With more than 3 decades of experience in cybersecurity, Pierre Noel is an expert recognized worldwide for his work. In this interview, he explains what kind of cyber threats companies and governments face, how they can defend themselves, and why he thinks the cybersecurity startup Threatray he advises has a lot of potential.
Managing Director of EMEA at ISTARI Global
Pierre Noel is Managing Director of EMEA at ISTARI Global, a cyber risk management company. He has over 30 years of international experience in Information Security, Data Privacy, and Enterprise Risk Management. He built security environments for governments and large conglomerates across industries. Pierre’s prior roles include the Chief Security Officer for Microsoft Asia and the Chief Security & Privacy Officer at Huawei. Pierre initiated the Swiss Finance Service cybersecurity information sharing program and sits on the board of several Fortune 200 companies and startups in the field of CyberSecurity and Privacy.
Where does your fascination with cybersecurity come from?
I started my career 35 years ago as a deep tech programmer. At one point, I heard someone say that cybersecurity people think differently than other IT professionals, and that sounded interesting to me. So I started to learn more about concepts such as encryption and identification. At one point, however, I made the decision to look at the topic from another angle, namely the way it impacts businesses. Cybersecurity is an operational risk topic.
Do cybersecurity people really think differently?
Yes. Typical programmers want to build. They use software to make something that is efficient and helpful. Cybersecurity professionals look at the same from another perspective, the one of a bad guy. The bad guys want to steal, destroy, or benefit from these assets. Cybersecurity is a grand game of chess, and if you want to play well, you need to understand how your opponents think.
How much do we actually know about the bad guys’ motivation?
We believe that we know a great deal about them. The first mostly harmless group are the activists. For some reason, be it religious, political, or something else, they don’t like what someone else does. For them, it’s personal, and an attack is how they want to annoy and prove that they’re better than their opponent.
The second much more dangerous group is cybercriminals. They’ve evolved from organized crime syndicates, the Mafias and Yakuzas of this world. In the past, they made money from drugs and prostitution, but they have realized that they can make a lot of money with a lot less risk from ransomware. This is software that encrypts data on the computers of their victims so that they can’t access it anymore until they pay a ransom in bitcoin. They don’t even have to steal the data!
The third group are nation-states. They attack other states for political gain and to disrupt them. They are much more sophisticated than typical cybercriminals. Sometimes, nation-states partner with cybercriminals and provide intelligence and cyberweapons to them to foster their own goals.
Let’s talk a bit more about these actors and their motivations. But first, what is a cyberweapon?
A cyberweapon is a piece of software that exploits the vulnerabilities of another software. For example, if you use a MacBook and Safari to browse the internet, this browser might have some security flaws. A programmer might have made a mistake and quality assurance didn’t pick it up. Such a flaw is known as a zero-day vulnerability. The bad guys search for those all the time. If they find one, they keep it secret and create software that will exploit it in order to successfully attack a system. Since this weakness isn’t known, and there hasn’t been a previous attack exploiting it, there is no protection available. Such knowledge is very valuable and will be kept in store until the right moment for an attack comes. You might have read about the security company FireEye which was recently attacked by a nation-state. During the attack, technology was stolen that can be used in future attacks.
As you mentioned, cybercriminals are motivated by financial gain. One way to make money for them is using ransomware that disrupts the functioning of a company by encrypting data. Do the victims actually pay the ransom or are there ways to get out of such a situation?
People say it’s wrong to pay but if the attack is well-executed, it is usually the only way. The alternatives are usually much more costly. Let me give you a few real-world examples. In Germany, a steel mill was attacked and a huge ransom was demanded. The company didn’t pay because they thought it was a bluff. This resulted in a shutdown of the production which in the end, cost much more than the ransom. Cybercriminals don’t care about the damage, even if people die, such as when they attack hospitals. Sometimes they don’t even encrypt anything. In one attack against a pharma company, they told the victim that they had made a few changes in a huge database which would result in some medications no longer having an effect. If you’ve invested billions of dollars in research and development of such drugs, you don’t think very long if you should preserve the value of this investment or not.
These examples sound really scary.
Welcome to my world.
So the ransom demands get higher and higher because the victims can’t say no?
Not necessarily. The cybercriminals will ask for a high amount but one the victim can actually afford. The total take of the cybercriminals has increased exponentially. And sometimes it’s evident why the victims don’t defend themselves better. As a hospital director, if you have some money left, you want to hire doctors and nurses and buy new kit, because you want to save lives. That’s your job. Cybersecurity doesn’t directly save lives.
What about calling the police?
Unfortunately, there isn’t much the police can do in most cases. It is easy to relay an attack through different countries to obfuscate where it comes from, and the attackers might be situated in countries where you can’t get to them easily. Interpol tries to establish communication between different countries but it’s an uphill battle. There are instances where the police can do something, for example, if cybercriminals create phishing sites, fake websites that try to steal passwords from unsuspecting clients or employees of a company. In such cases, the police can turn to the internet service providers that host these sites and order them to shut them down. But in the case of ransomware, there isn’t a lot they can do.
So companies just need to invest more in cybersecurity and the problem will go away?
If they hear cybersecurity, most people will think about antivirus programs, firewalls and the like. This is the limiting factor in their defense capability. They understand cybersecurity as a technological problem that can be solved by technology.
So what kind of problem is it?
Digital risk, which encompasses cybersecurity, privacy, and other elements, is a business problem. And in most cases, this isn’t recognized at the board level. Boards need to be aware of digital risks and receive regular updates on how they could affect business continuity. But usually, the chief information security officer (CISO) reports to the chief technology officer, which reinforces the perception that this is a technological issue instead of a governance question. Istari has started an academy with around 35 CISOs in Asia which we’ll roll out to Europe soon, and their answer as to what their biggest problem is is usually a lack of communication with the board.
The teams that CISOs have to deal with cyber threats, how large are they usually?
This depends a lot on the size and sophistication of an organization. Microsoft has thousands. UBS has a few hundred. Many banks that are big but less sophisticated just have 10 or so. But those who recognize that they need experts with very narrow knowledge usually have larger teams. Now, one big problem is the lack of talent. Google’s worldwide team for cybersecurity sits in Zurich, and they scoop up all the good people they can. This, in turn, leads to many companies finding less talent than they need. The solution here is to work with external firms, so-called managed security services, which will take care of cybersecurity for other organizations, and are big enough to hire a lot of specialists.
Isn’t it dangerous to outsource the response to what you just before called an essential business risk?
There is always a potential risk in such a step, and you have to be extremely careful in choosing such a provider. But the community of managed security services has evolved a lot and I have not seen an example so far of something bad happening.
A promising startup that provides a cyber defense tool to companies is Threatray, and you’re an advisor of this startup. How did you get in contact with them?
It was through my work with the Swiss finance industry. Together with the SIX Swiss Exchange, I’ve built a community of cybersecurity teams that work for banks and insurance groups. One goal of the group is to collectively look at emerging technologies in the field. One day, I was speaking at a conference and Endre Bangerter, co-founder of Threatray was speaking afterward. I was intrigued by what he presented and found the idea potentially wonderful. So I asked if I could help with the project by opening some doors. But it was only when I was invited to a board meeting that I understood the real potential, and then I got quite excited. What I do now is that I help shape the message of how they present the value of their software product to different types of customers. It is important to know which aspect to emphasize at what time.
What kind of arguments will resonate, say, with a large bank to use Threatray in cyber defense?
Banks are heavily regulated and especially in Switzerland, the regulator is very sophisticated. Finma wants to make sure banks are on top of cybersecurity. In order to do that, banks need to know what kind of attacks they face. They need to trace back attacks and derive intelligence from this process.
How does that work?
Imagine a bank receives an email that includes malware in the guise of an attachment to the email. It’s not enough to know that this is something fishy. You need something like a dictionary to make sense of it, and Threatray provides that. By using this software, you can find out, for example, that the attack is not really new, that there was a similar occurrence a month ago, and you start to understand what is really happening. You need such a sophisticated tool to really look into the malware and extract all the information that is hidden in it in order to get a clear picture of your enemies.
That sounds complicated.
The tool is very sophisticated and can’t be used by everyone. It is used by threat intelligence specialists that work in cybersecurity teams at large organizations, governments, banks, or telecom companies. SMEs don’t need such a tool, because they don’t need to know much about the attacks, they need a good defense with antivirus tools and firewalls.
When people think about cybersecurity capabilities, they might come up with countries such as the USA, Russia or Israel. How does Switzerland do in this regard?
There is world-class research in specific aspects of cybersecurity in Switzerland, and the engineering side is really strong. But Switzerland hasn’t had the same ability to transform good concepts into large successful companies.
You’ve spent a lot of your career in Asia. How do Asian countries compare in their cyber strength?
China is strong on the attack side, but not the most advanced in defense. The most sophisticated nation is Australia, with Singapore coming second. Taiwan is good at cyber defense because of China’s attacks.
How do you assess these capabilities as most of these operations are behind closed doors?
I was Chief Security Officer of Microsoft in Asia and in this role have engaged with a lot of different people in governments and companies. This is how I witnessed the sophistication from questions people asked and needs they had. To be honest, it is more difficult to assess offensive capabilities than defense. But Microsoft and also other companies have pretty big intelligence organizations.
Some years ago I read the book “Blackout” where a cyber attack takes down the electricity in Europe. After a few days, all hell breaks loose. How scared should citizens be of such a devastating attack?
The bad news is that cyber attacks on nations will happen, but the risk varies a lot from one country to another. For Switzerland, there is very little risk, for Germany, already a bit more. For Ukraine, which was already the victim of crippling attacks, and others such as Lithuania, there is a lot of risk. But usually – unless there is outright war – nation-states don’t want to totally outright destroy infrastructure, they just want to disrupt the very efficient way the economies are organized in order to create fear and uncertainty. This is, if you take the place of an unemotional observer, a pretty clever way to play that grand game of chess. But attacks can and do backfire.
What do you mean by that?
You might have heard about the cyberattacks on the Iranian nuclear program in 2013, which were allegedly carried out by the US and Israel. It destroyed a lot of the nuclear centrifuges, and the way the attack was carried out was very shrewd. But there was an unforeseen consequence of it. Before the attack, Iran didn’t have any cyber offense capabilities to speak of, but the incident showed the country’s leadership that it had to invest. They did, and the results were seen a few years later in the Shamoon attack on Saudi Aramco, which most likely originated in Iran.
How does Threatray fit in this picture of cyberattacks between nations?
I would like to see Threatray’s technology used by all the countries in Europe, and perhaps in countries of the Middle East and Asia as well. Governments are faced with the need to protect their citizens, and if Threatray’s team does a good job, they should be able to become the provider of choice. There are competitors but I don’t believe that they have the same advanced capacities.
In this constant battle between the capabilities of cyber attackers and defenders, who has the upper hand at the moment?
If you think about it, the odds are very asymmetrical. As a defender, you have to win all the time. As an attacker, it is good enough if one of your attacks succeeds.