People, Snowden, cyber, world, government, Ireland, happening, interview, law, united states, talking, works, relation, privacy, call, surveillance, nsa, fact, conversation, passes
Paul C Dwyer and Edward Snowden
Paul C Dwyer 00:10
Hey folks, welcome to the cyber Task Force podcast. This is the show about everything cyber, from embracing innovation to cybersecurity and everything in between. We can go from the very, very dark to the brightest bright topics. So listener discretion is advised. This is your host, Paul Dwyer. And on this episode, we’re going to look back at a conversation I have with none other than Edward Snowden. So if that’s something you’re interested in, great, keep listening.
This episode is sponsored by CyberPrism. CyberPrism is an award winning platform that allows you to measure and manage cyber risk in a really effective way. More about that later, and now on with our show.
Paul C Dwyer 00:57
So just to give you some context or background to the first public conversation that I had with Ed, it took place in Dublin in 2017, at the EU cyber summit, and it was over a video link. And, you know, when we announced that Edward Snowden had agreed to participate in this summit, it was obviously a great coup for the ICT ETF. But we felt it also brought with it a certain amount of burden and responsibility that we wanted to get it right, because we knew the name Snowden itself was quite a divisive term, especially in the world of cybersecurity. But obviously, you know, we had no idea at that stage, how much passion it was going to evoke in certain parts of the community in certain areas around the world. And myself, and Ed, we’d worked, I suppose, indirectly, in the same circles over the years. And I reached out to him via a trusted source that we had to find out and explore whether he’d be interested in participating in the EU cyber summit. And, you know, after I did that, for the next few days, we noticed that there’s been a significant amount of, I suppose you would now call it, you know, due diligence that was being done on myself personally, and the ICT ETF and those associated with us, where we spotted, for example, lots of doxing going on lots of these fake profiles, online, who were looking up our own profiles, and you know, those kinds of things we get alerted to all the time. And we saw this was going on, and we said, Well, okay, well, at least you know, he’s considering it, and we’ll find out what’s going on. And his people were doing their, their, their work around us as well to make sure that everything was kosher, so to speak. And that was all good, you know, and we’re starting to get really positive then was because it was pretty quickly when he came back. And he said, Yeah, look, I’m very supportive of your mission. Let’s do this. How would it work, all that good stuff. And I’d be lying if I didn’t say there wasn’t an instant connection, because we got on really well from the start. And that really helped things. Because when we were discussing how we would structure this, whether it would be a structured interview with set questions prepared in advance, or what way what way, would we do this? What approach would we take to it, we decided to go with a sort of no holds barred freestyle approach to the interview. And that, to me, was the best way. And you know, rather than just introduce somebody, like Snowden allowed to present that we wanted it to become something organic, something that would develop through the subject, and take advantage and play to our strengths of the fact is he was he was going to be interviewed by somebody who knew this stuff, obviously, obviously, I know the subject matter really, really well. And I was able to go with the flow of the conversation, respond to any answers he would give. And we would just take it wherever it was, was to go, you know, my initial impression about what when I started to talk to him was that this guy was so intelligent. He was not just around cyber, but just around so many different topics that would come up in the conversation. He was very articulate. But more than that, he was just so genuine. I mean, he seemed to wear his heart on the sleeve when it came to his beliefs and the subjects we were talking about. And that made everything so much easier. Because you weren’t talking to somebody who had just a contrived mission, you were talking to somebody who had a belief in what they were saying, and you could push it, and they would push back. And you could just develop the conversation from there. So that made my job a lot easier, because we might agree on some things we may disagree and other things, but we will respect wherever the conversation went. And that made things you know, as I say, a lot easier and more comfortable because you were talking to somebody who was on the same wavelength, so to speak. But as soon as we publicly announced the Snowden was going to do the live interview, so that one of the people in the office referred to this Well, that’s when all hell broke loose. And it really was, I mean, the events will always pop up. I mean, but this was our biggest one yet. I mean, in 2017, we had a capacity 2000 people to be at the event, which was the biggest event of its kind with that kind of target audience and everything else like that. But we decided the most prudent thing to do at this point after announcing Snowden, and this was based on the positive reaction we received around the world was we wanted to share it, we wanted to share not just known but all the other speakers who come from all over the world to participate in this event. So we decided we broadcasted live throughout the world for free. And this was fantastic, because it actually manifests itself in being 40,000 viewers. So it was quite something. But it wasn’t all positive. And then we got lots of negative attention as well. And that meant that this was manifests itself in ways such as DDoS attacks, really sinister emails, you know, trolling style kind of personally emails that myself and other people in the team and so on like that. And we dealt with that on a day to day basis. But as we grew closer to the event, we did have some high profile sponsors pull out, we did have some speakers pulled out. And we started thinking, Hey, is this house of cards coming down? Is this going to be a catalyst for the whole thing to fall apart because it was a huge amount of tension, pressure and stress going on? around this, this was the first time something like this had ever been pulled together with Snowden, in Ireland. And this kind of stage and with these kinds of other entities around it. And without even referring to the fact that you gotta remember that we had law enforcers from all over the world presenting this event, we had that sort of issue where we made lots of people uncomfortable with the fact that they were and to be honest with you, I relished in that, because I think that’s what drives debate. That’s what drives conversation. I mean, if the guy isn’t a convicted criminal in in Ireland, then why should law enforcement feel more comfortable being on stage and in fairness to our local law enforcement here in Chicago, she comment they didn’t. And they’ve always been so supportive of ICTTF, as well, I mean, and they just want for the rule of the law. So look, and that was all good. But a couple of things happen as well, at around the same time. And one of them was interesting, from the point of view of we literally, I think within a couple of hours of each other, we got two phone calls from two different countries, or the embassies represented two different countries. And they both invited me into their embassies to have a discussion about the interview. And that was being planned. So this is in advance of the interview a few days ahead of the interview. So I declined. And they seem basically confused at me refusing to go to an embassy. But look, I’ve been to embassies before, by invitation, you come in as a nice, warm, happy guest. But very soon, you realize you’re on foreign soil, and you are essentially being interrogated. So look, I declined respectfully. One of them came back and was a bit more insistent and said, Well, look, we’ll meet your neutral territory, we want to have discussion with you. And the in a Costa Coffee of all places, and I said, Look, no, I mean, this isn’t your country. And we’re gonna have the interview. And I don’t need this. So good look. And so that was that. But we were dealing with this sort of increased level of negative cyber threat actor activity from an opposition, if you like, anything that was linked back to me, even personal websites, it seems to be fair game to them. And they were attacking them in in all kinds of different ways. And one of them, I recall, now, as I’m making this recording was, it was an obituary website for my cousin that had died. And they attack that and there was child abuse imagery put in behind into folders. And, obviously, look, we’ve got lots of security, these kind of things, anything to me. So we were alerted, we dealt with all of those things. But it was a huge overhead, a huge burden dealing with these things in that way. And the threats and the warnings kept coming in. And we were starting to get fearful that these might manifest themselves from the cyber world, to the real world or the kinetic world. Because we didn’t know some of the entities behind these things. I mean, how serious they were where the where the state sponsored state condoned where they we had done a lot of talks about, you know, Qaeda and ISIS and all these kind of things. And this was just in the wake of the arena bombings in Manchester. So for all those reasons, we decided that it would be prudent and for safety reasons, and to reduce any risk to any of the people participating in the event to essentially double up on our physical security. And we did this in a number of ways. And one of those ways is that we actually employed a close Protection Unit, a specialist unit that works with embassies. And there, they came in and they swept the entire infrastructure for all kinds of devices from listening devices to bombs, and we had sniffer dogs in and we even got the claws protection team to sleep there the night before the event after was swept and sealed, so that nobody could essentially come in and sabotage the venue. And or even do worse. So you know, and so that that was the level of atmosphere intention before this thing, you know, that was going on. And so, you know, we decided then that, you know, from a technical perspective, we were probably most vulnerable around the link. So one of the tactics that we employed was that we put out a number of red herrings, we, we employed a number of different companies to set up different kinds of links and different kinds of services, we set up lots of different fake accounts. And the bank was taken because we were very articulate to the broader community, and especially what I would refer to some sort of people with a loose mouth on them that we knew that would carry that message off to whoever. And we were, we were sort of poisoning their, their source of intelligence by saying, this is how we’re going to do it. And this is the service we’re going to use and all that kind of stuff. But at the last minute, the real plan was to use just a Google Video call. And that’s what we did. And that’s what myself and Ed had agreed to us. And it went from a testing perspective really well from that point of view. But, you know, if I put some final context on this interview, so we’ll talk about the atmosphere of touch with the background of talk about the support and so on. But when we actually get into the interview, you can imagine it was a long day, you know, the tension that the build up to this, everything else like that. And then along came that the call itself. And one of the things we had close protection on was actually one of the speakers because one of the speakers was very, very articulate about how he disliked Snowden. And he was sending me pages and pages of emails about you know, all the reasons why I shouldn’t talk to Snowden and all the questions I should ask him all this kind of stuff, no matter what we do duplicate this guy wasn’t working. And we felt that if anybody was going to take a run of the stage or trying to Showboat or, or do something large independent would be this guy. So he didn’t know and probably still doesn’t To this day, unless it’s listened to this podcast, that we have close protection following him throughout the day, and also sitting beside him during my interview ready for him to pounce on any news, any of you that see the video of it, you will see me from time to time looking at a particular area of the frontal stage to this guy position himself right at the front. And we really felt he was going to make it one of the stage during the interview. But thankfully, he got so engrossed in the interview guys that he didn’t make a run for the stage. Or maybe he kept on that he would probably be tackled and midway. But anyway, back to some, some fun facts or things to look out for, in relation to this interview. So at the start of the interview, I talked to Snowden about the potential mass surveillance from a recent article that been in the Irish Times. And I brought this up as a subject because this was very relevant, and probably a nice easy way to start off the conversation. But the interesting to bring your attention to this is that we brought that up in 2017. And we discussed it. And about a year later, there’s a convicted murderer in Ireland called grain to wire no relation, by the way to similar surname, who’s using it as a defense because he was his metadata was essentially being surveilled and being used. And that was against the law. And that was used to track him. So that was an interesting component. The other thing that I’ll bring your attention to is the fact that I mentioned Stephen Colbert’s interview with Snowden, which never happened, because it was actually John Oliver. So if you get a chance, and maybe have a look on YouTube, but that John Oliver introduced out as well, because it’s really good and shows a great perspective of how the attitude towards Snowden has been changing in the United States over the years as well. But the final thing I’ll bring your attention to is at the very end of the interview, I was sending out trust signals, if you like to Snowden. And it was probably going both ways because we were picking up on certain points into words or points that were being made, and which was almost giving a permission to talk at deeper or to field trips to go deeper into a particular subject or area as we went through there. So at the end of the interview, if you listen out I use the word Cincinnatus. Right now. Cincinnatus again, that’s something you can google but Cincinnatus was a military leader and statesman but essentially a farmer who wants to just go back to his normal life after serving the country. And this was the codename that Snowden used when he originally reached out to the journalist Glenn Greenwald. So why was using things like this during the interview, which maybe a lot of the audience weren’t picking up? But certainly Snowden was, but I know a number of people asked me what I was talking about when I, I mentioned that character since analysis. So that’s what that’s about. So look, that’s some background. That’s some context. And I think it would be remiss of me not to have used the Snowden interview for this inaugural podcast 000 of the cyber task force for first one goes, and it’s a good way to reference it. But in the coming episodes that we’re going to have on this podcast, I’m going to talk to lots of different kinds of influences leaders,
Paul C Dwyer 14:49
security gurus, all kinds of people that I think have a valuable message that we could share with the greater audience. So look at this now I will just let you listen to the air interview that we had in 2017, with Edward Snowden, and hopefully you learn something from it. I know that as I was preparing for this podcast, and we listened to it, I was amazed how relevant everything still is. And then we’re talking about the elections we’re talking about. I suppose the new greater messaging this out there today is all around COVID messaging, and can you trust it? Can you believe it? Whereas before that the fear factor was all about terrorism, and Al Qaeda and ISIS and all that kind of stuff. So it’s all very relevant. And certainly some of the really salient points that Snowden makes, or as I call them now, because we’re buddies. Is, is still relevant today. So despite the fact this was an interview took place at the latter end, October 2017, who we are a few years later, and it’s all still very on topic.
Ladies and gentlemen, Edward Snowden
Paul C Dwyer 16:09
You have no idea how nervous I am. Hopefully, we’ll get an audio for you guys. We’re just gonna get a quick soundcheck. are we hearing it in the room?
This is not a check. Can you hear me now?
Paul C Dwyer 16:19
Great stuff. So listen, again, thank you so much, so much for agreeing to be part of this. And we have over 1000 people here, I know you’re not getting the visual on this. And we’ve had over 2000 people here today, talking about different aspects of cybersecurity, cyber threats with varying passions, if I can put it that way. And a lot of them have come up to me over the last few weeks and months. And obviously, as a character, you can cause controversy to their own opinion of you and your own history on what that’s about. And I explained to the audience this morning, that the reason I wanted you to participate in this because I believe you’re one of those people in the world that can really articulate and talk about security versus privacy. And because you’ve gone through that, yourself that that that kind of a journey. So if I start up all 3d, and we talk a little bit about let’s just talk about Ireland itself. Have you ever been to Ireland?
I have actually I spent a couple weeks in a tiny little town, I guess a village called Bally Valon, which is basically a tavern, a spar and a little art school. It’s over by Galway. But I haven’t been back since then.
Paul C Dwyer 17:36
Excellent. So there’s no Oh, Snowden here in Ireland. Is there the dynasty of, of distant relations. But but on a serious point, I mean, with your previous employers, would you’ve been involved or colleagues involved in spying on Irish entities?
Not in a specific targeted basis when I was with the CIA, or the NSA. But the idea to under understand here is mass surveillance is specifically on targeted, right? It’s collecting data, not just from Ireland, right. But from the UK, from Australia, from Canada from New Zealand. Anything that passes through those five eyes, countries gets dumped in a common bucket, right? And you just run very basic sort of IP categorization filters that go to a bunch of the public databases that you can lease and then a private database that NSA maintains, that goes, where are these ISP? Or sorry, these IP addresses? registered? Right? What is their sort of transit number on their network? there as is. And based on this, you just staple a little flag next to each entry, right? So you would see Irish packets just like you would see Chinese packets or Russian packets. And if you want to see them, all you have to do is click on them, right? You see them anyway, it’s in the list. It’s just do you want to see the content of the or do you just want to see the metadata there. So it’s all in the pile, right? That’s how XKeyscore, which you can think of it as sort of a Google for spies, how it basically works. You type in what you’re looking for. And everything that passes through those ingestion points. It throws that query out to each collection when they go search the internal buffers. Back, what we found happens to be from Ireland and this place and the other. Yeah, that happens every day.
Paul C Dwyer 19:41
Okay. And I don’t know if you’re aware from I can’t even imagine the lifestyle you have now in Moscow. Are you aware of what’s going on? And obviously you’ve got access to the internet and all that good stuff. But are you aware on a local level, what’s happening within Europe, for example, there was a recent story in the in the Irish Times. Newspaper here in Ireland, talking about the fact that undoes potentially, to mass surveillance on our citizens. And what would your thoughts be around that? And this is, again, collecting metadata, holding and storing it under more of this legislation. And the second part of the question that will follow on with but really, what is your advice, your experience your thoughts around states doing this? What are thinking of the consequences?
Yeah, so this is a very interesting story I did read, where we have a former Minister of Justice in Ireland, who was appointed to sort of look into the mass surveillance policies that were happening in Ireland. And he said, Look, this is unconstitutional. According to Irish law, according to sort of EU law. This is simply impermissible. We have the Irish government collecting in bulk, the communication records of everybody, regardless of whether they’re suspected of a crime or not, you know, when you make a phone call, you have an internet connection being made to a website, all of these things are just being stored in aggregate in bulk. And they were used in abusive manners to do things like look at who was calling, who journalists were interacting with. And this is a means of identifying their sources and other things. Now, he recommended that This, of course, be ended, and the current Minister of Justice, correct me if I’m wrong, folks in the room, I think it’s a guy named Flanagan. He goes, Oh, no, no, no, no, we will pass a new law. But this is not strictly unconstitutional. You know, this old Minister of Justice, he doesn’t know what he’s talking about, even though he sat in my chair before I did. Don’t listen to him. And this should actually be a sort of a teaching moment about where the flaws are in the mechanics of our systems of governance. People who are currently holding office are very much concerned about appearances, about image about popular support, because they live political lives in electoral systems, and they’ve got to worry about what’s going to happen next. Whereas when you have people who have left the system, they say things that are directly contradicting the people who are currently holding those offices, even though they did just in the recent past, the fundamental problem we have is there should be no surveillance that’s occurring today. That is happening in bulk, right? Traditionally, surveillance has always been a targeting problem, or a selection problem, if you will, the police go, we think this person or that person is a criminal, they’re up to no good, they are a terrorist, they go to a court, they show their evidence for thinking this to the judge, and the judge says this is reasonable grounds. And they authorize them to begin spying as much as they want. On this particular person, and they do that they go out and put taps on their phone in their office, you know, they put bugs in their house from the person’s out at work, whatever they want, they have extraordinary powers. But that has changed with the progress of technology. And everybody sitting in a room, right, who has even a small amount of technical capacity here, understands how that works. Every digital communication involves signaling, you have a transmitter and a receiver, even if it’s not happening wirelessly, right, you have a source and a destination. And in order to route these things, from one point to the other in the fastest, most efficient way without intentionally trying to manage this up and hide the origins and destinations. Anybody in that network path right is going to see where it came from, where it went to. So governments around the world and corporations, increasingly groups like Facebook are starting to go well, even internet service providers are going Why don’t we start keeping records of everything that passes our network. So we can either sell them as a service, or reorder the way society works for the preferences, the ease of use of law enforcement agencies, but what this ultimately results in his changing surveillance from a selection problem to a ranking problem, right? We used to joke about ending up on the list. Yeah, but now we’re all on the list, because the list is everyone. It’s just a question of how high up on it you are.
Paul C Dwyer 24:46
Sure. So I mean, I’m not it. I mean, it almost seems like the Internet has been turned into it’s been weaponized into just a mass surveillance system. And we’re all taking part in that without even realizing it. And I’m reminded have even seen the Stephen Colbert interview that you did where people didn’t seem to care to a certain point until they realized it may affect them personally in relation to, you know, the mundane dick pics and things like that when they actually brought it back to themselves. How do we make people aware? How do we get people involved in this debate that they should care about privacy? I mean, if we outlaw privacy, the famous phrase being that only the outlaws have privacy, we have Theresa May in the UK, asking technology providers to give up encryption keys. You know, what should we be doing as a nation state in
Paul C Dwyer 25:34
we host and house are the biggest technology companies in the world, the Facebook, the Twitter’s and LinkedIn, they are all here. But as a country, how can we how can we stabilize an ecosystem to protect people’s on their human right to privacy, but at the same time be secure?
I mean, that’s a difficult question to answer. Right. When we when we look at it, fundamentally there, there are two things to look at, is law, the right mechanism for sort of redressing grievances for enforcing our rights. In an increasingly globalized world, particularly in a global network. Yes, we in the West have the Theresa May problem, the Donald Trump problem, even the Barack Obama problem where he was predominantly seen, you know, as a progressive, very liberal president who would be respecting rights, but he campaigned on ending warrantless surveillance. And he in fact, expanded it. And this is just recognizing political realities. Everyone in politics is more afraid of being smeared as sort of soft on terror, then they are of actual terrorism. If you look at the number of lives that are lost in Western Europe, due to terrorism, right, which is a serious problem. It is far less today than it was in the 60s in the 70s and 80s, where we had a lot of domestic conflicts brewing, right. And the question here is, does it feel like that? Or do our political times seem to indicate to a lot of people, particularly the UK, that terrorism is actually a greater problem now than it was back then. And a lot of this is because of media and sort of how we talk and the way that every bad thing that happens in the world is made to light the living room of every home by the end of the evening, right. And so the question is, all right, if politics and law are becoming increasingly unreliable, even in what we would consider to be open societies, right, a free jurisdictions? How do we enforce the same human rights protections in places like Russia, in places like China, particularly when you see Russia is passing new and extremely aggressive and abusive surveillance laws? They did just last year, the Russians call it the big brother law, right? And the Russians are calling something the big brother laws, you know, it’s bad. But these things are increasingly modelled after the laws of the United States In the United Kingdom, China passed new counterterrorism law. And they explicitly said, we’re just catching up with the United States. That’s a problem. What if we could use technical means, right, our mastery of science and mathematics to enforce technical protections of our communications of our lives of our private records, without regard to jurisdictions and borders, right, we commonly publicly whether we’re talking about the Universal Declaration of Human Rights, whether we’re talking about different constitutions of EU member states or the EU as a whole. We have common agreements about people’s right to be free from unreasonable search and seizures of their private effects of their homes and the person’s violations of their dignity. And yet, we have precious few mechanisms for actually enforcing this. It’s hard enough for us to do this domestically, much less internationally, where we lose those mechanisms, particularly in societies that are more closed that have state controlled media. And the question is, Can people in this room, think about ways not to make surveillance easier, but to make it because that’s actually what benefits society in an increasingly safe, though still dangerous world when the primary threats when we’re talking specifically in the context of violations of the right to privacy, are increasingly state sponsored?
Paul C Dwyer 29:48
Sure, and that’s an interesting point he made as well about political figures coming in and out and how they changed their tone when they were in office or out of office. And I can’t help thinking that there’s a milestone on here, obviously after 911, George Bush came in, we had the Patriot Act come in, we had the Pfizer chords to 15, all of these things. And on one side, we had Barack Obama saying, Oh, yeah, that’s terrible stuff. Let’s not do that. But then it seemed to escalate when Barack Obama came in, came into, into power, if you like, and I know that’s part of your history as well, and how you saw this happening behind the scenes. But one of the great things about being in Ireland on the edge of Europe, we can look across at Americans see what’s coming down the line. And so I think, you know, there’s a certain concern around that. And I wonder Now, when we have this special creature, Donald Trump, in charge of power, right, who’s worried about the cyber and how he’ll downloaded from the cloud? That him not understanding the nature of attacks, how they pivot from locations that could Donald Trump, or do you think in your own opinion, is subjective that may become offensive from a cyber capability, and essentially, attack an innocent nation that’s pivoting an attack over to the United States of America, or to one of their assets that they’re protecting around the world? I mean, what What’s your feeling your perspective? and final part of that era? No, my questions alone. But I’m an Irish man, I talked for a while. But my final part of that is in relation to what protection Do we have to the deep state within the United States? Do you think those senior civil servants that have been there through the different administrations? Are they protecting us from the madness?
Yeah, I mean, you can’t bubble wrap the presidency. And this is where we start thinking about what can law do, right. And really, law is predominantly normative, people like to think of the law as establishing how governments work. But the law only has that effect insofar as the government provides by the law. When I came forward, the reason this had so much resonant impact around the world, was because the government was violating the laws in the United States, the UK was violating its laws in the kingdom. And this is why they all sort of tried to rush through ways to legalize what had been doing in a post facto manner. What we need to think about is not do we trust this president? Because of course we don’t of course we shouldn’t. But it’s a better question of should we trust any powerful institution any powerful authority. And of course, anybody who works in the security space would tell you that trust is always a vulnerability. Trust should not be necessary in a design, it is well designed, right? We don’t want to plan for angels, right? We want to plan for devils. And this is the way as sort of sort of a way you can think about the design for laws when you hear these things being debated in the newspaper. And you go, you know, alright, these things sound worrisome. But I’m a good citizen. I think the people in my government are good citizens, we’re presuming the best of times here. And because of this, even though this makes me a little bit uncomfortable, even though I see how this could be abused, I trust that they won’t abuse this. This is the wrong paradigm for looking at what laws should be doing. We need to be thinking about a kind of North Korea test. If the precisely same law were being passed in North Korea, would you think that would be a good or bad thing for the people of North Korea? This is the kind of dynamic that ensures governments are always able, are always required to use the least intrusive means necessary to achieve their investigative purpose. And this is what they have largely departed from. When we think about all the problems in the surveillance and security landscape, when we talk about lawful hacking in a way that it’s just starting cause these disastrous ransomware rapes around the world. We want to think about the fact that they said, because these new capabilities for surveillance have been opened, and they are cheap, and easy, and they scale very well. We should immediately adopt them, embrace them, extend them, use them and abused them, right. This is a mistake. The government is entitling itself. The power is largely that the public never grant we didn’t have a debate about we didn’t vote on this. It happened in secret without our knowledge without our consent because they knew It’s better to ask forgiveness and permission once they start doing something and say it’s necessary to keep you safe. Even if there are no numbers that established that is actually the case. You will be much more reluctant to doubt them. Because they say, Well, hey, if you’re wrong, and you doubted us incorrectly, you’re all gonna die. Right? And that’s regardless of whether we like it or not. It’s a very persuasive argument for a large portion of the population. Excellent.
Paul C Dwyer 35:30
And you mentioned things there you know, about North Korea, and so on. I’m intrigued about your view in relation to something like wanna cry. There’s so much ransomware going on from a cyber criminal perspective. I mean, the Europol was here earlier, I think the statistics are about 4000 cases a day are reported of ransomware. But the geopolitical aspect of some of these attacks seem to be almost weapons of mass destruction, or should I say weapons of mass destruction, and they seem to suit people like Mr. Trump sometimes. And if I use the example of one quick, you know, just as a as a mundane example, within 24 hours of him signing a cyber executive order, one a cry hits the world, and it was only by look, we dodged a bullet, and there was a kill switch found. But the reality is, it opens up so many topics there, because we’re talking about the fact that it suited the agenda of Mr. Trump in relation to the Boogey Man was now North Korea took the attention away from Russia, but also the NSA tools that we use to do that. It just seemed really like almost a geopolitical activity as opposed to a cyber criminal activity because it had no cashing out phase really on the crime and everything else that I’m intrigued and interest of what your view on that particular incident was, and particularly the geopolitical aspect of a lot of these big events that we’re seeing going on now. Maybe we can start delving into Cambridge analytical, maybe we’re looking at the whole Steve Bannon thing, then as we go with that, but I’d be interested in your view on that.
Cyber president.com is a cloud based platform that allows you to perform a cyber risk assessment across all or parts of your business, including the supply chain, it is a faster, more efficient and a much more cost effective way of performing assessments across your management framework, it is easy to use, and the dashboards can be leveraged by the boards to make informed decisions. It produces multiple regulatory reports, including maturity roadmap, the collaboration features, allows global teams to manage cyber risks, both maintaining social distancing, they can continually assess, mitigate and track performance on an ongoing basis. Remember, if you don’t measure cyber risk, you can’t manage us. Sign up now for your demo at cyber present.com.
Yeah, in general, I don’t like to speculate, I think we should have a conversation that’s bounded on evidence. And what we do know, is obviously these are tremendously disruptive attacks. They’re based on sophisticated exploits that originated from the NSA, NSA didn’t launch the attack, right, at least as far as we know. There’s no basis for it. But the bottom line is, this is an attack that never should have happened. Public analysis of the exploit payload says that this vulnerability had been discovered and held and used by the NSA, for something like over five years, right. And this was time that a patch could have been written, and alert could have been given to Microsoft. And this could have been dealt with before ransomware was even a thing, right. But they chose not to do that they developed an exploit that worked on, you know, almost every version of Windows, particularly at the time of discovery. And rather than closing this to increase the public security, not only of everybody in the world, but have their own systems in the United States, because hospitals were taken down in the US as well. Patient registration systems and whatnot, that we’re running on ancient XP boxes and whatnot, we’re taken off of line. And this is this is the kind of public calculus that is missing, right, as you say, we increasingly see geopolitical actors or at least geopolitical motives that are becoming at least suspected, if not proven in these sort of digital conflicts. But we don’t see very much action taken by any of the most important influential groups here in securing the public against them, right, because they’re going well, so long as we perceive we have a relative advantage in offensive operations. We want to use that for all it’s worth to hit our enemies as many times as we can, right And what this does is this, of course, teaches the enemy or competitor or adversary or whatever, that they need to be investing more and developing the same capabilities to do the same thing back, right. And, of course, we can’t teach states to stop fighting, they’re going to continue doing that. But what we can teach them and what is honestly mystifying, that they have not discovered for themselves yet is that they actually lose more engaging in constant offence at the expense of defense, particularly when they are larger, more developed, more connected, because they have more to lose, when the lights go out. And in the hospital registration system stops working, North Korea is not going to care that much of every computer in the system in the country is turned off, because they’re operating with, you know, 1980s level technology, we on the other hand, will have a very serious problem.
Paul C Dwyer 40:59
Sure, because we’re so reliant on technology that the impact is obviously far greater. And in relation to the sort of I often call them what when I talked to me about talking about warning shots across the bow, we see activity in Ukraine, JP Morgan taken down we see the Ukraine National Grid taken out those sorts of things. And I find it a struggle sometimes when talking to you know, the Board of a bank or business that they don’t see that this is real. This is real. There’s a cyber war going on whether we clarify this a cyber war, or simply that we roll into the theatre of all of this activity that’s geopolitically motivated. There’s ideologies of ISIS and a cyber Caliphate, whatever it happens to be, as well as criminals. How would you best describe what is really happening out there on the internet, in relation to what’s going on? Because, I mean, people see these things, but they almost disassociate themselves on what they see in the news in the media. And they find it hard to find some of these things actually really credible. But obviously, we know this is real, this is real businesses have been taken down, critical. infrastructure has been taken down. people’s lives have been destroyed over cybercrime, all of those sort of things. How do you best convince people that this is a real issue?
I mean, the this is an area actually where I don’t think hyperbole helps, right? I don’t think the cyber war sort of framing is particularly persuasive. What we need to do is we need to bound expectations show these bad things happen to these companies, particularly when we think about things like the Equifax hack, where we just had poor patch application, right, and everyone who works in infosec, patch management, properly applying quickly, is the reason most folks get home, right? zero days and state sponsored attacks are very sexy, right? But they’re also quite rare. If you are the highest of high value targets, right, you do need to think about these things. But you also need to think about what are the realistic worst cases. And a good example here is like the Saudi Aramco attack, where they had a light attack, and all of their systems, you know, basically have empty discs the next day. This is catastrophic for day to day operations, right. But it also is a good exercise for getting people to think well, do you have backups? How quickly? Can you restored? Right? Should you be using thin clients instead, and you know, all these things for how you would recover from these kind of disastrous things? It gets into the idea that one of the previous speakers mentioned about defense by design, where we talk about like these Equifax groups, and one of the big problems is why are these massive data stores being collected and handled in such negligent ways? And how they have their processes and their network design? And is this even a business model that really makes sense now convincing? a company that their business model is sort of exploitative and problematic, is probably not going to work as a sales pitch, right. But when you explain this to governments that do have a public interest in mind, although that is not largely the interest of every government nowadays, we might see better regulations began to coalesce because of that. A good example here is looking at the way the EU regulates privacy, particularly digital privacy relative to the US. The EU has a lot of different privacy regulations Say what you will about them, right, some, some may be good, some may be terrible. The US has no real meaningful general privacy regulation. When it comes to consumer records.
Paul C Dwyer 44:49
I often feel that because a lot of the leading technology and the solutions comes from North America towards Europe that we’re almost absorbing Their view of privacy, their tort of law around privacy, as opposed to what we’ve enjoyed in Europe with a human right to privacy. And I often see that as a clash as well of almost of cultures, and how that happens. And I mean, one of the things, I suppose I’m interested in is your own personal situation at the moment, what’s the future for Edward Snowden? I mean, you know, I, in my opening speech, I was talking about people like Auguste land master, and people that have stood up for what they believed in, because people can respect that even if they don’t maybe agree with what has happened. You find yourself in the situation you’re in. What’s the future for yourself? We see all this stuff in the media about you’re going to be gift wrapped by Putin and handed over to the lamb, you know, all of this sort of stuff. I mean, but what’s real? what’s real for you at the moment? What’s your life, like, at the moment?
Well, I live a pretty ordinary life, given the context of having to live somewhere that I never chose, right? It was not my plan to end up in Russia, for people who want the whole sort of backstory behind that it’s in the public domain. I was on route to Latin America, when the United States government froze my passport and trapped me here. Now, we don’t know why they chose to do that. We only know that they do. I applied for something in 21 different countries around the world, including Iran. Sure. And whenever one of these governments got close to saying, okay, you know, come over the Vice President, where the secretary of state would call their foreign minister and say, Look, if you do this, there’s gonna be consequences. And this is what you get into in this sort of, you know, our laws seem to descend from the United States policies and to be shaped by the United States. There is, unfortunately, a lack of independent policy. When it comes to competitive interests, right, the US has a lot of influence. And I’m not afraid to use it right. Now. Now, we can argue about whether this is a good thing or a bad thing. But the bottom line is, this is reality. Right? That’s how the world works. Now, as a dissident, I think it is absolutely tragic, even repulsive, that the only place an American whistleblower can be safe, is in Russia. And I think Europe would agree that this is not an ideal situation. And this is why, of course, I would still like to leave, I’d like to go home, right. And I told us, I have only a single condition for going back actually, in voluntary me for myself for a trial, which I certainly won’t win, because it certainly won’t be fair. And that’s that they allow me to make a public interest defense that I can tell the jury why it is that I did what they did. And they said they won’t agree to that. But they countered by saying they promised not to torture me. So we’ll say negotiations are ongoing. Right? I have that in writing from the Attorney General. But the basic idea here is, you know, what is life like in this new world? Right, where domestic critics are increasingly forced to live extra nationally, right? We have Russian dissidents in the United States. We have Chinese dissidents in the United States. Now we have us dissidents who have to go to other countries, right. And this is not a practice the United States should be emulating. It’s just the way of our world. But what is the positive of this? Well, previously, we have folks, Chinese dissidents like AI Wei, the famous sort of artist in human rights activist, who the Chinese government is saying, you know, as a fraud, evading taxes, and all these things and needs to be under house arrest. Once he leaves, he can be everywhere in the world all the time, thanks to the internet. It is the same with me. I have to lay down my head at night on a pillow in Russia. But I can be with you here on stage in Dublin. And when I finish this, I can have a conversation in San Francisco with the freedom of press foundation. So it borders are beginning to lose their meaning beyond the physical, and that’s a good thing. Not a bad one.
Paul C Dwyer 49:31
So to the uninitiated, they hear about whistleblowers leakers, and so on. And obviously a lot of this audience know the full detail of your history, your situation, but they see things like Chelsea Manning and so on. Why are you being treated so differently from others who have essentially being in the same ballpark in relation to activities that have happened? What do you feel you particularly became the I won’t say scapegoat but that that pariah for America to say, this person has betrayed us and as a trader and has put us all at risk, why was that is a one seminar thing that you think that you could put your finger on that there’s that one thing that they’re hanging on to? Are you did you just piss them off that you’re too clever, right that you were step ahead of them all the time.
I certainly haven’t made many friends in the United States government. But I’d actually like to disagree bit on that in the fact of exceptional treatment. Chelsea Manning was held in prison by the United States for seven years, under conditions that the United Nations said constituted torture. Thomas Drake, who’s senior executive at the NSA, who went through all of the proper channels, right that the government says is the right place to go through, was indicted and charged under precisely the same laws that I was the only reason that he’s not in prison for the rest of his life, as evidence came out that the government had so sort of ridiculously gone outside what was legal and reasonable in their handling of the case to try to railroad him that they couldn’t be part of same with Daniel Ellsberg. And that was in an entirely different world in the 1970s. Every whistleblower in the United States, including most recently reality winner, faces the same charges, which is under the SP, which is a special law that excludes you from being able to argue why you did what you did to the jury, which was what I touched on before, right. It doesn’t matter whether you were selling classified information to a foreign government, or whether you were providing it to the institutions of journalism, or to the public directly, or to Congress, in the right contexts. As long as you provided classified information to someone who is not in the government’s eyes, supposed to receive it, you’re guilty of a crime 10 years per count per document, right. And that’s what we’ve seen. Now, in terms of pariah, it’s actually unusual because my reputation in the United States seems to be improving with time when I came forward in 2013. The government said, You know, I would have blood on my hands, every journalist who’s party to this was helping terrorists, you know, people were going to die. Now, we’re sitting in 2017. None of that has come true. Congress investigating me for more than two years and could never show any evidence of harm. They’ve never shown anybody who has died as a result. You know, the heads of the NSA, the CIA, the FBI, have all been begged on both knees by every public part of government, to you know, show us the bodies show us the consequences here in the habit. But the consequences of those policies that they enacted the violations of our rights, and the infectious, contagious harm that this has been inflicting, upon every part of the Western world, and even our adversaries, by creating this new digital surveillance arms race has become more clear with each passing year. So his allegations of harm are shown to be baseless, right. And the evidence of harm to rights and the public dignity are shown to be happening again and again, just today, the US Department of Justice rolled back a policy that they defended rigorously in the wake of 2013. That were basically permanent gag orders after the US government shutdown a US tech company for four people’s data whether the US or where you need a warrant to get it, or anybody else in the world where you don’t need a warrant. Now they’re putting caps on how long these gag orders can be held for. And I guess this is what we see is history has a way of exonerating the right choices regardless of rhetoric.
Paul C Dwyer 54:20
So finally it is we conclude this interview keeping the mind Cincinnatus and I feel that your moral compass drove you to do you, you did and that we’ve all still you from afar. And what’s happened. I mean, I won’t use the word regrets. But are you fearful for what the future is for Edward Snowden? Do you feel you could become another political party in this game that’s going on? How do you feel about that aspect? And my final question to you Edward, before I say thank you and goodbye is would you like asylum in Ireland?
When I asked for one,
Paul C Dwyer 55:03
I’d say good.
But you know, look, the reality is this takes political will, we can have the support of every member of the public in Ireland. But if the Irish government isn’t willing to actually, you know, carry that forward, nothing’s going to change. And this is sort of my ultimate message. Right? But we want to have the best government we can, we want to have the best laws that we can. But we always have to remember that legality is not the same thing as morality, and every institution with a certain amount of power is going to abuse it given time, right? We might be fortunate, we might have a good administration here there, you know, for 30 years, but eventually, the dice are gonna roll and you’re gonna end up with a Donald Trump. And the only way we fix these things is through collective action. But that collective action starts with individual choices. looking around at the world, you live in the things that you see around us and recognizing that we all have lines of incivility in humanity and injustice, right? That we can accept that we can we can deal with, we can see the homeless, right that the panhandler and go not today, I can’t handle that. But then you see it again, then you see it again. And then eventually you feel driven to do something, there’s that one step beyond where you can no longer countenance being a part of that. And that is when you recognize that you have not just the right. But the duty the obligation to make this world better in whatever ways you can, you know, I’m not going to be able to prevent the President’s Russia and the United States from making dirty deals, right? I can’t worry about that. But I will worry about what I can. I will change what I can. And every day when I wake up the morning, I’m going to think about what I can do. And then I’m going to do it.
Paul C Dwyer 57:17
Good man. Thank you so much for having us today. is
a very warm welcome
here from Ireland has 1000 people here before you, thank you so much for your time.
I hope next year you’ll be
here. Yeah. Yeah. I
hope I’ll make it. Thank you. Thank you for having me. Thank you. Thank you.
Paul C Dwyer 57:52
Thank you for listening to the cyber Task Force podcast. We hope you enjoyed it. Please subscribe and perhaps share it with a friend or colleague. We welcome your reviews, feedback and ideas. We have many more interesting episodes planned, so subscribe now and don’t miss out. For more information, visit ICTTF.org.
This episode was brought to you by cyber prison.com Remember, you can find out more about how cyber prism can help you measure and manage cyber risk by signing up for a demo a cyber prison.com by visiting cyber prison comm You can find out more about the benefits, download the brochure, watch demo videos and even request a live demonstration with one of our experts.