Grand Theft Hushmoney
It's when I imagine myself standing in line to tomorrow's premiere of Jobs, that the idea begins to formulate in my mind. Like Steve Jobs himself, Robert Siciliano's keen appreciation and leveraging of pop culture is perhaps what makes him one of the keenest minds in cybersecurity.
When we get to the most meaningful part of the conversation, the line goes dead.
It's only a dropped call, what else could it be? But the time it takes for Robert Siciliano to dial back in is just the right amount for the paranoia to kick in. Is someone who shouldn't be monitoring this call, monitoring this call? Are we being hacked? Are we about to be? It's a definite maybe, with the odds only increasing the longer it takes for the call to re-up. What else should I have expected, with an interview about cyber-security and popculture?
Robert is a top-tier McAfee Security expert. We're on this interview because a little while back he ran a survey using McAfee's Siteadvisor and used this data to produce a list of the most "toxic" superheroes on the web. At the top of the list? Aquaman. Needless to say I was more than a little crushed. Aquaman is a favorite of mine, and the quality of writing put in by Geoff Johns on the newest book to feature the character (Aquaman, beginning in September 2011) has been nothing short of a testament to the inherent power of the character railing against earlier mediocrity of storytelling and high concept. But as Robert himself points out, this is a kind of backhanded compliment of Johns' work. Cyber-criminals don't leverage the boring or the mundane or the popculture that won't draw bucket-loads of attention. In the most cynical terms, Aquaman topping the list is a kind of moral victory for the high esteem in which Johns holds the character.
Just before the call dropped we'd moved from talking about Robert personally and how he came to be involved in the field of cyber-security to talking about the evolving nature of cybercrime. But because of the adaptive nature of Robert's intelligence, we'd approached this conversation through movies. I'd pointed to a kind of inherent '90s-era tension around hacking and cybercrime. Possibly the most accessible movie in the zeitgeist at the time was Hackers, an Angelina Jolie vehicle back from the time when Angelina Jolie still needed a vehicle. The movie was clean and sleek and it updated the secret-world-of-kids-as-heroes-confronting-the-villainous-world-of-adults-and-their-machinations dynamic that had become the very engine for '80s movies (and is still thought of fondly with respect to such movies as the Goonies or E. T. the Extra Terrestrial or Flight of the Navigator). In addition to upgrading the teenyboppers of the bygone decade to the tweenyboppers the then current, more sophisticated '90s, Hackers grounded the technologically aspirational elements of even the most dystopian scifi in the firm country of possibility. Even the farfetched tech that graced the pages of the best William Gibson was, after Hackers, tantalizingly within reach.
But Hackers felt like what it was, entertainment. Even if it was culturally sophisticated entertainment that updated our collective vision of ourselves in relation to our tech. For the hard-edged, documentary feel that imbued genuine tension and delivered a clear view of the actual stakes in play, you'd have to have reached for Takedown, a "based-on-a-true-story" that chronicled the cat-and-mouse game between hacker and security expert. Takedown shifts popcultural to give viewers a very different feel to the subculture. The drama of the movie plays out across a slew of low-rent motels and seedy phone-booths primed for becoming the staging area of '90s cybercrime. The targets? Banks and corporate databases, mostly, the kinds of targets that an individual hacker could benefit himself of without much of an infrastructure around him.
Robert recognizes the world pictured in Takedown, but it is not the world of cybercrime today. The cybercrime we run the risk of falling prey to is far deadlier, and far more pervasive. In many ways we've see the evolution of an infrastructure to cybercrime, Robert tells me, and… And the line goes dead.
It probably is nothing more than a dropped call, but it is an uncomfortable silence, and an uncomfortable period to have to wait. Uncomfortable because, given the circumstances of the conversation, it's hard not to begin to imagine some of the more unlikely reasons for the call having terminated so abruptly. File all of these under the general rubric of "tortious interference". But soon enough the call does pick up again, and Robert intones in a good-natured voice, "Ok, how much of that did you hear?"
There's a criminal ecosystem now, with all the role-diversification and sociological complexity of a multinational conglomerate, Robert continues. There are hackers who specialize in understanding and outwitting the tech, cybercriminals who focus on building networks of crackers ("hacker" is actually a value-neutral term for anyone who understands the system of coding for computers, "cracker" is the more villainous element that would put that knowledge to criminal use), and cybercriminals who, like CEOs simply focus their efforts on breaking into secure databases. The image of one lone cracker being pursued up and down the West Coast by one FBI team supported by one security consultant, while accurate for the '90s, is romantically dated today in the same way the Chicago World's Fair already was in the 1930s.
"In that hierarchy, half the mules have the goods," Robert continues where he left off talking about the role of mules in cybercrime rings, "And then they take it back to their operation, which might be a warehouse or a hotel room for that matter. And then somebody else is responsible for that, that those goods and products are on Craigslist or eBay and then that person is responsible for selling all that stuff and turning the products into cash. So everybody has their role. And everybody has their expertise. In an organized crime ring, that's what that might look like. And it's even bigger. Some of the operations we've seen, hundreds of individuals that perform all those jobs, and even that kingpin might start to organize people with all of these different credit or debit cards with PIN codes and place them at ATM machines at a certain time each day, all over the world. These people would then get a text message, and enter a code on the ATM machine, or punch in a PIN, and withdraw hundreds of dollars each, and with several thousands of people in the chain, that could equate to millions of dollars in less than a minute's worth of transactions.
"So we've seen a number of different levels of sophistication of crime rings engaged in some form of identity theft or account fraud or account takeover, and that is the way to go if you're after the big bucks. Then of course you have your meth addicts who are trying to feed drug habits, and you have your moms and pops who are just trying to survive and they might equate to hundreds of individual cases of identity theft. But you might have hundreds of thousands of identity theft rings, and their goal overall is fewer hits at hundreds of thousands or even millions of dollars, whereas individual identity thieves are trying to get to hundreds of thousands as opposed to hundreds of millions."
Cybercrime moving hard goods? Robert had gotten into this a few seconds before dropping the call. "Without a doubt organized crime syndicates have evolved to take advantage of the current state of affairs. And within organized crime, you have hierarchies, like any entrepreneurial venture, you have the guy at the top that has vision. And his talent, is organizing talent. He would surround himself with people that are smarter than him, that understand things better than he does. You have the kingpin, let's say, and then you have coders -- coders whose job is to develop certain technologies. Then you have penetration testers, their talent is working at certain networks, finding those networks' vulnerabilities and exploiting those vulnerabilities. You have social engineers, whose talent is to get on the phone and communicate with the systems administrators, to get additional information about system development. They need to extract from that system admin a password, be it via phone or email. So their job is to convince someone of something. And then you have mules. The mule is somebody who might actually take that data that has been hacked and extracted, and take it and print it on a credit card. Perhaps the mule would go into a retailer and make purchases, because they don't mind being on camera, the don't mind…"
The phone goes dead again, and in this all too brief a moment, I not only consider the possibility of tortious interference (a slim likelihood I know, but it is an elegantly romantic articulation), but also try to line up what Robert had just been saying with an line of thought he expressed earlier in the conversation. It's something to do with the transition from print to digital, that that transition isn't the only old-system-new-system problem to be found in the realm of cybersecurity and cybercrime. But an entirely different form of the problem creeps in with dated-legal-system versus rapid-to-evolve cybercrime rings that simply outwit legislative pursuit. This is something Robert picked up on in his 20/20 talk to the National Speakers Association [20 slides, 20 seconds a slide, see a youtube of the same below], but it's also something that I can't rightly get the words to, we've spoken about this the better part of an hour ago.
But remembering the exact words is a lot easier with a rewind button. We'd gotten to talking about old-system-new (system of digital-vee-print, but also legal-vee-cybercrime) by first commenting on one of the more shocking moments from Robert's NSA talk -- when he pulls up a slide with the Social Security Number, signature and ID photo of Porter Goss, former Director of the CIA. "Yeah, that was a public document posted online," Robert begins, "that is available to anyone that has access to the web. Here in the States, we're a little backwards to privacy issues, whereas in Europe and the UK they're much further advanced. They have a much tighter grip on citizen privacy, we have laws that make it difficult for privacy to be adhered to. And so that being said, many of our records, and when I say records I mean death records, birth records, tax records, marriage records and so on, are often public records. They're accessible to anyone. And it used to be, that you had to go to a government office to access those records. You had to provide a driver's license of some sorts just to prove who you were, and then for free or for a small fee, you could access any of these public records. And over the years, those public records were scanned, and they were posted to the internet to make it easy for consumers to check out those records. And the CIA Director's quick claim deed for his property was online, but the document also had his social security number and his signature. The quick claim deed for Colin Powell… his social security number and his wife's Thelma's was posted online. And Jeb Bush, obviously the brother of the president and the governor of Florida, his social was published online, with his wife's Columba. Both of theirs with their signatures. And that's just a few, [Donald] Trump's was posted online, many others in fact, as public records. And those are just a few of many American citizen's who's private data is readily, easily accessible over the internet. This is the most private, personal information and I would say at this point, just about every American's data in some way, shape or form has been breached. All of our data has been breached, multiple times, and now it's being sold to the black market in underground forums, to anybody that wants to turn the data into cash."
Robert continues, "So what this all boils down to, is, for convenience sake, we have taken the paper records that are in filing cabinets everywhere, in government offices, in corporate offices, in storage bins, we've taken our paper documents and we've digitized many of them. And again, that is simply for convenience sake, digital archives make it easier to access them in real time. And that convenience factor has overridden the security and privacy considerations. So that, all of that, coupled with the legal aspects that was on the books that makes certain data public further exasperates the problem, and then doubling the issue is, we have an entire generation today that wants information to be free. It was information to be open, it wants information to be available it wants information to public. And looking at people like Bradley Manning and Edward Snowden, granted their agenda was to expose truth, but at the same time, they're coming from a generation that all data about everyone, needs to be free.
"Even looking at somebody like Mark Zuckerberg, has taken our most private thoughts and process them through portals and make them publicly available. You've got so much information, more than anybody would ever want to hear or see or feed, being made publicly available. Y'know I just read a Facebook post of someone yesterday, who was going through a divorce. And she talked about how she couldn't walk through the supermarket without buying things that were for her husband that she's now estranged from. So she finds herself putting stuff in her cart that were for her husband that no longer lives with her. Now she's breaking down in the aisles of the supermarket buying these things. And it's that amount of exposure that we've become accustomed to, that goes from our most privates, personal, emotional thoughts, to the most private information that could jeopardize our safety and security and our financials that is now part of the public domain."
It's something you don't see at first, but it becomes perfectly clear once Robert puts it into a single frame: that even three high-profile personalities as diametrically opposed as Bradley Manning, Edward Snowden and Mark Zuckerberg share the same generational concerns, blatancy of information. It's this kind of intuition that secures Robert a place as perhaps one of the keenest minds in cybersecurity. And this keenness of perception doesn't come in spite of Robert's deep appreciation of the nuances of popular culture, but because of it.
If Hackers wasn't quite the right movie to gage the popculture around cybersecurity with, then maybe neither was Takedown. Perhaps what was called for was to step outside of the genre altogether and to reach back into the old film noir. Perhaps, The Third Man isn't to bad a fit. The Orson Welles movie certainly does offer some pithy insights into to the various uses that can be made of popculture (dime store Westerns written by Joseph Cotton's beautifully acted Martins) in accessing and engaging the world. And of course, Joseph Cotton simply neutralizes the pervasive mentality that leads back to almost every Vienna resident's casual acceptance of crime (not at all different from the illegal download culture that opens us up to more dangerous forms of cybercrime).
Going back through the interview, I realize there's a question I regret not having asked. A nerd moment, sure, and maybe it would have been more meaningful in 2006 when Apple launched MacBook and was building to the launch of the iPhone. "Which offers better security, Mac or PC?" But the guilt at not having asked that question is washed away by a deeper understanding of what's really at stake. And it's when I imagine myself standing in line to tomorrow's premier of Jobs, the biopic starring Ashton Kutcher, that an idea begins to form. Robert Siciliano and Steve Jobs are pretty alike, at least in one crucial aspect. Neither would obsess about the content of popular culture and be slavishly loyal to the characters and stories that come and go in waves of popularity. Rather both focus on the power of popular culture, Jobs saw inherent promise of mobilizing computers and integrating them into people's lives, just as Siciliano looks for the themes moments that have been made meaningful to us, and defends those against exploitation by cybercriminals.
In one of his last pieces ever written, French poststructuralist thinker Gilles Deleuze offered, "It is no longer a case of hope or fear, simply of finding better weapons." What's needed is a cultural shift that will engage with a broader cross-section of human experience and interaction. And if Robert is a watchmen on a new kind of wall of freedom, it is because he has a deep and appreciative understanding of the day-to-day operation of that freedom, in human terms.