Fazzini offers a look at the people who steal information, why they do it, and how they operate within their own codes of ethics. She talks about the ethics of cybercriminals, what the people fighting them often fail to do, and why she thinks people who can manage children make good cybersecurity managers.
Give us a quick synopsis of your book. What did you write about?
I wrote about cybercriminals and cyberdefenders, who they are and what they actually do. When we see “hacking” portrayed in movies and on television, it’s always some guy doing genius stuff on a computer and messing with his enemies, who are often corporate stooges. There’s not a lot of structure, not a soup-to-nuts view of the players, and some of the bit players are actually quite fascinating.
The truth is, cybersecurity pros have to navigate cumbersome, sometimes frightening bureaucracies that are unique to cybersecurity. They have to take major personal and professional hits for their beliefs.
Criminals risk a lot, too. Sometimes these are hardened sociopaths who spend their lives scamming people. Many others are just dumb kids or patriotic teenagers who get in over their heads and have to find a way out. They have a story, too.
You’ve spent many hours talking to and observing people who commit serious cybercrimes. Despite their actions, some of these people seem to have a code of ethics--how would you describe the rules that govern how cybercriminals interact with each other?
You know, this may have been true in the 1980s, but I think it’s important to make the distinction that there are now many codes of ethics among different cybercriminal groups. Some of those codes would scan to most of us as “no ethics.” Some are fully formed, similar to a corporation’s ethics. Most fall in between.
I’ve also seen plenty of people who do have a strict code of ethics to follow based on their professions, who may call themselves some version of “ethical hacker,” but who do really unethical things--like essentially extort companies to buy their product because they found a vulnerability. I’ve witnessed and heard of plenty of high-ranking cyber executives who tried to circumvent their own controls, sometimes just to do something mundane.
Were you surprised to see criminals have something resembling ethics?
No, because many cybercriminal organizations today fully resemble actual businesses. If you view the organizational chart of a nice-sized cybercriminal organization, and keep even the same names and titles, you would be unable to discern the criminal organization from a legit business.
Those legit businesses have codes of ethics, mission statements, values statements--so do the business-like criminal organizations. “Always unlock the data on time once a victim has paid,” or “Always give the victim a reasonable amount of time to pay before you jack up the price,” are boundaries that can help a single criminal group gain a “good” reputation.
We live in a world where law firms specialize in telling companies which criminal organizations have this “good” reputation, and should be paid.
What are two things people trying to stop cybercriminals should do that they don’t?
On the law enforcement front, it’s very difficult. There’s not much we can do to force other countries to crack down on cybercrime within their borders as much as we’d like, which, because of competing priorities or corruption, may be impossible.
Employers should certainly recognize many cybercriminal groups succeed because they are so agile, and have lots of autonomy. Corporate security organizations should have more autonomy, too.
It is a very difficult job to do, for instance, if you are tied to an annual budget and the cybercriminal wave changes suddenly from ransomware to denial-of-service attacks. Now all your spend on ransomware protections is useless and you’re getting slammed in a different way. Companies need to understand that they have to be able to pivot like their adversaries.
You've said that any person who can handle kids can basically manage a cybersecurity department. How so? Are people just scared of cyber stuff because it sounds complicated?
Well, in many ways, yes. The skillset it takes to live an organized life in a chaotic world, to keep kids on task and on a firm schedule, is a necessity in any cybersecurity organization. People with these skills, who are great at planning--I’m not kidding--should seriously consider the field. Start as a project manager. Grow your technical skillset.
Technical skills are in huge shortage, however. These can be learned. People shouldn’t be intimidated by the field because they don’t speak the language, or by the people out there talking about cyber who use a lot of fancy, big words and throw around the term “sophisticated” a lot.
This is where we are failing, on a larger scale, to do an adequate job of staffing cyber roles in the government and enterprises. On the one hand, everyone is saying there is a shortage, we desperately need people. On the other hand, many are pretending the jobs are too complicated for workers not steeped in IT security to grasp; or making the jobs so inflexible people won’t want to do them.
Should companies worry about ethics and compliance concerns when trying to stop the bad guys, or is stopping them more important than doing things in the right way?
Well, you have to do things in the right way, but I think for bigger reasons than fulfilling ethical obligations.
For instance, today, if one of your employees with a chip on his shoulder about a security breach tries to “hack back” against the perpetrator, that’s illegal. If the perpetrator or any proxy he used is in a foreign country, that’s an international incident. If the foreign country is China, that’s a CNBC chyron. You can expect a call from me.
So, yes, do it the right way, do it ethically, do your best to make sure you’re not inadvertently funding the North Korean government by constantly getting smacked with ransomware. And don’t hack back. If you get hit, you get hit. Gird yourself. Make sure your insurance is in order.
How important is training when it comes to educating employees about cyber risks? What should training include?
I go back and forth on this. Training is theoretically important. But how much do we pay attention to click-through training? Not much, obviously. There are stats on this, but I think it’s the sort of thing people understand better anecdotally.
I think the kind of training that sticks is real-world examples; that’s another reason I wrote the book. I wanted people to see the 360-degree view of what they are dealing with, and really be able to picture those scam artists trying to scam them when they are faced with said scam.
Let’s be honest, saying “A person in a similar role to you at another company caused $1 million in bonus funds to be sent to an offshore account because she clicked on a phishing email, and the company nearly struggled with bankruptcy” is much more effective than saying, “If you see a suspicious email, say something.”