Recent attacks on US tech giants SolarWinds and FireEye catapulted cybercrime to the front pages of the global media. However, misconceptions about the perpetrators behind these crimes are engraved within the collective consciousness, clouding how we see such criminals and act against them.
“The greatest misconception about cyber threats is that there’s some evil genius somewhere in Eastern Europe wearing a white lab coat that orchestrates all this stuff like in a James Bond movie,” veteran cybersecurity professional and published author Greg Scott told CyberNews.
We sat down with Greg to talk about misconceptions surrounding cybercrime as well as his latest book, “Virus Bomb,” following an IT consultant caught in the middle of an act of cyberwar against the US.
The first question I would like to ask you is an obligatory question since it’s the end of the year. Could you pinpoint one or maybe two cybersecurity threats for 2021 that seem critical from your point of view?
We all know the biggie – the SolarWinds attack. We’re going to feel the aftermath of that for a long time. Of all the places for someone to get into and mess, that’s one of the worst ones. SolarWinds has tentacles everywhere. That’s a big deal. I’m still wrapping my head around that one.
And anybody who was a SolarWinds customer, they’re victims. And so then anybody out in the world that uses their services, they’re potential victims, too. That stuff got inside the biggest ISPs in the world. Anybody who used the internet had somebody somewhere unfriendly listening in on all their conversations. I imagine someone was picking out the stuff that they wanted to use for attacks later.
So that’s going to spill over to the next year and significantly impact the cybersecurity space going on. And of course, we’ll see all the usual stuff too. We’ll see ransomware attacks, and mostly, we’ll see all kinds of schemes and all sorts of social engineering.
Another point I was wondering about was that cybercrime is sort of a daily event worldwide. Do you think societies, especially in the West, are well-informed about the scale of these operations, that these things happen daily?
No, the public is not well-informed about this stuff at all. I talked to people about things that we see every day, and their jaws drop. They don’t believe me and say I have an overactive imagination.
Even with the SolarWinds attack, nobody in the press gets what’s really going on. There was an article on NPR about this attack, and the author of the article didn’t understand the attack itself. Talking about cybersecurity with people, it’s like arm twisting.
When you tell people about security, by the time you say the word “cybersecurity,” many of them have turned their body language sideways, and they’re trying to escape because they don’t want to hear these technology words.
On the other hand, state-sponsored cyberattacks are a completely different animal in this respect. These attacks seem to have become kind of mundane at this point. What would you say is the greatest misconception about large-scale cyber threats that people have?
The greatest misconception about cyber threats is that there’s some evil genius somewhere in Eastern Europe wearing a white lab coat that orchestrates all this stuff like in a James Bond movie. To my mind, that’s probably the biggest misconception and maybe this whole concept of Hollywood hackers.
Probably the biggest misconception is that the real world works the way Hollywood paints it to work. Now, I don’t have any academic studies or anything to back that up. I just live in the world and try to survive day by day, but from the people I talked to, Hollywood hackers seem to be the biggest misconception.
Critics and some cyber community members praised the US TV series Mr. Robot for accurately depicting hacking practices.
I’ve heard people talk about Mr. Robot, and I watched a few episodes. From what I saw, and I only saw a couple of episodes of that show, it seemed real but exaggerated. The protagonist’s research was too easy for him to find what he needed for his targets, but you have to fit that into an hour-long show. So, it’s got to be packaged all nice and neat, but at least they went to the lengths to make sure his research makes sense.
You have first-hand experience on how to portray hackers dealing with large-scale cyber-attacks. Your latest book, “Virus Bomb,” follows a fictional character trying to stop a major cyberattack against the US. Could you share a bit on how you created a fictional attack? Was it based on any real-life events?
When I first envisioned “Virus Bomb,” and this is a thing about writing and writing fiction in general, you have to test everything to make sure that it works. When I first envisioned “Virus Bomb,” it was going to be a story about somebody attacking a nuclear facility. And it was somebody stealing nuclear waste and then turning it into a bomb to kill a bunch of people. So I started with that premise, and I did some homework, and I found out that these nuclear waste casks are as big as houses.
And so I had to scrap that, and then the next thing was going to be about medical waste. You know, maybe you get a bunch of medical waste, some really, really nasty stuff, like perhaps Ebola or something like that. Maybe there’s an outbreak, and you get into it, and you steal some of Ebola away. Well, that doesn’t work either because the hospitals have this process called autoclaving and they clean all the nasty stuff right there at the hospital on-site, and then they incinerate it.
The premise that I came up with is where some bad guys tried to introduce Ebola into the country. And if you’re going to do that, how would you do it? Well, you need another outbreak and an attack.
The story follows Jerry Barkley, an IT contractor who gets caught up in the events surrounding him. Do you think that ordinary people with expertise in IT could become vital in a time of cyber warfare or less dramatic cyberattacks?
Yes. You hit on a misconception right there. You nailed it. Many people think that the CIA and the FBI and the NSA, and the US Department of Homeland Security will do all of the cybersecurity work. They’re wrong.
Nobody from the CIA will be on my cell phone when I tap the wrong cell phone buttons and download malicious software into my phone, and use that to drain somebody’s bank account. Nobody from the Department of Homeland Security is going to be there when that happens. It is up to ordinary people with skills – especially them – to handle this stuff.
The government does have a role in this because the government uses the internet. The government can do things that I can’t do. The US government has a $2 billion data center in Utah somewhere. I don’t have access to that stuff, but I have access to things that the government does not have access to.
If we’re going to be safe, it must be a partnership, and there’s gotta be regular people involved. Absolutely. If enough people make enough noise and push hard enough, maybe law enforcement will lift a finger and care. We can help catch these bad guys and send them to justice.
What skills do you think people should aim for if they want to get cybercriminals?
Learn how to think like an attacker and learn how the technology works. Of course, learn some basics of system administration and network administration, but then put on your attacker hat and put on your tester hat. So testers are geniuses at breaking stuff. They have a knack for finding ways to break things. So think like a tester, think like an attacker, think about ways to break stuff. And then look for it in the real world.