Economist. Yassin and his bio he has a long career as a course on it in both Russia and Eastern Europe. I should point out one book then I'm familiar with published in 2008 called in a cold war that came out with a revision in 2013 and 2014, which if you take a look at, you will see many of the things are even more true now that were predicted back then. The subject is treated to. We will just have Mr. Lucas talk about this book. Then we will engage you in the audience and question you want to ask in the general discussion. We are good here until at least except not. With that, Mr. Lucas.

Thank you very much indeed for having me here and I presented the new quota for in 2008 and it was a pretty skeptical audience. That was the time when people still thought we were having temporary difficulties our relationship with Russia. I actually wish I had been proved wrong. No one would have been happier than me but the good relations with Russia, allies, and to stay nonthreatening not invaded. Of this to turn out to be as well because my message is quite a gloomy one. We have designed the internet, putting convenience, innovation, flexibility as an absolute priority and we've been doing that for 20, 30 years here but never really made security a priority. We have a huge amount of vulnerabilities in the system. Still using the hardware. We have baggage networks. We have vulnerabilities all over the place which can be exploited by any number as we have spies, hostile government, hostile military operations can lead over pieces of networks. Hooligans and activists, pranksters and although it makes sense to divide them into those categories when we are looking not to are looking at them as a threat of access, many of the tools they are using are really similar. I dated a possibility could be used by anyone.
People did say to me when I first started writing this why are you turning your attention from European security and many people think you're wrong and that what you don't have a record out. And as I started researching this problem I became more and more aware of what we've built at the end of the cold war that was based on an assumption of good will and trust that we all basically get on with and this was a security order with a lot of cooperation dialogue. And that's pretty much the way we sent the internet at with academic purposes. We never thought about questions of identity and anonymity and we never thought about e-commerce. It was actually against the rules to use the internet for commercial purposes back in the beginning. If anyone said back then this is going to become the central nervous system, we are going to use the word messaging, e-commerce, physical infrastructure, all of these things. A lot of these people that really day said are you sure that you really want but we haven't done it because the work. It's cheap, convenient, flexible. So now we are stuck. One of the first messages in my focus is going to get worse quite possibly to become habitually accustomed to really serious breaches. If I is that five, 10 years ago IBM will be hacked and 20 million files on government servants will be towed. People are first and I'll say what is IBM. 10, 15 years ago they would've said what is hacked. All the time it's quite a joke. My friend go to the news editor in may they been hacked. 12 million customer details gone. Maybe criminals and though we don't know. In most of this organization is the same old, same old, life at different from the story last week. We got used to the ideas. Tens of billions of dollars a year are flowing into our pockets into the criminal economy. I'm very skeptical about was made by companies because they've got an interest and also who really knows. People are talking about 500 billion a year. That's not just a loss to us.
A large chunk of that is going into the pocket of some of the worst people on the planet and people who do at times in other ways. What are we going to do about it? We can do about it and Q&A. We have to start speaking English or German or Chinese or Russian that normal people actually speak. The least important feature of this book and that may be what makes a what makes it different from any other book is I've not used any computer job. It appears only twice in the book. What I say this is the word may be used to come is rather than effeminate. I'm a talk about public health, we don't talk about epidemiology, biology. We don't talk about details of the DNA. We are very similar consequences. We have very simple messages which get across complicated ideas and change behavior. We have very simple messages. You don't need to know the difference between a gasket to be a safe driver of a safe car. And we are not arrogant on the internet. Fundamentally the solutions to the problems we have are not primarily technical. We've proven what we need to do when I get into that in the Q&A and the virtualization, and better network design. These characters thread is pretty much there. The topic is changing human behavior. They get into the criminal economy and disrupt it with the cost of doing business and the people who they don't feel are hurting and don't feel scared actually should be scared. Then they change their behaviors of other individuals, companies and the governments or anything else. So I look forward to particularly to your questions. If you read the book and think it's rubbish, please tell me that. If you haven't read the book and you still think it's rubbish. Ask a question or two.

We are going to kick off some question. If I could just sort of have you pursue some of the simple measures that take place. Although the gloomy prognosis, are we in a period now where we talk about the wild west western United States in the other wild west.
Another was sorting these things out and it will take several years as these things become uncovered, based on where we were maybe five, 10 years ago and governments or personnel were we really are way ahead. The cruel economy is getting more and more sophisticated. When I first read about this book, the south or the dark weapon there is some kind after sales service. There were three tiers of customer support. That's kind of how to make this work. Can you help me tweet it in this particular way and a fair cheer for under the hood, can you help? So the thread, the surface, and the number of things vulnerable to particularly the internet of things which are a tad love. The criminal economy is far more sophisticated and she is your wild west analogy, we don't have a pot. We don't really have visualization. This sounds for Georgia, but we don't whats going to happen. It's just a counter reference. We've got to start at a very basic level of making people feel this is different from any real-world analogy. A badly run computer may be doing something very bad to somebody else. The bullet which is something people find very hard to visualize a million state computers whose owners have no idea they may be kicked on that link is just taking a little bit of memory and is made that computer into something that can then do a huge attack another website to be used to spread more bow wave. There's lots of things you can do in the environment. This may be cost me 5 cents a year in electricity. Does impede the function of my computer. Why should I worry? If you have multidrug persistence or a type of or something like that, you can be a carrier of the disease that is hurting you. Even in the most freedom loving states in America, if you have a communicable to these, they will lock you up in your house. They will say you get treatment. You don't go out until you are cured.

Is there any country that is more ahead than say the United States for instance?
When Estonia had the massive had several years ago, have they taken any measures that appear to be forwarding the kind of measures? You have permission to praise your country. Obviously a huge part of this mothers three things really important here. One is a very crude kind of cyberattack from high-end stuff you see in the Hollywood screenplay. It impeded things, but they did not succeed in bringing the economy to a halt. It didn't do the things they thought they were going to do. Since then that the whole investment in terms of defending themselves. Obviously that. Like a small usaid. I think the most important thing predates this attack. That is the fundamental business of identity and that is that this thing in the local differences. This isn't a national I.D. card. Your identity is in this chain. You didn't share that. Your data with all of the people who need to identify yourself to. It sends a signal saying yes, this is indeed Edward Lucas. Say I need to sign the document. And that is the nuclear binding signature. In this country or ask for an additional signature. What people do us a printout the document. They sign up at the signature and make a PDF of that pure in this country, identity and access are conflated. If you want a microphone system and you want that in Britain, you hand over your address, date of birth and a copy of your driver's license. That is enough information to open a bank account. This is absolutely crazy. We are handing out our personal data. You would never get an update of earth. You'll never get another fingerprint. If you have that staff, we use this personal data all the time and away that is much better than the debate identity. I have not seen the system will be the one that wins because this agrees with the blue delegation that says this is great. We had to do this. The funny thing about government, people are unwilling to trust their own government. Maybe for good reasons.
This is just a certain provide a government with an opt-in system. People have issued 10,000 of these. The Estonian embassy just down the way for 14 or some small amount. This is one of our fundamental problems on the internet, which is proving who we are improving who we are doing business with. Civilization is based on the trust that people don't know each other well. We have all sorts as other cues which means we can do business with each other face-to-face and these things that are developed. I can prove that it really mean. The two of us can't get together. This is one of the biggest we've got in the sort of systems can solve that.

You mentioned at least three different aspects of the cyberphobia p1 as criminals training the times. The second is perhaps intelligence of getting OPM data for whoever is on the purpose. Probably not for financial gain unless they sell it to someone. Third, let me use this as an example of an offense of use of this. I really cannot different actors, for an sense, states in some cases versus criminal individuals? In other words, are these very separate enterprises we can separate? Should they be seen as one?

The easiest way to look at this and say there are some things that only governments can do. High-end national intelligence services have gotten amazing capabilities. The committee for durkin said that that is something only government can do. Getting firmware into a keyboard that has a key lock on it with evidence typed in a keyboard and then getting that back to some control server in a secure way. Packs of mobile devices, plotting stuff on the computer olinda device. These are pretty sophisticated capabilities and you can buy some bits of them on the internet. You can buy very simple not where the text message. There's quite a lot of stuff that every government can do. By an extensive vulnerabilities, software or hardware. 50,000, maybe 100,000 jobs. The good ones are expensive.
You put those capabilities together and get something which only really government could do. The American government is no longer really a secret before we get to that, too. But that I think is the least of our worries. There is a great film but they are not documentaries. No one in this room is Jason Bourne. We are attacked all the time and a much simpler way. Bb beside the heinz staff that so many vulnerabilities if I want to get onto the network, steal stuff from i. E. Due invoices, I want to steal some data on them may give in and change my grade. All sorts of reasons to get onto the network. They will go to LinkedIn, find out who they were, send a gmail address and send a message, which you'd like to take a look? It is very basic. Links and attachments can be used by anyone and I think the OPM should start with a targeted spear phishing attack and of course you're all not work with sophisticated tools to try and get a network. You may be able to go to what is happening. It's a very big lot of simple vulnerabilities.

Let's go to the audience. We have a microphone if you just raise your hand until the microphone get to you. If you just introduce yourself before you asked the question.

Thank you very much, Mr. Lucas for doing this. My name is Marcus Pedro. I work here in Washington. What I am concerned about is more than the technical aspect of all of those things is the fact that the American government applied someone who didn't even have a college degree. The most sensitive government systems and he could manage to get all of those things out and get away with it until now at least. So how do you think government of society can protect themselves from those kinds of breaches?

The regular thing that people actually feel something. You didn't actually mention. It could have been some other. I think government likes to beat up in this tree and security. We don't share in remission better between different companies at the same industry.
We need to do a much better job of protecting the data that is entrusted to us. Whether it's the data by employees or suppliers, customers or anybody else. I think it should be a serious penalty for people of the criminal liability and that is all fine. But if you want to see a really badly designed now part, you'll find it in the public third date in the air. It's absolutely terrifying how bad they protect did their badly administered by default. This keeps happening again and again and again. One can make several points. This is a very good reason we should not support any government mandated attempts with encryption. If this is going to be government mandated commercially provided encryption, that will be a fantastic and I have zero confidence in this as it's ever been in the country has to get a front door key to the government to make sure there is no front door key. All this front door key is neatly labeled, you don't have to be [inaudible] I think we should be very modest and just keep it a secret number should be much tougher and again coming back one of the beauties of the system is not only is it encrypted, but there's no single point of vulnerability. They have databases which are connected by something called the expert which works on a very simple, robust responses. So what would be really hard. I'm not saying it's impossible. Something like the OPMs have been really difficult. Lots and lots of people to do it very quickly. Some different point. The final points I make is fighting to keep all this stuff in the electronic databases anyway? This one just slipped my mind where they have to go into the registry and steal a file. David stays he would probably hack in. Then you have to physically get into the registry. You have to distract a person there to stop you copying files you have to get access physically locked in a mod out. In order to steal the documents, you have to attack the building with a major military force. OPM is like that.
20, 30 years ago the Chinese would've needed trucks. One of the big lesson you think really can't you got convenience, absolutely. Is that really worth the vulnerability? One of the best stories I've come across is the intelligence agencies timeline. There is a saying from the security guard. You can't hack a steam engine. There is nothing to hack. Steam engines that actually survive. So we have to be quite crept about moving away from things that can't be hacked towards things that seem convenient.

Thank you. Before I used to work for the Korean government agency doing cybersecurity policy. I think the recent international political environment has kind of come to the state that international norms go to these very important cyberspace. Hearing from your old in other East Asian cases, it is not only to not only the states have different perceptions on cyberspace, but also the people of each state has different values and different cultural norms that they expect to cyberspace. I want to hear what you think about is it even necessary to build international norms? Is it even possible or is it more part to call and does it make more sense when you have more after domestically on the national boundaries?

Which is a great question and I think we are developing. We leave to develop norms in the way of social media. I was looking at some emails that we were sending and receiving about 10, 15 years ago. A lot of people use capital letters to show they were angry. That has become socially unacceptable. They started this way to interact. People tend to send very short emails. It's kind of rude to send her a long emails and expect people to read it. Any humor in our actions start developing. If you look at shipping, which was the first really global industry, we slowly develop norms about emergencies and the duty in distress. He do it for them. They do it for you. We have a development with messaging. We have flags put up.
Would have been nice and America's engagement going after part endangering American shipping. So it builds up on a kind of case-by-case basis. The fundamental problem is the internet as a means for doing other things. There's other things that vary widely. You could quite easily get the acts of the world getting together saying we will have very tough rules about preventing people. The classic cybercrime is to get into some internet again and do something and steal their money. The money doesn't appear in your pocket. He transferred to another bank and another bank. At each point you to transfer, there is a point of vulnerability. And if you want to hijack one account and another count. I want put a physical person so I could quite easily imagine a lot of things getting together and saying we are going to set up lots of transfers that make it much easier to trace stolen monies. And if you don't play by our rules, we may stop transferring money to you and love Russia, China can everywhere else in the world saying we want to be anonymous. I can see that happening. What is much harder is things like the use of information. Because if you look at the big push in Russia and China to bring the inter