Cyber crime: “a monumental problem”
Bob Anderson led the FBI investigation into Edward Snowden. Now a Managing Director at Navigant he explains why firms should admit they’ve been hacked.
How has cyber crime changed?
The complexity and sophistication of attacks increases almost daily. The bad guys are constantly refining their methods and can launch attacks very quickly, which puts us behind the eight ball because we have rules and laws which define how we can react and how we think. It’s a monumental problem and it’s not going to get any better. I’m not a glass-half-full kind of person when it comes to this issue.
I’m not a glass-half-full kind of person when it comes to this issue.
In the past, it was only very skilled hackers who carried out attacks. Now, hacking kits can easily be bought on the dark web, or you simply hire someone to carry out the attack for you. So the number of attacks has increased exponentially.
What is the biggest threat today?
It differs depending on the industry. Ransomware attacks on hospitals and other healthcare providers are rampant in the US, causing huge business interruption which results in losses running into millions of dollars. They’re an almost daily occurrence, and I can’t believe that won’t spread across the Atlantic.
This year, I predict we’ll see more attacks on law firms. They hold a lot of very sensitive data on their systems, and that’s exactly what criminals want, either to sell, to ransom or to use for extortion. Most law firms represent victims – they aren’t used to being victims themselves. But they really need to consider how they protect their data.
Rogue nations’ ability to launch attacks, either on private enterprises or other states, is a huge concern. Companies must now consider who may target them. Defending a low-grade criminal attack is a very different investment from defending an attack by a nation state. I’ve seen many private enterprises whose information security systems are pretty good against attacks by ordinary cyber criminals or hacktivists – but that might not be who’s attacking them. So, companies need to evaluate their potential attackers and build an information security system based on that assessment.
This year, I predict we’ll see more attacks on law firms.
How can companies identify their potential attackers and defend themselves appropriately?
They need to constantly evaluate their information and cyber security programmes to make sure their security systems are the most modern and robust available. The day you need to really worry if you’re a CEO is when your head of information security tells you: “Don’t worry about this, we’ve got this covered, we’re good.” The bad guys are constantly evaluating their methods of attack, so you need to do the same for your defence.
The risks vary according to industry, so in terms of nation states, the biggest threat to the healthcare sector comes from China, while in the energy sector it’s Russia, particularly for fracking.
It’s not about how much you spend on cyber security. A lot of the major breaches I was involved with at the FBI involved companies that had spent a lot on security, but their defences had been focused in the wrong direction because they hadn’t considered what their most sensitive data was and how to protect it.
How do the biggest cyber attacks you dealt with at the FBI highlight the changing threat?
The Office of Personnel Management breach involved the theft of personal data of around 23 million government employees, past and present, including members of the law enforcement and intelligence agencies. The US government said the attack came from China, and, although the Chinese government insisted it was not state sponsored, none of that stolen data has since turned up on the dark web for sale, unlike after other, similar attacks. That would suggest that the attack was carried out for specific intelligence-gathering purposes, rather than for money.
Another major attack I dealt with was that on Sony. It was conducted by another nation state, this time North Korea, but it wasn’t intended to steal anything – it was intended to destroy the company [for releasing the movie The Interview]. That took place very quickly [after threats of retribution were made if the company didn’t pull the movie] and brought the company to its knees within minutes.
Many companies still don’t admit that they’ve been hacked. How much of a problem is this?
I agree with you and the fact that no one is talking about it is to everyone’s detriment. It’s something I discussed with my counterparts in the UK intelligence community while I was at the FBI. I would liken the situation in the UK now to that in the US five years ago. An important way of combating this [reluctance to report breaches] is by educating people about the intelligence-gathering benefits of reporting attacks. A lot of companies think that they’re the only ones this is happening to, but in reality it’s happening to companies all around. By educating and talking about this you help each other. But it requires a cultural shift.
Work also needs to be done to coordinate and correlate the data that is already out there. There are a lot of private-sector data security consultancies that collate this information, as well as national intelligence agencies. If everyone can share information on the attacks that they’ve witnessed then that would help enable organisations to better prepare themselves for evolving attacks.
Using the US example, this process starts with education then evolves into alliances between private-sector companies and government agencies, which then grow into formal intelligence-sharing partnerships between companies and the law-enforcement community.
Now, the FBI and intelligence agencies will join forces with private security consultancies in responding to a major breach, sharing information right up to top-secret level. That would never have happened two or three years ago. But it’s taken that evolution to bring all those partners to the table. Everyone wants the same thing: to protect the company and to prevent sensitive data from leaving the country.
We also built the National Cyber Investigative Joint Taskforce to coordinate cyber threat investigations. It comprises the FBI along with all of the nationwide intelligence organisations, as well as the “five eyes” alliance members: the US, UK, Australia, New Zealand and Canada. That helped us enormously, because we had intelligence from all of these different sources as well as from our own agency. I think it would be useful for the UK to build a similar body.
Do law-enforcement agencies have the resources to cope with the rising tide of cyber attacks?
The reality is that you always have finite resources and you set your priorities according to your available resources. You could argue that you would never have enough resources: you could put an extra 1,000 or 10,000 people to work on tackling cyber crime and they’d still be overwhelmed by the workload. That’s why we need to educate enterprises about understanding what their most important data is and how to keep that safe, because that will mitigate the risk of cyber attacks.
Also, I think a set of international cyber principles needs to be drawn up, endorsed by the United Nations to which other countries have to sign up. There are too many countries today which do not view cyber attacks as being crimes.
What impact has Edward Snowden had on the fight against cyber crime?
Huge. I was in charge of the FBI investigation, so I know every tiny detail of the case. But what should have set off alarm bells everywhere is if the National Security Agency, probably one of the most sophisticated technical organisations in the world, could have an insider steal as much information as he did without anyone knowing about it, then it could happen to any organisation.
Has the move for greater encryption following his revelations made it harder for intelligence agencies?
Yes, it’s made for a tougher environment. But, as I said earlier, that’s why it’s so important to create a partnership between national intelligence agencies and private enterprises. Otherwise, you’ll always be behind the curve. It never will end well if the first time I, as a law enforcement agency, speak to you, a private company, is when there’s a crisis. I’m going to be pushy because I need to get information quickly because I’m worried about something going wrong, while you’re going to be very suspicious of me.
Do you think Snowden did anything positive?
No, I helped to indict him on espionage charges within 16 hours. He’s currently still wanted for being a spy and one day, I would like to have the chance to speak to him, because I think the way he did what he did hurt the US immeasurably. There was a process in place he could have followed to express his concerns, but he chose to not follow that at all.
What do you think the future holds?
I think it will be increasingly hard to stop cyber criminals, so it’s important for us to try to be ahead of this problem. Organisations need to evaluate every aspect of their data security policies.
I try to constantly impress on companies the need to ask themselves: “Am I out in front of the person who’s trying to steal my data?”
I think everyone needs to think of more proactive remedies, rather than trying to pick up the pieces after a disaster occurs. More companies are starting to think about it, but not too many are doing it right now. I try to constantly impress on companies the need to ask themselves: “Am I out in front of the person who’s trying to steal my data?”