Scott Schober, Cyber Expert, Author of "Hacked Again," and CEO of Berkeley Varitronics Systems, sits down with host David Braue to discuss how the Gulf Cooperation Council (GCC) is strengthening cyber resilience in today's digital age. The podcast can be listened to in its entirety below.
Welcome to the Data Security Podcast sponsored by Cimcor. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing forensic information on all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can learn more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
David: Joining us today is Scott Schober, cyber expert, CEO of Berkeley Varitronics Systems, and author of the popular books, "Hacked Again" and "Senior Cyber". Scott, thanks for joining me today.
Scott: Yeah, wonderful to be back with you here, David.
David: So we find ourselves at an interesting juncture in world development. There's currently quite a lot of interesting stuff going on in the Middle East. It's changing by the minute, but certainly some very interesting changes in the relationships there, and the political situation.
In that context, cybercrime is really one of many issues, I think, that's going on here. We are facing an upsurge of cyber activity in conjunction with some of the military stuff that's going on. Tell me a bit about your take on the situation over there.
Scott: Yeah, absolutely. And it has just in the past week or so, I think it's kind of really surged, and I'm hearing a lot of rumbles from different security groups and agencies about not just imminent threats with cyber attacks and things, but these are real things going on. And I know U.S. DoD is stepping it up and monitoring very closely with all that's transpiring, and in the Middle East.
It's not just, many people think maybe it's just Iran, but it's a lot of the allies. It's Russia, it's China, it's the usual players that I think there's concern with out there. And especially when you think about the Middle East, and we look at that, it's a bit different than maybe other economies because they're transitioning. They're moving a bit away from just a hundred percent oil dependency, because that's really their economy, and trying to really open up and have more of a digitized or digital economy.
And I think with that transformation opens up lots of vulnerabilities. I mean, all countries are vulnerable, but to different degrees. But I think as there's a shift that's going on there in the Middle East, it's becoming a big concern there for certainly cybercrime and all of the different type of breaches that are happening over there. That's something they really need to take initiative and do something about. And in a sense, it's kind of nice to see this GCC, the Gulf Cooperation Council, coming to fruition and countries over in the Middle East working together to really combat cybercrime as they migrate to this digital technology.
David: Well, it is so important, isn't it? I mean, you've got countries, as you said, that are kind of trying to diversify away from just the oil economy. As you start moving into a digital economy, which clearly is a very important part of that, you expose yourself in ways that probably haven't been as much of an issue in the past or perhaps were limited, for example, to cyber attacks on the oil infrastructure, that sort of thing.
It would be a different profile than a diversified economy, where you've got attacks going all over the place. But as the economy in a lot of these countries does change, I imagine it's exposing some of the vulnerabilities, and in terms of the weak spots, that maybe just have been there and really nobody noticed for a while.
Scott: And I think to your point, sometimes when we read about this or hear about it, it's hard for maybe us to relate based upon where we live, where our businesses are. But when we look from a global perspective, and kind of get the sense of how bad cybercrime is globally, to me it's an eye-opener. Just the one statistic, I think it was in that article there, and this was reported by Cybersecurity Ventures. It was an eye-opener. It is mentioned globally that cybercrime is now at $18 million per minute, which is about the equivalent of $9.5 trillion per year globally, and the damage cybercrime is causing. That's beyond most countries' budgets and everything else. It really is a true eye-opener how dangerous cybercrime has become if countries don't take it seriously and really start to work together, communicate, implement best practices, combat it, and fight against these cybercriminals.
David: This is so, so true. What we're seeing is that, as the situation has been even before this cooperation really ramped up, cybersecurity incidents have tended to be a lot more expensive in the Middle East. They're nearly twice as expensive at around $8.05 million per breach, which is nearly twice the global average of $4.45 million, so there's something clearly that is predisposing a lot of the Middle Eastern targets for cyber criminals to really lose a fair bit more when they're compromised. Why do you think that is? Is it just a case of weaker defenses?
Scott: It could be imparted about that, but it's a really good point you bring up there. I think a lot of things, when we focus on certain regions of the Middle East, you hear about smart cities and smart city development, so you've got very advanced infrastructure being built out quickly. When you have a digital dependency and it's all new, what happens? Cybercriminals flock to it. They can move in and say, "Hey, these are high targets that we're gonna go after 'cause it's gonna maximize our gain." I think that may be a big part of why the Middle East is so much higher on average, as to your point there, for cyber breaches, because you could really get a great return for the attacks. I mean, they're not chasing after pennies, they're chasing after big dollars there. When you talk about the average breach, I was surprised when I read that I said 8.05 million in the million. That's a big number. They need to act, and they need to act quickly.
David: No question about that. I mean, particularly in the context of the refinery operations of all these things that are very critical for the global economy, but also the more diversified elements of the economy, and even things like I know there's this project, for example, like the line. You know, this high-density housing development. The city that's being built I think is gonna hold something like 9 million people eventually in a very narrow toll and a hundred-mile-long city that's gonna be built. I mean, these are very ambitious plans. They're characteristic of the region. It's really doing moonshots in terms of really trying new stuff. That costs a lot of money, and in that sort of development, Cybersecurity is gonna be fundamentally important, isn't it? I mean, these things are gonna be so high tech and so well automated, you have to make sure that they can't be compromised.
Scott: Yeah, absolutely. And I think that's why, as they're developing this and really getting to this GCC, I think it's imperative that they have strong partnerships outside of the immediate region. And I think they're trying to develop that with NATO and Interpol and other global cybersecurity firms so they can really share threat intelligence, share best practices, get a better understanding. That way, they can react as these cyber crimes are being committed. And I think, you know, certainly within the United States, CISA and other organizations have attempted to do that despite the fact that, I guess, the current administration has really kind of tightened the reins and laid off a lot of people, and budget cutbacks are happening, so and so forth. But I still think there's about $3 billion allocated just within the United States alone for combating cybercrime, which is important. I think it should actually be raised, and they should actually grow in that capacity, but budgets are tight everywhere, and that's understandable. But the fact that they could share with other partners in the region is very powerful, and that will really help make a difference, not just in the Middle East, but really the surrounding countries as well.
David: Well, that's gonna be so important. You really have to take it as a regional effort. And, you know, there have been regional alliances in areas like APAC, for example. There's a lot of back and forth between the major powers to try to work together to keep a lid on some of the activity. Europe, clearly, is very proactive in this respect. So, you know, different pockets of mutual interests we could call it. Where people have said, okay, we just really need to improve our cyber standing right across the board. Qatar, I know, has launched a national cybersecurity strategy, and the UAE has just upgraded its strategy. Is there a sense that they're learning from, you know, the West, so to speak? Some of the more developed digital economies about how to do this really well. Does it need to take its own natural course over time and build up in the same way that it's built up in other countries as well? How, how do you think this is gonna mature over time?
Scott: I do think that's gonna happen with time, and it is good always to reflect upon other countries: what works, what doesn't work. And in a sense, we all have critical infrastructure from country to country, although it might be a little bit different, and obviously in the Middle East, it's more toward refineries and gas and production of that, and the flow of it is the core of their economy. I know within the US, there's always talk about monitoring the critical infrastructure, the energy, the water, the telecom, the finance, the transportation systems. And in part, because they're all so vulnerable because they're so old, they're dated and they're, and they've got a lot of old technology. To some degree, I think the advances in the Middle East with the smart cities and the build-out of things, they're using more modern technology. So perhaps some of the legacy systems and vulnerabilities, they're not gonna be plagued with, and that's a plus. So they'll probably focus on different areas than maybe United States might. But still, they need to spend the money in the right area, and they need to share that knowledge. So I think building up these different strategies and different agencies, it is pivotal for them to get into this digital economy that they're all striving to get into. And you look at something, maybe even like Qatar with the FIFA World Cup 2022. There's major sporting events and things like that. You can't just show up to the event and implement security. You have to prepare well in advance, and I know even United States is trying to do the same thing for this next year. It takes years, it takes manpower, and it takes a lot of computing power to properly secure this stuff. And I think it's good that it's spread out throughout the globe and there's a sharing of knowledge on what really works and what doesn't work so well. Not to mention where you start looking at some of these other things that are now in the equation, ever more so. I mean, cloud has been there, but I think AI and digital identity and citizen protection, there are a lot of other strategies that they really need to focus on as they're keeping this digital information secure.
David: Yeah, it's so very, very important, and particularly in the context of the quite unstable situation in the Middle East. In the past when this sort of situation was going on, countries would be looking to, you know, make sure they have a good supply of young people to, you know, to build up the army, to protect the country in that way. These days, in a digital economy, that means building the skills that they need to protect their systems, to build a pipeline of talent that's coming through. And a lot of the countries in the region have been investing very heavily to build that cyber workforce. To make sure that they have that, Saudi Arabia has invested around $1.2 billion to improve the digital skills of a hundred thousand young people in that country by 2030. I mean, they're tapping companies like Google and Apple to work with them to really build up these skills. When you have that kind of level of resources, do you think that they'll be able to build up a workforce that they need that quickly, when so many other countries have struggled with this?
Scott: I think really the talent gap is mirrored on a global scale. And I think entry-level jobs, they're probably prevalent, to have bodies to fill those jobs. To have those that have really deep experience in cyber, it's just much harder. But I always commend them when they try to do education and boot camps and scholarships and internships to get different ones involved—especially younger ones. And I know there's a big push for women also in the United States. That's a big, big push, and there's been improvement.
I'm proud to say that the efforts of many of us in the world of cyber, it's not gone to deaf ears. And I think the focus is more pushed on STEM, the science and mathematical aspects, that lure younger women and engineers and programmers and things like that into the realm of cybersecurity. And I think that's a good thing. It's never enough, probably, and there's always gonna be a little bit of challenge to fill certain roles. And I think especially those higher skill sets, we as a company struggle with it. It takes probably six months to sometimes a year to fill certain roles for the right person. Whereas more standard jobs within our organization, I could usually find somebody in two to four weeks. So it's a big, big difference.
So you're using maybe recruiters and you're using other things that you're trying to use at your grasp. Going to colleges, I've done that a lot recently, and work with different students that are doing some projects at the end and work with them as interns. And you can find and get really good talent with niche skillsets that compliment what your needs are. So I think countries need to do that as well. And oftentimes the pay is not there when it's done through government agencies, at least here in the US. So it's finding that right balance, challenging young ones to and their skillsets to bring them in, but also compensating them appropriately and they will find talent there.
We'll be right back after a quick word from our sponsor.
Cimcor develops innovative next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
And now back to the podcast.
David: Definitely there's a lot of options for them. It's interesting that there's such a focus, when it comes to cybersecurity, on building domestic capabilities, on training people, on building those pipelines. There's certainly quite a lot of IT talent in the world. I think I read a while back that India graduates something like 2 million IT graduates a year, bringing them into the workforce. So, I mean, if you need IT workers, they're certainly there—if you're happy to bring them in.
But a lot of these countries are focusing on that domestic capability. There's a sense that this is like a sovereign requirement, to be able to protect yourself. It's an interesting approach, and one that I guess could potentially backfire if a lot of these people have the skills and then decide to go elsewhere, leave the country, and go work in another place, even though they've been trained by their home countries.
Scott: And I think that does happen to some extent. And I think there's also a lot of misinformation. Recently, I've been hearing a lot locally, "The worst thing to do is to get a, you know, a cybersecurity degree or focus in this area or that area." And I'm saying, geez, that's crazy. I'm struggling to find people. Everybody else I talk to in the industry is trying to find good programmers and those with wireless capability and cybersecurity capability. They're not out there. They're hard to find. They're working at a good job now. If you want to find somebody that does web development or a mobile app or other more common skills, yeah, sure, you could find those. But for niche cybersecurity skills, I still tell people there is a huge demand.
And it's important for people, if they're listening to this, find your niche. Find what you enjoy. Excel at that. And then take that skillset, and then that will meet nicely with the right company, and you can really grow quickly. I think just having these general degrees, be it in computer science or certifications, is good for a base knowledge, and you build from there. But finding those niche skills, maybe it's penetration testing, maybe it's digital forensics, or some other areas. Maybe you wanna work in a SOC or whatever. Finding that area that makes you smile every day, and get up and you want to go to work and fight the cybercriminals, you will do very well and you'll grow rapidly in this field.
David: There's definitely gonna be opportunities. As we've seen just in the Middle East, the number of initiatives that are bringing people in, and the amount of funding that's being put to get people engaged, to get people thinking about cyber, getting those skills, and really supporting that defensive force is significant. And that's gonna continue as cyber becomes more and more part of the everyday conflict sphere.
On that note, I'm curious to hear your thoughts. I mean, the situation—Israel, Iran, the US. At the same time, we've got Russia and Ukraine continuing. I mean, it's a very politically unstable time, which I certainly don't need to tell you, but it's interesting to say the least. Particularly, I think from a cyber perspective. We hear the headlines about all these attacks and whatever, but I can only imagine the degree to which there's this shadow cyber war going on there. What's your sense about what's probably happening, and particularly in the context of these GCC countries? Could this be an early test for them of their cyber investments to date?
Scott: Yeah, I think absolutely. And, and I kind of laugh a little bit—in a sad way—thinking back a few years, I kind of said that we're on the verge of seeing World War III from a cyber perspective, the next time there's gonna be major conflicts. Because it's not necessarily going to be just guns and bullets and tanks and missiles, this and that.
Obviously, I wasn't really correct on that front because this is a serious war, and there are missiles flying and guns and people are getting killed, which is very sad. But at the same time, in the background, if you flash back in time and think about the United States and Israel, and I think about Stuxnet, which was one of the really early, if not the earliest to my memory, first really effective breach that was done, kind of nation-state sponsored attack against Iran to mess up the centrifuge.
And again, it was all toward messing up nuclear enrichment and things like that. They were making some progress, and it was pretty much successful. It really set them back. Now, fast forward to where we are today, one would be foolish to think that's not being done in the background. Now, it may not make the headlines, and we're not gonna hear all the little details of what's going on, but I can pretty much assure everyone—it's happening.
There is a cyber war going on now. With Israel is very advanced in it. United States is very advanced in it. And again, they don't really talk about it much. We tend to hear more about, "China's attacking the United States", or "Russia's attacking", or even other smaller third-world nations, or even Iran using cyber warfare. But it's happening with all countries, to different degrees. But I'm confident that the US and Israel are really honing in to cause major disruption and chaos for whatever has not been blown up as of yet.
David: Well, it's definitely gonna be interesting, to say the least. To you is a very bland and probably and inadequate word. But it's a shifting situation, and the cyber element is certainly gonna be there. And in the context of these GCC investments, it'll be interesting to see how well they're able to step up and protect their infrastructure and to become strategic partners in a cyber military sense, as they've done in a physical military sense for so long.
Scott: Certainly true. I think if we think about cybersecurity and conversations within companies, within countries now around the globe, it's no longer a luxury. It's no longer a back-office type of concern or chatter. Now it's truly a national security issue. It's economic, development imperative that all countries look closely at their cybersecurity posture and do all they can. And I think this article here, talking about the GCC and what's going on in the Middle East, is making some wise investments toward improving their cybersecurity posture.
David: I'm sure they'll pay off over time. Scott, thanks so much for your time today. Always a pleasure to talk.
Scott: Yeah, wonderful to be here with you again, David. Joining us today with Scott Schober, cyber expert, CEO of Berkeley, Veit Intronic Systems, and author of the popular books, hacked Again in Senior Cyber.
Joining us today was Scott Schober, cyber expert and CEO of Berkeley Varitronics Systems and author of the popular books, "Hacked Again" and "Senior Cyber."
The Data Security Podcast is sponsored by Cimcor.
Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
To hear our other podcasts and to watch our videos, visit us at cybercrimemagazine.com.
