Ed Stroz – Fordham Now (https://now.fordham.edu), the official news site for Fordham University.

Cybersecurity Conference Addresses the Threat Within
https://now.fordham.edu/politics-and-society/cybersecurity-conference-addresses-the-threat-within/
Wed, 22 Mar 2023 17:09:46 +0000

The first panel featured moderator Elsine van Os, CEO of SignPost Six, and David Fitzgibbons, Chris Farr, and Richard Aborn.

Photos by Chris Taggart

The Hollywood version of a hacker who infiltrates a computer system may look like someone hunched over a laptop in a dark remote location.

In fact, according to the FBI, between a quarter and half of all daily cyberthreats come from “insider threats.”

On March 16, law enforcement, private industry, and academic leaders convened at Fordham’s Lincoln Center campus for a day devoted exclusively to the challenges of stopping those threats.

The conference, “The Insider Threat: Before, During, and After an Incident,” featured three panel discussions and a “fireside chat” on bringing lawless “dark web” sites to justice.

The half-day event was jointly sponsored by Fordham and the FBI and served as a complement to the larger International Conference on Cyber Security (ICCS), held every 18 months at Fordham. The University also runs a Center for Cybersecurity and offers a master’s program in the subject.

In her welcoming address, Tania Tetlow, president of Fordham, noted that because universities are frequent targets of cyberattacks, they have a vested interest in working to stop them.

“We do it in that way that we’re so proud of in higher ed, and in particular, as a Jesuit institution, by being open to the answers, by constantly trying to challenge ourselves to think differently, to be one step ahead of those very creative enemies that we’re up against,” she said.

Fordham President Tania Tetlow welcomed attendees, noting that universities have an important role to play in fighting cybercrime.

The Before

Testing and trust came up repeatedly in the first panel, which featured Dave Fitzgibbons, acting assistant director of the FBI’s Insider Threat Office; Richard Aborn, president of the Citizens Crime Commission of New York City; and Chris Farr, executive director of commercial strategy for the strategic intelligence firm Strider.

Aborn said in large organizations, programs that train employees to spot threats are only effective if they’re practiced zealously.

“I think it’s an oxymoron to say you train too much. You have to refresh, you have to train over and over and over again,” he said, noting that his organization had recently sent out test phishing e-mails to its own members.

“We had about a 35% failure rate, and I was pretty shocked at that. We train a lot.”

Behavioral Indicators

Farr said a common misconception is that the first place to start is in the technical realm. In fact, it’s far more important to focus on individuals and have in place a dedicated team to assess behavioral indicators and raise red flags about potential workplace violence, espionage, or fraud. Those indicators might include visits to websites that promote violence, unusual travel patterns, and inexplicable income increases.

The trick is to cultivate a culture of respect where it’s okay to alert a supervisor to a co-worker’s worrisome behavior. It’s tricky, given Americans’ expectations of privacy, but it can be done.

“Employees have to trust your process though,” he said. “Programs that have anonymous reporting and policies of no retaliation are super important.”

In the Mix

A key lesson from the second panel, which featured Harold Chun, director of security legal at Google; Darron Smith, insider threat program manager at Bloomberg L.P.; and Bill Claycomb, principal researcher at CERT Division’s National Insider Threat Center, was that any insider threat team should also have clear parameters about how to respond.

Is the threat from a full-time employee or a contract one? Is it a one-time issue or an ongoing problem? Is there a threat of physical violence? The response should be commensurate with the problem, said Smith.

“You may not want to raise the fire alarm immediately. It’s really important when you’re thinking about things like duty of care to the employee or privacy,” he said.

The second panel was moderated by Peter M. Marta, partner at the law firm Hogan Lovells, and featured Harold Chun, Darron Smith, and Bill Claycomb.

Learning from the Past

The final panel featured FBI supervisory special agents Scott Norwell, John Reynolds, and Paul F. Roberts Jr., who specialize in employee, state-sponsored, and white-collar insider threats, respectively. They shared the lessons that have been learned from past cases, such as the 2017 conviction of Kun Shan Chun, a longtime member of the bureau, for passing sensitive information to a Chinese government official.

In that case, Norwell said the bureau had learned that there is a long-term, concerted effort by the Chinese government to identify and recruit people, like Chun, who appear to be vulnerable to flattery, cajoling, or intimidation.

The third panel featured FBI Special agents Steve Fullington, Scott Norwell, John Reynolds, and Paul F. Roberts Jr.

Lessons From the Dark Web

Ed Stroz, GABELLI ’79, co-founder and president of Stroz Friedberg and Fordham trustee, closed the day out with a discussion with Andy Greenberg, senior editor of Wired Magazine and the author of Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency (Penguin RandomHouse, 2022).

Greenberg’s book shows how agents were able to track down the founders of dark web marketplaces such as Silk Road by analyzing the blockchain, the technology that underlies the cryptocurrency that was being used to facilitate the sale of drugs, child pornography, and weapons.

The site administrators thought the blockchain granted them anonymity, but it did not. The path to Silk Road’s demise also included the apprehension of two federal agents who were using the site to commit crimes. One of them was initially accused by an anonymous tipster.

“When people ask about insider programs, it’s easy to think ‘Oh, we’re going to get somebody in trouble,’” said Stroz.

“But in many instances, it gets someone out of trouble, or it makes it easier … for people to have a way to raise something so that it can be pursued responsibly.”

Students Learn from the Pros

Among those in attendance was Jakub Czaplicki, a senior at Fordham College at Lincoln Center working on a five-year, accelerated master’s degree in cybersecurity. He became interested in cybersecurity when he was in middle school, and hopes to join law enforcement after graduation.

He said he enjoyed the case studies in the third panel as well as Greenberg’s talk.

“When the FBI agent was talking about how there is this risk of China and different nation-state actors, it really got me thinking, yeah, we have to secure this. Even though it’s a low percentage, it is a genuine problem for large organizations and the FBI,” he said.

“I learned a lot about cryptocurrency, nation-state actors, and what to look out for.”

Czaplicki was one of six Fordham students who attended, said Thaier Hayajneh, Ph.D., university professor and founder and director of Fordham’s Center for Cybersecurity. Grants that the center won in 2019 from the National Security Agency and the Department of Defense made it possible for them to attend.

“We really want to expose them to the real world and also excite them to work with the executive branches of the federal government,” he said.

“Here, they saw the real cases, and they got to connect the theoretical, the technical, and the practical aspects of cybersecurity.”

Ed Stroz and Andy Greenberg
Stopping Cybercrime: It’s Not Just About the Technology
https://now.fordham.edu/fordham-magazine/stopping-cybercrime-its-not-just-about-the-technology/
Mon, 27 Feb 2017 17:50:26 +0000

Ed Stroz, right, spoke on Feb. 23 about cybersecurity, leadership, and other topics as part of the Flaum Leadership Lecture Series. He is seated opposite Sander Flaum, the series’ founder. (Photo by Michael Dames)

Asked how technology can guard against shadowy online threats posed by hackers, a cybersecurity expert focused instead on the human factor—and common-sense precautions that no one should ignore.

Technology offers no guarantee of “absolute security” online, said Ed Stroz, GABELLI ’79, a former FBI agent and current co-president of the cybersecurity firm Stroz Friedberg LLC. He instead highlighted the human foibles that can leave computer networks and online bank accounts vulnerable.

“When you talk about people losing money, usually the root cause of that is that somebody was tricked,” he said. “If I call you and … talk you into believing that I’m from the bank and you should take the following steps, a technologist cannot fix that.”

He spoke in Manhattan on Feb. 23 as part of the Gabelli School of Business’ Flaum Leadership Lecture Series, founded by veteran business consultant and Fordham University President’s Council member Sander Flaum, who moderated the event.

The only way to completely avoid cyberthreats is to stay off the internet, Stroz said. He noted that the FBI and other “three-letter agencies” keep networks unhooked from the web if they want to ensure they won’t be hacked; to protect in-person conversations, they use secure rooms, usually windowless, where no mobile devices are allowed.

Staying off the internet isn’t an option for most of us, of course, any more than staying home all the time is a feasible way to keep from catching a cold, he said. But basic precautions can help manage the risk, he said: Don’t reuse passwords. Add more layers of authentication for your email and other online accounts. Also, he said, practice good “web hygiene” by downloading your computer’s updates when prompted—and not just for your own sake.

If hackers hijack your computer or other device to launch an attack on someone else, “you don’t want to be standing there saying, ‘Well, I didn’t think it was important to load the updates,’” he said.

While technology-related companies could be doing more to protect consumers, he said, “we all have an obligation to be good citizens, digital citizens.”

He said that cyberattacks on large retail chains in recent years got the companies’ attention because, unlike other security issues, they had a chilling effect on business. Asked about future threats, he said hackers will likely focus more on attacking data’s integrity.

“Let’s say you’re a medical organization and you have blood test results, and I change them and then I notify you and say, ‘I want this amount of money because I went in and changed the blood test results. You won’t know which ones. How much is it worth to you to get some type of satisfaction on that?’ The implications, I think, will be substantial.”

He also noted the importance of “measuring people” in a work setting, fostering a caring work environment and making sure that people who handle sensitive data can be trusted. “The insider risk is the thing that could hurt you the most,” he said.

He spoke at the University Club before an audience of approximately 100 alumni, students, and friends of the Gabelli School. Asked about leadership, he said that while some are born with innate charisma that makes them natural leaders, anyone can develop leadership skills. But leadership starts with looking inward rather than outward.

“What do people see in another individual that makes them willing to follow?” he said. “You have to sort of evaluate yourself if you want to be a leader and say, ‘What am I projecting, and what does that mean?’”