InTechnology Podcast

Will Modern Tech Last? Cybersecurity of the Future (145)

In this episode of InTechnology, Camille and Tom get into cybersecurity of the future with Moty Kanias, Vice President of Cyber Strategy and Alliances at NanoLock Security. The conversation covers the inherent vulnerabilities built into both new and legacy software and hardware, the new types of cyber attacks in cybercrime and cyber war, and how to protect against insider threats with zero trust policies.

To find the transcription of this podcast, scroll to the bottom of the page.

To find more episodes of InTechnology, visit our homepage. To read more about cybersecurity, sustainability, and technology topics, visit our blog.

The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.

Follow our hosts Tom Garrison @tommgarrison and Camille @morhardt.

Learn more about Intel Cybersecurity and the Intel Compute Life Cycle (CLA).

Software and Hardware Vulnerabilities

Moty outlines the depth of vulnerabilities in both hardware and software that leave our modern technologies open to an increasing number of cyber attacks. While futuristic technology like self-driving cars may seem like things from the movies brought to life, the truth is that anything from cars to your computer’s operating system is vulnerable. This is because the technologies we use today still rely heavily on legacy software and legacy hardware, along with open-source code borrowed from sources with unknown vulnerabilities. It’s a far-reaching problem much deeper and much more complex than Y2K just over two decades ago.

Cyber Attacks: Both Cybercrime and Cyber War

Technology isn’t changing as fast as cyber attackers are adapting their tactics and the frequency of their attacks. While individuals and companies are increasingly at risk for cyber attacks, the greater looming threats are far-reaching cybercrime and even cyber war, Moty explains. He shares current examples of cyber threats as a result of the Russia-Ukraine war, along with concerns about potential cyber war tactics from other world governments. Whether by cybercriminals out for monetary gain or government entities seeking to cause chaos, the vulnerabilities in the technology we use every day are at increasingly high risk of being exploited.

Zero Trust and Insider Threats

What can companies do to increase their cybersecurity efforts? Legal regulations around the world are still far behind what’s needed to protect company data and defend against cyber threats, so the onus is on individual companies to enact better cybersecurity policies—particularly against insider threats. One of the best methods, says Moty, is zero trust policies, especially for OT, or operational technology, where tech can be locked to read-only to prevent the transferring of malicious data by cyber attackers or insider threats.

Moty Kanias, Vice President of Cyber Strategy and Alliances at NanoLock Security


Moty Kanias is currently Vice President of Cyber Strategy and Alliances at NanoLock Security, a company dedicated to prevention against cyber attacks with zero trust practices. He is a veteran of the Israeli security forces, of which he is currently a colonel in reserve, and he also served as a senior executive in the Israeli Prime Minister’s office as the head of counterintelligence and cyber threats research.


[00:00:28] Tom Garrison: Hi, and welcome to InTechnology podcast. I’m your host Tom Garrison. With me as always is Camille Morhardt, my co-host. Today, our guest is Moty Kanias. He is VP of Cyber Strategy and Alliances of NanoLock. He’s a veteran of the Israeli security forces. He’s also a colonel in reserve with lengthy experience in cyber security, counterintelligence, and insider’s threat.

He’s joining us today to discuss his views of the future cyber security landscape, which is in a word “chaotic.” So welcome to the podcast, Moty.

[00:01:04] Moty Kanias: Hi everyone. Thank you very much for hosting me here.

[00:01:08] Tom Garrison: Well, let’s just jump right into it. As I said there in your introduction, we’re gonna talk about the future cyber security landscape. So can you share your views on what we should be expecting?

[00:01:20] Moty Kanias: The beautiful world that we live in now–the cell phones that we have, the computers, the databases, and the future that we even imagine–all depends on different technologies that we use. We’re starting to think about AI doctors that will make operations and you know, we’re already having self-driving cars, so it’s all just a bunch of technologies that we see today and more in our future.

But the thing is that when you think about it, those technologies are built out of something that I see as very scary, which is a bunch of new and old software and new and legacy hardware. What this means is that all of this data that’s been going on in processes and in future computers is a bunch of code that people program that are filled with vulnerabilities.

When we think about the movies that at least I saw as a child and thinking about AI monsters as Skynet or The Matrix, my point of view is that that will never happen because the programming that people do nowadays, and the software and the hardware are so complex that they will just all be filled with vulnerabilities and the whole technology world will just collapse.

[00:02:49] Tom Garrison: Wow.

[00:02:50] Camille Morhardt: You mean you think that all of these technologies that are doing self-driving cars and running databases and all kinds of stuff are just going to fail, like have an epic failure because of the amount of vulnerabilities?

[00:03:02] Moty Kanias: It’s everything that we have and own right now that isn’t physical. Everything’s somewhere is connected to some cloud somewhere. When we have more coding lines–I’m talking about massive programming–we have more vulnerabilities. So every day we just open whatever podcast or newspaper and we hear and read about more vulnerabilities of more problems in different systems.  And it’s only the beginning because systems are getting more complex. We’re using more code, we’re using more cloud.

[00:03:39] Tom Garrison: How does this play out then? It’s a pretty pessimistic view of the future if I, if I do say so myself. But obviously things are all connected and, as you do point out, they all have some element of code.

[00:03:52] Moty Kanias: The problem is not only the vulnerabilities, the problem is of course, adversaries, attackers–but not only cyber crime attackers, but also cyber attackers of governments. People have already used cyber in acts of war, but not only in war, but they use it every day, governments and adversaries in order to make money.

What happens nowadays in the world of programming–and this is where things get complicated–is that I think that people don’t take too much attention to cyber security. What runs the world nowadays is just making good profit. So a good product is a product that sells good. It doesn’t matter if it has cyber abilities at all. And I’ll say more than that. In the past years, we even found cyber security companies had adversaries taking advantage of them. If money’s driving the world and saving money is part of the atmosphere of the world, it means that we will have more and more things moved to the cloud, because there’s no need for operation people to deploy software–we can do that as a SaaS, like software as a service; and therefore it opens something that is even more complicated, Agile programming–sending away whatever, uh, software or version that is best to the date, but not best for the world. When I mean best of the world, I mean a secure code and it doesn’t matter if it’s a computer game, if it’s the next future PLC that will be in the cloud or even social media, anything newspapers.

[00:05:43] Camille Morhardt: Uh, I’m still interested in figuring out when Tom asked you like how you think it’s gonna play out, are you looking at gradual increase in attacks as we’ve seen them in across different industries, you know, targeted attacks, or are you thinking entire systems are gonna collapse within economies or regions? Like the taking down of, of a grid somewhere, or some giant failure of all autonomous vehicles.

[00:06:09] Moty Kanias: So I’ll tell you that the speed of the technology now and the speed of cyber security regulations and products is just a huge gap. So people don’t, or countries don’t tend to change regulations.  But adversaries change every day.  So I don’t know exactly when the last time the US as a country changed their regulations, but I can tell you that I don’t see effect on ransomware in the U.S.  So something isn’t going the right path.

So the way it will happen, I’m sure that it will start from some war, but in some cases, maybe it even started now with, uh, Russia and Ukraine. The fighting itself is in Ukrainian land, but what’s happening in cyberspace? In the US and also in Europe is absolutely crazy. You see that in cyber insurance. See that in companies and the fact that now, uh, manufacturers became number one targets of ransomware and cyber attacks. So that’s the beginning. It’s already happening.

In future conflicts it could be China or even North Korea. There’ll be bigger vulnerabilities because of bigger software and more will of countries to use their weapons other than physically attacking something, it will be all of cyber war. And once a vulnerability is being used and software or dangerous software is, is being applied, it just goes anywhere.

So why do I say governments? Because when North Korea or the Chinese government work on attacking–whoever it is–they go after the biggest vendors.

Microsoft and Apple, and they try to find vulnerabilities in, I’d say, major systems that we all rely on. So it’s one thing thinking about, uh, a car, but it’s another thing thinking about Microsoft Windows. It’s all just there and it’s all just a bunch of software that is always connected also to hardware.

[00:08:20] Tom Garrison: It seems like the future picture that you’re pointing out is one where there will be vulnerabilities and then people for whatever reason–whether it’s for economic reasons or for just sowing chaos into societies like warfare–they can use those vulnerabilities. But once a vulnerability is used once–especially cuz we’re talking about software–it’s then exposed and presumably the software is then hardened to whatever that vulnerability is, and then it becomes a search for the next vulnerability.

So at some point, while yes, there’s chaos in the moment or there’s, you know, economic loss in the moment, it feels as though the awareness will be raised, the vulnerabilities that are out there will be utilized and then fixed.

Do you agree with that? Do you think this is just a learning process we have to go through to get better and healthier, or is it something different?

[00:09:16] Moty Kanias: It gets more complex because it’s not only patching the patches or the vulnerabilities and fixing that; there are still factories or production lines that use Windows XP, that Windows stopped supporting years ago. So it’s happening everywhere. It’s happening in hospitals. It’s happening in production lines. It’s always the connection between legacy and new, and it’s always legacy software and legacy hardware.

So let’s talk about just the coding from, from our point of view. When programmers write code, they use open source; so they don’t exactly know what part of code they’re taking from where. And those are all embedded softwares on different solutions that we live upon. So it’s hard to say, I’m just saying that the problem is more complex.

[00:10:10] Tom Garrison: Yeah.

[00:10:11] Camille Morhardt: You’re talking about kind of a horizontal problem, if there’s a platform or code that goes into all kinds of different systems that could then be affected. It kind of reminds me of like Y2K, which was a different kind of a problem, but it affected almost everything, and yet somehow it turned out okay.

Why is this one different? I mean, it’s not new that technology is always ahead of regulations; they usually follow. So why is this so different? Is it just that we’re so interconnected and we’re so reliant on these systems now?

[00:10:42] Moty Kanias: So we’re using more and more technologies, more and more complex code, more and more stronger computers. Quantum computer of tomorrow is dealing with encryption of today, so it’s all going there. We rely more on technology. Coding is more complicated and we have basically more and more vulnerabilities every day and every year it’s worse than the year before. And the amount of cyber attacks–if it’s from states or from cyber crime–are always increasing.

So there’s a true business there and a true value from their point of view to work and to attack the systems or grid or, or whatever. And, and it comes from the combined of software, hardware, and as I said before, human beings, people that make mistakes. People that sometimes are negligent; people that are somehow manipulated into doing things without them even understanding what they’re doing.

And when you take that factor, and that’s called an insider, and put it in the environment of legacy and new software, this is the tipping point that I see that getting all together and putting the world of cyber into a great danger.

[00:12:01] Tom Garrison: Yeah. So Moty, you talk about the insider, and I think most people, when they hear the term an insider threat, I think most people sort of jump to the person who, who has nefarious intent, right? They’re, they’re trying to cause damage or whatever, exploited, vulnerability, whatever it happens to be. But there’s the whole spectrum of insider threats–from ignorance all the way through ill intent. And so how do you protect against that as a business?

There’s no obviously silver bullet or any single approach that can solve this, but what are some ideas based on your understanding of where the future threats are, all of your past experiences, what can companies do?

[00:12:47] Moty Kanias: So nowadays it’s hard to find even software products or cyber security products that deal with the insider threat because it’s complicated. And part of the problem that we see today is organizations trust and they have to trust their workers and therefore give them permissions usually to everything that they need.

It won’t be unheard of that every new employer will get full access to some kind of drive of a company, and that’s given almost automatically, uh, to every worker. And there really aren’t strong enough systems in order to change that. And in the world of, of IT, I have to say, it’s, it’s more complicated because computers that are connected are always exchanging information, changing information and data means that they have to use permissions to read and write data on their memories. And you know, the writing ability is exactly what an adversary would do to change configurations or to make a computer do something other than what it’s supposed to be doing.

In the OT world–which I’d say now doesn’t have almost any cyber security at all–everything is open there. So machines or devices in the OT are not really exchanging information between one or the other. In most cases, we can turn them into a read-only device that only does what it’s supposed to do, but the writing ability on the device itself will be prevented. That solution is just another word of saying zero trust.  Make sure that we have good cyber security solutions that people already thought about them before, and to implement them every place possible, starting from my point of view in the OT world.

There’s no reason in the world that an RTU, that a PLC and even, uh, robots that are always depending on some kind of RTU industrial computers, no reason in the world that they shouldn’t be locked and have efficient cyber security prevention layer that will just cut or destroy the adversaries or even the insider’s ability to, to change configurations or to upload a software that could be ransomware or to do even worse things.

[00:15:22] Camille Morhardt: Now that you’ve spent some time describing how to architect for it. I wonder if you could just take a moment and explain in your words what Zero Trust architecture is, or what Zero Trust is.

[00:15:34] Moty Kanias: So from my point of view, and you know a lot of papers about that, zero trust just means changing the way that we give privileges to others, starting from zero.  Nobody has authorization to the data that they’re not supposed to see. In the OT world, it’s easier because there’s hard information that is moving from one area to the other. It’s doable. There are products and companies who do that.

[00:16:00] Camille Morhardt: Hey Moty, I’m curious.  Earlier in the conversation you mentioned regulations and we really haven’t touched on that yet.  Where do you think regulations fit in to your picture for the future cyber security landscape?

[00:16:13] Moty Kanias: Nowadays, according to the US regulation, you don’t need to lock level one devices. What you do need is to have a firewall. You need to have policies that are not digitalized, and all you kind of need to have in critical infrastructure is some kind of visibility tool. Well, visibility tool is always a too late solution for a problem that you had. I’d say that it’s worse if you have a production line and a visibility tool and you’ve stopped production, you don’t need, the cyber security product to tell you that. You’ll know that you stopped production.

So what we have there is lack of relevant regulation for the whole world, I’ll say, for OT cyber security.  There is one country, small country, that changed that regulation about a few months ago, and that’s Singapore. Singapore are the. In the world to stay nowadays, and I think it has to start by next July, that their critical infrastructure must enable zero trust mechanism, again, on OT devices, which means making sure that they’re not writeable and that only a person who goes through a full system with multi-factor authentication and some other features there in the zero trust, to get full ability of changing configurations on the level one products devices.

[00:17:47] Tom Garrison: Thank you for joining us today, sharing your views on the future, and what we can do to protect ourselves.

[00:17:54] Moty Kanias: Happy to be here. Thank you.
