Welcome back to our course on FinTech Regulation and Security. We're going to talk today about computer security. Particularly from the perspective of data and technology, is to protect your data to make it more secure. We have with us Dr. Hilton Chan, who is today an adjunct professor at HKUST, along with me teaches that course on FinTech, but also he is the CEO of a FinTech company in [inaudible] , FinTech. So, Hilton, you have a strong background in cyber security. What's your prior position or role that you've worked in that related to cyber security? Oh yes, before I started my company, I have served in the Hong Kong police for over 23 years. And I set up the technology of crime and set up the computer forensic labs, and also dealt with a lot of hacking cases, industrial espionage cases, et cetera. And at our university, you helped to set up a masters program in forensics. Yes, of course. I did a forensics and cybercrime investigations. So, you've been working in this area for a long time, and you're pretty much a world-class expert in this area, wouldn't you say? Yes, I still go to Criminal Court to give evidence, regarding to a lot of the- So, you know a lot of criminals? Maybe they don't like to know you, but they get to one way or another. So, tell me what's different about cyber security and crime versus other kinds of crimes or other kind of police [inaudible]. Yes. Traditional crimes, very often most of the traditional crimes, the culprit or the criminal must be present at the scene of the crime. If you want to commit a crime, you want to steal something, you got to be physically there. But, for most of the cybercrime incidents, the criminal or the so-called hackers or the intruders, they're all always remote from the scene. Now obviously, some people may actually physically enter into a room to hack into a computer and delete, that could happen. But most the time we know that they must connect it from a remote places. Now, once they connect from a remote places, most likely that they are in different jurisdictions. So, that makes it harder because most crime are actually, almost all crime is national law. There's very little international crime. And also if I'm criminal, I know that I want to attack a drill system in your country, I'll make sure that our government don't talk to each other, or maybe I could go for third parties countries to yours. So, that when you think, "Oh it's from that countries we have no dialogue with". So for example, a cyber hacker from North Korea in an expose and one of the biggest business magazines recently, and he said, "I was a hacker for North Korea", and when describing his job he said, "The first thing I did was go to China, and then I set up a company in China, and then I set up a hacking operation from China". So it's not looking like it's part of North Korea. Right. Another thing is I could initiate a crime from Hong Kong against UK but go through North Korea. And you think- It's really just a smart guy who's hiding his identity. Right. Exactly. That's why for a lot of cyber crime especially when you think about that from the security perspective. How am I going to prevent all these people attacking my system? It's very different, you've got to think globally. It's not like traditional, a lot of those petty cash crime, a lot of those crimes that we consider local criminals. If you're going to catch somebody committing a crime, and they have broken Hong Kong law and you're the Hong Kong police. And you can prove that they broke this law, but they are not in Hong Kong. Can you arrest them? At the present moment, a lot of government already changed their legislation to address that. But the difficult part is, what happens if that criminal act kind of truncated into different component? So, for example, let's say they committed acts. It Involve five steps, each steps in a different country. Now if you look at the steps itself there's no crime. Not unless all five add together and say, "Oh, gee this is that. " So each piece is part of a conspiracy to commit a major crime, but each element maybe, if it is a crime maybe it's a minor misdemeanor crime not a major felonious act. So, for several like DDos attack, Distributed Dos attack. So, initially the criminal may be able to. And DDos means, denial. Distributed Denial of Service. Distributed Denial of Service. So, DDos attack, Distributed Denial of Service is an aggressive act against a company. And that's a crime? Yeah, okay for example, let's say there's different computers. Okay, they are poorly managed, there is loopholes there. Okay, people initially find a way to get in and you'll kind of plan something that it's a event or time trigger malware that you can plant in there [inaudible] It seems likes a crime. Okay, that could be trespassing. Electronic trespassing and you didn't do anything. You just placed something there. But it's a minor crime. Is it very minor as you haven't triggered anything yet. And for the company that you've then hit and you trigger it you're using some of their computing resources but they may say, "Yeah, whatever, don't care". And then not until let's say a particular date time or until a particular event every computer target and attack and send message to one computer system. Now then your target is in trouble. So, sometimes if you kind of break those steps into two or three steps, each steps may kind of, yeah maybe it's a very minor crime would be not even a crime, but aggregating it together, it becomes a very serious offense and victim will be- And how does that relate to FinTech? How does that connect into FinTech so as to solve computer crime?. For financial technology, they are part of the cyber world. So whatever cyber attack to them is very vulnerable. Okay, so let's say if I set up a wallet or set up an online banking service. Now, the computer crime model that is very commonly used is the CIA model. It is Confidentiality, Integrity, Availability. So, DDos is addressing the availability issue. So, whenever my service is not available, especially for banking, which is part of an essential service for people. If suddenly I want to make payment, and suddenly if the whole payment system is under DDos attack. My money is there, I can see there's a balance on my wallet, I just can't pay. So, it's very frustrating. Just imagine. I could imagine some kind of trading systems getting hit with a DDos at the wrong time, which we might be able to trigger by software instead of triggering a trade, trigger a DDos attack then hit with a strong trade then leave your target vulnerable to swings and currency or other things if you have enough capital to manipulate the market and do a DDos at the same time, you might be able to really put a crimp into a bank. Exactly. On the other hand, if you think of USA exchange. If there's a lot of high frequency trader. If they started within the market close period, let's say five minutes before the market close. Boom. All the transaction all trying to go through that internal exchange with high frequency. If the system is not big enough to cater for that, that's no difference from a DDos attack. Do I really know whether it's DDos or whether it's just a lot of traffic? It could be a trade, yeah it could be a proper trade or whatever there's suddenly a market news booze-up. Lets say, suddenly there was a war started in North Korea. And this relates to intent for example, I could say, "Let me trigger fifty thousand computers around the world to do a low latency stock trade all at the same instant that can overwhelm an exchange." Now each of those trades might be a legitimate trade for one share of stock. It's just a small amount. They're all legitimate trades but they're all synchronized, all hitting at the same time, and while that's happening I know I'm doing something else in a very different system that is a large volume money moving thing. I might be able to take advantage of the system being locked up. Yeah. Same thing. Yeah it's just like flooding the whole system. Let's say, when suddenly there's adverse news just break up and then people just respond to it. Now, a stock online using a keyboard to do it. Now we're talking about all of these are robo-traders. Once they pick up a news, immediately the computer would keep on-. Once they cannot make the deal, they fire the request to the exchange, if the deal bounce back saying that the deal not done, they immediately fired again with the lower volume and then you see they're triggering off the whole market. It's a snow-ball effect and you flood the market. So it looks like a DDos attack. Yes. So that's why even in the FinTech area, even for some of the legitimate trade, we have to look at the plausible DDos phenomena not necessarily meaning that is a criminal intent, but the behavior could be very similar. Then the issue is, is there an attempt to commit a crime? Or is it just a coincidence? Everybody's program looks the same. Yeah. So there's a lot of these issues that for cybersecurity you have to look at. Whether it's a genuine high-frequency trade just because of certain things trigger everybody or the system to trade at the same time which is genuine or it's just that your system cannot handle the capacity or whether there's some malicious attack or malicious intent or whatever. Okay, so being remote is part of the challenge for the law enforcement officer.
