Tom Uren
Hello everyone, this is Tom Uren. I'm here with another Between Two Nerds discussion with Gruk. G'day, Gruk, how are you?
Gruk
G'day, Tom. Fine, and yourself?
Tom Uren
I'm good. This week's edition is brought to you by Sublime Security. Sublime is a new type of email security platform that allows you to see exactly what's going on. It's not a black box. So, Gruk, you sent me this book, a collation of, I guess, papers about cyber hard problems. So it's from Cyber Hard...
Gruk
Used to mean something very different in the 90s.
Tom Uren
Focused Steps Towards a Resilient Digital Future, to be very clear about what we're talking about. So it's from the National Academies of Sciences, and look, I haven't read it, but I thought we'd just... I'd give you my first...
Gruk
But that's not going to stop us from discussing it. Yeah.
Tom Uren
Knowledge is no impediment or lack of knowledge is no impediment. So I thought it was interesting some of the topics that they have categorized as hard problems.
Gruk
So just briefly, I think we need to contextualize that this paper is not meant for us. This is a policy paper meant to sort of introduce things at a high level to decision makers and politicians and stuff like that.
Tom Uren
Right, right, right. So I thought it was interesting when I looked through the list of some of what they've classified as cyber hard problems, so risk assessment and trust, secure development, system composition, supply chain policy, establishing appropriate economic incentives. And so by that I think it means the Biden administration had an effort towards secure by design. And part of that was pointing out that companies essentially get away with making stuff that is vulnerable and selling it like there's no economic penalty.
Gruk
Right.
Tom Uren
Human system interactions, cyber physical systems and operational technology. Now, for most of those, and there's others, for most of those I had two thoughts. One of them was mostly things are kind of good enough. And so the reason these are difficult to fix is because no one feels that we need to fix them.
Gruk
Yeah. There's no political will because there's no urgency because it's basically working.
Tom Uren
Mostly, yeah.
Gruk
Mostly, yeah, yeah, yeah.
Tom Uren
So when we were sort of discussing this back and forth, I was like, you know, my life is not... My personal life is not beset with cybersecurity disasters never ending week after week. Now my professional life is. I write about them all the time, but fortunately, that's right, touch wood. That I think reflects the, like, the underlying dynamic. Things are both totally fine and also all screwed up at the same time. I think for...
Gruk
The average person, cyber is just not a problem that they need to worry about. Right. If you're using a Microsoft Office suite, particularly their cloud offering, if you're using Google Cloud stuff, the Google Docs, Google Mail, your security is going to be more than good enough against most things. It's going to take... It should take, in many ways, like a deliberate effort. Like, you'll have to be specifically spear-phished by someone who is deliberately targeting some system for it to happen.
Tom Uren
So now's the point where I put on my pushback hat.
Gruk
Yeah, but like that, specifically spear phishing, obviously it's a problem. I don't think it's a tractable problem, though.
Tom Uren
You don't think it's a tractable problem?
Gruk
I don't think you can stop spear phishing. Humans are fallible. Humans make mistakes. Humans can be tricked. And I think we can make it harder for them by putting up more red flags and more hoops for the attacker to jump through. I'm reminded of the... There's a guy whose crypto got stolen when he was approached to do development work for some crypto game. So he joins, and there's a Discord, which is apparently a marker of quality in these circles. And they had a website, so they said, great to have you on board. Have a look at the app, just to see sort of where we're at. And they send him a link. And Chrome's like, can't download. It's malware. So he writes back, he's like, hey, for some reason, it's accidentally flagged as malware. And the guy goes, okay, well, yeah, I don't know why that's happening. Give us a day and I'll get that fixed. So the next day, they sent him a different link. Same thing happens, and he goes, you know what? Chrome is getting in the way of me getting this job. So he disables checking for malware, forces the thing to download, he has to unzip it with a password, then he has to run it. And then when it's running, he suddenly goes, huh, there's no game coming up. This is a bit suspicious. At which point he sees that, yeah, like, all of his accounts are being drained immediately. And so he goes out to warn people against this clever trick which requires you to disable your security protections and deliberately run something from someone you don't know. Now, to be fair, okay, maybe that shouldn't be possible.
Tom Uren
But right. Right now, I'm putting on my pushback hat, like I said, and there's also things like commodity malware or, I guess, commodity attacks, which do affect a large number of people. Right. So it doesn't seem quite right to say it's fine. It still also feels like there's a land of opportunity for criminals out there. So I've got this sort of cognitive dissonance going on in my head that most of the time, like from a societal point of view, everything is fine here. You hardly ever see the cyber security minister on TV, like maybe two or three times over the last two or three years. Yet at the same time we do have a cyber security minister.
Gruk
You wouldn't have one if it was fine, right?
Tom Uren
Exactly. We don't have a minister for electricity.
Gruk
So many years ago a friend of mine, Roloff Temming, had a talk. If everything is hackable, how come not everything is hacked? Something along those lines, which is like, we all know that if someone tries to hack something, they will. It might not be this person specifically, but there is, there's a way to hack things. If, if someone applies themself, it's going to get hacked. So how come that doesn't happen to everything? How come most of the time nothing is being hacked? Like all of these websites exist that are complete garbage, but they're not all defaced all the time. And he was getting at some other point, which I completely forget. But to me, I think, I think it speaks to the fact that like, you know, if you're looking at people who are motivated to do hacking, you have hacktivists who, based on the literature, are motivated by things that they are against. So they're a little bit opportunistic. Then you have ransomware who are motivated by money. And unless you represent a source of money that they can exploit, they're not going to be interested. You have Lazarus who are motivated by crypto, so they're going after that. Like what else? Like states are motivated by state things, but they're not malicious in the same way. I guess that's what I'm getting at. Like it tends to be just espionage.
Tom Uren
Right. They're not malicious for the sake of malicious, malicious for state interests.
Gruk
Right. So they're malicious within a broader geopolitical context, which is way beyond the scope of cyber. Right. Like if you're in a war against Russia, the problem is not that you don't have multi-factor authentication, it's not the failed rollout of SSL or something, it's a much deeper issue. But yeah, I think it speaks to the fact that, like, things are just mostly okay.
Tom Uren
So it feels like they're mostly okay in the sense that they're not bad enough to generate political will.
Gruk
Right.
Tom Uren
So they're hard problems because they're not bad enough. Maybe that's the way to think about it. It's not that things are fine, it's just that they're not too bad.
Gruk
Yeah. I think that's the point. I think if you look at all of the issues that they're sort of bringing up, pretty much all of them boil down to things could be better if there was the political will to address this issue.
Tom Uren
Yeah, yeah. That's... That's the ones I've mentioned. They mention other things where I think the dynamic's a bit different.
Gruk
Right. But it's. I think for the majority of all of the stuff that they list, it's political will. There's. There's very few things that they come out with and say, this is a purely technical problem that needs to be addressed by some smart people and it will be fixed.
Tom Uren
Yeah. So one of them is supply chain. And if we were all willing to pay a whole heap more money for highly assured supply chains, we could have that.
Gruk
Right.
Tom Uren
But we just don't want to pay that much more extra money because it would be.
Gruk
People don't. Yeah. People don't want a $20,000 iPhone.
Tom Uren
Well, I think it would also be worth more than it's worth to the average person.
Gruk
Yeah.
Tom Uren
Is I think, what makes it hard. So I think there's some, like, departments of defense and stuff like that who do pay extra or over the odds for things that are notionally more secure. But it's probably. They're not paying 10 times as much, so they're getting stuff that is a bit more secure.
Gruk
Right. It'll be made in India instead of China or something like that, you know. But some of these are just intractable problems, like you've got a human involved and humans are fallible. So there's always going to be the problem of the human being tricked into doing something or convinced it's in their best interest to do something. For example, the recent Coinbase hack, where it turns out that people getting paid $70 a month are willing to take money to compromise the company that they work for.
Tom Uren
Shocker.
Gruk
I mean, who would have ever thought, like, that's just a human problem. You can't fix people. That's how we are. Some of the problems come down to just all of the advantages that hackers have, which is that they're operating under a sort of a different set of win conditions and with better incentives for success. Okay, so like hackers have all these advantages which go from the planning preparation through to the execution phase. Right? So the planning phase, it's simplicity. They're just trying to break in and gain access to something and it's composed of things that they know how to do. Then there's security in that, like, they're not announcing what they're doing beforehand, so you don't know that they're coming. And the result of that is that they achieve surprise, so that's good for them. Then they operate with speed because they know what they're doing. And then they operate with purpose because they have a goal and an objective in mind. So all of these things are the reason that special operations can succeed against much larger forces. So the same reason that the Navy SEALs can beat a company of conscripted 18-year-olds at 4 o'clock in the morning who've had two hours of sleep. Like all of the things that lead to success there are also playing in the favor of hackers. They just have their structural elements that work in their favor. And I don't think you can fix that.
Tom Uren
Right, right, yeah, I think I've described that slightly differently: when you're hacking, that's your number one priority and you're focused on that. Whereas an organization, its number one priority is never just to defend the organization. It's got some other purpose.
Gruk
I mean, if it was they just unplug and turn everything off and then cease to exist.
Tom Uren
And then yeah, yeah, yeah, you're unhackable, but you also achieve nothing. I think that's maybe a different way of saying this similar thing or a complementary thing.
Gruk
I think it arrives at the exact same conclusion.
Tom Uren
In that sense, what we're talking about are not hard problems, but they're in fact intractable problems because we've reached an equilibrium, I guess, where devoting a certain amount of effort to managing them rather than the amount of effort that would be required to eliminate them or drastically reduce them.
Gruk
I guess. Yes. So I think we're sort of at this 80, 20 point. Right. We put in the 20% of effort that gets us the 80% of the results.
Tom Uren
Right.
Gruk
And that's basically good enough. Right. Like for most people you don't need to do that extra 20% just to close the gap because the amount of effort involved is exponentially more complicated.
Tom Uren
Yeah, you don't need to do the extra 80% work to close the last 20%. Now, I guess thinking back to the secure by design. I always thought of that as a 10 or 15 year project where it was kind of incrementally changing standards over time. And it seems like if you're incrementally changing things, it's like a learning problem where there's no huge investment in any one year, but you're incrementally just changing things and getting to a better state. So that seems to be, that seemed to me to be fair enough, right? Like if you were to implement all the secure by design things all at once, that would be quite a lot of work today, right.
Gruk
If you had Secure by Design 2028, you'd probably have problems, right? Like there's just not enough time to implement it everywhere sufficiently.
Tom Uren
But if it's 2035, you would agree that it's not... Everything's fine, we can rest on our laurels.
Gruk
Everything's not bad enough that we have to. Like we're not on fire, I think is where we're at. I think you did hit the nail on the head. It's like there's no political will to fix anything because there's no urgency because things are not on fire. If things were on fire, then there'd be the political will and there'd be rapid improvements because there would have to be. But we're not there, we're beyond that. I know there will be pushback from people who say, like it's that Brian Snow quote of your security exists not because of the skill of your defenders, but because of the forbearance of your adversaries. Like, they've decided not to trash everything. That's why it's not trashed. And yeah, that's true, but I mean, they've also decided not to trash everything because geopolitically that's not worth it for them.
Tom Uren
I can think of two examples where there've been times when the same company, Microsoft, has decided to prioritize security very highly. So the first one, I think it was 2002.
Gruk
Yeah.
Tom Uren
And that was Code Red.
Gruk
And the.
Tom Uren
Yeah, yeah, yeah. Microsoft had a whole series of security incidents and Bill Gates at the time said that this is an existential threat and if we don't get it right... And the second time was just last year after they had a whole series of security incidents. And Satya Nadella said, if we don't get security right, this is a big problem. So there have been times where a very significant player in the ecosystem has said this is priority number one. So we do seem to have these inflection points every now and then within the whole industry, but it takes 20...
Gruk
...years for security to peak and trough, I think.
Tom Uren
Yeah. So looking back it seems like, you know, you have 10 good years where security kind of seeps into the whole culture and then with changes of personnel.
Gruk
You reach a point, 10 years of sort of gradual decline.
Tom Uren
Yeah, well, you reach a point of success where you think, oh, it's clearly no longer a problem because we're doing things fine. Which in the context of the day seems fair enough. But we've never had that kind of whole of industry reckoning at the same time. Like it's been Microsoft.
Gruk
It's because most people are better than Microsoft.
Tom Uren
Yeah, well.
Gruk
I guess Microsoft will always say, oh, it's because we're the biggest, so we're the largest targets.
Tom Uren
Like.
Gruk
Yeah. But you know, that said, they just literally didn't care about security and they've now inherited a huge amount of legacy issues and so they're rolling out things which they're super proud of right now but are considered like bare minimum security requirements from 30 years ago.
Tom Uren
Right. I was wondering if some of it is that there's a concentrated point of political focus. So I guess thinking back to two of the Cyber Safety Review Board reports, the first one was on Log4j and basically my very high level summary of the report was that security in Open Source is not very good, we need to do better, but there's nowhere to focus that.
Gruk
Right.
Tom Uren
That recommendation.
Gruk
There's no CEO of Open Source who's going to write a memo saying this is an existential threat. Open Source has to get better.
Tom Uren
Yep. And we're making it part of your performance plan and we're getting the right. Whereas one of the reports was Microsoft, your security sucks. And in that case there is a central point of focus.
Gruk
Right. That said, I think that Open Source has got a. Maybe it's a faster feedback loop. I think it's fair to say that's a. The federation is a double edged sword. So on the one hand there's a large number of projects and you can't organize them to all collectively devote time and resources to security because that's just like there's nowhere to go. But on the other hand, there's a large number of projects which means that there's no single point of failure in.
Tom Uren
The same way, except that everyone uses the same projects.
Gruk
Out of all of those large projects, everyone uses OpenSSH, everyone uses systemd, everyone uses. There's only one Linux kernel. Okay, so there you go. It's a double edged sword and they both point the same way.
Tom Uren
So do you think that this is a contrarian point of view that everything is kind of maybe not fine, but maybe not totally broken? Like it feels like it is, but I'm not sure.
Gruk
So I think that every year we get this crop of talks or papers saying that cyber is broken, we're failing as an industry, cyber security is not fit for purpose and on and on. And there's a grain of truth in those. But I think what they're talking about tends to be we could be better and we're not.
Tom Uren
I mean, there's a tremendous dynamic for everyone in the industry to portray it as bad and getting worse.
Gruk
Yeah. Because that's how you make sales. If you said everything's fine and it's just getting better.
Tom Uren
So, you know, yeah, we're not, we're not salesmen. So we can say everything. Well, maybe it's not fine, but it's not totally broken. You don't need to spend more stuff. Maybe you do, I don't know.
Gruk
Apparently we're not policymakers or decision makers either. Yeah. I think there is this deep consensus in a lot of places that the cybersecurity field is broken and we're not doing a good job. And I don't think that that's accurate. I think we're doing a good enough job. There's a lot of room for improvement, but I'm not sure that the juice is worth the squeeze. In most cases, the amount of improvement versus the amount of investment, it's not going to be worth it.
Tom Uren
Right. It's tremendously differently distributed. So at least a while ago in Australia the big banks were quite secure. And then apparently people would describe it to me is that you'd have the big banks and then the rest of the economy in terms of security and because they had financial incentives.
Gruk
Exactly. And also if they get hacked, that's an existential threat. Not just to them, but it could be to the state. Like if enough things go wrong with the financial system inside of a state, that could be a serious problem. So there's regulatory incentives to make sure that that happens as well. Right. If it wasn't happening, there would be a regulatory reason to make it happen. But that's not true for the majority. Like a design shop or a sticker manufacturer.
Tom Uren
Yeah. So one example of that, where even a big company is not necessarily incentivized to have top notch security. A big Australian mining company, I can't remember which one, but back in the day it would sell iron ore to China. And it would have once a year trade negotiations. And the story is that the Chinese hackers stole that mining company's negotiating position. So they knew the absolute bottom dollar, that it was acceptable. And in that year, that mining company still made a ton of money. But the story is that they lost billions in extra money. But, but the reporting was that the executives were like, well, we don't care because we still made a ton of money. And so it was like, the marginal loss was huge, but the overall profit was still huge.
Gruk
Well, okay, but I would then argue that hypothetically they missed out on $1 billion.
Tom Uren
I think that's still a huge loss.
Gruk
Yeah, yeah. Well, I was going to say, like, would it take a billion billion dollars in cybersecurity investment to keep the Chinese out? And. I don't think so. I think it would, it would take less than that.
Tom Uren
No, no, I think it's. I think it was more a dynamic of why they didn't spend more beforehand.
Gruk
Right.
Tom Uren
Like that that industry changed and so now it's all sold on the spot market. So there is no. It's a proper market rather than a negotiation.
Gruk
So it was fixed at a level other than cyber security. Right. There's just, there's no value now in stealing trade secrets like that. Because it doesn't.
Tom Uren
You can't make or save billions of dollars by doing it.
Gruk
Yeah. So they still don't have to invest in cyber security.
Tom Uren
Happiness.
Gruk
So if you're at the NSA, like, you need to be secure against China and the Russians and whomever. Right. Like you need to have state level security. If you are a large corporation, like a bank, you need to be secure against criminals. And if you're none of those and you're just a, like, if you're a regular small 50 person, 100 person company, you need to be minimally secure against someone who's just looking for an opportunity. Like, if you're not that opportunity, you're fine. Like, you just do not need state level security because the KGB doesn't care.
Tom Uren
So what struck me about those different levels of actors, like the state actor, the big company, the small company, is that all of them are aiming for security that is just good enough. In fact, probably for some of them, just barely good enough. Even NSA security is a top priority, but it's not the top priority. And so they're all aiming to be just a cut above mediocre.
Gruk
There you go. They just need to be okay. I think.
Tom Uren
At a very high level, at a sort of meta society level, things are mostly fine. It has resulted in tremendous efficiencies. There's lots of things we can do now that we couldn't do five, 10 years ago. But when you dive into the details, there's all these seams that provide opportunities for people. And so ransomware wasn't a field that existed, was it, 10 years ago? 10, 15 years ago.
Gruk
I mean, it's the first. Ransomware was from the 90s or something, but it wasn't an ecosystem, it wasn't an entire thing until relatively recently.
Tom Uren
I suppose the flip side of this question is, are we living in a golden age for cybercriminals?
Gruk
Is the noose tightening all the time? Right. Is secure by design going to actually get there eventually? Well, I mean, not because it's had all its funding cut, but there's still incentives for companies to do security, at least to a level to make it difficult enough. You know, it comes back to the joke of raising the bar. If you raise the bar enough, eventually people can't get over. But that's not really how it works with cyber, because once you've raised the bar, they automate the process of getting over the bar, and then everyone can get over the bar. So you have to do it again.
Tom Uren
Well, I think ransomware in particular seems to have a long tail because there's many companies that don't really take the threat all that seriously until they've been affected or had a near miss.
Gruk
Yeah, because for them, everything's fine and they don't realize that there's, you know, a wolf at the door.
Tom Uren
Yeah. And I think that's the sort of flip side of most of the time everything's fine and just occasionally it's not. If it was bad for everyone all the time, then people would take action.
Gruk
Yeah.
Tom Uren
Yeah. So does this mean that we're in some sort of equilibrium where, in fact, this is about as good as it's going to be? There's going to be constant hacks. I'll have the ability to write a newsletter every week and have something interesting to say. This is reassuring to me.
Gruk
You know, I think that's true in that all of the improvements that we make, and I think there will be improvements, are going to be matched by some changes in the criminal ecosystem to adapt to it, and so things will get better and stay the same.
Tom Uren
Thanks, Gruk.
Gruk
Thanks a lot, Tom.
Risky Bulletin Podcast Summary
Episode: Between Two Nerds: Cyber's Hard Problems
Host/Authors: Tom Uren & Gruk
Release Date: May 26, 2025
Podcast: Risky Bulletin by risky.biz
In this episode of Risky Bulletin, hosts Tom Uren and Gruk engage in a deep dive discussion titled "Between Two Nerds: Cyber's Hard Problems." The conversation revolves around the complex challenges facing the cybersecurity landscape, drawing insights from a policy paper titled "Cyber Hard Problems: Focused Steps Towards a Resilient Digital Future" by the National Academies of Sciences.
Tom introduces a compilation of papers about cyber hard problems, emphasizing that these issues are not merely technical but are deeply intertwined with policy and political will.
[00:59] Tom Uren: "Knowledge is no impediment or lack of knowledge is no impediment."
Gruk clarifies that the paper is aimed at policymakers and decision-makers to highlight high-level cybersecurity challenges.
[01:15] Gruk: "This paper is not meant for us. This is a policy paper meant to sort of introduce things at a high level to decision makers and politicians and stuff like that."
A central theme of the discussion is the lack of political will to address cybersecurity issues comprehensively. Tom posits that many cyber problems persist not because they are unsolvable but because they are not deemed urgent enough to warrant significant attention or resources.
[02:27] Gruk: "There's no political will because there's no urgency because it's basically working."
Tom echoes this sentiment, suggesting that the absence of frequent high-profile cybersecurity incidents downplays the perceived need for action.
[06:21] Gruk: "Everything's not bad enough that we have to. Like we're not on fire, I think is where we're at."
The hosts examine how major industry players like Microsoft respond to cybersecurity threats. They highlight instances where significant security threats prompted top-level executives to prioritize security initiatives.
[15:05] Tom Uren: "Microsoft had a whole series of security incidents and Bill Gates at the time said that this is an existential threat and if we don't get it right."
Gruk notes that despite such high-profile responses, the industry often reverts to complacency once immediate threats subside.
[15:44] Gruk: "They just literally didn't care about security and they've now inherited a huge amount of legacy issues."
The conversation shifts to the vulnerabilities inherent in open-source software. Tom references a Cyber Safety Review Board report on Log4j, summarizing the key takeaway that while improvements are needed, there is no central point of focus to drive those changes.
[17:16] Tom Uren: "Security and Open Source is not very good, we need to do better, but there's nowhere to focus that."
Gruk elaborates on the double-edged nature of open-source projects: while decentralization prevents a single point of failure, it also hampers coordinated security enhancements, and in practice everyone depends on the same handful of projects anyway.
[18:05] Gruk: "It's a double edged sword... there's a large number of projects which means that there's no single point of failure in security."
A significant portion of the discussion centers on the economic incentives (or lack thereof) that drive organizations to prioritize cybersecurity. Tom argues that many companies only invest adequately in security when a breach poses a direct financial threat.
[20:20] Gruk: "There's regulatory incentives to make sure that that happens as well."
They discuss a case involving an Australian mining company whose lackluster investment in cybersecurity led to massive financial losses despite ongoing profits.
[21:50] Tom Uren: "They knew the absolute bottom dollar, that it was acceptable... But the reporting was that the executives were like, well, we don't care because we still made a ton of money."
Tom and Gruk debate whether the current level of investment in cybersecurity is proportional to the threats faced. They suggest that many organizations operate on an "80/20" principle—allocating 20% of effort to achieve 80% of security benefits, deeming the remaining effort disproportionate to the perceived risks.
[12:43] Gruk: "We put in the 20% of effort that gets us the 80% of the results."
This approach, while pragmatic for many, raises concerns about the adequacy of defenses against sophisticated cyber threats.
The hosts contemplate whether the cybersecurity landscape has reached an equilibrium where improvements in defenses are matched by advancements in cybercriminal tactics, resulting in a status quo where constant breaches occur but without escalating into existential threats.
[25:20] Tom Uren: "So does this mean that we're in some sort of equilibrium where, in fact, this is about as good as it's going to be?"
[26:10] Gruk: "I think that's true in that all of the improvements that we make... are going to be matched by some changes in the criminal ecosystem to adapt to it."
This perspective suggests a persistent cycle of innovation in both defensive and offensive cybersecurity measures, maintaining a balance that neither side can decisively overcome.
In wrapping up, Tom and Gruk express a nuanced view of the current cybersecurity environment. While acknowledging significant strides and the effectiveness of certain security measures, they also recognize persistent vulnerabilities and the limitations imposed by political and economic factors. The discussion underscores the complexity of achieving a fully secure digital future, highlighting the interplay between technical solutions, human behavior, and systemic incentives.
[26:11] Gruk: "Thanks a lot, Tom."
Key Takeaways:
This episode offers a thought-provoking examination of the multifaceted nature of cybersecurity challenges, emphasizing that technical solutions alone are insufficient without corresponding shifts in policy, economic incentives, and organizational priorities.