Threat Intelligence

    Get Cyber Resilient Ep 100 | True cybercrimes and the evolution of the Lazarus Hacking Group with Geoff White



    Geoff White, speaker, investigative journalist, author of The Lazarus Heist and co-creator of the Lazarus Heist podcast, joins the show this week to take us on his journey of going behind the news articles and unpacking some of the biggest cyber events of the past few decades. 

    Geoff talks to the origins and evolution of the Lazarus Hacking Group and the impacts of their biggest cyber heists, how cyberattacks still sit in a grey area of warfare, the future of cybercrime including its impact on the Metaverse, how AI and facial recognition are solving crimes, and gives us a look at the flip side of some of the world’s biggest cyber heists. 

    Listen to Season 1 of the Lazarus Heist Podcast here

    Head to https://geoffwhite.tech/ to pre-order The Lazarus Heist book.


    The Get Cyber Resilient Show Episode #100 Transcript

    Garrett O'Hara: Welcome to the Get Cyber Resilient podcast, I'm Gar O'Hara. I am very excited that for our 100th episode, we are joined by Geoff White. Geoff is an author, speaker, investigative journalist, and podcast creator. He co-created and co-presented the Lazarus Heist podcast, which was #1 in UK podcasts and #7 in the US, and is up for a Peabody Award. He's an author of two books, Crime.com, and the soon to be released book of The Lazarus Heist, which I have on pre-order. He put out the Dark Web podcast, and co-created the show The Secret Life of Your Mobile Phone, which was a sellout at the Edinburgh Festival. Over to the conversation.

    Welcome to the Get Cyber Resilient podcast, I'm Gar O'Hara, and today we're joined by Geoff White, the author, speaker, investigative journalist, and podcast creator most famously known as the co-creator and co-presenter of the Lazarus Heist which is #1 in the UK podcasts, #7 in the US, and up for a Peabody Award as well, I believe. Welcome to the show, Geoff.

    Geoff White: Hi, thanks for having me.

    Garrett O'Hara: Absolute pleasure to have you along today. I was saying just before we started recording that I, I know your voice all too well, I, I listened to the Lazarus Heist on a, a motorbike trip down the east coast of Australia last year on the way back from a local cybersecurity conference, so thank you for the entertainment, and, and excellent podcast.

    Geoff White: Glad you could hear me above the engine noise, that's good.

    Garrett O'Hara: Oh, I've got these amazing noise-canceling headphones Bose QC25s, a little plug for them if anyone's out there. Amazing for g- getting rid of the, the the engine noise and you can hear the voices perfectly, so ...

    Geoff White: [laughs]

    Garrett O'Hara: Little motorbike tip there. Geoff, bef- before we kinda get into the Lazarus Heist, the Lazarus Heist and, and some of the kind of work you're doing at the moment, and, and obviously the book launch, which is imminent, be great to just get a, a sense of how you've landed in the work you're doing today. Obviously you're an investigative journalist and have been in the sorta tech and cyber crime space for, for quite some time. Be amazing to just, yeah, wh- what kinda drew you to tech and to cyber?

    Geoff White: Well, I d- I've worked for a tech company, an internet advertising agency, during the dotcom boom, and then obviously the dotcom crash. And so I knew a little bit about tech, and I think in newsrooms, there was, I don't know if it's still the case now, but there was a sense that technology was a, a very difficult subject, and you need to be a huge expert in it. So anybody in the newsroom who's, who had sort of tech experience and could understand this stuff sort of automatically got put on that beat.

    [laughs] so I ended up wor- covering tech stories, and then really just got kinda lucky. I mean, at the time I started, you know, the Anonymous movement started happening, then we had Edward Snowden, then we obviously had the hacking around the 2016 presidential election in the US, and we've just really not, not looked back since.

    So I started covering this stuff. Th- the way I became an investigative journalist was probably I'm obsessive. I, I never know when to stop looking into things, and, as a newsperson you're meant to just keep, keep working on the next story, you know. If it's Tuesday, it must be the Olympics, and if it's Wednesday it's you know, the Pope's visit to the UK, whatever it is. I, I, I could never leave the story behind. So whenever I did a story, I always wanted to know more about it and dig deeper into it, 'cause I never felt that we properly finished that story.

    And so that led me to investigation. And I think with cyber crime it's interesting, since one of the big problems with c- with cyber crime and cybersecurity as a news story is, a- as well as you'll know, when the thing happens, the hack happens, there's a big bang, you know, "This company's been hacked, this data's been leaked," et cetera, big news for a day, and then it disappears. And it's only really over the course of the subsequent weeks, months, sometimes even years, that you actually get the full story, and you actually understand what's happened, you know, who did it, and why. And so that needs investigation, and so inevitably with cyber crime stories, having covered the big bang of the initial hack, I was then really interested in doing the subsequent investigative work to work out wh- what had actually gone on. And I sort of felt that was as, kind of a service to the, to the listeners and readers and viewers.

    Garrett O'Hara: Yeah. And, and it really is an astonishing story. Like my wife, who's not in this industry at all, she works in sustainability, but is listening to it right now, and yeah, her, she used the word gripping [laughs] to describe the, you know, the story. But i- it, you pointed something that's really interesting in our industry, which is we, we absolutely are, we're just focused on, you know, technical outcomes, how do you fix the problem for now? And then we move on, and, you know, there's no real thought to what are the, the sorta social motivations, you know, the political motivations for, for crime.

    Look, I- I'm guessing the vast majority of people listening will know the Lazarus Heist, but for the maybe three people listening who don't already, you know, know what the, the podcast is about, can you k- kind of just very high level take us through what, what the pod is?

    Geoff White: Yeah, yeah. So basically the Lazarus Heist, the podcast, and, and the book, which is coming out fairly soon, might already be out at the time people are listening to this, is about how North Korea, of all places, became a computer hacking superpower. I mean, if you ask, you know, the UK intelligence community to, to rank the nation-state threats against the UK, they'll generally put Russia, China, number one or two, and then in places three or four, interchangeably, it'll be Iran and North Korea. And obviously that is a quite surprising result, I mean, North Korea y- you know, is a country where the vast, vast majority of the 25 million inhabitants have n- have no access to the internet and will probably never get it. And yet, this country is able to exert, you know, power on the cyber world stage, y- you know, that puts it in the sort of top tier.

    H- how did that come about? You know, what have they done with that power, and where will they go next? And that's really the subject, as I say, of, of the podcast which I co-hosted, and the book which I wrote, which is coming out.

    Garrett O'Hara: Yeah, the, the book is pre-ordered for me on Amazon, as I'm guessing it is for many, many people. I'd, I'd be very keen, and obviously you can't probably give too much away, but, you know, a podcast has a format where I'm guessing you have to edit a lot of the sorta, the stories that are probably super interesting, but there's only so much time that's [laughs] available. Wha- what can we expect from the book?

    Geoff White: So the book goes far beyond series one of the podcast. So-

    Garrett O'Hara: [inaudible 00:05:58]-

    Geoff White: ... there will, there will be a second series of the Lazarus Heist podcast coming out later this year. Series one of the podcast stops the narrative in, in 2017, with the WannaCry cyber attack, which is obviously a huge, massively impactful ransomware attack, globally significant and attributed to North Korea's Lazarus hacking group. But there's been five subsequent years of hacking activity and it, frankly, the story just gets more and more bonkers.

    D- d- North Korea ends up w- working with organized crime gangs, not just organized cyber crime, but organized street gangs, basically b- a- around the world. Because, you know, computer hacking is just the start of it. You know, once you've got access to somebody's bank account, particularly if you're pulling out, y- you know, money in cash or, or you're using the traditional banking system, you have to have collaborators who are gonna help you launder that money. And those collaborators come from the world of organized crime.

    And so at one stage, y- y- the allegation is North Korea's hackers end up working with an Instagram influencer who's living in Dubai and has 2.3 million Instagram followers, and is posing in his Gucci pajamas one day and, and committing cyber crime the next. It's absolutely astonishing. And then we have, just when I thought things couldn't get any more remarkable, we have the most recent hack to be attributed to the North Korean hackers, which is the Axie Infinity Ronin Bridge attack, which is $625 million.

    I think, and I'm still waiting to be corrected on this, that's the biggest single hack in terms of the amount of money taken from one single victim in one single hack, half a billion dollars. A- and, and so it just keeps going on. So basically the book covers a whole bunch of that, and usefully, [inaudible 00:07:38] podcasts coming out wi- will cover the bits that I haven't managed to squeeze into the book.

    Garrett O'Hara: Phenomenal. Yeah, very much looking forward to that. The, the numbers are staggering, aren't they? They really are. A big part of the first series is the, the Bank of Bangladesh, obviously, and, and the, you know, attempt to [inaudible 00:07:53] a billion from that. They're just a- astonishing amounts of money. One of the things that I find fascinating as somebody who's in the industry is, a- you know, and coming back to what I said earlier, we, we think about technical controls, and, you know, having a set of, you know, good security and, and organizations. But I don't really think we think that much about what happens [laughs] you know, after the money has left bank accounts, or, you know, post-breach, and I think that's the part that's been absolutely fascinating.

    So y- you've mentioned this already, you know, North Korea was, was incredibly far behind when it came to, to tech in general, obviously, and, and sort of the internet and, and computers. And, and, and, like, as an aside, thank you for having the CNC [inaudible 00:08:33] lodged forever in my brain, that's a really, really [inaudible 00:08:35]-

    Geoff White: Blame, blame my co-host Jean Lee for that, she was responsible.

    Garrett O'Hara: Oh.

    Geoff White: I didn't know that song existed until she-

    Garrett O'Hara: [laughs]

    Geoff White: ... brought it into all of our lives. Thanks Jean.

    Garrett O'Hara: Yeah, ver- very much appreciated. [laughs] but [laughs] you're k- I suppose being s- being serious wh- like what was their trajectory? I mean, they, they obviously went from standing still to, to what you've described as, you know, top four, you know, i- in, you know, sorta either third or fourth place. Wh- how did that happen?

    Geoff White: Well, it, there's a whole bunch of dynamics behind it, and the CNC story is a really interesting one. F- f- for the listeners who don't know about this, it's the, CNC stands for computerized numerical control, and what it basically means is, you put computers into factories and so those factories can then suddenly make very, very high-precision parts.

    Now, the reason that's significant in the North Korean context is that North Korea has been pushing into nuclear technology. North Korea's argument is, "Well, we need nuclear power because, you know, that's self-reliance for us." The argument is they are using this for nuclear weapons tests, and there have been nuclear weapons tests in North Korea.

    To make all that nuclear technology stuff, you need very, very high precision parts. And so to get computers into the factories to make that became a- an objective for North Korea. So there's all of that type of stuff. There's also the fact that Kim Jong-Un y- you know, painted himself as a sort of millennial leader, you know, he's young, a lot younger than, than his father and his grandfather when they came to power in North Korea, and the idea was that North Korea would be a sort of forward-looking, you know, modern, technologically advanced society.

    And, you know, if you look at the USSR, you know, the USSR placed great emphasis on technical knowledge and engineering knowledge. So North Korea's sort of following in that idea of, you know, communism being able to remake ... Not that North Korea's a communist country, strictly speaking, but being able to remake society through technology.

    So you've got all of that stuff going on in the background, then you basically get North Korea looking at how it can exert power on the world stage, and how it can hit its enemies, either to get money or to embarrass them, you know, as they did with Sony Pictures Entertainment. You know, how do you go about doing that for the, for the least money available? What's the biggest bang for your buck? And compared to buying nukes, you know, recruiting and training hackers and unleashing them on the world stage is a cheap option. You know, it's not just North Korea who's realized that, loads of countries around the world have realized you can create mayhem on the world stage, deny it was ever you, and not have to pay much money, 'cause you're doing it all through, through computer hackers.

    So all of these sort of factors led to North Korea's escalation. And, you know, we see them in the course of th- the time really I've covered cybersecurity, from the 2010s, you know, the sort of defacement attacks they were doing, the DDoS attacks they were doing, fairly low-level stuff. And then suddenly you start to get this destructive malware, ransomware, huge theft, cryptocurrency thefts, and then culminating as I say in this recent hack, th- you know, the largest amount ever stolen. You can just see the trajectory, you can see the growth with it, it's quite frightening in hindsight.

    Garrett O'Hara: Yeah, we, you've sort of, interestingly started to tack on, onto like what I was gonna ask next, which is around like the asymmetry of cyber warfare, and again it's clearly attractive and I'd be very keen to get your thoughts on how that plays out in, in the sorta coming decades, and, and maybe more so through the lens of emerging economies and maybe emerging global powers, people we haven't really thought about maybe too much yet, but wh- how do you see, crystal balling here for a moment, like wh- what do you see happening?

    Geoff White: Yeah, I, I, I hate doing that, because the problem with that is, you know, if, if you're right, nobody remembers that it was you, [inaudible 00:11:57].

    Garrett O'Hara: [laughs]

    Geoff White: If you're wrong, you know, people, people, you know ... It's like the in- the, the journalist who said, "Oh, I don't think the internet will ever take off," you know. You have this a bit with the metaverse at the moment, I'm, I'm quite skeptical about the metaverse, and I do worry that in five years' time when we're all living in the metaverse, I'll be, my headline will be the one that appears on LinkedIn or whatever the metaverse version of LinkedIn is, you know, me, Geoff White, saying the metaverse will never take off. But anyway, it, it, no, it is, it is definitely the direction of travel.

    Y- y- we've got this really interesting picture at the moment whereby smaller countries are trying to work out how they can have an impact on the world stage, they're trying to work out how they can get out from under the authority, you know, of, of western countries. You see this with cryptocurrencies, an interesting one. Y- you know, smaller countries, you know, some of the South American countries, for example, and Iran, and actually North Korea, have looked to cryptocurrency to sort of get out from under th- you know, the, the, the global financial system that's been created and digitalized and still dominated by, by the US.

    And so you [inaudible 00:12:54] cyber through that particular prism as well, you know, how can we ... We can't out-spend places like the US and the EU and UK et cetera on, on, on traditional weapons, but we can outsmart them by recruiting and training hackers and unleashing those people.

    And the other thing is, you know, there are laws and rules and regulations around how war is conducted. You see this in th- the war in Ukraine at the moment, there are already war crimes investigations going on, because, you know, blowing up chemical factories and, you know, torturing and killing ins- innocent civilians is, is, is against the rules, you know, you get caught for that. With cyber, the rules are still very flexible, still very gray. So again, if you're a smaller country looking to intimidate, dominate, y- you know, take action against your, your, your enemies, you've got so much more space in cyber t- to do that, a- and you're so much less likely to get caught, and even if you do get caught, the ru- the rules around how you'll be prosecuted for that are still really, really gray and, and wooly.

    Garrett O'Hara: Yeah, most definitely. And [inaudible 00:13:50] in, in the last [inaudible 00:13:52] in the podcast, you, you covered the, the North Korean training grounds, the hackers, and one of the, the chaps there talks about how, like, at a personal level he felt quite scared about it, you know, that the, the potential for something to unleash damage that I think he even equated to kinda nuclear weaponry, you know, and th- you know, this made him think about defecting from the [inaudible 00:14:13], et cetera. So like people were thinking in that way, like, clearly the, the im- the potential impact for, for severe damage.

    But we haven't really seen ... Well, we've seen some serious stuff, but I wonder, like, what your take is on the potential impact that we maybe haven't seen so far, and what I'm thinking here is, you know, governments maybe holding off on, you know, pulling off [inaudible 00:14:32] really bad, bringi- bringing down critical national infrastructure, you know, something really severe with huge loss of life, it's kinda held back a little bit. And we've even seen that in, in Ukraine. Do you think this is a, it's almost like the nuclear arms race where people hold back because they're afraid of, "Well, if we do it, then reprisals."

    Geoff White: It's really interesting, that question. I've been thinking about this a lot. I've, a- again, in the context of the war in Ukraine if you look at the WannaCry attack, 2017, you look at the NotPetya attack followed on fairly soon after, both destructive ransomware attacks where there, there was no ransom-

    Garrett O'Hara: Yeah.

    Geoff White: ... payment possible, really, I mean, i- i- they were just destructive. And, and globally spreading attacks. Also, I mean, if you look at Stuxnet as well a fair few years before that. Those attacks, it's interesting. They get, they get spotted fairly quickly certainly in the case of WannaCry, they get shut down fairly quickly, and sooner or later y- your fingerprints are on them. And, and the investigators catch up with you. So in Stuxnet, it's believed to be obviously the US and Israel behind that. Y- y- you know, much as Iran is an aggressor in the world, and I'm no friend of Iran, the idea that you drop indiscriminate malware that could spread outside th- the target to take that one target down, it's sort of the modern equivalent of carpet bombing, isn't it?

    So it's, it's not that we have rules that stop the countries doing that, it's just that I feel the countries, that [inaudible 00:15:53] those widespread, indiscriminate carpet bombing type attacks have realized it's a bum idea, because you get spotted and, and y- and it gives your opponents the ability to, to hit back and say, "Well, you know, they did this carpet bombing thing, we're going to do the same to them." So I feel i- th- th- the mechanics of it being worked out on the ground, there's a bit of realpolitik going on.

    I mean, the Ukraine example's a really interesting one. You know, there is this narrative of, well, we haven't seen the cyber war, you know, in Ukraine. Well, you know, where was the cyber war in Ukraine? Well, for a start, [laughs] it's been going on since 2014, annexation of Crimea and before. So it's an ongoing milit- you know, cyber conflict between Russia and Ukraine, on both sides, you know, both hitting each other.

    Also people tend to concentrate in cyber war on the aspect of offensive activity. You know, "We haven't seen the attack." Well, we might not see the, the big, big attack, but we've seen a hell of a lot of defense. [laughs] You know, countries around the world are, are helping Ukraine defend itself and so there's a huge amount of work go- going into that. So w- yeah, the dynamics of it are really interesting and it's still being worked out. But I, I don't, I think we may have seen the high tide mark of those i- th- those sort of globally spreading, indiscriminate attacks where the aggressor just does not care how many people get infected and whether they get caught. I think y- y- y- we may have seen the back of those attacks. I hope, I hope, but never say never.

    Garrett O'Hara: Yeah, absolutely. I mean, and t- to your point, the, the fact that you can't necessarily control the, the target, and we saw that with [inaudible 00:17:22] as well, right? 25% of the impacted organizations were international, they weren't sitting in Ukraine. But it was a dox, [inaudible 00:17:30] I think was the supplier, you know, and the downstream effects. So of, yeah, sort of global shipping companies where you see the [laughs] photos of trucks backed up at ports and, you know, offices closed, it's quite astonishing. Y- you've sorta-

    Geoff White: I would, I would, sorry, I would just add to that.

    Garrett O'Hara: Yeah.

    Geoff White: You know, one of the terrifying things is realizing who [inaudible 00:17:52] and obviously the post-COVID stuff we've got at the moment, and the war in [inaudible 00:17:56] to disruption, and I'm sure computers are looking at that and thinking, "Okay, if we hit certain ports, if we hit certain airports, if we hit certain trucking companies, you know, th- we can have a huge impact, we can b- [laughs] bring things to a halt."

    Garrett O'Hara: Yeah, it's, it's frightening the, the impact that that stuff could have. Y- y- you sort of mentioned this as you were, you were talking just then about th- I suppose the attribution and how difficult that can be in cyber tech in the, in the world. But it also does feel to me, and I'm very keen to get your take on this, that we're seeing more aggressive stances by global governments. We've seen that in Australia where our PM, and, and literally he called a press conference and talked about a country north of us, you know, committing sustained attacks on us, and we saw in, in the Lazarus Heist, you know, Obama calling out North Korea very directly for the Sony hack. But have you seen a shift in terms of that public attribution by nation-states on each other? And very keen to get your thoughts on that.

    Geoff White: Yeah, absolutely. When I first started doing cybersecurity, it was one of the, the great frustrations that nobody was, nobody's, nobody was attributing anything. Governments didn't really speak about it and when you talked to, you know, private security, you know, tech security companies their interest, as you say, was the technicality of it.

    And it was a bit like, you know, if there's a massive burglary, your house gets robbed, and somebody comes 'round and is obsessing over which Yale lock got used on the door and how they managed to break it in, you're like, "Well, I don't care. Who's got my telly?" You know [laughs] that's, that was the thing. Y- so y- y- the attribution piece, for the tech security companies, just wasn't their remit, they didn't feel it was their beat. But for me as a journalist, you know, who's done this and why is the question. You know, the technicalities of how it's done, whilst we can get those [inaudible 00:19:38] and whilst I do find those fascinating, for the general audience, without a sort of f- attribution at the back of it, without some motivation at the back of it, the technicalities of the attack just don't make sense.

    You know, we talked about the technicalities of the attack on Bangladesh Bank in the podcast, and I go into it in the book, but it's only really because it's North Korea doing it [inaudible 00:19:56] done it that you really care about it, you know, you know the motivation. So the attribution piece was really important from a journalistic point of view.

    We then started getting, and I think that 2014 Sony Pictures Entertainment attribution by Barack Obama was really key. I, I must admit at the time, it surprised a lot of us, and I was a s- as skeptical as anybody else at the time. What's interesting about the US particularly is they're backing up these attributions with huge and very, very thorough legal documents, criminal complaints, indictments, and so on, that go into chapter and verse about how they think the attacks were done, how they claim the attacks were done.

    So it's the attribution, but it's also the backup as a sort of, you know, evidential material that they say supports that attribution that's really important. And for me as a journalist, again, that's a gold mine, you know. One of the reasons I was able to tell the Bangladesh Bank story was because A, Bangladesh Bank sued, well, everybody [laughs] it's probably quicker to name the people they didn't sue rather than the ones they did, to get their money back, but the US government then put out a criminal complaint against a North Korean hacker they say is behind that attack, and that had huge amounts of detail, which of course dovetailed in with what Bangladesh Bank itself was saying. So I was able to put those two documents together and suddenly get a really good view of what happened.

    See, the attribution thing has, has absolutely changed. Again, you know, to, to put the hacker's point of view, playing with attribution and, and false-flagging stuff I think is gonna be a real interesting trajectory. We haven't seen as much of it as I thought we would have done. I mean, the Olympic Destroyer attack, I suppose, is the sort of object example in that. But, you know, I'm sure there are hacking groups at the moment thinking, "Right, now everybody's attributing these attacks to Iran, if we can carry out the same attack with the same malware, we'll just flag it as Iran and we'll be able to hide behind that." So attribution's good, but we have to be careful, I think, about it.

    Garrett O'Hara: Yeah. And to your point, well-documented, you know, not cavalier attribution, but actually, you know, well-researched, well-documented, and yeah, definitely take your point on that. A- a- one of the things that [laughs] really jumped out in, in the Lazarus Heist was how often it felt like chance played a part in ... Y- you know, th- the attackers not getting funds, for example, you know, the, the naming of Jupiter Street was just astonishing, or, you know, the spelling mistake in, in foundation. H- what was your perspective on that? You know, in, in our industry, we're so obsessed with building security controls and trying to control everything. And then you see all the money that would have been spent on that, and then it turns out, literally the choice of a bank in, in Manila was the thing [laughs] that actually tripped up-

    Geoff White: I know, I know, yeah. So they, they, when they hit Bangladesh Bank, the hackers tried to transfer the money to a bank in the Philippines in Jupiter Street, and Jupiter just happened to be a word that was flagged at the New York Federal Reserve Bank, where Bangladesh kept its money for completely unrelated reasons. It's, it's a shipping, it's a vessel an Iranian vessel called Jupiter which was sanctioned. And as somebody, I hadn't really fully clocked this the other day, but somebody pointed out to me, it was, it was, th- th- probably the most valuable false flag, false positive that's ever happened, you know, i- it cost the hackers something like $900 million. Because th- the transactions got reversed, because they were going to this sort of sanctioned ... N- not a sanctioned entity, but an entity that had the same name as a sanctioned entity.

    And as you say, you know, transferred money to the Philippines, t- to Sri Lanka, rather, to a charity there called the Shalika Foundation, and the hackers spelled it wrong, spelled it fundation, and so that 20 million payment got, got turned down. Yeah, it's, it's really interesting, isn't it? That ... But I think, what's interesting, I mean, like, so we've got that Sri Lankan example. It was a, a, an, an employee in Pan-Asia Bank, I think, who looked at the amount that was being transferred to the charity and went, "Well, $20 million is a lot of money, let's have a closer look at this." I think bounced it back to Deutsche Bank, who were one of the correspondent banks, intermediary banks, who then spotted the spelling mistake. I think that's how it worked. D- Deutsche Bank and Pan-Asia didn't, didn't, didn't want to talk to the podcast, so I'm going off the back of public reporting there.

    But again, th- th- it comes down to the sort of defense in depth thing. You know, we often talk about defense in depth from a technical point of view, you know, do you have perimeter defense, do you ... Excuse me. Do you have perimeter defense, do y- have you demarcated and delineated your information so people can't hop around inside your network? But, you know, defense in depth can also be h- having human beings, you know, looking over stuff, can, can have slight human being checks, and almost random human being checks, just to make sure you're picking that stuff up. So, so it's an interesting sort of point that I think about, about defensive attitude.

    Garrett O'Hara: I, I totally agree with that, and you know, one of the things that was very clear in listening to, to the podcast, I'm sure it's part of the book too, is just this sorta human component of this, where I think when you see the movies on TV, quite often, you know, the hacks and the attacks are s- like, super complex, or, or either completely ridiculous when you watch CSI, for example, but so often it's an email, and somebody opens an attachment and, you know, that attachment is the thing that kinda gets you in. And there's a weird expectation in my opinion on humans, you know, this, this idea of human error, h- humans are idiots, and I, I don't agree with that. I think people are very clever, but they're just not cybersecurity people, and that's not their job to be sorta hypervigilant.

    But I'd love to get your take. I mean, you've sort of alluded to it there, you know, this idea of defense in depth with humans, but like, wh- what do you see that role of, of humans versus technology and, and even process? Like how do you see that play out in, in sort of, when it's, when it's good.

    Geoff White: Yeah. We- we've done some sessions on this, and, you know, wi- will AI save the world, can AI do cybersecurity and, you know, save us all having to worry about it? Clearly the answer's no, I don't think anybody thinks that. But there is this sense of, well, th- there's, there's such a volume of attack, there's such a volume of data that we have to look at that obviously putting humans in charge of that just isn't gonna work. You need some technology behind it.

    There's an interesting, I think there's an interesting flow, the back and forth, back and forth with this, and I think it's, i- it's, I hate this phrase. It's, you know, it's a journey, not an end destination. Because yes, you have to have technology in place to do this, but you also have to have humans. But then, when the technology is missing things, if you're not pointing the technology in the right direction, if you're not controlling what the technology's in charge of looking at, well, you can get gaps.

    So, so you have to have this constant flow between giving priority to the humans and listening to them and, you know, putting the emphasis on them, then you maybe give priority to the technology for a little while, but then you look at where the gaps are. So it's, it's a constant ebb and flow between letting technology take the lead, because you can't have enough humans to keep up with it, but, but not letting technology always take the lead, you need to bring the humans back in and go, "Right, let's think about this from a human level, what do we, what do we not see, what do we now point the technology at?" So it's this back and forth between humans and, and, and technology.

    It's not that you put a system in place where you say, "Right, our technology does this, our people do that. That's it, we leave it." It's a constant sort of back and forth. Because as I say, the technology doesn't evolve like the human brain does. You know, the human brains will, will think of new ways in, and your humans in your organization will think about those new ways in as they go, we need to point the technology at it. So as I say, there's an ebb and flow, I think, back and forth between, between humans and tech.

    Garrett O'Hara: Yeah, that absolutely makes sense. A- a- gonna go on a little bunny trail here, 'cause you mentioned artificial intelligence, and it's sorta top of mind. I, I spoke to somebody at length about this [inaudible 00:26:55] the state of play with AI, things like facial recognition and use of that by the SEG Met police in in the UK, and Clearview AI, and some of those kinda larger, I suppose societal questions that we have to think about when it comes to the solving of crime through things like facial recognition, and then that impact to, I suppose, anonymity and, and what it means to be a human being. Huge question, but [laughs] like wh- wh- where do, where do you sit on, you know, the use of things like facial recognition and biometrics in, in crime investigation?

    Geoff White: It's, yeah, it's a real interesting one. I did a d- did a program for the BBC all about this, I've covered it. It, it, the facial recognition thing, from a technical point of view, i- technically, actually is really simple. A- anybody who's listening to this who's got a smartphone is already using facial recognition. You know, you point your smartphone at, at a f- at a f- you know, a sh- a shorter scene, and it will find the face and put it a little square around it. So facial recognition technically is really easy.

    So then it's like, "Well, what's, what's the controversial bit?" And the controversial bit, of course, is not just recognizing the face, it's uniquely identifying it and matching it against another face in a database. So the controversy around facial recognition isn't recognizing the face, it's what you do afterwards with matching. So there's questions about how you match, and how efficient that is, and how well it deals with Black and minority ethnic faces. There's also the question about where you get your database from. You know, it's a database of terrorists who've just blown up an airport, well tha- I think most people think, "Well, yeah, let's deploy as much technology as we can to find them."

    I- if you're matching it against people who've got low-level offenses, o- or if you're just used as a dragnet to pick up people who don't want to be seen by the cameras, which is wh- what we saw in London in the trials at some stages, th- I think people would have a big problem with that.

    Facial recognition is a hugely powerful t- I mean, it's insanely powerful, at the point where you can do live matching. We've, we've had facial recognition for years. Th- th- th- you know, the UK police is able to take mug shots of arrestees and match them against, you know, mug shots of p- people who've previously been arrested. That's not new, it's in a way not controversial, I s- suppose. It's the live facial recognition, it's the fact you can do it as people walk past the camera. This is incredibly intrusive, it's blanket, and what really worries me is the, the words facial recognition, the term facial recognition, is not featured in any UK law whatsoever. We have had no debate on this, you know, as far as I can work out, imp- [inaudible 00:29:15] passed any laws in it. Don't know what the situation is in Australia. But i- it's, d- we need to get a handle on stuff, it is abs- this is Kryptonite, and we, we really, really need to get a handle on it.

    What worries me is the people making the money in this moment are law enforcement and technology companies, who, you know, perhaps obviously, are, are gung-ho for it. They're always gung-ho for it. Law enforcement, see, they see wrongdoing all around the world, 'cause that's what they, that's what they're, they're in touch with. We need other voices in the debate. We need civil liberties, we need, you know, ordinary person in the street to get involved with this and just thrash out what we think's okay. 'Cause at the moment, if the police are just gonna run this, the police are just gonna roll it out as much as they can. And I understand why they do that, I just don't think that should be the only voice in the room.

    Garrett O'Hara: Yep, I totally agree with you there. It frightens me more than many things, I think when I think about it from some of the stuff I think there's a company that does, y- as you said, the live facial recognition, but also retrospective, which I straightaway just thought of films like Minor- you know, Minority Report essentially where, you know, you can backtrack to CCTV, not just see where you are at the moment, but actually where were you, who were you with? And that just feels, as you say, just incredibly intrusive.

    I, as, as we're kinda, kinda getting towards the end here. I'd, I'd love to kinda get a sense of given your work, you know, and y-, you have the inside skinny, and probably know more than the vast [laughs] majority of the, the, the planet's population of the, the dark side when it comes to cyber crime, and, and, and y- sort of how easy this stuff can happen. And I use the word easy, you know, with air quotes here. Do you feel like there's some sense of do you as a person like worry about the, the stability of banking systems and, you know, the sorta structures of society, that there's a thin v- sorta veneer of cybersecurity or security that actually just, you know, could go wrong-

    Geoff White: [laughs]

    Garrett O'Hara: ... Quite easily.

    Geoff White: Yeah. It's a good question. I mean, I think, as I say, coronavirus and the war in Ukraine have exposed the fragility of a lot of the stuff that underpins our society, and, and the consequences that are gonna come about, you know, when, when those sort of fairly fragile threads start to, start to fray and fall apart.

    I, the Bangladesh Bank case was y- was astonishing, the idea that you break into a central bank, you know, a country's own bank 'cause Bangladesh Bank is, is the central bank of Bangladesh, obviously. Tha- that was astonishing. And you start to get into some very, very serious consequences. I mean, there was, o- one of the amazing quotes from one of the investigators, a guy called [inaudible 00:31:40], who was the first instant responder, really, called in for Bangladesh Bank. He, he said that at the point where they really did think a billion dollars had gone missing, that is an almost existential threat to Bangladesh. You know, you're talking about countries' credit rating being downgraded, prevents them from access to financial markets, prevents them being able to s- pay people, prevents them from being able to function as a government.

    And you w- you're talking about a country where trust in government is, is quite low in, in places like Bangladesh. You know, th- th- that has a really, really, really significant impac- impact. Wh- what does encourage me though, is, let's look at, again, the Bangladesh Bank example, it happened subsequently. SWIFT, who run the inter-bank transfer network for a lot of the banks, and that was targeted in the Bangladesh Bank attack, started putting in controls. Banks around the world started thinking, "Hang on, are we vulnerable?" And so on.

    So what's interesting is the, the further up the scale you get in terms of the, the impact of a hack, the bigger the response you elicit. So the WannaCry attack, again, is a perfect example. Globally significant attack, but when it happened, every cybersecurity researcher and their dog was all across that, trying to stop it, trying to, you know, the, the, the, the world's defense mechanism went into went into overdrive.

    S- s- so I, I do worry that, that, that, that there are, y- th- th- that the, the consequences of the attacks are getting more significant. And it worries me that people say, "Oh well, you know, cybersecurity." There's a time when s- they say, "Well, cybersecurity, c- computer hack, you know, it could never really, you know, bring down a hospital, it could never really, you know, stop the petrol pumps." Well, yeah, it did. [laughs] It did both of those things. So I feel like the bar for what's a significant cyber attack just keeps going up and up and up. "Yeah, it could never, you could never shut down a nuclear reactor." Well, yes, it did that. You know, each time somebody says cyber attacks could never do X, within a few years' time [laughs] they, they do that.

    So, so it does worry me that, that we've seen the escalation. But as I would say, there's a positive thing, which is that the bigger the consequence of the cyber hack cyber attack, th- th- the, the bigger the scale of the response I guess that's e- that's how I sleep at night. [laughs]

    Garrett O'Hara: The, the glass, the glass half full approach.

    Geoff White: Yes.

    Garrett O'Hara: So- [laughs] so, so from the, the worldview, then, maybe back down to, to sorta y- your view, and, you know, you had the show, the, the Secret Life of Your Mobile Phone some time ago, right, and it, you know, kind of showed a buncha data was being sent without people even kinda realizing. So I'm guessing you got a good sense of security, data privacy, and all those things. And obviously you spend, you know, 15 years plus doing investigative journalism in, in cybersecurity. All of that, like how, how has that sorta changed how you move through the world as a human being? Like, is there things that, you know, Geoff White the human being doesn't do anymore, or has changed because of all the, of, of your work?

    Geoff White: Yeah, yeah, yeah. I mean, I, you know, I've, I've been pretty paranoid from the beginning, because covering, you know, I started covering cyber crime and realized, you know, if these guys ... F- 'cause I, I, I started seeing the kind of a- tactics that got unleashed on people in terms of life ruin, which was the old Anonymous term for basically picking somebody almost at random in some cases, and just taking them apart. Getting their social media, you know, getting access to their photographs, and just ruining their life online. And as a journalist, it's not that I'm afraid of that per se, it's just the time it takes to deal with that stuff is time I should be spending on journalism.

    So I sort of felt, "Well, the better I can defend myself, the less of a mug I will look if it happens," you know. So I, from a very early stage, started separating out my home life from my, my work life. I've an absolute separation of that. Because again, I don't ... My friends and family shouldn't have to take cybersecurity steps any more than the, the, than anybody else simply because of the work that I do. They should be insulated from the risk that I, you know, bring home, in inverted commas.

    So separate those things out. Which again, y- all the stuff I do is the stuff that good corporates should do and probably are doing, you know, separation of information. You know, my, my credit cards you know, don't get used on certain services or certain, certain devices. The data that I have is stored offline in a USB stick. Y- you know, I have separate passwords for every service that I use, it's all the basics. I use two-factor authentication on stuff. So what I'm trying to do is do on a personal level the stuff that I see companies being advised to do on a, on a big corporate level.

    Because fundamentally, th- t- the threats that we're facing are, are global, they go across borders, across jurisdictions, and the hackers like it that way, because cross-jurisdictional crime is much harder for law enforcement to track down. And so governments aren't able to do a lot about it, sometimes. Law enforcement isn't able to do a lot about it, because the offenders are in different jurisdictions. Your, you know, your company security, and great as products like [inaudible 00:36:28] are, you know, th- there's no silver bullet here. No one can-

    Garrett O'Hara: Yup.

    Geoff White: ... protect you. So it comes down to sort of protecting ourselves. It's quite a hard lesson for people, but I think, you know, there's that great phrase from Spider-Man, with, with great respons- great power comes great responsibility. And I think, you know, we have great power, you can check your internet banking in the middle of the night, you can message people around the world and Skype with them and Zoom with them and stuff. You know, wi- with that comes great responsibility, we've also opened up a can of worms. And so, you know, unfortunately we have to take security i- in our stride and add that to the things that we do. But on the plus side, if we get that right, we can, we can still have internet banking and, you know, instant communications and so on. So it's just the co- cost you pay.

    Garrett O'Hara: Yeah, absolutely. And some great recommendations there for things like password managers, certainly different passwords for different things and 2FA, everybody should be, should be doing that. Geoff, d- thank you so much for joining us today for conversation, absolutely fascinating to get to talk to you. Congratulations on the podcast, very much looking forward to season two, and cannot wait for the book which is the ninth of June, right, is, is when the book comes out? I, I think I've got the date [inaudible 00:37:32]-

    Geoff White: Correct, yeah. And that's physical book is, is in the UK, obviously you can get it shipped overseas, but if you want the, the audiobook and the, and the ebook are both available globally on the ninth of June. So if people are in places non-UK, they can get their hands on that directly, [inaudible 00:37:49] having to get the book shipped if they, if they need to.

    Garrett O'Hara: Brilliant. And we'll definitely include links in the show notes. And thank you so much, Geoff, have a, have a great day.

    Geoff White: Fantastic, and to you. Thanks for having me.

    Garrett O'Hara: Thanks so much to Geoff for joining us, and as always, thank you for listening to the Get Cyber Resilient podcast. Jump into our back catalog of episodes, and like, subscribe, and please do leave us a review. For now, stay safe, and I look forward to catching you on the next episode.