New York attorney Arkay Bukh gives interview to Bloomberg BNA and shares his opinion on the recent events in the world of cybercrime. Bukh Law Firm, 14 Wall St, New York NY 10005, (212) 729-1632

1. Privacy & Security
Law Report®
VOL. 13, NO. 39 OCTOBER 6, 2014
Cybercrime
Arkady Bukh, Bukh & Associates PLLC
V i e w s o n C y b e r c r i m e , H a c k e r s a n d V i r t u a l C u r r e n c y
Recent high-profile hacking data breaches and international cybersecurity concerns have put cybercrime
issues in the public spotlight and influenced data security risk analysis by corporations.
Bloomberg BNA Privacy & Security Law Report Senior Legal Editor Donald G. Aplin posed a series of
questions to criminal defense attorney Arkady Bukh, of Bukh & Associates PLLC
(http://www.nyccriminallawyer.com/) in New York.
Among his other criminal defense work, Bukh has
represented high-profile alleged hackers.
BLOOMBERG BNA: It’s not unusual for corporate and
government cybersecurity analysts to say that it is nearly impossible
to stay ahead of hackers in trying to protect sensitive data. You have
represented several high-profile alleged hackers facing criminal
prosecution. What have you learned from that experience that might
assist companies looking to be more effective in their data security
efforts?
The companies cannot protect against human error. In some
instances, I’ve seen cases where the hackers send someone to
corporate offices just to get someone inside. The answer is of
course it’s hard, but the hackers anticipate what’s forthcoming
and are ready.
They are looking for an easy target. A company that is easy to
penetrate. The small companies can’t afford a high-tech security
system, and hackers know that. It is nearly impossible for them to
stay ahead of the hackers. They can barely afford to do
compliance.
Bukh: This is true. It’s very hard to fool-proof the sys-tem. The
hackers and Russian military are very bright people with doctorates in
math.
COPYRIGHT 2014 BY THE BUREAU OF NATIONAL AFFAIRS, INC. ISSN 1538-3423

2. 2
BLOOMBERG BNA: The level of interest in data
breaches—which seems to be routinely followed by a kind of breach
notification fatigue and declining attention—is at the higher end at the
moment in light of breaches at Target Corp. (12 PVLR 2133,
12/23/13), Home Depot Inc. (13 PVLR 1641, 9/22/14) and alleged
hacking attacks of banks. Are we seeing anything new in how these
data breach incidents occurred or in how companies are responding to
them?
Bukh: The efforts are focused around the idea of tracking the
activities of local protest groups and even extend the control to
‘‘general public.’’ This is a very good time for the Russian
government to issue a PA-TRIOT Act of their own to put tight
controls on the Internet.
The hackers will still be able to bypass any sort of regulation
unless Russia opts to completely disconnect from the Internet, an
idea which Russian Prime Minister Dmitry Medvedev has been
shopping around Bukh: Companies like Home Depot try to figure out how the as an ‘‘emergency’’ tool.
data breach came about, how the hackers got access. However, the
same type of attack will unlikely happen again, so preparing for an
identical data breach isn’t a smart move.
BLOOMBERG BNA: Do you think it is accurate, or fair, that
Russian hackers are cited as the source of so many cyberattacks, for
example in August when a data security consulting firm pointed the
finger at a ‘‘gang’’ of Russian hackers that allegedly stole 1.3 billion
pass-words or more recently when Russian hackers were suspected as
the source for attacks on JPMorgan Chase & Co. and four other banks
(13 PVLR 1549, 9/8/14)?
The hackers try to find any ‘‘hole’’ in the payment system in
order to obtain data. It’s enough for a hacker to find any weak
spot in the whole process. It’s not just Home Depot; it’s the other
third-party companies that can put them at risk, such as the
wireless Internet ser-vice providers they use.
There are hundreds and hundreds of attacks launched against
companies. The problem becomes ap-parent only when the
attacks are successful.
Bukh: When the authorities busted some major underground
criminal forums, they were able to retrieve the Internet protocol
addresses of most users. Although this data was partially biased by the
fact the hackers sometimes use proxies to access the forums, it still
con-firms the statistics that Russia, along with Ukraine, Ro-mania and
Indonesia, hold the lead as bases for hack-ers. As a matter of fact, the
vast majority of these online cybercrime boards are localized for a
Russian audience.
BLOOMBERG BNA: You have said that the recent cy-bercrime
report from the Center for Strategic and Inter-national
Studies—which concluded cybercrime was rampant on an
international level and predicted that trade theft due to computer
hackers would worsen (13 PVLR 1065, 6/16/14)—is noteworthy as
the first such re-port to ‘‘use precise economic modeling to find the
fig-ures for losses attributed to malicious cyber activity.’’ Would you
explain why you think this modeling distinc-tion is so important and
what the chief takeaway from the report is for companies?
Russia, along with Ukraine, Romania and
Indonesia, hold the lead as bases for hackers.
As a matter of fact, the vast majority of these
online cybercrime boards are localized for a
Russian audience.
Bukh: Previously, economic modeling has not taken into
account the rapid rise of cybercrime in territories within the former
Soviet Union. Some of the greatest economic minds have made best
guesses, but at the end of the day, they were just guesses.
The distinction in the new modeling is important be-cause it
provides real-world, quantifiable figures based on real-world,
quantifiable data.
While the outcome is too early to see with any degree of
certainty, it could be a game changer.
When I browse through new cybercrime indictments, I can see
a Russian name on literally any of them.
As a side note, I spoke to a few hackers back in Rus-sia about
stolen passwords. The way the hacker thinks, e-mail addresses
and passwords can later be traded. On the online forums, you can
sell an e-mail address for $100 or more.
BLOOMBERG BNA: Given your strong ties to Russia—
having been born in Moscow, having continuing ties to the Russian
ex-patriot community and representing criminal defendants from that
part of the world—do you have any insights into Russia’s recent
server localization effort, its steps to require that companies keep
certain personal data collected there on computer servers actually
located in the country (184 Privacy Law Watch, 9/23/14)(13 PVLR
1693, 9/29/14), allegedly undertaken in retaliation for international
sanctions related to Russia’s activities in the Ukraine?
If you have information on the person, you can sell that, too.
This is a huge market after the initial theft. They will be able to
sell stolen information for millions and millions of dollars for
years to come.
BLOOMBERG BNA: You accept bitcoin as a form of
compensation for your legal services. Does that practice raise any data
security or regulatory concerns for you,
To request permission to reuse or share this document, please contact permissions@bna.com. In your request, be sure to include the following in-formation:
(1) your name, company, mailing address, email and telephone number; (2) name of the document and/or a link to the document PDF; (3)
reason for request (what you want to do with the document); and (4) the approximate number of copies to be made or URL address (if posting to a
website).
10-6-14 COPYRIGHT 2014 BY THE BUREAU OF NATIONAL AFFAIRS, INC. PVLR ISSN 1538-3423

3. 3
particularly since you are in New York where the state
Department of Financial Services has taken a stronger interest in
such matters, at least as far as virtual currency businesses are
concerned (13 PVLR 1327, 7/28/14)?
The American Average Joe has yet to grasp the idea of bitcoin.
I was involved in the Egold case, so I am aware of le-gal points
accepting a virtual currency. Egold was the first successful digital
currency system to gain a wide-spread user base and merchant
adoption but was put out of business in 2008 after money
Bukh: Accepting bitcoin is more a marketing trick showing we laundering criminal charges.]
are open and willing to work with bitcoin clientele. This sends a
strong message to that specific community. However, with certain due
presents a rather safe choice. O
diligence and disclaimers, it
PRIVACY & SECURITY LAW REPORT ISSN 1538-3423 BNA 10-6-14