The government has information that companies can use to protect themselves from online threats, Mueller said on Day 3 of the International Conference on Cybersecurity (ICCS2015) co-hosted by Fordham and the FBI.

“We have a long ways to go in breaking down the barriers between the federal sector on the one hand and the private sector on the other, but any success we have in the future will be dependent on breaking down those barriers,” he said.

He recalled hard lessons learned in the wake of the terror attacks. Before Sept. 11, he said, “FBI did not speak to CIA, CIA did not speak to FBI, and neither of us spoke to anybody else, and the fact of the matter is, for us to develop any success in addressing counterterrorism we had to speak to each other.”

Partnerships among federal, state and local government agencies “were absolutely essential to any success we had in thwarting attacks,” he said.

Another lesson from his time as FBI director is the importance of having—and regularly meeting with—a chief information security officer who’s capable and has a prominent place in the organization.

Also important is having the right corporate structure, in part because cyberthreats can come from both without and within an organization. “We underrate the insider threat and the necessity for bringing in human resources when you’re preparing to prevent cyber attacks,” he said.

He emphasized the need to figure out ahead of time who will handle various tasks such as investigating a cyberattack, explaining it to board members and shareholders, and handling the media (including social media).

“What you see time and time again is the lack of preparation and the waste of valuable time in that critical period in the wake of the breach,” he said. “Inevitably, if there have not been preparations, one does not know at the outset who is in charge.”

He was immediately followed by another presenter who called for more forward-looking measures such as new computer hardware that’s more secure than the “leaky” systems in use today.

“We need to have customers say they want this, put some pressure on the hardware vendors,” said the speaker, Ruby Lee, Ph.D., the Forrest G. Hamrick Professor of Electrical Engineering and Computer Science at Princeton University.

“Cyberattackers are very smart people,” she said. “They know every trick that we as cyberdefenders know, and probably know it better. Every attack we know of, they probably already know. Every defense we know of, they probably also know.”

“We need to anticipate their moves,” she said. “We need to plan ahead.”

-Chris Gosier

Distinguished Panel
Experts Say Cyberthreat Not Unlike Bomb Threat

“Why is it not enough for the FBI director to say it’s them?” said Preet Bharara, U.S. District attorney for the Southern District of New York, referring to public doubts that North Korea is responsible for a state-sponsored cyber attack against Sony.

Bharara moderated a panel on Day 3 of ICCS 2015 in which members called the Sony attack a “game changer” in U.S. cyberattack responses. A day earlier, FBI Director James Comey had announced new evidence that the North Koreans were “definitively” responsible.

Lisa Monaco, assistant to the president for Homeland Security and Counterterrorism, said that most of the people doubting the assertion lacked the sensitive information that intelligence community holds.

“Given the potential for ramifications, the decision to release this information is not taken lightly,” said Manaco. “So to have doubt cast on the FBI can be counterproductive.”

Former Michigan congressman Michael J. Rogers, who chaired the House Intelligence Committee, said that his office was one of the first to publicly point a finger to a nation-state when it accused China of cyber attacks four years ago.

“At the time it was earth-shattering,” he said. But publicly calling them out lets the public know that the government is taking steps. He said that the process of identifying the perpetrators remains important even if the accused are not extradited.

“We’re the FBI, we’ll wait for them for 30 years,” said panelist Joseph Demarest, assistant director of the FBI’s cyber division.

Another reason to make attributions public is to make the private sector aware of the very real threat, said Rogers. Unfortunately, the public’s curiosity about the Sony hacking extended to gossipy emails and nude photos of actors; if a bomb had done the same damage to Sony’s data there would’ve been a very different reaction, he said.

Each of the respondents treaded carefully to Bharara’s question as to whether the Sony attack constituted an “act of war.”

“If you want to go punch your neighbor, you’d better hit the weight room first,” said Rogers, who faulted some of the private sector for too much swagger and not enough substance. “If you declare an act of war, the people who will get hurt the most won’t be the government or military, it’ll be private sector businesses—and our private sector is just not ready.”

Monaco suggested that while a bomb could kill innocent bystanders, the threat to life might be no less significant in a cyber attack.

“If that same type of activity was leveled against critical infrastructure, you can easily spin out that scenario,” she said. “The vast majority of our nation’s infrastructure is riding on privately owned networks.”

She added that the Sony case has proved that public-private partnerships will be critical to get ahead of the problem.

“The very real duty of the next congress will be an information-sharing bill,” she said.

Rogers sponsored the yet-to-be-passed Cyber Intelligence Sharing Protection Act, which aims to defend corporations from cyber attacks by foreign governments. But the bill has raised privacy and civil liberty concerns. He said that democratic debate might limit a coordinated approach.

“There’s capability [of cyber criminals]out there that ought to scare the bejesus out of everyone in this room, on Wall Street, and on Main Street,” he said. “But we are behind in making the public aware. We are a representative republic and if they’re not with us it’s not going to work.”
-Tom Stoelker

Taking Down Malware
Game Over for Gameover Zeus?

It’s not surprising that the malware Gameover Zeus(GOZ) is named after a God.

Famous worldwide for being omnipresent and seemingly omnipotent, the credential-stealing program proved so resilient that the normal template for taking down such threats was useless, said Ethan Arenson, a prosecutor for the U.S. Department of Justices’ Computer Crime and Intellectual Property Section’s criminal division, speaking at ICCS2015.

GOZ and other botnet programs form networks of “zombie” computers, infected without their owner’s knowledge. A rather exclusive, virulent variant of the old Zeus bank credential-stealing malware, GOZ had infected between 500,000 and a million computers internationally by 2014 and drained more than $64 million, mostly by robbing the bank accounts of small and mid-sized businesses, Arenson said.

“That’s where they got the biggest bang for the buck,” he said of the perpetrators of GOZ. “They could take hundreds of thousands, even millions, of dollars at a time as opposed to dealing with residential accounts.

“You log in to your bank, expect to see your account balance, and it will say ‘Something is wrong [with the server], please log back in in 30 minutes.’ During that 30 minutes, your money is being stolen.”

The program was tough to take down because it had three separate operating layers in which to penetrate—a peer-to-peer framework, many proxy nodes, and an algorithm that generated 1,000 domain names weekly. If one layer was penetrated, the system’s network could heal itself much in the same way that a worm will grow back its decapitated head.

“We called it the three-headed monster,” said Arenson. “And the only way to take GOZ down was to take all three heads off at the same time.”

That is exactly what the DOJ did, with help from the FBI, other nations, and several private companies. The team discovered ledgers of the addresses of the financial transactions, which it matched to the victims. It also discovered GOZ’s technical issues site, and collected information on staff members, including their IP addresses. (The name of the main perpetrator was Evgeniy M. Bogachev.) The FBI then set up a “sinkhole” computer and got a court order allowing them to redirect the GOZ’s domains back to that computer.

They were able to eventually indict Bogachev in 2014—on paper, at least.

The team is also working with private industries to offer the GOZ victims free software that will clean their machines and networks.

As for Mr. Bogachev, who is likely somewhere in Russia, the team asked for assistance from the Russian government in extraditing him to stand trial. So far they have not heard back.

“We are standing by,” said Arenson.

— Janet Sassi

Admiral Michael Rogers: NSA Director Offers Chilling Forecast for Cybersecurity

When asked to predict the state of U.S. cybersecurity in five years, National Security Agency Director Admiral Michael S. Rogers admitted that he was worried.

Despite our increasingly advanced technology and growing savvy in the cyberworld, “the trends are going in the wrong direction” when it comes to security, Rogers said at the Jan. 8 conclusion of ICCS2015.

“What worries me is that things are going to get much more destructive,” said Rogers, who is also the commander of the U.S. Cyber Command. “To date, the destructive acts directed against U.S. infrastructure have been relatively limited… But if we don’t change the dynamic, then in five years this is only going to increase.”

Rogers said that the rising threat of cyber warfare calls for a new strategy—one that will deter terrorists and hostile nation-states from engaging in cyberattacks, rather than one that is purely defensive. To do this, the United States needs to make clear to hackers and terrorists that either they will not be successful in their attempts at cybercrime, or they will pay so steep a price that even a successful attack isn’t worth the consequence.

The time to send this message is now, Rogers said, especially in light of the recent attack on Sony.

“The entire world is watching how we respond,” he said. “If we don’t acknowledge this situation and name names, then it will encourage others and [imply that]this isn’t a red line for the U.S. And that can’t be further from reality. It’s absolutely unacceptable and we need to communicate that to the world.”

In the meantime, the country also needs address pervasive trust issues internally. Rogers conceded that tactics such as the NSA’s use of big data analytics have caused deep concerns about privacy and have sullied alliances among government, the private sector, civilians, and other constituents. That said, that these methods are neither new nor unique.

“If you think the use of big data to understand personal behavior is a phenomenon [limited to]intelligence, I would asked you, ‘What world have you been living in for the past 15 years?’ Big data is foundational in the business sector as well as the world I live in,” he said.

“In the end, it’s about striking a balance between the safety and the rights of our citizens…We need to have a broader dialogue as a nation about what privacy means to us in the digital age and what we are comfortable with as a nation.”

Reconciling concerns about safety and privacy is especially important now that there is no longer a difference between the communication infrastructures used by hostile nation-states and terrorists and those used by the average citizen—which makes surveillance more complicated.

“Sydney, Ottawa, London, Madrid, Washington D.C., Shanksville, New York City, and very likely now Paris—in every single one of these instances, there was some measure of coordination [among actors]using the exact same communication paths, the exact same software, and the exact same social media platforms that the rest of use,” he said.

— Joanna Mercuri

Cognitive Computer Watson Designs Cocktail for ICCS Reception

On the final day of the 2015 International Conference on Cyber Security (ICCS), the farewell party featured a “smart” computer serving up drinks.

Watson, a cognitive technology developed by IBM, created a signature cocktail for the evening by gathering information from 9000 recipes from Bon Appetit and “learning” from that information. Watson was able to process the language from the recipes in order to hypothesize which ingredients, when combined, would make for a tasty and completely original drink.

The “Watson”, as the drink was named, contains a carefully calculated mixture of congnac, champagne, honey, ginger, banana nectar, apple juice, orange juice, and lemon juice.

-Rachel Roman

Comey said it is certain that the cyberattack was instigated by a North Korean-based group.

“There is not much in this life that I have high confidence about. I have very high confidence in this attribution, as does the entire intelligence community,” he said.

Comey first publicly laid responsibility for the hacking, which is believed to have come in response to the studio’s satirical film The Interview, on Dec. 19. He shared the new information about the attack on the second conference day of the 2015 International Conference on Cyber Security (ICCS2015), which offered three full days of conferences and talks co-hosted by Fordham and the FBI.

He told conference attendees that the “Guardians of Peace” a North Korean-based group that that was behind the hack, sent threatening e-mails to employees of Sony. Although most of the e-mails were sent via proxies that made the identities untraceable, the hackers got sloppy in some cases and revealed IP addresses that were exclusively used by North Korea.

In addition, malware used in the Sony attack bore striking similarities to a cyberattack that the North Koreans conducted in March of 2014 against South Korean banks and media outlets.

“Several times, either because they forgot or they had a technical problem, they connected directly—and we could see them,” he said. “They shut it off very quickly before they realized their mistake, but not before we saw it and knew where it was coming from.”

Comey said the FBI detected spear phishing attacks on Sony’s computer networks as recently as September, and that it seems likely to have been the method, or “vector,” of the attack.

Comey prefaced his remarks on Sony with an address about cybercrime, noting that the government’s decision to publicly name North Korea is part of a strategy to fight the biggest and baddest actors in what calls the “evil layer cake.”

Nation states sit at the top layer and are followed by terrorists, organized criminal actors, sophisticated worldwide hackers and botnets, “hack-tivists,” weirdos, bullies, pedophiles, and creeps.

Cisco has predicted that in five years, there will be 50 billion devices connected to the Internet, making protection against cybercrime more important every day. Comey said the FBI’s five-point strategy for combating it includes: Focus ourselves; Shrink the world; Impose real costs on bad actors; Improve relationships with state and local law enforcement; and Improve relationships with the private sector.

He compared the current changes in crime to the great vector change that happened in the 1920s and 1930s when automobiles and asphalt enabled criminals to move quickly, making it easy to rob banks across state lines.

“[Cybercrime] is that times a million. Dillinger or Bonnie and Clyde could not do a thousand robberies in all 50 states in the same day in their pajamas, from Belarus. That’s the challenge we face today,” he said.

—Patrick Verel

Director of National Intelligence on Sony:
“Most Serious Cyberattack Ever Made Against U.S.”

In the Day 2 opening keynote, U.S. Director of National Intelligence James R. Clapper cautioned those gathered not to underestimate North Korea’s cyber capabilities or national animosity, especially in light of the recent cyberattacks against Sony, which Clapper called “the most serious cyberattack ever made against U.S. interests.”

Clapper, who Fordham President Joseph M. McShane, S.J. said is “at the vortex of keeping things right for all of us” and who the New York Times described as “gruff, blunt-speaking… an unlikely diplomat, but perfect for the North Koreans,” offered as evidence a personal account of dealing with North Korean intelligence.

In November, Clapper traveled to the secluded country as a presidential envoy to retrieve two imprisoned Americans. Damaging their airplane’s tire while landing on a decrepit runway was only the first sign of “eerie” troubles that Clapper’s team would encounter during their two days in Pyongyang.

“From what I saw of downtown Pyongyang, I was struck by how impassive everyone was,” Clapper said. “They didn’t show emotion, didn’t stop to greet each other, didn’t nod hello, didn’t converse or laugh. They just went on about their business, almost like automatons.”

Later that night, Clapper and his team enjoyed an elaborate, 12-course dinner with the general of North Korea’s Reconnaissance General Bureau (RGB), who spent the meal railing against “American aggressors” aiding and abetting South Korea in provoking a war against the north, said Clapper.

The following morning, an emissary from the country’s state security arrived at Clapper’s hotel and informed him that North Korea no longer considered him a presidential envoy and thus could not guarantee his safety and security from the people of Pyongyang, who knew who he was and why he was there.

Four hours later, the same emissary returned and told Clapper that his team had 28 minutes to gather their luggage and check out of the hotel. From there, the team was ushered to a conference center where the two American prisoners were waiting. There, the North Korean minister of security read a proclamation from Kim Jong-un granting the prisoners amnesty.

“They were turned over to us, we got in our vehicles, and took off toward the airport,” Clapper said. “I can’t remember another time that an American airplane looked so good.”

Though not explicitly related to cyberterrorism, the incident offered important insights into North Korean hostility, Clapper said.

“The general I had dinner with is the one would have had to okay the cyberattack against Sony,” he said. “He is illustrative of the people we’re dealing with in the cyberworld. The vitriol he spewed at me over dinner was real. They really do believe they’re under siege from all directions. They paint us as an enemy about to invade their country every day… and they are deadly serious about fronts to their supreme leader, whom they consider to be a deity.”

Moreover, he added, North Korea is striving to be recognized as a world power. In the past, the country’s efforts to exert dominance involved amassing nuclear weapons. Now, it views cyberspace as the weapon of the future.

“Cyberwarfare is a powerful new realm for them, because they believe than can exert maximum influence at minimum cost,” Clapper said. “That’s why we have to push back. If there is no consequence, they will do it again and keep doing it. And others will follow suit.”

—Joanna Mercuri

Panelists Advocate for
Strong Privacy Safeguards

In the online world, security leads to privacy, obviously, but the reverse is also true: strong privacy safeguards are often the starting point for keeping cybercriminals out.

That’s according to one expert at ICCS2015 who spoke on a privacy panel moderated by Joel Reidenberg, Ph.D., professor of law and the founding director of  the Fordham Center on Law & Information Policy. In the words of Princeton University professor Edward Felten, Ph.D., “many standard privacy vulnerabilities … are useful to an adversary who wants to understand who we are and what we’re doing in order to target an attack.”

For instance, before attackers can successfully infiltrate a computer system via e-mail, they first have to craft a legitimate-seeming message that is likely to be opened.

“The more the attacker knows about that individual and their life and their schedule, who their associates are … the more accurately they can target that ‘spearfishing’ email” and mount a successful attack, said Felten, Princeton’s Robert E. Kahn Professor of Computer Science and Public Affairs and director of the Center on Information Technology Policy.

Felten and two other panelists grappled with how best to ensure privacy online and protect civil liberties while also managing the huge amounts of data that institutions of all types are collecting.

Disciplined data-gathering is another important privacy measure, panelists said. Institutions sometimes feel the need to “get on the Big Data bandwagon” before figuring out what they’ll do with all the data they wind up collecting, said Cameron Kerry, senior counsel at Sidley Austin LLP and former general counsel and acting secretary of the U.S. Department of Commerce.

“A lot of that data is not useful,” he said. “Making rigorous choices is an important part of the process.”

Without good data management, Felten said, “you may have all kinds of data sets that you didn’t know you had, and you may only be reminded of them when they show up in the press.”

Panelist David Medine, chairman of the Privacy and Civil Liberties Oversight Board in Washington, D.C., noted the potentially chilling effect of this large-scale data gathering by government agencies.

“If I’m a source and I want to call a reporter and be a whistleblower against the government, and then the government now has a phone record between me and a New York Times reporter, I may be less willing to do that,” he said.

—Chris Gosier

Hickton:
Industrial Infiltrations by Chinese Hackers
Leave U.S. Companies Vulnerable

When he started an investigation into trade-secret thefts, David Hickton wasn’t expecting to find a “thirst for industrial organization data.”

But in 2014, the U.S. district attorney for the Western District of Pennsylvania brought charges with the justice department against five Chinese Peoples Liberation Army officials for infiltrating the corporate computer systems of big-name companies—U.S. Steel, Westinghouse Electric, Alcoa, and others.

On Day 2 of ICCS 2015, Hickton gave a detailed presentation of his office’s investigation, which resulted in indictments handed down last year.

Much of the information that the Chinese were after seemed obvious, such as research and development, industry analysis, and deliberations of senior management. But some of it surprised Hickton.

“They wanted to know how often the [boards]met, what titles they had, and who reported to who,” he said. “There was also a huge interest in legal strategies.”

Hickton said the reality is that the Chinese don’t have MBA programs on a par with the United States; while they were most critically interested in product development, they also wanted to understand how American companies are run.

Joint ventures with Chinese state-owned businesses often left their American counterparts vulnerable, as was the case with U.S. Steel, he said. Just as the U.S. Steel was transforming from a “flat roll” steel company to one able to produce oil country seamless pipes that are used in fracking, the Chinese military stole proprietary design specifications of the pipes.

“U.S. Steel . . . spent a lot of money on research and design and like any company they need to make a return,” he said. “When they brought the pipe to market, the Chinese had already flooded the market with the same pipe at lower than cost.”

Normally, a complaint would be made against the Chinese hackers at the World Trade Organization. But before U.S. Steel lawyers could bring the case to the WTO, even their legal briefs were already in the possession of the Chinese.

“This is just a flavor of what was taken,” he said. “It is literally impossible to collect and report the total value of what was lost by American companies, but we know that it’s the largest wealth transfer in history.”

—Tom Stoelker

Experts Discuss Role of Language in Ferreting out Internal Threats

Some of the greatest cyberthreats to an organization actually come from within, as Chelsea Manning and Edward Snowden proved in 2010 and 2012, respectively.

At “Insider Threat,” a panel held Tuesday evening at ICCS2015, Ed Stroz, GSB ‘79, founder and co-president of Stroz Friedberg, detailed how the use of psycholinguistics, which is the study of how humans acquire, use, comprehend and produce language, can help identify employees who might commit cyber crime.

Stroz was joined by Stephen R. Rand, Ph.D., a consultant with Behavioral Intelligence Specialists, LLC; Eric Shaw, Ph.D., a Washington D.C.-based consulting psychologist; and Scott Weber, managing director, Stroz Friedberg.

Stroz said that in addition to monitoring an organization’s network for suspicious activity —for example, downloading inordinate amounts of data at odd hours—administrators can get a sense of an employee’s state of mind from the language they use. When he worked at the FBI, Stroz said it wasn’t hard to tell when someone on his team was experiencing stress in their personal lives—after all, they spent so much physical time together during a workday.

“In today’s environment, we often don’t have the same kind of personal interaction with each other, but we do get tons of communications through computers,” he said.

Moderating the panel, Stroz asked whether there was some way to “bring about that same sort kind of care that you would have with your co-workers” back when you were sitting next to them.

Shaw said he once helped a client sift through 10,000 e-mails that had been sent to prohibited countries, and isolated three concepts in particular within the language that indicated a potential violator. They are negative sentiment, feeling victimized, and having someone to blame.

Panelists said that a key blind spot for employers is “maladaptive organization response,” which occurs when an organization realizes an employee has engaged in improper behavior and moves to terminate them. Shaw noted that 80 percent of people who used computers to sabotage a company or steal from it did so after they’d been fired.

“The first thing we have to do in a lot of situations is convince corporate leaders and government sponsors to keep their friends close, but [keep]their enemies closer in some way, he said.

—Patrick Verel

Read coverage of Day 1 of ICCS 2015 here.

Read coverage of Day 3 of ICCS 2015 here.

It’s not here yet, but according to Wences Casares, it’s “inevitable.”

Casares, an entrepreneur and proponent of Bitcoin currency, will join the stellar lineup of cyber security experts for this year’s International Conference on Cyber Security, starting Jan. 5 at Fordham’s Lincoln Center campus.

Casares is the founder and CEO of Xapo, a company that created one of the first storage vaults for a new digital currency known as Bitcoin. The unique feature of this a software-based online payment system (besides the fact that it is exclusive to the digital world) is that it is exchanged peer-to-peer, rather than going through a central repository like a bank.

The exchange does not involve any kind of digital “coin” that is passed around, however. Instead, complex mathematical algorithms log the transaction and transfer the ownership of the Bitcoin from one owner (the spender) to the next (the supplier). The movement of ownership from one person to another is the transaction itself.

As of now, the majority of the six million current Bitcoin users are merely storing it, rather than using it to pay for something. Nevertheless, Casares believes that Bitcoin is destined to become a common payment mechanism.

At ICCS, Casares will explain how Bitcoin storage vaults work, why he believes Bitcoin will soon become a unit of account, and when he predicts Bitcoins will hit one billion users (spoiler alert: very soon).

Sponsored by the Federal Bureau of Investigation and Fordham University, ICCS 2015 is a four-day event featuring more than 60 unique lectures from keynote, distinguished, plenary, and parallel speakers in the disciplines of emerging technologies, operations and enforcement, and real-life experiences. ICCS 2015 presents exceptional opportunities to meet and talk with some of the greatest cybersecurity experts in the world.

Click here to register for ICCS 2015.