ICCS 2019 – Fordham Now (https://now.fordham.edu). The official news site for Fordham University.

Former FBI Agent Sounds Alarm on Cyber Security
https://now.fordham.edu/university-news/former-fbi-agent-sounds-alarm-on-cyber-security/
Wed, 07 Aug 2019 18:54:19 +0000

Ten years ago, Fordham and the FBI committed to bringing together the world’s best and brightest experts on law enforcement and computer science.

Every 18 months, the International Conference on Cyber Security, or ICCS as it’s known, has convened leaders from academia, the private sector, and government to the University’s Lincoln Center campus. Past conferences have featured the heads of the CIA and the NSA, and this year’s gathering, which took place from July 22 to 25, concluded with remarks by FBI Director Christopher Wray.

Anthony Ferrante, FCRH ‘01, GSAS ‘04, a former FBI agent who was director of cyber incident response for the National Security Council from 2015 to 2017 and is currently global head of cybersecurity and senior managing director at FTI Consulting, participated in this year’s panel “The Tipping Point: Cyber Risks to Election Systems.” Fordham News caught up with him during a break in the action.

Full transcription below:

Anthony Ferrante: It’s happening. It’s happening today. The question is at what point do we all sit up and take notice and take steps to really get in front of these threats and to make it a top priority?

Patrick Verel: Ten years ago Fordham and the FBI committed to bringing together the world’s best and brightest experts on law enforcement and computer science. Every 18 months, the International Conference on Cyber Security, or ICCS as it’s known, has convened leaders from academia, the private sector, and government to the University’s Lincoln Center Campus. Past conferences have featured the heads of the CIA and the NSA, and this year’s gathering, which took place from July 22nd to July 25th, concluded with remarks by FBI Director Christopher Wray.

Anthony Ferrante, a former FBI agent who was director of Cyber Incident Response for the National Security Council from 2015 to 2017 and currently global head of cybersecurity and senior managing director at FTI Consulting, participated in this year’s panel, The Tipping Point: Cyber Risks to Election Systems. Fordham News caught up with him during a break in the action.

Let’s talk about 2008. How and why did Fordham, which is your alma mater and the FBI, which you joined in 2005, team up to tackle cybersecurity?

AF: So the FBI and Fordham roots grow much deeper than cybersecurity. Believe it or not, when I was in the FBI in the New York field office in 2005 through 2013, there was always a consistent large, large consistent group of Fordham alumni in the field office. And when I say a large group, I would say anywhere from 50 to 100 Fordham alumni working in the New York field office, which is a large amount of alumni for a single field office. Myself, being a former alumni, studying computer science, always maintained excellent relationships with the faculty in the computer science department, and then of course in the university’s administration.

It was late 2007 when myself and a good friend Clavius Distinguished Professor of Computer Science, Frank Hsu—we’d regularly met for dinner right around that period of time, and we talked about the global implications of secure cyber networks, and how it’s more than just the responsibility of governments or private industry or academia. It’s actually in order to be successful in this space, we need a partnership between the three.

PV: I’m intrigued by this notion of bringing together the three different entities, that it’s not just about law enforcement. It’s not just about education. It’s not just about the private sector. It’s about all three working together. Is there something you can point to say like, this is, especially when you were with the FBI, that you could say having worked with somebody from an educational institution or a private sector at the time that you got out of the conference, like a contact that you made that you wouldn’t have made if the conference never had happened?

AF: Oh, absolutely. I mean, I could talk for hours about various cases, FBI cases that were enhanced just because of this event where representatives from Eurasia would come to this event and meet with their counterparts in Europe or the United States and they would break off and have meetings in private rooms where they would broker advancements in various investigations that they were working on. And it’s actually stories like that, that make me most proud of this event.

PV: You came here to talk about cyber risks in the election systems, which are obviously going to be on people’s minds next November. What’s your current take on the state of affairs now?

AF: I think it is definitely something significant that the entire country should sit up and take notice. This is something we’re staring at as we enter into the election cycle, and risks to the electoral infrastructure should not be ignored. Not only should states and government officials be aware of the risks that they’re facing, but they should be equipped to handle those risks because in the world we live in today, there’s no way to avoid it. We have to confront it head on or suffer the repercussions.

PV: Scale of 1 to 10, 1 we’re completely unprepared, or 10 things are great, we’re doing in good shape. Where would you put us right now?

AF: I would say anywhere from four to six. I think that there are a lot of really important skilled people focused on the issue, but I also think there’s a lot of talk and not a lot of action, and I do think that the government today is spending a lot of time and making a lot of investments to prepare the states to confront this threat head on. But I also always think there’s room for improvement.

PV: It’s kind of crazy, right? I mean you’re talking about a system that relies upon 50 different states, all managing their own elections.

AF: Fifty different states and numerous different counties. I remember when I was at the White House actually doing preparedness and response in preparation for the 2016 presidential election, we learned some states actually conducted their voting hundreds of different ways throughout the state. So there was no single cookie-cutter solution for that single state, never mind, as you just said, 49 other states. So it is a very complex issue, but the complexities of the issue actually give the United States a little bit of security just knowing that it is such a diverse and distributed system, that there is no single point of failure per se, but there are many different little points of failure that the country needs to be aware of.

PV: If you learn to hack one system, you’re not going to be able to hack them all basically.

AF: It’s not going to be that easy. Right? And when I was working for the Obama Administration, we went to great lengths to study this and to look into this. And to hack an electoral system and actually manipulate votes without it being noticed is extremely hard, if not impossible. That is just one example of some of the built-in redundancies and securities of the system. However, like I said, there were just so many different systems and different ways to do, different ways for Americans to cast their vote that there are vulnerabilities throughout.

PV: Now for as long as I’ve been covering ICCS for Fordham, the Internet of things has been an area of concern with all sorts of devices being sold to the public that can easily be hacked. Have you seen any improvement in this area?

AF: No, absolutely not. Unfortunately, people ask me all the time, what is the greatest risk that you see or the biggest threat that you see, and you, some people will be, well some people say, “Oh goodness, the greatest risk I see is an attack on the electrical grid.” Don’t get me wrong, an attack in the electrical grid will have serious consequences, but that’s not the greatest risk.

PV: It’s Alexa, isn’t it? Alexa is going to take us all down, right?

AF: No. Alexa is a great tool, but it is an Internet of things tool. I will say my fear, the greatest risk when people ask me that question is I say is the Internet of things. You’re talking about 5.5 million devices coming online per day. I think the latest number I read was by 2025 there will be 50 billion devices, Internet of things devices online, on the public internet. Those can all be taken over and turned into armies of robots to conduct different adversarial activities.

I don’t even know where you’d begin regulating space like that, just given the fact that these technologies are designed and developed all over the globe, and sometimes it just comes that consumers look and they want to buy the cheapest device they can buy. And when you do that and you take that device home and you plug that into the global internet, you actually put a small computer online. And that small computer can be compromised and then turned into a robot that can be used to conduct any number of activities from conducting a denial-of-service against a major financial institution to exploiting a major vulnerability in a small tech company.

Don’t get me wrong, Internet of things devices are extremely convenient. They add certain comforts to one’s life. But what I always tell people, cybersecurity is risk management. You can’t properly manage risk if you don’t know the risk. So what I do is I get out and I speak to people about what the risks are. Once you know the risk, then it’s up to individuals to make the decision on their own. And believe it or not, when it comes to Internet of things devices, Americans today probably use two to three Internet of things devices and they don’t even know it. It’s-

PV: Give me an example. What would be something that people might be using and not even realize that is connected to the internet?

AF: If they subscribe to a major cable company and have cable at home and have a digital video recorder, a DVR.

PV: That would be me.

AF: That is an Internet of things device. A mobile phone is an Internet of things device, a smart watch, a Nest thermostat, an IP camera.

PV: The thing that seems the most frustrating is that the onus is on consumers to sort of be on top of the game when it comes to the security of these things. But most of us don’t have that kind of background, nor do we have the time to kind of look into these things. What are we supposed to do? Or how do you know exactly whether these things are secure?

AF: Yeah, I mean that’s a really fair question and it’s a question I’m asked all the time. For an average consumer, there is no one-stop shopping to know. Purchasing a certain device comes with these risks versus another one. It all depends on how the manufacturer markets their device and how easy they make it. And candidly, most consumers don’t care right now. I think that is the bigger question, is why don’t they care?

I’ve worked cybersecurity and cyber crime going on 20 years now and I’ve met with some of the biggest organizations on the planet to talk to them about significant cyber incidents that they were facing at that given moment. And they would work with me to help mitigate that risk and overcome it. But they really didn’t sit up and take notice until they realized that it was personally affecting them. It could be their personal machine or their personal safety or their bank accounts, their personal financial situation. And that’s something that I think, I think a lot of people, including our government is still grappling with today.

I can’t tell you how many times I heard in Washington that we just have not yet had a cyber 9/11 which is appalling for me to hear for two reasons. One is because I lived and worked in New York City on 9/11, and to even use that in a political statement of why we should not invest or take cybersecurity seriously is just appalling to me. But in another sense, I would say that we had a foreign entity partake in a massive campaign to affect the way the American people thought about certain issues in an attempt to influence their vote on Election Day, to literally undermine one of our bedrock principles, which is the right to conduct free and open elections, that so many of our forefathers and ancestors died for that right.

PV: If that’s not your 9/11 of cyber, what is exactly? I guess you have to shut down somebody’s electrical grid to get their attention.

AF: And that’s happened twice. It happened in Ukraine.

PV: That’s right overseas, yeah.

AF: Two days before Christmas, twice, two years in a row. So it’s happening. It’s happening today. The question is at what point do we all sit up and take notice and take steps to really get in front of these threats and to make it a top priority?

PV: What’s the greatest cybersecurity threat that Americans face that they’re not aware of, but they should be?

AF: The first two we’ve already heard about that. The third one I want to dig into a little bit. The first one is the Internet of things. They’re just coming online at exorbitant speeds. The second one we’ve also touched upon, which is the weaponizing of information. I think our adversaries have seen how this can have such a large scale effect on the way, the American way of life. The third and equally significant risk that people should be aware of is data.

Data is much more than just an asset. It can also be a huge liability. And data is being generated every single second. So much data is being generated by our smart devices, by our usage of a computer, by our searches on a computer, by our interactions with various Internet of things devices. And as we interact with these platforms, data is being generated. Whether it’s data on us, our habits, our family.

I’m not talking just data of documents and words in documents. I’m talking about the tone of our voice, the health of our voice, the different questions that we may be searching for on our devices or asking our smart devices for responses. All that is data that is being collected and harvested somewhere. And I think it’s important for people to understand the risks associated with that data.

I would say a fourth threat that definitely has me concerned is the threat of the insider. What is the insider threat? For different organizations it means different things. But the reality is, is the insider threat is someone living and working within your organization every single day, somebody who has an access ID, somebody who has a login to your network infrastructure, and someone who in theory has access to your data and in some cases your most sensitive data.

The insider threat has always been a threat, but now that I am in private practice, I am seeing more and more cases of insider threats crossing my desk, where organizations need help identifying rogue employees that are stealing information and potentially selling it to competitors, selling it to nation states, or conducting activities on their network to sabotage infrastructure.

PV: You know, what’s really funny? I think about data. This is weirdly enough, this is a question I thought of just this morning as kind of a joke, but I think it actually ties into what you were just saying.

AF: Yeah.

PV: Should I be using FaceApp?

AF: No comment.

Techies and Engineers Need to Speak Same Language to Secure Critical Infrastructure
https://now.fordham.edu/university-news/techies-and-engineers-need-to-speak-same-language-to-secure-critical-infrastructure/
Mon, 29 Jul 2019 19:16:49 +0000

Photo by Chris Taggart

In one of the final panels of the International Conference on Cyber Security, panelists examined the risks of cyberattacks to the nation’s critical infrastructure. Patrick Foye, FCRH ’78, chairman of the Metropolitan Transit Authority (MTA), moderated.

“The title of this panel is ‘Critical Infrastructure Vulnerability: Real or Imagined?’” said Foye. “Spoiler alert: the answer is it’s real. It’s really serious, deadly serious.”

Foye said the vulnerability is an issue for every organization in the country—small, medium, and large. He said his own experience heading up the Port Authority of New York and New Jersey exposed him to the dangers and he continues to deal with them at the MTA.

He asked panelists what is the likelihood that some part of the nation’s critical infrastructure will be hacked in the next 36 months and the public will be denied access to electricity, public transit, water, or even their bank accounts.

“One hundred percent,” said Robert Galvin, chief technology officer of Port Authority of New York and New Jersey.

Jargon Must Go

Donna Dodson, Ph.D., chief cybersecurity advisor of the National Institute of Standards and Technology, stressed the need for tech experts to articulate the risks to the various sectors that they serve in language that they understand. She said it falls to those in the scientific and public infrastructure settings to begin to break silos and start speaking in layman’s terms so everyone can comprehend current threats.

“We all have to get better, not cyber people talk to cyber people using 120 acronyms,” she said, noting that every agency, city hall, statehouse, and infrastructure agency uses its own set of letters that mean something to them alone. “If we’re really going to work with these organizations then we need to understand their use of terms, words, and jargons.”

She recalled a recent conversation with her own team about the Internet of things in a medical setting. A tech veteran, she said that when she heard the acronym ‘PAC,’ she assumed it meant Physical Access Control, when in actuality her team was talking about Picture Archive and Communication Systems (PACS) in radiology.

“It’s important to understand the environment and not force cyber to talk cyber and have everyone’s eyes glaze over,” she said.

Michael R. Singer, AVP of technology security at AT&T, agreed that in the process of designing resilience into tech systems “it’s important to be in touch on the human side. You need to continue to invest in your management capabilities.”

Glory, Not Money, as Motive

Galvin noted that the motivation to attack public sector infrastructure is rarely the same as in the commercial sector, where the primary motivator is money.

“In the public sphere it’s not data, but to make a name yourself, it’s ‘I’d love to be able to take over a train or the signage over the George Washington Bridge,’” he said.

He added the tech community could learn a lot from the engineering disciplines, which have been working together for hundreds of years.

“We have to come together as two different disciplines,” he said.

Cooperation is Key

Ben Miller, VP of threat operations at Dragos, concurred. He said that while most of the focus has been on the architecture behind systems to strengthen and fend off attacks, of equal importance is the staff that monitors the system through operational technology (OT). He said such defense cannot be shouldered by IT teams alone; it must include OT engineers who understand how the respective systems work, whether it’s water supplies or electrical grids.

“The fact that people think of technology in terms of smartphones and the computer at their desk is a real problem for us,” he said. “The plumbers, the electricians, the facility managers, all the people who are out doing work in industrial control systems don’t think of them as computers.”

He said OT systems can be hacked and that can shut down the facilities. Until OT engineers think of their systems as computers, efforts to warn of cyber dangers will fall flat. And, he said, the only way for IT people to really understand what is going on is to go out and become familiar with the work of OT.

Miller concurred and reiterated Dodson’s point on communication, particularly in educating the general public in terms they can understand. He cited the scientific community’s concerted effort to educate the public about the dangers of global warming as a model for the cybersecurity industry.

‘It Isn’t Magic’

“They [the scientists] embarked on a campaign; we need a similar effort in terms of tech, we need to teach everyone a little bit in terms they can understand,” he said. “For too long there’s been a guy in a black turtleneck sweater standing up saying ‘It is magic.’ It isn’t magic. It’s protocols, engineering, software, and hardware that’s all it is.”

Forensics Expert Reflects on How Tech Changes Have Impacted His Work
https://now.fordham.edu/university-news/forensics-expert-reflects-on-how-tech-changes-have-impacted-his-work/
Mon, 29 Jul 2019 16:14:55 +0000

To understand how technological changes have influenced the way law enforcement has approached digital forensics, it helps to understand the connection between horses’ rear ends and space shuttles.

“One of the things that we do in computer forensics, is we have to make connections—why does not this work?” said Stephen Flatley on July 25 at Fordham’s Lincoln Center campus.

Flatley, a senior forensic examiner at the FBI, explained that the booster rockets that were designed to carry the space shuttle into orbit were built in Utah. Because they had to be transported by train to the launch pad in Florida, they could only be as wide as the tunnels those tracks traveled through. Those tunnels were in turn built around the width of the tracks, which was derived from the width between carriage wheels, which were designed to accommodate the rear ends of two horses hitched up side by side.

“So the tunnel was only so big because the tracks were only so wide because the horse’s ass is only so big,” he said to laughter at a panel presentation called “From Herding Cats to Device Encryption, a Look Back at 10 years of the International Conference on Cyber Security,” held on the third day of the International Conference on Cyber Security.

The horse-space shuttle story is helpful for understanding the ways that past decisions can impact current realities, he said. Up until 2005, he noted, computer hard drives could handle no more than two terabytes, because a key aspect of the Windows Operating System known as BIOS (Basic Input/Output System) was designed when the predominant file system was FAT32. FAT32 was never designed to handle that much information. But in 2005, Apple’s operating system began to catch up with Windows, and since it used a different system called EFI (Extensible Firmware Interface), it did not suffer from this limitation. Modern PCs no longer use FAT32 either, and today hard drives as large as 14 terabytes are available.

Flatley noted that when he first started in 2005, a suspect might have a single laptop the FBI needed to examine. Years later, a suspect might have multiple thumb drives, a cell phone, a laptop, and a desktop. Now? They might have everything they need on a single top-of-the-line iPhone, which has 512 gigabytes of storage. But while storage has increased, data transfer speeds have not.

“That makes our lives a lot more hanging around, just watching the progress bar, which is all well and good if you’re in a lab, and there’s a lot of coffee nearby. But if you’re out in some guy’s living room, or you’re in a parking lot somewhere, or at a baggage terminal at JFK, do you want to spend an hour there while you copy a one terabyte drive? Not really,” he said.

“We used to go out on a search, kick in some dentist’s office door at six in the morning, copy all the machines, and be home by 10:30, 11 in the morning. Now, we go out there and say look, ‘We can sit here for the next two days and have a conversation with you, or we can grab all this stuff, and bring it back to the lab, and bring it back in a day or two.’ They say, go ahead, take it.”

How the ‘Dark Tetrad’ Abets White Collar Crime and Espionage
https://now.fordham.edu/university-news/how-the-dark-tetrad-abets-white-collar-crime-and-espionage/
Thu, 25 Jul 2019 21:01:50 +0000

In a panel titled “Insider Risks: Investigative Insights and Lessons Learned,” Eric Shaw, Ph.D., and Kirk Kennedy, Ph.D., a behavioural psychologist at the FBI, advised listeners how to identify red flags so that they could help a troubled employee before they become a criminal employee.

Both Shaw and Kennedy spent years using data to examine behaviors that led to white-collar crime. Kennedy said that there are personal predispositions that espouse concerning behaviors, and he referred to the four characteristics that make a white-collar criminal or someone who commits espionage the “dark tetrad.” The characteristics are narcissism, Machiavellianism, psychopathy, and sadism.

“When you have severe and prolonged emphasis in at least two of these four areas, you can bet you’re going to have somebody who is going to develop some significant problems,” said Kennedy.

Beyond being self-centered, narcissists believe they deserve special treatment and they don’t deserve criticism, he said. Machiavellians believe the ends justify the means, even if that means they coldly use others. They also use charm to mask their calculated efforts.

“People with these characteristics view people as instruments to use in their goals; they’re duplicitous,” he said.

Psychopaths violate rules and others’ rights and are callous toward others’ feelings, but add “a heavy smattering of superficial charm.” Sadists, on the other hand, take pleasure in causing others emotional pain.

“We look at this as a witch’s brew of characteristics,” he said, noting that any combination of two of the characteristics spells trouble for an institution. However, one characteristic alone may actually be a good thing for a company. He noted that narcissists quite often make good leaders.

“I think psychopaths get a bad name,” said Shaw to much laughter.

He noted that sometimes a leader needs to be dispassionate and distant when they have to cut losses, cut jobs, and make harsh judgment calls.

Panelist Steve Garfinkel, senior vice president and senior program manager of Global Investigations at Citibank, said that many of the suspects he’s caught over the years exhibit a Machiavellian amiability.

“Many of the more successful fraudsters are very likeable, and that allows them to get other people they work with to do things for them and help them in their fraud,” said Garfinkel. “Those people are some of the more dangerous people as a risk to an institution.”

Peter Lapp, a special agent with the FBI, said he found the narcissism he’s observed among those engaged in espionage to be “unbelievable.” He cited the case of Ana Montes, who rose through the ranks at the Defense Intelligence Agency, all while relaying classified information to the Cuban government. He noted that her willingness to share that information usurped an authority that was well above her station.

Nevertheless, Montes rose through the ranks as a recognized expert on Latin American affairs. She was so trusted, agents embarking on dangerous assignments in the region would contact her before heading out on a mission. This was the case with one Green Beret who was eventually ambushed in the jungles of El Salvador and killed. Lapp was convinced that Montes had met him before, but when he interviewed her after the death, she dismissed it.

“Her response was, ‘I don’t remember meeting him. I don’t remember the name. However, if I knew who he was, I knew what he was doing, and I knew what his mission was, I would have told the Cubans. And if he died as a result of my espionage, that’s the risk that he wanted to take,’” he recalled her saying. “That’s some cold, cold stuff there. That’s narcissism.”

Panel Highlights Benefits of Red Teams
https://now.fordham.edu/university-news/panel-highlights-benefits-of-red-teams/
Thu, 25 Jul 2019 20:31:40 +0000

If a hacker broke into your computer network, stole all the x-rays that you, a health system administrator, had stored, and used artificial intelligence to change the images, what percentage of x-rays would convince you to pay a ransom to learn which ones they were? Twenty percent? Five percent?

At The Red Team Experience, a panel discussion held the second day of the International Conference on Cyber Security, Micah Zenko shared that possible scenario with an audience of security professionals as an example of what red teams can prepare a firm for before it actually happens.

“I always think of the first ever red team meeting as an act of therapy,” said Zenko, the author of Red Team: How to Succeed By Thinking Like the Enemy (Basic Books, 2015).

“It’s having an honest conversation about what do you care about most, what degree of resources are you committed to protecting, how will you marshal resources, how good are you at putting out fires, and what is your relationship with third party responders and law enforcement, when a breach happens?”

The panel, which was moderated by Ed Stroz, GABELLI ’79, co-founder and president of Stroz Friedberg (now known as Aon Cyber Solutions), explored the intricacies involved in hiring an outside firm to try to break into one’s own computer networks and stop just short of causing irreversible harm. Done right, Stroz said, a sustained attack, done without any of lower management’s knowledge, can provide valuable insight for employees who are willing to learn.

“If you were to draw a picture of a company’s computer network, they almost never show the people; they only show the devices. It’s not wrong; that’s how most network maps look,” he said.

“But I think if you really want to do it correctly, you have to show the people, because they are part of the computer network.”

Jude Keenan, director at AON Cyber Solutions, said there is often confusion between penetration (or PEN) testing, and red team testing, with the former offering breadth, and the latter offering depth. Many companies falsely equate internal tests to be the same, he said.

“For us, we need to have buy in from executive level members, someone who has the authority to say, ‘I give you permission to steal really what is our company IP, crown jewels and have no one else to know about it,’” he said.

“It’s pretty important from that perspective, because if the blue team knows someone is going to attack them, then it’s not really an accurate test.”

Stroz said the tricky part of red teaming, which takes its name from military exercises where red teams play offense and blue teams play defense, is balancing the need to show weaknesses in a company’s networks with the potential downside of embarrassing and demoralizing employees.

Often, he noted, red teams will discover flaws that a company’s IT staff was previously aware of, but couldn’t convince their superiors to address. Together though, everyone can work to address the issues before they become problems.

“In my experience, clients who are going through a real cyber-attack, everybody’s IQ drops about 20 points, because it’s human nature,” he said.

“You tighten up, you go back to primitive thinking, the reptile brain kicks in. Everybody does it, including me. But one way to minimize the bad side of that is to inoculate yourself and be aware of it and try through a bit of preparation. Any preparation that helps you build resilience is going to benefit you.”

CISA Director Encourages the American People to Take Security Into Their Own Hands
https://now.fordham.edu/university-news/cisa-director-encourages-the-american-people-to-take-security-into-their-own-hands/
Thu, 25 Jul 2019 20:15:04 +0000

Photo by Chris Taggart

In an unscripted speech, Christopher C. Krebs, the first director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), described how the U.S. government is taking steps to protect the 2020 presidential election from Russian hackers.

“This is bigger than just protecting 2020. This is ultimately about defending democracy,” said Krebs, a keynote speaker on the last day of the 2019 International Conference on Cyber Security, held at Fordham Law School. 

Three years ago, the Russian government interfered with the U.S. presidential election through the creation of thousands of fake social media accounts, which spread fabricated information to all corners of the country. 

Krebs said his agency has been working to avoid similar strife in the upcoming elections. Over the past several months, he said CISA has been helping foreign countries improve their defenses against Russia, thereby gaining a deeper understanding of the techniques and tactics that the Russians use. Krebs anticipated that before the Russians strike the United States, they will most likely use somewhere in eastern Europe as a guinea pig, like Ukraine or Moldova. He also emphasized the importance of raising awareness of what the “threat environment” looks like and driving resources into defense methods, such as phishing campaign assessments. 

There are still problems at home. He said five states—Delaware, Georgia, Louisiana, New Jersey, and South Carolina—use voting machines that provide no paper trail of the votes. No paper ballots means no ability to audit the vote, he said. 

“We’ve got to get to a position where we can audit the vote, where we can understand what happened throughout the process,” Krebs said. “If you can’t audit the process, you can’t audit the network left or right, if you don’t know what happened … you’re not secure.” 

But there’s an easier way to combat Russian hackers—and it starts right at home. 

Last week, Krebs and his team released a website called war-on-pineapple.com: a simple, interactive five-step tutorial that shows Americans how Russian social-media efforts try to divide and troll them. 

“What we’re trying to do is raise critical thinking across the American people about how we’re being manipulated by foreign actors,” Krebs said. “We’re trying to engage the American people, educate on the tools, techniques, and capabilities. Not just Russia, but others that are getting into it.”

In the past and present, Russia has used social media to “undermine the very public conscious[ness] of the American people,” he said. They follow five steps: identify a divisive issue (one divisive issue is whether or not pineapple belongs on pizza, hence war-on-pineapple.com), create a conversation on social media, stir up angst, drive the topic into mainstream news, and then “take it real world.”

“They generate real-world activities. They actually get on social media platforms and schedule events,” Krebs said. “And not just a rally in favor of something—they also organize the counterprotests.”

He emphasized that more must be done to increase the resilience of the American people. The “war on pineapple” is only the beginning. 

“It’s up to every single one of us to engage, to increase awareness because it’s not one person. It’s not the federal government. It’s not a state or local official,” Krebs said. “It’s everyone that’s going to be in the effort to protect [the] 2020 [elections] and defend democracy.”

We Can’t Go It Alone on Cybercrime, FBI Director Warns
https://now.fordham.edu/university-news/we-cant-protect-americans-from-cybercrime-alone-fbi-director-warns/
Thu, 25 Jul 2019 20:11:27 +0000

Christopher Wray, the director of the Federal Bureau of Investigation, told a standing-room-only audience at Fordham’s Lincoln Center campus on July 25 that the FBI will always be as persistent as America’s enemies when it comes to defending the country.

But the agency cannot go it alone.

“Just as technology has become a wonderful force multiplier for the good guys, it has become a force multiplier for all sorts of bad guys—for terrorists, hackers, child predators, and a lot more. User-controlled default encryption is a real challenge for law enforcement,” he said, echoing comments that U.S. Attorney General William P. Barr made at Fordham on Tuesday.

Wray’s appearance at Fordham’s School of Law closed out the 8th International Conference on Cyber Security (ICCS). He last visited Fordham in January, 2018, when he delivered the opening remarks for the 7th ICCS conference.

To illustrate the FBI’s ongoing efforts, Wray highlighted the Bureau’s involvement in the December takedown of APT10, a hacking group associated with China’s Ministry of State Security. The group had compromised the networks of U.S. government agencies and 45 companies around the world.

Working with field offices around the country and agencies such as the Defense Criminal Investigative Service and the Department of Homeland Security, the U.S. Department of Justice obtained criminal indictments against two members of the group.

“The indictments marked an important step in publicly exposing China’s continued practice of stealing intellectual property to give Chinese firms an unfair advantage in the marketplace,” he said, noting that it also led to the first formal declaration that China had violated the 2015 Cyber Commitments agreed to by the United States and China.

“By revealing the names and activities of hackers in cases like these, we limit their travel and job prospects, and we increase significantly their cost to operate. An indictment signals to our allies that we’re so confident in our assessment of culpability that we’re willing to put the full weight of the U.S. criminal justice system behind it.”

“Eighteen months ago, I said to you that we at Fordham, and the whole American public, look up to and revere the FBI as people who not only protect us, but who love to protect us,” Joseph M. McShane, S.J., president of Fordham, told Wray.
“I want to say that again. I think it’s important for you right now, and important for the men and women who you brought with you to know that, how grateful we are.”

Wray addressed foreign influence in his remarks, noting that the bureau fully expects to see in 2020 efforts to target election infrastructure to exact ransoms, temporarily disrupt election operations, and undermine voter confidence in the electoral process.

“Happily, we’ve yet to see attacks manipulating or deleting election and voter-related data, or attacks that actually take election management systems offline. But we know our adversaries are relentless. So are we,” he said.

Equally important, he noted, was foreign investment. If adversaries can’t access our most valuable and sensitive information, he said, they may try to buy their way to it. Working with the Committee on Foreign Investment in the United States, the Bureau has access to data about sensitive industries unavailable to private citizens. Don’t overestimate the effectiveness of protections and countermeasures available to your company, he said.

“A decision to enter into a particular joint venture or contract with a particular vendor or cloud computing company may look good today – it may make a lot of money this quarter. But that decision might not look so great five years down the road, if you’re then in the throes of a slow bleed of data. Or, worse, if you’re then suffering a major hemorrhage of intellectual property,” he said.

“So you’ve got to take steps, and make hard choices, to safeguard your R&D, PII, and proprietary data even after a deal is done.”

The issue of lawful access to encrypted data was where he was most hopeful that the private sector and law enforcement could learn to cooperate. In a New England town last month, he said the FBI received a tip that a nine-year-old girl was being sexually abused, and that the abuser was using an app—which Wray declined to identify—to distribute images of her anonymously. Agents contacted the app provider, located the child in less than 24 hours, obtained multiple search warrants, rescued her and arrested the suspect.

“Law enforcement receives millions of tips like these every year. I don’t want to think about a world in which we lose the ability to detect dangerous criminal activity because a technology provider decides to encrypt this traffic – data “in motion” – in such a way that the content is cloaked and no longer available subject to our longstanding legal process,” he said.

The FBI has been “hearing increasingly” from cryptologists that there are solutions that could work to protect encryption and fulfill law enforcement’s need for accessing encrypted communications, he said, which gives him hope that a mutually acceptable solution may emerge soon.

“This is not just a national security issue, it’s a fundamental public safety issue. If it is not addressed, it impedes not only federal law enforcement, but our state and local partners as well,” Wray said.

The Problem with IoT Devices
https://now.fordham.edu/university-news/the-problem-with-iot-devices/
Thu, 25 Jul 2019 20:08:21 +0000

IoT devices are making our day-to-day lives easier, but at what cost?

The answer: IoT devices pose a major threat to our security, said Thaier Hayajneh, Ph.D., professor of computer and information sciences and director of the Fordham Center for Cybersecurity, at a July 24 panel on IoT Forensics and Privacy at the International Conference on Cyber Security.

An acronym for the “Internet of Things,” IoT refers to interconnected devices that are programmable and intelligent, accessible from anywhere, and able to connect to the internet. The toaster that connects to your Wi-Fi to broadcast today’s weather to you is considered an IoT device. Yet with that functionality comes high security risk: as a result of the soaring scalability of IoT devices and the increasing number of items a person connects to the internet in their home or business, there are exponentially more points of vulnerability, raising the potential that a hacker can gain access to one’s secure data.

Andrew Johnston, FCRH ‘17, a proactive consultant at the Mandiant cybersecurity firm, spoke to how IoT devices can leave a corporation prone to security risk.

“These devices have Wi-Fi networks associated with them. They have default passwords. You can log in and potentially take control of some of those sensors. It’s obviously very clear how dangerous it can be,” he said. “You can take control of a phone or conferencing equipment remotely and activate a microphone and that conferencing equipment is sitting on the desk with your CEO. That’s a tremendous, tremendous risk.”

It’s important to know how to defend a device by looking for its vulnerabilities, which is similar to trying to recover information in a forensic way. A user has to be skilled at reverse engineering and understand firmware to know how the device works and how information can be leaked, and therefore how one can move around that encryption. It can be challenging, but Johnston said that he’s now seeing a lot of vendors become more open about what information is stored on a device and how it can get out, and that is a step in the right direction.

Despite IoT devices seeming like a 21st-century invention, Hayajneh shared this prophetic quote from inventor Nikola Tesla back in 1926: “When wireless is perfectly applied the whole earth will be converted into a huge brain, which in fact it is, all things being particles of a real and rhythmic whole. We shall be able to communicate with one another instantly, irrespective of distance.” Hayajneh noted that even back then Tesla “had a vision of what we are approaching nowadays with IoT.” While it’s unclear if Tesla could have predicted the risk factors we have today, there’s hope that our ever-evolving technology can create both an interconnected and secure world.

Hack Right: How to Deter First Offenders Away from Cybercrime
https://now.fordham.edu/university-news/hack-right-how-to-deter-first-offenders-away-from-cybercrime/
Thu, 25 Jul 2019 19:32:43 +0000

Is there a way to keep would-be first offenders away from cybercrime? A panel at the 2019 International Conference on Cyber Security tackled the topic.

Floor Jansen, Ph.D., advisor to the Dutch National High Tech Crime Unit, began with an in-depth description on how to identify cybercriminals.

The typical cybercriminal looks very different from the criminals of serious organized crime, she said. The average age of a cybercriminal is 19, as opposed to a drug trafficker’s 40 to 50 years of age. Their recidivism levels are also very low, and it doesn’t take much to deter them away from cyber offenses. Lastly, they quite often have autistic traits.

Cybercriminals have several key identifiable characteristics, Jansen went on to discuss.

Firstly, they have no clear distinction between what is right and wrong online because these boundaries in the online world are less obvious. As they hide behind computer screens, they typically never see the damage they inflict on victims. While most cybercriminals usually come from good families, their parents are unaware of the full scope of what their kids are doing online, she added.

They tend to be negatively influenced by their peers, who also spend hours online and are not within reach of the positive influence of parents or educators. Finally, while the reward for crime is primarily money, cybercriminals’ motivations are more intrinsic—some do it just for fun and because they know they can.

With low recidivism levels, interventions aimed at deterring cybercrime are important and effective. A “hack right” intervention aimed at first-time offenders studies the offender and creates a tailored approach, which could include training about online boundaries, cyber-based community service, coaching by ethical hackers, and presenting positive alternatives to cybercrimes.

When discussing rehabilitation of hackers, Jansen finds that a combined approach works best. They need social workers who have the right tools to talk to and educate kids, and they also need the help of cybersecurity experts to help understand where these boundaries between right and wrong lie. The two work together to fill in each other’s gaps.

Greg Francis, the Acting National Prevent Lead of the U.K.’s National Crime Agency, said he believes law enforcement is an important tool in deterring cybercrime.

“Law enforcement, sometimes I believe—and this is not an agency view, this is my view—can be so focused on the blood and thunder, the arrest and prosecution, they sometimes forget that their job is to also provide service.”

That’s where knock-and-talks come into the picture.

Knock-and-talks are a type of cease-and-desist where if someone is at the periphery of any type of crime, law enforcement will go into the individual’s house and give them a warning. These methods help raise the awareness of law enforcement online and increase perception of risk that is otherwise not visible. In fact, Francis said, “every single one we’ve delivered over the four years—up to 500 cease-and-desists have been signed—not one has pushed back. I think we’ve only got one case where we can say that individual has gone back and committed a crime.”

“The question is what is a more productive response to a potential crime?” Francis asked. “To wait for it to happen, because that’s where the blood and thunder is, or to make sure that the ones that we’re investigating are there because they’ve made an informed choice?”

Exploring the Possibilities of Blockchain Technology
https://now.fordham.edu/university-news/exploring-the-possibilities-of-blockchain-technology/
Thu, 25 Jul 2019 17:39:24 +0000

Blockchain technology is overhyped, but its potential holds much promise, said Peter Mell, a senior computer scientist at the National Institute of Standards and Technology, at Fordham’s 2019 International Conference on Cyber Security on July 24.

“Blockchains are not the panacea. They’re not the silver bullet,” he said. “But they can be useful for certain applications.” 

Mell’s lecture, “Can blockchain improve operational efficiency while enhancing trust?” explored the areas where blockchains, or append-only distributed ledgers linked by cryptography, may be useful in the future. Among them are identity management, random number production, and potential government-managed cryptocurrencies. 

He spoke in depth about the possibility of managing identities using both blockchains and smart contracts, a computer protocol that helps one exchange money while avoiding the services of a middleman. In other words, a smart contract is an immutable, publicly readable, and executable code that acts as a trusted third party in transactions, he said. 

“If we had such infrastructure that worked, that would be very powerful,” Mell said. 

It reminded him of the time an FBI special agent visited his home and asked Mell a few questions about a person of interest. Mell asked the agent to show him proof of his identity. The agent took out a black, leather wallet. Inside that was a “metal star.” 

“It looked very pretty. It looked very authentic … I answered personal questions about one of my friends to an absolute stranger because he had a metal star,” he said, to chuckles from the audience, including a few FBI special agents. “Now imagine with smart contracts … that special agent could come to me, and if I had an app on my phone and I gave him some identifier from my app, [he could] digitally prove to me that he was a special agent and authorized to be doing this kind of work.”

At the end of his 30-minute lecture, he concluded that although blockchain technology isn’t a universal remedy, it holds great potential for the future.

“If we can overcome a lot of scalability issues and assure ourselves of security issues, then we can create a smart contract infrastructure that’s scalable and secure and can be used worldwide,” Mell said. 

Attorneys General and German Prosecutor Discuss Encryption and Cooperation
https://now.fordham.edu/university-news/attorneys-general-and-german-prosecutor-discuss-encryption-and-cooperation/
Thu, 25 Jul 2019 14:45:51 +0000

In a panel moderated by NBC reporter Jonathan Dienst, Richard P. Donoghue, attorney general for the Eastern District of New York; Geoffrey Berman, attorney general for the Southern District of New York; and Markus Hartmann, a senior prosecutor in Cologne, Germany, returned once again to the subject that was initiated by U.S. Attorney General William P. Barr on the first day of the International Conference on Cyber Security.

The American attorneys general were both in agreement that at some point the government, likely through an act of Congress, is going to have to come to terms with “warrant proof” devices that are hindering investigations that run from murder to money laundering. Berman said that the government isn’t looking for a “back door” into a phone, nor is it even looking to possess the devices; it just wants manufacturers to supply access to the data.

“We would never accept this in the physical world, so we should not accept it in the digital world,” said Donoghue.

He added that the only reason the government was able to bring down Joaquín “El Chapo” Guzmán was because they were able to get into his computer system. “We got it only by flipping the individual who set up the system,” he said.

Hartmann agreed that access is important, but he said the problem is much broader than access.

“There’s still much room for us to improve our way of dealing with the data. I agree with the issue, but the strategy should be more than asking companies for access,” he said.

Donoghue said for many nations, their experience with terrorism has shaped their experience in the cyber realm. All agreed that France, which has suffered several recent terrorist attacks, has taken the lead with companies, demanding that services cannot be sold unless they respond to judicial warrants. As cybercrime is often a borderless domain, he said it will be interesting to see how American companies comply.

But it’s not just the companies that make encrypted devices that don’t want to deal with the Department of Justice (DOJ); even companies that have been attacked are reticent to report the crime. Berman said that companies often don’t want to come forward because they buy into established myths about reporting cybercrime to the DOJ. These myths include losing proprietary information and being reported to regulators such as the Securities and Exchange Commission—all of which Berman said does not happen.

“Digital evidence dissipates and we need access as soon as possible,” he said. “We treat companies as victims.”

Donoghue said companies will get hacked and will get attacked no matter what, so it’s important to have a plan in place on how to respond. He noted that threats come from near and far, citing one case in which Iranian hackers attacked 147 universities in 22 countries, and other cases where Chinese students and visiting professors were accused of stealing technology from universities. For most organizations, such security breaches can be a public relations embarrassment, but that’s unavoidable, said Hartmann.

“You have at least one employee or customer who will talk to the media and the case will become public,” he said.

He said that just as victims should coordinate with law enforcement after an attack, they should also coordinate and plan a response to the media. He noted that one hospital in Germany was very transparent after a breach and thanks to that transparency, the public perception was sympathetic.

In closing, Berman said backing up systems remains of utmost importance and that the backup should obviously be disconnected from the system.

“And by the way, don’t use ‘password’ as your password,” he said.
