“Having sounded the alarm bells, a group of benevolent white-hat hackers from the Ethereum community rapidly organized. They analyzed the attack and realized that there was no way to reverse the thefts, yet many more wallets were vulnerable. Time was of the essence, so they saw only one available option: hack the remaining wallets before the attacker did.”

A hacker stole $31M of Ether — how it happened, and what it means for Ethereum

They hacked multi – sig (like a 2-3 party joint account, where all users must provide their key to unlock) wallet, not because the cryptography was unsound, but because a dev left a bug that lets you factory reset the software.

This whole episode reinforces 3 things we know in Cybersecurity;

1. Cybersecurity has to begin at coding, that’s why we push the idea of DevSecOps.

2. Cybersecurity is not a afforded just from a tool or method, it is an ongoing battle and it requires situational awareness and rapid response to treats and attacks.

3. The real benefit of Open Source communities is the amplification of creativity and brain power in dealing with threats and exploits. The trade off between seeing the vulnerabilities in the source code are a minor cost compared to the benefit of the community bringing evolving improvements and resilience.

The incident

Singapore’s healthcare systems, provided by Singtel health was declared breached by MCI & MOH on 20/07/2018 with 1.6 Million non-medical personal records stolen and 160,000 patient prescription records stolen.

“Our goal has to be to prevent every single one of these attacks from succeeding. If we discover a breach, we must promptly put it right, improve our systems, and inform the people affected.

This is what we are doing in this case. We cannot go back to paper records and files. We have to go forward, to build a secure and smart nation.”

~Lee Hsien Loong, on the cyberattack that stole 1.6 million SingHealth patients’ non-medical records and 160,000 prescription records

We cannot go back

As LHL correctly points out, there is no going back for is from digital in healthcare, in case we forget in these dark moments of fear, let me remind you of why we cannot revert to a world before electronic records. We cannot move healthcare into the digital age without the electronic systems.

But why must healthcare move into the digital age and economy? To meet these 3 objectives;

1. Better allocation of resources to meet needs, better sharing, better parity, better capabilities to supply to long tail niches. In the digital age, healthcare will do better at matching supply to demand, providing personalisation and improving access to information, consultation and care beyond the limits of geography.

2. Better understanding of trends and patterns on a larger epidemiological scale, down to cohorts and even the individual. Digital will unlock insights at the speed of computers and assist care providers to make better decisions.

3. Better engagement of patients, putting them in control and driving behaviour towards healthier choices. Better experience for Clinicians and providers as well, providing more positive prevention and better strategies collaboratively with patients with a goal for better outcomes.

So this is not about electronic records but healthcare in this digital economy and world.

Malaysia take note

Highest profile medical record breach in Malaysia was that of the report from Doctors in Hospital Puswari of Mohd Saiful in the Anwar Ibrahim sodomy trial in 2008. This was a paper record – which is inherently not secure. You don’t have logs to determine if a paper record has been compromised or copied. So electronic records may increase the threat surface area, from those with physical access to anyone from the global network – but these risk can be mitigated and that access is precisely the same enabler of digital health. We cannot stop commercial air travel because terrorist crashed some planes – instead we learn and adapt and endeavour to prevent.

Malaysia needs to consider this incident and rush to prevent it from happening to us.

• We need a national CyberSecurity framework for healthcare from MOH the same way BNM has a framework for our banks

• Observe how even access to 1.6 million patient demographic data (or Patient ID. data) did not give access to the medical data. This looks like a well architectured design

• We need an evidence based approach to CyberSecurity instead of the current way we do things, for example, some providers feel their DataCenters on premise are more secure than that of a cloud provider – nevermind the fact that the cloud provider has better certifications to prove otherwise
• We need a national cyber threat monitoring centre and service for all healthcare and critical infrastructure, to provide that level of detection and response, to expensive and burdensome for an individual hospital or provider.

Every company that wants innovation, needs to begin with the Why question. If you aren’t already familiar with Simon Sinek’s Start with Why, please check it out here

Here are some typical why’s I’ve heard;

1. We are in a Kodak moment, our flagship product is going to be disrupted

2. We need to experiment with growth into new products and ventures, but in an agile and lean way so we don’t end up with too much sunk cost

3. There are all these emerging opportunities that we are not nimble enough to exploit

4. We worry about the impact of technology on our business, and becoming someone’s technical debt in the future

5. Not having a moonshot is going to exclude us from new talent

6. We just want to be proactive and innovate for our customers to keep them satisfied

7. The board says we can get more for less with new technology and practises

8. We need to survive in a post Amazon and Ali world

The What to do and How to do it only makes sense once we know how to get to the correct Why – not just the Why of the Board or owners of a company, but a Why that reflects the real sentiments of the Customer and Market as well.

Most companies have now realised that Digital Transformation is a must do and no longer a nice to do, as many industries and businesses are vulnerable to disruption. The market also knows that outsourcing technology investment to large cloud providers like AWS helps accelerate capabilities in agile software development, analytics and eventually applied artificial intelligence.

This has led to a convergence between the roles of the distributor, the systems integrator and the management consultants. All 3 find themselves fighting on the same turf to build and operate tools and capabilities for the large enterprise. The reality though is there is sufficient work for all 3 if we team up.

The Economist: AI providers will increasingly compete with management consultancies

Here’s my preliminary thoughts on this video

1. The ledger already exist, it’s called the social graph – by the sheer amount of digital breadcrumbs, of cognitive intents (when you search, when you respond to a link, an add), by our online social interactions and when we volunteer information (blogs, post, shares, retweets).

2. The idea here is related to Dennet’s Memetics, is the transmission of ideas and behaviour through generations. In comp science, there is a maxim that “information is substrate independent”, so in essence, the ledger we have influences our generations (kids, students, fans ) and the ethical question is if the community should be empowered to decide what survives and what does not.

3. We get angry with Google and Facebook at their omission when the ledger is used to influence for ill (like hacking elections, fake news), but now we will also get mad at the commission of trying to do the reverse.

4. The fear we have is who sets the volitional goals – but the reality is if we don’t decide, attempts at malicious and negative influence will always be there. Perhaps the answer is letting different communities set this for themselves and allowing goal immigration, where a citizen can leave his/her community to join another that matches his/her goals.

Common people getting hacked

You may be familiar with the famous tale of Mat Honan being hacked through a series of vulnerabilities from his daisy-chained Apple, Amazon and Google accounts. None of the individual systems were vulnerable to conventional hacking, but the hackers exploited the customer service of password recovery from all 3 services to get into his accounts. Symantec helps explain these kind of social engineering exploits in their 2016 Internet Security Threat Reports;

These real life examples demonstrate that security is increasingly complex and multifactorial, and as Gabi Siboni said;

“The multiplicity of threats in cyberspace and the ability of attackers to detect weaknesses and use them in operations requires a holistic view of organisational security.”

In the last 5 years, we have seen Big Data Analytics (BDA) employed effectively to better monitor threats, malware and intrusion events across various systems and heterogeneous data sources. We have also seen more specialised tools carrying out various functions in the total solution landscape.

But what we now have to progress further into is the employment of Artificial Intelligence (AI) tools to help improve our detection and response to these threats from the large BDA platforms. In the ISSA Journal, Keith Moore writes (1);

“Artificial Intelligence (AI), the paradigm shift that will revolutionise the cybersecurity industry. It is capable of acting as a human analyst, but tirelessly at machine speed.”

He goes on to say; “The use of domain generation algorithms (DGAs) and polymorphism make malware much more difficult to detect and have led to 78 percent of security analysts no longer trusting the efficacy of antivirus tools.” I will add to these technical reasons for more sophisticated and harder to detect threats, that the scope has increased as well, with the increased volume and exposure of users, reflecting the new shift to more digital lifestyles and services. Users often consume applications and data across a myriad of distributed heterogeneous repositories, making the challenge of protecting them even more difficult. Threat mitigation now requires speed and accuracy beyond the capabilities of human agents.

Detecting & responding to threats at the speed of AI 

Using the cyber kill chain model by Wirkuttis and Klein (2), the goal of most cyber security is to prevent the exploitation of vulnerabilities in the network and systems being protected and always working to eliminate all possibilities of exploitation for threats that may have  eluded detection. While there are specialised systems today that can detect a threat upon delivery, AI can significantly move the battle upstream, from detection to prevention. AI can even be used to predict possible exploits and vulnerabilities and work on mitigating any possibility of delivery. It can even be trained to spot attempts at reconnaissance and work on tracing the sleuth.

AI will be able to employ Deep Learning and Deep Neural Networks (DNN) to threats from known threat models and past examples, and spot anomalies by modelling normal from observation over time. Supervised learning and training can help minimise noise from false positives and ensure missed positives are iterated into the model.

Furthermore, AI will be able to provide unparalleled decision support and insights in the event of an attack to the human first responders. Because the AI Decision Support Expert Systems will be equipped with an understanding of a large compendium of previous attacks and threat playbooks from various sources with Case Based Reasoning algorithms that will assist in adapting the best strategy for mitigation. This is complemented with Rule Based Reasoning decision support, which when combined best model human cognition, with the added benefit of processing at the speed and throughput of computers. Once these models are mature, responses can be automated as well.

AI to assist and monitor the human agents 

Another application for AI systems is in finding vulnerabilities and assisting human agents in correctly configuring their security infrastructure. Many vulnerabilities come from the complex cascading of systems; sometimes the user is the only interface between two systems as shown in the example in the beginning. AI decision support tools could be employed to find threats and then convey them with recommendations to human agents and users, through self help and education applications. The IBM X-Force report below demonstrates how much of security incidents are caused by human error, this would be something AI decision support and education tools could mitigate.

AI concierge for my passwords 

We are also now beginning to see password management solutions sold to consumers, while Federated Identity Management and Single Sign On Services gain popularity in the enterprise. If we enhance these solutions with AI for Prevention and Detection, we could significantly improve how we monitor and educate users to keep them safe and even predict malicious agents before they can act. Data Leak Prevention can be taken to the next level if AI could automatically track and classify data, and understand the context of how the user should be using it. Policies could be monitored and managed automatically. Of course this does not have to feel like ‘big brother’, the AI could be given a friendly interface like an AI digital assistant or a chatbot and be valued by users as a helper and concierge. AI through IoT , biometrics and computer vision could automatically recognise users and federate the access  and privilege they need.

---

Footnotes

(1) Artificial Intelligence in Cybersecurity, by Nadine Wirkuttis and Hadas Klein – Cyber, Intelligence, and Security Journal, Volume 1, No. 1, January 2017

(2) “The Race against Cyber Crime Is Lost without Artificial Intelligence” by Keith Moore in ISSA Journal Volume 14, No. 11, November 16

The Economist published an article in January this year titled “2018 will the year that big, incumbent companies take on big tech” where they observed that 11 years on after the disruption from the likes of Netflix and Amazon, the methods and technology of startups are now available for all. This will result in the established and incumbent companies adapting digital strategies of their own and exploiting their existing base of customers, markets and data to provide the new wave of disruptive digital services themselves instead of leaving it to Silicon Valley.

So why did it take us so long to get here? What is it about corporate culture or realities that stops us from having reinvented ourselves like AirBnB, Uber, Netflix and Amazon? What is so inherently different about being a successful incumbent and being an upstart. This article by the Boston Consulting Group explains it well; 

“Traditional companies start with lots of built-in hurdles. Incumbents are not used to reinventing their business models; after years of industry stability, their managerial skills and talent are generally honed toward methodical and incremental improvements within the existing paradigm. Furthermore, longstanding beliefs about how the world works can blind these companies to challenges from insurgents. Because established organizations are often hardwired to deny the need for disruptive change, they resist business models that upset the status quo. In addition, economic models based on scale positions or competitive capabilities usually convey substantial advantage—­until they no longer do, and then they often actually work against a company’s ability to transform. It’s a tough combination for management to overcome.” 

I think the answer is a combination of factors;

1. • Timing and not doing a Kodak – what I mean by this is being caught in a Kodak moment, whereby an addiction to an old business model can make a company miss a chance to develop and invest a new one while there was still an opportunity. Selling film was too lucrative to Kodak, that they missed the digital camera opportunity even though they had produced some of the first working technology in their R&D. Kodak would try later but the timing was wrong and so they missed the moment.

1. • Confusing Innovation with R&D. Many organisations dealing with science and technology will invest in R&D, where the core assets and products continue to exploit new technology and science and get better. We call this the technology push – the push of new abilities to enrich our offerings, like using machine learning to derive patterns of user behaviour automatically. Technology push however is not always the same as market pull – or what the market actually wants. A good example of this were the Google Glasses, the technology made it possible but consumers did not want it. Innovation works best when you reinvent your offerings to meet the demands of the market, and if you can do so exploiting new technology pushes, you really break new ground. So R&D starts on what is possible but innovation starts from the perspective of the markets and users. Sometimes the best innovators are able to tell what the markets want even before the markets have that realisation.  Disruption according to this article, takes things to a greater extreme, completely pushing the boundaries and daring to try radical change to products and business models.

1. • Not allocating resources to experiment and persevere – since we are trying to divine what markets want, it makes sense to experiment. To start with a small area, perhaps do a MVP experiment, or engage a really enthusiastic or passionate group of customers. This is the biggest blunder I see, organisations are so used to working on large 5-10 year blueprints and commitments, that they don’t make place and separate teams to run experiments and keep collecting data on what works and what does not.

1. • Having the right mix of talent. Finally the kind of team what will do these experiments well are very different. You are probably going to be competing with the Startups for them – so prepare to engage them like the Startups while offering them better benefits for working with an incumbent.
     

    

   • Making the right bets and bringing investors on for the ride. The Amazon investors are legendary for having trusted Jeff Bezos and his long term vision and bets, and most organisations will have the challenge of convincing its shareholders to be patient and wait for the predicted changes to occur. As the BCG article I shared above says;

“Investors that own stable businesses with predictable earnings typically value the large cash flows that such companies generate. And these investors often don’t appreciate the need for transformation—and the investment that accompanies such change—until the disruptive threat is affecting performance. Then they sell and move on, and the company’s valuation suffers the consequences.” 

We must remember the strength of being an incumbent is the legacy of perfected processes, relationships, brand equity, data and experience. This example is being demonstrated so clearly in the struggles of Tesla, perfectly explained in this Forbes article. Therefore incumbents should not squander this opportunity to take the lessons of disruption and pave their new futures now, while there is a window of opportunity. Of course if the BCG article is true, only 1/3 will make it.

In 2017, for every 5 new cars sold, 2 were a Malaysian (probably 2/3 to Perodua and 1/3 to Proton) and 1 was a Honda. It’s been a stellar run for Honda, they have been delivering value to Malaysians looking to graduate from the Malaysian made quality.

But the underlying spectre that haunts us is the mad rush to keep buying cars and overwhelming our roads and allowance for air pollution. Like our greed for palm oil money, we risk the depletion of our ecosystems ability to sustain us.

The Technology has caught up to help reduce the footprint – modern forward thinking manufacturers like Honda and Volkswagen are producing new turbo enhanced smaller and more efficient engines, Mazda took it to another level without even using the Turbo. Electric and hybrid cars are emerging and the infrastructure to support them is catching up. These more friendly fueled options will solve 1 of the 2 problems, the carbon footprint- but the other problem of congestion will remain.

Jakarta is a lesson for us all with the world’s worst traffic jams and some analyst predict it will grind to a halt in a few years if nothing changes. Meanwhile the Economist reported lately that most cars in the city spend 90% of their lifespan parked.

What we need to change is the business model of car ownership. All the electric cars in the world can’t save us if people have sunk cost in large carbon footprint fossil fuel legacy ones. Somehow we need to move towards a pay-per-use world of cars, where you can have a unit reserved longer term, or use them on demand or buy rides on demand.

The leadership most policy planners and Governments need to lead now is one around economics.

Many engineering teams know the struggle of facing down an angry business leader looking to deliver something incomplete to meet a deadline under the pretense of delivering an MVP and “not boiling the ocean“. The struggle and challenge is usually driven by these actors with these real considerations

1. The engineers want to make sure they deliver something of quality and usable and want to avoid business types from trading off quality for profit
2. The project managers want to meet deadlines
3. The business leaders want to bill progressively and avoid over engineering and runway project cost and timelines

Allow me to attempt to set some of rules for our thinking about MVPs so that we can try and find the right win/win for the actors above.

#1 – MVP does not mean what you think it does 

As Yevgeniy (Jim) Brikman of Ycombinator writes in this important article;

“It’s the same story again and again. First, a team comes up with an idea. Next, they build a minimum viable product (MVP) as a proof of concept, spending a lot of time arguing about which features to include or exclude from the MVP. Finally, if the MVP works well, they plan on building the full, mature, stable product.

So what’s wrong with this picture? Why does it all go wrong for so many startups?

The problem is that these teams do not understand the point of an MVP. An MVP is not just a product with half of the features chopped out, or a way to get the product out the door a little earlier. In fact, the MVP doesn’t have to be a product at all. And it’s not something you build only once, and then consider the job done.” 

MVP is not a compromise you make to rush a minimally acceptable product out the door to meet a timeline but an experiment to test your riskiest assumptions so that the product your building stays true to the reality of the market and the users you are trying to reach. He further explains; 

“An MVP is a process that you repeat over and over again: Identify your riskiest assumption, find the smallest possible experiment to test that assumption, and use the results of the experiment to course correct. When you build a product, you make many assumptions. You assume you know what users are looking for, how the design should work, what marketing strategy to use, what architecture will work most efficiently, which monetization strategy will make it sustainable, and which laws and regulations you have to comply with. No matter how good you are, some of your assumptions will be wrong. The problem is, you don’t know which ones.^1” 

Please do read the rest of this excellent article on Ycombinator

#2 – Whatever you deploy and deliver, must be usable at all times 

The picture below done by Henrik Kniberg explains it all better than words;

There is a very nice explanation of this image from Henrik Kniberg on the Crisp consultant’s blog.

It is ok to stagger deployment, to break things down to milestones constrained by resources and economic considerations, but at every step of the way, the product must be usable and of a baseline quality.

#3 – The Airbnb 100 people love rule for quality 

Brian Chesky, founder of Airbnb is famous for his 100 people love rule;

“The best piece of advice I ever got was from our first investor, Paul Graham. He said it’s better to have 100 people love you than a million people that sort of like you, so if you can find 100 people that love your product — as long as there are more people like them in the world — then you have an idea that I believe will spread around the world. But if you can’t get 100 people who absolutely love your product, then you do have a problem.” 

Therefore rules #2 and #3 tell us we should focus on staggering our steps and milestones to deliver steps that qualitatively reach fans and focus on slowly growing that fan base.

It is better to be focused on delivering higher quality to less people than lower quality to more people – if retention of users and the creation of fans is important to your overall business objectives. 

#4 – Embracing Agile 

The assumption behind the whole concept of MVP is that you are working on an agile methodology and not waterfall. Agile is all about breaking down the challenge to smaller steps that allow for better empowerment of small multidisciplinary teams to apply creativity to solving those challenges, about being more customer centric and consultative and about seeing solutions in more scenario based architectures then component based ones.

Harvard Business Review sums up the challenges and opportunities of embracing agile here and even throws in this useful diagram of what situations work best with agile and what does not;

#5 – Quality means planning for failure 

Netflix and it’s simian army has taught us the art and science of planning for failure ;

“The cloud is all about redundancy and fault-tolerance. Since no single component can guarantee 100% uptime (and even the most expensive hardware eventually fails), we have to design a cloud architecture where individual components can fail without affecting the availability of the entire system. In effect, we have to be stronger than our weakest link. We can use techniques like graceful degradation on dependency failures, as well as node-, rack-, datacenter-/availability-zone-, and even regionally-redundant deployments. But just designing a fault tolerant architecture is not enough. We have to constantly test our ability to actually survive these “once in a blue moon” failures.”

and today we have mature best practises for failure mapping and tools for planning for failure. Every application should also be designed for graceful degradation.

#6 – The importance of being timely 

If we agree on #1 to #5, we now need a reminder as builders that you can miss an opportunity if you take to long. That annoying business leader has a point, a company can miss an opportunity because it’s builders took too long.

 

Healthcare and telemedicine should take a lesson from the retail industry;

23 years later after Amazon begun* the experiment on shifting retail online, we have learned a few things;

1. Digital won’t fully replace physical – shoppers want a multichannel experience, browsing in a store and shopping online, or vice versa.

2. That running a multisided platform that matches retailers to shoppers requires complex and cutting edge IT, removing friction from the experience with endless automation and innovation. Just think of the wonder of telling Alexa to send you milk and having it show up at your doorstep in 2 hours.

3. The Economist reports that US retailers make razor thin 3% profit from physical retail and only 0.5% from online sales. This is because of the likes of Amazon having made free deliver an expected feature of buying online. Eventually these multisided platforms can only be sustainable at large scale monopolistic builds. So future retailers are better off thinking about having an Alibaba or Amazon strategy instead of trying to reproduce the crazy Infrastrucutre and technology needed to have an AI like Alexa send your verbal request to your doorstep in 2 hours.

Moving forward, in healthcare, we really should consider these realities as we rush to innovate around house calls and video consultations.

*and 18 years ago Alibaba begun its experiment on the opposite side of the world