What a Former CTO of the FBI Cyber Division Thinks Should Keep You Up At Night
Part 1 of a three-part series
Even if you weren’t interested in cybersecurity, Milan Patel is the kind of guy you hope you get seated next to at a dinner party so you can listen to his stories. Currently the Chief Client Officer at BlueVoyant, Milan previously worked as the CTO of the FBI Cyber Division in charge of technology strategy. There, he organized and co-led the Joint Requirements Team, facilitated by the White House National Security Council. Prior to that, he was one of the FBI’s most senior cyber agents and led numerous global cyber investigations.
Like we said, he has good stories. Milan laughs as he tells the tale of his first FBI-issued vehicle—which turned out to be a 1993 Ford van that looked like it had been left in a war zone; part of the muffler was sitting in the passenger seat, next to a case of oil. A note instructed him to use one can of oil every hundred miles. Oh, yeah—only the high beams worked, not the “regular” headlights. That first night, he got pulled over for “high beaming” (and let go) by a police officer, who probably realized he didn’t want to throw salt on a wound. He’s still not sure if he was being pranked, but he drove that van for four months.
As you’d guess, Milan also knows a lot about cybercrime and cybersecurity—and we got a chance to sit down and talk with him. Here’s what he had to say.
A: Yes, absolutely. 2009 to 2012 is the timeframe where cybercrime really took off and became a business, so to speak. Although these were different types of criminal activity with different motives, the common thread was sophistication. Cybercrime became an incredibly lucrative, low-risk business that is continuing to evolve. And then, like now, every business is at risk, regardless of size.
When you talk about the perpetrators, it wasn't just some guy in his basement, although that was still happening. While not motivated by money, you could even argue Anonymous was kids in their basement, but they could now organize over the Internet, and given their pace and speed, it was super-difficult for the government to keep up. This notion of crowdsourcing the very best people and the very best technology to launch attacks was happening in the dark and deep web way faster than the private sector could respond.
It became harder to compete against 20 super-smart individuals who all want to make money and have nowhere to direct their talent except for cybercrime. What we saw was an elevation in sophistication, coordination, and organization—particularly with Rove Digital, which I could argue was organized crime. There was a CEO of a front company, along with marketing folks, distribution folks, and tech support folks. Underneath that facade was an entire criminal organization designed just to generate illegal proceeds. So the common thread boils down to sophistication.
Q: What do you think facilitated the ability to organize with greater sophistication?
A: It was definitely a number of things, with a major contributor being the evolution of the dark web and deep web. For years before the dark web, folks were just connecting to surface-web websites that were password-protected or encrypted. And it's not that they weren't available, they were just hard to find because they weren't indexed on Google. When the dark web, like Tor and I2P and Freenet, came into being, it made it that much more difficult for law enforcement or other good guys to go into those environments because there's no search engine. You don't know what you're looking for and you're just sort of poking around, hoping to find something.
And we started seeing the bad guys congregate there because they realized there was a good chance nobody would find them. In addition, there was fundamentally no way to trace them back unless you had some other identifying information. And so, when you put those two things together, the explosion of crowdsourcing of capabilities happens. This also created an environment where nation-states could co-opt, either overtly or surreptitiously, criminal actors to push the agenda of a nation-state with some other view beyond just gaining monetary value.
Q: Cybercrime is now more profitable than drug trafficking. Can you talk about what you think will happen in terms of cybercrime during the next decade?
A: Potentially, in some instances. Without diving into global drug trafficking operations (which is not my expertise), we’ve seen first-hand criminals who used to engage in common street crimes like drug dealing transition to cybercrime because it was more profitable and less dangerous. And, frankly, if they get in trouble, the penalties are significantly lower than the ones for selling drugs.
Not only that, it’s totally anonymous. They can sell someone credit cards without even knowing who they’re interacting with and who is paying them. Plus, less sophisticated actors can get into this because they don't need to know computer programming or hacking to launch attacks. For example, you can buy or lease software, such as ransomware-as-a-service, from bad guys and the dark web. You don't need to be a coding expert to launch an attack, get paid, give some royalties back to the company who let you borrow the malware and move on.
Second, a more promising development is that directors of boards are asking critical questions to determine how well their companies are set up to defend themselves against a cyber-attack. It's a really good sign when you can get the c-suite and the board to unify their position on creating cyber resiliency plans inside of the organization.
Third, small and mid-size businesses will suffer more attacks. As you know, no company is immune to attacks; the threat against you is the same. A dollar from Citibank and a dollar from a regional bank is the same dollar to the bad guy. However, the bad guys realized that targeting hundreds of medium-sized banks has a way better outcome on ROI than targeting and sustaining an attack against, for example, a global bank. The largest banks in the world spend hundreds of millions of dollars on cybersecurity, which is probably more than hundreds of small to mid-size banks combined. The challenge is that the speed of implementing change is still very slow.
Q: How does regulation factor in?
A: If you talk to CISOs, they often say compliance is not security. They mean that compliance is not checking for all of the other things necessary to keep a network safe, and it is usually a point-in-time review. Today we’re excited to say that federal regulators, whether it be in the financial services space or other critical sectors, ask critical questions about a company's ability to detect and respond to threats. The goal is to shrink the time to detect. When somebody gets into your network, how long before you realize? Then, how quickly can you figure out what it is and get it out of the network? Now, federal regulators are not only asking the questions, they're also examining how well banks and credit unions are doing. They look at written policy as well as the technology and process they use to actually do the work day-to-day.