EPISODE 2
Your Newest Competitor Creates Most of Your Cyber Risk

About this episode

June 7, 2018

Kip Boyle, CEO of Cyber Risk Opportunities, talks with Jake Bernstein, JD and CyberSecurity Practice Lead at Newman DuWors LLP, about who is really driving the over $6 trillion in damage expected in 2021 due to cyber failures.

Episode Transcript

Kip Boyle: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives become better cyber risk managers. We are your hosts.

I'm Kip Boyle, CEO of Cyber Risk Opportunities.

Jake Bernstein: And I'm Jake Bernstein, Cyber Security Counsel at the Law Firm of Newman DuWors.

Kip Boyle: And this is a show where we help you become a better cyber risk manager.

Jake Bernstein: The show is sponsored by Cyber Risk Opportunities and Newman DuWors LLP. If you have questions about your cyber security related legal responsibilities-

Kip Boyle: And if you want to manage your cyber risks just as thoughtfully as you manage risks in other areas of your business such as sales, accounts receivable and order fulfillment, then you should become a member of our cyber risk managed program. Which you can do for a fraction of the cost of hiring a single cyber security expert.

You can find out more by visiting us at CyberRiskOpportunities.com. And Newmanlaw.com.

Jake Bernstein: Kip what are we going to talk about today?

Kip Boyle: Jake, today we're going to talk about who's causing all the trouble on the internet that our customers are having that we can see, and in other words why will the global cost of cyber security failures reach six trillion dollars by the year 2021.

Jake Bernstein: Did you mean billion or did you actually mean trillion?

Kip Boyle: Yeah trillion with a T. It's funny I've never seen a trillion of anything, how about you?

Jake Bernstein: No.

Kip Boyle: I've never seen a trillion of anything and so when six trillion is the estimate that's thrown around, I mean it just really boggles the mind. But that's worldwide global cost of cyber failures in aggregate. It's amazing. And today in 2018, it's around two trillion and about three years ago, it was five hundred billion.

Jake Bernstein: Wow. So it's really growing fast.

Kip Boyle: It's escalating. And yet and so, you just have to wonder right? What in the world's causing all this, right? What is the story behind the trend? And so I thought our listeners would enjoy getting a little peek at that and so we've got a little side presentation that we want to share with you guys today, our listeners. And we call this anatomy of a hack, the internet age of criminals.

Because guess what, that's exactly what's going on, criminality is a big driver behind what's happening today. And so we thought we'd start by just giving you a couple of examples of the kind of things that are happening. So I don't know if anybody ever heard of Code Spaces before.

I hadn't quite frankly until something really terrible happened to them. But in 2010, or sorry in 2014, this company which had 200 business customers and provided cloud storage for their customers' source code and different kinds of hosting capabilities. 200 customers and in 2014 they went out of business in 12 hours.

Can you believe it? Due to a hack. And I don't know if I ever shared this, the details with you Jake, but what happened was Code Spaces used Amazon's EC2 in order to build out their infrastructure rather than rack and stack their own servers and buy their own space in a data center.

So what happened was, they had a control panel on their EC2 product and it got broken into and-

Jake Bernstein: What's an EC2 product for those who don't know?

Kip Boyle: Yeah so that's Elastic Compute and what that means is that rather than buy a fixed number of servers, if you're going to offer a technology service on the open market, you can go to Amazon and you can buy an unlimited, practically unlimited amount of CPU and memory. And so you can just buy it as a service and so as your computing demands go up and down, you can buy more or buy less CPU and memory.

And it's a very cost effective way to do computing, it turns computing into like buying electricity, right? Turns it into a utility. So I mean that's a very wonderful thing.

Jake Bernstein: That's a great example of a cloud based infrastructure.

Kip Boyle: Yep, yep. Yep. Yeah and so Code Spaces had this all working for them and somebody broke into their control panel and left some pretty heavy extortion demands on them. Which they refused to comply with and so because these are very tech savvy people, they actually attempted to fight back and regain control over their control panel.

But the extortionists were watching and said, "Oh you want to fight back? Well then we're going to pull the plug on you." And the extortionists deleted all the data. All the data belonging to Code Spaces and all the data belonging to the customers.

And the cost of recovering from that just rapidly was out of reach for them and they threw in the towel and shut down. So what you're seeing here is a screen capture of their website just before they folded, it's an amazing story. And it's interesting because it's so under reported, I mean I don't remember seeing this in the newspapers.

Jake Bernstein: No I don't recall either.

Kip Boyle: But it just kind of goes to the heart of what kinds of things can happen to you on the internet these days in terms of cyber risk. I thought another example, another recent example would be helpful here. So this is a screen shot of a news story about Hancock Regional Hospital and like other hospitals, they got hit with a pretty hurtful ransomware attack, right?

So their computers were encrypted, many of them were. And they were unable to keep their doors open and serve patients fully. And so the CEO of the hospital had to choose whether he was going to pay ransom, a 55 thousand dollar ransom to get control of his computers back or whether he was going to attempt to regain control of his computers on his own.

And so this just happened earlier this year and unfortunately for our online community, this CEO decided to pay the ransom. And to me, that's like casting 55 thousand votes for more attacks online. So I've never been in a situation where I've had to make that kind of decision, so I hesitate to say that he was completely wrong in every way. But I just know that those kinds of decisions are not good for our online community.

And again, what a terrible situation to find yourself in, you know. These kinds of cyber risks that threaten your organization so thoroughly.

Jake Bernstein: Yeah and the 55 thousand dollars doesn't seem like much and I would say that unfortunately, what might not be obvious is that these ransomware purveyors started off asking for 500 dollars. So if you think of it in escalation numbers, they're up to 10 times, 100 times what they used to be.

Kip Boyle: Yeah. Yeah it's going up.

Jake Bernstein: And it's going up. So it's probably not too long before we start seeing ransom demands for so called real money.

Kip Boyle: Yeah well and it wouldn't be surprising in the sense that if you look at it from the other side, you know, what we have is the cost of recovering from an attack like this. If you choose not to pay the ransom, it can be in the millions of dollars.

Right? This is not trivial. You're going to have direct costs of millions of dollars. You're going to have the opportunity cost of not serving customers and not generating revenue during the period of time in which you are recovering. And we've seen other medical centers refuse to pay the ransom and to elect to recover on their own and it can take weeks.

And while that's happening, they're either not serving patients or they're going back to old time methods of pen and paper record keeping. And then, even if they can figure out how to do that, once the systems come back online, they've got a closet full of paper records that they now have to digitize.

Right? So I mean it's a big burden, I totally get it.

Jake Bernstein: Absolutely.

Kip Boyle: All right so let's talk for a few minutes about what's going on here. Like why is this happening, what's going on behind the scenes. And I don't know if you remember the 1983 movie, War Games with Matthew Broderick, but you know that movie really kind of thrust this stereotype onto the main stage of the world.

This idea of a bored but curious teenager who has a computer and more time on his hands than he knows what to do with, and accidentally almost starts World War Three.

And this perspective is just still stuck in a lot of people's minds. People still think this is what cyber risks on the internet are all about.

Jake Bernstein: Which is not true.

Kip Boyle: No not at all, which we can see.

Jake Bernstein: So who are the actual threat actors?

Kip Boyle: Well and before we get to that, another point here which is, Hollywood is still churning out movies and television shows that perpetuate this stereotype so if you've seen the Mr. Robot show on the USA network which is a really wonderful show but they're still focusing on a lone person, a hacker in a hoodie, going around and causing all these problems.

And of course the newspapers are talking a lot about Anonymous. Which is the hacker collective that's caused some real damage. But you know, all together these individuals who are causing trouble, these hacktivists, none of them really in aggregate are causing that six trillion dollar damage estimate.

Really, it's mostly being driven by what I call the millennial mobster. And on the FBI's most wanted list is in fact a guy named Bogachev who oddly enough was born in 1983, the same year that the War Games movie came out. And really it's online criminals that are really driving, they're the protagonists in all this.

Jake Bernstein: And it's not just criminal gangs but it's criminal gangs that are in some, I should say in many countries if not outright supported by potentially hostile governments then certainly not prosecuted, arrested or controlled.

Kip Boyle: Right. So you've got online criminals in league with foreign intelligence services in the case of Bogachev. We've got lots of evidence to suggest that he's being protected and supported by the Russian intelligence services. And so, and it's a really, it's unfortunate but it's a really great mash up for them to be working together because here you've got a guy who's writing malicious code who can break into banks silently and steal so much money.

So much more than you could ever steal with a gun and a getaway car, right? He's stolen over 100 million dollars just from U.S. banks in the previous eight years. But when he's in there stealing money, you've got people looking over his shoulder from the foreign intelligence service saying, "Hey while you're in here stealing the money, could we have that file and that file and oh, can we have that database? And we'll take the information, thank you."

And so it's a great cover, right, for the intelligence services because they're not the ones that are actually doing any of the breaking and entering. So I mean, what a deal, huh?

Jake Bernstein: Yeah.

Kip Boyle: So we've got this new normal going on. And they're the ones that are really driving the six trillion dollars in damages that we talked about. And in fact, for our listeners, you know, if you're an executive or if you work with or for an executive, you can actually consider Bogachev to be a competitor in a sense. Because cyber crime has become an amazingly profitable business.

Just one, just by using one exploit kit and a lot of virtual servers and a highly scripted, highly automated set of attacks, you know, you can generate 34 million dollars in a single year with just a simple ransomware campaign. And if you know how to steal a credit card, your cost of goods sold is practically zero.

So it's just stunning the amount of money at play here. And when you add it all up, you now begin to understand where the six trillion dollar figure is coming from.

Jake Bernstein: You really do Kip. And you know what's fascinating is how these criminals operate. They don't operate like frankly you would expect criminals to operate. Instead, they operate like in some cases, very well oiled businesses.

Kip Boyle: Oh, absolutely. They have well lit office spaces right? They're not huddled in the basement of abandoned buildings or anything like that. They have people on their payroll. They've got human resources departments and benefits and payroll and-

Jake Bernstein: And they have some of the best customer service that you'll find.

Kip Boyle: That's right.

Jake Bernstein: We'll talk about that. So we like to look at it as the dark value chain. A value chain is just how industries create value among their different components, and oftentimes through specialization. For example, us. We are specialized in helping our clients manage their cyber risks.

Kip Boyle: Right.

Jake Bernstein: You're going to go elsewhere, you're going to go to an accountant, or a tax lawyer to deal with those risks and those issues, right, so-

Kip Boyle: Yeah and even with cyber risk, you know, if our customer needs a vulnerability scan or if they need to upgrade their firewalls, we're going to bring other people into the situation to do that because we're not trying to be all things to all people.

So even we specialize within our niche.

Jake Bernstein: We do. And the thing to know about the way this economy works is, you know, much like our favorite tech companies, these guys are doing R and D and they're constantly improving and evolving and changing their techniques. So when you look at cyber risk compared to for example, fire or flood risk, it's very different.

You know, we know, there's a limited number of ways that fires can start, flood data is very well kept over centuries right?

Kip Boyle: And analyzed in detail.

Jake Bernstein: Analyzed in detail. The problem with cyber risk is that it changes virtually every day, so you, it's much more difficult though not impossible to mitigate and prevent and control-

Kip Boyle: Well the thing is, is that and as much as cyber risks are innovating all the time, your defenses have to innovate all the time.

Jake Bernstein: They do which means that cyber risk management isn't something that you just buy, it's something that you have to do and that is where Cyber Risk Opportunities gets its slogan from-

Kip Boyle: That's right, that's right. Yeah.

Jake Bernstein: This is a, you cannot ever rest on your laurels because the bad guys are constantly moving forward.

Kip Boyle: Yeah, yeah, yeah and they're like germs. Right? That's like the flu virus which is constantly mutating and we try our best to put a vaccine together every year but that vaccine has different amounts of efficacy every year and we inconvenience ourselves to get a flu shot every year.

Even knowing that we might still get a strain of flu that the flu shot just really isn't effective against. But it's just part of our cyber hygiene, our actual physical hygiene but we need to have cyber hygiene, right? We need to have the equivalent of a flu shot and washing our hands multiple times a day to protect ourselves from germs and to protect other people from germs.

But back to this idea of specialization, right? So Satan is this really great example of specialization on the dark chain. Tell us about that Jake.

Jake Bernstein: So Satan is a, well, it's software as a service, which is a very common term here, and it is a, you can sign up for it like you would any other software system on the web.

Kip Boyle: If you can sign up for Netflix or Gmail, you can get this.

Jake Bernstein: Dropbox, even Amazon as we were, AWS as we were talking about earlier. There's even an option here to give a public key and turn on multi factor authentication so you see that the criminals are probably using very good cyber hygiene in a lot of ways.

Kip Boyle: Yeah they are. Yep absolutely. And right, so what's great about, if you're a would be criminal but you're not very technically savvy, you can go out and you can buy ransomware as a service from the fine people behind the Satan software as a service. And what's great about Satan is, is you don't even have to put money up front because just like the app store, they'll just share your revenue with you. Isn't that amazing?

Jake Bernstein: Revenue sharing is the way to go if you need to get some criminalized ransomware going. Because what it is is that it is a build your own malware attack. And you can, there's all kinds of ways to do it, you can see here that your cut, if you use this service is 70 percent. Which ironically happens to be the exact same percentage you get from Apple's App store.

Kip Boyle: Yeah so they're copying us right? I mean they're our new competitor, they're looking at what we're doing and they're saying, "That works well in the normal world so we're just going to use it here."

Jake Bernstein: Yeah and you know, what's fascinating is that these guys use marketing concepts that are straight out of your playbook.

Kip Boyle: Yep.

Jake Bernstein: So you look here at these plans and you can see that basically these, this ransomware provider, they know that they have other, you could use other ransomware providers. Maybe you don't want Satan, maybe you want a different one.

Kip Boyle: Right.

Jake Bernstein: And-

Kip Boyle: You can take your dark business anywhere.

Jake Bernstein: You can take your dark business anywhere. So here you are with your different choices, they have monthly costs, I mean really the point here isn't to make jokes about the criminal and how they are copying real business, the point is to be aware that this is what the criminals are doing and it's extremely effective.

And it's so easy that, like you said, you don't need to be Matthew Broderick from War Games, you don't need to be Mr. Robot, you can have basically no computer savvy at all. But if you know how to get online and do some basic setup, you can cause quite a bit of damage.

Kip Boyle: Yeah whether that's a ransomware attack or a distributed denial of service attack, right? You can now rent all the technology that you need to do these things and again, if you know how to steal a credit card or boost some bitcoin from somebody's wallet, then you're not even paying for any of this stuff. So the cost of entry is just so low.

Okay, so now that we kind of understand you know, what's driving the engine behind all this damage that's happening now and will continue to happen. I think our listeners are probably wondering, "what in the world can I do to deal with this," right.

And so one of the things that we talk about all the time with our customers is reasonable cyber security is what you really need to go for. So where does the idea of reasonable cyber security come from, Jake?

Jake Bernstein: So Kip, it comes from the federal trade commission which as you can see here is a law that was passed in 1914, it's an incredibly broad regulation that can be used in really almost anywhere in commerce. And you see here that this is the operative language which is deceptively in a sense, simple. But it is so powerful and so broad and the idea here was that, and there was actually testimony in congress about this when this act was passed, was that, sure you could write down every scam, trick,-

Kip Boyle: Yeah keep a catalog.

Jake Bernstein: Huckster you know generated whatever, but when you finished, you'd have to start over again. That's almost a direct quote from the congressional testimony around this time period. And that was before the internet. That was before electronics.

Kip Boyle: Right. I mean this was over 100 years ago in 1914.

Jake Bernstein: It was. And but it remains, it's just as true today as it was in 1914. And so this is what congress at the time came up with, which is, "We're going to say that you cannot engage in unfair or deceptive acts or practices."

And what people started seeing is that, "Hey we don't want to blame the victim," and I want to be clear on this point. But when it comes to cyber security, it is not that different than protecting your building against fire or flood. If you walk into a flood plain and you build your building there and take no precautions, it's not, it's kind of your fault when you get inevitably flooded.

Right? If you don't put in smoke alarms and you don't put in sprinklers into a building, well these days you won't be given the opportunity to inhabit that building because it will be deemed unsafe but that of course wasn't always the case.

All of these things that we take for granted, the flashing fire alarms, the noise, the many different types of fire suppression systems, all of this evolved over time.

Kip Boyle: That's right.

Jake Bernstein: And that is what we're trying to do with cyber security right now. And what the FTC has said is that, "reasonable security measures for cyber security are looked at from the perspective of an entity of similar size and sophistication to you. And you have to take into account the type, amount, and methods of data collected." And variations on this theme would include you also have to look at the state of the art, right?

So there was a time, 20 years ago when having a firewall would have been frankly impressive.

Kip Boyle: Yeah.

Jake Bernstein: 20 years ago having-

Kip Boyle: More than sufficient.

Jake Bernstein: More than sufficient. These days having a firewall is a lot like having sprinklers.

Kip Boyle: Yep.

Jake Bernstein: It's negligent and in some cases, if you were to be a landlord, and you were to run an apartment complex without adequate fire safety, it actually can become criminal.

Kip Boyle: Mm-hmm (affirmative).

Jake Bernstein: Right? Criminal negligence.

Kip Boyle: Yep.

Jake Bernstein: So we're not there yet with cyber security but we are, we do impose a civil duty, a responsibility to take reasonable security measures. And it, that just like fire safety and fire insurance and all those requirements in the building code, it is rapidly evolving.

Kip Boyle: Yeah. And reasonable means compared to other organizations of your size and the type and the amount and methods of the data that you collect. So if you're a small business the FTC isn't going to compare you to a large enterprise, right? They're not going to say, "Well you run a pizza shop, you should have the same type of reasonable security that Boeing the airplane manufacturer should have," right.

So you don't have to worry about that.

Jake Bernstein: You don't, but you do need to be careful there because you also don't have, you also can't just say, "Well oh, everyone's not doing anything so we're good." Like it doesn't, it doesn't work that way. It tends to be more that egregious acts by someone in your industry will push the bar forward a little bit.

And this tends to be how the law gets made in this arena. Which is bit by bit, case by case, things evolve.

Kip Boyle: Right. Well, so now for our listeners we should really kind of talk a little bit about, okay how do you take this FTC concept and how do you interpret it so that you can figure out what's reasonable for you. And what we talk to our customers about is that cyber security is how you travel, it's not just a product that you purchase, it's not a state that you will be able to achieve and then to be able to perpetuate because as we've said, the threat innovates all the time.

Even if you think you have great cyber security, just by standing still you can find yourself losing ground. Like we said, if you had a firewall 20 years ago, you were great. But if you are using 20 year old controls, technical controls today and you haven't modernized, then somebody's going to come around and eat your lunch for sure.

So we ask our customers and we would challenge you as a listener, to think about what's the quality of your cyber security journey. How are you getting around? And I often show a photograph of a train with men hanging off the side of it. The kind of picture you would see coming out of maybe India or Pakistan, you know, where this kind of behavior is considered common.

And hanging off the side of a train to me, seems like a very risky way to get where you're going but it's cheap and it probably doesn't smell as bad as being in a coach and I guess I can see why people might think it's a fun way to get around. But clearly when you're about to, when that train is going to enter into a tunnel, the last place you want to be is hanging off the side of it.

So think about, is that how your cyber security, is that how you're traveling? Where you're just hanging off the side of this train because you don't want to spend the money, you can't see what you get for it, that's all totally understandable. But you may need to actually buy a ticket and sit in a third class carriage.

You maybe don't need to spend the kind of money that a large organization spends but you need to figure out some way to make sure that your journey is sufficiently protected. And we also think that cyber security is a great management opportunity. And we talked a little bit before about how there's an upside to cyber risk, if you can do a good job of managing your cyber risks, then when something bad happens to a lot of different organizations at the same time, if you can stay in business while your competitors are struggling, then that's a win for you.

Because as we saw last summer when the NotPetya virus ran through Eastern Europe, FedEx, TNT overnight package delivery got hit really hard and couldn't actually deliver the packages they had. And they couldn't take new packages either but DHL, who was a competitor, stayed in business and what we're seeing from the financial results that they're revealing in public now is that DHL really made a killing because all these people switched and they're probably not going to switch back anytime soon. Even after FedEx kind of gets back on its feet again.

So yeah what we tell customers is the best way to achieve reasonable cyber security, there's two basic strategies that you want to follow. And the first strategy is, you want to be a difficult target.

Most of these, most of the cyber criminals are looking for easy targets, right? They're like people checking out cars in a vast park and ride lot looking for the makes and models that are the easiest and fastest for them to get into and steal and make their getaway.

So if you just have a couple of things that are going to make it harder for somebody to steal your car, you've got a club on your steering wheel or something like that, the criminals are just going to keep walking. Not because the club is impossible to defeat, it's not, but just because there's easier targets, all right. So that's what you want to do is you don't want to be an easy target.

And you also want to become cyber resilient because the attacks that are coming at us today are so much more powerful and so much more effective than they have been in the past. That it's inevitable that we're all going to suffer a cyber attack sooner or later. And so what you want to make sure is that if you end up in a situation where you're being attacked, you want to resist that attack and you want to stay in business. And get back to normal as fast as possible.

So those are really the two things that you need to do operationally these days. And legally what would you add Jake?

Jake Bernstein: Well it's interesting. I think that I wanted to just talk about that resiliency concept and how that is actually becoming a legal requirement as well. I mean if you look at the European General Data Protection Regulation, the GDPR which goes into effect on May 25th, 2018, if you're watching this later, it's already in effect. And they have the traditional triad of security: confidentiality, integrity and availability.

But they add resiliency. And so it's becoming perhaps more in vogue to talk about not so much the triad but the quadrad, I don't know what you call that.

Kip Boyle: Probably.

Jake Bernstein: And because now you're looking at confidentiality, integrity, availability and resiliency. And the very first example you gave of Code Spaces, they lacked resiliency.

Kip Boyle: Big time.

Jake Bernstein: Big time. They had zero resiliency. And it cost them everything. So-

Kip Boyle: And the data that they had was, remained confidential, it probably had great integrity, but it was never available again.

Jake Bernstein: Yeah because of a lack of resiliency.

Kip Boyle: Right.

Jake Bernstein: And so you can see how this kind of works together and part of becoming a difficult target and becoming cyber resilient is documenting your practices, getting procedures in place, practicing them. There's a lot of administrative quote legal requirements that are part of this. It is not just about configuring your firewall properly.

Kip Boyle: No not a bit.

Jake Bernstein: It is not just about making sure that your technicians are at the right place at the right time. It really is everybody in the organization as we said at the start of our podcast, the beginning episode. We're all foot soldiers in the cyber wars. And this kind of shows you why.

Kip Boyle: Yeah. Okay well thanks everybody for joining us today on the Cyber Risk Management Podcast.

Jake Bernstein: Remember that cyber risk management is a team sport and needs to incorporate management, your legal department, HR and IT for full effectiveness.

Kip Boyle: And management's goal should be to create an environment where practicing good cyber hygiene is supported and encouraged by every employee. So if you want to manage your cyber risks and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us and consider becoming a member of our cyber risk managed program.

Jake Bernstein: You can find out more by visiting us at CyberRiskOpportunities.com and Newmanlaw.com.

Thanks for tuning in, see you next time.


YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.