There’s more opportunity in cybercrime than in pursuing a desk job - interview
There are 4M vacant positions in cybersecurity. Yet, the cybercrime world is not short of talent. “The idea of me as a CISO finding, hiring, and trusting a brilliant potential cybercriminal is a real stretch,” Ric Longenecker, CISO at Open Systems, told CyberNews.
Cybercriminals have become greedy, with ransom demands hitting new records, and somewhat PR-savvy. Meanwhile, law enforcement also celebrates some victories from time to time. For example, together with financial institutions, the FBI was able to retrieve around $500 million for victims last year alone.
The FBI urges any ransomware victim to report the crime. Otherwise, they “can’t help you.” Ragnar Locker, a notorious ransomware group, warns its victims not to dare use professional ransom negotiators.
We sat down with Longenecker to discuss the latest trends in ransomware developments and asked whether he would hire a cybercriminal as the dark world is filled with masterminds.
Recently, it seems that awfully many big and prominent organizations are being attacked. Accenture, Gigabyte, T-Mobile, AT&T (even though they haven’t confirmed a breach), to name just a few. What do you make out of this? Have cybercriminals become bolder and greedier? Is it a result of a hybrid work model, or is it just gaining more public attention now?
Yes, things are more public. But I think it’s a combination of many factors, some of which you’ve named. In reality, we still have a situation where cyber plays into international politics. And we have criminals who are able to live and operate in countries without fear of consequence. So, in the end, it really doesn’t matter who they attack.
What trends do you see in ransomware development?
It keeps growing, of course, due to potential payouts, and we've already seen "corporate" models spin up in the last few years. Now it takes a stronger turn in the sense that blackmail is taken into account – they start to simply threaten to leak confidential information.
Have Biden-Putin talks had any effect yet? Is it even wise to rely on policymakers and governments to tackle cybercrime?
Andy Greenberg published another great book back in 2019 – Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers. It talks about the early days (post-Yeltsin, start of Putin) of U.S./Russian relations on cyber. Things haven't really changed – talks will have limited effect and are largely political.
There's a shortage of talent (4M worldwide) in cybersecurity. However, it doesn't seem that there's a shortage of brilliant minds in the cybercrime world. Why do people become criminals instead of using their skills and talents for good?
Why does anyone become a criminal? Opportunity, circumstances (environment), and timing. And right now, if you live in some countries and are smart, there's more opportunity in crime than in pursuing a desk job. While there continues to be a shortage of good people in the industry, there's a large trust factor that plays out, as well as traditional approaches to hiring still in play. The idea of me as a CISO finding, hiring, and trusting a brilliant potential cybercriminal – and keeping that person on the "whitehat" side – is a real stretch.
There are not many examples of cybercriminals being caught at the crime scene, are there? Do you anticipate that will change any time soon?
Quite frankly, as many know, it's actually really difficult to pinpoint or prove who has actually committed the crime in many cases. Beyond that, it takes a number of years and really strong international cooperation to arrest an individual or a group. I've sat in on a number of law enforcement groups working tirelessly across international lines through a case. It takes years and somewhat improves with time. However, don't expect change any time soon.
Though instrumental in various uprisings, encrypted chat apps have also become a marketplace for illegal goods, such as ransomware-as-a-service, etc. Should privacy be bent to some extent in important law enforcement cases to fight cybercriminals more effectively?
There are quite a number of intelligence companies working covertly in different encrypted chat forums, etc., that currently work strongly with law enforcement. You can also consider the recent FBI and Australian "sting" operation, which seeded a fake encryption app to millions of criminals worldwide.
Overall, privacy for many remains a strong human right as a concept. And we always need a balance between the ability of law enforcement to do its job and individuals' rights.
Is the cybersecurity landscape evolving fast enough to tackle cybercrime? There are so many attack vectors nowadays, and the COVID-19 pandemic adds its own challenge with WFH, people being an easier target for fake news, etc.
I would say that cybersecurity has come quite a long way. There are now plenty of good supporting partners and services like Managed Detection and Response that allow the average organization to implement a strong degree of protection. However, many of the same security challenges that existed ten years ago exist today in companies. Preparedness starts with awareness and effort, implementation of good IT, and choosing to invest in a few folks to focus in this area and work with a partner.
Even though companies are encouraged not to pay the ransom, it may be the only obvious choice as doing otherwise would mean severe business disruption (for critical infrastructure) or the loss of a business overall for SMEs. What should be done before we can prohibit ransom payments by law?
We're almost getting to the point that payment will be illegal in some countries. It is actually more limited in possibility as insurance companies will stop paying for it in some cases. In short, we see a stronger amount of due diligence by insurance companies requiring companies to validate their level of security. This level of validation weighed against a potential payout can be a pretty good mechanism to encourage SMEs to be prepared, and I think it's a good direction.
Overall, as mentioned earlier, the industry has come a long way. And, in many cases, it's all about each individual organization doing its due diligence to realize potential risks, support some dedicated folks on the issue, or get out there and find a partner to help it strengthen its security posture. As we continue to be more and more digital, the problem of cyberattacks isn't going away. Hence, organizations need to be thinking proactively about what they can do to equip themselves better.