WEBVTT 1 00:00:07.080 --> 00:00:09.480 Anna Delaney: Welcome to the ISMG Editors' panel. I'm Anna 2 00:00:09.480 --> 00:00:12.330 Delaney. Today, we'll be discussing recent international 3 00:00:12.330 --> 00:00:15.690 law enforcement efforts against Russian cybercrime, the latest 4 00:00:15.720 --> 00:00:18.630 U.S. healthcare cybersecurity bill and key takeaways from 5 00:00:18.660 --> 00:00:22.290 ISMG's Canada summit. The excellent team today includes 6 00:00:22.290 --> 00:00:25.800 Tom Field, senior vice president of editorial; Marianne Kolbasuk 7 00:00:25.800 --> 00:00:29.100 McGee, executive editor for HealthcareInfoSecurity; and 8 00:00:29.100 --> 00:00:32.100 Mathew Schwartz, executive editor of DataBreachToday and 9 00:00:32.100 --> 00:00:33.810 Europe. Very good to see you all. 10 00:00:34.410 --> 00:00:35.250 Tom Field: Thanks for having us over. 11 00:00:35.490 --> 00:00:35.970 Mathew Schwartz: Yeah. 12 00:00:37.020 --> 00:00:40.140 Anna Delaney: As you said Tom, it's the Battle of the Spires 13 00:00:40.170 --> 00:00:43.860 today. Where's your spot? I think it's in Toronto. Is it 14 00:00:43.860 --> 00:00:44.100 not? 15 00:00:44.160 --> 00:00:46.680 Tom Field: It is north of the U.S. border in Toronto, where I 16 00:00:46.680 --> 00:00:49.890 attended last week's East Canada Summit. And this was the 17 00:00:49.890 --> 00:00:52.590 beautiful view outside my hotel room, which is where I spent a 18 00:00:52.590 --> 00:00:53.100 lot of time. 19 00:00:53.910 --> 00:00:58.140 Anna Delaney: Excellent shot. Marianne, got to say, it's a 20 00:00:58.140 --> 00:01:00.210 gorgeous view there. Tell us more. 21 00:01:00.840 --> 00:01:06.180 Yeah, this is rainy Prague. I was there with my sister and my 22 00:01:06.180 --> 00:01:11.010 daughter a couple of weeks ago. Went to Prague, Kraków and then 23 00:01:11.010 --> 00:01:15.000 Warsaw, Poland, which had better weather. But, it's Prague's ... 
24 00:01:15.030 --> 00:01:17.790 first time I've been to all those cities - beautiful, all of 25 00:01:17.790 --> 00:01:20.400 them. So, rooftop view. 26 00:01:21.150 --> 00:01:25.170 I've been to none of those cities; so, they're on my list. You'll 27 00:01:25.170 --> 00:01:30.000 have to share recommendations soon when I go. Mat, I love this 28 00:01:30.180 --> 00:01:32.400 image. Is this taken this week? 29 00:01:33.110 --> 00:01:35.180 Mathew Schwartz: Yeah, just taken this week, just because 30 00:01:35.180 --> 00:01:39.740 it's so autumnal seeming here in Dundee, in Scotland. So, which 31 00:01:39.740 --> 00:01:44.000 is where this is set. So, yeah, we have the stack, this amazing 32 00:01:44.000 --> 00:01:46.730 landmark from the more industrial age, although it's 33 00:01:46.730 --> 00:01:51.350 still used. And then little church over here, obviously. And 34 00:01:51.350 --> 00:01:56.840 a little bit of autumnality, is that a word, in the leaves that 35 00:01:56.840 --> 00:01:58.070 we're seeing around these parts. 36 00:01:59.330 --> 00:02:01.970 Anna Delaney: Great colors going on there. Well, yesterday, 37 00:02:02.000 --> 00:02:06.290 Marylebone Town Hall in London hosted a truly remarkable event, I 38 00:02:06.290 --> 00:02:09.740 must say. 100 weddings in a single day to celebrate 100 39 00:02:09.770 --> 00:02:13.430 years since its first ceremony, and my friends were lucky enough 40 00:02:13.430 --> 00:02:17.420 to secure a spot and tie the knot there. So, the venue behind 41 00:02:17.420 --> 00:02:21.320 me is steeped in history, having hosted the weddings of Beatles' 42 00:02:21.560 --> 00:02:26.090 Paul McCartney twice - Ringo Starr, one of his weddings. And 43 00:02:26.120 --> 00:02:30.290 even the U.K.'s first same-sex union. So, it was a beautiful, 44 00:02:30.530 --> 00:02:32.870 unforgettable moment, especially for a schoolmate. 45 00:02:33.830 --> 00:02:35.210 Tom Field: How many weddings did you sit through? 
46 00:02:36.020 --> 00:02:38.750 Anna Delaney: Just one. But, they were live streamed as well. 47 00:02:38.750 --> 00:02:42.980 So, I did see a few that allowed themselves to be live streamed, 48 00:02:42.980 --> 00:02:48.050 and lots of brides and grooms and, you know, lovely dressed 49 00:02:48.050 --> 00:02:53.540 people walking around the town. Right, Mat, starting with you 50 00:02:53.540 --> 00:02:56.330 this week. It seems that international law enforcement is 51 00:02:56.330 --> 00:02:59.150 making significant strides against Russian cybercrime, 52 00:02:59.180 --> 00:03:02.690 targeting notorious groups you've written about aplenty, 53 00:03:02.690 --> 00:03:07.520 like Evil Corp and LockBit, revealing deep ties to Russian 54 00:03:07.520 --> 00:03:10.670 intelligence and resulting in key arrests and sanctions. So 55 00:03:11.120 --> 00:03:12.380 Mat, what do we need to know? 56 00:03:13.170 --> 00:03:15.810 Mathew Schwartz: I love the name Evil Corp. It's been around for 57 00:03:15.810 --> 00:03:19.080 about a decade. And I mean, not to give them too much due. Yeah, 58 00:03:19.350 --> 00:03:25.080 Tom, it's cartoon villainy that is suggested, which, you 59 00:03:25.080 --> 00:03:29.130 know, doesn't accurately assess the full amount of damage 60 00:03:29.130 --> 00:03:32.310 that group has caused. Government agencies, critical 61 00:03:32.310 --> 00:03:35.460 infrastructure, financial services, healthcare have all 62 00:03:35.460 --> 00:03:39.390 been hit by the group, especially with its ransomware. 63 00:03:39.510 --> 00:03:42.900 So, let's get to Evil Corp in a moment. They've been around for 64 00:03:42.900 --> 00:03:45.450 a long time. They're going to be around for a lot longer. So, 65 00:03:45.450 --> 00:03:48.030 we'll come back to them in just a second. 
But, what was 66 00:03:48.030 --> 00:03:54.270 interesting this week was the continuing trolling of LockBit, 67 00:03:54.750 --> 00:04:00.750 that formerly notorious and well-regarded, from a criminality 68 00:04:00.750 --> 00:04:06.450 standpoint ... ransomware group - so, it's been operating for 69 00:04:06.480 --> 00:04:11.940 multiple years now and had a very outspoken leader - 70 00:04:11.970 --> 00:04:17.130 LockBitSupp - who closely guarded his identity. Kudos to 71 00:04:17.130 --> 00:04:19.410 law enforcement. They've been dismantling all of that. They 72 00:04:19.410 --> 00:04:24.210 infiltrated LockBit in February and managed to obtain all of the 73 00:04:24.210 --> 00:04:29.400 chat logs between LockBit and its many victims. They found a 74 00:04:29.400 --> 00:04:32.910 lot of interesting things, such as even though LockBit would let 75 00:04:32.910 --> 00:04:36.420 a victim pay a ransom in return for a promise that stolen data 76 00:04:36.420 --> 00:04:40.140 would be deleted, the group hadn't deleted any data at all 77 00:04:40.200 --> 00:04:45.630 since at least the end of 2022, something about thieves 78 00:04:45.660 --> 00:04:48.660 honoring promises. I don't know, it escapes me. But you know, this 79 00:04:48.660 --> 00:04:51.780 is useful information. You pay for the promise of data 80 00:04:51.780 --> 00:04:55.080 deletion. You're a sucker. And we've seen this time and time 81 00:04:55.080 --> 00:04:59.610 again. So just like, you know, point of it is, like, please 82 00:04:59.640 --> 00:05:03.840 learn, stop. So, aside from that, what's been really cool is 83 00:05:03.870 --> 00:05:06.780 law enforcement's been trolling LockBit. With all this 84 00:05:06.780 --> 00:05:09.420 information they obtained, they've been reaching out to 85 00:05:09.450 --> 00:05:13.470 affiliates, saying, "We know all of your handles now, because 86 00:05:13.500 --> 00:05:16.740 LockBit didn't secure it very well. 
Are you sure you really 87 00:05:16.740 --> 00:05:19.740 want to keep working with LockBit? We think maybe you 88 00:05:19.740 --> 00:05:24.060 should seek other forms of gainful employment," etc. So, 89 00:05:24.180 --> 00:05:27.630 lovely reversal, because ransomware groups have been 90 00:05:27.630 --> 00:05:31.230 really outspoken about saying things like, "Well, we've given 91 00:05:31.290 --> 00:05:34.770 security penetration testing to the world, and, you know, some 92 00:05:34.770 --> 00:05:37.320 people pay us for the privilege," and all this kind of 93 00:05:37.320 --> 00:05:40.560 nonsense. They're criminals. They've got no scruples, as 94 00:05:40.560 --> 00:05:43.830 Marianne continues to document. Unfortunately, they hit 95 00:05:43.830 --> 00:05:48.570 healthcare left, right and center, at risk to human life. I mean, 96 00:05:48.600 --> 00:05:52.500 they're horrible people. So, kudos to law enforcement for 97 00:05:52.500 --> 00:05:57.270 finding new ways to disrupt these groups. With LockBit, they 98 00:05:57.270 --> 00:06:00.030 had a countdown this week saying there's going to be additional 99 00:06:00.030 --> 00:06:04.830 information, and there was, and timed with authorities in the 100 00:06:04.830 --> 00:06:09.690 U.S. and France and Spain and Australia. There's also a raft 101 00:06:09.720 --> 00:06:15.030 of new sanctions against LockBit operators. They already 102 00:06:15.030 --> 00:06:18.240 sanctioned the lead guy, but they found somebody that they 103 00:06:18.240 --> 00:06:21.840 didn't know who had been participating before, which 104 00:06:21.990 --> 00:06:26.550 turns out to have been the right-hand man to the head of Evil 105 00:06:26.550 --> 00:06:30.810 Corp. So, I'm going to not do any justice to these Russian names, 106 00:06:30.810 --> 00:06:36.330 but Aleksandr Ryzhenkov was an affiliate of LockBit, the 107 00:06:36.330 --> 00:06:39.300 authorities say. 
And before that, he was the number two 108 00:06:39.300 --> 00:06:44.820 person in Evil Corp, serving as the right-hand man to, again 109 00:06:44.820 --> 00:06:49.290 with the Russian names, well, let's say Yakubets, who's the 110 00:06:49.290 --> 00:06:54.360 guy who was in charge, aka Aqua. So, Aqua was in charge, and this 111 00:06:54.360 --> 00:06:57.780 guy was his right-hand man. And now it turns out that when the 112 00:06:57.780 --> 00:07:01.170 going got tough for Evil Corp, because they got sanctioned by 113 00:07:01.170 --> 00:07:05.490 the U.S. in 2019, both the organization and its leadership. 114 00:07:06.510 --> 00:07:09.150 Once they got sanctioned, it meant it was illegal to pay them 115 00:07:09.180 --> 00:07:15.360 a ransom. So, Evil Corp had been mixed up with BitPaymer - kind 116 00:07:15.360 --> 00:07:19.590 of ransomware - and then later on WastedLocker, amongst other 117 00:07:19.590 --> 00:07:23.550 strains of ransomware. They reacted to these sanctions, and 118 00:07:23.550 --> 00:07:26.700 according to the police, the sanctions have done some real 119 00:07:26.700 --> 00:07:30.060 damage. It led one of the key members to have a falling out 120 00:07:30.360 --> 00:07:34.680 with the head of Evil Corp, and German police are seeking him 121 00:07:34.680 --> 00:07:38.490 currently. But that weakened the group, and then its inability to 122 00:07:38.490 --> 00:07:41.370 get ransom payments meant that they had to change things up and 123 00:07:41.370 --> 00:07:45.450 try to get paid some other way. So, they tried disguising the 124 00:07:45.450 --> 00:07:49.260 ransomware as somebody else's, which didn't work. That's the 125 00:07:49.260 --> 00:07:51.330 long and short of that one. And then they've been trying to 126 00:07:51.330 --> 00:07:54.240 develop some other ransomware. 
And then, I don't know if he was 127 00:07:54.240 --> 00:07:56.880 moonlighting or what he was doing, but the number two guy 128 00:07:56.910 --> 00:08:00.870 ends up as an affiliate, allegedly, of LockBit. So, 129 00:08:00.900 --> 00:08:03.960 they've all now been named and shamed. Law enforcement 130 00:08:03.960 --> 00:08:07.020 continues, as I said, to go through all of the details of 131 00:08:07.020 --> 00:08:11.190 things they had seized, including LockBit's malware in 132 00:08:11.190 --> 00:08:14.700 development. So, you can imagine that whatever they had in store 133 00:08:14.760 --> 00:08:19.380 next has already been circulated to security firms. A little FYI 134 00:08:19.380 --> 00:08:22.440 from law enforcement saying, "Maybe just block this or the 135 00:08:22.440 --> 00:08:25.800 bits that you can see now, in case that they try to use this 136 00:08:25.800 --> 00:08:30.360 later." So, the long and short here, Anna, is we've had an 137 00:08:30.360 --> 00:08:33.180 ongoing law enforcement disruption of a group of 138 00:08:33.180 --> 00:08:36.960 criminals, namely Evil Corp, that's continued, more of them 139 00:08:36.960 --> 00:08:39.900 have got sanctioned, more of them have got indicted. Along 140 00:08:39.900 --> 00:08:44.040 the way, we've seen these ties with LockBit. We can talk for a 141 00:08:44.040 --> 00:08:47.340 moment, if you want, about why this group seems to have been so 142 00:08:47.340 --> 00:08:51.540 successful for so long inside Russia. But, the good news is 143 00:08:51.570 --> 00:08:53.280 they're getting disrupted. They're getting named and 144 00:08:53.280 --> 00:08:57.780 shamed. Their tools are getting intercepted, and law enforcement 145 00:08:57.780 --> 00:09:00.120 can't shut them down because they're in Russia, but they're 146 00:09:00.120 --> 00:09:01.350 doing the next best thing. 147 00:09:02.160 --> 00:09:04.380 Tom Field: And the minute they go on vacation to the Caribbean? 
148 00:09:06.600 --> 00:09:09.420 Mathew Schwartz: Well, yeah, outside Russia. And the French 149 00:09:09.450 --> 00:09:14.700 police did effect the arrest of somebody, we don't know in which 150 00:09:14.700 --> 00:09:18.480 country, and they won't name the suspect under French law, but 151 00:09:18.480 --> 00:09:21.060 there's somebody currently facing extradition to France, 152 00:09:21.150 --> 00:09:25.500 who they say is a key member of LockBit; arrested in August, 153 00:09:25.500 --> 00:09:26.100 I'll just say. 154 00:09:27.560 --> 00:09:29.630 Anna Delaney: Very good. And Mat, just a quick question on 155 00:09:29.720 --> 00:09:34.760 affiliates. So, how important are affiliates to the success of 156 00:09:35.060 --> 00:09:39.710 ransomware service models? Do you think the increased law 157 00:09:39.710 --> 00:09:43.550 enforcement actions will sort of push these groups toward more 158 00:09:43.550 --> 00:09:44.750 decentralization? 159 00:09:45.590 --> 00:09:48.800 Mathew Schwartz: Well, it looks like LockBit was faking having 160 00:09:48.800 --> 00:09:52.520 affiliates. Police said they were faking having victims. It 161 00:09:52.520 --> 00:09:56.030 said they were relisting victims left, right and center. So, the 162 00:09:56.030 --> 00:09:58.850 affiliate question is an interesting one. It definitely 163 00:09:58.850 --> 00:10:03.740 helped fuel LockBit. But, there's also public intelligence 164 00:10:03.740 --> 00:10:07.700 now that instead of using affiliates, LockBit had 165 00:10:07.730 --> 00:10:11.030 outsourced a lot of its attacks to an entirely different group, 166 00:10:11.180 --> 00:10:14.780 which was using the LockBit name. So, the short answer is, 167 00:10:15.110 --> 00:10:19.670 it's complicated but none of this does LockBit any favors. I 168 00:10:19.670 --> 00:10:23.210 think if you've been infiltrated by law enforcement, many fewer 169 00:10:23.210 --> 00:10:27.050 people are going to want to work with you. 
So, all of that is a 170 00:10:27.050 --> 00:10:32.180 very good thing. The tie-ins with Evil Corp are very 171 00:10:32.180 --> 00:10:35.990 interesting. It's not clear if it was just one of the members 172 00:10:35.990 --> 00:10:40.340 moonlighting or if things might have been more closely aligned. 173 00:10:41.030 --> 00:10:43.340 Intelligence released by the National Crime Agency here in 174 00:10:43.340 --> 00:10:47.090 Britain says that there were close ties between Evil Corp and 175 00:10:47.120 --> 00:10:50.720 the FSB, Russia's security service, namely, the 176 00:10:50.720 --> 00:10:53.930 guy-in-charge's father-in-law was a senior official formerly, 177 00:10:54.320 --> 00:10:57.320 apparently on a squad formerly with the KGB that carried out 178 00:10:57.320 --> 00:11:00.830 assassinations, to which he's maybe somehow still connected. 179 00:11:00.980 --> 00:11:05.600 So, really deep state connections here that help 180 00:11:05.600 --> 00:11:08.690 explain also why some of these groups haven't been shut down 181 00:11:08.690 --> 00:11:11.450 for being maybe politically inexpedient. 182 00:11:12.140 --> 00:11:16.700 Anna Delaney: Great analysis, Mat, and great to hear this is a 183 00:11:16.790 --> 00:11:20.930 goal for law enforcement. Marianne, this week, you've 184 00:11:20.930 --> 00:11:23.780 covered the proposed U.S. healthcare cybersecurity bill 185 00:11:23.810 --> 00:11:27.530 aiming for stricter security and executive accountability. Can 186 00:11:27.530 --> 00:11:30.260 you just give us some background and the main highlights? 187 00:11:30.690 --> 00:11:36.120 Sure. As you said, last week, two Democrat U.S. senators 188 00:11:36.120 --> 00:11:39.390 introduced this latest congressional bill aiming to 189 00:11:39.390 --> 00:11:43.020 shore up cybersecurity in the healthcare sector. 
The Health 190 00:11:43.050 --> 00:11:47.190 Infrastructure Security and Accountability Act by Senate 191 00:11:47.190 --> 00:11:50.820 Finance Committee Chair Ron Wyden, who is a Democrat of 192 00:11:50.820 --> 00:11:55.920 Oregon, and Senator Mark Warner, a Democrat of Virginia, is the 193 00:11:55.920 --> 00:11:59.730 most sweeping of several other healthcare sector cyber bills 194 00:11:59.730 --> 00:12:03.450 that have been introduced in recent months. However, this 195 00:12:03.480 --> 00:12:07.590 bill from Wyden and Warner, unlike some of the others that 196 00:12:07.590 --> 00:12:12.360 are bipartisan, does not yet have any Republican co-sponsors. 197 00:12:12.390 --> 00:12:17.040 So, that might be an issue, but nonetheless, this Wyden-Warner 198 00:12:17.070 --> 00:12:20.670 bill appears to be the most comprehensive, and the bill 199 00:12:20.670 --> 00:12:25.020 contains some proposals that are already somewhat familiar to the 200 00:12:25.020 --> 00:12:27.690 healthcare sector, because the Department of Health and Human 201 00:12:27.690 --> 00:12:31.890 Services has been talking about some of these sorts of things 202 00:12:32.430 --> 00:12:36.570 that would be incorporated in some regulatory and rule-making 203 00:12:36.930 --> 00:12:41.400 proposals that are supposedly in the pipeline. Now, the bill, 204 00:12:41.460 --> 00:12:48.330 among other provisions, includes the mandatory requirement for 205 00:12:48.630 --> 00:12:53.070 healthcare sector entities to implement minimum and enhanced 206 00:12:53.100 --> 00:12:57.780 cybersecurity practices. And while the bill doesn't say what 207 00:12:57.780 --> 00:13:03.120 those practices are, it basically assigns HHS and also 208 00:13:03.120 --> 00:13:07.080 the Department of Homeland Security's CISA agency, to 209 00:13:07.110 --> 00:13:10.920 figure that out. Again, behind the scenes, HHS has been working 210 00:13:10.920 --> 00:13:15.840 on these sorts of proposals. 
Nonetheless, under the bill, the 211 00:13:15.840 --> 00:13:19.980 minimum standards would apply to all covered organizations and 212 00:13:19.980 --> 00:13:24.390 business associates, while the enhanced security requirements 213 00:13:24.390 --> 00:13:28.170 would pertain to covered entities and business associates 214 00:13:28.170 --> 00:13:33.300 that are of systemic importance or are critical to national 215 00:13:33.300 --> 00:13:38.850 security, as determined by HHS and CISA. Under the bill, 216 00:13:38.880 --> 00:13:41.970 covered entities and business associates would be subject to 217 00:13:42.000 --> 00:13:46.650 annual independent cybersecurity audits, and some would also face 218 00:13:46.680 --> 00:13:50.280 stress tests to determine if they are capable of restoring 219 00:13:50.280 --> 00:13:55.920 services quickly after a cyber incident. The bill also requires 220 00:13:55.950 --> 00:14:02.730 HHS to proactively audit data security practices of at least 221 00:14:02.760 --> 00:14:07.680 20 regulated entities each year, focusing on providers of 222 00:14:07.680 --> 00:14:11.490 systemic importance, again, those that might have some sort 223 00:14:11.490 --> 00:14:15.540 of national security relevance as well. But, some of the more 224 00:14:15.540 --> 00:14:18.870 controversial provisions, as you kind of, you know, alluded to 225 00:14:18.870 --> 00:14:23.760 Anna, includes requiring executives to annually certify 226 00:14:23.760 --> 00:14:27.420 compliance with the security requirements, similar to how 227 00:14:27.420 --> 00:14:31.950 executives are expected to sign off on financial statements as 228 00:14:31.950 --> 00:14:36.510 part of Sarbanes-Oxley. 
Covered entities and business associates 229 00:14:36.510 --> 00:14:39.330 that fail to comply with the auditing, reporting and 230 00:14:39.330 --> 00:14:43.140 documentation requirements would be subject to fines of up to 231 00:14:43.140 --> 00:14:47.880 $5,000 a day, but executives who are found guilty of 232 00:14:47.880 --> 00:14:51.390 knowingly submitting a report containing false information 233 00:14:51.420 --> 00:14:54.930 about their organization's compliance with the requirements 234 00:14:54.930 --> 00:15:00.600 would be subject to up to $1 million in a fine or criminal 235 00:15:00.600 --> 00:15:07.380 fine and imprisonment of up to 10 years in federal prison. The 236 00:15:07.380 --> 00:15:10.440 bill also provides, on the brighter side, I guess, for the 237 00:15:10.440 --> 00:15:15.000 healthcare sector, up to $1.3 billion in funding to help 238 00:15:15.000 --> 00:15:20.370 entities adopt these standards. But you know, as I said, HHS is 239 00:15:20.370 --> 00:15:23.670 already working on regulations that encompass at least some of 240 00:15:23.670 --> 00:15:27.810 what the senators are proposing and that includes possible 241 00:15:27.810 --> 00:15:30.930 cybersecurity mandates for hospitals and other healthcare 242 00:15:30.930 --> 00:15:34.740 providers. HHS is also working on an update to the HIPAA 243 00:15:34.740 --> 00:15:38.190 security rule that is also expected to include new 244 00:15:38.190 --> 00:15:41.640 cybersecurity requirements that might, you know, all be part of, 245 00:15:41.850 --> 00:15:46.440 you know, these proposals from HHS. 
Now, the healthcare sector 246 00:15:46.470 --> 00:15:49.230 has been getting a lot of attention from lawmakers and 247 00:15:49.230 --> 00:15:53.190 regulators for a while for cybersecurity, but that's 248 00:15:53.190 --> 00:15:56.850 definitely been ratcheting up this year in the wake of the 249 00:15:56.850 --> 00:16:00.510 Change Healthcare cyberattack in February that disrupted 250 00:16:01.020 --> 00:16:07.620 thousands of healthcare entities in the sector for months. And 251 00:16:07.620 --> 00:16:13.320 while the healthcare sector is, you know, trying to improve 252 00:16:13.320 --> 00:16:15.600 security, you know, either they're being pushed by 253 00:16:15.600 --> 00:16:18.570 regulators or, you know, threatened by lawmakers. And 254 00:16:18.570 --> 00:16:24.690 this is a bipartisan sort of effort overall. The, you know, 255 00:16:24.690 --> 00:16:28.830 the chances of this Wyden or, you know, Wyden-Warner bill, or 256 00:16:28.830 --> 00:16:32.070 any of the other bills really getting much traction 257 00:16:32.070 --> 00:16:34.770 this year is sort of kind of iffy, just because we're in an 258 00:16:34.770 --> 00:16:38.430 election year, but we'll see what happens. So, you know, 259 00:16:38.430 --> 00:16:41.730 it'll be interesting to see if, you know, these threats do much 260 00:16:41.760 --> 00:16:43.680 to kind of push the healthcare sector. 261 00:16:44.220 --> 00:16:47.640 For sure. And are there any early reactions from healthcare 262 00:16:47.790 --> 00:16:50.970 industry leaders or executives regarding the penalties for 263 00:16:50.970 --> 00:16:52.440 noncompliance in this bill? 264 00:16:52.000 --> 00:16:55.239 Yeah, you know, the reaction, you know, not surprisingly, is 266 00:16:55.293 --> 00:16:58.371 sort of a mixed bag. 
267 00:16:58.425 --> 00:17:01.664 You know, many are saying that these potential criminal and civil penalties are just another form 269 00:17:01.718 --> 00:17:04.688 of blaming the victim for attacks that are committed by 270 00:17:04.742 --> 00:17:07.981 cybercriminals. And then others think, well, you know, these 271 00:17:08.035 --> 00:17:11.437 potential penalties might help healthcare CISOs and their teams 272 00:17:11.491 --> 00:17:14.568 get needed attention from the board of directors. And you 273 00:17:14.622 --> 00:17:17.916 know, others that kind of hold the purse strings in terms of, 274 00:17:17.970 --> 00:17:20.885 you know, cybersecurity investments and resources and, 276 00:17:20.939 --> 00:17:24.287 you know, that sort of thing. So, you know, it's good and bad. 277 00:17:24.341 --> 00:17:27.472 You know, whether this goes anywhere, we'll see, but it's, 278 00:17:27.526 --> 00:17:30.820 you know, definitely something that's on the radar screens of 279 00:17:30.874 --> 00:17:34.330 lawmakers, regulators and, you know, healthcare sector entities. 265 00:16:52.000 --> 00:17:00.700 See how far it goes. Thank you, Marianne, so much. Tom, you 268 00:17:01.420 --> 00:17:18.220 moderated a day of panels, sessions at ISMG's Canada Summit 275 00:17:18.220 --> 00:17:45.430 last week in Toronto. So, what were the main themes or 280 00:17:45.430 --> 00:17:48.370 takeaways regarding the current state of cybersecurity? 281 00:17:48.000 --> 00:17:50.160 Tom Field: That was a terrific event. And you know, I've been 282 00:17:50.160 --> 00:17:54.300 calling it the Zero-Day Summit, not because zero day was the 283 00:17:54.300 --> 00:17:57.810 topic, but because this was built into our summit schedule, 284 00:17:58.170 --> 00:18:00.810 was really completely overlooked and, in my opinion, 285 00:18:00.810 --> 00:18:04.950 understaffed, and then it just exploded upon us. We had the 286 00:18:04.950 --> 00:18:08.370 best attendance and best engagement I've seen at any of 287 00:18:08.370 --> 00:18:11.220 our events all year. 
And it really was a privilege to be 288 00:18:11.220 --> 00:18:14.190 able to be there and be a part of this. To say, why was it so 289 00:18:14.190 --> 00:18:18.570 successful? I'd say in part, it was the topics. We were talking 290 00:18:18.570 --> 00:18:23.130 about privacy legislation - new and emerging in Canada, we were 291 00:18:23.130 --> 00:18:26.040 talking certainly about the impact and use cases of 292 00:18:26.040 --> 00:18:30.210 generative AI. We talked about software supply chain, about 293 00:18:30.210 --> 00:18:33.660 ransomware, about executive liability. I think Joe 294 00:18:33.660 --> 00:18:37.380 Sullivan's name might have come up in five of the seven sessions 295 00:18:37.380 --> 00:18:41.310 that we did. So, the topics were engaging, and part of it was the 296 00:18:41.310 --> 00:18:45.810 speakers. We had attorneys Imran Ahmed and Ruth Promislow, who 297 00:18:45.810 --> 00:18:48.420 have been a part of our events for many years now, and they 298 00:18:48.420 --> 00:18:51.180 brought their latest updates about current and emerging 299 00:18:51.180 --> 00:18:55.830 legislation. We had CISOs such as Deniz Hanley and Robert 300 00:18:55.830 --> 00:18:59.820 Knoblauch, who made it practical for us and talked about the 301 00:18:59.820 --> 00:19:03.720 real-world impacts of threats and of legislation and of 302 00:19:03.720 --> 00:19:09.540 emerging regulations, and we had even from law enforcement Carl 303 00:19:09.540 --> 00:19:13.890 Montreuil of the Royal Canadian Mounted Police. Now, I know that 304 00:19:14.100 --> 00:19:17.490 you've worked with law enforcement in London to do some 305 00:19:17.490 --> 00:19:20.160 of our solution room events. I've worked with the Secret 306 00:19:20.160 --> 00:19:24.060 Service and the FBI in the U.S. 
First opportunity to work with 307 00:19:24.060 --> 00:19:28.380 the Royal Canadian Mounted Police and see how engaged they are in 308 00:19:28.380 --> 00:19:31.710 cybercrimes, particularly ransomware and business email 309 00:19:31.710 --> 00:19:35.850 compromise and the rise of deepfakes and extortion schemes. 310 00:19:36.450 --> 00:19:39.120 So, the speakers were a big part of the success, and it certainly 311 00:19:39.120 --> 00:19:42.870 was the crowd. They showed up early. They stayed throughout 312 00:19:42.870 --> 00:19:47.730 the day. They had questions for every session, all the speakers. 313 00:19:47.880 --> 00:19:51.600 They lined up after the event or the discussions to be able to 314 00:19:51.600 --> 00:19:54.660 meet with the speakers. And they were coming up and asking me 315 00:19:54.960 --> 00:19:58.140 questions about either content that we had published, or in 316 00:19:58.140 --> 00:20:02.100 some cases, they asked me about some of you, my fellow 317 00:20:02.100 --> 00:20:04.200 colleagues, and the work that you've done in places that 318 00:20:04.200 --> 00:20:08.340 they've engaged with you. And so they knew us well and had lots 319 00:20:08.340 --> 00:20:12.630 to say about the type of work that we've done. For me, lasting 320 00:20:12.630 --> 00:20:17.550 impressions of the event were just the reality of ... Canada 321 00:20:18.060 --> 00:20:22.260 is feeling woefully behind the U.S. when it comes to critical 322 00:20:22.260 --> 00:20:26.610 infrastructure protection and cybersecurity legislation. And 323 00:20:26.610 --> 00:20:29.670 so, there's a good deal of catch-up there to make sure that 324 00:20:29.670 --> 00:20:33.480 they aren't a weak link in any kind of supply chain attacks or 325 00:20:33.480 --> 00:20:39.240 issues going forward. There was the reality that AI use cases 326 00:20:39.330 --> 00:20:42.660 continue to develop, and I heard some good ones. 
We had a good AI 327 00:20:42.660 --> 00:20:48.690 panel with a CISO from a community, as well as a CISO 328 00:20:48.690 --> 00:20:52.740 from a financial institution. And we heard some good use cases 329 00:20:52.740 --> 00:20:57.420 about how cities are using gen AI to analyze city traffic, 330 00:20:57.420 --> 00:21:00.480 street traffic, and allocating street lights and crosswalks 331 00:21:00.480 --> 00:21:04.710 according to where the traffic is, which is good. But, it strikes 332 00:21:04.710 --> 00:21:09.330 me that the good guys aren't putting gen AI to work as 333 00:21:09.330 --> 00:21:14.430 readily or as efficiently as the bad guys, and this continues to 334 00:21:14.430 --> 00:21:18.900 be a serious red flag. If organizations don't start to 335 00:21:19.140 --> 00:21:22.980 hasten their adoption and their experimentation, they're going 336 00:21:22.980 --> 00:21:26.220 to find themselves playing serious catch-up. And I think 337 00:21:26.220 --> 00:21:29.700 the other big takeaway is our solution room tabletop exercise, 338 00:21:29.700 --> 00:21:34.200 where we get everybody engaged in a crime about a deepfake 339 00:21:35.220 --> 00:21:39.300 robbery or exfiltration, continues to get people 340 00:21:39.330 --> 00:21:43.440 extremely engaged. They love being a part of this. They enjoy 341 00:21:43.440 --> 00:21:47.160 the networking. They enjoy diving into the case study, the 342 00:21:47.160 --> 00:21:49.920 relationships they forge while they're doing it. I think we 343 00:21:49.920 --> 00:21:53.610 need to find more ways to engage attendees as well as we do here. 344 00:21:53.820 --> 00:21:58.710 I think as we head into 2025, the message to me, and you may 345 00:21:58.710 --> 00:22:03.480 agree as well, we need to reinvent the in-person event. 
I 346 00:22:03.480 --> 00:22:06.870 think people aren't going to today take days off to come into 347 00:22:06.870 --> 00:22:11.610 the city for a PowerPoint presentation, for a buffet lunch 348 00:22:12.120 --> 00:22:15.870 or for panel discussions. We've got to reinvent the conference 349 00:22:15.870 --> 00:22:20.340 experience and use the solution room as a model. How can we get 350 00:22:20.340 --> 00:22:25.290 more hands-on and create more meaningful attendee engagement? 351 00:22:25.290 --> 00:22:28.560 If we can do that, then this won't be an anomaly. It won't 352 00:22:28.560 --> 00:22:31.320 just be a zero. They will have successful events like these in 353 00:22:31.320 --> 00:22:33.240 all geographies, and I look forward to that. 354 00:22:33.000 --> 00:22:35.430 Anna Delaney: You are absolutely right, and they have to be 355 00:22:35.430 --> 00:22:40.290 engaging. We ran the tabletop scenario recently in London at 356 00:22:40.290 --> 00:22:43.920 our summit last week, well, a couple of weeks ago now. There 357 00:22:43.920 --> 00:22:48.120 was a lot of focus, a lot more focus than in recent years on 358 00:22:48.120 --> 00:22:51.810 verifying authenticity, you know, in the era of deepfakes, 359 00:22:51.810 --> 00:22:54.330 and a lot of interest around that, and how can we improve 360 00:22:54.570 --> 00:22:58.950 verification processes to prevent costly mistakes. Also, 361 00:22:59.310 --> 00:23:03.240 another big theme is how to improve the speed of 362 00:23:03.240 --> 00:23:07.230 communication across teams internally. So, we would, I 363 00:23:07.230 --> 00:23:10.830 think the conversation has matured to ... from we need to 364 00:23:10.830 --> 00:23:13.800 talk with law enforcement to really how do we dive in and 365 00:23:13.800 --> 00:23:17.610 improve the processes across teams and internally and 366 00:23:17.610 --> 00:23:21.030 externally. So, I'm glad to hear it resonated with the audience 367 00:23:21.030 --> 00:23:24.390 in Toronto. 
But, did you pick up on any new insights in that 368 00:23:24.390 --> 00:23:25.560 particular solution room? 369 00:23:26.580 --> 00:23:30.240 Tom Field: No, it's much the same as usual. As people come up 370 00:23:30.240 --> 00:23:34.050 with their ideas about how they need to change their own 371 00:23:34.050 --> 00:23:37.290 internal processes and have more than one person signing off on 372 00:23:37.890 --> 00:23:41.220 an expenditure such as that, and what they've got to do to update 373 00:23:41.220 --> 00:23:43.440 their own incident response plans, and as you say, break 374 00:23:43.440 --> 00:23:46.980 down some of those communication silos. Consistent themes. But, 375 00:23:46.980 --> 00:23:52.350 what's fun is just seeing people go into those exercises, network 376 00:23:52.350 --> 00:23:55.230 with people, essentially make new friends, and that energy 377 00:23:55.230 --> 00:23:57.930 carries forward into the subsequent sessions we have, and 378 00:23:58.290 --> 00:24:02.700 we just have to find a way to recreate that experience and 379 00:24:02.700 --> 00:24:05.460 have that extend throughout the day. So, if we're going to call 380 00:24:05.460 --> 00:24:08.160 these summits, which are meetings of minds, we make them 381 00:24:08.160 --> 00:24:09.390 truly summits. 382 00:24:09.870 --> 00:24:12.840 Anna Delaney: Here's to 2025 bringing more of the same there. 383 00:24:13.500 --> 00:24:18.060 Thanks Tom, that's great. And finally, and just for fun, if 384 00:24:18.060 --> 00:24:21.840 you have to pick a character from any movie or TV show to be 385 00:24:21.840 --> 00:24:25.290 the CISO of your organization, who would you choose and how do 386 00:24:25.290 --> 00:24:27.270 you think they'll handle the job? 387 00:24:29.400 --> 00:24:34.140 I was going to say Colonel Sherman Potter from M*A*S*H, who 388 00:24:34.140 --> 00:24:38.130 was a very level headed, empathetic leader, but he was 389 00:24:38.130 --> 00:24:41.520 also a physician. 
So, I think he would have a good understanding 390 00:24:41.520 --> 00:24:45.000 of the challenges and the mission of security. 391 00:24:46.980 --> 00:24:50.640 Excellent. Tom, you're going to go with Dwight, really? 392 00:24:50.450 --> 00:24:54.770 Tom Field: I have a suggestion - Dwight K. Schrute from The 393 00:24:54.862 --> 00:24:59.917 Office, and the theme is going to be beets, botnets and 395 00:25:00.009 --> 00:25:01.940 Battlestar Galactica. 394 00:24:56.570 --> 00:25:05.720 At least, he'll be obsessive about it. 396 00:25:06.890 --> 00:25:08.540 No detail will be overlooked. 397 00:25:08.600 --> 00:25:13.730 Anna Delaney: Exactly. Fantastic, and Mat, beat that. 398 00:25:14.660 --> 00:25:18.980 Mathew Schwartz: I know, two great leadership icons there. 399 00:25:19.820 --> 00:25:23.300 I'm going to totally nerd out and pick Jean-Luc Picard from 400 00:25:23.300 --> 00:25:31.100 Star Trek. That collaborative type of engaged, adaptable, 401 00:25:31.130 --> 00:25:35.810 supportive and achievement-oriented leadership 402 00:25:35.810 --> 00:25:39.920 style, basically, when possible, figuring out what needs to be 403 00:25:39.920 --> 00:25:42.920 done and then saying, make it happen. I'm not going to do the 404 00:25:42.920 --> 00:25:46.040 line. You know, go make it happen. I have faith in you. 405 00:25:46.040 --> 00:25:49.760 Let's do this. And I think that collaborative sort of approach 406 00:25:49.790 --> 00:25:53.180 is really what's needed for CISOs today, given all the 407 00:25:53.180 --> 00:25:54.410 different functions they touch. 408 00:25:55.070 --> 00:25:56.930 Tom Field: Would it be "make it CISO"? 409 00:25:59.960 --> 00:26:00.560 Mathew Schwartz: Voila. 410 00:26:01.910 --> 00:26:05.090 Anna Delaney: All brilliant CISOs. Well, I'm going for Buzz 411 00:26:05.090 --> 00:26:08.900 Lightyear from Toy Story. You know, he's got this protect the 412 00:26:08.900 --> 00:26:13.940 Galaxy mindset.
It'd be all about securing the network and 413 00:26:13.940 --> 00:26:17.870 fighting off threats with Space Ranger-level dedication. 414 00:26:18.410 --> 00:26:19.520 Tom Field: To Evil Corp and beyond. 415 00:26:19.780 --> 00:26:22.390 Anna Delaney: Yes, indeed. Well, thanks for playing along, 416 00:26:22.390 --> 00:26:25.180 everybody. Thank you for your insights. Brilliant as always. 417 00:26:26.740 --> 00:26:27.280 And thanks so much. 418 00:26:27.280 --> 00:26:27.910 Mathew Schwartz: Thanks for having us. 419 00:26:28.480 --> 00:26:30.100 Anna Delaney: Thank you. Until next time.