Ransomware and Cybersecurity Cooperation
September 15, 2017
JAMES ANDREW LEWIS: Hey, good afternoon. My name is Jim Lewis. Welcome to CSIS.
Today’s event is on “Ransomware and Cybersecurity Cooperation.”
I’m not intending to do any work because we have such a great panel. So in fact, I was thinking of asking Dmitri to moderate and then I could just sit here. But we’ll go ahead and get started.
Let me introduce our panelists with their name and title. Their full bios are on our website, so you can find them after the – after the event.
We have – in the order in which they’re going to speak – Ben Vaughn, who’s the vice president and CISO, Hyatt Hotels Corporation; Dmitri Alperovitch, co-founder and CTO, CrowdStrike; Kristin Royster, senior vice president, Global Cyber Security Public Policy, Bank of America; and finally, John Lynch, chief, Computer Crime and Intellectual Property Section, Department of Justice, known to the rest of the world as CCIPS.
So with that, I think what we’re going to do is we’re going to have Ben, who had some direct experience with some of the bigger ransomware events, open it up. Then we’ll go to Dmitri to tell Ben where he got it wrong. And we’ll have Kristin talk and wind up with John, who can tell us what is going on in the law enforcement community. And I’m just going to be ornamental, which will be hard, I know. But Ben, why don’t you go ahead?
BENJAMIN VAUGHN: Sure. Good afternoon. Very pleased to be able to share with you our tale of woe regarding ransomware.
So, you know, we’ve been building out a very elaborate cybersecurity program at Hyatt for quite some time. And one of the great things that comes with building out that capability is having the right people in place to respond to the right things at the right time but also being able to institute the policy changes that are required at a large company to prevent things like ransomware from affecting your company dramatically.
And the reason why I say that is on June 27th – it was a normal day for me and my team – we get to work and we work our service desk tickets from the field, from our hotels, with various incidents – you know, a phishing campaign here, a virus infection there. And the team works the tickets every day. Well, we had one ticket regarding a hotel in Europe that had an infection on a computer server, a ransomware infection.
Now, a ransomware infection at a large corporation on one computer is actually a fairly common occurrence. So to us, it’s something that we work the way that we work through our incident response plan with every incident that we have. But there were a couple things that were weird.
So first, we had an infection on a computer server rather than a desktop. And then second, we started to hear all this tell, both in the news media and in private mailing lists that we participate in, of some sort of a global ransomware attack.
As my team is gathering information about that worldwide attack, you know, we give our IT manager at the property a very specific instruction, because we’ve dealt with this incident before, which is shut the computer off, restore it from our cloud backup service and move on.
What we learned throughout the day of the 27th was that this was the NotPetya cyberattack, that this was a highly virulent strain of malware that also had ransomware-esque capability and that the primary function of that ransomware was to do things other than just infect one computer – namely, infect multiple computers as a worm.
We were able to validate that our hotel and our enterprise wasn’t affected by those aspects of the malware because we were regularly patching against vulnerabilities, including the vulnerabilities that were being exploited by this software.
And then we settled in with my team. My team and I sat down, and I said, OK, so this is a ransomware infection. These usually begin with a Word document in somebody’s email. So where is the email, right? Everyone in the security community actually, in all these private mailing lists where information-sharing is being done, is asking, where is the email? Where is the web page? Where is the source of infection? And we couldn’t find it. Our infection was on a file server. Nobody is using that as a desktop. There is no email being read. There is no website being visited.
So I asked my team, look into this, figure out what the source of this was. And since we have some fairly advanced tooling deployed that allows us to see what may have happened in the past, we were able to identify the source of this infection as a malicious software update from a mandated tax accounting software package for the hotel that does its business in that – in that country.
That was very valuable information, of course, to us, right? We know the source of the infection. And that’s when we had an opportunity to make a decision, right? We were not affected by this attack. We were safe. Our guests were safe. Our colleagues were safe. We could call it a day.
Or alternately, we could make some phone calls. And we chose to do that. So we wrote up some detailed documentation about what we had found. We provided that information to Dmitri and to his organization and to a number of private mailing lists consisting of like-minded people who share information. And our understanding is that that information we provided was invaluable in protecting people. That’s the story, right?
But what I’m here to talk about today, the thing that I thought was so important about that was that we made a conscious decision to share some information and maybe protect others. So yeah.
MR. LEWIS: OK. Great. Thank you.
I should’ve mentioned at the beginning this event is being recorded, livestreamed. So you’re all out there in cyberspace. Wave to the camera.
DMITRI ALPEROVITCH: You want to take all that back, Ben? (Laughter.)
MR. VAUGHN: I was aware. I was aware.
MR. LEWIS: A bit slow on the uptake here, aren’t we?
MR. ALPEROVITCH: So I want to thank Ben for doing a number of things that are actually fortunately pretty rare in our community: one, to come here and talk about a cybersecurity issue that he had at his organization. Virtually no one ever does that in our industry these days. You know, CrowdStrike gets hired a lot to do these investigations. Virtually every time now we get hired, we get hired not by the victim themselves but by their lawyers so that everything that we do is under privilege and can never be revealed. And that’s now sort of the default scenario. Everyone’s afraid of lawsuits and liabilities that can come as a result of these types of actions, and no one wants to talk about it.
Secondly, the information that Ben provided to us and others in the security community was absolutely invaluable and was – he was the first one to actually let people know that this was not a run-of-the-mill ransomware infection, that this came through the compromise of this tax software called MeDoc in Ukraine, and that was the original source of propagation.
In fact, so many companies initially assumed that if they’re fully patched, they’ll be fine. And that was not the case at all because the malware, while it was using some vulnerability, the same ones as the WannaCry malware that was released in May, it was also spreading through the MeDoc software and then proceeded to steal credentials inside the organization and spread throughout the organization.
So we actually were called in by a number of very large companies over the course of the last two months to respond to breaches where the companies were fully patched and were also fully decimated by these attacks. A number of these companies were down for weeks not being able to serve customers, having to go and actually rebuild every server in the organization.
And just think about what that means. This attack was actually not ransomware. It was pretending to be ransomware, but the reality of – the goal of the attack was to be destructive in nature because one of the things that the malicious code did is encrypted all your files and then threw away the key. So you could pay ransom all day long, you will get your data back in most situations.
But the key thing here was that it also not only deleted your data, or encrypted your data and threw away the key, but it also overwrote what’s known as the BIOS, right, the system software that’s responsible for booting up your machine, which means that every machine was effectively bricked, which means that you had to physically go to every machine and rebuild it from scratch. Now, imagine you’re a large company, 50,000 machines all over the world. You have to send people to every single location, manually go through each machine, taking hours to rebuild it, reinstall all the software, configure that software. You can imagine what a big problem that is.
And when I look at that situation – and we’ve now experienced it a couple times in the last two months – WannaCry, NotPetya – it strikes me that we are now in a new age. I remember for many years, whether it was the intelligence community estimates or private-sector estimates, we were talking about the fact that there was so much stuff going on, so much what’s known as CNE, computer network exploitation attacks, but God forbid one day we will have CNA, computer network attacks, right, actually destructive attacks.
Well, we’re here, and we haven’t even noticed. Literally in the last couple of months, we’ve had dozens of major companies completely destroyed, some with huge financial impacts. One company, a shipping company that was impacted, put out their financial statement saying it will cost some $300 million to recover.
You may recall the last big attack like this on a U.S. company was Sony in 2014. At the time the president came out and did public attribution of this attack to North Korea from a press podium. It was all over the news. And Sony came out afterwards and said it will cost them about $15 million to recover. Here we have just one company, 300 million (dollars), right? And this is not even a big deal. So we’re – it strikes me that we’re in a completely new age now where this has now become routine, and people are expecting this, which is really, really disturbing.
The other thing I will say is that both of these attacks are suspected to have – WannaCry and NotPetya – a nation-state nexus. And neither of them were truly ransomware. They were actually more destructive in nature. WannaCry had more of a ransomware component than NotPetya.
But when I look at the landscape going forward, what worries me a great deal is criminals realizing that instead of spreading ransomware targeting individual computers, individual consumers and asking for 300 (dollars), $500 from each person, a much better way, if I were to give them advice, would be to go after a company and take them down in this way. And they will cut a check in a heartbeat for millions of dollars to get back up and running. As we were dealing with these companies and trying to help them get recovered, we were getting daily peppered by the boards of directors of these companies, by the CEO, asking, can we pay ransom to get back up? In this case, you actually couldn’t, because the keys were thrown away. But if they could, I’m convinced that they would spend 10 (million dollars), $15 million in half a second to pay the ransom to bring their business back up because the reality is you are losing millions of dollars every day that you’re down, and you wouldn’t even think twice about it. So that is the huge threat that I see on the horizon is that this is going to become routine, and criminals in particular all over the world can realize how much money they make by going after these companies.
MR. LEWIS: Kristin.
KRISTIN ROYSTER: So working for Bank of America, we are part of the financial sector, which has long been the target of cybercriminals. I mean, it kind of goes back to that old adage or quote I think from Dillinger – you know, why do I rob banks? Because it’s where the money is.
So our sector has been having to deal with cybercriminals, you know, for a very long time. And I think because of that, we’ve had a lot of lessons learned. We’ve had to work through a number of different types of cyberattacks. Whether it’s true cybercriminals, or if you’re talking about DDoS attacks, now towards, you know, concerns over data integrity or data manipulation attacks, we’re a sector that has been constantly thinking about this and trying to get ahead of the threat actors.
And so what that – what that has enabled is a lot of sector partnership, a lot of information-sharing. So you can’t talk with someone from the financial sector without us mentioning the FS-ISAC. It’s actually a part of our membership agreement, I think. We have to talk about the ISAC and the benefits of it.
And since it started back in ’99, you know, it now has 7,000 members. And what that has done is that it’s built a lot of muscle memory into members of the financial sector sharing threat information with each other, so not seeing cybersecurity as any type of competitive issue but really what impacts one bank is likely going to impact the other bank. We are such an incredibly interconnected sector that it is in all of our best interests to make sure that that – that those systems stay up and running and that customers, clients and citizens have trust in said system.
So kind of to the points that have been made, there is no single – there is no silver bullet to solving this problem, you know. To the point that was made, patching isn’t going to solve it. But everyone needs to patch, you know. Strong authentication isn’t necessarily going to solve everything, but you need to have strong authentication.
So how can companies and sectors that have a lot of experience doing this start to really share those best practices and information with companies that aren’t used to being the targets of cybercriminals and convince them that these are things that they need to take seriously and that, you know, kind of to the livelihood of their company, need to start taking it seriously?
And so I think that’s where we start to look at partnerships within our sector. We look at partnerships across sectors with government partners, whether it be the FBI or through InfraGard, DHS and the National Cyber Security Alliance, working with chambers of commerce, both at the national level as well as the state and local level, and really how can we start to make the targets smaller, I guess, for the cyberthreat actors, make it more difficult for them to actually be successful at these cyberattacks.
And so that’s something that, you know, us as a member of our sector as well as just a member of kind of the global ecosystem I think are really trying to figure out what are the best ways to kind of spread the word about all of this and make everyone understand that, you know, they could be the recipient of an email asking for anywhere from 300 (dollars) to $3,000 for all of their information.
MR. LEWIS: Thanks, Kristin.
JOHN LYNCH: And I’m – of course deal with this from the – from the government side and the prosecution side. And, you know, we interact with all the types of groups represented by all three of the previous speakers. So I echo those comments to some extent.
When we’re getting involved in a case, it’s often after the bad thing has happened. In many cases, you know, Dmitri’s firm has been engaged for a few weeks. And then there is sort of a decision that, you know, they’re going to make a public announcement and call law enforcement. And we usually get involved at that point, FBI or Secret Service or another agency. And we’re now going to get in.
At that point, it’s hard to go back. Going upstream and trying to find where this all started is something that Dmitri’s group is very good at and does a lot of work in that – in that space, but it’s hard work.
So where we’ve tried to spend our resources and focus is more on the infrastructure that’s being built out there – the financial exchanges that support ransomware, the command-and-control channels that are supporting botnets, the virus check services that allow people to kind of make sure that they’re going to – their exploit, whatever it is, is going to get through the antivirus systems. And so that’s where we’ve tried to focus our work because frankly, once it’s happened, it’s more of a – it’s more of a cleanup problem and – than something that prosecutors can work directly on. It’s something that, of course, you’re – you know, we are very sympathetic. We’re talking to the victim. We’re trying to work through the issues. But the thing that the victim is going to be most concerned about after an incident has happened is more getting back up to speed, getting their infrastructure back up.
So we’ve tried to focus more on long-term work like botnet takedowns and trying to also develop some of the policy and legal infrastructure for that. One of the things we did in the last few years is get changes to Rule 41, which helped us to get legal authority to go after command and control and botnet channels. And that’s something that we’ve been working on. But for us – you know, we were talking just beforehand, you know, it would be nice if we can do a botnet takedown a week and – but in fact, these are – these are things that actually come in many cases – you know, there are – it’s hard work to get to the point where you can do a takedown.
And sometimes it’s just a matter of fortuity. Earlier this year we had an event where we had an individual who we believed to be responsible for a midsize botnet, a pretty significant one. And, you know, he was – he was located in a European country. We were able to do an arrest. And at the same time we were able to undertake a takedown of the Kelihos botnet at the – at the same time. But that took – we were able to do that – put that together in about two weeks. The criminal case against the individual is still pending, so I’m not going to talk about that part, but we worked with the District of Connecticut. They handled the criminal side. District of Alaska handled the takedown side. And we were able to kind of put together a – put together a takedown plan and execute it in a couple of weeks. But it is something that was a great deal of work and took a lot of explaining to the judges what – exactly what we were going to do, how we were going to make sure that victims weren’t going to be further victimized. And it’s something that we are continuing to work on. It’s something that without companies like Dmitri’s and others in that – in that field, we’re not going to be able to do that kind of work effectively. We have to – we’re really depending on that public-private partnership.
MR. LEWIS: What does that mean, John? I mean, when you say you’re going after the infrastructure and you work with the private companies, what does that actually entail?
MR. LYNCH: The private companies are out there mapping and getting a good understanding of where the command-and-control channels are. They are doing that sometimes through open-source research, sometimes through developing sources. They’re working with us, side by side at times; certainly law enforcement builds its sources as well.
But when it comes down to actually structuring a takedown, we’re going to have a technical piece of it where we’re going to have to have a solution that’s been tested. You know, the sort of nightmare scenario for the government is we go to a judge, we get the authority, we do a takedown, and something bad happens to a hospital computer in the worst-case scenario, but a business computer in another – in another scenario. And we end up doing more harm than good.
And so one of the things that we work with the private sector on is making sure that our – that we’re relatively sure that what solution we apply is going to be effective because we’re going to – my piece of it is I have to make sure that the legal authorities are in place. The FBI or Secret Service or other law enforcement agency is going to work with the private sector, in some cases literally in the same room, and they’re going to build the – build upon the expertise of maybe a private sector expert who has spent two years studying a particular botnet. And they’re going to – they’re going to have a pretty good sense of what techniques are going to – what techniques might – or are likely to work.
And, you know, in the case of Gameover ZeuS botnet, for example – that was a few years ago – you know, it was essentially a weekend of sitting in Pittsburgh. I wasn’t there, but my attorneys were up there with FBI agents and private sector people. And it was a sort of back-and-forth battle. We’d take a step, our adversary in Russia would take a countermeasure, and we’d – and we’d have to kind of take another countermeasure – but each one making sure we’re staying within the authority that we’ve been granted by the court and then – and then also trying to make sure that we don’t cause more damage than we’re remedying.
MR. ALPEROVITCH: Actually, in both the case of the Kelihos botnet and the Gameover ZeuS botnet, it was actually two of our researchers, Tillmann Werner and Brett Stone-Gross, who are some of the top botnet takedown experts in the world, that worked with the Alaska office in the case of Kelihos and the Pittsburgh office, set up a unit there to do the actual technical takedown. So for the day they were sort of deputized to be working with law enforcement to execute the technical operation. And it was years in the planning. These are some of the most sophisticated botnets in the world. They’re fully peer-to-peer and distributed, so you can’t just take down one node or two nodes. You have to poison the network and sort of take control over it and away from the adversary. It’s literally sort of a cat-and-mouse game for hours on end as they try to regain their control.
But the other thing that I’ll point out that I’m sure John will highlight as well is that we couldn’t have done it alone, the government couldn’t have done it alone. And the international cooperation was absolutely key because in some of these cases, you actually had to go physically take down a server. In the case of the Gameover ZeuS takedown, I know there were partners all over the world, and in one case, even the Ukrainian government that went into a war zone in Donetsk to take down a server that was critical. If that server had stayed up online, the botnet takedown would not have been successful. So it really is a global effort to do these sorts of things.
MR. LEWIS: Kristin and Ben, what – do you map out darknet – what do you do in your day that makes you look at this stuff? Is it all reactive? Do you have proactive looking? I know B of A does a lot.
MR. VAUGHN: You’ve got about 10,000 people doing this. (Laughter.)
MS. ROYSTER: Not quite that many. No, we have – so we – so we have a strong cyberthreat intel team that looks at things from a tactical perspective, a strategic perspective. You know, we’re following different threat actors and adversaries. We’re looking at, you know, all the tactics, techniques and procedures and really trying to figure out not only how things are impacting the bank or where actors may be looking specifically at our bank but also where the threat’s coming towards the sector writ large.
And so again, through FS-ISAC, there is a threat intel committee that, you know, looks at a lot of these things. There is – you know, we have a new organization in the sector called the FSARC, which is the Financial Systemic Analysis and Resilience Center, which is also looking at some strategic intel sharing. And so it’s really about taking the abilities and capabilities of each individual firm and really kind of pooling them together to kind of make a stronger sector and really then be able to share that information not only within our sector but also with other partners in other critical infrastructures and other sectors writ large. I mean, you know, so Ben mentioned a lot of those mailing lists and listservs that people of like minds participate in. So there are a lot of those going around. And so there is a lot of sharing that takes place between these types of threat intel teams. And that is crucial.
MR. VAUGHN: Yeah, so, I mean, we’re a much smaller organization than a Bank of America, but we put a very high premium on indications and warning. We have a full-time intelligence analyst whose job it is every day to do this research, to try to understand from the disparate sources of information that we have, is – who’s going to show up tomorrow, right? And if they are going to show up tomorrow, how are they going to show up? And what are the useful countermeasures that we could apply to that person?
But it also – it takes two to tango, right? It’s a two-way street. And while we collect a lot of information from third-party intelligence sources, from open-source intelligence – vendor blogs are actually a great source of very valuable data.
MR. LEWIS: You mean antivirus vendors?
MR. VAUGHN: Yeah. They’ll blog about the cases that they’ve worked. And, you know, there is not an infinite number of computers in the world. So the attacker infrastructure that’s used for, you know, the Kelihos botnet might also be used for that attack on you on Saturday, right? So just to have that information and do something with it I think is valuable.
We participate in an ISAC as well, the Retail Cybersecurity Information Sharing Center, which I’m a huge fan of, you know. It gets organizations – those organizations get partner organizations into the mode of providing that data in a safe place. But then, like Kristin said, you know, there are these private mailing lists out there where people who are motivated and who care and can be vouched for by others will provide some valuable information that once again, if your organization chooses to do something with it, they can find value.
MR. LEWIS: So one of the – go ahead, Dmitri.
MR. ALPEROVITCH: Well, I just want to pick up on the comment that Ben made that there isn’t an infinite number of servers. And the other point is that there isn’t an infinite number of bad guys. So this individual that John and his team arrested was actually – it wasn’t his first botnet. He’s been involved in major, major cybercrime operations for the last 15 years. He was sort of one of the big cyber czars on the criminal side, if you will, engaged in pretty much every major criminal activity that was taking place in Eastern Europe in one way or another, providing infrastructure, helping with advice, developing malware, those sorts of things. So when you can identify those key nodes, just like in a terrorist network, and get them arrested and get them off the cybercrime battlefield, if you will, you really have a major impact on the entire ecosystem. And we absolutely need to do a lot more of those types of actions.
And I do think, as we were talking backstage, that a botnet takedown every-week challenge for the U.S. government and actually global governments is an incredibly good idea because it helps us to clean the Internet. And it’s not so easy to reconstitute these things. And if they’re literally spending all their time trying to reconstitute their infrastructure, that’s a time they’re not spending attacking Ben, the Bank of Americas of the world and everyone else.
MR. LEWIS: How did you get him, John? Did he – did he take a vacation in the Maldives? Or what did he do?
MR. LYNCH: Vacationing – when we’re talking about people from, you know, countries that may not extradite the nations is – that’s their law – Russia, that’s the case – waiting and watching for somebody to go on vacation is, frankly, one of our strategies. It’s not, if you read the diplomatic notes, the most popular strategy with some governments, but it is the means by which we identified this person while they were on a vacation, and we were able to work with our international partners in Spain to get an arrest on these charges, which was – which was, as they say, a real challenge to kind of put it all together and pull together a case that had been kind of in the making for a long time.
MR. LEWIS: So if any cybercriminals are watching, remember, vacation in Sochi; forget the – forget the Maldives, so – (laughter) –
But a lot of this sounds like it’s an informal process. And one of the big efforts in the previous administration was to create a more government-centric approach or – remember ISAOs, which sounds like a porcine thing but actually turns out to be an information-sharing organization? Which is better – ad hoc, government? Do you have to blend? I don’t know. Maybe all of you could talk about that.
MR. LYNCH: I mean, I could start here. I mean, obviously, there are different – I think different strategies are going to work for different parts of the problem. When we’re – when we’re going after an individual target and we need to pool together the experts from the private sector and the governmental experts and the people who – from my shop and U.S. attorney’s offices who can get the authority, that’s going to be by its nature ad hoc, and – but you can’t have the ability to pool those people together unless you have the underlying organizations so that FBI can call up and say, hey, we have a line on this botnet. Who knows about it? And then we can go reach out through the information-sharing centers, through, you know, partners in the private forensics community and kind of build that team. So I think for different parts of the problem, you’re going to have different solutions. And they’re both – they’re both important.
MR. VAUGHN: Very much relationships.
MR. LEWIS: Really?
MR. VAUGHN: Sure.
MS. ROYSTER: I think it has to be a blended approach. I mean, in a former life, I was with the Department of Homeland Security and worked in the Office of Cybersecurity and Communications, which houses the NCCIC, which I watched kind of grow over the years and actually start to build a lot of strong relationships, not only with other government agencies, you know, within DOD, within FBI, within the intelligence community but also really start to build strong partnerships with the critical infrastructure sectors, kind of to the point where there are representatives from the sector sitting on the NCCIC fora on a daily basis, which, you know, again, it builds those trusted relationships.
So while it’s – while a lot of this, you know, comes down to relationships, you also need to be able to institutionalize those relationships so that they are not based on specific individuals. But again, you know, kind of giving the scope of the problem related to cybersecurity, there is no one entity that is going to be able to solve the problem. There is no one government agency, no one private sector company. So, you know, it’s going to be a blended approach, and it’s going to be – it’s going to have to be done through a partnership.
MR. LEWIS: Ben, did you want to add to that?
MR. VAUGHN: No. I would just say, you know, very often, the information that we provide, we provide to people because we’ve provided them information before, and they haven’t burned us, and we know that we’ve received something of value from them. And that relationship builds trust. They call them trust groups for that reason.
Outside of critical infrastructure, it’s harder to get buy-in for more mandatory or regulatory information-sharing organizations. You know, there’s a big difference between a hotel and a bank, right? And that is that, you know, if we don’t have our computers, we can still walk you to your room and make you a steak, but the – you know, the world financial system relies on those computers pretty profoundly. So there might be room for more regulatory-based information sharing and enforced-based – enforced information sharing than there would be in other parts of the economy.
MS. ROYSTER: Strongly suggested.
MR. VAUGHN: Yes. (Laughter.) Please. I’m begging.
MR. LEWIS: And Dmitri, you tend to be in a lot of the center of a lot of these things. What do you do? How much do you work with government? How much is it with people you know? What are the relationships right here?
MR. ALPEROVITCH: Yeah, I mean, we work very closely with law enforcement. We work closely with companies like Ben’s and others on these issues.
You know, the one challenge I see in information sharing, though, is that there is a truly big bifurcation across the community where you’ve got companies like Bank of America, like Hyatt that have really phenomenal people that understand those issues and can in trusted format share really valuable intelligence that’ll help each other.
And then there is a huge 90 percent swath of country out there, small businesses and others, that don’t have that level of sophistication. You can give them all the intelligence and all the information in the world, and they literally will not know what to do with it.
So we need to sometimes appreciate that. You know, financial sector, Hyatt, that’s not the whole country. And, you know, most of this country and most of our economy is small businesses that don’t have a chief information security officer, don’t have a security team; most of them don’t even have an IT department, so – and that was the case with some of the political organizations we worked last year during the election hacking.
MR. LEWIS: Do you have anyone in mind?
MR. LYNCH: (Chuckles.) They’ve been named enough, I think, in recent months.
But that I think is a huge problem, the huge underbelly of insecurity that we face as a country that we need to really solve. And information sharing unfortunately will not solve it because those people won’t benefit from the information because they just don’t have the skill sets, don’t have the people, don’t have the technologies.
MR. LEWIS: So you’re destroying one of my pet theories, though, which is this is Darwinian in some effect, that smart people who patch and update and do the right stuff and think about authentication are – they’re going to be less likely to be hacked. But from what I’m hearing is, one, people can intent – have good intentions, especially if they’re small and get whacked, or in this case, you could do everything right, and the thing still got around you because it was a download, right, not a – not the typical phishing email. How much of this is in the control of the user?
MR. VAUGHN: You know, Clint Eastwood escaped from Alcatraz in that movie.
MR. LEWIS: I did see that.
MR. VAUGHN: You did? Yeah, OK. You’re building as the blue team, right? As the defender. You are building a maze, right? You’re building your very own bank vault. And, you know, throughout history, you build a bank vault, and there is obviously somebody on the other side that’s going to want to get into that vault.
So it’s very difficult to provide a perfect level of security. But you can do the right things. And I think that you are generally rewarded for doing the right things. I can’t speak to the likelihood of something happening at any one organization versus another regarding how much they spend on security or how much on infrastructure they have, but it seems to me that the severity or duration of an event would be less if you had more infrastructure.
MR. LEWIS: Let’s put Dmitri and Kristin on the spot. Dmitri, how many of your clients have done all the stuff they need to do? Is it you tend to get people who are saying oops, or do you get people who were unfortunate?
MR. ALPEROVITCH: Unfortunately, it’s still sort of the sliver of the overall community that truly gets the problem, that understands that this is not just about buying the perfect widget or naming someone as a CISO, that it’s an entire process.
And I’ll give you one example of a company that we work a lot with who’s actually an investor in us, and that’s Google. And their approach is to say that we’re not going to have an information security team because the entire company is going to be an information security team. Every single person within the company, no matter what department they’re in and what their job title is, will have responsibility for securing Google. And we’ll contribute to that. Now, obviously, Google has the resources and the technical acumen that few organizations can replicate, but nevertheless, that type of thinking that it’s not just the problem of these folks, right?
And you can draw analogies to other sectors like HR. You know, the investment in the people of the company is not just the responsibility of the HR department, right? Every manager across the organization needs to think about development of their people, mentorship, et cetera. And that’s what we need to do with cybersecurity. And those types of companies tend to do very well. Are they perfect? No. But don’t let perfect be the enemy of the good. And usually they will survive those incidents very, very well.
So you look at Hyatt. And yes, they got hit by NotPetya, but it was a nonevent because of the things that Ben had implemented, and not just from a technology perspective but from a process perspective, understanding that as soon as I detect an incident, I understand what it is, let’s turn it off, let’s prevent it from spreading and so forth. So those types of things are really critical.
And unfortunately, you just don’t have the talent, the expertise or, frankly, the budgets to do this right in most organizations. And even in some of the most critical sectors we’ve got, like the defense industrial base, people often think of the big defense contractors, the Boeings and Lockheeds of the world, as the ones building our weapons, but it’s really the small businesses that are building key components that they are then providing to these primes. And those businesses may have 10, 15 people that are building some critical technology that’s going to go into a naval warship. And guess what, there is no security. There is no IT department. And the threats that they face are pretty sophisticated because it’s all the nation-states that want to steal those secrets.
MR. LEWIS: And the flipside of that is that some of these smaller companies then get these regulations from DOD requiring them to do certain things. And I’ve had a few of them tell me, we’re just exiting the defense business because it’s just too expensive to do this anymore.
Kristin, what do you see with your customers? And before she answers, you should be thinking of questions because I’m going to call on you by name individually.
MS. ROYSTER: So I think that customers today actually are more security-minded than they were previously. I think technology is part of that. I think that, you know, kind of the fact that folks are using technology for banking and finance more has caused them to think more about cybersecurity.
You know, earlier we were talking about the Equifax data breach and the fact that, you know, I think all of us up on the stage have been impacted by multiple data breaches. And because of some of the targets of those data breach – no pun intended with Target – a lot of us probably in this room have been affected by a data breach. And so we’re starting to think about it more. We’re starting to take it a little bit more personally. And I have found that typically, when you’re impacted by something personally, you start to think about it a little bit more.
So in our organization we have a big security awareness program, you know, not only for the folks who are in the information security team but also all employees across the enterprise because, you know, it’s not – it’s not just folks who are in the technology parts of the banks that are, you know, potentially the targets of cyber actors; it’s now the HR professionals. It’s the executives. It’s the executive assistants to the executives. And without ensuring that they can spot, you know, malicious emails and start to learn what not to click on, you’re not going to be able to truly secure those components of the bank. And so it’s really important to be looking at this from a holistic perspective.
What we’ve also found I think is that what you learn, you know, kind of as an employee through your annual security awareness training that many of us go through or, you know, when you have an ongoing program, is that the tools and techniques that you learn through that employer-based program, you’re going to start to take with you, you know, when you’re engaged in things online in your own personal life or on your phone, and so you’re starting to make your online activities more secure writ large.
So I think that, you know, the more that we can get – the more that we can get employees and customers thinking about security, both in their financial activities, their personal activities, their business activities, that will start to improve the cybersecurity posture kind of over all those platforms – maybe just a little bit, but I feel like every little bit helps in this case.
MR. LEWIS: Well, I have a temptation to put John on the spot here by asking him about Equifax, but I won’t.
MR. LYNCH: Good. Thank you.
MR. LEWIS: Yeah, because it would be a very short answer. But let’s put him on the spot anyhow and say, when you look at the trends, how do you think the trend line is going? Are we staying up with the trend in cybercrime? Are we pulling ahead a little bit? If I had to bet right now, I’d say even. But you tell me. And then let’s go down the row.
MR. LYNCH: Yeah, I’ve been doing it for 20 years now. And I think we are staying even. But it’s always been just a constant – you know, the criminality gets worse, and we try to catch up.
So, you know, we’re never – I’m never going to be able to declare victory. I’ve resigned myself that when I retire in whatever number of years, I’m not going to be able to say, I solved cybercrime between now and then. So I’m going to continue to work on it.
I do think we are getting better at the types of information sharing and sort of the preparing for the bad things to happen. I mean, I think we now have companies that have response plans, who know who to call. Even if it’s not necessarily law enforcement, they at least know they’re going to call their lawyer and they’re going to call their private forensics firm and so forth. And so that’s I think a positive – a positive impact.
But you have now, you know, transnational criminal groups that are collaborating easily across borders. And we’re still working on that problem ourselves. Dmitri made a great point. International cooperation is an important part of this. And police-to-police cooperation at places like EC3, the European Cybercrime Center, at FBIs and Secret Services, international platforms, they’re getting – they’re getting better at cooperation.
But it’s still just a simple fact that they – that the bad guys can – you know, they can collaborate across borders, and they don’t even need to care where they are. And, you know, that may mean that we now have to involve four different police services in four different countries, brief them all up on something, and to have them work in coordination with one another to do a takedown. That’s hard, and that’s still an open problem for us.
MR. ALPEROVITCH: From my perspective, Jim, I think there’s been massive changes night and day since I think probably around 2001 when law enforcement started treating us like an organized crime problem and realized that you need informants, you need to infiltrate these organizations, you need to understand their structure, who is in charge, in order to take them down effectively. And to a certain extent, it’s created a sort of Darwinism situation where you don’t see many really sophisticated criminal rings surviving for very long in the developed world, in the Western world, where the police powers are now significant to identify them and arrest them.
What you do have, however, are safe havens, just like with terrorism, where they can operate with immunity, understand how they’re being identified, knowing that those identifications do not result in arrest because of lack of extradition agreements, and they can improve over time and expand their empires, just like, you know, the Italian mafia developed in Sicily in the 1800s because of lack of law enforcement there and became a really formidable force to take down, even in our current day and age. The same thing is developing in Russia and other parts of the world where these organizations operate with impunity. And they can really build up a great deal of sophistication and understanding of how to defeat the ability of law enforcement to track them.
MR. LEWIS: Ben, you’ve been doing this for a while, so –
MR. VAUGHN: I think it’s very important to empathize with your adversary to understand who they are. And that analogy of, like, with Cosa Nostra to global cybercrime is missing one key component, which is in global cybercrime, two guys can get together over beers one night and write up NotPetya and then let it go, right? I’m not saying that that’s what happened, but that could happen, right? You’re only bound in this world by your own intellect.
And the – fortunately I think for many of these cybercrime actors, the computer science curriculum in their home country is actually pretty good. So you end up having a lot of people who are working for food. And I think it’s important that you – that we all remember that these people get to feed their families when they steal a dollar. And that’s a very powerful incentive for them. And so there’s not – this isn’t going to go away.
MR. ALPEROVITCH: So I’ll disagree with you, Ben, because it’s hard for me to empathize with those people that are driving 7 Series BMWs and Mercedes –
MR. VAUGHN: It’s a rental. (Laughter.)
MR. ALPEROVITCH: – and have private jets and other things. So I’m not sure that putting food on their table is a big concern for them given how much money they’re making.
MR. LEWIS: Maybe it’s a selection bias because I – maybe we only look at the guys who are really at the upper end. But I have to say the ones I’ve seen seem to be – Cyrillic-language ones I’ve seen seem to be doing pretty well.
MR. VAUGHN: They do.
MR. ALPEROVITCH: They’re not starving.
MR. LEWIS: Kristin, what do you think from the banks’ perspective? Better, worse, even?
MS. ROYSTER: So I think we’re getting better. I think to the point about we’re getting much better about information sharing, we’re getting much better about sector partnership, I think that while entities don’t necessarily come forward necessarily publicly about problems that they’re having, I think that there is – there is – there are a lot of trusted relationships where people will talk about things that they’re seeing so that they can basically, you know, put the word out to others.
However, as we’ve all seen, the threat is evolving. The technology is evolving. The fact that the number of Internet-facing devices is increasing with the Internet of things, you know, that’s going to make it harder. And I think you’re just going to start to see the threat vectors change. And so we just all have to be ready for those changes and understand what we can try and do to stay at least abreast.
MR. LEWIS: If you do have a question, just hold up your hand. But in the meantime, I’ll ask another one, which is, how sophisticated are the people you’re going up against? So I had a European intelligence official tell me once that there were 20 or 30 groups in Russia that were as good – better than most nation-states. When you look at what happens to your customers or to you or to the people you want to prosecute, how good are the other guys on the other side?
MR. LYNCH: Some of the ones we’ve gone after are very, very good. And, you know, it is a – it is a spectrum. Some people at the top can code and they can do very well. Occasionally, you’re going to get somebody who’s downloaded some tools off the Net, and they can do a lot of damage just having – being able to pull together code from – that somebody else wrote, you know. And you see people on forums, and one of the things that we’ve done as part of our strategy, infrastructure strategy, is, you know, go after the forums where the information is being shared. So the Darkode takedown in Pittsburgh a couple years ago was one example of that, you know.
So you do have I think a relatively small set of people who are authoring the code, that are finding the vulnerabilities, that are doing the research. But then that can trickle downward to people and to the, quote/unquote, “script kiddies.” I don’t want to underplay how much damage they can do by calling them, you know, kiddies, you know, but they may not be as – they don't have to be as sophisticated because, you know, if you can obtain an exploit and you can get readymade back-end code, you put those things together and you can get a pretty powerful package without too much trouble.
So it is a spectrum. You do definitely have the top-end people. Frankly, that’s what – part of our strategy is to go – try to go after the people who are authoring this stuff because there is a lot – there is a lot of talent there. But it’s a small group, hopefully.
MR. LEWIS: How much can you actually buy on the dark web? How much of this is bought, and how much of this is bespoke?
MR. LYNCH: I think from what we’ve seen, a fair amount can be bought. Maybe not stuff – you know, the sort of – the hot topic in the policy circles is the zero day and so forth. But you don’t necessarily need a zero day. You know, the WannaCry attack was – you know, was based upon something that had been patched. And a lot of the attacks just come from exploits that target different pieces of the infrastructure. You know, it doesn't always have to be a root level attack on a – on an OS kernel to be an effective means of getting – of getting data. So you can buy the – you know, we’ve seen marketplaces, and I’m sure Dmitri can talk about his company’s research as well – I mean, we see these places where this is bought and sold. The dark web – AlphaBay was one of the places where you could do this, and, you know, the Darkode forums were another place where this stuff was being bought and sold pretty openly.
MR. VAUGHN: So actually, a lot of this stuff, particularly ransomware, is actually built and distributed by one guy, and then he sells for – per day, per week, per month, he sells the botnet that distributes the ransomware to someone else. So you can actually find this person and make money off ransomware without having to ever actually write a piece of code yourself. That’s commodity ransomware that you’ll see in your email inbox. That’s actually usually where that comes from. So someone in that – on the outside is making money off that.
MR. ALPEROVITCH: So this has been one of the innovations of the cybercrime business. So just like in technology companies, legitimate technology companies, they realized in recent years that it’s a great – it’s much better from a financial perspective to sell software as a service as opposed to do perpetual contracts because you get one customer to pay you some money, and then you never make any money from them again. It’s much better to sell them a contract where every year they pay you a subscription, right? So the same way the criminals are now, instead of selling you the malware, they’ll rent it to you, and you have to pay them an ongoing fee if you want all the updates and for it to continue working. So it’s a great model for businesses. It’s a great model for cybercrime.
MR. VAUGHN: You’ll even see in the malware affiliate ID, right? And you can track who the customer is based on the –
MR. ALPEROVITCH: And the reseller. The whole reseller network as well.
MR. LEWIS: How do they do the money transfers? Kristin, do you want to touch that one? I was a little update with WannaCry, that whoever did it seemed to bungle the Bitcoin transfer. That was amateurship. What do you see when you – this is a market. How does it work? What do you look at when you think about the market?
You can dodge that one and pass it to John if you want to.
MS. ROYSTER: Yeah, dodge it to the – you know, either one of those guys. (Chuckles.)
MR. LYNCH: Yeah, I mean, we see the cryptocurrencies are a popular means of doing it. But, I mean, the way money gets transferred has evolved. And you still see Western Union transfers. You still see Green Dot occasionally transfers.
MR. : Mules.
MR. LYNCH: Yeah. And so this is – this is another way that things keep on evolving.
And again, you know, on the sort of good news side, we have, you know, an industry now of entities that are getting better at blockchain analysis and so forth. So, you know, and now you see the payment systems moving off so that the blockchain – or so that there is not quite as public a ledger to analyze. And it’s just an arms race on that point. But on the payment side, we’re seeing a lot of the cryptocurrencies and – Bitcoin being the – kind of the flagship one, but a lot of different ones being used in this space.
MR. ALPEROVITCH: I mean, the cryptocurrencies are making it easier, but we’ve seen so much innovation in this space in terms of how to do money transfers. One way is to ship goods, right? You buy with stolen credit cards goods on Amazon. You ship them. You resell them in your own country.
One of the most innovative ways I’ve seen to make money was from a hacking group that went after brokerage accounts, the retirement accounts, the 401(k)s, where, you know, you get access to a person’s account, but the problem is you can’t withdraw the money because there are all kinds of IRS penalties, you have to send your driver’s license in when you do a withdrawal. It’s not like a regular bank account. So what they did is they actually instituted trades against stocks that they controlled but that they would short on the other end to actually withdraw the money through the stock trades.
MR. LEWIS: That’s pretty cool.
Where do you think the trends are in this? Has ransomware peaked? Is it over? Are we going to see more? I mean, what do you – when you – all of you, when you look at the future, what are you worried about here with – when it comes to ransomware? We can talk about cybercrime too, and I have a few on that, but let’s start with ransomware.
MR. ALPEROVITCH: I worry a great deal, as I mentioned, about this – what I call enterprise ransomware, going after companies and holding them hostage, because that’s where you can make massive amounts of money, and that’s where you can have, frankly, a huge effect on the economy.
MS. ROYSTER: Well, I think one of the things we talked about earlier is the repercussions or perhaps lack of repercussions. And so as long as ransomware attacks are going to be successful, there are going to be folks who are going to leverage them. And I think to Dmitri’s point, you know, when they start to really start going after the enterprises, then they’re making even more money. And so I think to his point, we might just see a shift away from individual targets and now enterprise targets.
MR. ALPEROVITCH: And this is, by the way, what we’ve seen in other areas, right? It used to be that a lot of these criminals were just going after individuals to steal your credit card, to steal your bank account. And then they realized, why not go after the bank itself and try to get a billion dollars as opposed to, you know, a few hundred?
MR. VAUGHN: Scaling up.
MR. ALPEROVITCH: Yes.
MR. LEWIS: Yeah, I saw that one of the AV companies put out a report on ransomware, and they said the average loss was $544 a person. And that’s – you’d have to do a lot of work to make a – maybe if you needed that dollar to feed your family, it’d be OK, but for anyone else, $544 is – you’d have to hit a lot of people.
We had a question. Please.
Q: Question for John and Dmitri. We’ve seen –
Sorry. Hi. For John and Dmitri. I saw a lot in the press as these summer ransomware events unfolded that one of the sectors may be more – most vulnerable is the oil and gas sector, for example, because it’s hard to access and patch those – some of those systems. Have you seen from that community, from that group, an increased willingness to share threat information, either among themselves or to cooperate with government to help ward off these threats?
MR. LYNCH: I have to say I haven’t had direct contact with the oil and gas sector, you know, that – I tend to be at the back end of this. My understanding from just reading reports is that they are trying to – because of the exact problem you talked about, the embedded systems and so forth, that they are trying to get better at information sharing. But I don’t – but I really don’t know any more than the press on that one.
MR. ALPEROVITCH: Yeah, they’re worried about it. I mean, they’re not the only ones with highly distributed networks. I mean, you look at airlines that may have, you know, a terminal in Nigeria, for example, that’s running off a modem or, you know, a satellite connection. So there are a lot of industries like that that have very unique challenges with connectivity that worry about these sorts of things.
MR. LEWIS: Go ahead, please.
My new favorite, by the way, is shipping lines because it turns out that cargo ships aren’t actually – don’t actually steer themselves anymore. They’re steered remotely. And that’s why it’s – if you can have a smaller crew – one example would be as if you were about to run into a destroyer, you’d have to wake some guy up and run up to the bridge and turn something off. And by the time you actually got positive control, it might be a little late. But that’d be a lot of fun to take over a giant cargo ship and have it stay on circles or something or –
MR. VAUGHN: Or a cruise ship.
MR. ALPEROVITCH: Autonomous ships will solve that. (Laughter.)
MR. LEWIS: Well, they’re almost autonomous now, I mean. And that’s – a cruise ship would be interesting. I hadn’t thought about that.
MR. VAUGHN: It’s a good ransom. (Laughter.)
MR. LEWIS: Go ahead, please.
Q: Yes, so in thousands of millenniums, we had to face natural disasters as hurricanes, for example, but only in a matter of a few years, we have to abide by these new threats that is coming from what man has created. So the question really regards of the developing proactive cyber defense and what is important to advance the cybersecurity operations center, the CSOCs, their operational capabilities, and how to become more proactive to improve the agencies’ shared situational awareness in this world of smart infrastructure and Internet of things devices, especially when it comes to detecting the anomalies, the bandwidth safety and the cloud security that could be also related to cyberwarfare. Thanks.
MR. ALPEROVITCH: Yeah, I think it starts with attitude. And a healthy degree of paranoia is actually a really good thing in this field. And, you know, Ben calls me occasionally – although always sometimes on a Friday night – and says to me, you know, what haven’t I thought of, right? What am I missing, right? I’m doing X, Y, and Z. What else should I be doing to get myself in a better position? What am I missing? Why am I not seeing something? And that’s a really, really healthy thing to have in this field, because you should be paranoid. You should be thinking of where is the adversary on my network? You should operate under the assumption that they were inside. You need to practically hunt for them, to try to identify them. And that’s how you actually defeat them, right?
One of the things that, you know, we often talk about in cyber is that the adversary has the advantage, right? They can take as many attempts at your network as they wish, as they have time to. And they have to be right only once, as the adage goes, and you have to be right 100 percent of the time. But when you actually look at it from a defensive perspective, and look at it as – at your own network, if you have full visibility into everything that’s happening in your network, from systems perspective, network perspective, you know everything that’s going on and you’re continuously looking for potential attackers, you actually have the advantage, because they don’t know the terrain. This is the first time, hopefully, they are entering your network. They don’t know what’s inside. They don’t know where the valuable data is. They don’t know how to operate within that network. You should have every advantage to catch them and kick them out.
MR. VAUGHN: I think that’s a fair assessment, right. Get some – get the ability to make a detection, right? If you can’t make a detection, you can’t see the adversary. Second, enrich that detection with logs. Get the data. If you don’t have the data, why have a security operations center, because what are they going to look at, right? And then once you have all of that data in one place, then you can start doing research on that data, responding to the alerts that you’re getting and generating your own novel alerts. That’s – because that’s what no security vendor can give you, which is your environment – your computing environment is different from every other – it’s, you know, like a fingerprint. And you have the opportunity to set your environment up in such a way that you can see what bad behavior looks like very clearly, usually, if you make the effort.
MR. LEWIS: Kristin.
MS. ROYSTER: Well, it’s not paranoia if they actually are coming after you, so. (Laughs.) I think a lot of it has to do with culture, quite honestly, and really having an appreciation of the threats from the most senior levels – not only from a CEO perspective but for companies that have boards of directors, having a board of directors that understands the threats, that, you know, wants to support the organization in defending against those threats, and can really kind of help push everyone to understand that this is a priority. And that will then – you’ll then see the impacts of that from an investment perspective, a support perspective in both technology as well as human resources, and really being able to get those things that each organization needs to better defend themselves.
MR. LYNCH: Yeah, and I’d totally agree with that. I mean, certainly over the last four or five years, certainly after Target, we saw a real uptick in boards of directors and investment in understanding this area, because it became sort of a core – a core requirement for a board to ask about and know about cybersecurity. So you saw just a real interest in that. I’ve seen a lot of that. The only thing I’d add is, you know, the agility and the response. You know, Jim and I have gone round and round on various things about, quote, “hack back” and so forth. But less than that is sort of taking active steps to respond. You can take actions on your network too, because you can grow it, as Ben said, to make it more difficult for the – for the attacker, because you can grow it, and you can prepare for those things. And those are things that are within your domain.
MR. VAUGHN: Always ruin their day. (Laughter.)
MR. LEWIS: One thing I learned though, is if you’re going to have a password file, don’t label it password. So there’s a free security tip for you.
MR. LYNCH: Also, admin/admin is not a good password combo.
MR. LEWIS: Oh, yeah.
MR. VAUGHN: I better write that one down.
MR. LEWIS: Yeah, that’s right. We’re just full of good advice here.
Did we have any other questions? We have one in the back – we have two in the back. Go ahead.
Q: Thank you. If a lot of small businesses and third-party vendors don’t have the resources or budgets to have the more sophisticated cybersecurity solutions what should they be doing? And what role can the government play to help them reach this goal?
MR. VAUGHN: Does anybody want –
MS. ROYSTER: So I think that the government needs to help entities, kind of, of all sizes appreciate one, that cybersecurity threats exist, but that different levels of cybersecurity risk also exist. And so I don’t think anyone is certainly asking, you know, small and medium-sized businesses to have the types of defensive systems that we have. But there is – there needs to be some type of defense, some type of cyber risk management. I also think, you know, kind of to a point that was made before about smaller DIB contractors actually getting out of the defense industrial base because of the costs of having to have certain types of security systems and requirements.
That’s going to start to happen more. I mean, within the financial sector we are held to a pretty high standard by our regulators for our third party cyber risk assessments. And so in order to start – you know, to do business with certain types of companies, you have to be able to demonstrate, you know, that you’re – that you have a certain set of security practices. But again, that’s very often risk-based. So I think, you know, whether it be the Department of Homeland Security, the Department of Commerce, the Small Business Administration, I think there just needs to be a more collective conversation about how best to communicate cyber threats and cyber risk to enterprises of all sizes, and to make it less scary.
I mean, quite honestly, cybersecurity is not an easy topic to talk about. It’s certainly not an easy topic to talk about if you are involved in it. And so I think – you know, things like the NIST Cybersecurity Framework when it came out, it made it a little bit easier to understand. And so I think we just need to kind of keep building upon those efforts to make it something that’s a little more tangible, a little more understandable, and also provide suggestions to entities of all sizes about how they can lower their cyber risk and better defend their networks.
MR. ALPEROVITCH: You know, I think this trend that we’re seeing, unfortunately, towards disruptive attacks, the positive element of it is going to be that businesses are going to take this more seriously. The problem we’ve had over the last couple of decades is most of the intrusions we’re seeing were just theft of information. And the financial sector was taken, obviously, very seriously because it was a direct hit to the bottom line, but a lot of companies I was seeing where IP was going out the door, they would say, well, I don’t know who’s going to take – who took it, I don’t know how it’s going to be used. It’s all very, you know, unpredictable. So I’m going to not worry about it much, right? Not everyone did that, but a lot of companies did.
And particularly in the DIB space, I remember having a call with a very small contractor that we actually notified because we were seeing data going out to China from their network. And they said, we don’t care. It’s not our data. It’s the U.S. government’s data, right? We’re not going to lose our contract to a Chinese firm. The U.S. government is going to continue buying from us. So, you know, that type of attitude was unfortunate, but when your network is actually down and you’re out of business, that’s going to hit everyone no matter what. And that’s going to force them to take it very seriously.
MR. VAUGHN: So the one thing that I would add, just more specifically, is that the Center for Internet Security does publish a variant of their critical security controls for small businesses. I think they updated an article, like, just last week about that. Generally, if you follow most of those controls, you can achieve them for free just with an IT guy. And that will go a long way to protecting you. Of course, it’s not perfect. But it’s something and it’s something that could be achieved at minimal cost.
MR. LEWIS: John, did you want to tag along?
MR. LYNCH: No, but this is something that we try to do as well. We try to put – you know, we put out sort of guides on interacting with law enforcement – that are aimed more at the small and medium businesses because the big businesses already know how to get ahold of us. And that’s something that we’ve done. I mean, I think overall, I mean, this is something where hopefully the market is also going to help, you know, develop solutions so that the, you know, 10-person business isn’t going to need a 20-person IT staff to protect themselves.
And you’ll have – you know, you may lose some control over, you know, your infrastructure, but you may gain some overall security. Those are tradeoffs and choices that the individual entity is going to have to make. And some will, I think, go under that kind of regime. I think you’re already seeing some of the market developing that way.
MR. LEWIS: Before we get to that question, how much do you think this is maybe overhyped, mishyped? How much have we miscategorized the problem? I’m coming at it from a military perspective, which is, you know, maybe make a cruise ship sail around in circles would be fun, but everything else is sort of below that threshold. What would you describe – what I read sometimes in the press, it’s a little breathless. Is that useful, bad, good? Kristin, you said, you know, we wanted to make people – it’s frightening. Is this – how much of that is genuine fright and how much of that is –
MS. ROYSTER: So, I actually – I actually –
MR. LEWIS: And there’s really good media on the effect of media reporting on public attitudes towards risk, so.
MS. ROYSTER: I actually think the media reporting has shifted over the past several years as it relates to cyber security. I think it’s gotten a lot better and it’s gotten a lot more accurate than it used to be several years ago. And I think that’s actually been beneficial because it’s made it a little less the sky is falling. And I think that’s beneficial because as we all know we all have multiple devices in this room. We all have computers at our desk. Very few people are going to disconnect and, you know, bury all of their devices six feet under.
So I think that – I think that the media has actually helped, you know, kind of not make it more approachable, make it a little more understandable without, you know, kind of always framing it in, you know, a national security threat – which it is – or, that, you know, all of our networks are going to be taken down, or the grid is coming down. But I think it’s been beneficial.
MR. ALPEROVITCH: I do think – I agree with that, that the – sort of the – our society is going to get destroyed through a cyberattack, that that has thankfully subsided. But I still see a very I think unhealthy preoccupation with the breach of the week. I literally get a call from a reporter almost daily saying, hey, did you see Equifax, did you see this, did you see that? What’s your comment? I’m like, comment is the same as it was yesterday when you called me about the other breach, right? (Laughter.) It’s no different.
And, you know, most of these breaches – you know, Equifax notwithstanding, probably – actually don’t affect consumers that much, right? Target didn’t affect me personally one bit. OK, I got a new credit card in the mail. Any fraudulent transactions on those credit cards, the credit card company will eat. It affects me in no way, shape, or form. It’s just a little bit annoying, right? So you have to keep some of these things in perspective.
I think it’s much more of an impact to the business than it is to the consumer, unless, you know, they target your identity or do some other things that can be really helpful.
MR. LEWIS: And after OPM I got a very nice holiday card from the Chinese embassy. (Laughter.) But that’s about it.
John, did you want to –
MR. LYNCH: No.
MR. LEWIS: You’re going to just – no. You’re going to do what he does when the press calls, in which he’s going to say no comment.
MR. LYNCH: No comment. No, yeah, I agree. There has been a little bit of a – you know, a little bit less of the – hopefully the absolute – you know, the worst-case scenario stuff. But I do think that you’re seeing an undercurrent of more understanding of this through – you know, through the multiple breaches. You know, they’re asking – at least when they’re asking me the questions, I’m saying no comment to better informed questions. So that’s a – that’s a benefit for me.
MR. LEWIS: OK, we had one in the back and one in the front. So, Ian.
Q: I was wondering how you can get organizations that are victims of cybercrime or even stopping cybercrime to share that more openly? It seems like that’s really a key, from my perspective, that we see here at CSIS, to stopping these sorts of things. And yet, organizations don’t seem to want to do that.
MR. VAUGHN: Dmitri and I actually disagree about this, right? I think that there is –
MR. ALPEROVITCH: I’m just a realist. You’re an optimist. (Laughter.)
MR. VAUGHN: I’ve always been an optimist. I think everything’s going to be all right eventually. I think that it’s important that when someone goes into a bank and robs a bank, what does the bank do? They take the CCTV footage of the robber, and they put the picture at all of their branches, and then they give the picture to the FBI, and they give the picture to all of the other banks, who can then put the picture in their lobbies as well. So the next time the bank robber walks in, somebody sees them.
This doesn’t happen in cybercrime often enough. And we said earlier, there’s not an infinite amount of attacker infrastructure. There’s not an infinite amount of computers in the world. And if only a company that was attacked yesterday would tell everyone around them who attacked them, maybe that’s an opportunity to make the positive detection at another company the next day. How you encourage that is unclear to me, except for people arriving in positions of leadership who are committed to saying those things.
MR. ALPEROVITCH: Yeah. I mean, I think Ben is absolutely right. I mean, you, Ben, and you, Ian, you have a mindset of I want to help the world. And that’s not most people. And a lot of the people that I’ve met say, you know, what’s in it for me? If I share this there’s some risk, right, it’ll end up on the front page of the newspaper and I won’t get anything back. So why would I do it? And that’s the mentality that a lot of people have, unfortunately.
MR. LEWIS: Kristin, John?
MS. ROYSTER: I think it’s getting – I think it’s getting better. I mean, I think that people are sharing more incident information. I don’t necessarily think that they’re doing it publicly. But I think that there are an increasing number of trust-based channels where people are sharing more incident-based information.
MR. ALPEROVITCH: They share the ones where they won. (Laughter.)
MS. ROYSTER: It’s a start. (Laughter.)
MR. ALPEROVITCH: That’s true. It’s a start. It is.
MR. LYNCH: I agree. I mean, I think some of the places that this is happening are in the ISACs, the ISAOs, those channels, because, you know, for certainly – at the end of the day, I might have to, in a prosecution, say this was the entity that was harmed, because that’s just how I have to do my job. I have to say that you are accused of doing this. But for a lot of the protection stuff, you don’t need to know who exactly the victim was. You might – it might help to know their sector, it might help to know how it was done. So you’re getting that information in – sometimes in sanitized form. To some extent, at least from – at least I don’t have to deal with this – but it seems – you know, it’s sometimes – it’s cutting through that information and getting useful pieces out of it, as opposed to, you know, what often happens.
You know, in this case, I’ll get five different government agencies, maybe three different private sector agencies, all telling me that, you know, Equifax got – had a – had a recent hack. And you know, yes, I know. And it’s helpful sometimes, I’ll get a – glean a bit of information. But I think, you know, one of the things we have to work on is, you know, taking that big data – you know, taking the data set and turning it into useful information that people need to know about.
If it turns out that, you know, Struts is the thing you need to patch today in order to protect yourself tomorrow or, you know, I don’t know what it would be, then, you know, people – then that’s the thing that we need to convey to the – to the people who are doing the work, as opposed to the sort of more general this is a threat, you know, and so forth – getting those products to be more precise and sort of operational are – I think is still a struggle for us. And that’s – I’m saying that from the audience, in this case, because I’m not the person directly involved in that.
MR. LEWIS: I thought CTIIC and NCCIC were supposed to fix that? He’s going to dodge that one.
MS. ROYSTER: It’s getting better.
MR. ALPEROVITCH: Yeah. But you know, one of the big problems we still have is the blame the victim mentality that we don’t have in any other forms of crime. And you know, when you look at even the recent breaches and you say: Oh, my God. They didn’t patch. It’s their fault. You know, they’re stupid, et cetera. And that’s not helpful, right? And that’s not going to motivate them next time to come out and say: This is what happened to us, and you should learn from it, right? What we should be doing is saying thank you for coming out, let’s all get together and learn some lessons from this. And unfortunately, our community is often snarky and not, you know, willing to really have compassion for some of these victims.
MR. LEWIS: We had one in the front here.
Q: Two questions. And there’s a little bit of observation on both of the questions. One is that the language of cybersecurity has been taken very much from the public health and medicine domain. We talk about infection. We talk about – and that is – from a medical or public health perspective – is inherent in our individual software, our genetic code. We got it. There’s not much we can do about it at this point, although people are working on that. From the cybersecurity perspective, is the analogy perfect or is the software and hardware that’s been developed – was never developed with cybersecurity in mind, and so how it’s always a question of catch up? And it could have been done better, but it wasn’t.
Second, and somewhat to your observation about sort of coming out, the analogy with respect to medicine and disease is very interesting, I think. And that is when one was looking to prevent some of the 20th century very infectious disease, the important thing was to eliminate the stigma that was associated with them, in order to encourage people to come out. And how that stigma can be reduced is very much, I think, an opportunity for industry.
And actually, the third observation is – and this has to do with the media stories that I think are more prevalent, because as an individual I’m trying to pay attention to this because I’ve got a computer at home, I’ve got a phone. What am I going to do about all of this? It seems to me that the individual victims whose identities have been hacked and whose bank accounts have been ruined and whose credit has been ruined, they’re ultimately left to their own devices to get themselves fixed. The places that were hacked, the businesses that were hacked, where identity was stolen and has ruined their lives, don’t come to help them.
So I’d like some reflection on what might be done. Is regulation necessary in order to help those who’ve – whose credit has been ruined?
MR. VAUGHN: I want to take the first one.
MR. LEWIS: OK.
MR. VAUGHN: You know, my wife-to-be is a med student. And it was fascinating to us when we started dating that we were talking about the same things – rates of infection and how quick things needed to incubate and lateral movement from one person to another. And what we settled on that was – that was kind of a real piece of commonality in that analogy is hygiene. A key component of preventing disease all over the world is hygiene. You know, if you are not brushing your teeth, if you are not – if you’re drinking dirty water, if you are living in a place where the environment itself is unclean, you’re more likely to get sick.
And so much of what I would say the successful cybersecurity programs around the world focus on is hygiene. That’s why people say, patch your stuff. That’s taking a shower. You know, make sure that you’re not hosting your website in the same VPS provider as where ransomware hosts hang out, right? These are – this is the basic hygiene I think that can make you – help make you far safer.
MR. ALPEROVITCH: You know, it’s interesting, the language actually started to change in the mid-2000s to the late 2000s, when we started to deal more with nation-states and targeted attacks than with sort of the run of the mill cybercrime. And the language started adopting more of a military language where we start talking about TTPs, is a military term, right, tactics, techniques and procedures. We started talking about adversaries and kill chains and all those sorts of things.
And I actually think that – when it comes to that threat that is the right model, because the one difference between health and cyber is that the adversary that you’re dealing with is a sentient being that is looking at what you’re doing and adapting very, very fast. Right, nature adapts ultimately over tens of thousands of years. Here you can have an adversary that adapts within minutes or hours, and is looking at what you’re doing. It’s much more of a game of chess than anything else. And that makes it very, very different, I think, from health care. Not to say that hygiene is not important.
MR. VAUGHN: Oh, yeah, of course.
MS. ROYSTER: I think the observation that you made about the code and the hardware and the software – you know, our genetic code is something that we, at least at this point, can’t really change. But software code and certainly hardware is something that is changeable and, you know, comes – is built. And so therefore you have the opportunity to actually build it with security in mind. And I, you know, hope that given the threats out there that as new software and new hardware is built, that there is more forethought into security when they are developing it.
To your observation or question about, you know, is legislation or regulation needed to help make people whole kind of after attacks, breaches like we’ve seen before, I think that’s going to be interesting to be seen, and to see what members of Congress do. I believe that Congressman Himes has actually introduced a bill today related to that topic, following the Equifax breach. So I think that is something that is definitely TBD.
MR. LYNCH: And I agree with the previous points. And to pick up on Dmitri’s point for a second, I mean, one with the attacker being sentient, we also – because we have to tell the story of the event, as prosecutors are as guilty of this as anyone – you know, we sort of kind of raise the level of the attacker. You know, that’s the interesting story. How did they get in? Wow, that was smart. And so forth. But the story that often doesn’t get told is the great work that is being done on the security side, the defense. There is tremendous work in the government, you know, at DHS, in the private sector, with forensics firms, that are fighting – you know, that are literally – you know, reacting in real time to some of these things. And part of what I think we can do is continue to tell those stories as well, because I think they’re good – they’re good things and they help, I think, raise the importance of good security. And it does take away a little bit from the sort of victim – the sort of victim narrative, and blaming the victim.
MR. ALPEROVITCH: We don’t talk – we don’t talk about every destroyer that doesn’t run into a tanker. (Laughter.)
MR. LEWIS: Unless you teach at the Naval Academy. (Laughter.)
So we’re at the end of our allotted time. The schedule was wrong. Anyone have any final questions? I have one, but this is your big chance. Speak now or forever hold your peace. Go ahead, please.
Q: Good afternoon. Christian Gellman (sp).
You talked about very – a good range of subjects. I totally agree with you, Dmitri. You’re talking my language. I’m a military guy. Using all the phrases that I’ve been using for the last 15, 16 years of my career – red teams, blue teams, TTPs, all that sort of stuff. I really do think the attacker and defender paradigm is the right one that we need to. But how we move this forward is getting to the heart of that sentient bang point. What motivates us to create better software that’s defensible, that doesn’t have the vulnerabilities? What motivates the criminal to conduct attacks, change the risk versus reward scale that somebody’s looking at? In the very recent – you know, since 2010 – if you look at the rates of attacks by Somali pirates in the Gulf of Aden, you’ve seen it go from, you know, peak attacks in 2012 through to practically no attacks for the last three years. Why? A series of things were done in that environment to make it too expensive, to make it too dangerous for a bunch of guys to grab some AKs, drive out, and do some stuff.
MR. ALPEROVITCH: So I’ll give you one example from the Somali pirates myself, because I do think it’s a very interesting example and I’m actually surprised it hasn’t been advertised much in the media. But about four or five years ago there was a Russian tanker that was kidnapped by the Somali pirates off the coast of Somalia. And the Russian naval ship was nearby and they managed to steam over there and rescue the crew. And then they said that they took the pirates, gave them their sloop back, and they went back to Somalia, except that they never arrived.
And a few months later there was a YouTube video that showed up. This YouTube video, by the way, anyone can look it up, it has about 5 million views. And it’s set to sort of rock music. And it shows the crew of the Russian naval ship sort of aligning their guns as the sloop starts to go away, and they start shooting at it and they start getting closer and closer and closer, they don’t hit it right away. And it continues on for a few minutes. And then the whole thing blows up, right? And I don’t think there have been any Russian ship kidnappings ever since. (Laughs.)
So that’s one way to do deterrence, the Russian style. (Laughter.) But I do think there’s something to the fact that – and Captain Phillips is another example, right – that if you go after the adversary, if you make them pay, they are much less likely to think about doing this in the future. And that’s why law enforcement action is really, really critical. I think that just hardening things is not going to make them go away. They’ll just keep trying again and again and again. So you actually do have to take them off the battlefield.
MR. LEWIS: Yeah, I think the trend in – I hope in this administration – is finding ways to impose consequences that are painful, reversible, but make the point, right? And it may not involve the use of force. It may not involve Title X authorities. So this is a positive development in the last couple months.
So I have two questions and then we’ll close. The first question is: You said there was one guy who writes most of the ransomware. Why don’t we offer him like immunity, a condo in Miami, and a salary, and then would the problem go away? You’re not going to answer that one. That’s what I’d do.
Lightning round – hackneyed phrase – but what are your top three things you’d want to do to fix the problem, ransomware, cybercrime? What are the top three things you’d want to see changed?
If you want a minute to think, I can tell stories from the Clinton administration. (Laughter.) Because we did – we actually knew it was vulnerable and decided – and we actually went through a long series of briefings on, like, SSL and this was Scott and Phil, that John will remember, and some other folks. We thought, well, you know what, yeah, we know it’s vulnerable. We’d rather – we think it’s better to deploy the technology now, get the benefit, and then worry about security later. I think all of us would admit, we didn’t expect it would be 25 years later, but nonetheless, it was a conscious decision.
MR. ALPEROVITCH: I have three. So the first one is, you know, we talk a lot about public-private partnership. But most of that relates to sharing information back and forth, which really means throwing it over the fence and hoping something gets done with it. What we need to do is actually take a joint action, like the botnet takedowns that we’ve done with Department of Justice. Again, the challenge that I put forward is let’s take a botnet down every week. Let’s take – and not just botnets, but you can do this with nation-state operations as well. Let’s really make it – make it hard for them to operate online. Let’s make our internet a safer place. So that’s one.
Two, healthy degree of paranoia is always a good thing in this space. Act like someone is in your network today. Try to find them. Always think like an adversary. Always be paranoid. And three, work with your community. Work with others in your industry, because they’re likely seeing the same attacks. You know, try to the extent that you can, share. You won’t always have the latitude from the legal counsel to do it, but try to educate. I know there are benefits of helping to protect everyone as opposed to just yourself.
MR. VAUGHN: I just have one. Extradition treaties. (Laughter.) Huge one. I’m serious.
MR. ALPEROVITCH: Those are hard, right?
MR. VAUGHN: How often do you see in the news media arrests for cybercrime? Large scale cybercrime of U.S. citizens, U.S. persons? How often does that happen, right? Because they know, these guys are good at their jobs. They’re going to go put the bracelets on you. That doesn’t happen for a lot of the cybercrime. The source of all of this problem is that these people are operating, as Dmitri said, with impunity. So I would beg and plead for extradition treaties.
MR. LEWIS: Nyet. (Laughter.) Don’t misinterpret that.
Go ahead. (Laughs.)
MS. ROYSTER: So I echo Ben’s statement. I think that from both a resource perspective kind of law enforcement having more resources and capabilities and better partnership mechanisms with countries like that, so that – so that the folks at CCIPS aren’t necessarily waiting for someone to go on vacation and then kind of hope that when they go on vacation they go on vacation to a country where the U.S. actually has an extradition treaty with them, because something tells me that there is a message board somewhere on the dark web that starts listing all of that information.
And I think also just better awareness, but not just awareness for the sake of awareness sake. You need awareness and then best practices and solutions and guidance on how to actually better defend yourselves as an entity. So I think that those two things hand-in-hand to entities of all size – all sizes from large enterprises, like ours, to small and medium-sized businesses is needed.
MR. LYNCH: Yeah. That – extradition treaties are hard. (Laughter.) And they’re hard when you have a constitutional system that prohibits extraditing your own nationals. But that is something we can – we continue to work on. But, you know, I guess the other – the only other thing I’d mention is, you know, just continuing to consider, as we build in the, you know, Internet of Things and we’re – and we’re kind of dealing with, in many cases, appliances that are – that are put together from, you know, the Linux kernel from five years ago, plus, you know, three add-ons on top of that. You know, that’s what’s going to be in the – you know, that’s what’s going to be the cheap thing in the market. And I think, you know, we need to continue to educate. We need to continue to make sure people understand there are going to be possibly greater costs from, you know, building those things into the – into the systems. And I think that’s something that we all have a responsibility to continue to communicate on.
MR. LEWIS: OK, great. Well, thank you very much for coming out. This has been a tremendous panel. And I’ve learned a lot. So please join me in thanking them. (Applause.)