As artificial intelligence technologies grow, the importance of safeguarding your information can become more critical. Listen as Chief Investment Officer Tony Roth and James Kaplan, partner and chief technology officer of McKinsey’s Enterprise Technology practice discuss how you can use AI to secure yourself, and how to stay protected from it.
References to specific securities and companies are merely for explaining the market view and should not be construed as investment advice or investment recommendations of those securities or companies and are not intended and should not be relied upon as the basis for anyone to buy, sell, or hold any security. Holdings and sector allocations may not be representative of the portfolio manager’s current or future investment and are subject to change at any time.
Third-party trademarks and brands are the property of their respective owners. Third parties referenced herein are independent companies and are not affiliated with M&T Bank or Wilmington Trust. Listing them does not suggest a recommendation or endorsement by Wilmington Trust.
Securing Tomorrow: The Power of AI in Cyber Defense
Tony Roth, Chief Investment Officer
James Kaplan, CTO Technology Practice, McKinsey & Co.
Tony Roth: This is Tony Roth, Chief Investment Officer of Wilmington Trust, and you are listening to Capital Considerations. Today we have a really terrific guest, a co-alumni of Brown University James Kaplan, the CTO of McKinsey Enterprise Technology Practice. You also have extensive experience across cybersecurity, cloud transformation, enterprise infrastructure. You do a lot of guest lecturing, do a lot of publishing, including McKinsey Quarterly, The Wall Street Journal, MIT Sloan Management Review.
You're the author, James, of Beyond Cybersecurity, Protecting Your Digital Business, which is a great read. You've been to Davos, Milliken Institute, and lots of other really great things. You have an MBA from Wharton, and you are eminently qualified to talk to us about cybersecurity and what's going on in that ecosystem.
So we do very much thank you for joining today. And it's been a while since we've released a new episode on capital considerations. And, I think there's no better topic that requires our attention than cybersecurity in today's world.
Tony Roth: So I want to get into, James, the whole question around the stability of our technology ecosystem. I mean, we've moved to a, Economy in a world where everything is now digital, and if someone were to turn the lights off on that, it would seem as if we would be in really tough shape as a society on lots of levels.
How fragile is the whole system to being taken down, being attacked, so on and so forth?
James Kaplan: I'd offer a couple of thoughts. One, there is no whole system. There are many, many, many, many systems. So the ability of any one attacker to take down the entire economy is very limited because we have many banks, we have electrical utilities, we have many manufacturing companies, we have many hospital networks, on and on.
The American economy is tremendously diversified. It would be hard for anyone to shut down the economy.
Tony Roth: It's not as if there's a master switch in the basement of the White House to just, you know, turn off something.
James Kaplan: If they've had, no one's told me about it.
Tony Roth: So that diversification, right, and we have that concept obviously in investing, where we want to stay diversified at all times because you don't want to be too exposed to any one thing.
I mean, that's very reassuring to hear. What about as it relates to what's probably most close to our hearts, which is our money. Is that one ecosystem or is that in and of itself many diverse ecosystems?
James Kaplan: That is many diverse ecosystems. I don't know of any, uh, regional bank. I don't know of any brokerage firm that has 90% or even 50% market share.
You know, you can correct me if that's wrong. Obviously, there are, um, you know, some critical notes in the U.S. Financial system, and I think there's a couple of things I would note. First of which is there's a tremendous increase in the level of technical sophistication and the level of seriousness which both the financial services industry and other industries have taken cybersecurity protections compared to 15 years ago.
Second, I would observe the regulators are, you know, scrutinizing what they call critical national infrastructure very seriously. And, you know, the regulators are not Always on target, but I would note that some of them have gotten very, very seriously, for example, recently about IT asset management, which I would say is foundational to many things about protecting against cyber attack and protecting or increasing technology resiliency.
So I think that's been broadly speaking, quite a productive turn of events.
Tony Roth: So we still have something to talk about though, right?
James Kaplan: Oh, absolutely.
Tony Roth: I mean, we've started ironically very positive and optimistic here, but let's go back a few months to this CrowdStrike incident that happened, which we call a crowd strike.
But Microsoft was very involved. They blamed CrowdStrike, CrowdStrike blamed some other people, but at the end of the day this had a pretty pervasive impact on the ability of banks, hospitals, airlines, etc. to provide the services that they are hired to provide, unfortunately. I don't think that it caused any ledgers and any banks to be wiped out so that we lost our savings or anything of that nature.
What happened there? And is that something that you worry will be repeated even on a bigger scale?
James Kaplan: Sure. And one thing I'd note is increasingly banks and other companies are thinking about technology risk and technology resiliency rather than just cyber attack and cybersecurity. Because that's a great example of something that created disruptions that in no way, shape or form was a cyber attack.
It was a mistake. It was a flaw…
Tony Roth: Right.
James Kaplan: …in somebody's architecture, somebody's, uh, operational practices and a couple of observations. One. Yeah. I mean, there's a lot of risk, third party risk, fourth party risk and party risk, both in technology and beyond technology. It's a tough, tough problem because any financial institution or any other type of institution will have a large number of vendors.
If you include all your vendors, it can be tens of thousands, and it's hard to keep track of what all the dependencies are. Now, the thing that I'll observe is, yes, there was disruption, but the world recovered. Some places it took a day, other places it took a couple of weeks. I think the world learned a lot from that incident about processes for rolling out updates.
Uh, certainly CrowdStrike learned a lot from that incident. So obviously it was incredibly painful. It was incredibly frustrating for, uh, people whose lives were disrupted because companies they did business with struggled to get their systems back online. But the impact was bounded, A, and B, the world learned from it.
I'm not trying to be peg lossing [RP1] here. Technology risk is a incredibly serious problem. Many, many, many, many smart people spend their entire careers working on it and banks and other institutions spend a lot of money on this, but there's a distinction between what could happen to any one institution and what could happen to the economy as a whole.
Tony Roth: So of everything you just said, the thing that I think is so most interesting is that this was a mistake that was made. essentially with the architecture or the program that was rolled out.
James Kaplan: Operational practice, right?
Tony Roth: And it wasn't actually, but, but, but certainly a cyber attack, one could imagine a cyber attack creating a similar outcome.
James Kaplan: And there have been other, you know, cyber attacks that have had downstream effects, but there's just one, one thing that you mentioned I would pick up on. You asked about a attack compromising the books and records of a bank.
Tony Roth: Right.
James Kaplan: Or the account structures of a bank. Are you familiar with Sheltered Harbor at all?
Tony Roth: No.
James Kaplan: Okay. So, every year, the Treasury Department runs something called the, uh, I think it's called the Hamilton War Game, which is a simulation of a cyber attack on the U.S. economy, the U.S. financial system. About 10 years ago, they got very concerned about an attack that would compromise the books and records or the account information for a retail bank.
And in particular, they got very concerned because if that happened at one bank, it might challenge confidence in the banking system as a whole, and people would withdraw money from banks and could create a liquidity event. So out of that, the White House, in partnership with a number of banks in the financial services industry, launched what became known as Sheltered Harbor.
So for, I think, last time I checked, I think it was for 80 percent of the retail accounts in the United States. Every day, at the end of the day, your account information, or every customer's account information, is transmitted to an immutable data store. So they know that Jane Doe has $5,022 in a retail checking account.
And nothing that happens can disrupt that information. So if there were a destructive attack, for example, on a, super regional bank or a regional bank, or even a larger bank, the secretary of treasury could go on TV and say, don't worry, it may take a few days, but your money, we know exactly how much money you had in the account and your money will be restored.
Tony Roth: Is there a way to know if our bank...
James Kaplan: Yeah, I think I think it's public information.
Tony Roth: So that's something that we'll have to track down for the more participants. Hopefully…
James Kaplan: That's and that's managed. That's now been transferred into FS ISAC.
And one of the things I'm very proud of is McKinsey as a pro bono effort, I led McKinsey support for the creation of Sheltered Harbor, which, you know, I would say, uh, at least as best I understand it dramatically increased the resiliency of the U.S. Financial system.
Tony Roth: What makes this overnight store immutable? Do they have, for example, a…
James Kaplan: It's a special type of disk that can't be overwritten.
Tony Roth: Does it reside in Fort Knox or in the Pentagon or someplace that is very safe?
James Kaplan: If I'm remembering the standard, it resides off site from the bank. So it's, yes, we were joking at the beginning when we did this that all the, uh You know, all the records would live in some data center surrounded by a moat lit sharks with laser beams…
Tony Roth: Right.
James Kaplan: …on their heads, but that's not the case for a number of reasons…
Tony Roth: Okay.
James Kaplan: …a distributed solution made more sense both operationally and also politically. I think there might have been some nervousness if every, even if the data were encrypted, I think there was a sense there might be some nervousness if, you know, 80 percent of the information, about 80 percent of the checking accounts in the United States were stored in one facility.
Tony Roth: So, you know, one of the things that's really interesting to me about the conversation, where we've gone so far, is that we've just talked about this, I think, incredibly reassuring feature of our system. And it doesn't just go to cyber attack, but it just goes to stability, generally. In other words, the…
James Kaplan: Yeah, diversity and stability.
And, you know, there's a bit of a dialectic here. Which is, there's risk to any individual company, but the diversity, you know, adds resiliency to the system, and then the resiliency in the system is in part created by the fact that each individual company continues to invest in security and disaster recovery and resilience and so forth.
Tony Roth: I haven't seen a big cyber attack. Maybe it's because You know, it's sort of like we get these things in the mail every day that says, well, you're, you know, your personal information may have been compromised. And we take those letters, we throw them away because it's three pages of very small type and disclosure.
And we don't know what to make of it. Each one of those essentially represents probably some type of technology failure could be a cyber attack, or it could just be a screw up. But they seem to be of less significance. I don't know if we've gotten ahead of the curve now. It was once talked to me that we're always falling behind the bad guys that are trying to figure out ways to hack our system.
But then someone else said to me, no, that's not really true. Our systems are getting inherently more secure. It's harder and harder to hack stuff. Where, where are you on that?
James Kaplan: It's a very complicated question. And the question I typically ask in response is, um, last time you went to use your credit card, did it work?
Tony Roth: It did work last time I used it.
Let's note that the digital economy around us tends to work most of the time. First thing.
Tony Roth: Yes.
James Kaplan: The second thing I would note is the people in the U.S. National Security Establishment hate it when we use the term cyber attack. They make a very serious distinction between cyber exploitation and cyber attack.
And it's a good distinction and one we should keep in mind. To them, a cyber exploitation is, in effect, stealing data, customer accounts, intellectual property, what have you, and that happens. And let's face it, cyber espionage is a real problem, cyber identity theft is a real problem, and this costs a lot of money, but it's a significant thing, but it has not to date prevented the digital economy from growing and functioning.
Tony Roth: Right.
James Kaplan: A cyber attack is an attempt to disrupt or attempt to destroy. If somebody tried to shut down the U.S. power grid or tried to stop a major bank from engaging in trading operations. People in the intelligence and security world will say that nation states engage in cyber espionage or cyber infiltration all the time.
Just as they engaged in espionage before our economies were largely digital. This is the game of nations. It happens. And it's not an act of war. In contrast, I don't think there's been a documented incident of cyber attack between great powers, at least not that I know of. That is, you know, a very good thing and there's a lot of reasons for that including deterrence and global standards and norms and what have you.
Now, could that change with a More fraught geopolitical environment. It absolutely could. There's many smart people working in many banks and other types of institutions worried. Okay, what happens if we enter an even tenser geopolitical situation? Could great powers start seeking to disrupt each other's economy via cyber attack?
And obviously that would be an act of war.
Tony Roth: So what is the advent of having our own personal data increasingly live in the cloud, which is to say, not on our own physical devices, but and I think that we perceive this to be something that's relatively recent, but it's actually probably been the case for a long time. How does that impact our exposure?
Our vulnerability.
James Kaplan: Personally or societally?
Tony Roth: Both.
James Kaplan: Let me start with a societal issue. One thing that I know regulators are very concerned about is concentration risk, which is something they've thought about for years and years and years. And even before cloud, they thought about geographic concentration, a small number of cloud providers between them have very high market share in the United States.
And regulators are asking, does that create some concentration risk again, especially if we're in a more fraught geopolitical environment? And that's a that's a tough, tough question. And in part because most companies I know have have increased their resiliency and increase their uptime by moving to cloud.
And if you have something that's very sensitive data or very sensitive process, you run it across multiple regions and multiple availability zones and you arrange for backup. And there's a lot of stuff you can do in the cloud to, um, support resiliency. But at some level, there are some control plane-type operations that I think for any cloud provider are very difficult to segregate
across different regions or different availability zones. I know the regulators are asking very tough questions about that. I expect one of the upshots is we'll have a broader range of cloud providers that large institutions will use. There will be reduced risk by having, again, more diversity in the cloud ecosystem.
Tony Roth: And when you talk about the segregation, that's basically atomizing pools of data so they're protected from failures.
James Kaplan: Two things. One, it's failover. So if you run in an application in multiple regions, so if there's a problem, one region fails over to another region. That's a very, very classic pattern, both on prem and in the cloud for ensuring resiliency.
And the other is backup at a region. So you back up your data to another region.
Tony Roth: Right? Okay.
James Kaplan: Now, There's some software that needs to do the coordination of moving things across regions and, you know, which necessarily can't be segregated…
Tony Roth: Right.
James Kaplan: …in the same way. And I think that may be what has the regulator slightly worried.
Now, the flip side of that is there's been many companies have added a lot of resiliency by moving things to the cloud.
Tony Roth: Let's wrap up our conversation by talking about artificial intelligence, and I'm sure that there are lots of ways in which the advent of AI changes the game in different respects, whether it's The fact that it puts even more data because AI is so dependent on data. It's taking even more data and putting it out there into the cloud and creating that vulnerability with respect to the data, or it's us being able to predict and see around the corner the bad guys because AI is going to tell us that, or if the bad guys using AI to combat us. What are the most significant byproducts of AI as it relates to safety and soundness?
James Kaplan: I divide the intersection of AI and cybersecurity into three components. The first component is the way in which Gen AI changes and expands the surface area and creates new types of risks. You have potentially much faster deployment of new code that becomes harder to protect against, right? And it becomes harder to, uh, interrogate the code potentially for vulnerabilities.
You have models that could be influenced inappropriately without changing the code, and that creates types of risk. So we're going to see massive change in the way IT operating models exist or the way that IT functions are run. And anytime you have change, that creates different types of vulnerabilities.
And there's going to have to be a ton of thought put into, okay, doing the threat modeling for the way that It is changed and sort of figuring out what protections need to put in place. And anybody who tells you that he or she is entirely figured that out, I think is either naive or not being entirely honest.
The second is, let's face it, the attackers will use AI. A simplistic example of this is traditionally, you know, most, many people could spot phishing attacks because they weren't terribly well written. Well, perhaps Gen AI can allow attackers to write better phishing attacks, and particularly targeted phishing attacks with us. There's a lot that they'll presumably be able to do in order to analyze data that IT environments throw off to identify vulnerabilities. And then third, then you have Gen AI in order for institutions to protect themselves, which will be equally important in the sense that it might help you write better code.
It might give more leverage to your better engineers. It will provide leverage to your cyber security analysts. And one of the most important use cases for Gen AI is converting unstructured data into structured data. So it can convert some of the unstructured data that an IT organization throws off into structured data, which can be analyzed for vulnerabilities.
Is that helpful?
Tony Roth: Yeah, it's very helpful. And all this activity takes geometrically more energy and more power. One of the limiters, if you will, on a lot of this activity is the is the cost Of being able to resource the computers that crunch the data. I think that's really an interesting dimension to this because...
James Kaplan: Oh, absolutely. Let's face it. Um, U.S.-generating capacity has not increased much in the past 10 years and off the top of my head. I think the Projections indicate that AI will drive data center demand from 3 percent to 10 percent or 12 percent of U. S. electrical demand. That's a big increase in demand. So there's lots of interesting stuff you see.
They're turning Three Mile Island back on.
Tony Roth: That's right.
James Kaplan: To provide nuclear power. You're also seeing a lot of discussion around, um, electrical generation behind the meter. Grid connections are one of the bottlenecks in electrical supply.
Tony Roth: That's right.
James Kaplan: So many people I know over building data centers with the idea that the, uh, generative capacity will be inside the data centers.
You don't have to connect the data center to the grid. There's A number of folks working on micro reactors. So you drop to 10 megawatt micro nuclear reactors into a data center, and then there's other folks who don't think that those will be ready in time. So therefore, you'll see things like combined cycle gas turbines powering data centers again behind the meter, so they don't need to be connected to the broader grid.
Tony Roth: Right.
James Kaplan: Yeah, I mean, what's going on in the electrical sector just now. It's just wild.
Tony Roth: So, James, fast forward a decade. How will our lives be different as a result of the increasingly data driven world, whether it be from a stability issue, living our lives differently, benefits? How do you think, as an expert in this whole ecosystem, not even just cyber security, how do you think that our lives will be different in 10 years compared to where we are today?
James Kaplan: Yeah, okay, so let me put aside any dramatic change in the geopolitical environment. I'm going for the sake of simplicity and we argue we're in 10 years from now in a geopolitical environment that's roughly similar to the one we're in today. In terms of level of risk, tension, what have you. I think a couple of things will be true.
We will be astonished in retrospect by the quality of data, access to data we have, both at home and at work. And if you think about, Everything in your life, both professionally and personally, there's all sorts of data in various places that, you know, you can't make much use of. At work it's, you know, business cases written in a word processing document that have been sitting in a file share for 10 years that's nobody's looked at and done trending on it.
At home it's, you know, your credit card history, your spending history, or the repair history for your house, and the ability to convert text into data that people can easily analyze, I think will be transformative and will create a tremendous amount of empowerment, both for individuals and for institutions.
And one way I might describe this is many people have talked about the extent to which the born digital companies have captured so much of the value creation from equity markets over the past decade or 20 years. A lot of that is because they have incredible telemetry into their organization. They have no data they can't access most more traditional institutions have lots of data they can't access.
So you may see a degree of a rebalancing of power, at least potentially. The other thing is I tend to be of the belief, and this is still very speculative that Gen AI will empower our most creative and talented people rather than make them less relevant. Which is to say, there will be the ability to create, cyborg is a, is a bad term, but to provide leverage to our most creative engineers or most creative, you know, financial analysts and what have you, and just give them the ability to do things quickly, I think will be very important and very transformative.
Tony Roth: There's one area that you didn't mention that I want to ask about specifically, which…
James Kaplan: Please.
Tony Roth: …which is health and longevity.
James Kaplan: Yeah, that's a great point. Sometimes I do work with hospital networks, and over the past decade, we've started capturing doctor's notes and electronic health records. That's all unstructured text.
So, nobody really knows whether the doctor at any given hospital or at most hospital networks is following treatment protocols. As a result, nobody knows whether the treatment protocols are any good, or it's very hard to know whether the treatment protocols are good with specificity and who they're good for versus not good.
So imagine if you could use Gen AI to convert the raw text that doctors enter or nurses enter into an electronic health record system to determine the extent to which the doctor is adhering to a treatment protocol so you can correlate adherence to a treatment protocol to health outcomes and then, my God, you'd know a hell of a lot more.
What if we took a lot of the guesswork out of medicine?
Tony Roth: Yeah, I mean, there's so many ways in which we could harness the empirical base that we've collected or are collecting for better outcomes. Whether it be…
James Kaplan: And then you tie that with things coming off a smartwatch or what have you. If we get this right 10 years from now, we could be living in a far more empirical society.
Tony Roth: That's right, because that's what we're talking about, right? It's all data driven, empirical…
James Kaplan: Yeah. and the distinction I draw is now we live in an information rich, but not a data rich society. I can use Wikipedia or use a search engine to look up anything. It's still very, very tough and very labor intensive to collect data, which is often disparate or hidden in various corners of an organization or an IT environment.
Aggregate that you'll normalize it and analyze it. That's really tough. I would argue at the moment we're still living for the most part in a data poor society. So imagine if we were living in a data rich society.
Tony Roth: The distinction between information and data being stated again for us.
James Kaplan: Ability to analyze information in the way of describing this. It's something you're it's an article you read. Data is a series of tables you could do analyses against to, uh, derive quantitative insights. And I would suggest to you, and this framing just occurred to me, we currently live in an information rich, data poor society.
Tony Roth: And that's really where the, the development and the excitement and the potential lies. Very fascinating. Last question. Is there anything that you're doing in your life that I'm not doing in my life as it relates to making sure that my data, my family's data is not misused in a way that would be upsetting to me, and I really don't care about privacy.
I just want to make sure that I don't get ripped off. I don't get...
James Kaplan: Yeah, I mean, here's the thing I do. There are a tiny, tiny number of accounts that really matter. to me. My brokerage account really, really matters to me. My food delivery account doesn't matter so much, right? So I pay a lot more attention to the security, including obviously two factor authentication, the strength of the password for the small number of accounts that matter a lot to me than the million accounts that don't matter as much to me.
Tony Roth: Well, I can't thank you enough for the time today. This has been a really interesting conversation. We've covered a lot of different territory and I wanted to invite all of our listeners to go on to only to wilmingtontrust.com for a full roundup of our latest thought leadership in the investing and planning spaces.
And thank you again, James.
DISCLOSURE:
This podcast is for educational purposes only and is not intended as an offer or solicitation for the sale of any financial product or service or recommendation or determination that any investment strategy is suitable for a specific investor. Investors should seek financial advice regarding the suitability of any investment strategy based on the investor's objectives, financial situation, and particular needs.
The information on Wilmington Trust's capital considerations with Tony Roth has been obtained from sources believed to be reliable, but its accuracy and completeness are not guaranteed. The opinions, estimates, and projections constitute the judgment of Wilmington Trust as of the date of this podcast and are subject to change without notice.
The opinions of any guests on the Capital Considerations podcast who are not employed by Wilmington Trust or M& T Bank are their own and do not necessarily represent those of M& T Bank Corporate or any of its affiliates. Wilmington Trust is not authorized to and does not provide legal or tax advice.
Our advice and recommendations provided to you is illustrative only and subject to the opinions and advice of your own attorney, tax advisor, or other professional advisor. Diversification does not ensure a profit or guarantee against a loss. There is no assurance that any investment strategy will be successful.
Past performance cannot guarantee future results. Investing involves a risk and you may incur a profit or a loss. Any reference to company names and/or specific securities mentioned in the podcast should not be constructed as investment advice or investment recommendations of those companies or securities. Third party trademarks and brands are the property of their respective owners.
Third parties referenced herein are independent companies and are not affiliated with M& T Bank or Wilmington Trust. Listing them does not suggest a recommendation or endorsement by Wilmington Trust. Private market investments are only available to investors that meet the U. S. Securities and Exchange Commission's definition of qualified purchaser and accredited investor.
Facts and views presented in this report have not been reviewed by and may not reflect information known to professionals in other business areas of Wilmington Trust or M& T Bank and may provide or seek to provide financial services to entities referred to in this report. M& T Bank and Wilmington Trust have established information barriers between their various business groups.
As a result, M& T Bank and Wilmington Trust do not disclose certain client relationships or compensation received from such entities in their reports. Investment products are not insured by the FDIC or any other governmental agency, are not deposits of or other obligations of or guaranteed by Wilmington Trust, M& T Bank or any other bank or entity, and are subject to risks including a possible loss of the principal amount invested.
Wilmington Trust is a registered service mark used in connection with various fiduciary and non fiduciary services offered by certain subsidiaries of M& T Bank Corporation including, but not limited to, Manufacturers and Traders Trust Company. M& T Bank, Wilmington Trust Company, WTC, operating in Delaware only.
Wilmington Trust NA, WTNA, Wilmington Trust Investment Advisors Inc., WTIA, Wilmington Funds Management Corporation, WFMC, Wilmington Trust Asset Management LLC, WTAM, and Wilmington Trust Investment Management LLC, WTIM. Such services include trustee, custodial, agency, investment management, and other services.
International corporate and institutional services are offered through M& T Bank Corporation's international subsidiaries. Loans, credit cards, retail and business deposits, and other business and personal banking services and products are offered by M& T Bank, member FDIC.
©2024 M& T Bank and its affiliates and subsidiaries. All rights reserved.
Please complete the form below and one of our advisors will reach out to you.
James Kaplan
Partner and Chief Technology Officer, Technology Practice
McKinsey & Co.
What can we help you with today