Who's Waging All Those Cyber Attacks And Who's Going To Stop Them?

Jeff Schmidt, CEO and founder of JAS Global Advisors, the company that discovered JASBUG, says three types of hackers are responsible for the majority of cyber attacks.

Benzinga spoke with Schmidt, who shared his thoughts on cybersecurity, responsibility for protection and the need for a common cybersecurity vocabulary at all levels of government and private enterprise.

Benzinga: Cyber attacks seem to be coming from many directions. Who are the attackers?

Jeff Schmidt: There are three kinds of bad guys.

First, there are hooligans who just want to create mischief.

Then, there are criminals who steal information for a specific purpose – to make money.

Finally, there are people who steal information, not for a specific purpose but just for the sake of having it.

BZ: Which type is most prevalent?

JS: We've seen a lot of the second case (criminals) over the last 10 years. The new case is where we have people stealing tremendous volumes of information with no clear purpose and no follow-on extortion attempt. That's a new occurrence.

We saw this with Anthem and we've seen it, obviously, with the Office of Personnel Management that's been in the papers recently.

BZ: Why do you think this is happening?

JS: It's not clear who or why, and that's troubling. When it's your run-of-the-mill, everyday bad guy who follows up with fraudulent credit card charges or extortion attempts, that's kind of, okay. We get that. We understand that. It's annoying, but we get it.

However, the ones where the motive and the actors are not clear are actually scarier.

Some hypothesize that it's foreign intelligence services and that certainly matches the behavior of foreign intelligence services.

Another thing that’s starting to happen is extortion attempts that you don't hear about.

BZ: What do you mean?

JS: I'm familiar directly with cases where a criminal steals information from a company, particularly a Western company, contacts the organization and says, "Hey, I stole this, give me a million dollars and I'll delete it, or, I won't put it on Facebook or, I won't give it to the media."

Most times, those companies tend to call the FBI.

However, what the bad guys have found is that if you compromise somebody's corporate email account, there are potentially embarrassing things for the person in that email account – everything from performance reviews to personal emails.

The bad guys are reaching out, not to the entity, but to an actual person.

BZ: Why not just steal credit card numbers? That seems much simpler.

JS: Credit card companies have become much smarter and much more sophisticated with their proactive fraud detection. Because of this, the value of credit card numbers has gone down on the black market.

So, private extortion makes total sense when you look at it that way. That's a way that they're being effective and monetizing this stolen data.

BZ: What’s the difference between attacks against government entities and financial institutions?

JS: In particularly large Western financial institutions, there's almost no difference between attacking a "top five" bank or some agency of the U.S. government.

The sophistication required by the bad guys and the types of people who are interested is the same.

In addition, the defensive capabilities of large U.S. financial institutions are equal to if not superior to those of the U.S. government.

BZ: Why do so many of these attacks appear to be coming from China and Russia?

JS: Cyber is the ultimate asymmetric weapon. China and Russia, in particular, are countries that have a desire to match the U.S. in their ability to project strength militarily, but don't have any practical ability to do so.

I think that their strategists, and those of other countries – Iran and Syria come to mind – say, "Boy, cyber is a way we can really project power on to the U.S. when we don't have the capability to do that with traditional kinetic forces."

BZ: Who is responsible for the protection of public and private entities?

JS: That's the proverbial million-dollar question. We've been asking that question collectively as an industry and as a business community since the late 80s.

If I'm a small Wisconsin bolt manufacturer and a foreign government comes along and drops a bomb on my factory, it's clear there's going to be a reaction from the (government).

If the same thing happens in the cyber realm, it's not at all clear who I call.

BZ: Are private entities – like banks – responsible for their own protection then?

JS: It's clear now that it is the responsibility of financial institutions to protect themselves up to a significant point.

The government has said, "We're not going to come in and run your firewalls and look through your logs, and things like that. We expect you to invest considerably to protect yourself in the same way that you invest in physical security."

BZ: So, the government has no responsibility at all?

JS: At some point it does actually become a national security issue, and the government will step in and help. Where that point is has become an energetic point of debate.

If you're a very large U.S.-based bank, at what point do you get to pick up the red phone and have the Feds swoop in and help? That is not clear right now.

BZ: What needs to be done to fix this?

JS: Cyber is a very young science.

There's no science, sophistication or maturity yet in the cyber security realm. A question such as, "What is adequate security?" has no meaning.

We need to make progress toward standardization, a standard vocabulary and common levels (of security) and measures of risk.

I also think we're starting to see interest in insurance products both from the insurance companies as well as at the senior executive level.

At the time of this writing, Jim Probasco had no position in any mentioned securities.
