Robin de Vries
Okay guys, welcome to a new episode of All Things Cyber with special guest today, David Smith. David, maybe a short introduction of yourself for our audience.
David Smith
I've been working in cybersecurity since 2008 when I started doing networks and firewalls for a global building supplies company.
I went to Airbus, which was the European Aeronautics Defense and Space Company, (EADS), German, French, and UK owned. That was my first sort of role in defense where I started with real security. SOCs were dawning and it was the dawn of SOCs and log monitoring.
But then for the last 11 years I've been with BAE Systems Digital Intelligence, which is a cybersecurity division of BAE Systems of around 5,000 people.
And we do a lot of the government work, government security work for most of the UK agencies. My main bread and butter within the organization is working with the governments of the Balkans, improving their cyber capacity building, looking at the problems that they have and trying to fix them, through people, process, and technology projects.
Robin de Vries
Great, thanks. And maybe a little bit of a philosophical question, but since 2008 and what you're doing now, how have you seen cyber evolving and what is ahead of us? Dave, because it's going at such a fast pace at the moment.
David Smith
Yeah. Well officially I started after university for Intel doing VPN technology, but that didn't last very long because it was really boring.
Yeah. And that was kind of security. My first real job that I stuck at, after doing programming and things like that was I found my place with networks and firewalls, literally because I could learn everything, the whole of the infrastructure right through to the software applications. Back then, it was literally just that networks and firewalls, they were very clunky and the GUIs were not very good.
Most of my life was spent just looking at firewall logs. Geez. Literally scrolling through day after day. PCAPs and real old school stuff, yes. But that's how I learned and that's given me a real understanding of how things were fitting together and how things were working at the base level without any of the nice tools, without any of the automations.
It was all manual, but I was still catching, I think I had five or six cold cases back in the day where I found people running illicit businesses through the corporate network, shall we say, some criminal activities as well. And the company actually pivoted and ended up employing a profit protection team to stop all of these illicit behaviors going on that we were seeing on the network, identifying through the firewall logs and that we were actually seeing. And that's, I think, why I got the call to go into defense and work in the defense sector, because I loved doing that and I was talking to the people at Airbus.
At a conference, a normal IT conference because IT security conferences didn't even exist, I told them a bit about what I was doing and my vision for security monitoring and these new things called SIEM platforms and they were like, what's that? Come and show us.
Stephane Konarkowski
I remember the, what you were saying about corporate networks and in like late nineties, beginning of 2000s, people were using those networks because they had fast internet like telcos to be able to put like DivX or movies.
David Smith
Yeah.
Stephane Konarkowski
So I'm pretty sure you were able to catch that in firewalls.
David Smith
It wasn't, funny enough, it kind of wasn't the computer side, computer crime. It wasn't really a thing then. It was things like they would have a warehouse and then there was a bunch of guys who ran and owned the warehouse who'd end up having a car mechanic shop in the back of it, even the love of the building company.
And then of course there was a lot of what we would come to say would be the dark web, even that was in its infancy.
Stephane Konarkowski
Yeah.
David Smith
And so you had a lot of pedophiles who were actually using the corporate network to go and access those sites and exchange those things on the corporate. Because there was no security. It was just a free for all. Like the whole internet.
Robin de Vries
So how has it changed?
David Smith
A bit, yeah. Now we have security and it's a different game. The thing that I like to tell people is, I sort of fell into security from the technology side, and I think that we disassociated cyber from actual technology too much. Understanding how systems work is the cornerstone and the fundamentals of being able to roll with the governance and the processes and the tools that we use for IT security now.
And a lot of the tools that we have coming out are, are basically, um, their main names are just to keep us. IT estate's like ThingsRecon, patchygs recom, patchy stuff.
Stephane Konarkowski
Yeah. So understanding how everything works is the most important. Because you have something in there. Oh, how does that work? Where does that go? Where does that connect to? People don't think that normally.
David Smith
Some people do. They're called hackers.
Stephane Konarkowski
Attackers.
Robin de Vries
And if you, if you look to the organizations and enterprises you work with day to day, what's the profile of the people you talk to on a daily basis and how are they impacted with cyber risks?
David Smith
Now I'm pretty much just in the space of government and CNIs. The projects I work on are funded through the UK government, capacity building is basically another word for foreign aid out to these organizations and for political reasons, which are much higher than my understanding. But usually it's geopolitical reasons. We go and help those organizations.
I'll be liaising with national cyber agencies, which in my region, have a mixed profile between some which are quite mature and some which are very, I can never say that word... Very immature. For instance, one of the countries only actually appointed their first ever minister for cyber last week.
Stephane Konarkowski
Oh wow.
David Smith
Yeah, so we've been waiting two years since they passed the law. It takes time to set up these institutions through the ministries. Ministries of Finance, Ministries of Foreign Affairs, Ministry for Tax, Ministry of Defense. And so you have these sort of sub-industries of, again, varying maturity right through the CNIs, and they have a widespread of different profiles and maturities. Some of them are actually really tech companies and some of them, they're still pulling levers and hitting big red buttons.
Robin de Vries
What is the difference between a critical national infrastructure in terms of operations and an enterprise? Do you see differences in the day-to-day operations or how they are organized operating?
David Smith
So you can classify the national infrastructure organizations in multiple ways: by sector, by purpose that they perform, or by whether they're publicly owned or privately owned. Because they can be privately owned.
If you look at what actually is a CNI organization, there's many different definitions, but for me it's something which has a societal impact, basically. Meaning that if it was to be stopped, the whole population would be affected in one way or another. And that could be from not being able to go to the hospital, not being able to place a telephone call, not being able to receive water, right through traffic lights stop working.
And so what is the profile of a national infrastructure? Varies differently. Telcos look a lot different to a water company, which looks a lot different to a hospital or a clinic, you know? So there's a wide difference. What I would say is that the national infrastructure organizations typically have a lot more IT and OT convergence.
So things like gas, electricity, water, transport, hospitals, you'll find a lot more OT in those organizations because there's more of a physical realm. I mean, not always the case. Telcos isn't the case. Their infrastructure is pretty much ICT, but then is a radio mast or a cell tower OT? It's a wifi router, right?
So the profile's different. Some of them, the public owned ones tend to be a bit older. They're not owned by shareholders. They have typically less investment. They're not able to pay competitive salaries for their IT staff, so they suffer with their maturity and their ability to transform.
Whereas some of them do have cutting edge technology now and they're quite good. I'm biased towards the Balkans, but I think it's kind of the same in the UK.
Robin de Vries
Do you have an example of the knock on effect of a CNI being under attack?
David Smith
In my opinion, the ones I’ve personally been involved with, last year, the municipality of Tirana in Albania, that's equivalent to mayor of London Sadiq Khan’s Institution, was attacked by the Iranians. They started wiping their servers on the same night that President Trump was bombing Iran. So we're not sure if that triggered it or there were some relations. Who knows? The impact of it was things like the public wifi in Tirana went down. And when we turned up to do the response, the police outside used the wifi on their mobile phones to talk to each other to help coordinate.
It's Albania. And they were very keen that we got the public wifi back up because also the traffic cameras were connected to the wifi. So they couldn't see where the traffic jams were, also the water bills were paid through the local municipality, so nobody could pay their water bills and there was a loss of revenue.
It was a big issue because it was the week that all new school registrations had to be made for your kids to go to kindergarten. Schools only have a two week window to register their kids, but people couldn't register their kids. They were worried that there were gonna be massive amounts of children who weren't able to register and go to school that year.
I wouldn't say that it was a massive impact, that one, but that was just the latest one that we were parachuted into the aid and help with the response. And it was a quick one.
Stephane Konarkowski
Did they respond by like geo-fencing any IPs from the outside, not to access anything from the inside?
David Smith
Yes. But the damage was pretty much done already. They went in hard and wiped a lot. But yeah, there's other things, like in Montenegro, they had a big, national cyber attack, which kind of went out and spread out to the CNIs or some of the CNI institutions, and the schools were taken offline.
They had to close all of the schools down because they couldn't pay the electric bills to keep the air conditioning going in the summer, so the classrooms were too hot for the kids. Yeah, there's the big famous ones you mentioned, Heathrow Airport at one point as well. A lot of people think that they go after air traffic control, or some of the ticketing services or the payment services.
But if you talk to Heathrow Airport, I designed the SOC in there actually, well, one iteration of the SOC, I think it's a new one now... Yeah, it’s the baggage systems. That's what kept the airports running and because they were, they're quite old and they're very physical and mechanical. There's a lot of moving parts, a lot of maintenance needs to happen on them, but they're all automated as well now. And so yeah, that was always a big focus and I never knew why until they had the fire at the airport. But yeah, it'll stop the airplanes. I dunno.
Stephane Konarkowski
The knock on effect. Also, of course, something we talk about daily is the supply chain and how everything is interconnected with each other. Do you really understand what you're connected to? So what you're explaining about Albania, that if something goes down, the wifi goes down, then the traffic lights go off...
It's one thing and then you have all the schools down, you cannot even register your kids. It's like, wow. Touching one thing, concentration exploits, it's crazy.
David Smith
Yeah, it's difficult to tell what the impact is. That's one of the big things as well as these secondary and tertiary impacts from an initial attack.
Unless you've mapped out where are all your connections, all your suppliers, and the recovery... Difficult conversations with a lot of people, yeah.
Robin de Vries
You mentioned geopolitical and the change there, that's obviously interesting for a lot of our audience here. People in TPRM, third party risk, who talk about that also on a daily basis, is there, is there a difference when you talk about countries and geopolitical risk? You think for enterprises, if they look at geopolitical risk?
David Smith
Yeah. Well, enterprises have one board. One governance model, one risk appetite, and usually one technical infrastructure
In the government, it's difficult for them to even know how many of each of those they have. Each ministry has a board, but those ministries are governed by others. Political parties get involved. You've got regulators, you've got CNIs involved as well beneath the CNIs. You've got third parties. The third parties within CNIs tend to be quite condensed and a lot of them overlap as well.
When I'm approaching a new country and I first go in, just figuring out the political landscape is the first place that I start, before I even start looking at the IT and the different institutions. You have strange rules as well, which are quite similar to organizations where you might have one organization who's responsible for all the procurement and the rollout, but then you'll have a law which excludes another parts of the government, such as the police or the prosecution service and the legals, because they wanna be separate from the government, because sometimes politicians break the law, you know? And I think one of the challenging things within my job now, and the interesting thing is that I kind of get the merge between the political aspects of government and how it's all working on that side.
And getting stuff done on the ground from a technology perspective, because enterprises, if they're attacked and if they lose service, it's usually customers and shareholders impacted. If a CNI or a government institution is attacked, then it's civil unrest and people can die. If it's hospitals or transport involved, it can lead to some pretty nasty, scary things.
So, you know, I think the big difference really would be on one side, you're worried about data. On the other side, you're worried about people dying. Worst case scenario.
Robin de Vries
Scary. Yeah.
David Smith
It's different to an enterprise for sure.
Robin de Vries
Direct impact on society, that's where it makes a huge difference.
Stephane Konarkowski
Yeah. But the fact that we see a lot of the digitized governments and agencies and so on, that have what I would call ‘things’ on the internet. Why do they need to have all this on the internet? Because sometimes, they will connect something, but they will not understand the knock-on effect that it could have if something breaks in that system. Because that system is connected to something that they were not even aware of.
David Smith
One of the problems that government has is it's publicly funded, which means that there's, people who probably aren't too in the know about what it takes to run an IT department and what the technology is in charge. But also it's difficult for them because they're not competitive, salary wise. Across the whole of the world, a public job in an institution, you get good benefits and good pensions, but you don't get such a competitive salary as working for a tech company or a financial institution. So they do suffer a little bit I think with regard to staff attrition and turnover.
Retaining staff, good staff, is difficult. Especially in some parts of the world where you have the draw of the West on top of that. But ultimately, the reason that they're putting things up there is because they want to be competitive. They want to make things simple. They want to, and they need to, provide services and more services.
The government services are changing. Gone are the days when we were filling in forms at the post office and putting them into the mail. Government in the UK is fully digitalized. Not that it always works, even in the UK, right? There's plenty government websites, which I've been to, which are nasty.
But that's the way it is, and people don't want to be doing the manual process. They want to be logging in and paying their taxes online, finding their permits or the regulations, filing, applying for new passports online. And the governments have a service to provide.
Stephane Konarkowski
That means that there's so much data we have about the public...
David Smith
Phenomenal amounts of data that most private sector organizations would kill for. The type of databases that you would find typically within a government organization would be births and deaths registrations. Why would you want to hack that? Well, if I can hack in and create 10 personas...
Stephane Konarkowski
Can they vote?
David Smith
You can vote 10 times. Yeah. I mean, we didn't even talk about electoral systems. I can set myself up with 10 personas and they're legitimate personas, and then I can get a national insurance number from those personas through the normal processes. I can then get IDs with those personas. I can then apply for bank accounts and bank loans. If somebody does cut and run and the police knock on my door and say, “you've been doing this”... I’ll say “no, that wasn't me. Look, this is me.” And they've got another person. So, yeah, we've got passports, mortgages, we can go into health records...
Stephane Konarkowski
And the thing is that those systems, or at least those organizations, talk between them. In terms of sharing data, some from time to time because of, let's say, to get a mortgage and so on. They have data about you, and it's like a profile of someone. But your profile is sitting in different entities.
David Smith
Yeah. Different ministries will attempt different databases, which sometimes overlap, sometimes they don't. Sometimes they have good comms between them, sometimes they don't. But they're not only just in one country. Sometimes they’re sharing data with other countries as well, you know?
For instance, passport records and airports, you'll find watch lists for terrorists and things like that. So not only at government level have you got sets of data, but you've got in the government data, which is transferred as well, especially from law enforcement and crime fighting agencies.
And that will have their own systems put in place by Interpol and the likes of those guys.
Robin de Vries
So how important is external visibility for those countries, and do you see different kinds of threat actors going after different countries?
David Smith
Yes, ecause of geopolitics. The situation in Albania is really interesting because the Iranians have been hammering the Albanians for three or four years now at every opportunity, because they have a camp of Iranian dissidents. Basically, people who oppose the regime who were re-homed by the Americans into Albania. And that's the main reason for all of the attacks. 35, 40 attacks in the last three years.
I can't comment on individual cases, but yeah, different countries, different profiles, different reasons for attacking. And different methodologies, as well. Sometimes you see them going in and being very destructive. Sometimes you see them sitting, watching, exfiltrating data. The more interesting ones.
Robin de Vries
Waiting for the right moment.
David Smith
I don't even think it's the right moment. They get such a good foothold and a wide foothold. It's like espionage. They spread quietly and thinly across the whole of everywhere. So removing those is much more difficult than the smash and grab ransomware attacks.
Robin de Vries
So resilience is a key thing for those countries, to bring that to a higher standard.
David Smith
Yeah, and they're increasing their attack surface. They're increasing the complexity and the technologies, they're increasing their third party supply into those systems. The amount of APIs and cloud misconfigurations are just increasing. And that's just natural, that's just going to go up. It's just gonna continue as more and more digitalization happens.
More tools go online. Governments find more innovative ways to service the population. Like any enterprise organization that's on the increase. And so with it expanding, we need to find new, innovative, efficient ways of stopping that and stopping the vulnerabilities and the exploits.
Robin de Vries
Maybe a question for Steph. You look at the data on a daily basis. You analyze it, you put your intelligence, you know, what kind of...
Stephane Konarkowski
Intelligence?
Robin de Vries
Yeah.
Stephane Konarkowski
Okay. Curiosity.
Robin de Vries
Curiosity. Yeah. Let's call it. It's changing from intelligence to curiosity, but what do you see if you look at the data and really try to bring something new with the view on supply chain and TPRM?
Stephane Konarkowski
Yeah.
Robin de Vries
It's not countries.
Stephane Konarkowski
It's not, yeah, you're talking about vulnerabilities, but what I see is a lot of misconfiguration and people using new technologies and configuring things without understanding what they're doing. And then by doing this, they're exposing, basically, doors or let's say things that you can open and then go from left to right, pivot and so on.
That's what I was saying to Robin just before, coming here. I'm saying today's hacker and the hacker of tomorrow are gonna be completely different people, because of the technology that we have today to be able to do things. You don't need to be someone who knows about code to understand how to hack things today. You could be basically sitting in your bedroom, asking some AI to build you a little thing... the moment that you know where to go and what to look for. So that curiosity of understanding how things are working, what you were talking about at the beginning, it's understanding how this Lego has been built... And, okay, if I do the reverse thing...? People who are building things or people who are curious are potentially the new hackers, because they can leverage all those technologies to basically look and just Google the whole thing. Oh, there's a little door open there...
Robin de Vries
Mm-hmm.
Stephane Konarkowski
And then the data that you can find behind is crazy. And then use that data to be able to create more sophisticated attacks that are not vulnerabilities. You don't always need to open the door with a vulnerability.
David Smith
Yeah. But again, you talk about it like, yes, there’s people who attack and are hacking, but, in my experience, most of the attacks which have happened are because... Not just because they've been innovative and clever about it, but a lot is just because people haven't done anything to escape them.
And you mentioned new things going in. Everybody all the time is doing transformations. When a company does transformation, changes their web form, wants to put some servers up into the cloud, wants to change a cloud provider, any kind of transformation... That's when they'll get you, that's when you make mistakes.
Stephane Konarkowski
Changes. Yeah.
David Smith
The change in your technology is good because it'll make you efficient. It might even make you more secure. Right. There's gonna be that in-between point, between state A and state B, where the engineer's configuring something and he thinks, oh, that's not a problem.
It's not fully built, it's not online yet. I'm gonna pop home for the evening 'cause I've had a long day and I'll pick it up in the morning. And it's not live yet, but it's exposed on the internet and it's not live yet. And somebody gets in and then it does go live and it's too late, you know?
That’s where you kind of want to have something which is continuously alerting you. And that's where automation and the traditional assessments and pen tests don't get that transitionary period. Everyone wants to do a pen test before. Do their transition and then pen test afterwards. Because it shows a nice state, a nice story, but they don't tell you when the risk has gone up or down within that transition. It normally goes up, right?
Robin de Vries
There's where you also see a lot of human errors still. Two weeks ago, I was in the Netherlands. 6.2 million consumers, seven data points hacked, just to a misconfiguration, where they could get some information from a service desk, calling the service desk, getting access, acting. And just from the inside, actually hacking them by human error.
Stephane Konarkowski
So, it's leveraging the data that you have access to. You can do so much with that. I mean, like you were saying in personification of things like, oh, I'm that user... Oh, hi. Yeah, I know exactly how the system works. Okay. That's the answer to this question... And then you're ‘true’. That's it. That's your firewall. Gone.
David Smith
I was at a law company a few years ago and they were moving to OWA. Somebody forgot to put authentication on it and went home and cost them 6.5 million pounds.
Robin de Vries
So we always end this podcast with a little outlook to the future. And I think the future is, you know...
Stephane Konarkowski
Very close.
Robin de Vries
Very close, getting closer because of the rapid change. How do you see that rapid change impacts you and your work?
David Smith
So, I have a battle on my hands. And the battle is that a lot of people think that the tools alone solve the problem.
And you probably wouldn't want to hear it, but here's how I would put it. It's the processes and the people and the governance are just as important as the tools. What the tools allow you to do is to mature and to get the best out of those. So the training of people on the tools is just as important as the tool itself.
The processes that are put in behind the tool, embedding those in, maturing them, and the governance as well around making sure that tasks are done. If you're identifying vulnerabilities, it's great to have the visibility. If you don't have visibility, then you have nothing. Number one, you can't fix anything if you don't know it's there.
But then when you can see your state, when you can see the problems, it's the people and the processes which are going to fix them. Automating those processes is where we're all at now, and everyone's looking at AI for quick and easy ways to automate. Let's see if that works. From my perspective, we still have a long way to go in my region and probably around the world into making sure that the governance is kept, to keep up with the fantastic new tools that we have, which allow us to take shortcuts, but we need to understand what we're doing. And that's a very biased view from a Balkans perspective. I'm still trying to get people to change their password policies so that they expire each month.
Stephane Konarkowski
Start somewhere.
David Smith
Yeah. And if I was approaching it with a clean slate in my normal advice to new organizations, new ministries, first of all is visibility. You can't protect what you don't know is there. And then also, once they have visibility, it's the remediation and the processes around hardening. And then following that, once you've done the protection, it's the detection and response piece, which comes in afterwards as well.
In my world, supply chain, I would say, isn't as diverse as other areas. I do see CNIs having a lot of overlap and a lot of similar concentration.
It's something that I do profess and I'm fortunate as well now that the new EU laws, the NIS2 laws and the new Cyber Resiliency Act in the UK consider, you know, supply chain as well into them. So it's been a very useful thing for my mantra with the ministries and the Balkans who all want EU accession that, you know, you don't even need to be compliant, but all of your third parties need to have ISO 27001 level compliance as well. And then they turn around and say, well, how do we know who our third party suppliers are?
Robin de Vries
I think it's an interesting point that you mentioned, and that's a conversation we often have with our customers. Being compliant doesn't mean that the risk is not there.
David Smith
No.
Robin de Vries
What do you see out there? Because I think there is a whole new, sort of shift that needs to happen even with the support of NIS2 and the Cyber Resiliency Act, that you need to be compliant. But that doesn't mean that you're secure.
David Smith
Yeah. Well, everybody has to start somewhere. If you are at the start of the journey or you're immature, then compliance is the first bar. It's kind of best practice, right? But it can be interpreted differently and you can cheat it a bit. Yes, but it's a good bar. I always say compliance is kind of there for the people who want to check boxes and get licenses to do things, but then if you want to do real security, you have to have morals.
Robin de Vries
I think that's a great way to end this podcast. Dave, thank you so much for taking the time. It's a pleasure. And also working together is really amazing. I think what we are doing together in the Balkans is great and it's gonna be greater while we are progressing with our CNI program. So thank you for today and thank you for your partnership.
David Smith
Thank you. Like I said, it's a pleasure to work with you guys. You've been able to enable things that weren't possible in the region. And the thing I would, I would leave the conversation on as well is that we're not doing enterprise level stuff here. The impacts are different to enterprises, and that's a good thing morally, right?
Robin de Vries
Yeah.
David Smith
Definitely. Yeah. Thank you.

