Transcript of a podcast in conjunction with The Open Group Conference in San Francisco on how foreign governments and criminal gangs are colluding to attack governments and businesses for profit and politics.
Overlapping Criminal and State Threats Pose Growing Cyber Security Threat to Global Internet Commerce, Says Open Group Conference Speaker

Sponsor: The Open Group

Dana Gardner: Hello, and welcome to a special BriefingsDirect Thought Leadership interview series coming to you in conjunction with The Open Group Conference this January in San Francisco. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, and I will be your host throughout these discussions.

The conference will focus on how IT and enterprise architecture support enterprise transformation. Speakers in conference events will also explore the latest in service oriented architecture (SOA), cloud computing, and security. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

Today, we're here with one of the main speakers of the conference, Joseph Menn, Cyber Security Correspondent for the Financial Times and author of Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet.

Joe has covered security since 1999 for both The Financial Times and, before that, for the Los Angeles Times. Fatal System Error is his third book; he also wrote All the Rave: The Rise and Fall of Shawn Fanning's Napster.

As a lead-in to his Open Group presentation entitled "What You're Up Against: Mobsters, Nation-States, and Blurry Lines," Joe and I are now going to explore the current cyber-crime landscape, the underground cyber-gang movement, and the motive behind governments collaborating with organized crime in cyberspace. So please join me now in welcoming Joe Menn to BriefingsDirect.

Joseph Menn: Hi. How are you?

Gardner: I'm great.
You know, just starting off our discussion, it seems to me that there had been some conventional wisdom about cyber crime and security that if there wasn't much profit or if there was some risk and cost associated with it, and you could escalate the cost, then there was self-regulation in place and the cost of cyber crime would outweigh the payoffs, and it stayed manageable.

Has that changed? Have we entered a new period where just balancing risks and costs isn't a sufficient bulwark against burgeoning crime and risk?

Menn: I'm not sure that that was ever true, not after cyber crime metastasized beginning in 2003, when the bad-guy spammers in Russia wanted more IP addresses to send mail from after the blacklisting got effective. But it's increasingly less true than it ever was. Maybe you can make your enterprise a little trickier to get into than the other guy's enterprise, but crime pays very, very well, and in the big picture, their ecosystem is better than ours. They do capitalism better than we do. They specialize to a great extent. They reinvest in R&D.

On our end, on the good guys' side, it's hard if you're a chief information security officer (CISO) or a chief security officer (CSO) to convince the top brass to pay more. You don't really know what's working and what isn't. You don't know if you've really been had by something that we call advanced persistent threat (APT). Even the top security minds in the country can't be sure whether they've been had or not. So it's hard to know what to spend on.

More efficient

The other side doesn't have that problem. They're getting more efficient in the same way that they used to lead technical innovation. They're leading economic innovation. The freemium model is best evidenced by crimeware kits like ZeuS, where you can get versions that are pretty effective and will help you steal a bunch of money for free. Then if you like that, you have the add-on to pay extra for -- the latest and greatest that are sure to get through the antivirus systems.

Gardner: When you say "they," who are you really talking about?

Menn: They're the bad guys. It's largely Eastern European organized crime. In some countries, they can be caught.
In other countries they can't be caught, and there really isn't any point in trying. It's a geopolitical issue, which is something that is not widely understood, because in general, officials don't talk about it. Working on my book, and in reporting for the newspaper, I've met really good cyber investigators for the Secret Service and the FBI, but I've yet to meet one that thinks he's going to get promoted for calling a press conference and announcing that they can't catch anyone.
So the State Department, meanwhile, keeps hoping that the other side is going to turn over a new leaf, but they've been hoping that for 10 or more years, and it hasn't happened. So it's incumbent upon the rest of us to call a spade a spade here. What's really going on is that Russian intelligence and, depending on who is in office at a given time, Ukrainian authorities are knowingly protecting some of the worst and most effective cyber criminals on the planet.

Gardner: And what would be their motivation? In heaven's name, why would a sovereign power or an agency therein want to protect cyber criminals?

Menn: As a starting point, the level of garden-variety corruption over there is absolutely mind-blowing. More than 50 percent of Russian citizens responding to the survey say that they had paid a bribe to somebody in the past 12 months. But it's gone well beyond that.

The same resources, human and technical, that are used to rob us blind are also being used in what is fairly called cyber war. The same criminal networks that are after our bank accounts were, for example, used in denial-of-service (DoS) attacks on Georgian and Estonian websites belonging to government, major media, and Estonian banks.

It's the same guy, and it's a "look-the-other-way" thing. You can do whatever crime you want, and when we call upon you to serve Mother Russia, you will do so. And that has accelerated. Just in the past couple of weeks, with the disputed elections in Russia, you've seen mass DoS attacks against opposition websites, mainstream media websites, and LiveJournals. It's a pretty handy tool to have at your disposal. I provide all the evidence that would be needed to convince reasonable people in my book.

Gardner: In your book you use the term "Bringing Down the Internet." I suppose another conventional thought around security is that there is a sort of mutual assured destruction effect where bringing down the Internet would hurt everyone. Is that not the case?
Are they really just looking for people's credit card numbers and petty crime, or is this really a threat to the integrity of the Internet in general?

Menn: Well, integrity is the keyword there. No, I don't think anybody is about to stop us all from the privilege of watching skateboarding dogs on YouTube. What I mean by that is the higher trust on the Internet in the way it's come to be used, not the way it was designed, but the way it is used now for online banking, ecommerce, and for increasingly storing corporate -- and heaven help us, government -- secrets in the cloud. That is in very, very great trouble.

Not a prayer

I don't think that now you can even trust transactions not to be monitored and pilfered. The latest, greatest versions of ZeuS get past multi-factor authentication and are not detected by any antivirus that's out there. So consumers don't have a prayer, in the words of Art Coviello, CEO of RSA, and corporations aren't doing much better.
So the way the Internet is being used now is in very, very grave trouble and not reliable. That's what I mean by it. If they turned all the botnets in the world on a given target, that target is gone. For multiple root servers and DNS, they could do some serious damage. I don't know if they could stop the whole thing, but you're right, they don't want to kill the golden goose. I don't see a motivation for that.

Gardner: I guess if we look at organized crime in historical context, we find that there is a lot of innovation over the decades, over the generations, about how to shake people down, create rackets, protection scams, and so forth. Is that playing out on the Internet as well? Is there some continuity between what organized crime tends to do in the physical world and what they're now attempting to do in the virtual world?

Menn: Sure. The mob does well in any place where there is a market for something, and there isn't an effective regulatory framework that sustains it -- prohibition back in the day, prostitution, gambling, and that sort of thing. One of the things that's interesting about the core narrative in my book is that prostitution doesn't travel very well. Liquor is pretty well legal in most of the country, but gambling travels very well.

So the traditional five families, Gambino-type mobs, gravitated towards Internet gambling, and they run some very large enterprises that are offshore. And if you don't pay off, then yeah, somebody actually shows up and breaks your legs. Old school.

The Russian and Ukrainian gangs went to extortion as an early model, and ironically, some of the first websites that they extorted with the threat were the offshore gambling firms. They were cash rich, they had pretty weak infrastructure, and they were wary about going to the FBI.
They started by attacking those sites in 2003-04 and then they moved on to more garden-variety companies. Some of them paid off and some said, "This is going to look a little awkward in our SEC filings," and they didn't pay off.

There are some people who say organized crime and the Internet don't really mix and don't know how it happened. I've just told you how it happened in the US. Overseas, it's not like the mob had a meeting one day and said, "Bob, I think this Internet thing shows promise. I want you to open a cyber division for it."

The way things work in Russia is that even legitimate businesses have a local patron mobster that they pay tribute to. It's not so much because he is going to shut them down, but because you want one guy to deal with all the other people that are going to shake you down -- other mobsters and cops who are on the take.

Once the cyber gangs got big enough, sooner or later, they also wanted the protection of traditional organized crime, because those people had better connections inside the intelligence agencies and the police force and could get them protection. That's the way it worked. It was sort of an organic alliance, rather than "Let's develop this promising area."
Gardner: Just as in past eras and with the need for protection, these cyber criminals look for a safe haven and perhaps pay off those people, whether it's physical or virtual, to protect that environment, and then perhaps there is some added collusion along the way.

Have we moved now beyond this "let's just get safe and pay off some people for protection," or is there a two-way street where these cyber criminals are being contracted by some state agencies? How does this further collusion come about?

Proving their worth

Menn: Exactly. That is what happens. Initially it was garden-variety payoffs and protection. Then, around 2007, with the attack on Estonia, these guys started proving their worth to the Kremlin, and others saw that with the attacks that ran through their system.

This has continued to evolve very rapidly. Now DoS attacks are routinely used as the tool for political repression all around the world -- Vietnam, Iran, and everywhere you'll see critics that are silenced by DoS attacks. In most cases, it's not the spy agencies or whoever themselves, but it's their contract agent. They just go to their friends and the similar gangs and say, "Hey, do this." What's interesting is that they are both in this gray area now, both Russia and China, which we haven't talked about as much.

In China, hacking really started out as an expression of patriotism. Some of the biggest attacks, Code Red being one of them, were against targets in countries that were perceived to have slighted China or had run into some sort of territorial flap with China, and, lo and behold, they got hacked.

In the past several years, with this sort of patriotic hacking, the anti-defense establishment hacking in the West that we are reading a lot about finally, those same guys have gone off and decided to enrich themselves as well. There were actually disputes in some of the major Chinese hacking groups.
Some people said it was unethical to just go after money, and some of these early groups split over that.

In Russia, it went the other way. It started out with just a bunch of greedy criminals and then they said, "Hey. We can do even better and be protected. You have better protection if you do some hacking for the motherland." In China, it's the other way. They started out hacking for the motherland and then added, "Hey. We can get rich while serving our country."

So they're both sort of in the same place, and unfortunately it makes it pretty close to impossible for law enforcement in this country to do anything about it, because it gets into political protection. What you really need is White House-level dealing with this stuff. If Obama is going to talk to his opposite numbers about Chinese currency, Russian support of something we don't like, or oil policy, this has got to be right up there or nothing is going to happen at all.

Gardner: I suppose there's a difference between political gain by shutting down the opposition or having political motives for undertaking these sorts of activities, but what about the pure capitalism side, intellectual property (IP), taking over products in markets with the aid of these nefarious means? I guess it's hard to know. A lot of companies won't want to share details about this, but how big a deal is this now for strictly enterprise and commercial organizations?

Menn: It is much, much worse than anybody realizes. US counterintelligence a few weeks ago finally put out a report saying that Russia and China are deliberately stealing our IP, the IP of our companies. That's an open secret. It's been happening for years. You're right. The man in the street doesn't realize this, because companies aren't used to fessing up. Therefore, there is little outrage and little pressure for retaliation or diplomatic engagement on these issues.

I'm cautiously optimistic that that is going to change a little bit. This year the Securities and Exchange Commission (SEC) gave very detailed guidance about when you have to disclose that you've been hacked. If there is a material impact to your company, you have to disclose it here and there, even if it's unknown.

Can't be boilerplate

If it might have, or is reasonably likely to have, a material impact, you have to spell it out. And it can't be boilerplate. It can't just be, "We are an Internet retailer and therefore we are a target of hackers and therefore people's credit cards might get out." No, without divulging what your weaknesses are, you have to say, "We have detected hacks in the past and we don't know, but our source code might be gone."

You have to be a little more explicit, and so far, it's basically Google that has really spelled out how badly they got hit. We're going to see a lot more companies say that, and I think that will help wake up Congress and the general public.

Gardner: So the old adage of shining light on this probably is in the best interest of everyone. Is the message that you take to corporate America or even global corporations that keeping this quiet isn't necessarily the right way to go?
Menn: Not only is it not the right way to go, but it's safer to come out of the woods and fess up now. The stigma is almost gone. If you really blow the PR like Sony, then you're going to suffer some, but I haven't heard a lot of people say, "Boy, Google is run by a bunch of stupid idiots. They got hacked by the Chinese."

It's the definition of an asymmetrical fight here. There is no company that's going to stand up against the might of the Chinese military, and nobody is going to fault them for getting nailed. Where we should fault them is for covering it up.
I think you should give the American people some credit. They realize that you're not the bad guy if you get nailed. As I said, nobody thinks that Google has a bunch of stupid engineers. It is somewhere between extremely difficult and impossible to ward off "zero-days" and the dedicated teams working on social engineering, because TCP/IP is fundamentally broken and it ain't your fault.

Gardner: Let's say that I'm a leadership individual at a corporation, a Global 500 organization, and I am wondering to what extent this is a risk. Is this something that's going to be an acceptable cost of doing business? Is this just something I have to deal with when I go to different markets around the world, or is this an existential threat?

We're still seeing record profits by many companies. Google is certainly not hurting. This hasn't necessarily attacked their bottom line in the same way it attacked their firewall. How serious is this? How serious should it be considered?

Menn: It's an existential threat not only to your company, but to our country and to our way of life. It is that bad. One of the problems is that in the US, executives tend to think a quarter or two ahead. If your source code gets stolen, your blueprints get taken, nobody might know that for a few years, and heck, by then you're retired.

With the new SEC guidelines and some national plans in the UK and in the US, that's not going to cut it anymore. Executives will be held accountable. This is some pretty drastic stuff. The things that you should be thinking about, if you're in an IT-based business, include figuring out the absolutely critical crown-jewel one, two, or three percent of your stuff, and keeping it off network machines.

Short-term price

Yes, that is a current cost to doing things that might well make you less efficient, and that's a short-term price you have to pay to ensure long-term survival.
You have to do that, and there are some creative things that could be done.

For example, say you've got a blueprint for the next widget that is absolutely going to smoke the competition, and it has got to be on a computer that other people can access for some reason. I would make 100 different similar blueprints of the next generation widget, and only a handful of people you trust know which is the right one, and all the others are hooey.

Therefore, if everything gets stolen, they're going to waste a lot of cycles building the wrong widget. That's the sort of strategic spy-type thinking that I think garden-variety CEOs have got to start engaging in.

Gardner: That's interesting. So we have to think differently, don't we?

Menn: Basically, regular companies have to start thinking like banks, and banks have to start thinking like intelligence agencies. Everybody has to level up here.
Gardner: What do the intelligence agencies have to start thinking about?

Menn: The discussions that are going on now obviously include greatly increased monitoring, pushing responsibility for seeing suspicious stuff down to private enterprise, and obviously greater information sharing between private enterprise and government officials.

But there's some pretty outlandish stuff that's getting kicked around, including looking the other way if you, as a company, sniff something out in another country and decide to take retaliatory action on your own. There's some pretty sea-change stuff that's going on.

Gardner: So that would be playing offense as well as defense?

Menn: In the Defense Authorization Act that just passed, for the first time, Congress officially blesses offensive cyber-warfare, which is something we've already been doing, just quietly.

We're entering some pretty new areas here, and one of the things that's going on is that the cyber warfare stuff, which is happening, is basically run by intelligence folks, rather than by a bunch of lawyers worrying about collateral damage and the like, and there's almost no oversight because intelligence agencies in general get low oversight.

We're probably also buying a whole bunch of cyber stuff, which is a waste. I mean, they're going to be the equivalent of $500 toilet seats, and we're not going to know about it, because this stuff doesn't get disclosed.

Gardner: I know that we could go on to this separate subject for hours, but just very briefly, how about the area of governance? We know who's in charge when it comes to interstate commerce. We know who is in charge when it comes to managing the monetary system and protecting against counterfeit bills.

Do we really have anyone who is officially in charge of protecting, let's say, in this case, US companies, but it could vary of course from country to country, from outside cyber warfare?
Is there a defense, legal, or other framework under which the responsibility for protection falls?

It's a mess

Menn: The short answer is it's a mess. The Department of Homeland Security (DHS) is officially in charge of protecting the civilian-owned stuff with the assistance of the Department of Defense (DoD) and the National Security Agency (NSA). The bottom line is that this makes it very tricky, because there are different frameworks involved.

For example, the FBI gets called in to investigate a hack and they discover it's criminal gang X, but that criminal gang may have been motivated to steal defense secrets more than the money. Then, they're supposed to kick it over to the intelligence community, but it's the same people. So we're a lot more handcuffed in all this than our adversaries are.
Gardner: So it's hard to say whose jurisdiction it is, under what circumstances, for how long, and then who gets the ultimate blame if things go right or wrong. I guess criminals would love to see that, right?

Menn: Yup.

Gardner: Okay, we have to wrap up. It's a very fascinating subject, obviously. Just quickly looking to the future, we have some major trends. We have an increased movement towards mobility. People are using public networks through their mobile carriers increasingly for work and more business-sensitive activities.

We have the drive towards cloud computing. We'll be putting more of our assets, data, processes, perhaps even IP in a third-party data center known as a cloud. We're also seeing the movement towards outsourcing more IT and outsourcing applications in a software-as-a-service (SaaS) field.

Are these good, bad, indifferent? How does this set of big shifts in IT impact this whole cyber security issue?

Menn: Well, there are some that are clearly dangerous, and there are some things that are a mixed bag. Certainly, the inroads of social networking into the workplace are bad from a security point of view. Perhaps worse is the consumerization of IT, the bring-your-own-device trend, which isn't going to go away. That's bad, although there are obviously mitigating things you can do.

The cloud itself is a mixed bag. Certainly, in theory, it could be made more secure than what you have on premise. If you're turning it over to the very best of the very best, they can do a lot more things than you can in terms of protecting it, particularly if you're a smaller business.

If you look to the large-scale banks and people with health records and that sort of thing that really have to be ultra-secure, they're not going to do this yet, because the procedures are not really set up to their specs yet. That may likely come in the future. But cloud security, in my opinion, is not there yet.
So that's a mixed blessing.

Gardner: Before we close out, it sounds as if it's important for companies to educate themselves on what the real threats are, consider what to do if they are a victim, try to figure out who their friends in government are, and the security of third-party private security organizations. Anything else that you think is important, Joe, in terms of getting started in moving towards both defense and offense, in anticipating that these issues, as you say, are potentially existential?
Radical steps

Menn: As I said, you need to think strategically about this, and that includes some pretty radical steps. There are those who say there are two types of companies out there -- those that have been hacked and those that don't know that they've been hacked.

Everybody needs to take a look at this stuff beyond their immediate corporate needs and think about where we're heading as a society, and to the extent that people are already expert in this stuff or can become expert in this stuff, they need to share that knowledge. That will often mean saying "Yes, we got hacked" publicly, but it also means educating those around them about the severity of the threat.

One of the reasons I wrote my book, and spent years doing it, is not because I felt that I could tell every senior executive what they needed to do. I wanted to educate a broader audience, because there are some pretty smart people, even in Washington, who have known about this for years and have been unable to do anything about it. We haven't really passed anything that's substantial in terms of legislation.

As a matter of political philosophy, I feel that if enough people on the street realize what's going on, then quite often leaders will get in front of them and at least attempt to do the right thing. Senior executives should be thinking about educating their customers, their peers, the general public, and Washington to make sure that the stuff that passes isn't as bad as it might otherwise be.

Gardner: Very good.
We have been talking with Joseph Menn, Cyber Security Correspondent for The Financial Times and author of Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet.

As a lead-up to his Open Group presentation on "What You're Up Against: Mobsters, Nation-States and Blurry Lines," Joe and I have been exploring here the current cyber crime landscape, what can be done to better understand the threat, and perhaps begin to work against it.

This special BriefingsDirect discussion comes to you in conjunction with The Open Group Conference from January 30-February 3 in San Francisco. You'll hear more from Joe and many other global leaders on the ways that IT and enterprise architecture support enterprise transformation.

So thanks to you, Joe Menn, for a very fascinating discussion, and I look forward to your presentation in San Francisco. I also encourage our readers and listeners to attend the conference to learn more. Thanks, Joe.

Menn: Thanks very much.
Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator through these thought leader interviews. Thanks again for listening, and come back next time.

Copyright Interarbor Solutions, LLC, 2005-2011. All rights reserved.