
Cyber Security Today: Navigating Novel Phishing Campaigns and Ransomware Tactics Join host Jim Love and the Cyber Security Today panel featuring Terry Cutler of Cyology Labs, David Shipley of Beauceron Security, and cybersecurity executive John...
Jim Love
Welcome to Cybersecurity Today, our week in review panel. I'm your host, Jim Love. This week we have our regular panel. We have Terry Cutler, head of Cyology Labs in Montreal. Welcome, Terry.
Terry Cutler
Good morning. How are you?
Jim Love
I'm just fabulous. I'm lying, of course. We're recording this in the morning and I'm not. Of all things, I'm not a morning person. It's 8am but we can. Except for David Shipley, who lives in the future, so he's got to sleep in for an hour. Speaking of David Shipley, how you doing? Head of Beauceron Security.
David Shipley
I am well and I am enjoying the very last business trip of the year. Live from New York City. It's not Saturday night, but I can't wait to be home. So today is my last visit, giving the Psychology of Cyber Risk talk. And then back home for business planning and kicking off 2025.
Jim Love
So how's the growth coming? You topped your 1 million mark.
David Shipley
We passed the million. 15,000 people phished. I haven't got my McDonald's sign yet. More than 1,100 customers and I've done really well. Of course, all of the chaos that we're now seeing about this whole tariff thing is an interesting situation to be in as the only Canadian security awareness company at scale serving across the country. And so that's going to be fun because the Canadian dollar is diving down. Hey, my stuff's going to be even more affordable in US dollars to Canadian companies looking at their bills. Give me a call. We can get you a better solution.
Jim Love
Yeah, and you're traveling so you don't have to carry American Express checks. I don't remember those. Remember the. Carry the American Express check because if they're lost or stolen, they could be replaced. Now it's. I can't. I carry the Canadian dollar. If it's lost or stolen, who cares? John Pinard joins us this morning from beautiful downtown. Where are you here?
John Pinard
Pickering.
Jim Love
Pickering, yes, I'm Pickering. I've never pickered, but I'm sure you're there and welcome. And John is. He's been on the panel before. You've been here before. He's a financial services exec and cybersecurity executive. So he's just perfectly qualified to be here. He had a microphone that. That gets you on the show.
John Pinard
Yeah.
Jim Love
Good stuff. Okay, we're gonna get started. Everybody knows the format. This is, by the way, our penultimate show. I like to use the word penultimate. That's second last, I think. But we're gonna do a Christmas year in review show somewhere before we take our holiday, which is generally about the 20th of December. We go into reruns till the 4th, but we'll somewhere between there we'll do a year end show. This is our penultimate show and everybody by now should know the format. It's we all brought stories that we're going to talk about and the stories are interesting because they brought something from the past month that we can learn from or we can use or we can have a good discussion about. That's our start. I'm going to start out with the first story because I saw David, you actually put this one on LinkedIn as well. This got me going. There's a new hack that's gone out. BleepingComputer did the story first. We did a story on it as well. And it's a novel phishing campaign that uses corrupted Word documents to evade security. The reason I picked this up, I gave it a plus for creativity and that was what a crazy thing to think about. So the essence of it is I send you a broken file, incomplete in some aspect, and Windows dutifully restores that file. So it gets past any of your endpoint checking and it has no malware in it. It has a barcode or something that I'm going to click on or something that's going to draw me to another site and that's going to say, hey, you need to restore this document and get all your data back, so just please give me your username and password. That's a pretty fair assumption. But David, you as our phishing expert, the Phileo fish himself, the Are you seeing this? You put it on LinkedIn. Have you seen this campaign yet?
David Shipley
I haven't personally seen one of these attachments, but I am absolutely 1000% not shocked by this. This speaks to the continued battle of cleverness between defenders and attackers. And it's why there will never be a technological silver bullet to malware and phishing. Email filters are not stopping 99.9%. And I got into this debate earlier this month with a very prominent CISO on LinkedIn and there was this whole thing where they said the email filters catch it only let through 0.001%. I'm like, no man, it's a lot higher than that. We've seen it as high as 10% in the last six months in our actual hard data. Not surprised by all of this. And the challenges here are huge. Cause it's. Does this mean that all the email filter vendors are gonna have to license Microsoft Word so that they can sandbox detonate things when they are malformed file and then go from there. Like it's just gonna keep evolving. And it's not just Word documents. WinRAR files will also do this kind of self healing. And what the article pointed out is that there's elements inside the headers of these files that allow you to reconstitute and rebuild them. When you reconstitute and rebuild them, away we go. You say corruption, I say hilarious new form of encryption.
Jim Love
I'm going to use that one next time. I've got a cr. A really great encryption formula.
David Shipley
The super hilarious. But this is just the world we live in and expect more with AI. And we'll talk about. AI is really good at finding ways of just changing small bits. And that's one of the things is that I read a really interesting research paper and it talked about this concept of data drift and email filters and small changes can have dramatic impacts on how the AI scores something. So this is just people being clever. The meme that came to mind when we were preparing for the show is that Jurassic Park classic. Jurassic Park, clever girl. Velociraptor that pops up because props, this was clever.
Jim Love
I thought we were losing you as culture critic there, David. You've come back. Okay, Jurassic Park, here we go. Yep. Terry, you talk to me about this.
Terry Cutler
This is also known as fileless malware. So we've also seen. I've started seeing this back in what, 2018, where someone even tried to send me a file over LinkedIn saying, hey, there's this new role that just opened up. You'd be the perfect candidate for this. So then we put it in the simulator and next the file opens up correctly, everything's good. But of course you got the banner, do you want to enable macros? And of course, the moment you open that, it goes to the web, pulls down the malware and then tries to execute. And of course EDR just freaking lit up and said, what the hell are you doing here? Why is it opening up? Why is Word trying to open up a command prompt and try to run PowerShell scripts? That's not normal.
David Shipley
Cut it off.
Jim Love
John, are you thrilled to see this new creativity coming into your shop to a financial institution near you? Yeah.
John Pinard
Yeah. It's not a big deal, right? No, I'm kidding. That's right.
Jim Love
It's not a big deal. But John, you're the head of cybersecurity.
John Pinard
It reiterates the fact that no matter what you put in, David talked about it a minute ago that there is no silver bullet. At the end of the day it will always come down to human error. That and when human error, it's the human is the one that clicks on it. And so it really pushes the emphasis on needing to make sure that we educate our staff on what to look for. If you're not sure, ask. What we do is we've got that report phishing button in our Outlook that if you're not sure, click Report phishing. It goes to my cybersecurity team. They will investigate it. They'll let you know if it's a problem or not.
Jim Love
If you have a small office, you can have a conversation and have that same policy that says hey, come on over, look at this. So just because you got a two to three person shop doesn't mean you still can't do that. It works very effectively even with 20 employers or more.
John Pinard
Yes.
Jim Love
Yep. So you're going to get into this psychological mumbo jumbo with David Shipley, eh? I'm looking for the. I want the silver bullet, the technical silver bullet, guys.
David Shipley
And listen, I'll say this. As long as technology is made by humans, it will be as beautifully flawed as we are.
John Pinard
Exactly.
David Shipley
The day that technology makes technology, what would Ray Kurzweil, Singularity Cybersecurity is no longer humanity's biggest problem. With technology, we will have a whole new problem.
Jim Love
Read my new book.
Terry Cutler
Have you ever seen the shirt, David, where there's. They used to give these out at conferences. There's no fix for humans to pity. Have you seen that one?
David Shipley
Okay, okay.
Jim Love
Shipley tries to be nice about it though.
David Shipley
Terry, okay, there, there's actually something I'm working on a 3,000 word paper for the Canadian Cybersecurity Network. Go after this one point. Terry, and I used to say the same things, but here's the truth of it. If an organization was truly full of stupid people, cybersecurity is not the number one threat to the future of that organization. And they're not. Right. Most organizations, notwithstanding the creation of things like DOGE in the US are full of really good, smart, passionate people who want to do their jobs well. Our challenge is motivating them to apply knowledge that we disseminate through security awareness and other things at the time when it matters the most. And so we don't have the stupid user fallacy we have. Why should I care about this motivational challenge? One of the scary things and Jim and I talked about this fall in the research that we've done is that people that think the tech tools completely protect them. So their email, their antivirus or email filters, they're 50% more likely to click. And so that's the number that you need to get down. And you tell people email filters aren't perfect. Trust your gut.
Jim Love
Yeah.
John Pinard
And I think tied in with that, the. The big fallacy to me in corporations is that cybersecurity is a corporate thing. Everybody that walks through the door and claims to be an employee needs to be responsible for cybersecurity. It will look after the back end of it. But every time you get an email, you need to look at it and go, could this potentially be malicious? Or when I get a file, could there be something in it? Is there this? Click here to enable macros. Should I be worried about that? I think it's everybody's responsibility, not just it.
Jim Love
So we're gonna go on to my second story, which is another one that's based on the Human factor. I read this story and it was just one of those things. I did a story on it for Cybersecurity Today because it just amazed me. We're always talking about the technical parts of this, but off boarding when someone leaves. And you think big companies must have that handled, right? Not exactly. Apparently Disney had an employee that left and they didn't remove him from the system for whatever reason, left him with his access to the systems, and he went in and did a DDoS attack on his fellow employees and hacked their menu system. And this is really like, on one hand it's weird, but on the other hand, if you wonder what damage a former employee could do, hacked their menu system so that he removed the peanut allergy warnings from foods in their restaurants or at least was attempting to. And that could kill people. I was flabbergasted to say, hey, I could understand if this is with tiny business, but a big business like Disney, nobody checks to see that a person we've fired left under bad circumstances has taken off all the systems. I couldn't believe that could happen.
John Pinard
I'm going to jump in for a second on that one because we're actually going through that is making sure that we have a thorough checklist for onboarding and offboarding. Because I was talking to an individual at another financial institution and they were telling me that they found recently an employee that had left the company 12 years ago still had access. Thank God it wasn't anything super critical, but they still had access and were still actively using their login credentials to get into a credit bureau system that they had from when they were an employee 12 years ago. And but like I said, the credit bureau thing, that's. It could have been a lot worse. So this is one of the things that we discussed as part of an audit and have gone through dramatic changes to our off boarding procedure to make sure that it's easy for us from an IT perspective that we can disable everybody's account that IT manages. But there's this little thing called shadow it. You may have heard of it. And so that's still a big problem. And what we've had to do is we've had to educate the managers within the organization to say, hey, when somebody leaves, we'll let you know that we have completed our portion of it. But you need to make sure that you're removing access to any system that they had that was managed by your team.
Terry Cutler
And this is. Yeah, you were implementing this. Back when I used to work for Novell, back in the day we had identity and access manager. This is where identity and role-based administration works really well in situations like this. Because back in the day we had this thing called zero day start zero day stop. The moment you get hired, it creates you an account in Active Directory, in Novell eDirectory, finds an available extension in the phone system. Everything gets associated to you in one shot. In theory, right? But then eventually once you leave the company, everything gets shut down once you deactivate the account. So we need to start looking at more technology like this that can help automate these processes because things get forgotten. Or they'll say my last day is next Thursday. And then the IT guys forget about it or maybe there was an extension or maybe the guy was using somebody else's account. All these things need to be looked at.
John Pinard
And one of the things tied in with that too is that it's not just making sure that you disable or delete the person's account. But I'll pick Microsoft as an example. Somebody's got a OneDrive account. They've got all these files that are there. You need to make sure that they go to somebody. So there needs to be as part of that off boarding, where do you pass on the files? Old emails and those types of things too, so that they're still accessible for somebody within the organization that still needs them.
Jim Love
Getting the documents in is one thing. But you pointed out if you've got shadow IT or SaaS programs that are out there, you have to check your company credit cards too. I found this. Six months after somebody's gone, we're still paying for their LinkedIn account. So you've also got this expense item that's happening out there and in many cases it just flies under the radar. Don't get me started on automatic billings like that. I believe there should be a law that says once a year you should have to renew and get a positive approval for any billing. But that's. I'm a communist, so what can I.
Terry Cutler
Say in situations like this, we've seen cases when I used to work for private investigation firms, if companies, if employees still had access to the employer system without their knowledge, especially making changes to the systems, which could be criminal. We used to execute what are called Anton Piller orders. We still show up at the guy's house unannounced. We knew about it like a day or two before. We knew that guy was gonna have a bad day on next Wednesday. Show up, take all his equipment and analyze it and then send him, take him to court kind of thing.
Jim Love
Would you like to have Cutler arrive at your doorstep with two other big guys behind him, say, we're here for your equipment. I knew that look wasn't exactly only from cybersecurity.
Terry Cutler
I always pay your bills on time.
David Shipley
That that Simpsons clip of Goons hired Goons hired IT Goons. We're here. I think the shadow IT thing is huge because the beauty of tying everything into single sign on and in as many systems as you can is that one ring to rule them all. And then you still have those other problems. The other part about this is this is why audits are so valuable and it's why we should speak possibly a little less adversarial about the audit process. And it's the external auditor probably really shouldn't be the external auditor finding these things, but your internal audit team saying, okay, last six months we've off boarded 10 employees. Let's look at three cases and just double check. All the work was done according to the checklist. And if they find a gap in the process or an error that's consistent, possibly consistent across all three, oh, we missed this. Then you improve your process. And one of the things that I worry about in this field is that we forget that continuous improvement is a good thing. Yes, we've got a thousand one problems and we tend to be reactive, but we're better always improving on that side. And I think for executives who might be listening to this or dear IT manager who needs to get this message to their executive, it's okay to find flaws in your internal audit and fix them and improve, and you should find them and you celebrate that.
John Pinard
That's Exactly, David. How we found the flaws or the limitations. I'll call them in our onboarding and offboarding process and 100% with you. I have no issues. I get strange looks at work sometimes because I consider our internal audit team my friend. I look forward to them coming in because they're either going to tell me I'm doing a good job or they're going to show me areas where we need to improve. And I'd much rather the audit team find that than cyber hackers.
Terry Cutler
We had a situation. We do a lot of work in healthcare. We just did one a couple of months ago doing audit and Active Directory. There's 38,000 active accounts in the system. This is like an 18,000 employee shop. 38,000 active systems, but 21,000 of it haven't logged in over a month. Whoops.
Jim Love
Yeah, Okay. I want to go over this audit thing and we've been through this and Shipley will, Reverend Shipley will give you a sermon on this. So in partial place. If your internal audit group thinks their job is to catch you and make you squirm, they are doing the corporation a disservice. Their job is to help you make sure that things don't happen, not that they can find you, find them later and blame you.
David Shipley
And I'll give another analogy. I'll share that I have a higher risk for colon cancer. So I have a five year screening program. And I don't dread. I don't say I'm excited by the colonoscopy, but I'm not running away in fear from that because the doctor's not there to cause me harm. He's there to go and find and see if there's something that needs to be dealt with that we can improve and that we can preventively catch early. And it's worth doing that now. Your internal audit is not like a colonoscopy every single time.
Terry Cutler
Why is it called a penetration test?
David Shipley
We need to have that collaborative care mentality about technology. And I think that's the important part. Wrapping up men's health. You're in that age group, guys. Go get checked.
Jim Love
We're going to go to your story next, John. Don't worry about from that story, John. You had a couple stories you wanted to bring to us.
John Pinard
Both of my stories are a little closer to home. The stories themselves are interesting and informative. The first story is talking about the Blue Yonder ransomware that had Starbucks manually scheduling people and writing them checks for their paychecks. It hit them. It hit Walgreens. There was large grocery chains in the UK that got affected. Apparently Anheuser-Busch and Ford both used them. But there's been no report of issues from there. Which doesn't mean that it hasn't happened, it just hasn't been reported. But I guess the big story for me about this is who's responsible? And what I mean by that is I'll pick on Starbucks for a minute. Starbucks used Blue Yonder. Does Starbucks own any responsibility in this? I think they do. I think that if you bring on a vendor, part of your vendor onboarding needs to be risk assessment and cyber readiness of that vendor. And you also need to incorporate these vendors in your incident response plans or your own cyber readiness. It's one thing to say, okay, if something happens to us, if we get hacked, here's what we're going to do. But as soon as you start having a reliance on third party vendors to run your business, they need to come under the umbrella of your corporate cyber readiness. When I was going through reading this, one of the things that came back to mind was the CrowdStrike incident. There was a lot of companies that were affected by that. There was a lot of airlines that were affected by that. But the one airline that seemed to be struggling and falling way behind was Delta. And so was that because Delta got hit worse than anyone else, or was it because Delta wasn't prepared the same way that others were? And so that's the. I guess my message behind this story is that you can offload the work to somebody else, but you can't offload the responsibility and the ownership.
Jim Love
There's another similar story that came up and it was, and this is going to be just run rampant in companies right now. Somebody got a chat bot, 600,000 records from a chatbot, an AI chatbot happened to have a whole pile of information in it. A SaaS program somebody put in there did not check this to see that this vendor did the basics and the basics. And I will tell you just for anybody, and Terry or somebody more technical can drop onto me from great heights, as we would say. But I've been through the AWS backend and I am absolutely amazed that anybody gets the security setup right. So you've got all these guys who've set up, they get an AWS account, they've got a chatbot, they're selling this service or this AI service and you don't even know if it's protected.
Terry Cutler
So that's a great point. So we do a lot of audits. Right. So Office 365 is another example. Another gate is not a hundred percent secure. There could be vulnerable plugins. 2FA is missing on certain accounts, whatever it is, and we'll sometimes get pushback.
Jim Love
Why?
Terry Cutler
Why do I want to audit somebody else's system? I want to see what's what my system looks like. I don't care about anything else. But they don't realize that everything's all tied in together.
John Pinard
Yep.
Terry Cutler
So you need to get that assessment done.
David Shipley
Over the past year, I've had a chance to meet with our senior law enforcement intelligence officials and we've talked a lot of things. The thing that really is catching a lot of attention right now is structural risk in the economy. And it was interesting to see a presentation where they were highlighting we don't know who the key players are that can have such a massive impact if you take them out. And for those listening, if you've seen that hilarious Lego block meme of everything depending on open source software, it's this one little tiny pillar. If you kick it over, the entire thing falls over. When attackers have realized it doesn't just apply to code, it applies to vendors. John, I was looking at Blue Yonder. 3,000 customers, huge needs here. We're talking grocery stores had their actual supply of food disrupted and the days are over where it is a cute little thing that is on the side of the organization. I was at a global bank customer and I walked by and it said in 1984, 83, we had 25 personal computers and that kind of scale. Not paying attention to these supply chain vulnerabilities is not material today. It's very material. But I would argue that we need to take the same approach to structural systemic risk in technology that we do in the global financial system. And I sure hope it doesn't take a 2008 style event in the tech ecosystem. But I feel like we're cruising for one of those because you've got Blue Yonder, you've got CrowdStrike, you've got other things that have happened. Microsoft's attacks by the nation states and Russia and China. We actually do need to regulate tech. And the other part is that this also gets into complexities around market share. Do we. Is it really a good idea that one company holds 3,000 enterprises worth of risk? Is that too much risk concentration from a societal perspective having those conversations? Because we still treat computers like they're the cute couple dozen microcomputers in the bank in 1984. And it's meant, no, this is the bank in fact, tech arguably is more important to the global economy than the financial system in and of itself. When you think about the potential for instability to cause chaos because the financial sector is now well regulated.
John Pinard
And you make a great point, David, that you talked about Blue Yonder hitting over like 3,000 customers. There's no regulation. It doesn't say that you have to do this. And I don't know whether it's. Once you get beyond. If you have more than a hundred customers, then you have to step up your game from an audit perspective or whatever. But yeah, it gets to where CrowdStrike was a faux pas internally. But look at the impact it had on companies globally. I go back and look at Rogers a couple of years ago when somebody made a mistake there and it brought everything down. And companies like Interac didn't have a backup, they only used Rogers. Interac transactions were not being processed.
Jim Love
And Interac is one of the best run organizations. Their technology in terms of preventing errors, they've been very good. They get caught. Anybody can get caught. That's. And look at Veeam last week. Veeam another. I don't think there's 3 or 4, 9 out of 10 CVE vulnerabilities get reported and Veeam has 80% of the market. This is. So the SaaS piece is something that people need to pay attention to for sure. I want to run to your next story on John and that's the city of Hamilton. Yes, the hits just keep on coming, as they say in FM radio for.
John Pinard
Those guys for sure. I mean this was back in February, so it's not a recent story, but they're still suffering from it. I have an acquaintance who has a family member that works for the city of Hamilton and they are still doing a lot of their processing manually. They've lost a lot of employee records and things like that that they have to recreate all of this. And so it's now 10 months later and they are $9.6 million into the battle. They are a long way from being finished. And to add insult to injury, in trying to bring their systems back up, they've been hit by over $800,000 worth of imposters, imposter vendors stealing money from them. And they don't know because if somebody sends in an invoice saying you're past due with this invoice, they have no systems to go back to. Look to see whether that's right or not.
Terry Cutler
This is an interesting point. I did a couple of keynote talks at a couple of municipality conferences. And the mayor for the city of Hamilton came out saying, okay, we're going to emphasize our commitment to a full review once these systems are fully restored, understand the breaches or origins, and implement a stronger system and protocols to prevent similar incidents in the future. They don't realize that most companies or businesses don't have the proper detection technology in place in order to hacker in there. And they don't have the proper response plan to get them out. But the challenge here is that the average time that a hacker is in a network undetected is 286 days. And when they finally did the IR on the city, they found out that the hackers have been in the system since April 2019, most likely. A lot of companies use technology that relies on logs, and logs get delayed, logs get modified, logs lie when an attack occurs. A lot of times these SIEMs and whatever don't see this stuff. They need to rely on full packet capture technology to know there's a hacker in there. He's going to see these reconnaissance tools that are scanning the network. That's not normal. Why are these brute forces happening? Why are these privilege escalations happening? These logs aren't picking this up. So they really need to have better technology in place to know there's a hacker in there and they better have a good response plan to get them out.
Jim Love
Terry, I need to know, do you have a tattoo that says 286 days? You should get one man, you could. When you turn up on somebody's doorstep.
Terry Cutler
It's been 286 days, Carrie.
David Shipley
286 Cutler. There you go. So, so? So one of the things I think a lot about this is if we picture the city ransomware attack in physical world as an arson attack and the building gets burned down, and all of a sudden you've got to rebuild the building, but you discover that the ground is also contaminated from a hundred years of history. And so you now have to do environmental reclamation while rebuilding your building while still running your organization. That's a lot. That's a lot to expect in organization. Now, what terrifies me is John, the very valid point that you made. That the business email compromise activity happening within this. And if criminals realize that this is a great diversionary attack, burn the system down. Okay, now there, maybe they won't pay the ransom, but we destroy the systems of record. Because as Terry notes, we've been dwelling for 286 times. We know who their suppliers are. We now know the right asks. We know the people to target. So as they're in bunker recovery mode. The actual money play here this feels like Ocean's fifteen Cyber is to actually go after the invoicing and it's terrifyingly frigging brilliant. But I will also say as the official semi official self appointed probably is the most accurate self appointed maintainer of Canadian cyber. Guinness World records that's now 9.6 million is the most has ever been publicly revealed by a Canadian municipality for an attack previously Saint John, New Brunswick at 3 million was the holder of this. And what's going to be really interesting is to what extent did they have cyber insurance? To what extent is cyber insurance going to cover that 9.6 million. And what we just saw Terry. Terry and Jim, you'll love this. And John is Tullis just released their cyber insurance study and shockingly people are not getting the payout they expected from cyber insurance.
Terry Cutler
So I get this thing all the time. We get brought in to assess people's cyber insurance, the questionnaire and a lot of times yeah, we have this, we have all this stuff, no problem. They submit it and they get accepted. I'm like yes, of course you're going to get accepted. But when something happens and you check, yes. And we don't have it like log monitoring. Are you doing a penetration test once a year. But they've never had one done in their whole life and that's exactly why they're not getting their payouts.
John Pinard
I refer to it back as with automotive insurance and snow tires. Everybody says oh yeah, I've got snow tires because I want to get that discount. But the first time you go out and have an accident or something happens between that November 15th and April 15th and you don't have snow tires on, they won't cover you.
Jim Love
Yeah, it's like what I used to say. I was a non smoker for my life insurance. You always forget when you fall off the wagon. I haven't smoked in 20 years. Those are. Terry, what would you bring us?
Terry Cutler
One of them is the story about Andrew Tate. You may have heard of this name before online. Long story short, who Andrew Tate is: a former athlete turned Internet personality, and he's got a lot of controversial views about how men should act and how women should act. And it draws up a lot of both positive and negative attention. So what happened was his platform, which is called the Real World, suffered a hack this past month and it affected almost 800,000 users. So they got access to this, to the platform, obtained all the usernames and passwords and not only that, it accessed public chat rooms, private chat servers and extracted all this stuff. And the hackers were at a point where, dude, this is like hilariously insecure. There's nothing here. You made my job so easy kind of thing. And they started going after all the users. So when you have, when you get affected by such a size of a data breach like this. And this is also a comment I get all the time from solopreneurs. I don't need, I don't need cybersecurity. Who's going to want to hack me? I'm solo. Like, I don't have a system. When something like this happens all of a sudden, now you wish you would have had it. So my gut is that because all these usernames and passwords have been extracted, they're going to go after the users, the user accounts that have registered with the platform. They're going to try and phish them, cause financial harm to them, scams, frauds, whatever it is. Change your password, make sure you got two step verification turned on, and monitor your credit scores, of course.
David Shipley
This was not a financially motivated attack. This was folks who are allegedly, or at least on the surface, saying that they're pro LGBTQ issues. And Andrew Tate is seen from that perspective as the king of quote, unquote, toxic masculinity. And it's been a while since we've seen a really good hacktivist, everyone saddle up and take on a bad guy from their hacktivist perspective. And interesting to see that. And one of the things, if I delay a prediction for 2025, hacktivism's back, baby. It's going to be back in a big way for the next couple of years. And it's going to be hilariously awful for a lot of people.
Terry Cutler
That's like having a disgruntled employee in one way. Right? You say something that no one agrees with and all of a sudden you get hacked because no one likes what you said. So you really got to get protected all around.
David Shipley
Yeah, you got Kash Patel, the nominee for the FBI. And allegedly the Iranians were right on old Kash's accounts. It's going to be fun times for non crime related cyber crime, non financially motivated cybercrime.
Jim Love
It is. I feel like the American Civil Liberties Union, who always gets. Because they'll always. They'll take on some loser that you just wish would disappear from the planet. You go, why are they doing this? And my first instinct for these guys is, oh, who cares? But the fact is that even cyber activism is, it hurts us all. And you can't take any joy in watching these guys come down. But it's, it's like when the Chinese are hacking Donald Trump's phone and tell me they're not, you know. Yeah, we look at it and say, oh God, I hope he's not telling people, his friends what the nuclear codes are. We'll find out.
David Shipley
I on that point, it's just a note. We had all the stories earlier this fall about the Chinese sophisticated campaigns in the US telephone networks and we all assumed that all of us idiocy on my part. Oh it said they caught them and they kicked them out. And then this week they were like we still haven't successfully kicked the Chinese out of the U.S. telecommunications service. So what we've known and has been publicly disclosed is numerous major big name US telecommunications operators were compromised by a Chinese state sponsored group allegedly leveraging the very inherent tools built into them for lawful intercepts for things like wiretaps, et cetera. Originally, when the story first broke in the fall, we thought that this was an opportunity for the Chinese to understand the American intelligence apparatus and who they were looking at on their side. Since then we learned that the targeting was highly intentional, targeting the political campaigns of the U.S. presidential candidates at the time. And this was as bad as it gets in terms of really trying to understand that. And you could understand why the Chinese state was so very invested in understanding what was being discussed amongst those campaigns considering they're now facing 60 to 100% tariffs and their economy is going to be even more battered than the 25% tariff threatened against Canada. Now what we learned this week was a lot of us had assumed that this has ended that stage one incident response, contain. And then of course you got to kick these kids out. And what we're hearing is we have not been able to fully kick them out of the networks. That is a stunning admission of failure that is unprecedented as far as I can tell in terms of these big hacks. Like if you go back to big national security hacks before the Microsoft ones, notably SolarWinds, you didn't have people come out and say and the Russians are still in SolarWinds. This is, it's bad.
And it's particularly bad given the instability that we're experiencing geopolitically. We just saw South Korea almost have a military coup. No one saw it coming. And martial law declared, things are not well in that part of the world right now or terribly stable. And if you're China going it's a month before he becomes president, maybe now's the time the American political system that it's most paralyzed. We just grab that Taiwan and wrap that in a bow and get that done. Oh, and we can just shut down the phones and the power and everything else on the west coast. The FBI is recommending that people perhaps use their own secure end to end encryption communications. That about-face, I might need a new award category, Jim, next year for that. The 180. It's not a 286 from a Terry perspective, but it's the Cyber 180.
Terry Cutler
When you watch someone, the whole network is flawed.
Jim Love
Right.
Terry Cutler
There's a vulnerability that goes right across the nation which allows you to have SS7 attacks, which allows you to intercept phone calls. You could be on the other side of the planet and you'll still intercept it. But in order for that to be fixed, you need to change the entire infrastructure. Like in North America, you say vulnerability.
David Shipley
And I say feature undocumented.
Jim Love
Well, no, no, but the American government, that, that has like somewhere Snowden is sitting there in Russia. It's going. I had to live in Russia for the rest of my life because I told people they were hacking the US phone system and. But it's. Yes, I think it's preposterously insecure. But David, you're right. The 180 of now the FBI is saying maybe encryption is a good thing.
John Pinard
Yeah.
David Shipley
And also guys, you can't be trusted with the keys to that encryption for exactly the reason that Terry just said so. Yeah. Yeah.
Jim Love
Can you imagine though, if they had, if the government had insisted that they encrypt the phone system and they put in a back door and somebody got access to the back door.
David Shipley
I encourage your readers to go back to the ancient history of the first crypto war (the crypto not being cryptocurrency, encryption) and learn about the Clipper chip.
Terry Cutler
The intelligence agents have to have a backdoor to the encryption system because how are they going to monitor for terrorist threats? Like how are they gonna be able to do their job more efficiently? What if they can't see what's happening?
David Shipley
So I'll counterpoint on that: they cannot be trusted with the keys to the back door because they have butterfingers and they lose the keys. Let's not forget that the NSA lost EternalBlue. Yeah. And all the fun that came from WannaCry. So no, they cannot have the keys. They can never have the keys. What they can do is good old fashioned police intelligence work. All of these great encrypted phone busts that they've been having where they actually seeded the technology. They created the startup company. They gave the phones to the criminals. Do that. Do exactly that. Create malware that can intercept the actual device. And if you own one end of the telephone string, end to end encryption, you don't need the damn crypto keys. You could listen live. Amazing.
Jim Love
Or do the Europeans did bust somebody take their phone and. And pretend you're them. What a. Yeah, they brought down an Europeans have just been going this month. Europe has had three or four big busts this year where they've broken up networks. Why do we never hear about a Canadian bust breaking up a network or a US one?
David Shipley
So I will tell you in the things that I've learned in the last two weeks that made my hair go grayer or balder or made me even angrier. Let's start with our embattled RC who are now being asked to magically protect the world's largest undefended border because shenanigans. The RCMP's National Cyber Crime Unit and the Canadian Anti-Fraud Centre. They're the point agency for all cyber related fraud calls. They got 400,000 calls in 2023. They answered 30,000 because that's all they're staffed to do. So they have 7.5% answer rate. So I've always been wondering why they kept saying that reported fraud was 570 million, but we suspect it could be 10 times higher. It's because the 570 million comes from the phone calls they were able to answer. And that was only 7.5% of the total number of calls. And so we're not resourcing it. And one of the other things, I found this line in the RCMP's 24 budget and it was interesting. It was like we're not cutting frontline policing, but we're going to cut policing administrative services. Dear friends. That's when they say we're cutting down on the nerds. And so that's why you're not seeing it because we're not resourcing it. And I have screamed from the hills literally in Parliament Hill about this. But I'm also tired. So I've stopped showing up for these things because it's absolutely frightening. Yeah.
John Pinard
Because people aren't. Other than the five individuals that went into Hillcrest Mall yesterday and robbed people's jewelry store. Other than that they're not doing the face to face things anymore. It's all of the online backdoor hidden ways into systems. And when you've got an agency that you're being told that if you have an issue, you need to report it to them. And they're only reviewing or getting through 30,000 of 400 and some odd thousand reports. That's frightening. And all that's doing is telling these cyber criminals, hey, we got free reign.
Jim Love
No, but if you read a lot of mysteries like I do, there's always these cyber cops or there's always these people who report to, they'll be called as witnesses, and they do all these incredible things to find this person, do all of these great technical things. And the fact is that your average police force, even in the city of Toronto, may have a handful of these people, if you're lucky, if that.
David Shipley
And on the city of Toronto. So two weeks ago, we found out from the Globe and Mail that one of the most innocuous music nonprofits in the country, called Factor, they get something like 15 million a year for the federal government, had 9.5 million taken from a Scotiabank bank account. They're now suing Scotiabank. They're suing cryptocurrency, a crypto mining company, that the equipment was used to make this, or so this money was used to buy this cryptocurrency, called money laundering, kids, 101. And according to the Globe and Mail article, there wasn't even an investigator yet officially assigned to this $9.5 million threat. I used to joke with you, Jim, that it took $50,000 or more to get police out of bed. Apparently now the threshold is getting close to 10 million to get them excited. And when I was in one of those very uncomfortable meetings where I said, anyone know if North Korea got that money for their weapons program or to send troops to Russia? Because we don't track the money at a macro level in this country. And if you don't track the money, politicians don't care. If politicians don't care, you don't get money for cops.
Jim Love
Wow. Yeah. Terry, before you get away, I want to go back to one, because you brought up another story that I think is really important, and that is the ability of companies to get past two factor authentication by stealing session cookies was one of the stories you came up with. And I think this is a big one.
Terry Cutler
In fact, it actually.
Jim Love
You want to just run by that.
Terry Cutler
Yeah. In fact, it actually segues to the Andrew Tate story because now everybody's accounts, you know, users and passwords have now been taken. And a lot of people say, I got two step verification. I don't care about this stuff. But they don't realize that if they get a phishing email or they get A message on Facebook and they click on a link and. And it asks them to log into a service like Facebook. I'm already logged into Facebook. Why is it asking me to log back in again? Okay, I logged back in. Next, you know, his username, password, and the session token have now been stolen. The hackers have now become what's called a man in the middle. They've taken the session and now they can log in as you without ever knowing what that password was. And you get right in. And now they've taken over your account. They'll change your phone number, it'll change the password. You get kicked out.
Jim Love
Why do I care?
Terry Cutler
It's only my Facebook account. But if you're a business owner and you're running Facebook campaigns, if you're running the marketing stuff, all that gets taken away from you now. And now the content on your website becomes Arab. We've seen that. Or there's fake ads going out. And you're paying for all this because you can't access the account that changed your credit card. So it's a trickle down mess.
Jim Love
One of the things that I got from reading this story and just reading your notes on it was I may never click that checkbox again that says keep me logged in. That just keeps your session cookies alive for longer. Yep.
John Pinard
There are two things that frighten me about anything browser based. The keep me logged in is one. And the other one that makes my blood boil is people that say, save my password. You know, my wife's not here so I can say it. She does it all the time. And I keep telling her that it's less critical for her. But you get into a corporation where you've got people that are doing this and they travel and somebody steals their computer. Now they've got all your login capabilities. All they need to do is hack into your computer and they've got it all.
David Shipley
And the one thing I'll say is this ties back into how we sold multifactor authentication to get corporations to deploy and the compromises that we made, how they can do things and save session cookies. Or if they're on premise, they're not MFA'd in. Because these were just different compromises made on the path to getting social acceptance within an organization of the security tools, and gang, it's gonna be really hard to do the easy technology thing of saying we need to do more MFA challenges. You're going to get the greatest resistance. In IT, it's change management. And so what I would say is from this, use your phishing simulation tests to start targeting your groups where you say, hey, you consistently fall victim to phishing. You're now going to have to do daily MFA challenges. Target your inconvenience to the areas of greater risk because you are not going to get carte blanche to roll this back.
John Pinard
What we did, David, when we deployed MFA a year and a half ago is we went what I would consider one step further. We went Windows Hello for Business. And we're not passwordless yet, but we're going that way. But in order for people to log into their computer, they either have to use facial rec or fingerprint. And so, to me, that's the best means of MFA because otherwise, if you've got a code or a PIN, it's just another password. So it's better than not having it. But to me, the best way to do it is biometrics.
David Shipley
Yeah, I think the challenge is going to be the cat and mouse part of it. But most organizations, particularly those, are doing remote. If the laptop gets bored and the productivity impacts are down, making sure you got good processes to support exactly what you just said. Can we get equipment out the next day or within what the timelines are? But this is. Terry, like the exact same thing we saw with Genesis Marketplace. I think your points are valid, that it's going to be an interesting year ahead of us.
Jim Love
And one of the things that grabbed me about this was even if you've got passwordless access, you've got tokens, you've got some sort of other. If you've got a passkey, you can still get beat if somebody gets a hold of your session cookies. And this is something, I think people have to step up and say, this is a real risk.
Terry Cutler
And this goes back to your point: there's no silver bullet to stop a hacker.
Jim Love
Right.
Terry Cutler
You can only make it as hard as possible for them to get in, so they move on to someone else.
David Shipley
The guys with the two eight, six tattoos. Clever.
Jim Love
They're coming at you. Yeah, they're coming at you. Okay, Shipley, you've got. John and Terry brought up their stories. The pressure's on you now to up the game. What do you got for us?
David Shipley
Conscious of the time, but I would just raise the Stinky. The Stinky being our award for when vendors overly brag, et cetera. This one goes to GitLab, perhaps overly promoting the AI advantages of Copilot. Lies, damn lies and statistics. Dan Campano. The Register's covered it really well, where there were some bold claims about how great Copilot was at improving developer accuracy, efficiency. Campano points out you're talking about one of the simplest, most routine non creative tasks known to man, which is writing API endpoints with CRUDs. Their sample sizes were not, what we say, massively large. Their methodology was somewhat questioned. Dan eviscerates various points made by this and I think there's some really good points. This isn't to say that AI tools helping developers can't be useful. There's a reason that Stack Overflow's traffic is nosediving and people are using these tools. However, they aren't better than people, particularly at the really tough creative coding tasks. What I'll say is this, in my time in technology and in the team that I have, the developers we have are not code translators from business analysts with requirements. They are creative problem solvers crafting well done solutions thoughtfully and carefully. And that requires a level of reasoning still not present in these automagic statistically driven generative AI solutions. So helpful tools. But they are like the driver aids, the blind side assist, the forward collision, all of those things with a good driver. They are not. They are pretending that they're full self driving cars like Teslas do and I guarantee you that will have the same result on the cyber highway as it does for many people on American highways today.
Jim Love
As a person who thought that programming was the introduction of errors to perfectly good code, I'm pleased to see that there's still hope. So David, did you have another story?
David Shipley
I think we actually covered the major stuff that I was looking for, which was the telephone hack, the fact that they're still not kicked out of the system. It's extraordinarily disquieting on that front and I think you raised some good questions. What about Canada? I think currently the best case scenario for us is we're not the interesting place to be spying on right now. And currently we are simply the butt of jokes about being the 51st state, the best security for Canada being ignored right now because we are not prepared. So I will take this slight we're not cared about and I'm going to pray that's the case.
Jim Love
I'm not sure I thought about that and I was going to make the Canadian joke that nobody cares about us. I think they're in our networks as deeply as they are in the US and because of the fact we at least have some interesting stuff happening in government, I really think people should be standing up and demanding that we get more action from our government because I honestly believe we're probably as infiltrated as anywhere I'm going to actually send out a note to Rogers and Bell to see if anybody will give me any information on that. I'm not expecting that they're going to.
David Shipley
Tell me two things give me comfort that are different. I have the privilege of working with all these companies. So full disclosure on that side, they collaborate and talk and share because there's so few of them. Right. That's the difference between the they have this positive history of collaboration with the federal government through things called CStack. So I'm placing my hope and my faith in the people that I know on those side and the high level of collaboration. But in terms of the federal government, I will add this, Jim. So I found out last night that C26, our critical cyber infrastructure bill, which I went in front of the Senate two weeks ago and testified and said, hey, it still has these flaws, but if you amend this bill to better deal with the CISO personal liability, which I think is still ridiculous, you're going to kick this back to the House of Commons, it's probably not going to make it through and we're on the whole going to be worse off for it. So I went there, I pointed out there was no flaws that get it done, but come back and fix it. And then I found out a typographic error in the actual wording of the bill as it was passed on from the House of Commons to the Senate has forced the Senate to send the bill back to the House of Commons through all three stages with the corrected ordering number, which has jeopardized the entire bill. And that is to me, the most damning thing about Canadian cybersecurity they could possibly say is that when it comes to even the laws to protect critical infrastructure, we can't even get the wording right.
John Pinard
And it's frightening because you hear all these stories about them getting new warships and subs and helicopters and this and that and the other thing, but this is probably as critical, if not more critical, than any of that.
David Shipley
Jud, if you think it's a dumpster fire and the critical infrastructure law, take a look at our C27 and the absolute trash incinerator that is the current state of legislation.
Jim Love
But I'm going to leave a warning on this piece because it comes up. And as much as I don't want to be political with the show, but I got to say, I don't want some idiot running my government who comes in and says I'm from private industry slash, slash, get rid of all that bureaucracy. But we have to acknowledge, and if we don't get it soon, especially in Canada, we have become the. You remember when people would say that the, you know, the. It was Dr. No. Our government has become. Dr. No. And that is if we do nothing, then we will never be faulted. The fact that you can have a rule that forces you to take an important piece of legislation back to the ground and somebody doesn't stand up, all parties stand up, which they can do anytime, unanimously and say this is wrong, fix it now. Because they have no sense of urgency. They want to play those games. They want to do all of these things they want to do and they seem harmless. They are not.
David Shipley
When political survival is at stake and we decide we're going to do a half baked vote buying GST, HST rebate program. Holy crap. You can get legislation written up and passed to the House of Commons and six years critical infrastructure. And when people in the Senate were challenging me with my rhetoric, my hyperbole saying that the government does not care about cybersecurity. And I point out six years it takes to get this done and one week when their necks are on the line, even when it's really bad idea.
Jim Love
Yep. So to all of our American listeners who are looking at the insanity of their government, Canada joins you. But we're going to build a wall and the US is going to pay for it. We have to wrap it up there and I hope this was good for our listeners as well. We had a great conversation. If there are topics you want us to do a deeper dive into, let me know. As well as any comments about the show, you can send those to editorial@technewsday.ca. We are going to have an end of the year show and I want to thank our panel. Thanks to our guest, Terry Cutler.
Terry Cutler
Thanks for having me.
Jim Love
John Pinard, thank you for joining us.
John Pinard
Thank you for having me. It was nice chatting with you and David and Terry.
Jim Love
And David Shipley. Thank you.
David Shipley
Thank you so much. It was a pleasure talking with you and great to have you on the show. It's always great to hear from folks still in the field with really good experience. So yeah, this was fun.
Jim Love
And thanks to our listeners for spending part of your weekend with us. I'll be back in the cybersecurity news story desk on Monday morning. I'm your host, Jim Love. Have a great weekend.
Cybersecurity Today Weekend Panel: Month In Review, December 7th, 2024
Hosted by Jim Love
In the December 7th, 2024 episode of Cybersecurity Today, host Jim Love convened his weekend panel featuring cybersecurity experts Terry Cutler from Cyology Labs in Montreal, David Shipley, head of Beauceron Security, and John Pinard, a seasoned financial services and cybersecurity executive from Pickering. The panel delved into a comprehensive review of the month's most pressing cybersecurity threats, data breaches, and strategic defenses essential for businesses navigating an increasingly perilous digital landscape.
Jim Love opened the session by welcoming his panelists, setting a collegial tone for the in-depth discussions that would follow. The panelists shared brief personal updates, highlighting their ongoing projects and professional milestones, such as David Shipley's recent achievement of surpassing the one-million-user mark for Beauceron Security.
Timestamps: 00:00 – 06:02
Jim introduced the first major topic—a novel phishing campaign detailed by Bleeping Computer. This campaign employs corrupted Word documents designed to bypass traditional security measures by exploiting Windows' file restoration features. The attackers send incomplete files that Windows automatically fixes, inadvertently allowing malicious elements like barcodes to access sensitive information.
Jim Love noted, “It's a novel phishing campaign that uses corrupted Word documents to evade security” [02:02].
David Shipley responded, emphasizing the ingenuity of such attacks and the persistent cat-and-mouse game between defenders and attackers:
“There will never be a technological silver bullet to malware and phishing. Email filters are not stopping 99.9%.” [03:53]
Terry Cutler and John Pinard further elaborated on the sophistication of these attacks, underscoring the necessity for continuous vigilance and advanced detection methods. The panel unanimously agreed that human error remains a critical vulnerability, highlighting the need for robust security awareness programs.
Timestamps: 05:19 – 14:56
The second discussion revolved around the significant cybersecurity oversight at Disney, where a former employee retained system access post-departure. This lapse enabled the individual to execute a DDoS attack targeting internal systems, including altering critical safety information like peanut allergy warnings.
Jim Love expressed shock over the incident:
“I couldn't believe that could happen at a big business like Disney.” [10:01]
John Pinard reflected on similar experiences within financial institutions, emphasizing the importance of comprehensive onboarding and off-boarding checklists to prevent unauthorized access:
“It will always come down to human error. That and when human error, it's the human that clicks on it.” [07:08]
Terry Cutler advocated for automated solutions like identity and access management systems to streamline these processes, reducing the risk of such oversights.
Timestamps: 19:53 – 22:32
The panel then addressed the Blue Yonder ransomware attack, which impacted major retailers like Starbucks and Walgreens. This incident raised critical questions about the responsibilities of businesses in managing third-party vendor risks.
John Pinard highlighted the shared responsibility:
“You can offload the work to somebody else, but you can't offload the responsibility and the ownership.” [22:06]
David Shipley expanded on the systemic risks posed by over-reliance on single vendors, urging for stringent vendor risk assessments and integration of third-party security into corporate incident response plans:
“We need to take the same approach to structural systemic risk in technology that we do in the global financial system.” [22:52]
Timestamps: 26:38 – 34:15
A case study on the City of Hamilton’s cyber attack illustrated the devastating financial and operational repercussions of inadequate cybersecurity measures. The attack led to significant financial losses and ongoing challenges in system restoration, compounded by fraudulent activities during the recovery phase.
Terry Cutler stressed the importance of advanced detection technologies, noting that traditional log monitoring often fails to identify sophisticated intrusions:
“The average time that a hacker is in a Network undetected is 286 days.” [28:18]
John Pinard echoed the urgency for comprehensive response plans, emphasizing that delayed detection can escalate the damage inflicted by cybercriminals.
Timestamps: 34:15 – 39:50
The panel discussed the recent data breach of Andrew Tate’s platform, affecting nearly 800,000 users. This incident, driven by hacktivist motives rather than financial gain, highlighted the evolving nature of cyber threats targeting high-profile personalities and their communities.
David Shipley forecasted a resurgence in hacktivism:
“Hacktivism's back, baby. It's going to be back in a big way for the next couple of years.” [34:56]
Terry Cutler drew parallels between hacktivist attacks and disgruntled insider threats, underscoring the need for comprehensive security measures regardless of an organization's size.
Timestamps: 39:50 – 49:35
The discussion shifted to the vulnerabilities associated with MFA, particularly how attackers can bypass it by stealing session cookies. This method allows unauthorized access despite the presence of MFA by exploiting active sessions.
Terry Cutler explained the mechanics:
“Hackers have now become what's called a man in the middle. They've taken the session and now they can log in as you without ever knowing what that password was.” [45:06]
David Shipley and John Pinard debated advanced MFA solutions like biometrics, with John advocating for biometric-based MFA as the most secure method currently available.
Timestamps: 51:39 – 52:32
David Shipley critiqued GitLab’s overzealous promotion of AI tools like Copilot, arguing that while AI can assist in routine coding tasks, it lacks the creative problem-solving abilities of experienced developers:
“They are pretending that they're full self-driving cars... I guarantee you that will have the same result on the cyber highway as it does for many people on American highways today.” [51:39]
The panel agreed that AI should complement, not replace, human expertise in cybersecurity, reinforcing the necessity for skilled professionals to oversee and innovate beyond automated solutions.
Timestamps: 53:01 – 56:32
The episode concluded with a critical examination of Canada’s cybersecurity legislation, specifically the C26 and C27 bills. David Shipley highlighted legislative inefficiencies, such as typographical errors that derail critical cybersecurity initiatives:
“The bill has a typographic error that has forced the Senate to send the bill back to the House of Commons… which has jeopardized the entire bill.” [54:30]
Jim Love expressed frustration over the government's lack of urgency, urging for more decisive action to protect critical infrastructure.
“If we don't get it soon, especially in Canada, we have become the... Dr. No.” [55:55]
The panelists unanimously condemned the sluggish legislative process, emphasizing that robust cybersecurity measures are as essential as physical defense mechanisms in safeguarding national interests.
Jim Love wrapped up the episode by reiterating the absence of a "silver bullet" in cybersecurity. The collective insights from Terry, David, and John underscored the multifaceted approach required to mitigate risks—from advanced technological defenses and comprehensive internal processes to proactive legislative action and continuous education.
David Shipley aptly summarized the ongoing struggle:
“As long as technology is made by humans, it will be as beautifully flawed as we are.” [08:24]
The panel left listeners with a clear message: Cybersecurity is an evolving battlefield that demands constant vigilance, adaptability, and collaboration across all sectors to effectively defend against increasingly sophisticated threats.
For more insights and detailed discussions on the latest in cybersecurity, tune into future episodes of Cybersecurity Today. Stay informed, stay secure.