Is It Safe?

Harshul Joshi of DarkMatter gives an in-depth look at the world of cybersecurity, a crucial reality of today’s online sphere. He talks about the comprehensive service his firm offers along with the multiple problems that plague the internet and e-commerce today and how they can be combatted.


The name of your company is DarkMatter, what does that name constitute?

Our CEO Faisal Al Bannai came up with the name. According to scientists, “Dark Matter” is 70% of the universe; you don’t see it, but it exists and balances the universe. In cybersecurity, what we do is secure online data even though we cannot be seen. We’re virtually doing our jobs without interfering with the business. That’s where the name “DarkMatter” comes from. We might be invisible but are extremely significant for things to function properly.


For a project like DarkMatter, how does one assemble a team? What are some of your services?

The most critical part of any cybersecurity firm is having the right team. I came from California where I was working at, my counterparts came from places as diverse as Washington DC, Seoul, Australia etc. We’re a global team and we relocated to the UAE, working between our Dubai and Abu Dhabi offices. Each of us has decades’ worth of experience. Being able to get us all here and work locally, I think it’s an incredible feat and differentiates us from other firms.


In terms of services, DarkMatter is an advisory engineering solutions program. We don’t do just one thing; we do everything in the realm of cybersecurity. What I do, is Cyber Governance, Risk, and Compliance Regulation. We help a lot of cyber entities on a national level. Then we help the critical infrastructure of the country i.e. Oil & Gas, Defense etc. to assess that risk and medicate. We also do Active Penetration Testing and Forensics to make sure that our clients are prepared in case of attacks. There are also Managed Services, where we provide services from a managed standpoint. Just give us your logs and if anything’s wrong, we’ll tell you. Then we have Secure Communications where we develop our own encryptions on the phone for secure calls and chat. We have Infrastructure Workstream which is pulling the whole data center for the clients. We have from soup to nuts; from engineering to regulation to advisory.


Cyberattacks are so much more than just hacking. What are the clear present virtual dangers right now that companies should actively avoid?

Cyberattacks once used to be some kids trying to hack into something.

Nowadays, you have far more dangerous manifestations of that, from nation-sponsored attacks to ‘hacktivism’. People want to steal credit card or bank account numbers, intellectual property, data from a pharmaceutical company to make a drug of their own, it’s all become fair game to them. Then there are nation-sponsored attacks, the kind of cyberterrorism that can bring a nation to a screeching halt without leaving your basement. Think about that, people can hack into federal aviation systems or traffic lights without even leaving their rooms. Now everything is being connected digitally, in our field we refer to that as opening up your attack surface. If your home only has one door, you lock the door, but if you add two windows, you have three things to take care of, add five more windows and you have eight things to take care of and so on. That’s the new reality of the cyber world, more openings mean more chances for criminals to attack, and we call it cyberterrorism.


Based on your research, what kind of businesses are most at risk of cyberattacks?

The financial sector has the data from the motivation standpoint. If I get my hands on a million credit card accounts, I can do a lot of damage. Then we have businesses like intellectual property, which could even be something like Coca Cola and its recipe. Same thing with pharmaceuticals. So every business that has intellectual property, financial data, and national security data which can be abused or sold are all at risk.


From Anonymous to Edward Snowden to Samy Kamkar, the public image of a hacker has been getting more “heroic” rather than dangerous. Surely, that doesn’t help a cause like yours.

It doesn’t. When you look at the community, the good guys are still fighting an uphill battle of sharing information. If you are the Chief Security Officer of a bank, the last thing you do while fighting the fire is that you call and tell others how you were compromised so that they are better prepared. On the downside, the hackers actually have a far more sophisticated network of sharing something, if you write a virus-spreading malware, you share it around and everybody uses it. Even 10 years ago, if somebody had a firewall, they were the best. Today, prevention and detection is a must but we have to assume any kind of compromise. We have to make sure how we respond quickly and recover efficiently in the event of a breach.


Are there any cyber threats specifically pertaining to MENA? What are some of the common ones?

We’ve been working with the MENA region for quite some time and there are no differences in threats per se, but there are some differences in other aspects when compared to say Europe or the US. This region is still maturing in terms of cyber regulations so there’s that difference. In terms of payment structure, in the US there is something called a Dynamic Risk-Based Algorithm that Visa and MasterCard would put in place. Here it’s a “Let’s not build this” rather than a “How can we manage this?” approach. It’s evolving in the MENA region. People compromise you for two things at the highest level. Either they don’t want you to function or they want to steal something from you that they can benefit from. MENA region is still learning how to make the data devalued so that even if you encounter a compromise, there’s nothing there. We call it ‘tokenization’ which is where we take the CAP number, and replace it with a 16-digit token which even if you steal won’t give you anything. So that’s the difference between the other countries and MENA region.


How much cooperation do you receive from local law enforcement and legal teams?

When it comes to law enforcement, we work very closely with cyber-regulators. A regulatory body releases a standard and tells the entities of a country how to do things. The enforcement comes from a sector regulating standpoint. If a standard is released about how to sell mobile apps, the TRA is the regulatory authority that will enforce the standard on Etisalat and Du. But creation is just not enough, adaption is key. If I go to five doctors today, and all of them tell me I have a cholesterol problem and I need to go to the gym, it would mean nothing if I don’t act on their advice and actually go work out. Likewise, there’s no point in releasing a standard if the industry is not adapting it.


How do you apply the concept of cybersecurity beyond the computer screen and into our domestic lives?

Cybersecurity stands on a three-legged stool: people, process, technology. Any of the breaches that you hear about in the news, I can guarantee that 98% of them were not because of the technology, it was the people and process. Technology seldom fails if configured correctly. It’s the people who either don’t know all the right processes or are trying to take shortcuts. So to me, a big piece of cybersecurity is people awareness. I can have all the controls on my side but if my end-user just keeps clicking on any link, then they will get compromised.


How do you plan on adapting a Silicon Valley-style startup concept like DarkMatter for a place like the MENA region?

When people think of startups, they naturally think of Silicon Valley. But to me, DarkMatter is an entirely different beast in a way that it was born mature and it’s the only partner of the national government to have not only regulation but execution of security controls. It comes back to having the right talent and location. It’s putting a process in place and doing it correctly. DarkMatter doesn’t just give a consult and walk away. We can also execute and engineer products for you. Hardware, software, regulations, everything across the board. You would be hard-pressed to find a startup like that even in Silicon Valley.


In the beginning of 2015, IoT was named the highest cybersecurity risk. Has enough been done in the past year to curb that? Especially since our worlds are getting increasingly digital and converged?

Silicon Valley comes up with a buzzword every year: Outsourcing, Offshoring, Cloud Computing, Big Data, and now it’s the Internet of Things. It comes down to very simplistic principles which are that we are trying to generate more data to take smarter decisions. With IoT comes more connectivity, and thus more attack surfaces. IoT itself is having a maturity phase and with that security has to evolve as well. The more you are dependent on automated sensors for your life decisions, the more susceptible you are to a breach. Has enough been done to lower the risk? I’d say no. The appeal of features always races ahead of security. CEOs always want to fast-track things and security will slow them down. You will see a lot of ramifications when it comes to IoT and security will have to catch up.


As more and more of human jobs get replaced with algorithms, what are we in store for?

95% of the information on the internet was created in just the last two years. These algorithms are based on that data, ignoring all the previous knowledge. And a lot of this data is white noise i.e. it’s not all logical information. We cannot create an algorithm that makes predictions based just on those two years as human behavior is thousands of years old. There is no representation or understanding of consumers from my generation or my parents’ generation. It will never work that way unless we have more mature data and a good understanding of the past.


For this coming year, Extortion Hacks, like the one on InvestBank in Dubai, are being considered the top cyber threat. What other threats do you think we’ll face in 2016?

As the industries move towards more connectivity of devices, more decisions are made by sensors instead of humans. Breach in any one entity can trickle down into the others and cause massive damage. To me, this impact is something we need to watch out for. In terms of national security, nation-sponsored attacks will be on the rise. There are organizations funded by nations that have very specific motivations. Every country has to make sure that there are right regulations in place that empower the industries to grow but with caution.


About Harshul Joshi

Harshul Joshi is the Senior Vice President, Cyber Governance, Risk and Compliance, DarkMatter LLC. He has over 17 years of experience in the fields of cloud-based technologies, regulatory compliance, governance, risk, and internal audit; which he applies today to DarkMatter’s ongoing advisory services to government and commercial entities. Harshul has a successful track record of working with various C-level executives; with state, national and multilateral bodies — including the US Securities and Exchange Commission and the PCI Security Standards Council. Prior to joining DarkMatter, he worked for and led the Security practice for PwC (Pricewaterhouse Coopers LLP) in the technology sector. He has also held various leadership roles with Sony Corporation of America, GTE Internetworking (currently Verizon) and KPMG LLP. He is a member of several Boards of Advisors to companies in Silicon Valley, is the Global Editor for ISO 27007, and is a regular contributor to various ISO and country-level cyber security standards.