Afternoon Cyber Tea with Ann Johnson 8.22.23
Ep 79 | 8.22.23

Cybercrime: A Multi-Billion-Dollar Industry


Ann Johnson: Welcome to "Afternoon Cyber Tea", where we explore the intersection of innovation and cybersecurity. I'm your host, Ann Johnson. From the front lines of digital defense to groundbreaking advancements shaping our digital future, we will bring you the latest insights, expert interviews, and captivating stories to stay one step ahead. Today I am joined by Michael Daniel, President and CEO of the Cyber Threat Alliance, an organization focused on cyber intelligence sharing across the digital ecosystem. Michael has been the President and CEO of the Alliance since early 2017. Prior to this, he served as the U.S. Cybersecurity Coordinator under the Obama administration. Michael has decades of leadership experience in the U.S. federal government and is a leading expert on ransomware and the disruption of cybercrime. He is also co-chair of the U.S. Joint Ransomware Task Force and is a leader on the World Economic Forum Partnership Against Cybercrime. Welcome to "Afternoon Cyber Tea", Michael.

Michael Daniel: Thanks for having me. I'm really happy to be here.

Ann Johnson: So Michael, I am pretty familiar with the work that you do at the Cyber Threat Alliance and it sits at this crux of one of the most important aspects of cyber defense, data, and intelligence sharing, both public sector and private sector, private-to-private sector, public-to-public. And for those who are not familiar, though, can you tell us a little more about the Alliance? And I'd love to hear how you found your way into cybersecurity, and also, what made you choose the mission as being the Alliance CEO?

Michael Daniel: So the Cyber Threat Alliance is really based on this idea that even for cybersecurity providers, there is still a benefit to sharing threat intelligence, right? We're very familiar with the idea of the ISAC model, the Information Sharing and Analysis Center model for, say, financial services or healthcare, but the same principles actually operate in the cybersecurity industry as well. And so CTA is an association, so we have members that are cybersecurity providers and they agree to provide a certain amount of threat intelligence on a regular ongoing basis and then can draw on that shared threat intelligence and incorporate it into their products and services. The result is that everybody is actually, in fact, better off. The cybersecurity companies, their products and services are better, and their customers and clients are better protected, so the ecosystem as a whole is better off. That's really what CTA is about. I actually ended up getting into cybersecurity through kind of a strange sequence. I mean, like many people sort of our age and like we didn't start out in college saying, "Yes, cybersecurity," because it wasn't a thing then. But I actually started because I was overseeing the spending and budgeting for the U.S. intelligence community during the Bush administration, actually, in the mid-2000s. And the intelligence agencies for the U.S. government started rolling in and asking for billions of dollars for this thing called cyber. And nobody in the White House really knew what they were asking for. So the director of the Office of Management and Budget at the time looked at me and another guy and was like, "You two, go get smart on this cyber thing." And that kind of started me down this path that eventually led to joining CTA. 
When I left government in the end of the Obama administration, the reason I was attracted to CTA is because it's working on a really hard problem, which turns out to actually be a really hard problem, information sharing, but they can have a lot of really big benefits. And it really was a great opportunity for me to also learn how to build a private sector nonprofit organization from the ground up.

Ann Johnson: That's fantastic. The interesting thing that you said is, you know, we didn't have a career path into cybersecurity when we were young, right? It wasn't really a thing. And I love the fact that there's so much investment at the college and university level, military level, et cetera, for folks that are actually going to be cyber professionals from their early 20s, right? I think it's going to fundamentally change our industry and change the understanding of the industry. And also the work you're doing, you know, security is a team sport, right? It's about ecosystem and we're only better if we're together. And I don't mean that as a cliche. So I love the fact that you're driving, and I know you drive because we talk about it, right? You were driving people to share and to be more open and to be more transparent. So thank you for that.

Michael Daniel: You're quite welcome. And it's one of those things that it does require effort and intention, right? I joke that like CTA is the anti-Field of Dreams. Just because you build it does not mean they will share. You actually have to work at it. And I think that's one of the misconceptions about information sharing is that it just sort of happens and it doesn't just sort of happen. You actually have to work at it.

Ann Johnson: Yeah. And I think that's intentional and deliberate, right? I think that's important. And we can't take the focus off it because suddenly, you know, a couple of months passed and realize, "Oh, you know, I haven't talked to so-and-so lately, and we haven't shared any data with them either." It has to be intentional. It has to be deliberate. It has to be something we think about every single day.

Michael Daniel: Yeah, absolutely.

Ann Johnson: So the big picture, right? You know, I think it's still a little under-known about cybercrime and people don't understand what a big multi-trillion dollar business it is. And it's not just some, you know, hooded figure, you know, that we'd like to see hacking an individual computer by sitting in a basement in some remote part of the world. There's actually large cybercrime organizations that have CEOs and CFOs and they have leadership and they have HR people. They have everything you could think of that a large corporation has. What challenge does this new sophistication, this evolution from small-time crime to them actually becoming big business bring to the industry as a whole?

Michael Daniel: Yeah, and I think you're absolutely right to sort of focus on that. Like people's image of the hacker, right, is still that dude in the hoodie, you know, living in his mom's basement. And that is not what we're facing as the cybercriminal adversaries. I think that, you know, with that sophistication, it means that they can be much harder to defend against. They have access to a much wider array of tools. They have access to a lot more financing to support development of tools. So they can be more sophisticated when they need to be. They don't often need to be, unfortunately. And as a result, it means that these networks are much more challenging to tackle and they're much harder to defend against as a result. It also means that the problem, and you said it, I mean, the problem is actually, you know, very large. You know, obviously, exact estimates about the size of the criminal underworld are hard to come by, but certainly the size of the cybercriminal industry, if you will, is certainly measured with words that start with Bs, right, billions, if not into the trillions. And so it's a huge, enormous, sprawling business. And it also means it's much harder to disrupt because it's much more resilient. And simply arresting, you know, one person here or there is not going to really put a dent in cybercrime. And so as a result, it means that we're going to have to build new ways of tackling it. The other thing I would say is that cybercrime sort of inherently makes use of and exploits the seams and divisions that exist between organizations and between countries. It is an inherently international effort. And it relies very much on the fact that it's difficult for law enforcement agencies and others to work across those national boundaries, because they cooperate and collaborate across those boundaries quite easily.

Ann Johnson: I love the way you frame that it breaks down the boundaries, not just at the government level, right, but it also breaks down the boundaries in the industry level. You know, one of the things that I enjoy about being a cyber professional is that we have folks, as you know, that we compete with every day of the week. Right? But at the end of the day, we can we all -- people may not realize, we all talk to each other about common defense for our customers. Right? And we all share threats and we all have these relationships and we all are cyber professionals. And the fact that the industry is shaped that way is pretty unique as opposed to a lot of industries that even though we may be competing for a monetary sale to a customer or trying to bring a partner into our portfolio, we're also going to be together with something. If there is a large event, we're all going to come together and share intelligence. And then I see that, you know, extended obviously out to the government and the country level. And I think that's just something that's really special about the industry.

Michael Daniel: Now, I think that's absolutely right. And, you know, what's funny is I was just talking with an academic researcher this morning that was saying that they were having a hard time getting some editors to believe for some papers that they were trying to write, having trouble getting editors to believe that this much sharing actually happens in the industry. The editors were like, "No company would ever do that. That would undercut their business model and expose them and they'd have problems. And that wouldn't really happen." I was like, have they actually worked with the cybersecurity industry? Because, you know, we need more of it and we need to work on it. But it does happen all the time, as you said. So, yeah, I do think it's an unusual aspect of this industry.

Ann Johnson: Yeah, it's incredibly unique. So in your work with the alliance and your work with the Joint Ransomware Task Force and, of course, the World Economic Forum, you do a lot, right? You're -- I don't know how you do it all, by the way. You're incredibly busy, one of the busiest people I know. But you see all these emerging threat trends. What are you seeing in the way of emerging threats today for 2023? And are there persistent threats that remained over the last several years that continue to be an issue?

Michael Daniel: Yeah, I mean, I think actually one of the things that really strikes me is how consistent the threats are. Sort of at the broad level, if I was advising the leadership of a medium-sized company sort of anywhere, your two biggest threats are really ransomware and business email compromise. Right? Those continue to top the charts. There's some new aspects of ransomware in particular that we've gone beyond double extortion, which is the, not only are we going to encrypt your data, we're going to steal it and threaten to release it. But we're also going to go on to triple extortion and threaten to conduct a denial of service attack on your website if you don't pay up. You know, really, at a fundamental level, while the techniques change, those two sort of basic criminal activities remain very much the primary threats. I think the other way that the threats are continuing to evolve is just that, you know, there are more actors that are willing to get into the game, if you will, because the barriers are low and the return on investment is actually pretty high, and the risk is pretty minimal in a lot of situations. And so the result is that we are continuing to see an expansion of the number of cybercriminal groups, the number of nation states that are active in this area. And then the other thing that I would say about the emerging threats is just, you know, we continue to create new ways of being online, right? We continue to add more devices to the Internet in the form of the Internet of Things. We are conducting more processes on there. We've now seen the explosion in things like large language models and generative AI, which is also going to have some cybersecurity threats to it. So I think as that technology continues to evolve, you know, those threats are also -- anytime we deploy a new technology, we're also going to have threats that come with that technology.

Ann Johnson: And I do want to talk about generative AI in a moment. So let's come back to that. But let's talk about ransomware a bit more. And as my guests know, "Afternoon Cyber Tea" is pre-recorded, so I'll put a timestamp on this. We're recording this in the middle of July to launch sometime in the early, you know, late summer, early fall. I read an article this week that talked about how whilst ransomware payments were down a little bit in the year 2022, they've actually increased again in the first half of 2023. So can we talk about the numbers? How big of a problem? You know, you said ransomware and business email compromise are the biggest, but what impact is ransomware in particular having on organizations across the globe, and what's new about it? Right? What do you think is new from a defense standpoint or a tactic standpoint from the actors?

Michael Daniel: Well, I think there's a couple of things that are new. One is, as I was just mentioning, like the level of aggressiveness and the willingness to sort of engage in that double and triple extortion. Right? And even getting into threatening individuals, like sending harassing texts and making harassing phone calls to executives and executives' spouses at target companies, those like tactics they've gotten a lot -- the best word I can use for it is darker and more sort of criminal, blatantly criminal and not sort of with this fiction that like, oh, this is kind of this victimless crime and just kind of this white collar money thing. You know, they're making it much more personal. And so that's been a big -- I think that we're starting to see more and more of that. It's a big problem because it can cause a huge amount of disruption both to an individual organization, but also at a societal level. If you have a major school system that is the subject of ransomware, right, and the kids can't go to school, that has a big impact on a community. Right? Everyone in that community is affected as a parent, as a student. It can even have effects up to the national level, as we saw with Colonial Pipeline back in 2021. So, you know, ransomware is not just an individual problem. It's not even a community problem. It's a national security problem as a result of that. Now, of course, again, the estimates are hard to come by, but certainly the data I'm seeing, Ann, also reflects what you've been reading, which is that ransomware demands are trending up again. I think there's a lot of -- I think one of the other things that's different, though, is that many organizations have started to invest in better security against sort of that first wave of, you know, the encryption process. And that's one of the reasons why the actors have gotten more aggressive and darker, if you will, to try to force people to pay because of some of the publicity. 
I think that a percentage of organizations that were actually paying the ransoms was starting to go down. And so it'll be interesting to see if that trend continues or if these new tactics actually push the percentage of organizations that pay the ransom back up.

Ann Johnson: Yeah. And I think that the sectors that are most impacted, and you and I know this, you know, there's sectors that tend to have a lot of older systems, technical debt and maybe weren't as sophisticated in cyber like healthcare, though they're getting better, right, and education, and those are national security issues. Right? If you can't deliver health care services -- and the biggest one, if you remember, you know, NHS in the U.K. and how they were impacted. But there have been many in the U.S., right? So I do think it's a national security issue. It's a societal issue.

Michael Daniel: Yeah.

Ann Johnson: If you can't deliver core basic services because some bad actor has attacked your organization and then there's this impetus to pay out, right? And that's huge.

Michael Daniel: And then if you do pay, right, you end up going on effectively the "list", right? You become known as a target that will pay. Right? So you become more likely to be targeted in the future. And certainly, you know, those payments are going to, you know, that's a drain on the economy. Right? That's taking money out of the productive economy and sending it into the criminal economy. So whether you're talking about it at an organizational level or at a societal level, while making a decision to pay a ransom may be understandable in sort of the immediate circumstances, it creates a lot of long-term problems as well.

Ann Johnson: It really, really does. But unfortunately, if you're an organization that, you know, can't perform an operation, right, you're going to pay.

Michael Daniel: Yeah.

Ann Johnson: You know, if somebody is waiting to get heart surgery and you can't do it because your systems are down -- the joke I'll make, and you're familiar with this joke, is that it's like the IRS. Right? If you're audited and you actually end up having to pay, you're more likely to be audited again.

Michael Daniel: Right.

Ann Johnson: So always a bad joke. But anyway, so I know you're an expert on a lot of things, but one of them is this disruption of cybercrime. So can we dive in for just a minute? I think most in the cyber security industry today recognize that effectively disrupting and effectively combating cybercrime is going to require the effort of everyone, every organization -- by the way, every individual and every consumer. But I find some get stuck on how and what do they need to do to fight off cybercrime. What are the top actions you think we need to take as an industry?

Michael Daniel: Well, I think there's a couple of things. One is we actually need to build the institutional capacity for the public and private sectors to collaborate operationally. And that means synchronizing the actions of both sides in time and across activities to have the greatest impact. And you know, your own organization, Ann, is a leader in this space. But we need to build that, not to replace the personal relationships or humans. We always need the personal relationships. We need those personal relationships to be supported by institutional relationships and processes that enable that collaboration to take place in a way that everybody feels comfortable with. Right? And then we actually need to increase the cadence and scope of the disruption so that we're actually doing this at a pace that actually matters to the bad guys. Like I said, you know, arresting one or two people every couple of years is not going to put a dent in the problem. We need to recognize that we're not going to arrest our way out of the problem. And I give a lot of kudos to the U.S. government in particular and starting to make that shift in its mindset that, yes, it's great when we can put handcuffs on the bad guys, and we should still do that. But that's not always going to be the best option. Right? And there are other ways that we can reduce the money going to them, you know, make their lives more difficult. And then I think the last piece is just sort of like recognizing that we're never going to drive cybercrime to zero, but we need to get it down to a level that it's not posing the same level of existential threat to our economies and national security and public health and safety that it is right now. I think, you know, the specific mechanisms are really what still really needs to actually be hammered out. 
And I actually see this as kind of like one of the fundamental sort of public policy issues that we need to wrestle with over the next year or two years, three years is like exactly that question. What do those collaboration mechanisms look like? Right? How do we decide who gets to participate under what circumstances? What are going to be the rules that we're going to use? Right? And not again to put a straitjacket on people, but just so that there is a level of confidence and consistency and equity in our efforts to fight cybercrime. I'm convinced we can do it. It's just this is going to be a really hard problem.

Ann Johnson: Yeah, it is a really hard problem. And to your point and Nadav Zafrir and I were talking about the cyber poverty line, talking about it a lot. Right? And how do we raise every organization above the cyber poverty line by using things like collective defense and information sharing and being a lot more transparent? And you have this fantastic partnership model, right, in collective defense and ways we can do public-public and private-private sharing. Can you talk about that a little in the context of this concept of a cyber poverty line?

Michael Daniel: Sure. I think one of the -- and you actually see this in the National Cybersecurity Strategy that the Biden administration released in the spring of 2023. That there's this idea that we need to begin to realign where we put the security burden. Right? In effect, we've decided that we have pushed the security burden all the way out to the edge, to the every end user. And we've said, "Every end user, you are responsible for every aspect of your cybersecurity from beginning to end." And that's really just not an effective model. And what we really need to begin to do is think about, like, what pieces of cybersecurity do we want to centralize more and say, "Hey, this is the responsibility of the platform providers. This aspect of cybersecurity is the responsibility of the Internet service providers. This part, we're still going to leave down at the individual level, because some responsibility will always be down at the individual level." And then as part of that, we need to begin thinking about, like, okay, so how do we actually make sure that the right entities are sharing the right information to actually make the decisions that they need to make to enable that? So, for example, one of CTA's sort of underlying premises is like, look, most organizations, most businesses, most companies are not going to be very good at sharing technical cyber threat data. And they're certainly not going to be very good at doing it at speed, at scale. And so we shouldn't expect them to. Instead, they should be expecting their cybersecurity provider to be doing that and participating in that ecosystem. And so we need to set up the mechanisms and processes for the cybersecurity providers to share that data, and then use that shared data to provide better services, provide better protection to their customers and clients.
And so it's really about thinking more proactively and deliberately about where we want certain cybersecurity functions to be done in our broader ecosystem. And that's just not something we've really wrestled with from a policy standpoint. I should also note, Ann, in this area that I think that it also comes with, we can't just take the burden and say, "Ha, this is now yours, you know, Acme Company. This is now your problem." Right? Like there also has to be some pro quo that goes with the quid, right? There has to be some compensation for them. So in other words, just as we decided to, you know, during the Cold War, we would compensate the telecommunication companies for certain activities that they did in support of national security functions to ensure priority calling or things like that. We need to be doing that in Internet space, you know, in the cyber domain as well. And so this means sort of rethinking like some of the social contracts even that we have, if I can, you know, borrow that term from academia. So that may have been a bigger answer than you were really expecting, but this is where my mind is and how we think about this problem.

Ann Johnson: No, by the way, I completely agree. I mean, I think it's a big problem, but I also think that the solutions might be more simple than we realize. And we're not looking in the right places, right? We're trying to take traditional models and apply them, and this is going to require some ingenuity. It's going to require us to think a bit differently. So let's change course just a little bit. Our cyber defenders are exhausted, continually exhausted. What advice do you have for those that are working tirelessly to protect organizations, to protect consumers, to protect citizens?

Michael Daniel: My primary message is it's not, in fact, hopeless, right? And if I look at where we are now compared to where we were when I first got into the industry in the mid-2000s, we're in a very different place. And I think that we do have the opportunity to, and the capacity to turn things around. I also think that we have to think about our cybersecurity a little bit differently. If our model for success is the castle and moat idea, that the only definition of success is keeping the adversary out of our networks all of the time, then, yeah, you're right. You're never going to win at that and you're setting yourself up for failure. But if you think about it as preventing the adversaries from achieving their goals and managing our risk, then suddenly the problem becomes much more tractable. If we start thinking about the challenge as, how do we prevent the adversary from achieving their goals, then suddenly you get a lot more bites of the apple, right? Okay, yes, if you can keep them out of your network in the first place, that's great. But if they get in and they can't move anywhere because you've constructed your network well and it's segmented and you've got multi-factor authentication on, and so they basically can't do anything, then you still win. Even if they can move around a little bit, but they can't get the data out that they were trying to steal, hey, you still win. But maybe you've got it encrypted, so they get the data out and they can't do anything with it, so it's useless to them, right? You've still beaten them, right? You've still prevented them from achieving their goals. So all of this, what I'm trying to construct is if we start defining success a little bit differently, we can give ourselves more space to recognize the progress that we're making.

Ann Johnson: Yeah, I think that's right. I think we have to just step back. I talk about playing chess, and sometimes you have to step back from the board to see the game. I think it's the same thing here, right? And I think the cyber defenders -- and kudos to them, they're doing tremendous work, so I always call them out.

Michael Daniel: Absolutely.

Ann Johnson: But I think that they need to realize -- and I'll say this, I'm very optimistic about cybersecurity because I believe that the defenders are doing a brilliant job and they tend to be one step ahead, because I know that for every event we see in the news, there's thousands we have blocked. So you're busy, you have a lot going on based on everything we've been talking about. What are you working on right now? What's exciting to you?

Michael Daniel: Oh, there's a couple of things. One is we are finally moving forward with getting a project that we've been working with the World Economic Forum Center for Cybersecurity called the Cybercrime Atlas Project. And actually Microsoft's been heavily involved with this as well, in that this is a project to better collaborate and coordinate the intelligence, the information that we have on cybercrime and to try to compile it into different views, different maps, hence the name Atlas, right, that can be used by defenders to either better protect their own networks or be used by responsible governments to better target those criminals for disruption so that we have a better understanding of the terrain. And so I'm really excited about this because I think it can be a real force multiplier to those defenders, beleaguered defenders that you were mentioning. The other projects that we've had working are really around, you know, outside of my CTA work has been really on incident reporting. You know, there are many governments around the world that are moving to mandate that organizations report significant cyber incidents, particularly if they own or operate critical infrastructure IT. And, you know, we've been doing a lot of work with the Institute for Security and Technology and other nonprofits and some for-profit companies to develop some model versions of what that kind of incident reporting could look like. And if those incident reporting requirements are implemented properly, we can actually really start to get some data that we've been lacking about like incident rates and where are the incidents focused? And it can really improve the defenders' ability to allocate resources more effectively because we will understand what the adversaries are doing much better. So I really see that as a very exciting possibility.

Ann Johnson: Yeah, I think that it is an exciting possibility. And I love the fact that you're trying to make it really easy for the defenders to get that type of intelligence and to use it and to action it, because operationalizing things is typically the hardest thing. So I told you I'm an optimist. I always love to close out "Afternoon Cyber Tea" with a bit of optimism because I believe we are a step ahead of the bad guys in most cases. With that in mind, as we wrap, I'd love to hear what you're optimistic about and your perspective as we continue to come together and defend the digital world.

Michael Daniel: So I agree. I always have said for years that while it may seem like I'm the harbinger of doom when I give speeches and when I talk and things like that, that's actually not true. That, as I was saying earlier, cybersecurity is not a hopeless endeavor, whether you're talking about at the organizational level or at the society social level. Right? Fundamentally, humans created the Internet and many of its features that cause problems are the result of policy choices that we have made. And we can, in fact, make different policy choices that result in better security. Doesn't say that that's easy, but we can. And so I fundamentally think that we have that opportunity. The other thing that I always point out is that the Internet and cyberspace are still relatively new from a policy and just even human standpoint. These are still relatively new things and we're still learning. And so it shouldn't actually be surprising that we're still figuring out how to do things. And I think in the next decade or so, we're going to see some really huge advances in what governments are able to do, what level of institutional collaboration that will be built, the level of insight that we will gather. And once we have some of those tools in place, we'll be able to turn that on the adversaries. And I think they're going to find themselves in a much, much tougher place. Will we eliminate all cybercrime? As I said earlier, no. We're never going to eliminate it any more than we've eliminated physical crime in our societies, as much as we might like to. Are we going to eliminate espionage and nation states doing stuff online? No, but we can put in place the mechanisms to manage that and drive those activities to levels that societies can sustain and manage over time.

Ann Johnson: Yeah, I think that's fair. And I think that's a really good perspective in how you look at it. I know how busy you are. I want to thank you again for making the time to join me today.

Michael Daniel: Oh, thank you for having me. I really enjoyed the conversation. It was a lot of fun.

Ann Johnson: That's wonderful. I want to thank our audience for listening, and join us next time on "Afternoon Cyber Tea".

Ann Johnson: I invited Michael Daniel to join me on "Afternoon Cyber Tea" because he has such a breadth and depth of experience from working in the Obama administration to working with the World Economic Forum, the Joint Ransomware Task Force with the government. He's just this incredible individual. And now he's taken the helm since 2017 of the Cyber Threat Alliance, forcing -- literally forcing and pushing -- industry collaboration, threat sharing so that we can all be better from a public sector, private sector standpoint in defending all the assets around the globe. So it was a wonderful conversation. I think everyone will enjoy listening to it.