EPISODE 17
The golden age for cyber-criminals

EP 17: The golden age for cyber-criminals

Our bi-weekly Inflection Point bulletin will help you keep up with the fast-paced evolution of cyber risk management.

Sign Up Now!

About this episode

February 5, 2019

Kip Boyle, CEO of Cyber Risk Opportunities, talks with Jake Bernstein, JD and CyberSecurity Practice Lead at Newman DuWors LLP, about why this is a golden age for cyber criminals.

Tags:

Episode Transcript

Kip Boyle: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives become better cyber risk managers. We are your hosts, I'm Kip Boyle, CEO of Cyber Risk Opportunities.

Jake Bernstein: And I'm Jake Bernstein, cybersecurity counsel at the law firm of Newman Du Wors.

Kip Boyle: This is the show where we help you become a better cyber risk manager.

Jake Bernstein: The show is sponsored by Cyber Risk Opportunities and Newman Du Wors LLP. If you have questions about your cyber security related legal responsibilities,

Kip Boyle: And if you want to manage your cyber risks, just as thoughtfully as you manage risks in other areas of your business such as sales, accounts receivable, and order fulfillment, then you should become a member of our cyber risk managed program, which you can do for a fraction of the cost of hiring a single cybersecurity expert. You can find out more by visiting us at cyberriskopportunities.com and newmanlaw.com.

Jake Bernstein: So, Kip, what are we going to talk about today?

Kip Boyle: Jake, today we're going to talk about why this is a golden age for cyber-criminals.

Jake Bernstein: So is this the listener suggestion that you were telling me about?

Kip Boyle: Yeah, that's right. So we have a listener whose a chief technology officer for, believe it or not, a professional sports team here in the US. And he was listening to episode two of the podcast. That's the one that we called your newest competitor creates most of your cyber risk. And in that one, we were talking about the kinds of trouble that cyber criminals were causing to really anybody connected to the internet. And so our listener wanted to know, "Well, why are they doing so well? Where are the police? How come they're not putting a stop to this?" Which I thought was a great question.

Jake Bernstein: That is a great question. And that's something that you and I have talked a lot about quite a bit. So I'm excited to delve into this a bit deeper.

Kip Boyle: Yeah. So here we go, right? We're going to explain for our listeners, what exactly is going on here? Where are the cops and the judiciary and everybody else.

Jake Bernstein: Let's do that. Let's figure out why this is the wild wild West or the 1920s.

Kip Boyle: Yeah. Well, okay. So let's frame the conversation by first mentioning that the projected cost of all data breaches and cyber crimes worldwide in 2021, which is not that far away is $6 trillion. And I've never seen a trillion of anything. Have you Jake?

Jake Bernstein: Only the national debt.

Kip Boyle: Right. Heard about it.

Jake Bernstein: Heard about it.

Kip Boyle: Haven't actually seen it.

Jake Bernstein: Haven't seen it.

Kip Boyle: I think maybe on a beach, maybe I've seen a trillion grains of sand, I don't know. But 6 trillion is an enormous number and to put it into some kind of perspective, because it's such a big number. So just a couple of years ago, the prediction was $2.1 trillion. And in 2015 it was only 500 billion. So if you can, in your mind, like draw the curve going from 500 billion, 2.1 trillion, 6 trillion, and this thing is starting to look like a hockey stick, right?

This is the sort of thing that most people would die to have if it was their company or a stock that they just invested in. But this is crazy and we can only expect that that number is going to go up. So I think that is a great question. Where's the FBI?Where's the government in all of this?
And I think as Americans it's the kind of thing where you look around in your day to day life and this is a really law abiding country, right? I mean the idea that you're going to-

Jake Bernstein: Oh, it is.

Kip Boyle: I mean the idea that you're going to encounter a bank robber, toting a gun as you walk around city streets, I mean it's just ludicrous these days, the idea that something like that's going to happen. And so crime on the internet is so different by comparison. And you worked at the state attorney general's office, right? I mean you've got an even better perspective on how law abiding we are, probably than most people, right?

Jake Bernstein: Yeah. Certainly, street crime has been on the decline for 20 years. And in terms of overall levels of criminal behavior, it's really almost always tied to a substance abuse problem. So you don't see a lot of... You certainly don't see a lot of ... Let me put it this way, all the crimes that you hear about in the media are news stories because they're unusual.

Kip Boyle: Yes. Yes. Oh, I like that. That's a perfect way to say it. When you watch the news, the world seems really scary. But if you just walk around, it's not that scary at all.

Jake Bernstein: It's not, no.

Kip Boyle: Well, I wanted to... I had a question for you and I'm hoping that you can get some detail on here. But you were just saying that the projected cost of breaches and cyber crimes is $6 trillion by 2021. What does that mean? What is that cost? Are we talking about dollars stolen, dollars stolen plus the cost of responding and repairing, all of the above?

All the above, right? So it's a forecast made by a company called Cyber Ventures. I believe that was their name and they put it out in the last year. And that's the... what I think of as the total loaded cost. So it includes direct loss and it includes indirect loss. I believe when they did the forecast, they were also considering things like lost productivity and just anything you can think of, right? Now, Cyber Ventures is a company that's a little biased. They make investments in companies that sell cybersecurity related products so perhaps that number is a little big because they're kind of going all in. But I've looked around and there are not a lot of forecasts out there like this one.

Jake Bernstein: Well, you know what Kip, even if they are half wrong, it's still $3 trillion.

Kip Boyle: Right, yeah. Even if I doubled the estimate, it's still 3 trillion. It's a big number.

Jake Bernstein: I mean it doesn't... I mean you could cut into that... You call their estimate biased by five X and still have over a trillion dollars of damages.

Kip Boyle: It's a big number. Yeah.

Jake Bernstein: It's a big number. Okay. So back to the bank robbers and the cyber criminals, et cetera.

Kip Boyle: Yeah, so how come they're not catching them, right?

Jake Bernstein: Yeah, what is going on?

Kip Boyle: Right. Well, what we have here is something that, I love this phrase but it's become so trite, but we're really living through a paradigm shift. And a paradigm shift is when a lot of basic assumptions that you operate on change but you didn't change them, right?

So like the internet was a paradigm shift to begin with and companies that didn't figure out how to use the internet, met their demise, right? So I think of companies like Kodak, this phenomenal innovator, digital cameras and so forth, right? So when digital photography came along, even though they practically invented digital photography, they were so stuck in the world of film that they just could not adapt, right? So the paradigm around them shifted completely and they couldn't keep up. And so that's what we've got going on here is a paradigm shift.

So a lot of basic assumptions about crime and crime fighting and what it takes to deter criminals and punish criminals has changed. And so criminals are doing a fantastic job of riding that wave of change but governments have done, comparatively speaking, a lousy job of keeping up. And I'm not trying to be too harsh with governments because this paradigm change is huge. This is a huge change.

And we're going to talk about that a little bit, but I think just to be... Before we talk about that, I think it's helpful to rewind the clock, go back a hundred years. Because if you think about rural America in the 1930s, we actually had a similar paradigm shift. So if you've ever watched that movie, Bonnie and Clyde, or if you've ever read anything about gangsters of that era, just start thinking about old time cars and what it must have been like in the 1930s. And that's the last time that I know that we've had such a major shift in terms of criminality as we're seeing today.

And let me just give you... Let me just sort of sketch this out a little bit here. What were the things that happened back into the 1930s? So cars and guns and radios, right? So there was this huge technology shift. Coming out of world war one, all of a sudden we had the kinds of machine guns that you could carry around in the way that you never could before. Cars became very fast and criminals realized too that there was limited ability for police to work across state lines, right?

So you look at these revolutions in technology, you couple that with these limitations on police. And by the way, police back then, especially in rural areas in the United States had really terrible equipment. They had old cars, no radios if you can believe that. I mean they had no way to really talk to each other. So the sheriff of one town really had to get on the phone and try to track down the sheriff of another town if they actually ever talked to each other.

Jake Bernstein: Yeah. And they probably had civil war era guns, we're talking 50 years out of date at the time, if not more. And I think that it's-

Kip Boyle: They probably had the revolvers, right?

Jake Bernstein: They did, yeah. Government lags behind... Policing in general in that time period was relatively young. The balance of power had clearly shifted in favor of the gangs of the twenties.

Kip Boyle: Yes.

Jake Bernstein: Bank robbers and even... And of course the... during prohibition really absolutely created a perfect storm for all of that crime.

Kip Boyle: Right. Okay. So let's think about Bonnie and Clyde, right? That movie or really any movie like that. And you know kind of what the formula was, right? So you're a gangster, you got a really fast car, he got a machine gun and you pick a bank branch in a rural town in the South near a state line. You lightning strike that bank branch, you grab the money. And banks were completely unprepared for this as well, by the way, which I think is a really important aspect of this. Because it took a long, we're going to talk about this in a minute, but took a long time for bank branches to figure this out too. So you point the machine gun at the teller, they freak out, they give you all the money, you run out, jump in your car and you floor the accelerator and you head for the state line.

Now it's going to take a long time for the cops to even realize what happened. And by the time they start coming after you, you've got a really, really decent head start. And your car's probably faster than theirs are anyway. And even if they do catch up to you, right? He's in his old clunky car and as soon as you get the state line, I mean you can slap on the brakes and flip them off. There's really nothing that he could do. And he couldn't even tell anybody in the other state that you were coming because he had no radio, right? So totally outgunned, completely outclassed, right? They were practically powerless.

And from a labor point of view, they couldn't just put a police officer... station them in the bank branch I mean because they had other things they needed to do.

Jake Bernstein: Well, even so. The bad guys had machine guns and the police wouldn't have had any body armor of any kind and they would have had a... nothing effective. So it really would have just resulted in-

Kip Boyle: They would have been a material witness or they would have been dead.

Jake Bernstein: Yeah, exactly. No, it's true. I mean this is a... It's interesting to kind of begin to draw the parallels between things now. I mean you can think of rather than state lines, you have international jurisdictional issues-

Kip Boyle: Exactly.

Jake Bernstein: For pursuit. Well, frankly you have people who don't need to leave their basements or their military compounds or their office buildings depending upon who is doing the hacking.

Kip Boyle: Right. And these are people from other parts of the world.

Jake Bernstein: Other parts of the world. The very structure and nature of the internet, it was designed to make it difficult to shut pieces off. The whole point of it and the whole point of this IP network is it routes, regardless of where you're from or... I mean, you have to basically cut yourself off completely and that means all legitimate traffic. And I don't think that's tenable anymore. I mean it's clearly not but-

Kip Boyle: No. Even if you air gap, right? We talked about... Or people should know that there's this thing called an air gapped network, right? Where you've got a separate network that's not connected directly electronically to the internet. And so in order to move data back and forth, you've got to use like a USB drive or something like that. And so those are air gapped networks. But even now technology and human social engineering is such that if you want to target an air gapped network, you still can, right? That's how Stuxnet got into the nuclear... the uranium enrichment facility at Natanz in Iran is that it was an air gapped network.

And so what the Stuxnet authors did was distributed USB drives on the ground everywhere that they could figure out where people who worked in Natanz would see them, pick them up, take them in, plug them in. And that's how Stuxnet got in. So we absolutely have ways to attack air gapped network.

Jake Bernstein: And really you talk about your bank system, you can't air gap the banks. That would grind commerce to a screeching halt and everything would take days and days to do anything. That just doesn't work.

Kip Boyle: It doesn't work. The money in our country needs to have a high velocity, right? It's always been about how fast can we move money around. And air gapping bank networks, you're right, you're not only throwing sand in the gears of commerce but it's a lot worse than that. So, anyway, right. So the parallels, I think they're pretty striking you.

You don't need a fast car anymore because you've got the internet. So now you can move from Eastern Europe or Asia to North America in less than a second, right? Because you're talking about the speed of electrons or the speed of photons traveling across the world. You don't even have to get... push yourself away from your desk to try to rob a bank anymore. And because the internet is so abstract. I mean you can see a person coming into a bank branch, and it's pretty difficult to conceal that they are toting a gun or something like that.

But when you're attacking over the internet, it's invisible to human eyes, right? Unless you've got it instrumented, and you've got a technician watching, or you've got some kind of sophisticated intrusion detection system working for you. But really all those technologies are in their infancy. It's striking to me just how poorly we can detect intruders on our networks. It's just terrible. As a defender, we're falling behind there.

Jake Bernstein: It's the proverbial needle in the haystack. I mean the only way to catch a malicious actor on a network is to notice a pattern in that particular piece of network traffic that could indicate that it's illegitimate. But you have to remember that that's hiding within hundreds of millions, if not billions or hundreds of billions of transactions and communications taking place every hour. I mean sifting through that, it would be like finding one... a shard of glass on a beach full of sand. I mean good luck.

Kip Boyle: It's really hard. And so that's why... We've talked about this before but artificial intelligence, machine learning that's... This particular problem is one of the reasons why artificial intelligence and machine learning has become such a buzzword these days, because this problem space is so difficult to crack. And so we're thinking if we can teach machines who never get tired, who never take vacations and have endless ability to pay attention to what's going on and to understand patterns. If we can teach them to watch network traffic, then they can tell us 24/7 when they see something that doesn't look right.

But until we get that cracked, it's kind of like having a giant warehouse full of inventory. And you have no idea who's walking in, who's walking out or what they're taking, because you have no video surveillance. You haven't even posted a security guard with a flashlight in there, right? I mean we're so open to having people come onto our networks.

So a lot of parallels between what was going on in 1930s rural America, with the paradigm shift of technology and the antiquated government systems that used to do a pretty good job of preventing bank robberies. And don't forget the banks themselves, they did not have bulletproof glass. They didn't have silent alarms, no dye packs to put into the satchel of money that the robber takes off with. I mean think about all the things that we do today at a bank branch in order to deal with branch robberies and absolutely none of that existed.

And I did the research on this Jake because I was really interested. And I found out that it wasn't until the mid 1990s that bank branch robbery was finally driven down to what I think we could say is a negligible issue. And you do the math, 60 years, six, zero years from Bonnie and Clyde, 1930s until bank branch robbery was really not an issue anymore. And it took a lot, right? I mean we had to completely redo jurisdictional issues, right? We've needed to have federal laws, cops needed better tech use, they got radios, they got body armor, things like that.

And the banks themselves had to go through entire revolution in how they actually did banking for people coming in off the streets. And so it just blew my mind. I thought it was going to be like 10, 15 years but it ended up being 60 years. And I think that is so instructive to, in terms of setting our expectations, per what we can expect. It's going to take the length of time that it's going to take, even in this internet age at internet speed, I think it's still going to take 20 more years is my thinking. I don't know, what do you think to sort this out?

Jake Bernstein: I think that we solved the bank robbery problem just in time for it to become obsolete anyway. So we solved a problem that really doesn't exist anymore anyway because query is... Have we seen bank robberies in the physical world declined because we got better at preventing them or because people stopped doing them because it's easier and faster and better to do it online? I don't know, right?

We even shared it. So even if we charitably assume that it was our activities that stopped it, there's always going to be crime and malicious activity going after money. One thing that we haven't mentioned yet that I think is really an important difference between the gangster era of the twenties and cyber-crime right now is in the twenties, it really was criminal gangs. It was individual or small groups of people with a fairly simple agreed agenda.

Well, what do we do about the nation state actors, for example, North Korea, which has been... They don't have a good economy, they will conduct bank raids for money. In a different age, that's piracy you know. Might as well go back to the high seas and try to overtake some ships full of gold. It would be an act of war in a lot of ways. And yet it's happening on a regular basis and what are we doing about it?

Kip Boyle: Absolutely. They are countries like North Korea, that this is how they skirt sanctions, right? This is how they obtain the hard currency that they need to keep their countries floating and minimally operable in the face of economic sanctions. Gosh, espionage and the taking of hard currency, yeah, that's absolutely going on. Just like with bank robbers in the 1930s, our ability to control that is similarly restricted.

I think there's every reason to believe that North Korea was responsible for the attack on Sony studios a few years ago. Anybody who read up on that, you can go read the news stories even still. Wow, if somebody had dropped a bomb, a physical bomb, a kinetic weapon on Sony studios and caused all the damage that digitally was caused, that absolutely would be an act of war. So I don't know I feel like we're putting more logs on the fire of how come the police and the military can't seem to get control of this thing.

And what we do see though these days is what I would classify as acts of heroics on behalf of police and government. So, for example, not too long ago, there was a Russian who was apprehended, and he's the son of a member of the Russian parliament. And he got charged with crimes involving credit card theft and ultimately was sentenced to 30 years in US prison. Well, when you dig into that story and you realize just how hard we had to work to crack that case and physically bring this guy from another part of the world into the United States so that he could be charged, the amount of resources spent, must've been in the tens of millions of dollars.

Jake Bernstein: Yeah, well, it's actually [crosstalk 00:25:26]-

Kip Boyle: And that's not scalable.

Jake Bernstein: No. Well, it's also very similar to the heroic efforts that were done to catch the big name gangsters in the twenties and thirties.

Kip Boyle: Yes.

Jake Bernstein: It was the same type of thing where you had... I mean, it was national news. Bonnie and Clyde, and Al Capone, various gangsters, John Dillinger. I mean these were... There's been movies made about these people, multiple movies made. They became larger than life characters and catching them were acts of heroics. I mean the FBI was formed at this time. I mean you talk about the... an incredible act of effort and expenditure. It's very similar.

Kip Boyle: Yep. And how do we bring down mob bosses in Chicago? Well, we convicted them of tax evasion.

Jake Bernstein: Yep, which took a long time to build those cases.

Kip Boyle: It did. And if you think about it, right? At the time, people felt that bringing down a criminal because of tax evasion was the craziest thing they'd ever heard, but that's how innovative law enforcement and government had to become in order to figure out how in the world do we stop these gangsters? And I think we're going to have to come up with some kind of a similar innovation. And I don't know what that innovation looks like right now.

And I would love to have some listeners offer some suggestions or share what they may know. But we're going to have to figure out how to innovate our way out of this, because there's no obvious answers available for how are we going to systematize the identification of cyber-criminals and then somehow bring them to justice because no such system exists right now. And I just don't see any obvious answers on the way as far as how that's going to happen.

And so that's why I thought thinking about this as a golden age for cyber-criminals is so apt because there's practically nothing stopping them. We don't know what to do. And so they're going to continue to use the same technologies and patterns and methods that legitimate businesses like Amazon are using to compete with the likes of Walmart. And cyber-criminals who are just going to keep using that stuff.

And in the meantime, people like us who have to be on the internet because as we said before, the idea of not being on the internet isn't really feasible any longer. So how are we going to be on the internet and thrive in the face of these cyber-criminals when we have effectively no protection from the tax money that's collected from us. And so this kind of gets back to the whole idea of well, we've got to be a really good cyber risk managers and we have to take responsibility for keeping ourselves safe on the internet these days.

Jake Bernstein: Yeah. So this really goes to self-sufficiency, recognizing that the cavalry is not coming. The cavalry doesn't know where to go. So it's just not coming right.

Kip Boyle: Right. Well, and I have this image in my mind right now of a cop on horseback, right? Showing up to help you with your internet problems.

Jake Bernstein: It's actually fairly accurate in a lot of ways. That's kind of the technological barrier and the... Well, not necessarily technological but certainly societal and legal and international issues, is that it... I just kind of view it as these cavalry guys on horses, but the horses and men are just kind of meandering in a field eating grass because they don't know where to go or what to do. And there's nothing that they can catch.

And so for our listeners, I think the takeaway here is that taking into account the fact that the cavalry isn't coming and the fact that you're on your own is part of what constitutes reasonable cyber security. And when you are thinking about your investments in cybersecurity and cyber risk management, you need to understand that you absolutely are likely to be part of that $6 trillion cost in some small portion, hopefully small. That the government is not going to be able to help you and that you are really going to need to minimize your own-

Kip Boyle: Exposure.

Jake Bernstein: Essentially, you're going to have to mitigate your own exposure and your own risk. And you're going to have to do that by being thoughtful and mindful and with some investment.

Kip Boyle: Right. And then the last thought that I'll add too, is you've also got regulators who, like the federal trade commission, who's trying to enforce reasonable cybersecurity practices. And so I would say from a business executives point of view, not only do you have the cyber-criminals that you need to worry about but you've also got the regulators, right?

Because whether the cyber-criminals have taken $100,000 from you, or whether you get a regulatory sanction that causes you to pay $100,000 fine, at the end of the day, you've just lost a hundred thousand dollars.

Jake Bernstein: I think there's an unfortunate tendency to think about the regulation as a victim blaming game. And I want to very quickly, just mention that the FTC, they really go after data breaches that involve a lot of consumer information and consumer harm. Their jurisdiction is arguably limited to that, which means that if you don't have any consumer data and you are primarily B2B, you may think to yourself, "Well, gosh, my regulatory risk is low." And it might be low or at least lower. The problem is that your overall cyber risk really hasn't changed because cyber criminals want cash. And they don't really care where they get it from.

Kip Boyle: Right. Or they want data that they can convert into cash.

Jake Bernstein: Or they want, yes. Anything that's good enough to become cash. So it's really important to appreciate the necessity for managing your cyber risk, whether or not you are particularly susceptible to regulation. Because you will... We're all targets.

Kip Boyle: Right. Yep. Absolutely.

Jake Bernstein: I wanted to make that clear.

Kip Boyle: Yeah. If you've got a computer and the internet, you're a target. Well, that wraps up this episode of the Cyber Risk Management Podcast. And today we talked about why this is a golden age for cyber-criminals. We'll see you next time.

Jake Bernstein: See you next time.

Kip Boyle: Thanks everybody for joining us today on the Cyber Risk Management Podcast.

Jake Bernstein: Remember that cyber risk management is a team sport and needs to incorporate management, your legal department, HR, and IT for full effectiveness.

Kip Boyle: And management's goal should be to create an environment where practicing good cyber hygiene is supported and encouraged by every employee. So if you want to manage your cyber risks and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us and consider becoming a member of our cyber risk managed program.

Jake Bernstein: You can find out more by visiting us at cyberriskopportunities.com and newmanlaw.com. Thanks for tuning in. See you next time.

Headshot of Kip BoyleYOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein, an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.