Siddhartha Ahluwalia 00:00

What is Jamtara?

 

Rahul Sasi 00:00

So this is actually a place in the country where a lot of scams originate. When the government announced that EV we are going to get a subsidiary, the demand for having an EV dealership went up. Now these attackers started putting up similar looking pages, which are accepting EV dealerships. And then they call you saying that, “Sir, your request is pending. It will be verified in a few days.’ And they call again, ‘Sir, you’re now eligible for the dealership. You have to pay a five lakh rupees down payment.’ You know the number of people who paid five lakh rupees?

 

Siddhartha Ahluwalia 00:30

How many?

 

Rahul Sasi 00:31

1000s.

 

Siddhartha Ahluwalia 00:31

Already paid.

 

Rahul Sasi 00:31

Yeah.

 

Siddhartha Ahluwalia 00:32

And got scammed.

 

Rahul Sasi 00:32

Yeah, exactly.

 

Rahul Sasi 00:34

We go to the doctor, we can buy the credit card of someone for $5. There will be listings like Amazon listing where you can actually buy data of any company and their employees and including their salary for maybe $20.

 

Siddhartha Ahluwalia 00:46

And why are the government not monitoring data or taking action against—

 

Rahul Sasi 00:49

Taking action is very difficult because it’s not a central system where the government can just say, you know, cut. In cybersecurity, we have a saying. You are either hacked or you don’t know you are hacked. It is like learning to swim online. That’s how most cybersecurity courses are. I will only see these things going up than coming down.

 

Siddhartha Ahluwalia 01:06

And there are Chinese loan app scams. What are they?

 

Rahul Sasi 01:09

So here what they’re doing is…

Siddhartha Ahluwalia 01:17

Hi, this is Siddhartha Ahluwalia. Welcome to the Neon Show. Today, I have a very dear friend, Rahul Sasi, founder of CloudSEK. I’m also super proud that the Neon Fund is a very early investor in CloudSEK. And I have worked very closely with Rahul over the last couple of years, right? We have shared some fond memories together. And we have seen the journeys very closely right from, you know, the journey when they were very a very small team to now you’re a very large team.

 

Rahul Sasi 01:45

When we met, we tripled. Three times.

 

Siddhartha Ahluwalia 01:48

Yes. Five times I would say.

 

Rahul Sasi 01:52

Yeah true. Yeah, correct.

 

Siddhartha Ahluwalia 01:58

And Rahul today, you know, first of all, welcome to the podcast. And very excited to discuss a few key trends on this podcast with you, right. So we are going to discuss cybersecurity, dark web security, and artificial intelligence. And you know, some basic things like Aadhaar data leaks in India. The recent cyber attacks in India, the WhatsApp base attacks, the phishing attacks. So I would just like to start with what is the dark web?

Rahul Sasi 02:31

So I mean, anything which is… the word dark web came into existence on the fact that criminal activity happens at night.

 

Siddhartha Ahluwalia 02:43

Dark Web like Dark Knight? (chuckles)

 

Rahul Sasi 02:44

So it’s basically like, you know, where the dark corner of the internet is, what is the meaning of the word dark web? So anything illegal that happens normally happens on the dark web. So that’s just one portion of what we do. You know, we kind of think that’s one of the sources we monitor to identify cyber risk.

 

Rahul Sasi 03:02

So before we dive more into the dark web, tell us what CloudSEK does.

 

Rahul Sasi 03:04

So CloudSEK is in the business of predicting cyber threats. We build technology that can foresee what is the next cyber attacks—

 

Siddhartha Ahluwalia 03:16

What is a cyber threat?

 

Rahul Sasi 03:19

I will give you a very simple example. That’s something which we had discovered last year. If you look at all the ATMs today, in the country, they are not managed by the banks. ATMs are managed by a vendor, third parties. We discovered a simple issue that allowed any ATM in the country to be monitored because the vendor who was managing that ATM had a mis-configuration in one of their audit applications and was exposed on the internet, which allowed anyone to see the live footage of the ATM. Wow much money they are loading into the ATM, when the truck driver is bringing in the cash. Now, we reported this to our customer, which is the largest bank in the country. They had reported it to the vendor.

 

Siddhartha Ahluwalia 04:04

Which is?

 

Rahul Sasi 04:04

I won’t name the largest, private bank in the country. But this prevented a bunch of malicious guys from attacking and getting this information. So we predicted that, and prevented it so that bad guys were not able to access the site.

 

Siddhartha Ahluwalia 04:27

And where was this information shared?

 

Rahul Sasi 04:29

It was not. That’s what I’m saying. We kind of identified the risk, how it would lead to this incident.

 

Siddhartha Ahluwalia 04:36

How did you identify this risk?

 

Rahul Sasi 04:37

So which is one of our monitors, it’s a supply chain monitoring solution. It monitors your vendors, because your data is not sitting in just your computer. Right? You have vendors, partners, who share this data. How do you know today whether any of your vendors was accidentally leaking your information? That’s what supply chain monitoring solution SVigil does. And we have different data sources which we collect to— you know it’s like how we predict rain today. How do we predict rain? We pass the data of rain through a mathematical model, which tells us how much it’s going to rain. It’s very— I’ll ask you a simple question. If I asked you to think of a pet bird, like think of pet bird, right, and people who are watching the podcast can also do the same thing for a minute of a pet bird, you might be thinking of a parrot. Yeah, right. So would a lot of people. Now, I just predicted what you’re thinking, right? That’s a smile on your face. Now, this is magic, but it’s science. Science based on data and statistics. Right? So if you gather enough data, and then you have a data set, data science models, mathematical models, machine learning models, which uses this to make these predictions, that’s what we do. So we tell accurately what is the next target, why it would be a target, and the reasons why they would be a target. And this information, this intelligence can be consumed by our customers to prevent a cyber attack, which will save them millions of rupees. You know, like, when an incident has happened. Imagine this data which I spoke about, it’s leaked already on the dark web then the incidents will happen. Our job is to stop it from happening in the first place. Not when it’s spilled onto the internet. So we build technologies around this space. We use artificial intelligence and that’s what from the very beginning of our existence we’ve been doing.

 

Siddhartha Ahluwalia 05:54

And you mentioned, you, you monitor vendors. You monitor the dark web. Where is this invisible web setting?

 

Rahul Sasi 06:41

Hmm. So the dark web is just one portion of the data we monitor, like I said, the invisible data sits in… Well, it sits in computers— it sits in computers in the end. But then to access those computers, you need to have a separate, it’s like a VPN network on top of the—

 

Siddhartha Ahluwalia 07:00

Our audience may not know what VPN is.

 

Rahul Sasi 07:01

So you need to install a torrent browser—

 

Siddhartha Ahluwalia 07:03

What’s a VPN?

 

Rahul Sasi 07:04

Okay, what is a VPN? It is actually a private internet, I would say. Something on top of the current Internet, where you have to tunnel your data through that particular traffic. It is like a world inside a world inside the internet world. So you need to use a particular tool called Tor to access the dark web. It’s a browser. So only using that particular browser, you can reach that part of the internet, where there’s a lot of illegal activities. In fact, if you go to the dark web, you can buy a credit card for $5. You can buy, there will be listings like Amazon listing where you can actually buy the data of any company and their employees, including their salary, pay slips and all that information for maybe $20.

 

Siddhartha Ahluwalia 07:55

And why is the government not monitoring the dark web or taking action against it?

 

Rahul Sasi 08:00

Monitoring is possible. Many of them are doing it. Some of them are— Government customers as well. So taking action is very difficult, because you can’t like I said, right, it’s not a central system where the government can just say, you know, cut. They can’t. They can’t take down things from there. It’s impossible. Same like why can’t you take down the Bitcoin network. It’s not only like a central database. It’s sitting on multiple people’s computers. And the Tor will give you access. So the Tor protocol is very interesting. You know, it kind of, you know, it actually routes your data through multiple nodes and exits to the final destination. So it’s very difficult to even track who is running those websites in the end.

Siddhartha Ahluwalia 08:50

And you mentioned that this dark web is sitting across multiple computers, which are hidden from normal people, like you can’t access these computers, and these might be in any country also. Right? So there is no legal enforcement on this data.

 

Rahul Sasi 09:07

Correct. It’s very difficult. It’s very difficult to take down something from the dark though it is possible. If you can identify which computer is sitting which is what the Tor network prevents you from identifying. You don’t know the real IP address of that machine. But if it is some way you are able to reveal it, then you will be able to take it down.

 

Siddhartha Ahluwalia 09:27

Okay. And there’s a lot of talk about cyber security. Could you explain in layman’s terms, what is cyber security?

 

Rahul Sasi 09:34

What is cyber security? Okay, so today you know, all your money is sitting in, in your bank account. And it’s not like money sitting there. It’s just a number of sitting in a computer which says that you have this much money. Today we have smart drones, which can fly around, capture pictures, etc, etc. Today we have and if you look at the war, which is happening, tanks. If you fire an RPG rocket onto that tank, the tank can automatically detect a missile coming to it and destroy it, when it’s close in a few seconds. What I’m trying to say is that these are all computers, in the end, a small computer which has some level of information or action sitting on it. The objective is to protect these things. If you didn’t lose your money in the last two years, that’s because of the work of a cybersecurity professional, who prevented it from happening, or prevented a bad guy from leaking it. If you see all the code copters and drones which are flying around, and they’re not crashing into each other, including the flight systems, that is because numerous security engineers worked on it, by fool proofing it. So cybersecurity is all about protecting the computers and how they should behave. Bad guys can actually, you know, reverse engineer control different actions of the computer and make it up to their own interest.

Siddhartha Ahluwalia 11:36

Give us a few examples, right where these bad guys have taken control of a large system to harm the last few years.

 

Rahul Sasi 11:44

Yeah, if you know about the Bangladesh bank heist, a billion dollar was exfiltrated from the bank, by presumed to be North Korean hackers and they worked on it for months. Again, you have to understand what a billion dollars is. So what they did is the SWIFT protocol— It’s like a technology which is used to transfer money between banks. So when you say that I want to transfer a million rupees from this bank to another bank, this protocol talks to each other and makes that happen. So front end and all your application internet banking, or, you know, you submitting a request, this is the front end. But these two technologies or these two computers talk to make sure that a billion dollars transfers to here. These attackers hacked into the SWIFT network of the bank, which they got access to, I’m not gonna deal with that. And then they started making requests. Because now you’re in the core technology, you don’t even need to take money from anyone. You can virtually generate money and say, send a billion dollars, split that into 25 transactions, send it to 25 different banks. And they did that. So now, they did that on a Saturday— on a Friday evening because Saturday, Sunday, the bank is on holidays, right. And they also did one more thing. So in the bank, every bank, they have a mechanism, a ledger, at the end of the day, or the next day in 24 hours, a ledger prints out every transaction which has happened so that they can reconcile it and see, ‘Hey, this is the actual authorised transaction. This is the transaction.’ They also hacked into the printer and made the printer unusable. So on Friday night, the person came to print, the printer is not working. Not restarting and rebooting. There may be some problem with the printer. So people went home, right? And then they came back on Monday. When they come back on Monday, and then they print the ledger, a billion dollars is out. And they are panicking, right. The whole bank is in panic mode. Now, the bank sends emails to the— because it has gone to other banks outside the country. They send an email saying that, ‘Hey, this is an unauthorised transaction. Block it. Don’t let it get withdrawn.’ Now the hackers also had access to the emails. So they responded to the email, which went out saying, ‘Yeah, sure, we’ll take care of it.’ which is a fake response because they were monitoring the whole cha— and they planned for it for months. There was also and this story is from a different era, there was also an instance where the attackers now have to understand where the money has to go into right because it has reached a bank. Someone has to withdraw it. In one of the scenarios, the attackers actually bought a bank. Sorry they bought a company. They bought a company, a private, limited company. And then the money eventually came to that company. And they purchased this company for the sole purpose of checking, you know, withdrawing these transactions. So I’m saying these things are happening. And your question, what do we do? Our work, not just mine or my companies, hundreds of cybersecurity professionals out there have prevented your money from being taken by bad guys. Because we did it in the background, you would never know or we’ll never get credit for some of the good things which have happened.

 

Siddhartha Ahluwalia 15:40

That’s almost like soldiers sitting at our borders. Right? Because citizens inside our country are leading a good life, we don’t know how many attacks these soldiers prevented.

 

Rahul Sasi 15:51

Yeah, I mean even if you look at the cases of terrorists caught. Number of terrorists they would capture would have prevented N number of bomb blasts from happening, but we will never know because it got prevented. That’s the state where we are as well.

Siddhartha Ahluwalia 16:08

And here in a case like cybersecurity, the scale of one incident could be like the attack on charge in Mumbai.

 

Rahul Sasi 16:16

Yeah. Yeah. Correct.

 

Siddhartha Ahluwalia 16:19

So many people lost lives. You know it’s getting more and more dangerous. Tell us what’s the role of artificial intelligence and what role it’s playing when bad guys use it to attack other people on the dark web.

 

Rahul Sasi 16:33

So that’s the future, by the way, right? I mean, with all the advancements in AI, today, humans hack machines. The future would be machines, hacking machines.

 

Siddhartha Ahluwalia 16:48

How can a machine hack another machine?

 

Rahul Sasi 16:52

So if you look at the advancement, which has happened in the AI space, right, in the large language models, they are capable of doing a task much better, a certain task much better than human beings. Many exams are being cracked by these large language models. In my perspective, you know, ChatGPT 4, four would be able to do X, but ChatGPT 10 would have much higher capabilities, which can replicate a human hacker and their behaviour. And people who have access to that can just reprogram that to compromise computers at mass scaling. Even today, it can, by the way. It is basically just automation. I’m just saying a machine tries every different thing till it gets access to another machine. It’s even possible today.

 

Siddhartha Ahluwalia 17:52

Like how does artificial intelligence do it?

 

Rahul Sasi 17:59

How is artificial intelligence— So I’ll give you a very simple example, right? Let’s take ChatGPT to browse the internet, find all the email addresses of an employee of my organisation. Fact of the internet is there are enough documents already leaked, where my employee information, email id, full name, and all those things are there. So ChatGPT can find that. Second instruction: Draft an email which pretends to be coming from the head of IT, asking them to change the password because their access is going to be restricted. It can draft that email. Second, ask it to create a web page which could potentially look like the IT system admin page of CloudSEK. It can do that. It can also make a code to send that email to all those people, which we identified. And even if a percentage of them click and fill the passwords, AI now has passwords to my inboxes, right? All those things today itself a machine can do. For right now. I’m just putting a very high level possibility of what could happen in the future. But a lot more things can happen.

Siddhartha Ahluwalia 19:31

And you’ve seen how many of these kinds of Dark Web hackers or unethical hackers would be there in India today?

 

Rahul Sasi 19:39

That’s a very difficult number to have. I don’t think there is any official data also on these because see in cybersecurity, we have a saying. You either hacked or you don’t know you are hacked. Similarly, if you don’t know you’re hacked, we don’t even know who would have actually done it in the first place. So it’s very difficult to actually conduct quantify and give a number to that

 

Siddhartha Ahluwalia 20:02

It’s like asking how many terrorists exist in—

 

Rahul Sasi 20:05

Yeah, I mean it’s not like they publish a database of— (chuckles)

 

Siddhartha Ahluwalia 20:11

But do you have data of how many ethical hackers are there in the country that prevent these kinds of attacks?

 

Rahul Sasi 20:15

I would say not enough. I don’t know the exact numbers.

 

Siddhartha Ahluwalia 20:19

But like 1000-10,000?

 

Rahul Sasi 20:21

In lakhs at this point of time. And what I know is the number of job opportunities, the number of skilled labour in this field is significantly less.

 

Siddhartha Ahluwalia 20:35

And why is India not able to develop enough of this ethical hacker talent that prevents these kinds of attacks?

 

Rahul Sasi 20:44

And what is the infra required to create like world class—

 

Rahul Sasi 20:44

Well, see, even if you look at the academies today, there are many colleges who teach cybersecurity but have nothing to do with the actual cybersecurity. The real world of cybersecurity. There are maybe a handful of colleges who give their students hands-on experience on what is happening. It is like learning to swim online. That’s how most cybersecurity courses are. You need to go in the river, ocean to swim, right? That infrastructure we don’t have today.

 

Rahul Sasi 20:55

I think IIT Kanpur has a lab and they have some really good professors who are passionate about some… Sandeep Shukla is one of them. First, you need to have a good teacher who understands the subject, right? The real subject, not just textbook subject, which was taught 20 years back, [inaudible] by the way, and then that person needs to have enough funding to build a lab and a system where people can actually practise things. That’s what I’m saying. Cybersecurity isn’t a topic you can read and learn from books. That’s like the most bullshit way of learning cybersecurity. It has to be practised. So for that, you need the lab facility or you have to look at real world scenarios. I think I would say it’s the adequate funding and the resources and someone to lead it at this point of time.

Siddhartha Ahluwalia 22:14

Which is the best nation in the world in terms of producing the best quality cybersecurity talent or dark web prevention talent?

 

Rahul Sasi 22:23

Cybersecurity… debatable. The U.S. is a large country so they have a lot of talent in space. Israel because of the nature that because cybersecurity then is part of defence under defence, and they are a country, they teach their citizens to have defensive capabilities and part of their life they’re also exposed to some level of cybersecurity.

 

Siddhartha Ahluwalia 22:50

I think in three countries in the world, I remember. One is Israel. Other is Singapore. Other is South Korea. Israel, Singapore and South Korea. Yes. There is a two year mandatory training after a plus two like when you’re 18 years old. Every citizen has to go two years of military training.

 

Rahul Sasi 23:07

Military training. Right. Right. So some of these military people are thinking about defending, protecting data, defending infrastructure, I think somewhere they are getting exposure to these things. But you can’t really say at this point of time that these countries have the best, or this wouldn’t have the best.

 

Siddhartha Ahluwalia 23:24

But let’s say today, if we see the number of companies in cybersecurity, Israel has the highest number and is the gold standard.

 

Rahul Sasi 23:32

Yeah, I mean, if you’ve got a number of startups in cybersecurity, they would have the most, which I said is because of the first point which I mentioned. But you can’t necessarily say that, yes, the concentration and the kind of people. They have good, skilled people. But you can’t now say that we don’t have those skilled people either. In the last 10 years, we have had a significant number of people coming up. In fact, if you look at Facebook, or Google’s bug bounty. Bug bounty is where companies pay security firms money to find a security incident. So Google typically pays $10,000, which is seven lakh for a good security bug. Now in the top three list of each of these or take the top 10, you’d see Indian security researchers. I’m not saying bug bounty is the thing to look at when you’re ranking security skills. It is one of the things you can look at. That data is publicly available. But I think down the line, we’ll have a lot more people coming.

 

Siddhartha Ahluwalia 24:46

Right now which are the top companies in India in the cybersecurity space? Startups or companies? Like Palo Alto Networks, I know is—

 

Rahul Sasi 24:56

That is because of their revenue in the U.S. I mean, in terms of revenue. India sees that’s one thing, the last company which got listed in the public market, and in the last 5-7 months is Qyuki. They got listed almost… Qyuki is an endpoint security, antivirus sort of security solution. It got listed almost 14 years back. A little more than that. But then I would say that the market did not support them enough. Because, you know, there’s still a lot of understanding in the commoners on, you know, the potential of space. But they are the only ones in my perspective, like a good product company, in my perspective a listed company. There are so many other small ones, but I would not name them.

Siddhartha Ahluwalia 25:47

There is a popular web series called Jamtara. Have you seen it?

 

Rahul Sasi 25:49

Yeah, I mean, seeing that I know I contributed to some of the data sets.

 

Siddhartha Ahluwalia 25:57

In Jamtara? What is Jamtara, for our audience?

 

Rahul Sasi 25:58

So this is actually a place in the country where a lot of scams originate. You would see people creating fake social media profiles and say, “This is from Ola.”. Now anyone who has an Ola account will go on twitter and say they have some issue with Ola. Someone will respond saying that they are calling from Ola customer support and to call them on a specific number. The poor people will call. This is not just Ola but every bank has this problem. Every consumer facing company has this problem. Now the poor guy will call and these guys will pick up and play along and have all the music in the background. They’ll even make the person hold for a few minutes and then say ‘Hi, what is the problem?.’ The customer will explain what the problem is and then they will send an OTP and ask them to verify which is an OTP request to make a transaction from your account.

 

Siddhartha Ahluwalia 26:35

But how did they get access to the account?

 

Rahul Sasi 27:15

You can actually use some portals. For example, you can connect your Paytm account to other online services, which provide OTP. I have a number. I can go put your phone number in that service. The verification has an OTP coming to you. So while on the call, I’m saying I’ve just triggered an OTP for you. Can you just quickly check. On the call, you’re not looking where this OTP is coming from. You will just read it out. And within seconds, they’ll just take all the money. So like this, they create fake call centre numbers. They create fake web pages. One of the things we solved for Ola particularly was that when the government announced that EV, electric vehicles are going to get a subsidiary. The demand for having an EV dealership went up. Now these attackers are putting up Ola similar looking pages, which are accepting EV dealerships. Now people are searching on the internet and seeing Ola dealership pages. They land up on those fake pages. You give all the information… phone number, full address, blah, blah, blah. And then they call you saying that, ‘Sir? Your request is pending. It will be verified in a few days.’ And they call again, ‘Sir, you’re now eligible for the dealership. You have to pay a five lakh rupees down payment.’ You know the number of people who paid five lakh rupees?

 

Siddhartha Ahluwalia 28:42

How many?

 

Rahul Sasi 28:43

1000s of people.

 

Siddhartha Ahluwalia 28:45

Already paid?

 

Rahul Sasi 28:45

Yeah.

 

Siddhartha Ahluwalia 28:46

And got scammed.

 

Rahul Sasi 28:46

Yeah, exactly. And so you know, we actually kind of now track these pages down the minister one register some of these pages. The minute someone registers some of these phone numbers, we help Ola take these things down proactively, so that good people don’t lose their money.

Siddhartha Ahluwalia 29:09

And why are these scams originating in tier two, tier three cities?

 

Rahul Sasi 29:12

So the Jamtara is a place where a lot of I’m sorry, a lot of these scammers operate from and why it is from Jamtara I forgot to mention. See one guy who has a skill becomes a teacher because they’re making money. Now one person makes money is influencing a lot of— see a cyber crime is inversely proportional to the economics. Right? When the economy goes down, crime goes up. So tier-2 cities the economy is bad. I mean, people are trying to feed their family, so they will do any sort of means to make that money.

 

Rahul Sasi 29:19

It was shown in the movie that in classrooms it’s taught how to scam people.

 

Rahul Sasi 29:56

Yeah. Yep, that’s right. Yeah, that’s it. [inaudible] It becomes an economics.

 

Siddhartha Ahluwalia 30:05

And why doesn’t the local police force and government take action against these people because they know them. The schools are running on ground, They’re not running on Cloud.

 

Rahul Sasi 30:14

See, I mean, there were many officers who might know who has worked on some of these cases. In fact, this morning, I was also with an IPS officer, who was part of the IB. He was telling me how some of their work or in their work influenced other police in different parts of the country to take down some of these scamsters. The problem is, the number of crimes is higher than the people we have, the officers who have to track them down. So you can only take down one or two, because the investigation will take time. And like you said, there are hundreds of people like that, how will you even tackle it? So that’s where we are at this point of time.

 

Siddhartha Ahluwalia 31:02

And can you give some stats how this is increasing year on year, in India and globally.

 

Rahul Sasi 31:12

See, like I said, every time when the economy goes down, we see this shooting up. Now, I can’t predict how or where the economy will be, you know, at the end of next year. But in my perspective, what I am seeing is that the information or the skill needed to do these things are now readily available. Which means even if in a 100 million population, 0.5% of the people are bad, that itself will become a sizable number to create enough havoc. So I will only see these things going up rather than coming down.

Siddhartha Ahluwalia 31:53

And there are Chinese loan app scams.

 

Rahul Sasi 31:58

That’s even crazier, by the way. So here, what they’re doing is, again, different forms of scam. Here… People— this all started with the COVID time, and I was also part of the RBI Committee, which has put this together. What was happening was that at the time of COVID, people in the workforce were at a shortage of cash, like they were not getting money. They needed urgent cash. So all these loan apps started coming up. The loan apps, you know, you just register with your PAN number. You install the app on your phone, they’ll instantly give you 10,000 rupees with a high interest rate of 25 percent or 30 percent, whatever. And what we saw was the app guys, now have literally full control of your contact, contact information, all your gallery, because the app is installed. You gave all the permissions to the app, at the time of getting their money credited. Now these guys have downloaded all— because once you give access to your gallery to an app, the app has full control on your gallery. Anytime the app can download data and take it home. So every person who took money, they literally went to their databases, downloaded all their contact information and images stored on their phone. Now when they defaulted, or in some cases, even not defaulting, they came back and said, ‘Well you took 10,000 rupees from us. Now you owe me 30,000 rupees. If you don’t pay me that money now, I’m going to send every person your contact details, your critical sensitive images, which you have.’ Or in some cases, in some cases they started morphing, also some of the images, and then creating WhatsApp groups with those 10 contacts and humiliating people. And people committed suicide because of this.

 

Siddhartha Ahluwalia 34:01

How many people would have committed suicide?

 

Rahul Sasi 34:03

I am aware of almost 10 different cases.

 

Siddhartha Ahluwalia 34:06

That’s why it became such a critical issue for the country. And this all data originating in China? Why was it called Chinese loan app scams?

 

Rahul Sasi 34:18

So what we saw was the money— because they were making huge returns. What we saw was that the owners of these apps were not actually sitting in India. The money was actually coming from outside and was going outside. It was like, you know, how the Hawala thing works or how money laundering works, right.

 

Siddhartha Ahluwalia 34:46

For example, tell our audience how Hawala or money laundering works.

 

Rahul Sasi 34:51

So let’s say they scammed a lot of people, and made one lakh rupees. Okay, I’m just saying hypothetically one lakh rupees. One lakh rupee has to go to their managers or the owner sitting in China. With our current regulations, you can’t send money out just like that. Now, Hawala money laundering works so I will not be able to put public evidence but part of the research we saw in Tirupati or some of those places where you sell hair. You donate hair, and this hair is eventually going somewhere and gets sold. So the commodity of hair is going out. So let’s say a Chinese buyer is buying their hair. So goods can go out but the payments to that goods are coming from the loan collection agents here. So they get their money here. So technically, Hawala money laundering has happened.

 

Siddhartha Ahluwalia 36:01

And was Bitcoin cryptocurrency also involved in this?

 

Rahul Sasi 36:05

Yes. So then what happened was when the cops tracked these people down— by the way moving money out is the most important thing, right? In some cases, what we’re seeing is that they were buying crypto coins, Bitcoins. Not actually buying to be honest. They were scamming users pretending to be giving them job offers. They reach out and say there was a part time job. And you give them a job. First what they do is, they say there is a job and they enrol. They do a job and they pay money also. They pay them 5000 rupees or something. So now the trust is there. Now you say that you want to do an advanced level job, buy Bitcoins worth one lakh rupees, invest in this business, and you can make more money once they establish the trust. So that way, individuals were converting money to Bitcoins, and then they were getting syphoned out as well. But so many things that way.

Siddhartha Ahluwalia 37:08

And there are other popular scams also right? Getting constant emails that I have money sitting in Kenya. I want to transfer it to you (chuckles).

 

Rahul Sasi 37:17

Yeah but those mostly are like, you know, those we don’t see anymore. It used to happen, like many years, but now there are more successful, you know, mechanisms. So we don’t see these very often these days. But still it works, you know. See you have to understand, they send this email to 10,000 people. There’ll be one gullible person who would, you know, believe that there is a Nigerian prince and fall for it. But we see a lot more of the ones which I’ve mentioned than the others today.

 

Siddhartha Ahluwalia 37:48

And this is one part of a phishing attack, right? You’ve also shared that hackers wrote emails to your employees, like, from a different email id attending as Rahul Sasi.

 

Rahul Sasi 38:05

Correct. That happens a lot, by the way. And this is also… We believe this is one group, which is, again, originating from China. or

 

Siddhartha Ahluwalia 38:15

This is a phishing attack?

 

Rahul Sasi 38:16

This can be a phishing thing where people are creating WhatsApp accounts with my photo, and then immediately reaching out to people on WhatsApp.

 

Siddhartha Ahluwalia 38:29

And how do they get access to your employee?

 

Rahul Sasi 38:32

There are enough lead generation platforms out there, which will give you the entire employee details and phone numbers of CloudSEK. Not just CloudSEK but any company. Lead gen platforms. So they scrape these data from these lead gen platforms actually and then they use it to—

 

Siddhartha Ahluwalia 38:49

Yeah, so a phishing attack is whenever a person pretends to be somebody else, right?

 

Rahul Sasi 38:54

Correct. There are different vishing attacks which are called voice. That means use the voice you call and if you know, there are enough AI tools, which you can, I can literally mimic your call because I have your podcast. I can get your audio. I can train an AI model to speak like you. Then I can make a phone call to your relatives and say I’m Siddhartha, the same way you speak. ‘I’m stuck in an airport. Can you just do a UPI translation of this amount?’ That’s happening now I said okay. So that is vishing, voice based phishing. Phishing means you know any other way of pretending to be someone.

 

Siddhartha Ahluwalia 39:36

And these attacks are increasing more and more.

 

Rahul Sasi 39:39

Because technology is growing. Now, like I said, right, AI can do these jobs much better. And phishing is one thing you would never see going down. One form or the other will always exist because humans are the weakest link in cybersecurity. There will always be one person who will make that mistake.

 

Siddhartha Ahluwalia 40:01

What is the Aadhaar data leak and some WhatsApp leaks?

 

Rahul Sasi 40:04

Yeah. So first of all, many places where they claim Aadhaar data leaked, you have to understand this data is not coming— Aadhaar infrastructure where we store all the data of Aadhaar people. Till date, we haven’t had an incident where the Aadhaar database has been breached. So people crying Aadhaar data breached, which is wrong. So that infrastructure was never breached, according to my knowledge. What has happened is people give their Aadhaar information to everyone— when you register a new phone, when you register for a new house, a new loan application, when you register for your insurance, people give their information to so many people, companies, small companies. These people store these data in a very insecure way. There was a case where you can actually browse to the website of one of the insurer brokers. Just browse through a particular website, particular folder, you can get all the Aadhaar data of everyone who has subscribed to that broker.

 

Siddhartha Ahluwalia 41:16

And, you know, so third party brokers are getting leaked because they have access to your Aadhaar.

 

Rahul Sasi 41:23

Correct. Correct. So all the Aadhaar data leaks you have been hearing is about leaking from all the third parties, whom you have given information to.

 

Siddhartha Ahluwalia 41:30

I registered on a cab ride using my Aadhaar for KYC. That KYC app gets hacked. The ride hailing app, then my Aadhaar data leaks.

 

Rahul Sasi 41:41

Exactly. That’s how all the leaks you’re hearing are coming from there. And there’s a lot of that.

Siddhartha Ahluwalia 41:47

So how does one person build a career in cybersecurity? When there’s so many incidents happening right, you mentioned practical knowledge is one but where does one attain this practical knowledge?

 

Rahul Sasi 41:58

See, like I keep saying, cybersecurity is one thing you should not be reading books. You should be having skills, not theoretical knowledge. You can read books, I’m not saying you should not. But this is like learning how to build a lock. You know the theory of how you build a lock and you’ve dismantled the lock knowing how the whole thing operates. Now by the virtue of you knowing the lock, you are a locksmith. Now you can unlock any locks and even suggest a better architecture to build a lock because you know it. So both here, theoretical obviously, and really good hands-on skill is required to be a good cybersecurity person.

 

Siddhartha Ahluwalia 42:41

How do people attain that hands-on information?

 

Rahul Sasi 42:41

For me, I spent my time in my college. Everyday after college, I used to go to my internet lab, skip my dinner. I still don’t eat dinner because of a habit I formed from college. So from four o’clock to 10 o’clock, because that’s when the internet lab closed, I hustled being in the lab, learning and whatever I learned I practised in whatever infrastructure I can find.

 

Siddhartha Ahluwalia 43:09

Another important thing you mentioned is that it can’t be learned from books because by the time [inaudible].

 

Rahul Sasi 43:17

Yeah it’s like, books are like very outdated because in cybersecurity, there is always a new way of doing things because the old way defenders would have fixed it. Now the attackers find a new way.

 

Siddhartha Ahluwalia 43:33

Almost you’re fighting a new rocket launcher with an old pistol.

 

Rahul Sasi 43:39

Yeah or everyday you learn to swim in your pond but the sea has, like much it’s much more difficult to swim in the sea so imagine now the sea concept every day. There’s a kind of wave where you don’t know how to swim.

 

Siddhartha Ahluwalia 44:02

And I want to talk more about artificial intelligence as part of this podcast. What inspired you to marry AI and cybersecurity in the first place?

 

Rahul Sasi 44:16

Long answer to this. See the whole AI thing right and in my perspective, it’s the next step to evolution. Like, it’s the next big thing to be honest. And I don’t know at this point, whether it’s gonna be a good thing or a bad thing. I’m excited. I also have this philosophy that if I don’t understand something, I should not fear it, but I should try to understand it. So I tell you why AI would be the next big thing and why we choose to build a company core on AI. If you look at evolution, and if you think evolution as an algorithm, what is an evolution algorithm? Survival of the fittest. If this guy is not strong enough, he perishes, which is simply a condition, a program. It’s an algorithm. Now that algorithm created the fish, the monkeys, the humans, right? Let’s say each of them is a version. Fishes, version one. Monkeys were version two. Humans were version three. But that algorithm created us. And if you look at, on the other end, a neural network, which is what powers an AI is also an algorithm. The outcome of that is ChatGPT 1, ChatGPT 2, ChatGPT 3.

 

Siddhartha Ahluwalia 45:40

What is a neural network?

 

Rahul Sasi 45:41

It is basically… Okay, so two parts. Neural network is how we show the neurons enough, it is basically a simulation of how the neurons in our head functions and how we make a decision. And then you tie up neural networks to reinforcement learning. Reinforcement learning is not telling you how to do something, I’m not writing a code to do something, rather, I’m giving you a goal. Go figure out how to play football and win a game. So the neural net along with reinforcement learning, we’ll keep playing football again and again, till it finally wins again. It keeps on learning, evolving till it finally gets there. So that is how the use of neural networks functions. Now, the outcome of the neural networks with a reinforcement learning is ChatGPT 1 and ChatGPT 2. And ChatGPT is like a large— it’s called LLM. So what they have done is they are teaching these machines to learn an abstract view of how the world communicates.

 

Siddhartha Ahluwalia 45:46

What is LLM?

 

Rahul Sasi 46:10

Yeah, well, one movie which inspired me, in fact, to even join computer science, for that matter. You know, yes, it talks so much about the concept. And yeah, absolutely.

 

Rahul Sasi 46:39

Large language models it’s called. Basically there’s one thing you know, let’s take every Wikipedia article. You use that to make a machine tell, let’s say, I say I. What is the next word that could happen? I am, I will, right? So the machines will be able to predict what is the next sequence of the best fit sequence of the word. Now you give a prompt. You write an article about something. Write an article about the Neon Show. Now, it will start with the Neon show. It is a great show. It will be able to put this thing together because it knows which is the best word to use to get to the goal. That’s how algorithms work. So now as of today, if you look at the current level of algorithms, it has an abstract view of what the world has spoken, or things about itself. And on top of that, they’re building more rules. They’re saying that you should do it this way. If this data comes, you should do it this way. And that’s how you see some of those outcomes, you know. It is able to write poems. It is able to do a lot of human tasks for us today. Now, back to my original point. Now you have to understand, evolution created us. Yeah, this is an algorithm. Neural Networks was reinforcement learning. Learning created these different models, who are capable of doing certain tasks like these guys are able to do. But the difference is this evolution took billions of years. ChatGPT 1 started in 2017. And we are four, which is one of the best models in 2023. In the computer world, things happen much faster. So whatever happened in these evolutionary steps, it took billions of years, but could happen in 10 years. So we might be able to create much smarter capable machines in a short period of time. So the thought is whether these smart good machines will be good to us or bad to us. That’s something I don’t know, at this point of time. I can’t decide. But this is my thinking also, at that point of time is when these smart machines evolve, which will happen at some point of time, and they are gonna start attacking all the machines which are out there. You would need machines controlled by us smarter like them to defend.

 

Siddhartha Ahluwalia 49:34

Exactly like the Matrix right?

 

Siddhartha Ahluwalia 49:49

It’s a fight between the machines that humans created are now controlling.

 

Rahul Sasi 49:55

I will also say that it might not— Okay, South Korea might have their own bad AI. Okay, that AI will try to destroy the enemies of South Korea. So it might not even be humanity vs machines. It might be machines vs machines controlled by countries as well. What I’m trying to say is that the future, and again, is unknown. I believe the future would be machines trying to attack machines, not humans anymore. So—

Siddhartha Ahluwalia 50:31

Why is that? Why will it attack humans while—

 

Rahul Sasi 50:32

Because they are much more capable of executing these tasks without getting tired.

 

Siddhartha Ahluwalia 50:39

There’s a popular narrative in Hollywood movies, especially action movies, that the machine takes control of the nukes. The nuclear missiles which every of these countries have. And then they fire on.

 

Rahul Sasi 50:52

Yeah, yeah. I mean, I guess it’s like I don’t know, at this point of time, whether it will be good for us. First, but but but if you simply put the geopolitical system today, yeah, Each governments can have their own versions, which is going

 

Siddhartha Ahluwalia 51:06

Right now. ChatGPT is very simple. Like, if so, what’s your understanding of ChatGPT? What is it?

 

Rahul Sasi 51:13

It’s basically, you know, what you and I know about the world. The same knowledge is represented in the form of a simple CSV file. It’s a single file, which is a comma separated file, which has got a lot of mathematical numbers, but eventually can do some of the tasks which you’re doing.

 

Siddhartha Ahluwalia 51:31

The writers have to write an essay, it can write an essay for me.

 

Rahul Sasi 51:35

Correct.

 

Siddhartha Ahluwalia 51:37

But that’s the limitation of where I want to create a page.

 

Rahul Sasi 51:40

It can do that, right? Yeah, it can do that.

 

Siddhartha Ahluwalia 51:44

It understands.

 

Rahul Sasi 51:45

Yes, that’s version four. I don’t know that’s, that’s the version four in four years, or 10. Imagine 10 years. And this for years, people didn’t see when I say people, literally few companies were building these LLMs. Okay, here to understand before only Academy MCs were doing new AI research. No private companies stepped into it. Academies have very limited resources. But Google has been doing AI for a long period of time, that’s something we have limited. Whether it’s Google, or there’s a few companies playing around with it. But mostly it was academics. But now Microsoft and ChatGPT showed the world that there’s so much more you can do. What is going to happen? There are like $200 billion companies who have a billion dollar cash reserves sitting, or what do you think they want to invest in? They’ll try to build their own versions of LLMs, or AI sitemap, for that matter? Each will have one version?

 

Siddhartha Ahluwalia 52:48

And do you think people will lose jobs because of it? Because a lot of human stuff repeatable stuff,

 

Rahul Sasi 52:52

See jobs…

 

Siddhartha Ahluwalia 52:56

If I train my model on the podcast of Neon Showand on your model on the podcast, then these two models can interact and do another podcast, which is just one machine.

 

Rahul Sasi 53:06

Yes, yes. Now so even much of the video editing tasks today, and you can create reels from this thing. Many AI tools even today can build that real out of edit, put some content in between. Build it. See one thing I can tell you. One thing I can immediately think of in the next few years, you will see people using AI to do their jobs better. At what level? So that is how it is going to be. People will transition to or use these tools to do their jobs better. And I think that the next 5678 years will be like that. I don’t know what time it will flip completely. It is quite difficult to make that—

 

Siddhartha Ahluwalia 53:54

I’m trying to imagine a world where I don’t have to reply to my emails or WhatsApp messages. Let’s say for example, as soon as I get an email, AI drafts an email for me and I just have to review.

 

Rahul Sasi 54:05

Technology can do that today. It’s just that you don’t have access to that technology, but ChatGPT has made API’s available. Now you can programmatically make that happen.

 

Siddhartha Ahluwalia 54:15

Every email that lands in the inbox, you are saying an automatic response will be drafted.

 

Rahul Sasi 54:20

Yes, accurate, very accurate responses. You can even teach the new models what they have done for us, you can actually teach them how Siddhartha Ahluwalia writes emails. So go through all your previous emails to see this is the way you respond. So it can make those even that’s possible today.

 

Siddhartha Ahluwalia 54:38

And is anybody using that?

 

Rahul Sasi 54:42

See only it takes some time for technology to be adopted. And when you see a bunch of people using it. We are in the early days, to be honest, but it will catch fire pretty fast.

Siddhartha Ahluwalia 55:00

And what’s a lot of debate on privacy going on? What’s it about in the world?

 

Rahul Sasi 55:07

Well see, privacy is fundamentally about having your data given to someone, you need to have the right to know what they’re going to use that data for.

 

Siddhartha Ahluwalia 55:17

Whether you can stop them using your data or not.

 

Rahul Sasi 55:19

Correct. Correct. I mean, you know, you see all the 2340 apps on your phone have some amount of access to your data. Now, like I said, how the Chinese guys are taking data without your permission. If one of your apps is doing that, that’s something you need to be told. So all the privacy locks are coming out is basically saying that if your data is being collected, people who are given the data should know how you want to use it, they should also have the right to destroy the data, your story is on a high level the principles of privacy. Under that comes security, right? I mean, you know, we collect data, store it securely, etcetera, etcetera, or sub categories, but this is on a high level, what privacy is all about?

 

Siddhartha Ahluwalia 56:01

And why so much debate on different governments having a different standard? Europe has a different standard of privacy. U.S a different standard,

 

Rahul Sasi 56:10

It’s all evolved from GDPR.

 

Siddhartha Ahluwalia 56:14

What is GDPR?

 

Rahul Sasi 56:16

I mean, this is the European Union version of privacy, data protection, Global Data Protection Act.

 

Siddhartha Ahluwalia 56:29

So Europe decided among themselves that they’ll follow GDPR?

 

Rahul Sasi 56:31

Yeah, yeah. And enforce anyone who has to do business with Europe to follow the same as well.

 

Siddhartha Ahluwalia 56:40

Does India have any form of privacy laws right now?

 

Rahul Sasi 56:42

A PDP bill, which is now passed as a variant of—

 

Siddhartha Ahluwalia 56:47

What is that?

 

Rahul Sasi 56:48

Basically thing sending, you know, just make sure consumers data is protected, not miss, you know, find that getting imposed right all over the world, like, yeah, Europe. Yeah, that’s cybersecurity. That’s funny. This market is actually driven by regulations, regulatory, if you look at the, if you look at this pace, the last 10 regulations that came is a headwind for marketing companies. Google Facebook, yeah. Their business is hampered by this. But the cybersecurity market is booming because of the same regulations. This is a headwind for us. Sorry, it would be a tailwind for us.

 

Siddhartha Ahluwalia 57:24

And that’s why we see the largest global company in the space is Palo Alto Networks, right. Yeah. Which became from $20 billion to $100 billion under Nikesh Arora.

 

Rahul Sasi 57:34

Yeah, yeah, yeah. Yeah. No. I follow them closely.

 

Siddhartha Ahluwalia 57:39

What are other companies that you look up to in this space?

 

Rahul Sasi 57:43

Cylus is there. They have been there for quite some time. But I mean, I look up to them, because, you know, they are not like that so there are a lot of startups who came, you know, grew pretty big. Then kind of like struggle because they are like an aggressive growth path. Cylus and then a couple of other companies. They’re not growing like an aggressive fast, but they’re very strong businesses. They like profitability is their growth. they’re obviously very strong winds and you know, just going to go down, like a house of cards. Those businesses have very strong unit economics. I was actually in the Palo Alto network. Met the CEO and they were telling me, and that business has been there for like, for 20 years, 20 plus years, plus years. They always look for the core unit economics of their business more than anything else.

Siddhartha Ahluwalia 58:53

Thanks a lot. I really enjoyed doing this podcast.We talked about various things. We talk about dark web security, we talk about artificial intelligence, we talk about various camps that are going on in India globally. Right and what kind of talent is required to bring India on the forefront? What is your last piece of advice for professionals who want to build a career in cybersecurity, talk with security? Right, you mentioned they have to get hands-on practical experience. But let’s say for the next 10 years what they have to do, yeah.

 

Rahul Sasi 59:25

If you ask me, which is the area I want to spend my next 20 years, I would say cybersecurity. While it creates wealth, for me and my family, my investors, my people, more than the wealth. It has the capability to protect the lives of people. Like I said, Tomorrow everything is going to be smart. Smart fridge, we have smart fridge, smart bulbs of homes are sitting. What is everything? Everything is a computer, right? And pacemakers today, you can actually remotely high, you know, destroy someone’s pacemaker and kill that person. Technically, now, our effort is not just protecting computers, but saving lives. So I believe the space is going to be like, going to have enormous potential in the future now and in the future, because it saves doing so much for the community. And I believe when you make money, while helping people, that’s the best way to make money. So that’s what I have huge respect for not every other cybersecurity professional, but everyone who’s supporting that ecosystem.

 

Siddhartha Ahluwalia 1:00:52

Gold. And you think that there’s no scope for beginners to learn the space in the next many years?

 

Rahul Sasi 1:00:58

No, absolutely. As long as computers are going to be there is always going to be something.

 

Siddhartha Ahluwalia 1:01:03

And even if let’s say tomorrow, CloudSEK, you get a good acquisition offer. You sell CloudSEK, you’re going to find another company in the same space of cybersecurity.

 

Rahul Sasi 1:01:10

See, I mean, selling, I think, I think we should only think about selling the company if you’re not able to perform right? As long as we are able to double our revenues every year.

 

Siddhartha Ahluwalia 1:01:20

And it’s something that if Palo Alto Networks hypothetically come to you tomorrow with a $1 billion offer, what can we do?

 

Rahul Sasi 1:01:30

The thing I mean is, listen, I enjoy what I’m doing right now. I don’t think about the question I always ask: what will I do with a billion dollars? But then if it adds value to my investors and my people who are supporting me, then I will also have to consider that but I would not say that will be my first interest. My first interest would be to build a Palo Alto then get acquired by Palo Alto.

 

Siddhartha Ahluwalia 1:01:59

And what is required for CloudSEK to become Palo Alto.

 

Rahul Sasi 1:02:01

I think doubling every year, or more than doubling, tripling year in revenue is definitely something. The headwinds are also going to help. Seeing large good businesses will take time to build and… forgetting the name of the company. It took them 13 years to do 10 million. And it took them another five years to do 800.

 

Siddhartha Ahluwalia 1:02:28

It’s Klaviyo or Atlassian. Which one?

 

Rahul Sasi 1:02:32

Let me get you the name. I’m bad with names. And I just shared this with the team yesterday. Yeah. It’s called Procore Procore. They’re at an 8 billion market cap today. It took them 13 years to reach 9.6 million revenue, eight years to reach 890 million. Procore is the company.

 

Siddhartha Ahluwalia 1:03:00

And this is in cybersecurity?

 

Rahul Sasi 1:03:02

Technology not cybersecurity, cybersecurity, again again, you know. At this pace we’re just growing. I mean, like I said every new regulation is actually a tailwind for us. So I would definitely put my next 10 years here. Yeah.

 

Siddhartha Ahluwalia 1:03:19

You are what, 36 right now? Today, your age.

 

Rahul Sasi 1:03:26

I’m 35.

 

Siddhartha Ahluwalia 1:03:28

Okay, yeah, you think you want to do it till you’re 50?

 

Rahul Sasi 1:03:31

Yeah I mean, what else will I do?

 

Siddhartha Ahluwalia 1:03:34

Thanks a lot Rahul. Highly enjoyed the conversation. Thank you so much.