
Anytime.
Jim Love
You could recite the entire script almost.
Laura Payne
For those who aren't seeing it, David may have gestured about 15 times.
David Shipley
No, 30.
Laura Payne
Sorry. Double hands.
Jim Love
So let's go back on this one because I think there's a lot to unpack there that you said. First of all, this was an incredibly well planned piece. There were a lot of moving parts. They must have been thinking about this for quite a while. And they put a lot of things in place to beat the controls that they had. The other thing that amazed me was how fast you could disperse this money. Now, just to put back on this, there was a gold robbery this month and they think they'll never recover all the gold. Why? Because once you get gold, you melt it down. It's. It's. You can't tell your gold from somebody else's gold. So that's a big thing. But gold's heavy. You have to actually move it. They manage to get a billion and a half dollars worth of cryptocurrency and launder it in a matter of a day. I don't know. And to places where it won't come back from. There are some of these networks, and I can't figure out how that works, where you've got a network that's plugged into an international network of cryptocurrency and they can disperse stuff and they won't do anything to unroll a theft.
David Shipley
Yeah, it's brilliant in its execution. It's. You will probably find at the end of the day that it's three swirls in a phishing email is what started this off. And you get in, you do your reconnaissance, you understand the supply chain. But this is what resources do when you can think through a problem. And what's interesting about this is obviously there's a key financial need for North Korea to access currency to prop up its regime. It's the most isolated country in the world in terms of sanctions and other things. While it's made a boatload of money selling artillery shells to Russia and farming.
Jim Love
They got paid in rubles, though. That's the problem.
David Shipley
Right. It's almost. It's almost as bad as Canadian Tire money. I love my Canadian Tire money. For the record, I have bought many things.
Jim Love
Some days I'd rather have Canadian Tire money than Canadian money. Trust Me so.
David Shipley
Fair point. My point being they've gotten really good. The problem for all of us to think about is that when you get this good, when you have to be this good and you get this good and you're at that level, think what they can do now in critical infrastructure in other areas that are not trying to spend the money like I'm sure Bybit was spending to try and protect billions of dollars in cryptocurrency. And you're developing capabilities and skills and thought processes, these intangible things.
Jim Love
So we covered two stories. One, I think, does affect us. And for anybody who, like I said, if we're talking about cybercrime and fraud, everybody's got a relative, everybody's got somebody who's vulnerable. Even if that's not a corporate thing, I think you have to pay attention to that. This cryptocurrency thing is really an amazing story to watch. A couple of things that just hit close to home. One was, and I was shocked that this still existed in Microsoft software, but there was a botnet out there doing password spraying. The accounts that operate behind the scenes, and we don't see them all the time, but they're logging in for us and all these various APIs and all these things. And in some cases still with plain text and a password. And it's ubiquitous. You log into a website, you log into one page, you go to another page, you have to keep that alive. It either exchanges a token in some cases to keep an application alive, it'll keep logging in for you with a password and an id. So manipulating that, there's this huge botnet that's doing all this password spraying and being able to try and log in for you and take over your session. But they were taking over Microsoft 365 accounts. That was what was amazing. And that. And then I discovered Microsoft hasn't fully phased this out yet.
David Shipley
Thank you.
Laura Payne
Legacy interoperability. Yeah, and thanks to not giving us security settings by default, although I think that one maybe is now on by default, that's disabled. But there's a lot of accounts out there that were set up in earlier days of M365, and they have that still open and enabled and easy picking for anybody who just wants to brute it. Right?
David Shipley
Absolutely. And legacy is hard. Tech debt is real. You have this paradox where you may be turning off basic auth is the thing you have to do because the threat environment. But if you did that without a replacement, viable plan and testing of that replacement, you're going to actually cause more harm than potentially what's happening back and forth. And this attack surface and I do like the labeling of these, what they call non human identities, service accounts, API access, et cetera. We can't even get the flesh and blood identity and access management working well and then you're talking orders of magnitude more non human identities to try and manage. And then I will say this, the next layer is agents. All of this chatter about what AI and LLMs could do in terms of automating actions acting on our behalf, that's going to be another explosion in the amount of non human identities you had, humans Iot and systems and software and then boom, the atomic blast of what could be AI agents and that's going to shift the attack surface massively. And Laura probably speak better to this than me is the ability to attack software is still far faster, easier and better than the ability to defend software and services. I don't know if that makes sense.
Laura Payne
Yeah, what's hard to think of like the whole banking system in Canada and something that becomes a risk to it being pedestrian. But the times we're in, but the push towards some of the fintech adoption rules and the way it has been accomplished so far has basically been people just trust a service, hopefully it's a good one to take the credentials that they use for their banking, hold those credentials and then access their banking services. And I think, I hope it's obvious to our listeners, if you're not a first time listener, the reason that's bad is because that service, if it's compromised, can now act as you and do any of the actions you could perform in your banking. And that's been how interoperability, quote between these fintechs and banking has been done for years. If it's going to be true fintech integration, open banking, we're going to need to allow people to create these service accounts for their individual banking services. So we're actually now getting to where this was typically a problem of businesses. Right. But we're going to see, or we should, fingers crossed, we'll be seeing the right thing which will be all of these sub accounts starting to be created or these sub permissions being created by individuals too. So it's really going to be very interesting to see how open banking emerges in a way that doesn't just let services replicate the actual owners of the accounts fully going forward.
David Shipley
Yeah, and that gets interesting because the political pressure in Canada to push for open banking and to automatically dismiss valid concerns raised by incumbent banks about the risks that there is simply Them acting in their motivated self interest is that's going to take someone who in the middle of all this can look at that balanced approach that Laura just mentioned and go, okay, we got to balance these compute now. Now, right now, a lot of this is screen scrapers, which is even more terrifying. It's like you give your username and password in and it just tries to scrape and do things in a very dangerous way to a whole bunch of providers who are not held to the same security standards as the actual banks, which is fascinating. So it's not like we don't have a problem now, it's just that how we choose to implement it, if we don't listen to the really smart points that Laura just made about the nuances behind structuring these as permissions and making it a virtuous and consent driven cycle for the end user where they actually understand what they're giving up and what the risks are. We're in a lot of trouble, like a lot of trouble.
Jim Love
But I think it's the old thing of if you try to build a moat, you're just going to make things worse. I'm not sure where I am on the side of this. In one case I think we've got fintech and doing non secure things, screen scraping, these non interactive sign in log accounts and those non human accounts you've called them, David, you've got all of those things. But they're out innovating so they're not going to stop. And if we try and put a halt to it, we create an insecure situation. Really need to have a strategy where you can't stop innovation. You've got to have a strategy that's based on security and we're not paying enough attention to that. No.
Laura Payne
And I think it's a typical Canadian problem in the sense that we do end up with clusters of very large institutions and they tend to be in numbers that you can count on one hand and the fingers of one hand, maybe two hands. And so when problems like this come up where we want to innovate, we want to add services and those institutions themselves aren't the ones providing it, or just a healthy ecosystem is that you allow small companies to develop and poke at these ideas and create these services, the burden tends to be pushed from the government to the incumbents. It's not the fault of the incumbent that somebody else has come up with a really cool new idea and make it their problem to make sure that the cool new company is going to do their job properly. The public Appetite, I think needs to hopefully recognize that and then put some of the funding in place to do the regulatory oversight. And it has to be balanced. But I think to make the big incumbents the one who are responsible for the oversight, I hope that also is obvious.
Jim Love
But we're tackling this effectively. And for instance in Canada we have Interac, which is absolutely a very lean and very smart organization that keeps a lot of our transactions secure. And we don't, we're not thankful enough for it. I don't know if there's an American equivalent, if there's a listener out there, I'd love to hear what that is. But we also have standards and we have. The Digital Council of Canada has a standards creating body and in the US they had NIST at least up to last week. Destroying NIST is one of the stupidest moves anybody could ever make. We all depend on NIST for standards, but having standards for security and having organizations that can provide the interfaces is essential to us having financial innovation. And we don't.
Laura Payne
We do have Payments Canada as well in the mix and things like that. But Jim, it's a great point about NIST will be slightly political leaning. Right. But Canada has relied for a long time on the resources of NIST and we've contributed to. A lot of people maybe don't realize that Canadian partners definitely contribute to the standards that get put in or published by NIST. But I think recent history shows us the importance of maintaining a proper catalog of our own standards and the ability to develop them on our own for things that are uniquely Canadian or where Canadians care more than other countries about that particular aspect. And then once we have the standards having effective ways to make sure that they're being followed.
David Shipley
Right.
Laura Payne
Whether it's through a penalty framed enforcement or just a positive framed enforcement.
David Shipley
Right.
Laura Payne
You gotta be this tall to ride. And, and the people who will let you ride won't let you on unless you're that tall. Right? Like that's the simple framework, right?
Jim Love
Yep.
David Shipley
And I think the last thing on this particular point because I do want to talk about what's happening a bit in the United States and what risks that poses, not just to Canada, but globally. But the shared responsibility model has to be crystal clear. And it cannot be 100% incumbent bank risk because then it will just get farmed out as a cost model to all of us. And like what we saw with cyber insurance and ransomware, it will explode. And our research has shown is that if the individual banking customer does not feel that they own any of the risk and responsibility, they will behave in irresponsible ways. And if they don't understand their role that some AI based cyber tech solutions completely protected them, then they will also bear and behave in irresponsible ways. We have to have that clearly understood and we're going to have to get better at doing because your point is valid, Jim. We can't just sit around the campfire and go well I don't know what are we going to do? It's happening. We need to make it more secure than what's happening now. But we also can't just kick the gates open from a populist perspective and just go yolo, let's open banking it up. It's going to be great. I do want to talk a little bit about what we're seeing with the federal government cuts in the US and I was quite vocal about this on LinkedIn. It's important for people to use their voices when and where they can and certainly not always to my own personal or business benefit to be as vocal as I've been on certain topics. But gutting CISA is among the most short sighted and stupidest things in the current environment. It's not just gutting CISA. Remember they're still trying to understand how deep the Chinese got into now nine plus telecommunications carriers and the CSRB which was the investigative industry and CISA body that was helping put groundbreaking work.
They were the traffic safety of the Internet was disbanded completely destroyed earlier this year and now the agency staffers. Now I'm sure there were folks on that probationary list who just weren't working out but that was not the 130 plus so far and what could come. And I think Jen Easterly has been doing a fantastic job, the former director CISA advocating and talking about this impact. And if you're a hiring company able to pick up some of this talent that's coming out of CISA, you'd be dumb not to hire them because they're hardworking folks. But my point being is so much of the world, Canada included, has relied on the US leadership in this area and we have reaped the dividends from that investment and it's going away faster than my coffee at 8am in the morning. Like we are going to have to figure this out fast. And what frightens me is in conversations I've been having is that there's a business as usual attitude still percolating in Canada with respect to on our relationships with so and so and this agency and the Five Eyes and guys, world's changed and as dumb as this all seems, this is not going away.
Jim Love
And I wanted to get into this probationary thing just so people are really clear on, on firing probational, probationary employees. All that means is you're new, you could be the most knowledgeable person in cybersecurity and someone has convinced you to work for a government agency when you could make it a lot of bucks working somewhere else. I don't think any of these people, the strong security people from CISA, will have a moment's problem finding a job. If they do call me, I will personally phone six or seven CIOs and we'll get you set up in no time because there's such a dearth of talent. So they're not going to suffer. But what's going to suffer is our ability to manage cybersecurity in a way that CISA has been. I don't think people even appreciate how much that organization does.
David Shipley
Yeah, and you can also get probationary status. When you've been at an organization for a long time and you get promoted into a new leadership or management role, you've now changed classification. And so this is a great example of a couple of 25 year olds running around with a script and an AI just firing willy-nilly gets you firing the entire staff responsible for your nuclear weapons arsenal and stockpile security. Yeah, that happened that in normal times that should have been a scandal of such national security significance that heads would roll. Not job well done and oh, let's just push the undo button. And my only consolation for all this chaos is that Elon's Tesla stocks have shed significant money so far this year.
Jim Love
We are witnessing one of the biggest cybersecurity failures in modern history right now. And I'm again, it's, I don't care what you think about Trump or Elon or anything like that. We have people who had to be told in the security infrastructure not to name their colleagues in plain emails that were going to be sent out that were going to be seen by people between the age of 19 and 25. Nothing wrong with that. But most of us know not a great amount of cybersecurity experience in that group.
Laura Payne
You know, he doesn't want of any experience in that group. But I think this is the story and it does touch on a key theme and Jim, you said it, a lot of people didn't appreciate or understand what this group was doing. And I think that's actually the whole theme of what enabled this to come to be is that there's a lot of things that all the government departments were doing and were responsible for. And I'm sure there were some people who were coasting through. But we're not talking like 90% of people or even 50% of people coasting in their jobs. They all had very important services that they were providing, missions that they were working towards accomplishing. But if you don't tell the public enough information and you don't get their attention on things, it becomes very quick for the public to paint a picture of. I see a big price tag and I don't know what I'm getting for it. I don't have food on my table. I don't have a roof over my head or my road's not plowed. That's a Canadian comment.
Jim Love
Yep.
Laura Payne
And why is there all this money being spent and you don't understand what's going on around it? It's very hard. Of course, there's a lot of things happening. But that's also the chorus of cybersecurity budgets. Right. Everybody has a budget when there's been a breach. Because now I know what security does. Right. It would have helped me stop that breach. It's helping me clean up from that breach. It's going to make sure another breach doesn't happen. But before it happens, nobody knows what that security team is doing and the budget doesn't get allocated or nobody understands what the security team could be doing. That just brings back that importance, always, of understanding what your value is in your organization and being able to articulate it. It's not about scaring people with the boogeyman. It's about these are real risks. Not only that, they are more real now than they've ever been. And we need to do something now or we will have a cost in the future. And it will be tenfold, at least of what you're going to pay to get it dealt with upfront.
David Shipley
And I thought we had some interesting cultural moments with that Netflix movie with Julia Roberts and Mahershala Ali where the cyber apocalypse happens. Netflix has got a new one out with Robert De Niro called Zero Days. But I think what's been interesting is people think that's the realm of fiction, fantasy. It's not real. It's not as real as My eggs cost too much. I think, Laura, you hit the nail on the head, is doing the hard work of clarifying why this matters in a world where I can't afford eggs is hard and it's not technical. And I think that's probably why our field is struggling. We have always struggled. This is. But it's now moved from inside of the organization or the boardroom to a societal level struggle. I'll be honest, I'm gobsmacked. There were so many things that the US was doing amazing on creating CISA. The executive orders, the emphasis on secure by design, the CSRB. Like from a policy nerd standpoint, this was amazing. And the fact that there was political will and momentum, but to see how quick it can grind to a halt and slam into reverse, that has been. It was like what was the base on the foundation that we built, the political capital for this? Or was it always this ephemeral, this insubstantial that it could just go like this? It's just that part. Stunning.
Jim Love
And if anybody thinks that the North Koreans aren't taking advantage of this, they're absolutely insane. I guarantee you that Big Balls or whatever he's called has been hacked. I guarantee you I will pay money to anybody who proves that he hasn't been. And all of them have. Why? Because smarter people than them are hacked. And so all of this stuff that they've been able to touch is in somebody else's hands now.
David Shipley
And there's a reason, by the way, probably get accused of ageism on this one. I'm going to be really clear is there's a reason why certain roles in society you got to be a minimum age. Like the presidency for example, though, no maximum age. That should probably get revisited at some point for generational continuity. But you don't know what you don't know between 19 and 25 and how. I grew up in my 30s, really grew up, really understood my limitations and other things. This is why we have people who have 20 years experience in senior roles running the federal bureaucracy, because you have learned and it takes time and experience to do that. And that's probably the last thing I'll note about this giant outflux. Because it's not just the probationary firing. Remember there's a number of folks who are taking buyout packages to just get out of the circus. And the loss of that corporate, institutional, long term knowledge and the hard earned experience, we're all going to pay for that. It's frightening, but I won't even bring it full circle. Like in addition to gutting the critical agencies responsible for cybersecurity, we're also gutting the regulators that were trying to understand the future of the cryptocurrency market and what role regulation should play on that. And we are going all in on fun ideas like a national strategic cryptocurrency reserve in the United States, which, I mean, North Korea is going to be like, oh, damn, there we go. We have funded our defense budget for the next 10 years. If we can raid the, the new digital crypto Fort Knox when they are so foolish as to do it. And I'm calling it here, I see that ship sailing out of Southampton and racing for the iceberg. And it's.
Jim Love
The other thing that they say there, this, there are a lot of victims to this, to what's happened here. Every time I do a show on digital ID, I get inundated with emails and I'm going to get them again. People saying, the government's going to take over my identity, they're going to give up my information. And we've been fighting that good fight because in many cases a great digital ID structure, digital government is actually more secure and just. And we have a lot of technical people in our audience. But just to pass out to you, I don't have to pass my information to someone. I just have to pass the idea that it's absolutely certain that I have the authority to do what I'm doing. We will never, we will set back the idea of moving, getting to a digital ID or any sort of much safer ID than we have today. Why? Because who's going to believe you that your government is not, can't. That information you share with your government is not going to be shared with somebody politically, whether you agree with them politically or not, it should not be shared with anybody in a political state or for anything other than, God forbid, the reason you gave it to them and that they disclosed to you.
Laura Payne
It's not something I spend a lot of time like digging into and researching, but it does, at least on the surface to me, feel like that false fear. Right. The government already controls your ID. They issued it and they have a lot of information about you already. And it's not to say, oh, don't worry about it, it's just the change of format isn't maybe what's going to be the problem if you distrust the government already? That is unfortunately part of living in a civil society. Right. Is that we enjoy government services that make it much easier for us to all benefit and live wealthier lives than anybody at any time in history. And so it's like staring down the barrel of the wrong problem, right?
Jim Love
Yeah. But even if you're in Estonia, I think a million population who already has digital government, if anybody in the government actually takes a look, or anybody who has access takes a look at my record. I see they did it right. You don't have that. Now Revenue Canada could be looking at. Everybody could be looking at anything of yours and you'll never know. That's the benefit of digital. And when I exchange information with them, I don't send my name, my birth date, all of those things across some sort of unencrypted line. Because I'm certain that when we're communicating all this great security stuff to Revenue Canada that a lot of it's plain text, just saying. But so I'm passing all that information to prove who I am when I could pass a token as I do with my bank card or anything else that says you know who I am. I call it the Russell Peters identification. This may only work for Canadians. Somebody gonna get a hurt real bad. I'm somebody. You know it. You don't have to know exactly who I am, but you know who we're talking about. Which is a great description of digital ID. I actually like that.
David Shipley
I was driving before Christmas in Fredericton, heading uptown and there was this early 2000s red Toyota and they had two bumper stickers. One was Save the children and the other was say no to digital id. And that told me everything I needed to understand about information environment that person is existing in that I don't exist in. And how that has framed their perception of the relative risks and issues of the day. These are big weighty issues. These are the issues that we need the techno philosophers of our day. Our next Hobbes, our next Locke, our next actual thinking deeply about this because it has to.
Jim Love
And this is in Calvin and Hobbes for anybody who's out there. The real Hobbes. Yeah.
David Shipley
What I mean by this is we either have government for the people, by the people. To use an Americanism as a public good. It establishes identity and citizenship both physically and digitally, or you have corporatism. And so digital identity is controlled by the private sector, which it seems like a cyberpunk dystopia writ large. But that's where we're heading to. And that's the power. You're either a person or not a person. And if government, if we fail to be able to build publicly backed public good, public owned digital identity, innovation, to your point earlier, Jim, innovation will not stop. It will be provided alternatively. And we will have the meta insert bank name consortium identity. And you now exist. And you're able to use that because the problem requires that solution. The attestation that Jim Love is actually Jim Love. So we, the typical thing in Canada for American listeners is that we love to talk about doing something, see a high speed rail in this country. We just announced a plan for a plan that will cost us 5 billion to maybe build high speed rail. The media covered it as we're getting high speed rail. It's no, it's I'm going to win the lottery. It's a concept of a plan. I'm going to go buy the lottery ticket maybe. No, like we actually have to regain the capacity to do stuff. And ironically, I think at its core this is what people thought they were signing up for. With the drain the swamp got the government. Let's make it run like a business approach that we're seeing down there. I don't think anyone would like cast their ballot going. Can't wait to see what this reality TV show season's gonna look like. Maybe there were a few. But we actually do have to have that conversation and do it in a much more sane way. That's my thoughts on it.
Jim Love
Another place though the distrust breaks down and this was another story that happened this week is Apple has actually pulled encryption out of the UK. If you're in the UK, you cannot use Apple's encryption in its fullest in terms of its transfers to the cloud and all of that to protect your information. Why? The government wanted a backdoor and Apple, possibly because of its experience in America, is not going to give a government a backdoor. The last time we had a backdoor was on the US Telco system where that was used to invade the entire system. This is going to be another place that we're going to be held back because I don't have a good answer. There is the idea of encryption. I get it. You could have child pornography, you could have terrible things that are protected by encryption. On the other hand, if we don't have end to end encryption that is unbreakable and doesn't have backdoors so that hackers can find them and use them, then we can't protect our own information. It's a place where you really do need to have an intelligent discussion. And we're now at a point where that breaks down as well.
Laura Payne
And it's not an easy one to answer because it's very much about how do you have a legitimate process, right, A search warrant process, for example, right. That says yes, this request has been reviewed, it's legitimate to invade this person's privacy because we have reasonable grounds to suspect that what they are doing is illegal. And so you're not putting in so much backdoor as a legitimate mechanism to say, you know what, you're not allowed to abuse our platform for illegal purposes. Right. And if you use our platform, understand that somebody comes to us with a properly authorized search warrant, we will share your information. That's in every EULA already, right? It's already there. I think it's more about how do you create that mechanism. It's public. It's in the privacy policy. We're not saying we don't have access to your information, we're saying we only access it under authorized circumstances. And we may not tell you about it because that's the law. We don't have to tell you when a search warrant is executed against you. That's also part of the rules. But if we're allowed to, we will.
David Shipley
Great.
Laura Payne
But I, and I think that's part of framing the discussion is to put that in place. I think it's also part of, and this is a challenge, right. Because people aren't great at risk management. But if you save something on your phone, I don't know anything you save digitally. I just. Sure it's something. You're okay if it gets out or you're gonna, you've got a plan how you're gonna deal with it. The Internet's not exactly the best at keeping secrets. And there's secrets that are super important to keep. We've talked about digital identity, we've talked about banking. Right. We certainly make the barrier to leaking those things as high as we possibly can. But at the end of the day, it's all, it's all digital and it's all at risk in a sense someday. So physicality is not not at risk either. It's not like just having a piece of paper isn't risky either.
David Shipley
Laura, I'm going to get a T shirt made. I'm going to go back and listen to the exact clips because I think it was just brilliant. It was like the Internet is terrible at keeping secret is it's going to need T shirt. Like I think that's a quotable right there. But I try and do it. 50 A brilliant point. The Internet is terrible at keeping secrets. I just wanted to go at this thinking about this issue of end to end encryption and I want to paint the business drivers here, Apple Meta and everyone else is not implementing end to end encryption because they are die hard privacy. This is, this is our line in the sand. Notwithstanding all the marketing, they're Doing it so they don't have to support investigations because that's expensive. It is far easier to just say can't do it privacy man. And you get rid of all of these trust teams, the MLAT Mutual legal aid assistance team responders, all of this cost center to making your money and you just encrypt the problem away. Great. This is, I'm sure there are some people that genuinely do care at those nature but I'm not understanding that the overall business drivers here, it's. It makes perfect sense on that side. On the other side of this, the CIA and the NSA in the United States, the what should be the two most secure organizations for keeping secrets lost their best tools in the last decade in spectacular insider leaks or levels of incompetence tied to Russian anti malware tools. That's a story for another day. They cannot keep a golden key secure. So you can't just give them a universal way to unlock everybody's stuff. Listen, like this whole conversation like ties well together in a very sort of confident way. Police agencies and intelligence agencies are also equally lazy about this issue. They don't want it. Even conversations I've had with cops and agencies, oh man, we gotta go get a warrant. That's a lot of work. Yeah, it should be. That's an important democratic process. 
And the amount of times they just want to go and cowboy in without anybody ever knowing they're there. Just on the spectrum gas without having judicial oversight ain't zero either. Or at best some secret closed door tribunal they never have to be accountable for. That's not okay either. And the reality is we have great technological examples where you can defeat end to end encryption if you own one of the ends. So if you can't own Apple's end, then you gotta get your malware on the end of the target that you want to receive. Or in the case of several hilarious criminal busts, you give them poison phones and poison encryption system and they just blab their world's good policing work can be done in encrypted world to target the really bad people, it just takes time and money. So what's hilarious is that our fundamental rights are caught between two groups who really don't want to spend time and money on the problem.
Jim Love
Just to keep things cheerful, I want to end with one story. And this is, David will recognize me. I'm the AI fanboy. I am out there. I believe we need to really experiment with this. We need to embrace it and all of that. But from a cybersecurity point of view. We gotta get smarter. And there's a story it was in the bite this week and the title of it was Man's entire life destroyed after Downloading AI software. And when I'm talking about I want you to experiment with AI, I want a sandbox set up somewhere, I want the tools to be vetted, I want these things to be made available to employees. But I don't want them downloading image generators on their phone and putting those onto their computer that then put malware on there that hack them and in this actual case put a leak in there so that their employer's information is lost so that they are not only wiped out financially because they're easy to take over their financial accounts, but also they get fired and if you're in the US lose their job, their bonus and their health care. No AI app is worth it.
David Shipley
But what's interesting is the meta narrative that's being driven right now is that all of our jobs are under this AI sword of Damocles and only those that figure out first how to best use AI to be better at it are going to survive this. Coming up, Jim and I are on different sides of the equation on this and I'm on team AI industry has overhyped the ever living hell out of what they actually deliver. There is some value in these two perspectives. I will acknowledge that Jim is right on some issues here. Just so we're clear that I'm not an iconoclast on my particular perspective. But the psychological pressure we're putting people under that's directly tied to their economic survival that I feel like I have to adapt by this or the AI asteroid is going to wipe my dinosaur self off of the Earth. Is that that we're creating this problem and at the same time irresponsible use of technology and just dumping this stuff out there and then overhyping the hell of it for their share price and market interest are also tied into the destruction of this individual. And it reminds me back to this individual agency and responsibility has never been more important. And thinking through exactly what Jim just said is like what is this tool? Where is it coming from? Will it genuinely help me? How do I do this in a safe way has never been more important. And secondly, security awareness programs. I'm going to be a little selfish here. For love of God, stop doing password modules. In fact, have a session with your team about responsible use of AI. It's the best thing you can do to help prevent the next gal or guy doing exactly this. Because the pressures on them to do it are huge. And you need to enable them to do it safely so they can experiment and learn what value it can or cannot create for them.
Laura Payne
Yeah, okay. I think very much that it is overhyped. I agree with David that there's a lot of people who say AI is doing a lot of things, and it's questionable whether they. Even if they are doing it, whether it is doing it well or effectively or in the capacity that works reliably is certainly a challenge to discern. I will say a lot of the clients I'm working with are busy doing what their business does and are. If they're distrustful of AI, they're like, forget it. I'm just going to keep doing what I'm doing. And they're continuing to be successful. And the ones who are looking at AI or who are incorporating AI are actually saying, I'd like to be careful about it. Oh, we're starting to look at it. We're starting to bring it in. I would say in general. And now that's obviously going to be skewed because my clients actually care about security and that's why they have working with them. That's like a sample set of the general population that we see represented there.
Jim Love
You're like that old commercial, you call me now or call me later.
Laura Payne
We prefer calling now. That's our core business. Right. I think maybe the news there is that people who are naturally understanding of risk or want to understand risk are taking it a little bit more slowly with AI, or they're looking at how can they use it without exposing their data. If you want to use Perplexity as an example, AI search engine, and just put in generic terms so you can more easily scrape information out of the Internet. Go for it. Because is that any more risky than using Google? I don't think so. It's just more efficient. So do that practice there. But, yeah, to start saying, you know what, I'm going to let it run rampant through all my corporate data and hope that my permission model is set up properly, then maybe not that.
Jim Love
And even if you're me and you believe that we're at the tail end of the Industrial Revolution, and I live by the phrase, I'll go back to The Importance of Being Earnest for our cultural critics. How do you go bankrupt? Slowly at first, then quickly when this accelerates, I believe it's going to accelerate at a level that nobody will understand. And I do believe jobs are going to be lost. I do believe people need skills. But let's compare it to the last big revolution in transportation between the horse and the car. Just because I believe you should be embracing the car doesn't mean somebody shouldn't teach you to drive. And that shouldn't have brakes. And you shouldn't just toss somebody in the seat and say, go to town. So, David, I think you brought this up. We need an education and a discussion of AI from cybersecurity that I still don't see happening.
David Shipley
No, to your current analogy. How many decades did it take Ralph Nader and others to get seat belts in cars? You had all the car manufacturers in front of numerous government committees saying, we are going to go bankrupt if we have to put seatbelts in the car. And our inability to see the commonalities of past lessons that we've already learned when it comes to the changes that are coming to us as a result of new technology and our unwillingness to get beyond this black and white one or zero binary debate between innovation and safety. It can either be innovative or it can be safe. We can do both. But we have to have the capacity and will to want to do it. And it's because we believe capitalism functions best for its most Darwinian that the risk takers win big, the most out there. And that's the best for us. That we are probably predispositioned for a lot more horrors. What happened to that individual? And I would love to say that I am smarter than Ralph Nader and we can help drive faster adoption of safety technologies. I'm not.
Jim Love
I'm.
David Shipley
It's gonna. We are going to have a casualty rate. And what's really interesting is the same people that would get morally outraged when they would hear awful phrases in the military like collateral damage. This individual and millions more are going to be collateral damage on the race to AI. And the question for smart organizations is, are you going to be proactive and work with great folks like we like Duke and Laura on Security and Risk or Beauceron on the awareness side so that you are inadvertently one of those casualties because nobody else is going to rein this chaos in.
Laura Payne
I think just to ride that car analogy, the limiting factor to how fast you can go isn't the size of the engine, it's the effectiveness of your brakes. And so keep that in mind. Right. Okay.
Jim Love
There's two T shirts for one show. But I do want to bring this up and I'll just. I'll leave this with our audience. You're not just admiring the problem. The reality is, and I think you brought it up, David, is we do need to think about education. Laura, you brought it up that you really do need to know how these things work in terms of where our guardrails and safety is and whether you believe in AI or not, whether you think it's going to take over the world or not. It's there as a force that is now the biggest movement of shadow IT in our IT history and we need to be having effective discussions about that and a meeting of minds. So hopefully we can do a little bit. I did a show a couple weeks ago on the dark side of AI and where we left it was don't be afraid to ask questions.
David Shipley
Asking questions is an important part of critical thinking. And Jim, I will let you know I have been experimenting with the couple AI tools Leah, which is actually AI tool to do generation of online based computer based training using established pedagogies and improvements in language and there has been value there. I'm also using a tool called Heygen to experiment with AI driven expert level videos. It is not auto magic and push a button and my job is done. Is it giving me new capabilities and new things to think about in those areas? Yes, but it's also showing me the limitations of these things. So to your point, there is, there's change coming. What's here today ain't what that is and there's a way to do it safely and responsibly. But what's being sold for AI in the security industry and specifically in cybersecurity right now is a lot of hot garbage. So be careful of that.
Jim Love
So you're coming over to the dark side, are you? Wait till I lift my helmet and say David, I'm your father. This has been great guys. Thank you so much for joining. Thank you to everybody in the audience for joining us for this show. We're going to come back to this. Mr. Shipley, do you have a research project papercut report coming out? Is it through translation? What's happening with you?
David Shipley
It is, yes. So our annual report is out. It's available on our website in English and in Canadian French and all of the things that we seeded. Although I will concede I got a couple of math points wrong. It wasn't a 50% higher risk, it's 140% higher risk. For those that think the tech's got my back, I don't need to worry about this stuff. So that's been out there published the regular sort of interest points about industry, click rates, report rates, et cetera. We did see some interesting sort of negative trends on click rates in specific industries, propensity to click went up. I think we got a good handle on some of the reasons why and we have lots of questions on others. And the other point that's probably interesting in it is the amount of time you spend on training matters and don't over train your employees.
Jim Love
Great.
David Shipley
Yeah.
Jim Love
Get you back in next week to walk through it now that it's available.
David Shipley
Yeah, yeah, I think I'll flip you a copy and we can go through it. But yeah, I think a lot of the stuff that we gave listeners earlier this year or late in 2024 are now there in writing for folks to chew on and it's interesting to look at.
Jim Love
I think it's time to do a review of that. Laura, what's happening with you?
Laura Payne
Oh, it's been a busy start to the year. We're really just helping folks with navigating the change in the landscape right now and which is you gotta stay optimistic, be pragmatic, be realistic. We talked about, you can't just take a laissez faire attitude and say, you know what, it's gonna be fine. The fire is burning around you, you've got your coffee cup in hand, but maybe you could wait, go find a fire extinguisher. Right. Or have a plan to get out of the room before it comes down. We're busy with that kind of stuff, but we keep doing what we're doing. These times are in ways unprecedented. But also anybody who's spent a lot of time in cybersecurity knows that there are stress cycles you go through and the way you manage your health and resilience through that is going to predict how you come out on the other side.
Jim Love
Yeah. And I think it's good advice, whether it's career advice or whatever, is when things get tense and when you. You're getting overwhelmed, what I do is the next thing on my desk because it at least I've moved forward and so hopefully we'll be doing that. Laura, thank you. David, thank you. And thank you to our audience. And we will catch you next week. I'm off for a weekend of rock and roll where you're hearing this. I'm off playing guitars with no AI at all. David, you'd be really happy. It's all acoustic.
David Shipley
The beauty of human creativity.
Laura Payne
Great, thanks, Jim.
Podcast Summary: Cybersecurity Today – February 2025 Month In Review
Hosted by Jim Love
In the February 2025 episode of Cybersecurity Today, host Jim Love engages with industry experts Laura Payne from White Tuque and David Shipley from Beauceron Security to dissect the latest developments in the cybersecurity landscape. This comprehensive review delves into significant cyber threats, law enforcement efforts, governmental policy shifts, and emerging challenges posed by advancements in technology such as AI. Below is a detailed summary of the key discussions, insights, and conclusions from the episode.
Jim Love opens the discussion by highlighting the tumultuous nature of February in the cybersecurity realm. He notes that while the volume of attacks may not have spiked, the scale, complexity, and sophistication of cyber threats have significantly increased. Love remarks:
“...the attacks are bigger, badder and smarter.”
— Jim Love [00:18]
David Shipley concurs, emphasizing both the challenges and rare positive developments within cybercrime enforcement.
A major focus of the episode is the successful efforts by Canadian law enforcement agencies to tackle cyber-enabled fraud. Shipley shares encouraging news:
“...we're seeing some good and we are seeing some significant progress on finding folks.”
— David Shipley [02:22]
He details operations by the Ontario RCMP and Toronto Police Service, which have apprehended individuals involved in large-scale fraud schemes, including a couple accused of defrauding over 500 victims. Love underscores the importance of inter-agency cooperation:
“...this informal cooperation between those police forces is so important because cybercriminals don't.”
— Jim Love [05:59]
The conversation shifts to the Black Basta ransomware gang, where leaked internal communications have shed light on their operations and internal conflicts. Shipley discusses how these leaks reveal strategic decisions within the group, such as targeting specific financial institutions to fund national objectives.
“North Korean hackers, man, they find a way.”
— David Shipley [10:58]
He draws parallels with historical ransomware tactics, noting the evolution and increased sophistication of these groups.
Laura Payne introduces a high-profile case involving the largest bank heist in history, where $1.5 billion in cryptocurrency was siphoned from a Dubai-based entity and diverted to North Korean leadership. This incident showcases the meticulous planning and advanced techniques employed by state-sponsored actors.
“This was a well thought out supply chain poison... the ocean's 11 of cyber, right.”
— David Shipley [10:03]
Jim Love expresses astonishment at the speed and efficiency of laundering such a vast amount of cryptocurrency, questioning the resilience of existing financial safeguards.
Another alarming development discussed is the discovery of a botnet exploiting vulnerabilities within Microsoft software to conduct password spraying attacks, particularly targeting Microsoft 365 accounts. Love points out the persistence of legacy systems:
“...there was a botnet out there doing password spraying... Microsoft hasn't fully phased this out yet.”
— Jim Love [14:16]
Shipley emphasizes the challenges posed by legacy authentication methods and the growing complexity of managing non-human identities such as service accounts and APIs.
The episode delves into the open banking movement and its associated security implications. Payne warns about the risks of screen scraping and the potential for fintech services to become vectors for cyberattacks if not properly regulated.
“If it's going to be true fintech integration, open banking, we're going to need to allow people to create these service accounts...”
— Laura Payne [17:08]
Shipley adds that without balanced regulatory frameworks, the proliferation of insecure fintech integrations could exacerbate existing cybersecurity vulnerabilities.
A significant portion of the discussion centers on the detrimental effects of budget cuts to the Cybersecurity and Infrastructure Security Agency (CISA) in the United States. Shipley laments the loss of critical expertise and the broader implications for global cybersecurity collaboration.
“Gutting CISA is among the most short sighted and stupidest things...”
— David Shipley [23:13]
Love highlights the potential fallout from these cuts, including weakened national defenses against cyber threats and diminished international cooperation.
The panel explores the contentious topic of digital identity, debating the balance between enhanced security and privacy concerns. Love advocates for robust digital ID systems to streamline secure transactions, while acknowledging public fears regarding government overreach.
“...digital identity is actually more secure and just. And we have a lot of technical people in our audience...”
— Jim Love [35:03]
Payne counters by addressing the public's distrust and emphasizing the need for transparent and secure mechanisms to manage digital identities without compromising individual privacy.
The episode addresses the ongoing debate over encryption, particularly Apple's decision to limit encryption capabilities in the UK under governmental pressure. Payne and Shipley discuss the challenges of balancing law enforcement needs with privacy and security:
“...only access it under authorized circumstances. We may not tell you when a search warrant is executed...”
— Laura Payne [43:13]
They argue for intelligent, legitimate processes to handle encryption without compromising overall cybersecurity.
In the latter part of the episode, the conversation shifts to the role of Artificial Intelligence (AI) in cybersecurity. Love expresses concern over the irresponsible use and overhyping of AI tools, citing a recent case where an AI application led to significant personal and professional fallout for a user.
“No AI app is worth it.”
— Jim Love [47:05]
Shipley echoes these sentiments, advocating for comprehensive security awareness programs and responsible AI experimentation within organizations to mitigate risks.
“Have a session with your team about responsible use of AI. It's the best thing you can do...”
— David Shipley [50:20]
The episode concludes with reflections on the necessity of education, regulatory frameworks, and proactive measures to navigate the evolving cybersecurity landscape. Payne underscores the importance of resilience and maintaining a balanced approach to innovation and security.
“You're either a person or not a person... we have to have the capacity and will to want to do it.”
— David Shipley [53:05]
Jim Love emphasizes ongoing dialogue and awareness to prevent becoming casualties in the cyber arms race, urging listeners to stay informed and engaged.
“We need to have effective discussions about that and a meeting of minds.”
— Jim Love [55:07]
Increased Sophistication of Cyberattacks: February saw fewer but more severe and intelligent cyber threats, necessitating enhanced defensive strategies.
Effective Law Enforcement Actions: Canadian police agencies made significant strides in combating cyber fraud, though the threat landscape continues to expand.
State-Sponsored Cyber Heists: North Korea's large-scale cryptocurrency thefts illustrate the growing capabilities of state actors in cyberspace.
Legacy Systems Remain Vulnerable: Outdated authentication methods in widely used platforms like Microsoft 365 continue to be exploited by malicious entities.
Open Banking Risks: While promoting financial innovation, open banking frameworks must address inherent security vulnerabilities to prevent misuse.
Diminishing Cybersecurity Expertise: Budget cuts to pivotal agencies like CISA threaten national and global cybersecurity resilience.
Digital Identity Challenges: Balancing security with privacy remains a contentious issue, requiring transparent and secure management systems.
Encryption Debates: Striking a balance between enabling law enforcement and preserving individual privacy is crucial in the encryption discourse.
AI's Double-Edged Sword: While AI offers potential advancements in cybersecurity, its misuse and overhyping pose significant risks that must be managed through responsible practices and education.
Conclusion
The February 2025 episode of Cybersecurity Today provides a thorough examination of the current cybersecurity environment, highlighting both progress and persistent challenges. Through insightful dialogue, Jim Love, Laura Payne, and David Shipley offer listeners a nuanced understanding of the threats, policy implications, and technological advancements shaping the field. The discussions emphasize the need for continued vigilance, collaborative efforts, and informed strategies to safeguard against evolving cyber threats.