Listen to the podcast:
Cybercriminals aren’t all young hackers living in dark basements armed with their laptops and quaffing energy drinks. The new generation of cybercriminals have organizations that function much like startups, with CEOs and recruiters, and customer service agents. In her new book, Kate Fazzini, a cybersecurity professional and CNBC journalist, reveals the true nature of these cybercriminals beyond the headlines. She recently joined the Knowledge@Wharton radio show on SiriusXM, to talk about her book, Kingdom of Lies: Unnerving Adventures in the World of Cybercrime. (Listen to the podcast at the top of this page.)
An edited transcript of the conversation follows.
Knowledge@Wharton: Are top-level executives devoting enough resources to cybersecurity within their own companies?
Kate Fazzini: Except for the really large companies — the Fortune 20, Fortune 30 companies — we’re not even close yet. For most companies, the top cybersecurity official is reporting up through a technology organization that then probably reports up through one or two other people to the highest levels of the organization and the board.
That’s very problematic because the technology executive has a bit of a conflict of interest. They’re the ones who are doing the [software] applications for the company. They are the ones who are making the purchases. They want the budget that they’ve allocated to go through, and they don’t want a security person stopping them from doing what they want to do. For most companies, that’s a very old-fashioned way of doing things, and that cybersecurity person still doesn’t have the visibility at the highest C-level that they need to have.
Knowledge@Wharton: We hear stories about hackers in Russia, China and Eastern Europe. How much of this activity is happening inside the United States?
Fazzini: As much as we like to say that we aren’t able to catch these criminals, we have a much more robust law enforcement capability of catching these criminals. What makes us different in the United States is that the people who are doing cybercrime in this country, especially if it involves hands-on activities like going to an ATM or something like that, they’re much deeper underground than they are overseas.
That’s partially because in a lot of Eastern European nations, law enforcement just looks the other way on a lot of these crimes. In countries like Russia and in some Asian countries — not so much China — they will actually recruit criminals who show that they have a really good way of doing certain cyber activities. … That is not something that we do in the United States at all. You will never see the NSA (National Security Agency) recruiting a significant cybercriminal into their organization.
Knowledge@Wharton: You write in the book about a 19-year-old Romanian student who stumbled into cybercrime. Can you tell us more about that case?
Fazzini: Renee — her name is a pseudonym, of course — just happened upon lots of startups in her local community, not really realizing that those startups are actually criminal organizations. The reason why it’s so easy for her to go there, find a job, and then find out she’s working for something very different than what she signed up for is because, in Eastern Europe in particular, these organizations have become just like businesses.
They have business plans. They have CEOs. They have customer service representatives who will answer the phone and help guide you through what to do if you have been the victim of fraud perpetrated by them, and how you can pay them back and get your files back if it’s something that involves stolen files. So, the organizations that are working against us are mainly based overseas. They just mirror our corporations. They mirror our own small businesses. That’s something that would be helpful for people to understand so they know what we’re really up against.
“The organizations that are working against us are mainly based overseas. They just mirror our corporations.”
Knowledge@Wharton: The types of crimes are becoming more advanced, more daring. In some cases, it doesn’t really even include hacking, correct?
Fazzini: That’s absolutely true. There’s one word that I sometimes caution people from using, and that word is “sophisticated.” Because even as these crimes have become more prolific, the sophistication has been dialed back as you see a lot of people interested in making money this way looking to lower the bar for entry.
Where ransomware used to be a pretty difficult thing to pull off, now you can just go online, buy a kit. You don’t have to be somebody who’s very good at computers. It would be the same thing as you, a consumer, just buying antivirus software, installing it and using it. Maybe a better analogy would be some kind of business software that helps you do your business. You don’t have to have a degree in computer science to do that. And criminals are doing that in the same way.
Knowledge@Wharton: Is this the 21st century digital version of the old mafioso, where once you’re in, you’re in for life?
Fazzini: It is, and it isn’t. I spoke with a researcher recently who said something really interesting to me: When these criminal groups got too big and too businesslike, they were much easier to identify. There’s an advantage in being a really small, agile business where you’re changing hands all of the time. The other interesting thing with the criminal groups is, there’s very much a startup kind of culture in that you will see guys doing the startup. They pal up with either people in their town or people who they’ve met online in the dark web or otherwise.
They work together, and then they have falling-outs. They will have fights with each other. They will have intellectual property disputes. “I’m the one who made that malware, you can’t use it.” And then he’ll go off and start his own criminal ring. It’s very similar to what you see with the regular startup culture. That’s what differentiates it from the old-school mafioso where you’re tied to this greater organization. Even if the money is in some way flowing into those old-school organizations, it’s going to be separate in terms of how it’s being made.
Knowledge@Wharton: Is it fair to say that cybersecurity is paramount in the banking sector, where information must be closely guarded?
Fazzini: Certainly, that’s something that the banks have been thinking about for many years. It’s something that the Department of Treasury has been thinking about for many years. At the Treasury, it’s really the main organization that banks answer to on cybersecurity, which is different than many other sectors. There is a very interesting program that I’ve followed called Sheltered Harbor.
… You have Goldman Sachs, Wells Fargo and Bank of America saying, “We need a wider program to back up literally every transaction that is being made every day, somewhere offsite, so that in the event of a catastrophic cyberattack, we are able to say, ‘Kate has $100 in her savings account and we can reconcile all of those transactions,'” because that is really the worst-case scenario that they’re looking at. So, yes, they definitely have been thinking about the worst-case scenarios. They’ve been actively doing a lot of backing up and trying to work together collectively to make sure all of the institutions are on board with that.
“Where ransomware used to be a pretty difficult thing to pull off, now you can just go online, buy a kit.”
The financial sector is one, I think, that has benefited from the fact that they’ve had much more scrutiny than many of the others. You see the difference between the banks and what happened at Equifax, which would have been unheard of at a large bank. But because Equifax is a credit ratings agency, it wasn’t being regulated. It wasn’t under the same scrutiny, didn’t have as much access to what the financial services companies do. You see some of those things falling apart a little bit when you don’t have all that collective energy.
Knowledge@Wharton: What is the currently relationship between the U.S. government and these various business sectors? I would think that they need to rely upon each other to fight cybercrime.
Fazzini: There are a number of organizations that work with different sectors called ISACs, Information Sharing and Analysis Centers. The FS-ISAC is the financial services version of that. There are versions of that for the automotive sector, for health care, for hospitality, and so on. The Department of Homeland Security has designated a number of key areas — I think they’re at 16 now — sectors that they also are keeping an extra eye on.
They’re not regulating them. They include financial services, water, large venues like Madison Square Garden. The problem with that is there are huge gaps in between. For instance, one of the areas that nobody was covering was elections, and that was one area where we saw an enormous amount of activity. In one of his last acts in office, President Barack Obama did give elections infrastructure that DHS designation. But you can see where that’s certainly retroactive.
There are still gaps that exist. Credit ratings agencies were another gap that we saw that was enormously damaging. They’re also vertical. So, all the health care companies talking to each other, all the banks talking to each other. But there are certainly attacks, as we saw with WannaCry, with the big ransomware attacks that cut right across all of the sectors.
If somebody in health care, say Merck, is seeing a major industrial attack, I think the oil and gas companies would want to know what they are seeing on their industrial controls, right? But that doesn’t really exist today. That information sharing is just all [siloed] into those separate industries.
Knowledge@Wharton: Perhaps there are gaps because there are concerns around anything related to energy and power, and because a lot more of that is going digital?
Fazzini: It will be very interesting. I don’t know if you saw this recent story about the U.S. Customs and Border Protection, which had a breach involving about 100,000 data points that involved photos that had been used for facial recognition. That breach happened because a contractor, a third-party provider, further subcontracted out to another fourth-party provider. That is where the origins of the breach came from.
“In the case of Equifax, …. that data was stolen by a nation-state for espionage purposes. It has never been discovered for sale on the dark web.”
It appears that CBP didn’t realize the amount of subcontracting that was happening. But that’s the problem in the energy sector, too. You have software providers subcontracted to other subcontractors. The list goes on and on. It is very difficult, even for a really sophisticated company with a ton of money, to have visibility into all of their third parties. And attackers, especially nation-state attackers, are not just going after Con Edison. They’re going after the third, fourth, and fifth lines of subcontractors, and for a very good reason — because that’s where the weaknesses are. Nobody’s watching them.
Knowledge@Wharton: Where do you see the biggest threats to cybersecurity coming from in the next 10, 20 years?
Fazzini: There’s sort of two layers of threats. There’s the cyber 9/11 stuff that gets a lot of play in the news — what is the big thing that’s going to cause a lot of problems? And then, what is the personal thing that is causing people a lot of pain?
I really think the future of cybersecurity is going to be trying to stop some of these things that are causing individuals a lot of pain. … [For example,] people buying and selling homes last year lost about a $1 billion to wire fraud. The wire fraud involves emailing you — just as you’re about to close on your home — from an email account that looks like your lawyer’s account saying, “We’ve changed the routing information for the wire. You can send the down payment here.”
It’s something that simple. People have lost homes; they’ve lost hundreds of thousands of dollars in down payment money in a single shot. And it is almost impossible to get that money back. That ruins lives. That’s happened to a lot of people, and it’s not the kind of thing that is really hitting the news. That’s what I think we need to have the technology solutions for.
Knowledge@Wharton: What is missing in the media reporting of cybercrime?
Fazzini: It’s hard to get breaking news right, but there were a lot of inaccuracies, and it just focused on all of the wrong things such as making people worry about things that they didn’t have to worry about.
In the case of Equifax, we had a lot of companies trying to sell credit monitoring after that happened. But the truth is, as almost every single intelligence agency has asserted, and the company itself has asserted, that data was stolen by a nation-state for espionage purposes. It has never been discovered for sale on the dark web. Nobody has ever lost their identity because of it, in the sense that it was not stolen and then credit cards were taken out in their name. They have not had their identity stolen because of the Equifax breach.
But what do people think of when they think of that breach? They think of the thing that led to the sale of the credit-monitoring services, the fear that they have about their own personal credit. So, I want to correct some of those stories, and I have. I’ve written about the true story of what happened to the Equifax data.