André Pienaar: “Welcome to the C5 channel. C5 is a specialist venture capital firm that invests in Cyber Security, Artificial Intelligence, and Cloud Computing. My name is Andre Pienaar, and today to have a cup of tea with me here in London is Malcolm Taylor, who leads the Cyber Consulting practice at one of our portfolio companies, ITC Secure. Malcolm, you’ve had a very distinguished career in the British intelligence community before you joined the private sector. Today in cyber security one of the most pressing questions that one hears often is what is the threat from nation-states in the field of cyber security? What’s your view on this?”

Malcolm Taylor: “Thank you Andre, and good afternoon. There’s no question that intelligence agencies across the world are incredibly capable in the cyber sphere, But equally, the volume threat, the threat faced by everyday people, everyday organizations, is one really that is criminal in nature, rather than nation-state led. After crime actually, and crime in fact is just stealing something of value that criminals can sell, and everything has a value. Netflix accounts, list mining, online, 50 cents with a password. So everything has a value. After a crime, there’s a little bit of people who want to cause mischief, and below that, I would say the nation-states come in. We can’t ignore them, because they are so capable.”

André Pienaar: “50 cents for a Netflix account, that’s rather disturbing. Now I’m very worried about my own Netflix account. Of course, if you’ve bought a Netflix account for 50 cents, there’s a great deal you can learn about the user, just based on the information embedded in that account. And that, as you say, is all at the criminal level. So you would really put the nation-state threat, from an enterprise point of view, and from an individual’s point of view, as on the outer circle of threats, but a very important one that really matters. Have you seen it grow in its importance? What other kind of instances that you can share with us where nation-states have really impacted on corporations and enterprises where typically the clients have ITC support?”

Malcolm Taylor: “Yeah, so we’ve seen it change, or perhaps put another way, we’ve learned more about it. And it isn’t something that… Notwithstanding my opening comments, it’s not something that we ought to ignore. We’ve seen a number of changes over the past 18 months or so, really. First is a revelation that countries like Russia have effectively privatized their state capability. Fancy Bear, a hacking group that is responsible for a number of the biggest hacks globally, is now seen to be sponsored by, equipped by, funded by the GRU in Russia. So it is, de-facto, a state capability. It’s almost a cyber quango, if you like. So that’s the first way in that we can’t ignore nation-states. Secondly, there has been a number of really powerful state-level tools that have leaked into the private sector. Most famous of that is the Shadow Broker group who obtained, and nobody quite knows from where, but they obtained a group of powerful NSA tools, offered to sell them back to the US government, the US government demurred on that, and they have leaked out onto the internet, and they have been behind some of the most famous attacks that we’ve seen over the past 18 months or so. It’s worth saying too that countries like Russia and China are very aggressive in their use of cyber. Both will use cyber for economic espionage, which is not something that western intelligence agencies are founded to do, it’s not something that they do do, but China and Russia do. The Chinese have a big factory of very low sophistication, low skilled cyber attackers, who launch attacks on western companies looking for intellectual property to steal. We’ve had a number of clients who’ve come to us and said, my IP, very well protected, kept in the safe behind my desk perhaps, has appeared in China. Can you help us discover how that might have come about? And they suspect, and it is the case sometimes, that that is through a cyber attack. And the Russians have shown themselves incredibly aggressive. Novichok in Salisbury is of course one great example. Not a cyber attack, but the other, they attacked the OPCW in Holland, and in a fairly ham-fisted way it has to be said, but nonetheless, they were trying to capture the WIFI in the building. They do represent a threat, yeah.”

André Pienaar: “One of the things that Keith Alexander, one of the leaders of one of our other portfolio companies, INET, would always say is that China’s been engaged in one of the largest thefts of intellectual property in modern history, so in a way, what you’re saying, Malcolm, is that nation-states like China and Russia, are taking old lines of espionage, economic espionage, and they are digitizing it, accelerating it, broadening the reach and the grasp of those agencies through digital tools.”

Malcolm Taylor: “There are many benefits to being a cyber attacker, as opposed to any other kind of criminal, or intelligence officer. One is volume and speed. It’s easy, actually, to reach global targets with the click of a mouse, effectively, at great number, and some of them will. Some of them will succeed. It’s a volume game. The old 4-9 fraud, sometimes known as the Nigerian fraud, began life with a fax machine. People sending faxes saying, I’ve inherited a lot of money, I need you to help me realize it. That’s moved into cyber space, because they can do it in such volume. Although everybody already knows about that, and everybody laughs at it, it isn’t really taken seriously, still, somewhere between five and 10 percent of them get a payment. So cyber is a volume game. You know, a million emails is no more difficult to send than one email, effectively. You get your results that way.”

André Pienaar: “Malcolm, you lead a world-class team of cyber professionals at ITC Secure in your cyber consulting practice. So what is your team doing to help protect global corporations against this challenge of cyber security, and helping to protect their personnel, their infrastructure, but most importantly, as you’ve pointed out, their intellectual property?”

Malcolm Taylor: “The question that we get asked the most by clients, and potential clients is, I am the CEO, I have sleepless nights about a number of things, one of those increasingly is cyber. I read about it. It’s moved from the esoteric specialist press into the mainstream media. I worry about it, and one of the reasons I worry about it, is because I don’t understand it, I don’t know how to manage it. And the way that we approach cyber security is to help corporations understand and therefore be able to manage their cyber risk. So cyber security is effectively enterprise risk-management. Understand the problem. Make a decision around whether you’re willing to live with the risk and accept it, or deal with it, and then deal with it. And only when you get to that point do you really get down into the very technical, because some of the solutions are incredibly complex, and incredibly technical, but the sort of strategic-level management of cyber security shouldn’t be. Shouldn’t take an executive out of their comfort zone. And we don’t, we like to keep people in a place where they are able to understand, with our advice, the issues that they are facing and make the right investments, to take the right steps, make the right recruits, to put cyber security controls that are addressing their own threat, rather than what we sometimes see, with exactly the same individuals, who will come to us and say, actually, I’m worried about this, I don’t understand it, we’ll see they’ve invested half a million pounds in a group of security controls, they’ve applied it sort of ad hoc, without strategy or thought.”

André Pienaar: “So the key point you’re emphasizing, Malcolm, is that it’s not a boardroom issue, it’s a leadership issue, it requires a strategy, it requires an investment strategy, it requires governance, effective line management, and and all-of-enterprise effort.”

Malcolm Taylor: “I would almost go as far as to say that we’ve never seen good cyber security where those things don’t exist. Even with very good people further down the stack, who know what they’re doing, are skilled, without that board-level strategic engagement, you don’t get good cyber security. People who run businesses are good at managing risk. Financial risk, legal risk, political risk, physical risk sometimes. All those as well. Cyber security is another one of those. We put it into that stack. Give them the tools to manage it, at this level, and give them the help they need to manage it further down.”

André Pienaar: “Malcolm that’s terrific. The best of luck to you and your team.”

Malcolm Taylor: “Thank you.”

André Pienaar: “And thank you for what you are doing to help secure the digital world for the future.”

Malcolm Taylor: “Thank you.”