Cyberattacks and ransomware are no longer burglary; they’re home invasion, expert says


More than 3.5 million people worldwide are needed to play defense against cyberattacks.

TechRepublic’s Karen Roby spoke with Tom Kellerman, head of cybersecurity strategy for VMware, about ransomware and cybersecurity. The following is an edited transcript of their conversation.


Karen Roby: I want you to give just a quick second to give our audience just a little insight into your background, as far as just how entrenched you are in the world of cybersecurity. I think it kind of helps to set the stage for your knowledge base and where you’re coming from.

Tom Kellerman: Sure. I’ve been in cybersecurity for 23 years. I’m a reformed hacker. A college professor turned me to the light. Been the CISO for the World Bank and IMF. I’ve been an advisor to presidents, including President Obama and Bush on cybersecurity. I sit on the cyber crime investigations board currently for the Secret Service, which if you didn’t know, investigates all financial crimes, and I’m currently the head of cybersecurity strategy for VMware, which is basically the company behind cloud computing and modern applications.

Karen Roby: Tom, we were talking before I started recording here about some of the main points that we want to go over that you want to make sure we hit on today because this is obviously a really broad subject. And to try to get it down in just a few minutes is tough to do, but people are hearing more and more about this. I mean, you’ve been talking and investigating cybersecurity for many years, but the common person out there just doesn’t even really know what can happen when people are hacked and what is ransomware and all of those kind of things. So I think that it’s a good place to start, as you mentioned to me, is that the game has changed. What do you mean by that?

Tom Kellerman: The game has changed truly in two ways. One of which is that cyberspace has become more punitive. It’s become more hostile. You’ve got cyber crime cartels that are willing to leverage destructive attacks like ransomware or wiper attacks against corporations and government agencies. And these same groups are protected by the various governments where they exist and they have untouchable status from Western law enforcement. It’s terrible and tragic to admit this, but prosecution rates are still less than 2% for cyber criminals. This is compounded by the fact that three years ago, it was all about stealing your intellectual property and stealing your money. Burglary. Now it’s changed. It’s really become home invasion.


They want to take over your infrastructure. They want to take over your corporate environment and they then want to launch attacks from your environment against your customers, your constituents, your board members, etc. And so when you think about SolarWinds, which we’re all familiar with, that didn’t occur in a vacuum. It’s actually happening more than 45% of the time. When we go in to investigate a situation inside an organization, you see that that organization, not only were they robbed, but their infrastructure is now being used to attack everyone who trusts them.

Karen Roby: That’s the really scary part, Tom, is just that the trickle-down effect and what happens when one thing starts and then continues to roll. And I know we’ve said it before and read it many places that, I mean, they will just keep targeting until they hit, right? I mean, they’re just throwing things up to see what sticks and what happens.

Tom Kellerman: Well, the most sophisticated cyber crime cartels who are hunting, essentially, the Fortune 5,000 and government agencies and state and local agencies and departments, they’re conducting reconnaissance on you for a good two to three weeks before they launch an attack against you. It used to be the fact that they would just keep shooting until they hit something and it stuck. And that’s typically for the neophytes, the non-sophisticated criminals who have gotten into cyber crime. But these cyber crime cartels are very sophisticated, very well structured, very well-funded and insulated, again, from Western law enforcement, because they’re seen as national assets by countries like Russia and others.

Karen Roby: Yeah. That’s really scary. Talk a little bit about that. Expand on that as far as where we’re seeing these groups come from and how they’re being protected, and you mentioned the NATO charter having to be amended now to reinforce the fact that we have to help support each other.

Tom Kellerman: Yeah. Essentially the shift happened back in 2013. There was a very famous speech given by the head of Russian strategic command, General Gerasimov, about how to reassert Russian power on the world stage. And essentially they said the great weaknesses of the West were their dependence on public opinion for trust and confidence in institutions and their dependence on technology. And at the same time, they looked around and they realized that their most talented technical folks in the country were essentially cyber criminals that had been breaking into U.S. banks for years. And you just hadn’t heard about it. And they essentially called upon these folks to be patriotic with their skillsets. And they said in exchange for that, we will give you untouchable status. So, if you look at ransomware, most ransomware is coded and created in Eastern Europe. And most ransomware will actually not detonate on any Cyrillic or Russian language keyboard.


That’s on purpose because basically the Pax Mafiosa that I’ve just described to you is based on three principles. You don’t hack anything within the former Soviet bloc. When called upon to be patriotic, you do so, and you share the access to the system that you’ve hacked. And when called to be patriotic, you will target a set bunch of targets that are identified by the government. And that’s really why the summit between President Biden and President Putin was so significant last week in such that President Biden laid out red lines across the critical infrastructures. And he did so just merely days after amending Article 5 of the NATO charter to say collective defense of NATO countries would now correspond to cyberattacks against critical infrastructures. So, that really does change the game because it allows our military to take the gloves off.

Karen Roby: When you talk about how vulnerable, Tom, we are, and a lot of our companies, and obviously Colonial Pipeline was out in front for people to see how this happened and the implications. When you look at our supply lines and I mean, there’s so much critical infrastructure out there that may be vulnerable. I mean, how much does that concern you?

Tom Kellerman: Oh, very much so. Particularly in pipelines and water and the energy sector as a whole. You have to remember that Colonial Pipeline was purposely shut down by the operators of Colonial Pipeline after the successful ransomware attack, because they were concerned that the safety systems would have no visibility into any anomalies that could create environmental disasters or kinetic events, explosions or whatnot across the system, which would permanently damage the system. And when you realize now that this isn’t a question of science fiction or some movie that you just watched last night, you can destroy, physically destroy critical infrastructure in the U.S. with cyberattacks. And so, like I said, the digital world has now converged with the physical world. It’s not just a question of people spying on you. People who hack your organization or your own computers now can become omniscient, but they can also change the way you think because they can change the integrity of the data that you depend on. And the same thing corresponds to a critical infrastructure that is relying on computers to know when it’s working properly and to adjust itself accordingly specific to safety.

Karen Roby: Tom, when we talk about the amount of cybersecurity positions that are open, the supply and demand, it’s not keeping up, and do we have a pipeline strong enough of young people coming through school that can be cybersecurity experts and take on what we know is only going to be a growing problem? What do we do about that?

Tom Kellerman: It’s a huge problem. Over 3.5 million positions are currently open in cybersecurity in the world that can’t be filled. And then most technology companies or government agencies or big banks are stealing the talent from their competitors, essentially. What we have to appreciate here is that we need to get more girls and more minorities interested in cyber, and it’s just related to playing sports. Look, when you played sports, some people like to play offense; some people like to play defense. Who wants to play some defense? Because obviously there’s a lot of money to be made for you in cybersecurity. The average starting salary is six figures. But more importantly than that, you give and you’re giving back, and you’re really helping people. And it’s a really worthy cause, and it’s a worthy fight. But I will tell you right now, frankly, it saddens me to say this, but we’re losing the war.

Essentially, there’s an insurgency going on in American cyberspace that needs to be dealt with. And not only do we need more people interested in cybersecurity, we need governance to change. Corporations must have a chief information security officer, but not only that, that person shouldn’t be reporting to the CIO. That’s like having a defensive coordinator report to your offensive coordinator. It doesn’t work out. That person must be reporting to the CEO directly, and they must have veto power over anything the CIO does that could increase the attack surface of the organization to the threats that I’ve described.


Karen Roby: I remember, Tom, and it wasn’t that long ago, maybe three years ago, doing an interview with someone who had been in the military and was in cybersecurity. And he was saying, “We need to have more cybersecurity-focused people sitting on boards. We need more of them in the C-suite.” And then on the other side, someone was saying, “Well, not really. We need this or that.” And it’s interesting to me now, because I can’t imagine that anyone would have the opposite view of that at this point. There need to be more people at this level. And like you said, reporting to the right place when it comes to cybersecurity.

Tom Kellerman: This is about sustainable development. Sustainable development of your brand and your digital transformation. This is about being vigilant. The worst thing that can happen to you in today’s world is your technological transformation being used to attack your customers with ransomware. Imagine that. Well, that happens. And people don’t talk about it. And soon there’ll be lawsuits and class actions and shareholder lawsuits associated with the fact that senior leaders were negligent. And they tried to maintain this myth of plausible deniability, right? But that’s no longer the case. I think everyone’s well aware that cybersecurity should be viewed as a functionality of conducting business, not an expense.

Karen Roby: Most certainly. And you can’t bury your head in the sand anymore and say, “It’s just not something I want to hear about or talk about.” I mean, it’s out there. Well, what do we do? It’s a very broad question to say, “What do we do? How do we fix it? What companies need to do?” And again, that’s hard to pare all that down into one short segment here, but you talked about government involvement and regulation and things like that. But I mean, what does the average company need to do? I mean, make sure they have a CISO on board. I mean, where do they even start?

Tom Kellerman: I really think that they should understand that perimeter defense is ineffective against today’s threats. You can’t rely on firewalls and encryption and traditional antivirus to save you from what I’ve described. And so you need to proactively do things like conduct cyber threat hunting to ascertain whether you already have a presence within your system that is anomalous. That is, it exhibits tendencies of criminal behavior, and root it out. You should conduct micro-segmentation to limit the capacity of an adversary to move freely through your network, through your house metaphorically.

You should increase visibility across your infrastructure by integrating your network security capabilities with your endpoint protection platform. And then really, because everyone’s migrating to the cloud in some form, you need workload security. A lot of people make the assumption that that public cloud company is going to protect their data in all its regards. You have to remember, you’re buying a unit in a nice condo in a very tough neighborhood. And so you need to be able to protect your condo, your unit, effectively, and you need to be wary of your neighbors. And obviously what goes on around the building, and that can only really be achieved through workload security.

Karen Roby: Yeah, most definitely. And Tom, before we wrap up here, let me just give you the floor for some final thoughts here, what you want people to know.

Tom Kellerman: Look, the U.S. government is overwhelmed by the threat that we’re facing today. And the insurgency in cyberspace is very real and we need to take it dead serious. And to that point, the future of your tendency to take this seriously will be based on the future, I think, of corporate responsibility and of sustainability of your brand. And most importantly, it’s a differentiator for you as a company. It provides you with comparative advantage when you look at your competitors who are not taking this issue seriously. And you should be proud, and you should publicize the fact that you do.
