The Entropy Podcast

DORA the New Era of Accountability with Paul C Dwyer

Francis Gorman Season 1 Episode 21

In this episode, cybersecurity expert Paul C Dwyer discusses the implications of the DORA regulation on digital resilience and operational accountability at the board level. He emphasizes the need for organizations to understand their responsibilities regarding cybersecurity and the importance of incident reporting and risk management. Paul also highlights the role of cryptography, the impact of AI on cyber warfare, and the geopolitical landscape of cyber threats. The discussion concludes with reflections on the influence of social media and the future of AI in cybersecurity.

Takeaways

  • Digital resilience is about being prepared for incidents.
  • Board members must understand their legal responsibilities under DORA.
  • There are significant penalties for non-compliance with cybersecurity regulations.
  • Organizations need to validate their operational resilience strategies.
  • Cultural change is necessary for effective cybersecurity compliance.
  • Cryptography is a critical component of cybersecurity strategy.
  • AI is transforming the landscape of cyber warfare.
  • Geopolitical tensions are influencing cyber threat dynamics.
  • Social media can amplify misinformation and public unrest.
  • AI should be viewed as a tool for intelligence augmentation.

Sound Bites

  • "DORA places responsibility at a board level."
  • "Leadership must understand ICT risks."
  • "Cyber threats are about control and power."

Francis Gorman (00:01.186)
Hi everyone. Welcome to the Entropy podcast. I'm your host, Francis Gorman. If you're enjoying our content, please take a moment to like and follow the show wherever it is you get your podcast from. Today, I'm delighted to have Paul C. Dwyer with me, one of the world's leading cybersecurity experts with over 30 years of experience across military, law enforcement, government, and the private sector. Paul is the CEO of Cyber Risk International and the visionary behind the establishment of the International Cyber Threat Task Force. Paul is a TEDx speaker, author of Cyber Risk Leadership, and a leading voice on regulatory frameworks like Dora and NIS2. Paul, it's great to have you with me here today.

Paul C Dwyer (00:43.365)
Lovely to be here, Francis. Thanks for the invitation.

Francis Gorman (00:46.52)
Paul, I think I want to talk a little bit about Dora to start off with and the shift in the conversation from cybersecurity to operation resilience. How do you define digital resilience and what are, what aspects of Dora are you really seeing coming to light now that the regulation has landed?

Paul C Dwyer (01:05.125)
Great question for us to start on. So resilience, for me, when you look at the terminology and the legalese that's within Dora, and that's one of the biggest challenges, we'll probably come back to that, is actually understanding what they're looking for. But I often read out this big, long piece of diatribe, which is their definition of resilience within Dora. But what resilience is from a digital perspective is knowing when something goes wrong, being prepared for it, minimizing the impact of that, and being able to recover.

That's essentially what it is. Knowing when it goes wrong, being prepared to begin to recover and being able to improve the efficiencies around all of that kind of area. So there's a lot to it, it'll be simplified. But when you look at the legalese catch-all statements and definitions within the likes of the Dora regulations, even the level one regulation, it's frightening, it's challenging and obscure to try and understand and decipher.

Francis Gorman (02:00.132)
And Paul, one of the things that I often found interesting about Dora is it places responsibility at a board level. So what advice do you give directors to help them, I suppose, rise to that accountability or even understand it in the first place?

Paul C Dwyer (02:13.627)
So that's really one of the game changer pieces of this. So no longer is it something where, you know, somebody can sit around a boardroom and think that this is something being handled by a part of the business and say, oh, that's the cyber guys. So that's the IT guys or that's our vendors or whatever. Legal responsibility under Dora, under NIS2, under the UK Operation Resilience Act firmly sits with the management team. So, and they need to understand their obligations, the mandates that are associated with that.

the downsides, penalties, if you like, that go along with that and those significant responsibilities. And it starts with education. I mean, they need to understand this. They don't need to become ICT experts, but they need to understand ICT risks. They need to understand the concepts. They need to be able to challenge those people that are coming and saying that everything is fine and everything is great and rosy in the garden. But it is a paradigm shift. It's completely different from beforehand, where, yes, it might have been seen as in the realm of

geeks and operational people and maybe compliance teams and all that good stuff and it was all down below them. They have to have their fingerprints all over digital resilience now. They have to understand what's going on as they are responsible for it.

Francis Gorman (03:23.974)
And you spoke about those penalties for anyone at that level listening that may not be fully aware of what those are. Can you bring that to light for me? What are the penalties for non-compliance?

Paul C Dwyer (03:33.455)
Well, a lot of the penalties are going to be defined. You know, the monetary parts of those penalties are going to be defined in the personal end of those. But when you get into Dora, there's criminal penalties, there's sanctions, there's authorization withdrawals, all of those kind of things. But if we look anecdotally at what happened, for example, in the UK around when the Trustee Savings Bank was down for 232 days because a software upgrade went wrong.

That's the I know it took two years to go through regulation, yada yada yada, all that good stuff. But he was fined personally, 81,000 pounds sterling. So there is a personal consequence to not being good at your job. And I think that we're going to see more and more of that coming through Dora that people realize whether they're a NED, whether they're a director, whether they're operation management, an executive team, whatever happens to be.

that they have responsibility. If they're at the top pinnacle of that organization, the buck stops with them at the end of the day. Right through to third parties, right through to the fourth parties, everything else like that, they have responsibility for that. It's not something they put their head in the sand over.

Francis Gorman (04:40.28)
And that causes a problem strategically then, because you know, if you have your cyber strategy or your IT strategy or enterprise strategy, now you've got a real, I suppose, dedicated requirement to understand the different facets of those to make sure they're doing the right things for you in those areas. Because if you can't show transparency and traceability that you're addressing specific issues, not only around cybersecurity, but the underpinning resilience, then you're creating, creating headaches for yourself.

Are you seeing any shifts in how companies are starting to build their strategies? Is it bedded in yet to the point where they have to kind of pivot slightly in the strategic space?

Paul C Dwyer (05:20.411)
Yeah, there's a lot changing, right? And they're probably in kind of different groups of people. There's organizations that were quite mature in what they were doing around operation resilience, digital resilience, cyber resilience, all those kinds of areas. And when they probably took a first look at the level one documentation, they probably got a comfort of thinking, oh, we're doing all this kind of stuff, no problem. But when you get into the level two documentation, the regular technical standards, there's a realization that we're not actually quite doing it to the level, or if we are, we can't produce evidence.

that we're doing it to the level. So I think a lot of the focus is now for those organizations on validating. They were all rushing to get to this deadline of getting the otherwise in the registers of information in it all became almost quite like a project for that and all these kinds of deadlines. But this is now business as usual. Being aligned and having a digital operation resilience strategy aligned with your business strategy is a legal requirement. Now you have to have a DORS document. And that brings it to life because if that's something that's on board level,

they've got, excuse my phrase again, I suppose their fingerprints on it, they need to know that's something that they can sign off. They understand everything they're doing is in line and providing them digital operational resilience. And it is an all hazards approach. You kind of alluded to it there. It is an all hazards approach. So we're talking about global warming. We're talking about hackers. We're talking about system failure. We're talking about operational resilience. And I said for quite some time, it doesn't matter whether you're in the financial sector, this is a great blueprint on how to run the digital business in 2025.

There's not too much in there that people can point to and say, well, that's ridiculous. Why are they asking me to do that? A lot of it is kind of common sense stuff, but it also, because it's taken that holistic nature, Francis, is bringing everything together and getting everybody on the same page. And that's one of the powerful things of Dora. Leadership, taking responsibility, holistically pulling all these things together. People aren't operating in silos and taking that approach makes a massive difference, a massive difference to what an organization would do. And it can be a strategic advantage. We're seeing lots of organizations.

that are getting much more efficiencies out of this and driving much more efficiency. Therefore they can they can onboard more innovation.

Francis Gorman (07:24.526)
And I suppose that is an interesting piece because if you're, if you're a streamline and your technology to make sure that it's the right bit, a bit of kit to underpin your, your business services, you know, that you can probably get rid of a lot of the dead wood or the stuff that's been hanging around for many years, causing you headaches. There's one company in this space that I've always admired, which is Netflix and you know, their approach with chaos monkeys and you know, just randomly breaking stuff to make sure they can recover. And it'd be really good to see the industry kind of move towards that as a whole, you know, that you can, you can kind of, you can predict.

demarcation points across your network, across your service line and applications, et cetera, flick a switch. And it comes back up because you've thought that through at a level that's kind of an enterprise level that builds that resilience in. NIS2, Paul, though, as well, kind of underpinning this as well to an extent. They're very similar in their wording. But one part in NIS2 that stood out to me was the improved incident report and the risk management piece that comes through there.

Paul C Dwyer (08:09.531)
Yeah.

Francis Gorman (08:23.766)
Is there any best practices you recommend for getting that aspect right?

Paul C Dwyer (08:28.219)
Yeah, absolutely. At the end of June, I think it was just the end of June, ENISA released a technical implementation guidance document for NIS2. And that is plain English, great for ICT people that want to understand what am I meant to do and what not meant to do, because it maps it across to the likes of the NIST Cybersecurity Framework 2.0, ISO, even the cyber fundamentals now that I see the National Cybersecurity Centre in Ireland has decided it's the best thing in the world.

all that kind of stuff. It's plain, you're not reading a legal document and trying to understand what am I meant to do as an engineer and architect? What am I meant to put in place here and tell the business that this is okay, that I'm meeting compliance requirements? It's specifically called out there in engineer speak, you know, so that's a powerful piece within itself. There's always going to be that kind of cultural change in relation to what all of this means for organizations as well, because as people realize,

that there's where the responsive measures lie and then that gets tested out in courts and all that good stuff. That's going to be a big piece of this as well, I think, especially in relation to supply chains.

Francis Gorman (09:35.374)
And that's a watch item I suppose. We won't really know what's gonna happen there till we get a couple of test cases through and see what the outcome is.

Paul C Dwyer (09:41.409)
Yeah, but I think even the man on the street can see that, you know, NIS2 or the woman on the street, the person on the street, let's say, can see that NIS2 and Dora together, I often talk about the three roads that have come out because they all come out pretty similar and pretty close together. And they had similar aspects. But the key thing that those three roads and those three roads are NIS2, Dora and UK Operation Resilience Framework. And those three roads lead

to digital resilience. And you have to do that alongside AI. And they also have other common characteristics such as they now make leadership responsible for all of this. So that is going to create this cultural change across all of the pieces. And when you look at what was defined as a critical or important service under NIS2, very few businesses don't fall under that. So what we need now to make this most effective is clear understanding of what's required.

from organizations, you know, as I said, I've mentioned that the technical implementation guide and clarity around what's required and let everybody, it's a rising tide lifts all boats. And that's what in this interconnected, interdependent nature of a digital ecosystem, which is the modern day economy, we all need, you know, you need to know your suppliers, not just the financial sector is secure, but all of their suppliers are secure and all the people they rely on are secure and so on. And that, that makes everything better for everybody. So I think that cultural piece we'll see probably a few test cases of,

the reality of people not being able to prove what they have in place. I think that's what, when they get down to it, I've often talked to organizations, they'll say, oh yeah, we have this, we have that, we have the other, we've spent X million on this and all that kind of stuff. And they say, okay, show me the records, it's very basic stuff. Show me the evidence of the last time you carried out some change management and you're looking for logs and you're looking for the process that was followed and the evidence that process followed and they don't have it. So, you know, and that part of that cultural change, I think there is another part of the complexity here.

which is, dare I say, the elephant in the room is the kind of big four factor, the old fashioned consultancy approach to all of this, which is going in with finite lists and trying to say, oh, well, you didn't mention your asset ID in that policy, therefore it's a fail. Dora is conceptual. It's about having the concept in place. Yes, there are specific requirements from the RTS documents, but they're more interested in Jerry Cross who...

Paul C Dwyer (12:00.261)
who led a lot of this before his new role within the CBI, but led it across as the cross-functional former and Dora and so on, on the European side of things, was very pragmatic. And that came across in a lot of the guidance that we were receiving from the likes of the ESAs and the likes of the local companies and authorities and so on around all of this. So we can't lose sight of that. If we get caught down a rabbit hole,

of consultancy firms trying to make a killing thinking they can go in with a checklist of 200 things and find out that the Dora team have been working night and day and they missed out on 11 things that are subjectively found within it. That's crap. I'm on shit at the end of the day. And that's not what it's about. it's just, it is a concept of resilience at the end of the day. And it does have proportionality in there. It's the principle of proportionality. So what's proportionate? What's your risk appetite? What's your risk policy?

And as long as leadership has thought those things out, this isn't a regulation for the sake of regulation. This is needed. This is required. Look at the Marks and Spencer's attack and culturally that being almost accepted as being, yeah, but didn't they do a great job the way they responded? Are you joking me? How did it get that far? Right? And that's a billion. It wiped off the value of what? Wiped off the value of people's pensions.

It's not what Marks and Spencer's had to pay out for consultants and PR firms to make it look like they did a great job and all that kind of stuff. It was people's, you know, worked all their lives, put money into pension policies that were investing into Marks and Spencer shares, and then it goes to shit. And that is the reality of what these attacks can have and how they manifest themselves into day to day life on people. So I think that the days of those kinds of attacks being acceptable, there's going to be a lot of scrutiny around that on leadership side, because

When you now look back at attacks, could that have happened if they followed NIS 2? Would the impact have been the same? Generally, the answer is going to be, well, no. If they had followed even the most basic guidance in the leg of NIS 2, or the basic guidance in the legs of Dora and so on, the impact certainly would have been the same. Stuff will still happen, but is the impact going to be as devastating?

Francis Gorman (14:16.578)
And yeah, that's a true reflection. And it's about time as well as we got to that, you know, that narrative that your attack surface is your attack surface and you can minimize it and you can isolate your key assets, but you need to be strategic in the placement of controls. You need to be strategic in your processes and you know, your governance and oversight. One thing about Dora that I find extremely interesting is its explicit call-out on cryptography. And I have a real interest in both quantum

readiness, but have a real interest in cryptography in its basic sense, as in it's the forgotten child of security. Everyone talks about your TLS handshakes and you need to encrypt stuff at rest and, you know, I'll make sure that, you know, that confidentiality, integrity and availability is maintained. And we use all of these words, but very few organizations can pull out an inventory of your cryptographic assets and very few organizations have a level of cryptographic agility.

that will be required for post quantum readiness that you can run hybrid modes of cryptography, besides classical and be ready for that transition. And I think Dora, without being explicit, has identified that as a problem and it's put it in there. Have you seen many organizations react to that aspect of it?

Paul C Dwyer (15:37.435)
I'm with you on this. I'm on the same page with this because it's not too long ago that encryption was a munition and it was classified as a weapon. And then we had the likes of Baltimore doing so well here in Ireland and you know, all those things around the key exchanges with the United States and all of those kinds of things. And then it just became quite pedestrian for people to be able to use and not use as the case may be. But one of the most surprising

questions I've ever gotten, Dora was from one of the largest financial institutions. And it's not one that you've anything to do with in Ireland. And the Dora question to me was, do you have to encrypt? And he'd gone, seriously, guys, why do you have the steering wheel if you don't know how to drive? Like, what the f***? Like, honest to God. You know, it is one of the last strong weapons we have to defeat against

the bad guys and things happening, all those kinds of things. And you mentioned the CIA triad there. Within Dora is also authenticity as well and being able to make sure that things are authentic as well, which encryption could play a part in. So there's all of those things. I think that there has to be almost, that has to become basic, basic cyber approach or basic IT is understanding the laws of encryption and what the risks are. What's the difference between a ransomware attack and hiring a contractor?

that uses encryption keys badly wrongly within your environment. They can get a bus, so they go off and live in the Himalayas or whatever they decide to do and they've disappeared and you're not able to access things. So if it's not managed properly, it is a weapon. It'll blow up in your face. So it's something that isn't understood, broadly speaking, in most organizations is what I'm finding. And it is great to see it in the likes of...

being called out the likes of Dora and so on as a requirement because it will put focus there. People say, maybe we need specialists in this. Maybe we need specialist training around this. And maybe the developers need to understand more about it. The business may need to know more about it and so on. We need to get rid of this attitude of wiggling out of compliance requirements. Like, almost, you win if you don't do what the compliance piece is asking you to do.

Paul C Dwyer (17:55.099)
And that's still out there, unfortunately. So what can we get away with? You know, well, would you rather get ransomware or Dora? I mean, this is literally what I talked about at a conference recently because we're all going on about, well, I was talking to the credit unions in Ireland and they got an exemption and then they've got a stay of execution, so to speak, for a few years. And they're all going, oh, it's terrible. We should have just stuck with the exemption so we wouldn't have to do Dora. Well, would you prefer ransomware?

Because if you're Dora compliant, the chances of getting ransomware are fairly negligible. Or if you did, it's not going to wipe you out. Not understanding the principle and benefits of it, I think is a big challenge. There is a cultural change and a psychological change needs to be adapted within the environment. I mean, obviously from a vendor's perspective, they're all rubbing their hands thinking, oh, this is great. We can do all these solutions now around Dora. I nothing to bang the drum with. But I think

it all starts with leadership. Leadership changes policies, policies change culture within an organization and we need to see it impact to the very top. And I hope that any of those supervisory audits and assessments that are going to go on probably around Q3 of this year that we will see them at the leadership level. Who on the board is trained on ICT risk? What qualifications do they have? How do they understand the reports they're reading?

Where's the DORS document, to what level? In at that level, I suppose to go into the architecture level or going into an operational level and going through a policy and getting the big four to tell you that you forgot to reference an asset ID tag somewhere deep in policy. Like, where's the benefits of that? The change is going to come from the top down. The tail will never wag the dog. So it has to come from leadership perspective.

Francis Gorman (19:40.558)
Fully agree Paul, you won't have any argument to that sentiment here.

Paul C Dwyer (19:43.531)
Yeah, you know yourself, I mean, and the thing is cryptography, it's one of those things because it's kind of an unknown science to most. You know, they understand printing, they understand the cloud, they understand files and so on. And they have a vague understanding of what encryption is. And then they see all the acronyms and all those kind of things. They go, ooh, you know, NSA, all this kind of stuff. They go, oh, so what's the point? Someone else has the key and they can understand and get through it. I'm not sure quantum's gonna decipher everything. All that kind of stuff.

Yeah, it can be one of the best weapons we can use, but like any weapon, it can cause you problems as well. So it has to be managed effectively and properly. And it's great to see any work that's being done around standardizing that. And I know NIST in the States have done a lot of work around this as well. So there's lots of good guidance out there as well.

Francis Gorman (20:30.574)
There is, yeah, and NIST have recently launched their quantum-resilient algorithms. And I was on with Dusty Booty a while back on a talk on it. And, you know, there's some fascinating maths behind how that's all going to work. So I think that's a different, that's a whole different conversation. We won't, we won't get into it.

Paul C Dwyer (20:35.867)
Hmm.

Paul C Dwyer (20:46.423)
Yeah, it is. It's from a Dora perspective, it's way too far above where most of the Dora audience is. You know, the Dora audience is there where leaderships are going, really, I'm hearing things about Dora. It's not just a lot of them just think it's GDPR and done the version of like a GDPR and they go, ah, yes, that'll be grand. So we pay a fine now and again, we get slapped the wrist with a verbal. And it's that mindset. Dora is completely different, as I'm sure you will know, completely different.

It's going to be, as soon as people see that it's real, it's come to life, it's business as usual, I think we'll see a lot more manifest itself out of that as well. And it's great to see it going alongside, as I mentioned, NIS2, and I mentioned the likes of the UK Operation Resilience Framework, because it's up in the game. And when NIS1 came out in 2016, I remember reading that the estimates for that was it would add 500 billion onto the GDP of Europe. 500 billion onto the GDP. So when you think of that,

This is all about making Europe more secure, more efficient, more stable, economic advantage, especially in the geopolitical madness that we're living in at the moment.

Francis Gorman (21:55.823)
We are living in geopolitical madness at the moment. And I think you've used the word weaponized a couple of times there. So it might be a nice pivot to talk about some of your past work with NATO on hybrid threats and how prepared do you think Western nations are to defend against coordinated cyber and disinformation attacks in the geopolitical times we're living in at the moment?

Paul C Dwyer (22:16.699)
So I think that there's a different range of countries across Europe and again a different cultural view to what they see as threats on the preparedness level of course. So if you look at someone like Estonia, we'll be a lot more prepared than say Ireland is. Ah, actually we'd be grand, we'd be grand. And I say that as a proud Irish person, but we do have the it'll be grand DNA gene in us that we all think actually won't happen to us, who'd give us any trouble and all the rest. But then you see the Russian propaganda saying well,

If you say anything pro-Ukraine, you're in the crosshairs of what we're doing. And then they're sending out simulated videos of setting off nuclear missiles off the coast of Donegal to create a tidal wave to take out London. So, you know, when you look at a hybrid threat, a hybrid threat would be in so far as, you know, maybe a SCADA-based system going down or just a control system being taken down and then causing a kinetic attack like an explosion and all those kinds of things. These things are happening on a daily basis.

not per se the explosions, but the attacks on industrial control systems, SCADA-based systems and all those kinds of things. And just one thing for the audience to understand on this, and we've mentioned CIA there, confidentiality, integrity, availability. So those three principles of security, you flip that on its head when you come to industrial control systems. You want availability is your primary, then you want integrity, then you want confidentiality. So the reality is most of these systems are really easy to break into.

And once you're in, they're actually just robust. And you can see tons of videos on that on YouTube and so on and all those kinds of things, the demonstrations of the main attack and everything else like that. But when you go back to what it's only a few months ago, when we had the electricity outage in Spain and that whole region. Now, without getting into conspiracy theories, NATO has its basically an air base. They're in communications, right in the center where all that went off.

It was around the same time as some things were going on with China and distraction in the media and all that kind of stuff. And there's been Russian attacks and Russian groups attacking critical infrastructure in Spain as well. So you're probably very aware as I am that a lot of these cyber skirmishes that take place, they have collateral damage in them and that collateral damage is private enterprise and organizations that need to be able to deal with this. Now let's have a look at something like NIS2 and Dora. What that does is it gives you that segue.

Paul C Dwyer (24:44.289)
into being able to access those kind of state level resources if required. And that's a real big bonus to NIS2 and to Dora because now if you're in that communication systems, information sharing business, intelligence and all those kinds of pieces and you find yourself in those crossroads, you're not on your own anymore. So if you're an airline and you're getting attacked, you go to An Garda Síochána? What do you do? Right? If you're not.

But now the processes are there in theory that the escalation, the triage can take place and it can be escalated up to get the right kind of intelligence, the right kind of resources, military level resources to help defend private enterprise if need be.

Francis Gorman (25:26.19)
I think Paul that shared threat intelligence really is a key part of the cyber industry that we need to do more of. There needs to be a lot more sharing at a sectorial level. Financial institutions share with power plants and water companies, et cetera. If we look at what's happening with Ukraine and Russia and what's happening with Israel and Gaza and then the rhetoric from the States, Europe is piling money into

military spend and a large portion that is going into cyber defenses as well and artificial intelligence embedment in military drones and all of that sort of thing. And I kind of don't want to ask the question, but how big of a role do you think AI is going to play in the next frontier of warfare?

Paul C Dwyer (26:15.769)
Well, I think it's already playing a significant role, but I think what you find is that there's a human side and then there's the physical side of assets within warfare. And if you can control the human, you don't necessarily need to effectively blow up an asset or whatever it has to be. So if you think of the Russians, they would have like a process known as compromise, where they try and compromise an entity. So even when you get down to the likes of, I'm going to be real pedestrian, there's like romance scams and

phishing emails and all those kind of things and hooking someone in. The whole thing about Trump and the PP tapes and that he's a Russian asset and all that is that he's controlled because they have something on them. And we do see that kind of stuff happening all of the time. AI and that kind of almost, you know, dare I say a basic level of stuff. But then AI itself and being able to maybe do things faster, say better.

than humans in 24-7 and faster thinking and all of those kind of things. In certain military operations, that's going to be a massive advantage to use. I remember listening to an interview from the head of the Ukrainian cyber defence.

And he was talking about the fact that they were significantly now relying on AI, but he wanted, his main thing was he wanted to share with others and say, hey, listen, I'll tell you how you can do this to defend against this kind of stuff. I mean, when you, again, listeners will probably be very aware that a lot of threats are the same stuff just being done in a new way all the time. So, and it is a cat and mouse game between the good and bad guys, you know, I've gone along with those, but now you could have a game changer situation where AI can almost, you know,

knock the crap out of a lot of these kind of vectors of attack and stop them happening. Criminals are motivated by money, not nation states, they have different motivations, but criminals, if it's too hard and it's too difficult to do something, they move on to a different kind of scam, a different kind of attack vector, whatever, because they're just going where the money is. You look at ransomware, it's only a few years ago where the average ransomware attack blackmail was for maybe five or 10,000

Paul C Dwyer (28:31.195)
euros, now it's in the millions. Why? Because insurance companies started paying out and they won't fold. Excellent. There's money in this. So the criminals start putting all the resources into that. They said, this is where the money is. They're entrepreneurs, they're innovators and they're well funded and they're tech savvy and all the rest. So they're going to go where the money is. So yeah, there's an awful lot. There's not a lot changing at the moment in that space. From the point of view of nation state threat actors, you've got all the big major players there.

You know, you've got Unit 61398, for example, the People's Liberation Army, you've got the North Koreans, you've got Russia. I often do talks where I focus in on one, which is Vladimir Putin. And then we start showing that relation between the GRU and even from an Irish perspective, we break it down and show the link between him and the Conti ransomware group that took out the HSE during COVID. You know, and there's lots and lots

of evidence there to show those kind of relationships and everything that are going on and where it came from and where it spawned from and where does all the fake news come from and where are we undermining democracy itself and faith in new systems and everything else in that and it's coming from these bad actors. So cyber threats obviously we know are not just about somebody stealing someone's username and password or taking some money out of an account or something like that or selling your pictures or something like that. It's about other things. It's about control and power.

And that's where a lot of the bad actors are now. They're trying to garner as much power as possible. And these bad actors, by the way, before I get on my soapbox here, they manifest themselves in different ways. I did a TED talk, you know, where I called Mark Zuckerberg one of the bad actors in the whole area because of this whole ecosystem of Facebook and how it supports criminality and how all of this could be, a lot of it could be stopped in a heartbeat, but it's not just criminality. It's predatory behaviour on children.

It's all those kind of bad areas, right? That if there was proper regulations in place, could be forced to stop all of that in a heartbeat because they have the choke points in all of this.

Francis Gorman (30:32.226)
And I think the Dublin riots probably summed that up where you can just whip up fear and a crowd and, you know, create real life chaos on the streets through a vector of social media and misinformation and disinformation being pumped to the right people who, you know, are already bought into a certain ideology.

Paul C Dwyer (30:48.397)
Yeah. And even before, before the Dublin riots, I mean, it was probably five or six years before that. I live in Malahide and I was in Portmarnock and a race riot occurred from a load of tweets and Facebook posts and so on that were going on. And they stirred up a whole load of the gang fights that were taking part down in Sutton. They were taking place down in Portmarnock. And then all of a sudden you had these mobs that were just landing on somewhere like Portmarnock,

looting the Dunnes Stores off-licence, going down setting fire to a college, all that kind of stuff. Whatever. So it's rabble rousing. I mean, like when we look at groups like Anonymous and we look at things like 4chan and the origins of all this kind of stuff, it's interesting with human behaviour. And you always think of those when you see the birds flying in formation and then one changes direction, they all change direction behind it. That's what it's like from a cyber perspective. Many times they can bring a crowd with them. So

You know, going back to the 4chan stuff where they'd be going, somebody would go on as anonymous and they'd log on and say, oh, my boyfriend has cheated on me. He's been really mean. You got all these guys online. Also, we've got 10,000, 5,000 people. And then that manifests itself into things like Low Orbit Ion Cannon and those apps targeting the CIA's website, trying to take those out and, and, MasterCard and all, and taking them down off of the internet. You know, and that was soccer moms who were going, yeah, that's terrible. Scientology is terrible. So I put the app on my phone because, you know,

I saw Tom Cruise in an interview and I hate all that kind of stuff. So if I put this on my phone, I'm doing some good, all that kind of stuff. So rabble rousing is, and the numbers that can be taken down. I don't think we've seen the half of it, to be honest, because it's like, I think it's probably about six years ago, there was the attack that took out a CDN

server in the States that took down Twitter and everything else like that around the time of the American election. So it's probably, I'm probably going back as far as 2016 just for that. And that was all done based on the Internet of Things. And they called up all of the cameras that they had access to and used the bandwidth from the cameras then to attack the servers. And that was just off the scale of anything anybody had ever seen before in relation to a DDoS attack. So.

Francis Gorman (33:04.952)
Yeah.

Paul C Dwyer (33:05.019)
The power is there to them. When you scrape the surface on this as well, and for those who don't know, all of a sudden they think you're being a conspiracy theorist, but when you think of the supply chain that's been used in Ireland, Kaspersky is banned in some countries and not in others. You have Huawei. You have all these things going on. They maybe deserve a bit more scrutiny before they come into the public sector or before they come into the critical sector.

Francis Gorman (33:33.186)
Yeah, I was a conspiracy theorist. There was an article I read where the NSA warned about BYD and the Chinese cars that potentially could have autonomous remote control from outside of Europe, let's say. Yeah, that's terrifying.

Paul C Dwyer (33:46.553)
Yeah.

Yeah, well, you know, the thing that will probably impact most people is if they lost access to their TikTok or their Instagram or something like that, because like, I'm sure some of you have studied the impact socially on people and everything else, it would be far greater probably than they think than if they couldn't get fresh water or they couldn't get transport, they couldn't get something else. It's kind of crazy times that we live in. But I thought it very interesting. I studied a lot around that power outage in Spain because that was kind of a real iconic example of

what it could look like if shit hits the fan, basically. And it was contained for a few days and what happened. But you had people that literally were realizing that the taps were electrically powered. They couldn't get water to wash their hands. They couldn't charge their phones. People from a health perspective, they couldn't charge their wheelchairs. They couldn't charge their health systems at home. All those things. They realized how much they depend on all of this. But the panic then ensued in Gen Z and so on because they couldn't access,

you know, Instagram or TikTok and all that was palpable as well. And, you know, people just don't know how to handle an analog world. I mean, they're handing over their brains to Google Maps rather than looking where they're going, you know, and this isn't a criticism, we all leverage AI and it's very handy and all the rest, but we need to understand that they're tools to help us do things. They're not a replacement for us.

Francis Gorman (35:09.774)
I think I talked about this with Chris Kubecka on the last podcast, the MIT report on cognitive decline from ChatGPT users and the case study. I'm not sure if you're familiar with it, Paul, that, you know, it's been doing the rounds, they basically did a case study on students who created an assignment start to finish using generative AI. ChatGPT was the tool of choice. Students that used it to polish off the assessment, the students that didn't use it at all.

And kind of in the last group, the students that didn't use it at all. Lots of neurons firing, you know, lots of healthy brain activity. Middle group, similar, but not as extensive. And then the start to finish group couldn't recall the detail of the assignment, you know, couldn't articulate the hypothesis and how they came to the conclusions, et cetera. And the neurons were almost minimal. There was a minimal fire in that critical thinking, that stage to part of the brain. It's a...

Yeah, I think if you offload your cognitive ability to a tool, there is a real risk there that, you know, you know, it's kind of.

Paul C Dwyer (36:16.219)
Yeah, like I'm a big advocate of AI for the part of you that, as a business person, we've really embraced it. You know, we've faced it with our solution like Cyber Prism and things like that. But even our marketing teams, everything is now AI 24/7, you know. But I try and look at it with the perspective of I flip the AI into IA, which is intelligence augmentation. Can I make myself smarter? Can I make myself more efficient and more productive by using it? If I can, great. Am I just being lazy

by pasting something in and asking for a response? That's no good to me. So it's a bit like the electric screwdriver. You know, it's very handy to get through the work and to grunt your way through it, but you need to be able to know what you're doing at the end of the day and know what good looks like when it's finished. You know that you just have the amount of posts you see up on LinkedIn and it says insert date here and insert that. Just everything from the most basic posts to the work. Even over the weekend there, I did a post about

everyone's going on about ChatGPT 5 and my God, it's incredible. It's brilliant and all this, right? And I just, the first thing I typed in was how many controls are there in the NIST Cybersecurity Framework 2.0? And it came back and it said there's five functions, right? It's six, right? So this echoed my point, which is ChatGPT is like a drunk at a party, right? No matter what you ask it, it tells you it has the answer. And when you challenge it, it doubles down. And I remember going in to

do a board briefing in the health food sector. And it was on NIS2. And in preparing for that board briefing, I asked ChatGPT, can you give me a summary of any cyber attacks on the food sector in Ireland? And it came back and it told me all about this one on Dairygold. And I went, wow, that's a significant attack. And so I asked it a few questions about it and it gave me what their finds were, what ransomware tools were used. It gave me all the details, everything else. So I went into another tab, went to Google, started searching for this thing. I go, I can't find anything

about this, whatever. Literally went back into the tab on ChatGPT and said, did you just make this up? And it said, my bad, sorry. That's all it said. Right. And I was going into the board of a major food sector and one of them was Dairygold and I would just have come up with this absolute bullshit story about, yeah, do you remember Dairygold got hit four years ago and blah, blah, blah, and they'd all be looking at me going, this guy's crazy. Um, so it is hallucinogenic. Um, our own tools, for example,

Francis Gorman (38:20.302)
the

Francis Gorman (38:28.034)
Ha ha.

Paul C Dwyer (38:39.611)
We use RAG-based tools in AI and we make sure all our data is contained. We know what's in there and it's not going off making up stuff, because OpenAI is fantastic and AI is great when you use it properly, but when you don't know what you're doing, you're going to cause problems.

Francis Gorman (38:55.85)
Absolutely. And I see it in the course world as well. Create me a course on X, Y, and Z. And you're looking at this going, that's not accurate.

Paul C Dwyer (39:04.517)
Yeah, this is something like mumbo jumbo. Like a lot of the time it'll make up things. And I've tried and tested it around things like, for example, obviously, cybersecurity frameworks and things like that. I can go, well, I've never heard of this control before. And it will look accurate. Like it will have the same breakdown of, you know, numeric and alpha and all that around the codes and everything. It's literally just making stuff up.

And when you realize that, the penny drops, then you realize, yeah, this isn't a colleague I can trust. This is a colleague that has good days and bad days. And yeah, so you just can't trust them. Exactly, yeah. So you just go, the guy's a genius, but he has his moments.

Francis Gorman (39:36.008)
That's a good way, yeah.

Francis Gorman (39:42.594)
My drunk colleague, yeah.

Francis Gorman (39:52.214)
Fantastic. Look, I think that's a nice way to wrap up. And it was a pleasure talking to you. It was a really great conversation. Hopefully listeners get lots of insights out of it and we'll chat again soon.

Paul C Dwyer (40:01.861)
Brady Francis, thank you so much. Cheers.

Francis Gorman (40:04.12)
Thanks, mate.