tv Key Capitol Hill Hearings CSPAN December 18, 2014 5:30pm-7:31pm EST
individual victims from cyber security attacks. the private sector, as you know, has proved to be an increasingly important partner in these efforts, but particularly in the cyber security issue. prosecutors from the cyber security unit will be engaged in significant outreach to our private sector partners to facilitate cooperative relationships that will help us both going forward. one example of the kind of outreach we do, earlier this year we had heard concerns from communication service providers about uncertainty over whether the electronic communications privacy act prohibits sharing certain
cyber threat information. that uncertainty was limiting the sharing of information that really could better protect networks from cyber threats. .. this kind of mistrust can seriously hamper our ability to conduct investigations particularly in the cybersecurity area. most of this distrust comes from misconception that it comes from
misconception about the technical ability of law enforcement tools and even more significantly comes from misconceptions about the manner in which we use the tools that are available to us and you'll be hearing later today from various people who are far more expert than i that they are very important. it plays a very important role in clarifying for the public what is law enforcement's role in cybersecurity and what law enforcement can do, what tools we have. we have manuals that are online on the web site cybercrime.gov that are really probably the most helpful and far-reaching material you will see on the areas of topics like what are the laws governing seizing computers, searching computers, electronic surveillance, prosecuting computer crime and for those of you who are interested in seeing what exactly those laws are i recommend going to that web site. and again it's cybercrime.gov. i would like to briefly address
one overarching misconception and that is the apparent and unfortunately perhaps growing view that privacy and civil liberties are afterthoughts in criminal investigations. nothing could be further from the truth. in fact almost every decision we make during an investigation requires us to weigh the effects on privacy and civil liberties. we take those responsibilities very seriously. privacy concerns are not just tacked on or a box that gets checked during our investigations. they are baked into what we do and who we are. privacy concerns are at the core of the laws that set the ground rules for us to follow as criminal prosecutors. the department policies that govern our investigative and prosecutorial conduct have privacy concerns at their core. the accountability that we must embrace and that we happily embrace when we bring a cybercrime case into a court of
law and present our evidence to a judge or to a jury. privacy again is at the core of the values that we bring to all these things. it's also at the core of the proud culture of the department of justice not just in cyberspace but in all the criminal enforcement that we do. we not only carefully consider privacy implications throughout our investigations but we also dedicate significant resources to protecting the privacy of americans from hackers who would steal our information, our financial information or credit card information, online predators who would stalk and exploit our children, cyber thieves who steal the trade secrets of innovative american companies. that's just one example of our recent efforts. we announced a danish citizen who announced spyware called stealthgenie, an app that can remotely monitor texts, calls and other communications on mobile phones without detection.
this app was specifically marketed to people who wanted to keep tabs on their partners or spouses who they thought were cheating on them and it was used as a stalking tool. similarly earlier this year the u.s. attorney's office in the southern district of new york and the fbi announced charges against the owner of a site called blackshades. by the way we love these kinds of things like blackshades which sold something called the blackshades remote access tool. we played a significant role in the worldwide takedown and in the arrest of more than 90 people all over the world. the blackshades tool stole account information to browse their personal photos and to monitor them through their own webcams. this is really one of the scariest invasions of privacy to date. one of the things i was doing was one hacker was using the tool to secretly capture and booklet -- photos of young
women including miss teen usa in the new use those photos that capture to extort the victims posting the photos on the internet and also he would extort them into sending additional photos and other incriminating things. those are just two examples of our work to protect privacy and prosecute people who would invade the privacy of unsuspecting citizens. we are doing cases that are protecting people's privacy everyday and thwarting attempts like the ones i just described to invade privacy. we are hoping those efforts will help combat misconceptions that people have about our efforts to protect the privacy of american citizens and others. the outreach that we do allows us to participate in the growing public debate about evolving technology and we really think this debate will benefit from information that we have the criminal division and sees that the section in the criminal division can contribute how technology is being used by criminals how we are leveraging
technology to investigate and disrupt criminal activity and how technology can be leveraged in the public and private sectors to enhance the increasingly important area of cybersecurity. without that information misconceptions and inaccuracies can take root and hamper law enforcement efforts, cybersecurity programs and our efforts to protect the privacy of all of you. georgetown and the department of justice designed this program to bring together diverse views and our aim is to make sure a range of views are presented at the symposium. there will of course be limits to what specific things we can say about specific investigations that are ongoing and i preached -- appreciate that everyone will understand that but regardless we are excited about adding our voice to the discussion and grateful to georgetown and everyone here for supporting this effort. i hope and i expect this will be a great day for everyone and a very informative and i hope the
first of many conferences and thank you very much for coming. [applause] >> i'm going to ask the panel to come up and they have asked me to keep their introduction short because if i had to list all of their competition and we would not get to the content so if i can ask the panelists to take their seats i'm going to stand up here long enough to give you a brief overview of who's talking today and then i'm going to have a seat and let them carry the water from there. all the way to my left we have dr. libicki the senior management scientist at rand. he's also a distinguished visiting professor at the naval academy and an adjunct professor at columbia university. he writes extensively on cybertopics including most relevant for today a publication
called hackers' bazaar: markets for cybercrime tools and stolen data. to dr. libicki's right we have and he said. the director of public safety for verizon. he has had a variety of different roles including serving with the united states secret service and his company also publishes one of the most widely respected reports on cyber crime, the verizon data breach report. to his right we have dino dai zovi. he has been working in information security for over a decade with experience in red-teaming, penetration testing and software security. that all basically means he is a hacker. in 2008 -- named him one of the 50 most influential people in security. finally we have rick howard who is the chief security officer
for palo alto networks. he has had a variety of different jobs. he is currently providing oversight to palo alto networks threat intelligence team and served for 23 years in the united states army including two years as the chief of the army's computer emergency response team. please welcome our panel. [applause] today we are going to talk about the future of cyber crime but i want to start us out by talking about where we are today and where we are going into the future. andy why do you start us out with what cyber crime looks like today. >> thank you for letting me spend the next hour and a half with you today. it's going to get fun. hopefully we'll have a nice discussion today bilaterally. from my perspective cybercrime today is filled with
entrepreneurial minded criminals in a global -- global industrialized service that harnesses their resources in a collaborative manner depending on what their goals are. and i think it's a dynamic evolving environment. as we know it's constantly growing and i think what gets overlooked in the cyber criminal space is that they are well-informed. they are well-informed of the privacy landscape and the regulatory environments in which businesses operate globally and i think it's important they also pay close attention to what law enforcement does and have learned from the lessons by those that have quote unquote fallen before them. i think that's important. as it evolves and grows and as technology is enabling us to interconnect and to enjoy the way we live and take advantage of the benefits they will evolve
with that. i'm looking forward today to see where we have the panel or a group field like this is going to look like in the future. >> martin we have seen some the biggest data breaches happening this year where we are seeing tens of millions of customer records being taken. what possible use could cyber criminals be putting to use all the data they are taking? >> we know the data have been taken from places and have been converted into cards basically and burned into cards for which people withdrew money. in the case of target i can say i was a victim of one of those things. when i got a -- from my bank noticing there were three grocery store, very large grocery store purchases made on my behalf. fortunately the bank was good enough after four or five interactions with them to take
the money off the account but this is a typical way they have of converting the data into the transfer of goods which typically has been a funneling issue in the world of cyber crime. in other words in order to actually make money and stealing that kind of information you have to transfer information. you have to transfer money and then you have got to somehow find a way of taking the money out of the banking system. it is the last two that criminals are becoming increasingly efficient. back in i think six to 10 years ago there was a data breach at heartland payment system in which 150 million records were stolen. the harm to the heartland payment system wasn't order of
magnitude of the harms of target corporation which i think is testimony among other things to be increased -- for which criminals can take information and earn money. >> how are cyber criminals doing this? >> there are a variety of methods and you are seeing sophistication. i think a lot of the cyber criminals are looking for opportunistic loopholes and most commonly weak internet infrastructure that is allowing them to get in and hard and credit card numbers over one of the things we have seen the last five years is they have gotten a lot more organized and determined. for instance from my knowledge of the heartland payment system breach the hackers were
systematically going through some of the largest retailers and largest payment processors investigating which point-of-sale system to use and specifically targeting them and in some cases using types of attacks that were generally considered only the tools of sophisticated penetration testers like security researchers and buy wireless to look at the encryption of wireless networks. this group was able to use that to breach the internal network of retailers and then compromise the internal systems and looking at a variety of internal networks over my career we remarked how a lot of our defenses are hard on the outside and soft on the inside. we are still seeing this today in all of the big-name breaches you have read about it with
this. >> rick, how did we get here? >> that's a great question and i have worked on this project unless the report is called the cybersecurity project. it's a list that we think all cybersecurity practitioners should read so they know their craft well. the three books deal with cybercrime that i would like to point out. the first one is called fatal system error covers from 1995 to 2007, the first use of distributive extortion in the first successes from the british high-tech crimes and arresting early hackers. the second one i like is a fantastic book that gives deep insight about the business process operation of criminal organizations dealing with some -- they get the nuts and bolts about how they go about doing their business and it's a real integral look at that and the unofficial hero that comes out of brian's book is microsoft
about them taking on the infrastructure criminal organizations legally to take them off-line so that's a pretty interesting read. my favorite is kevin poulsen's -- covers from 2006 to 2007. the main story is a hacker by the name of max butler. he is a fantastic story writer and is going to make a great movie someday. his transmission. his transition from white hat hacker to black hat hacker is really interesting. his claim to fame is that there were four or five main underground forums selling credit cards and he didn't like the way they were operating so he decided to fix it and the way he did it was a marathon session from 48 hours of hacking and took down all of those web sites that criminals were using to control the data put them on his own underground forum and put a banner across the four web sites saying come to my site. if he was a good guy we would be
high-fiving everyone that did that. his downfall was that he had one of the sites infiltrated by the fbi. agent mularski moved up in the ranks of an underground forum and was the administrator of that web site. he kept meticulous backups so he was able to come back up online quickly compared to the others. because of that operation he was able to figure out who max butler was. those three books take on the history of how we got here with cybercrime. >> a quick question about max. i was familiar with his vision at the time like the late 90s or the 2000's. he wrote a dnf form. do not fold ability and hacked a bunch of open systems with unpatched vulnerabilities and one of the things he did was fix
the vulnerability but he also left a backdoor for himself just in case. i think he went to jail for that. he went to jail for that and when he came out was when he started credit card hacking. >> the thing about his story is you realize how hard it is to make money doing this. cyber criminals -- but rank-and-file are just making a living wage. stealing credit card information is probably relatively easy compared to learning -- converting that information into money. in max's story how they were doing it was they had a whole credit card subsystem in california and they were stealing credit card information and putting it on blank plastic and then i would hire young ladies in california to give them the credit cards and they go to high-end retail stores find
adjusting things and sell them on ebay and that was the way they would make money. that's not an easy way to make a million dollars. >> think about this for a second. we think about the infrastructure. the top-tier cybercriminals helps coordinate those investigations with federal law enforcement. those are the top-tier cybercriminals in the world to drive the economy of cyber crime. we have highlighted a couple but at the end of the day max has it right in every major data breach that you read about in the news there's a street-level component to it. somebody knows somebody within the chain and eventually it leads to a hacker or a vendor of that media. when you look at cybercrime and one of the things especially my role in the private law enforcement was especially during the 2008 breaches the payment system being part of it when you start to put a face to cybercrime it changes the
perspective. traditionally companies, regulators legislators didn't have a good understanding of what is cyber, what is cyber security and what is cyber crime when you hear about the victims but we don't truly have a good understanding of who is behind it. i think the work that is being done today over the last three -- few years has increasingly become more successful. they are in packs that to every major crime that we read about and we call it a data breach but every crime has a bad actor to live somewhere who interacts with people. and i think we have focused heavily on the technology aspects of it. we focus on words. we talk about the cloud and we talk about mobility and data analytics. the end of the day the things we do in security and the evolution of cybercriminals some of these guys the one we care about at
the top-tier level that drive the economy are the ones that outlive technology. they find a way to do their mission to make money or whatever it is they want to do regardless of what is in place. so they understand the motivation behind it. i would argue some of the differences between cyber criminals today in the u.s. versus a max butler is that some of them especially albert had access to the russian speaking infrastructure that specifically drive cybercrime and other parts of the world as well but financially motivated attackers driving that infrastructure is very well protected and coordinated and they move wherever they need to. so u.s. hackers having access to that to be able to monetize their information and steel very quickly is becoming more limited
due to the successes around the world. i think it's important to highlight two things. one law enforcement is having success and there has been an impact. in our data breach report year-over-year we see things that i could map back to law enforcement successes whether it was packet sniffers in 2007, 2008 and switching to malware tucson job databases targeting point-of-sale criminals around the world and harnessing that information in an automated scripted opportunistic way. the impact of law enforcement has impacted and the folks who are mentioning highlight that effort. they highlight the fact that we are making progressive steps towards winning the fight however we need to consistently work on it. >> i do want to talk about some of the trends that people have
started to mention. what are some of the trends that you are seeing today that you think are going to be important for us in 2020 and when we start with you this time martin. >> the trends, we are seeing a trend towards more consolidation in other words a more efficient markets. we are seeing a trend towards a lot more use of computers in the sense they can control more and more things. more and more connections among them and if you look at the trendline with the exception of law enforcement it looks like the world is getting worse. i want to point out something that gets us beyond the world of crime and punishment. we have erected an information architecture based on computers that easily change their
instruction. when people talk about malware they are talking about a hacker's ability to persuade your computer to run their instructions and in most cases those instructions have been placed into your computer for the computer to run. some of them are -- a large part of them are not. in many ways this is an artifact of the way we have built computers 30 years ago when we thought we were an innocent world and which we wanted to be open to third-party software. computers that we had 30 years ago using architecture vastly different that than almost any other electronic device around because very few electronic devices in the early 80s allowed construction to be changed so radically. you have a great deal of malware and although malware is not
necessary for carrying out cyber crime it's indicated in most of it in a world in which we don't have to have an architecture that works that way. and so the question that comes to my mind is how bad do things have to get before people start going either forward or backwards depending on your perspective to computer architecture that makes a lot of this crime very difficult to do. there were a series of articles yesterday in "the new york times" which touched on this issue and having talked to someone at darpa and of course darpa wants to push technology forward. there's an item to be made that in some cases they want to turn the technology backwards but that's a marked touchy issue but the question is when do we reach that point? i don't think we have reached that point yet. in other words they think things are going to have to get a lot worse before they get much better. whether things actually get a lot worse, that's a different question.
>> i think we are at that point already and we have been for a few years if you look closely in smartphones. we have tubing platforms made with different choices. for instance what you talk about technically is either a self modifying code or code signing and nonapple platforms either of these are allowed technologically. it's built in the architecture that all software that runs on it has to be signed and approved by apple and that's permeated deep into the system whereas on android-based devices it's a much more open environment and you can run software and the software can monetize itself like a traditional computer system and we have seen very different stories about malware on platforms and very different approaches. i think what will be interesting to see over the next six years
is we go into 2020s you think about it six years ago very few people had smartphones. that is a last six years thing. the next six years what are the devices that people have right now that they aren't going to have in 2020 so maybe it's devices in our home like a dropcam or maybe a smart air conditioner. maybe that is what will happen. what you need in platforms are learning lessons from smartphones today about how open they want to be with the software they run. do they want an existing open model or a more locked down model and that affects the crime that we see. >> that's really interesting and i want to get somebody there the panelists to focus on the term that has taken over the internet of things that we are going to have more and more devices, things that were never connected
to the internet before. i want to start with a closed versus open platform. we have seen two different models in the smartphone market. which of those models do you think from a consumer perspective and from a crime perspective is more likely to take hold going forward for the internet? rick do you have a thought on that? >> consumers, technicians love the apple product because it's mine -- shiny and smooth and it looks cool and you look like you know what you are doing. so the guys, we will go for an apple product because it makes us look smarter. ..
potentially opens more security holes. bring your own device. >> the technology is looming right now that we need to really pay attention to as we wire up your cars. as the high-tech models come in there is a olympics box on your dashboard. you can do facebook, all of that stuff, and the computer manufacturers are great engineers but they are not security engineers. come back to the clock and look at the applications we all use like adobe and microsoft, those guys know how to program securely and still have issues with their software. now we look at software development, manufacture shall have no idea how to do this and we need to start thinking about it. it is kind of scary. one manufacturer has put his onboard computer runs.
tiebreaks and they are back in the it does pandora on the same computer system. i can't even imagine what a service attack would do for that when you're driving down the road. i think that is the technology that is looming right now. >> actually, rick answered my question. i live in new york city. but an interesting point about the consumer price difference for android versus apple products. if you look objectively at the amount of malware there has been virtually none on apple products. that extra price differential makes security a luxury good. are we going to see that same dynamic play out in connected cars? are the higher-end manufacturers going to build, you know, invest
resources to lockdown infrastructure and on the lower end models we will have the malware problem. >> the one truth, no consumer pays for security. there is no money in it. apple built well-defined machines and gave a a security. the consumer did not think he was paying for security. >> let me jump in on you because i find the deep irony. five years ago one of the things that mac advertised was that it was more virus free. if you look technically at the differences, it is six to 1, half dozen the other. basically there is not a great difference between the two. the apple ios versus android where there is a huge difference, apple is in advertising that. and i think that gets to the point. if we really were in a point of
crisis people would be willing to pay an extra dollar or extra hundred dollars or whatever it cost. but the consumer has not felt that crisis it. there is a much different dynamic at work: the federal government. start thinking about what the recalls look like when you start having security issues in the guise of safety issues and think of the carmakers basically saying wouldn't it be nice if we could fix all of the recalls remotely which opens you up to remote code changing which gives you back into the entire circle again. >> which we are already seeing. there is a car manufacturer that is relatively recent, silicon valley entrepreneurial company, tesla. and they have done
remote updates over the air updates. is that a good idea? are we ready to have our brakes and steering connected to the internet? >> how did the average consumer buying a car, how do they make an informed decision about the level of safety? i want to come back to safety versus security later. martin is raising all my favorite points. the emails. but for cars we have star rating systems, way of testing the safety which gives consumers a
chance to make informed decisions. we don't have that for software security, cyber security. so how is the average consumer supposed to know how the risk of tesla's remote update versus some other system that may be better, maybe worse. >> i would like to try to drag us back to topic. these are all interesting things, but how does the cyber criminal take advantage of the internet of things? now there are way more places for them to insert themselves to collect your data. so if you are going to
be operating out of your car, your internet access point from now on, that is the new place for criminals to insert themselves. >> and is that going to be the business model? stealing your data or is it something else? we heard the assistant attorney general talk about ransomware. is that something we should be worried about with the internet of things? do i need to worry that my refrigerator will be hacked and i have to pay to save my meat in my freezer? >> i think so. we have already seen ransomware target off-line storage devices. i think that is a business model that is going to scale. especially as we get increasing control over a lot of payment fraud and traditional cybercrime business models. i think you raise the point of cybercrime is like a business, entrepreneurs with a slightly increased appetite for legal risk. and like any other business they are only going to shift markets when a new market is -- better returns than the existing market or the existing market goes away to the point that we have to look for new business models. the example of a car, if the price is low enough and you can pay with bitcoin over your phone and you just want to get to work and your car doesn't start. that might be a thing. >> can we talk about that? that is interesting. the business process is heavy on customer service because they don't want --
if they don't let you go after you pay the ransom it ruins the business model. they are good at undoing once you pay them. i find that fascinating. the guilt -- are good at giving you customer service once you pay them. >> becoming more efficient and leveraging technology and doing renewables, but at the end of the day they are still not managing their own risk. personal freedom. i think that is important when we start looking at and made to thousands and as the evolution goes more and more customer service is baked into the online form in the vending of data online, that is a measure to help about and minimize exposure. and as you start to see the shift in the.that is a model that is going to start to minimize the risk.
your computer, stealing your credentials. for me to be on the street exposing risk or creating risk for myself as an actor. as we look at the business models we ought to also look at the infrastructure that supports them and what -- how are they going to get access to the money that they are making for themselves? where are the points of exposure? just as much as we are looking at security architecture, how we want to do network defense, looking at where the risk points for that person doing the crime is an important part of the ecosystem as we have this conversation because like, you know, said as soon as we employ emv or chip and pin the card present fraud will start to diminish.
the card not present fraud will go up dramatically. constantly looking at the business model and how i evade detection, evade my own personal risk of being apprehended through that process. and i think including that of the conversation is important. >> the next innovation. it does not have to be credit cards involved in the attack. as the us moves to chip and signature. by the way, we are way behind everyone else on the planet. one of the reasons why credit card theft is easy. it will be a little bit better, but ransomware is the next thing that comes. the consumer will get that and you will see a lot more complaints. credit card fraud, banks cover the. it's kind of scary when you
told your credit card has been hacked and you get a new one in the mail but it does not affect you financially that much. wait until they start giving you 20 bucks a month. >> i am wondering if my car knows anything interesting about me. >> your car becomes your computer. that is where we're headed. google may change that for us. what does your car know? may know where you got.
the possibilities for law enforcement to get into the car. say look, there's a bad guy driving a tesla. i want this guy apprehended. the interplay among the three is the potential to be very interesting. maybe i keep my honda for a few more years. >> i think we will hear more about how the law we will have to change in order to strike the right balance when we talk about the government being able to deal with these new technologies and take advantage of the evidence that is created by them when appropriate to do so. for us with a focus on the technology we heard a lot about payment systems. bitcoin and credit cards.
i want to follow up a little bit on payment systems. i guess i will ask, is the credit card with a magnetic strip going to exist in 2020? >> i don't think so. moving to chip and signature, the industry is moving to something more substantial. >> i think that is the path. i think it is going to take a while for companies to get used to dealing with the technology and fine tuning the technology. you are already seeing in some countries that have moved to, you know, chip and pin that it is still as is a doing business in that model struggling with how i secure my network, configure my network. over time that we will start to diminish. >> your american credit card and go to france or europe and give it to a vendor.
what is this thing? it's so far behind the european credit card system. >> and then mobile payments. at what point is it all going to be done on a mobile device? you see that parking here today. >> credit card fraud will get more difficult. that is what i am hearing. >> well, when we talk about business operations they absolutely need a way to do anonymous money transfers. they absolutely have to have that. and they have it now with bitcoin and other kinds of operations, and i don't even know what the answer for law enforcement is. do you have an idea? >> certainly there have been successes over the years going back. there have been successes and then it falls back on banking regulations and the lack thereof from what that
company was doing. i think that has evolved. a lot more current knowledge. at the end of the day, you are right. they have to find a way and have a mechanism to receive the benefits of their efforts. and, you know, i think over time, you know, they are going to consistently find a way to do that. i think, you know, they have already started that shift with the transfer stuff, the money movement stuff. and i think that is not going away. in fact from a financially motivated attacker and potentially state actor, from a network defense perspective it becomes harder to decipher because they are leveraging stolen credentials to do both. and so who is the actual actor becomes a very important part of making decisions. we need to minimize the risk, find ways to move
money. and for structures are in place, but it changes as law enforcement have successes and the regulatory landscape changes. they pay attention to it and have the same debate about it online amongst yourselves that we are having today. i mean, there is no doubt that they outlive that. i think that they have made good progress in setting themselves up for the future unfortunately. >> and just for those that don't know, can you briefly explain what you referred to? >> sure. a digital currency where it was bound, i think, to the gold and basically created an environment where you could move money and had a real value in digital form. and so it did not have a know your customer
procedure from a banking regulatory perspective. that was awake, and we could improve or at least law enforcement to prove that the percentage of transactions was predominantly used by fraudulent activity. >> i think that we are saying that credit card fraud will slowly find its way out. so i think we are saying it is consumer personal information that is the value that we are worried about. is that true? more than just your credit card information, your name, where you live, social security number, medical history, is that more valuable? >> that is tough to monetize. >> it is sensitive, personal, but until there is like a good monetization i do not think that it will be a threat. i mean, we do know criminals will find monetization paths before we will. >> you brought up something interesting about social security numbers. five to ten years ago the
notion that everybody who knows my social security number is therefore me has been a standard in the world of finance and it is an absurd idea given how many times we have to give our social security number, how many poorly protected systems it sits on. maybe the problem is not the data. maybe the problem is the level of authentication that we give dated the position of data when we shouldn't. maybe the problem is in the transaction. i mean, -- >> if you look at the data breach purportedly produced last year we looked at just over 63,000 security incidents, just over 1300 data breaches and 50 countries. and when you look at it consistently even as the data breach report has evolved authentication becomes a major issue. if we -- most folks, 90+ percent of all the things that we see would be resolved by leveraging
authentication. >> which is getting easier, much easier. >> so we have now reached 2020, and i want to talk about what cybercrime looks like in 2020. what does it take to be a cyber criminal in 2020? do i need a computer science degree? >> either that or from any credit cybercrime university. one thing that has differentiated cybercrime from a lot of other fields is a lot of the skills can be learned in the underground and can be learned just through those networks. and so computer science degrees have not been necessary. a lot of self-taught people have been able to do everything that they need. but i don't think criminals in the computer science
degrees because the level of sophistication of cybercrime is traditionally more optimistic than specialist. so, you know, from where i sit doing network penetration tests for clients and things like that, the practitioners and security fields generally use methods more sophisticated than we have seen in cyber crimes. and so it is kind of watching as they cut up. we always get in. someone else is going to eventually, too. i think that will be a constant. because if cyber criminals just use very different gear they will be different targets, unexpected targets, and i think that is where the innovation will come from, figuring out how to
monetize information that we start collecting. take a step back to what rick was saying about other information that we have, we now have our smartphones collecting our health information, collecting like my phone now collects my footsteps and tells me how many steps i walk in the day. i don't think there's a way to monetize this. i will hand it to you freely for a dollar. my data comes cheap. but as we start having these more connected devices we start collecting more and more data. some manufacturers will throw that data in the cloud, and data in aggregate always has more value than data dispersed to the endpoint because if you are collecting data to disperse to the endpoint it is labor intensive so it has to be more valuable to make it worth the effort. and that is what i think that we will see play out. what information that could be monetized will be aggregated and has become the new targets. >> what do we think in 2020, you know, cybercrime is all over the world, the bulk of practitioners seem to be in eastern europe, and there are good reasons for that.
i would like to throw out to this group, is that work still going to be? it is in eastern europe for lots of reasons because of legal reasons that they can operate freely. it is also there because there are smart people in that area of the world who are trained in some of the best universities in the world and did not have a job to go to so they migrated to this is a way to make a living. but does it stay in eastern europe? i am not sure. >> i think, you know, the russian infrastructure, they have embraced a discipline to their craft, and i don't think that it has made its way, permeated its way around the world. i think if you look at latin america, brazil, there is a very early adopter of technology in banking and finance and telecommunications.
everyday life being embraced around the world. from a discipline standpoint the russians, the way that they have architected or permeated the discipline across the culture and the underground makes it harder to access unless they want you to access it and i think the mindset has not permeated itself around the world yet. so i think they will. what will be interesting as we look at it is i have no doubt that they are looking at the r&d of the future and looking at where we need to be down the road because they will be the ones most likely, they will continue to drive the economy of cybercrime around the world whether it is
setting price copywriting the infrastructure. we talked a little bit and i hack into a database and have access to all the types of data, what do i do with it now? well, they don't ask that question. i know exactly how they can move the data to monetize it. it is almost as if at times they hack for hire. they don't know who they are victimizing. they are looking for the types of data that they know they can monetize very quickly. we see that. we saw phishing and spam increase immediately. so having the infrastructure to permeate the crimes that you want to commit and that you know you will be able to monetize quickly, and i don't think other groups are as organized as the russian
speaking bad guys. >> it depends on global economic shift. why i think that eastern new york is the center of cybercrime is partially network effect of the internet makes everyone a target equally. so you can target someone across the world. also, they don't have the silicon valley. the network effect of investors and company and talent. so they have a similar business network. and so that is a draw. if there is a rich technology industry nearby, that is, you know, you and at lower pay a stronger draw the criminal underworld. >> the united states persuaded an actor to take a vacation in the maldives because we had an extradition treaty, the hacker was apprehended.
somewhere in the justice system. here is a question. vladimir putin reacted to this by saying this was a great victory for cyber security or putting out a list of countries where russians should not travel to. as long as he is in charge in russia or more broadly, as long as that attitude is in charge in russia and other countries it is going to be hard to make progress against this. what is criminal is often political. and it is russia's decreasing desire to see themselves identified as part of the west that has many ramifications and this is one of them. in brazil which has a lot of talented hackers, what is going to be important is the extent to which brazil sees
themselves cooperating with the west, which i think they do now. in 2020. things can take place. so one thing that we talked about a bill was what crimes are going to be committed to going to be driven to a large degree what i am hearing is by financial motivation, and we talked about the difficulty of monetizing certain types of crime. i wonder what the research is showing about what has happened so far about what types of crimes we might expect going into the future. >> well, i think ransom is going to be big. it will become larger. when you realize that rough order of magnitude 1/3 to a half of all computers in this world support malware it is a wonder that so little of that ransomware type of crime is taking place.
we are seeing a trend toward breaking a lot of computers. good friends in iran and north korea seem to beat them join us. this is one of the things that is not done until it is done and then everybody does it. it is one of those. i think people -- part of the problem of forecasting into 2020 is to try to figure out what innovations will take place in terms of monetizing information. about a week or so ago there was the report of a bunch of hackers who had gone after drug companies, not for information about how to build drugs which is fairly well patent protected, but to try to outguess the stock market because the success of drugs has a lot to do with the stock prices of firms. i bet that lit up a lot of light bulbs and they may be looking for information on mergers and acquisitions. i'm sure there's a much larger list. i predict in the next five years some people come up with an interesting way of monetizing information that none of us had a clue about. i just don't know what it is.
>> we will be in that business. >> i also think that we need to look at the rate of adoption. we are all talking about innovation and where we are projecting technology to be, debate, but let's talk about what adoption will be. it will be interesting to see how fast technology or technology -- technological advances are adopting in everyday life that make it more valuable than what is currently out there. i think six years away or so how fast will these innovations become mainstream to the point where the risk and the return on the investment. and when we talk heavily about financially motivated attacks for you prosecuting cases, looking at intense motivation and financial loss. whether it is stealing payment card data to convert into money or if it is some
sort of distraction, the company has to put a dollar amount to the data that has been destroyed. so as we look at the evolution of cybercrime i would say from a private industry perspective when it is our thinking about how we can articulate the impact to us and our business it is easy to say a credit card is worth $500 or whatever it is. hope is that worth to you? start thinking internally. data will be the currency.