Risky Business - Wide World of Cyber: State directed cybercrime

Episode Date: July 10, 2024

In this podcast Alex Stamos, Chris Krebs and Patrick Gray discuss the relationship between cybercrime and the state, which is often more complicated than it should be. While the US Government and its allies fight the scourge of ransomware, other governments are using it to either raise revenue or irritate their foes. North Korea sees ransomware as a money spinner, while the Kremlin enjoys poking the west in the eye with it. Join us for a breakdown of the relationships between governments who should know better and the worst types of people on the planet.

Transcript
Starting point is 00:00:00 Hey everyone and welcome to Wide World of Cyber. My name is Patrick Gray. The Wide World of Cyber is of course the podcast we do in conjunction with SentinelOne where we talk about the big issues with SentinelOne's Chief Trust Officer Alex Stamos and its Chief Intelligence and Public Policy Officer Chris Krebs. And today's topic is the relationship between ransomware and the state, and I guess the relationship between cybercrime and the state more generally than that. But ransomware is a great example. It's a great place to start. The West is fighting it, the US and its allies. We've got the counter-ransomware task forces and all sorts of
Starting point is 00:00:45 stuff. But some other governments have a different kind of relationship with ransomware. The Kremlin, for example, seems to quite enjoy it because it gives tacit approval to ransomware crews to hit targets in the West. No one's getting arrested, really. And, you know, they seem to find the ransomware epidemic quite delicious. North Korea is dabbling in more direct, like, state-directed ransomware campaigns, and, you know, we've seen various Chinese cyber contractors also dabble in cybercrime. So states aren't just victims of cybercrime, they're also often the perpetrators of cybercrime. Sometimes because they tacitly approve of these activities, and sometimes, like in the case of the North Koreans, because they're directing these crimes as a matter of policy. So, what do we do about all of this?
Starting point is 00:01:40 And that's what this conversation is about. So we'll kick things off here with Chris Krebs talking about the difference between state-sponsored and state-sanctioned ransomware. And he's the first voice you'll hear. The other voice you'll hear, who isn't me, is Alex Stamos. And I do hope you enjoy this conversation. I think there's no question that we're seeing with the ransomware emergence, explosion,
Starting point is 00:02:03 whatever you want to call it, over the last, I'd say, six, seven, eight years, that behaviors are changing. And you can tie it directly to the sanctioning. I don't know if I'd go as far as say sponsoring, but sanctioning of the state, and particularly here, we're talking about the Kremlin. This is economic terrorism, is one way to look at it.
Starting point is 00:02:27 It's state-sanctioned. There was a great tweet the other day. I can't remember who it was. Somebody responded to me and said, state-sponsored economic disruption. And I see it as state-sanctioned economic terrorism. That's how it feels, right? Particularly when you talk about hospitals. This gets to the very core of people's existence. I do think one of the kind of interesting
Starting point is 00:02:52 absences from the conversation is the loss of life. There's got to be somewhere out there in the data where someone has died as a result of a ransomware attack, but we just haven't really surfaced that conversation yet. I mean, I've seen that come up here and there. There's been a few lawsuits alleging that ransomware has led to delays in care in hospitals. So there's a couple of specific cases that I think have gone before the courts. We've also seen some studies done which have looked at patient outcomes in hospitals that have been ransomwared.
Starting point is 00:03:25 So I think that is actually a settled debate, that ransomware does cost lives, or certainly at least shortens them. Yeah, absolutely. I mean, the medical, there have been actual studies, especially in the UK, where, you know, if the National Health Service is down, that's it. You don't have any other options, right? So it's, you know, as messed up as the US health system is. Well, I don't think anyone's actually taken down the entire NHS, Alex. No, but so what? No, not the entire NHS, but during WannaCry there was significant impact, and there actually was a study, I believe in The Lancet, yeah, that showed that there's an increase in death rates in ERs for certain treatable diseases because doctors are overloaded and the treatment rates,
Starting point is 00:04:03 the treatment wait went up. And so like the, you know, just like the U.S., we have a bunch of these systems that don't make any sense, the medical system, the election system, where you have this spectacular inefficiency because it's so distributed and diverse. The slight upside there is while we have attacks that are really bad in the U.S., you know, I think it is less likely that we're going to have that kind of, you know, study be able to come out here. Because if one hospital is down, there's usually two or three, and they're on disconnected systems, that is perhaps changing a little bit in that there's, you know, a handful
Starting point is 00:04:34 of EMR systems that are dominating, Epic being the most, the best example, and a bunch of stuff is moving to the cloud. So I think there is a possibility in the U.S., but certainly in the nationalized health services where you've had these downtimes that have caused a significant backlog for doctors, it has had a real human impact. Yeah, yeah. So look, I just want to go back to something you said, uh, Chris, which is that you were talking about how this is sort of, you know, the Russian stuff these days, I think you can make, mount a reasonable argument that you're right, that it is sort of, there's, it receives tacit approval from the state, if not state direction, because what is bad for our enemies is good for us. I think that's more the case now than it was, you know, in February 2022 before Russia had invaded Ukraine. But then I look at what's going on with North Korea now. I, I recently spoke about a, um,
Starting point is 00:05:27 about a write-up where a North Korean APT crew that was tasked with intelligence collection performed an operation where they broke into a network, they stole a bunch of information, then they dropped ransomware for commercial benefit. Um, so I spoke about this. Are special, right? Like, they're the only of the state actors that we know of that has a P and an L, right? Like, you know, the est doesn't have to be profitable. Yeah, I mean, I think we have seen this in, among Chinese contractors as well, and, um, you know, the i-Soon leaks have sort of helped us to gain a bit more insight there. But, uh, yeah, so I spoke about that in the show recently. I got in trouble with, who's a, you know, who's a DPRK cyber expert
Starting point is 00:06:07 who was like, look, they've done this, you know, plenty of times before, right? So I was thinking, you know, this was a big development, but he's like, no, no, we've seen this before. But, you know, I stand by my comments at the time when I did talk about this, because I was saying, if they really decide to embrace this, you know, it's a whole other level of trouble than even the Russians doing it. Chris, I just wanted to get your thoughts initially on what, you know, on what you think of the idea of North Korea truly embracing ransomware as a revenue raiser, because that gives me the willies, if I'm honest. Yeah, I remember when you mentioned that, and you said it, that harbinger of things to come, and we're all in a lot of trouble because they're quite effective and they've built the, you know, an entire nuclear weapons program on top of cybercrime.
Starting point is 00:06:51 I wouldn't necessarily confuse the objectives or, you know, merge the objectives of one state with another state. They can use these capabilities, uh, for different purposes. I mean, we are seeing, in fact, SentinelLabs just released a report on ChamelGang, which is a Chinese APT group that's using ransomware at the final stage of the kill chain for, uh, obfuscation, counter-IR, counter-forensics work. And I think that's entirely, um, I wouldn't say legitimate, but you know. No, I get you. It's, it's a TTP that's done, designed to sort of obscure what's happened. Yeah, right. And we have seen that over and over and over again for years and years and years. What's different about the North Koreans is that they are trying to make money. Yeah, well, I mean, and this is like,
Starting point is 00:07:41 again, goes to your priors of, you know, you don't have to hand it to them. But, you know, once again, their industriousness, you know, they're, they're able to tap into different. Again, they've got their own objectives. They can do stuff for the state. And then they probably have the ability after the fact to go make a little money too. Um, I, you know, I think it goes to this overarching question. If you've got to look at how much of this is, to your, I think, earlier point of, you know, how much of this is state-directed, state-sanctioned, state-allowed, right? Russia's, you know, the GCHQ out of the UK, he said there's at least kind of a dotted-line relationship where there's some sort of oversight, maybe not direct tasking. I don't think we have enough visibility into what's
Starting point is 00:08:30 happening in North Korea. I don't think we have enough visibility certainly into what's happening in China and how these tools are being used, particularly in Asia and elsewhere. But those are things that I think you probably want to study going forward, particularly when it comes to targeting. I want to explain for a moment why it is that I find the idea of North Korea doing this more troubling than I do of the Russians doing it. Because I feel like Russia, Putin is a dictator, but the level of state control exerted on the general population of Russia is not anywhere near what it is in North Korea and what that means is it's still possible to
Starting point is 00:09:12 actually cause trouble for ransomware actors inside Russia. I'm thinking of another recent story we just saw, that one of the people who was involved in these Scattered Spider attacks was arrested in Spain. This was a British citizen arrested in Spain.
Starting point is 00:09:26 Now, the reason that British citizen was in Spain to begin with is that they had fled England. Their home had been invaded. Their mother had been threatened. You know, we've seen kidnappings and drama and all of this sort of stuff involving give me the keys to your cryptocurrency wallets or we're going to kill you, right?
Starting point is 00:09:44 Now, those same types of problems that these criminals have found themselves in, they could have the same problems in Russia, right? And it would be entirely possible for Western SIGINT to engineer circumstances in which they could find themselves getting rubber-hosed for the crypto passwords. You cannot pull the same lever against a North Korean ransomware operator who actually works for the state. That's just not even an option. So that's why, I guess, you know, we don't have time to really go into this on the weekly show every time.
Starting point is 00:10:17 But if people were wondering, why is he so worried about the North Koreans and not as much about the Russians? That's why. There's nothing. They're untouchable, completely untouchable in a way that the Russians aren't. Right, well, Russians like to vacation. I mean, they are touchable in that, you know, Russia is a much more open country
Starting point is 00:10:31 than I think people assume, right? There's still significant movement of people between Russia and Europe. There's lots of oligarch boats, despite a couple of seizures. There's lots of oligarchs parked in Monaco at all times. But also the relationship between rich Russians and their government is very complicated, right? Like, yes, they are operating just like with China.
Starting point is 00:10:51 If you've got a bunch of money and you're in Russia, you're probably thinking about how to get it out of there. If you're a family person, you're trying to think about how to get your family into a safe place. And so parking your money in Cyprus, parking in Switzerland, parking in London is the kind of thing that lots of rich Russians still do. Now, I think you see that less of the ransomware actors, because you're talking about 22-year-olds, 23-year-olds who aren't thinking that much. But like, as these folks age, as it becomes more of a big business, I think you're going to end up with oligarch-like models of people who have accrued large fortunes and for whom being stuck in Russia and never being able to vacation anywhere but Russia, Belarus and Kazakhstan, um, is going to be a problem, because it
Starting point is 00:11:31 also puts them completely, you know, to have their families there and have their money there means that they're completely at the beck and call of the FSB, uh, and of Putin. Yes. And like, but not just them, also they're, they're vulnerable to other criminals wanting to do bad things to them, right? And I just think, you know, when we're talking about North Korea, it's not the case in North Korea, right? Because everything is on lockdown by the state.
Starting point is 00:11:53 Yeah, somehow you have to figure out how to, like, get these guys shot with an anti-aircraft cannon by, you know, I guess you could try to place, like, some pro-South Korean or anti-Kim Jong-un propaganda on somebody's computer. That might be your best bet. But yeah, realistically, since the only actor of importance is the government, unless you can somehow create a situation where you separate Lazarus Group operators from the government, there's very little that you could do to pressure them. And these guys, they live the best lives probably in all of Korea, right?
Starting point is 00:12:24 Like they have internet access. They have access to, you know, they can probably watch Netflix. They have access to a certain amount of Western media. They can probably play video games. Like these guys are living something closer to a 21st century lifestyle than almost anybody else in North Korea. We've previously seen, too, some of North Korea's hackers are not actually based in North Korea. They are set up in places like Vietnam and the Philippines and wherever. Right.
Starting point is 00:12:45 Yeah. The DOJ indictment on that was fascinating. Right. And that like the North Koreans have a very interesting model of sending people overseas to learn. It does seem always with like family with a gun to their head. Right. So they're not stupid.
Starting point is 00:12:59 They're not just giving you a one way ticket to Vietnam. No. I mean, I guess, Patrick, my question for you is, where do you see, like, what's the ceiling here that you're worried about? Is it that they kind of get the aha moment where they then professionalize it within the security services in North Korea, and now they do it at scale,
Starting point is 00:13:19 and it becomes a kind of a pirate state? Yes. Even more than it was before? I feel like we're already there, though. I mean, the North Koreans are by far the biggest thieves of Bitcoin in the world. The North Koreans specifically, their model is to steal money directly, right? So like, you look at the traditional model, it was the wire transfer fraud, it was the, the very famous attempt to steal two billion dollars from the Bank of Bangladesh, the SWIFT fraud and such. It's not you're extorting somebody, right? And I think that's actually,
Starting point is 00:13:51 this would be an interesting thing to dive into of like, what is it about the psychology of these folks or the skill set that they have that means that they're not as good at communicating with victims of extorting them, of negotiating such as their language skills, their cultural issue, or just how they're trained, right? That they're trained that you do these operations quietly. Yeah. So here's what concerns me is that it's been an easy time to go after crypto exchanges, right? The money has been there, right? You've got a small team on it. They can go out, they can steal these outrageous amounts of money. When you look at the number of- Somebody stole my apes. Oh, no.
Starting point is 00:14:27 Yes, exactly. My apes, they're all gone. So, you've got this sort of small amount, this small number of exchanges where there's a lot of money sort of and wealth concentrated, right? And I think they're learning, they're getting better. You know, I know people who work in that area and they're, you know, the ones who are experts in this, they're all over the North Koreans. Like, they're not really a threat to the companies that are really focused on defeating that threat. You know, there are plenty out there who are doing a good job and they're the ones getting owned sideways. You know, what concerns me, though, is as this gets harder for them, they'll realize, hey, well, this ransomware thing's showing some promise. And then they pivot. And then this is an activity that not only touches the real economy, but also touches real lives.
Starting point is 00:15:06 Like we already spoke about earlier about negative health outcomes from things like ransomware. And I suppose the thing that makes me most concerned about this is North Korea is essentially immune to any sort of diplomatic coercion. So I heard you wanted to jump in there, Chris. I, I mean, look, I, I think, I think maybe the issue here is, does this open up an entirely new, a total addressable market to them, effectively? You know, to your point, like they've been going after banks and things like that, but, you know, in the past with like all the Hidden Cobra stuff that, out, you know, Alex mentioned Lazarus, I mean, they, they've kind of hit the broader economy, but now they're doing it rather than just thievery. It's destruction. It's disruption and destruction. I
Starting point is 00:15:51 think the evolution of TTPs is, I think, where we're meeting of minds here. That would be worrisome and concerning. So, you know, there's an example of where, you know, we could be concerned that we'd have very limited response options, you know, in the case of North Korea fully embracing ransomware as a revenue raiser. But let's talk about what our response options are generally, because, you know, this is something that's changed a lot over the last couple of years. We've seen Western governments have a much more active role in trying to disrupt ransomware orgs. I feel like it's having some sort of impact, although it's difficult to quantify. You know, what do you guys think about the, you know, recent actions from
Starting point is 00:16:38 various law enforcement and intelligence bodies around the world that have been designed to, you know, disrupt this activity? Do you think it's having an impact? I do. I mean, my general view of ransomware is it exists for three reasons. One is there's a vulnerable, misconfigured, soft underbelly, particularly in the United States, but in the West as well, that these guys secondarily have figured out how to monetize through cryptocurrency. Outside of the eye of the regulators and the fiat economy where you can actually put some controls over the movement of treasure, they've sidestepped that. And then the third is they're allowed to continue these activities under the watchful eye of the Kremlin and Red Square. And that is a little
Starting point is 00:17:23 bit more complicated of a situation, and that's where you actually have to unpack why is this happening, why does the Kremlin allow it. Again, three reasons as I see it. One is that it actually builds a strategic cyber force for them and gets hands on keyboard, uh, it builds up capacity. The second is it brings in just a ton of money to Russia that otherwise is not bringing in a whole lot of money and suffering economically. And the third is that it aligns with this conversation now. It aligns with the geopolitical goals. Okay, so that then flips back to the earlier part of the conversation of what do we need to do in response? What are the options we have available? You can either fix that first leg of the stool through regulations by improving security posture at the install base here in the U.S. and elsewhere.
Starting point is 00:18:14 But even that's not going to fix things because even in regulated industries like banks and power companies, things like that, you still have security events. So you're going to have to go to that classic deterrence by imposition of cost. And this is to your point, the National Crime Agency, the FBI, they go and they take down LockBit. LockBit might be back. But you're constantly putting pressure on the adversary to invest in themselves. So they're not always on the attack, instead they're on the R&D loop. They are, um, you know, that they're not actually out there. Well, not just R&D, but they're spending a lot of time rebuilding infrastructure, re-establishing identities, just busy work, basically. But yeah. Yeah, trust. Yeah, and that's the weird thing is, like, in the, you know, the guild of cyber criminals, there's still an element where
Starting point is 00:19:06 trust matters, and, you know, making sure you know who you're doing business with is important. So, I mean, I think that, you know, you've been on this one for, for half a decade now. Um, like literally you've been talking about this for five years plus, which is crazy. Uh, but going after the bad guys and the relationships and connections between them, I'm a big, big fan of that, and exposing them, uh, in, and having the nastier animals out there in the jungle go after them. Well, this is, this is why I mentioned that Scattered Spider kid who had fled the UK to Spain. I'm guessing that disrupted his cybercrime activities. Now, you know, I'm not, am I suggesting we feed some of this information to the jungle
Starting point is 00:19:52 and let the laws of the jungle sort it out? I mean, kind of. I get why that would be legally a little bit problematic for some people to, for some organizations to do this sort of level of doxing and whatever. But I think that's ultimately going to have an effect. I mean, what do you think here, Alex? Because it seems to me that the Brits and the Americans in particular started off quite conservatively doing some of these disruption actions
Starting point is 00:20:17 and then have ramped them up to the point now where they're like, no, we're going to dox you. We're going to make your life miserable. You know, perhaps harm will come to you from other people because they're going to know that you hold immense amounts of cryptocurrency. It really does feel like this response from the West is escalating. Would you agree? Yeah, I do agree. And I agree with it. Unfortunately, the problem is, our whole discussion here is about ransomware and geopolitics. And the ransomware actions fall into this weird gray area where it is not just criminal activity that happens within a framework in which laws can be enforced.
Starting point is 00:20:54 The unfortunate truth is that, I'll just use the United States as an example. In the U.S., our law enforcement agencies are very poorly set up to deal with the wave of cybercrime that people are facing. Not just ransomware, but all the prosaic things that happen to people day to day, the sextortions, the account takeovers, the password sprays end up with people losing money from their accounts and such. Partially because the vast majority of law enforcement manpower in the United States is local cops, right? But we've centralized almost all of our skill set in this area in the FBI, which the FBI is tiny compared to just the NYPD, right? Like the NYPD by itself or the LAPD is much larger than the entire FBI covering the entire country. And so you end up with the FBI only going after the real big game. And I think that's great. I think it's fine for them to do these disruptions and take them months and they go to the Eastern District of Virginia and they take their DNS names or they go use 0-day and they take over their Tor sites and they screw
Starting point is 00:21:54 with these guys. And I think that's fine. But the truth is, is going after that big game is not having a ton of effect because there's a massive, massive long tail of actors here, right? To be a ransomware actor, all you have to be is like an asshole with a laptop, right? Like, you don't need, you don't have to have a team, you don't have to have special, as a specialized skill. It's what a lot of these folks have demonstrated, is that, you know, very basic skills are enough to go after, well, smaller kinds of. They're enough to be an affiliate, but they're not enough to develop some of the ransomware strains that are used here. I mean, if you want to get... Yeah, but it's not always...
Starting point is 00:22:26 But that's the thing. We're seeing less and less of the custom malware, right? And you're seeing more of the open S3 buckets and the password sprays against VPN or against somebody's Azure AD, and you steal a bunch of their data. But that's not ransomware. And you're not able to lock them up because you don't have custom... It's not ransomware, but it's... It's not as costly.
Starting point is 00:22:44 It doesn't cause any disruption. It doesn't lead to the sort of loss of life that we were talking about previously. It's a personal annoyance, right, for me, when people call this stuff ransomware, and you see it in the press, these people were subjected to a ransomware attack. No, they weren't. Some data was exfiltrated and it's being offered for sale. But it's the same people, right? Like the same groups will use multiple mechanisms of pressure to get people to pay. So no, I say it's important. It is disruptive. If you're a 50 person architecture firm and you end up having to pay $2 million, that
Starting point is 00:23:16 is disruptive to your business. Even if all your- People don't pay. That's the thing. You look at the numbers, you look at how those people are able to convert based off stolen data. People don't pay. I mean, one of the reasons people pay here, there is an issue where it's a legal interpretation in some states, like in New York, where if it's PII, some lawyers will say,
Starting point is 00:23:35 well, according to this statute in New York state law, you need to pay because it's a mitigating action. You know, it's various AGs going out. A lot of people are paying because, one, it gives you a good factoid for both litigation and for dealing with AGs, and second, because your insurance will pay something. Back to your original question, my point being, we don't handle these issues very well because unless you are MGM and you're a victim of one of the top 10 groups, your ability to get law enforcement support is pretty minimal, right? And so I do think that there is a little bit, I am glad that law enforcement is being more aggressive. I think there's also a little bit of compensation here for them understanding that they only touch 4%
Starting point is 00:24:14 of the cases, right? Like, there's no other crime, like sexual assault, murder, carjacking is not only a 96% of the crimes are, are ignored on the front end. Right. Like even if your clearance rate's not that great, at least they'll take your report. Right. And so like, I think sexual assault is not the best example there. Cause there's a, there's an awful lot of unreported sexual assault, but yes, I do take your broad. I'm saying if you, if you, if you call the cops, he'll take your report. Whereas like, if you call the cops, you've only lost a million dollars in a pig butchering scam, for a few reasons, right? Because it does connect to this conversation we're having,
Starting point is 00:25:07 which is the interaction between, you know, states, geopolitics and cybercrime. Because we're in this crazy situation where according to, you know, NGO reporting, the pig butchering facilities that are in Laos, Cambodia and Myanmar generate enough revenue, like that if you look at that revenue
Starting point is 00:25:25 as a percentage of the GDP of those countries combined, it's something like 40% of the equivalent to 40% of the GDP of those three countries combined. And then you think, well, how on earth could those countries be expected to police something that is so immensely profitable? Now, of course, the people who are being forced to do these pig butchering scams are being human trafficked there. I remember years ago talking to a friend who works for a job website that does business in the Philippines, and they had people going missing. So they had candidates turning up for job interviews, and they were getting shoved into vans and taken God knows where. At that time, they didn't even know where those people were being kidnapped to.
Starting point is 00:26:08 But, you know, since then, as it transpires, this is one of the ways that these pig butchering farm operators would get the people to take them to these facilities to do this illegal work. So, you know, in this case, we've seen a lot of law enforcement activity targeting ransomware. It seems like, to a degree, you could apply a similar template to targeting these sorts of operations in that you could target their infrastructure, you could target the individuals who sit at the top of this with sanctions, doxing, identification, seizure of assets, things like that. So this is one thing that I find really interesting is that the ransomware approach might wind up being the new generic approach for targeting serious organized transnational cybercrime. Chris, I want to get your thoughts on that.
Starting point is 00:26:58 What do you think? What's the line you're connecting here? Is it this more kinetic activity against TCO? The line that I'm connecting here is that these criminals are operating from jurisdictions where Western law enforcement can't touch them, despite the fact that they are committing crimes in Western jurisdictions. But I think the way I put it on a recent show is why do these people have functioning routers? Why are there not disruptive attacks targeting their infrastructure designed to disrupt their activities? Why are we not sanctioning the people that we can identify, you know, who are making money out of this? And I tell you why. I tell you why that's the case is because there's just no political pressure there at the moment.
Starting point is 00:27:40 I really doubt there's a whole lot of effort going into identifying these folks just yet. So, okay. I mean, there are a couple different questions here. One is the question of identifying and sanctioning. And then there's the one of actual technical operations against their personal infrastructure. Different people doing different things, right? So when you talk about law enforcement, you talk about treasury,
Starting point is 00:28:06 you talk about justice department, a lot of these activities of identifying and sanctioning, there is a significant administrative burden to that. Now that could all be put into the proper context with the right political pressure to your point, but it would also kind of be a, in part, a never-ending effort. And the second would be like, to what real end? Great, we threw somebody on a sanctions list. We might see them transiting Malta at some point, and maybe we pick
Starting point is 00:28:38 them up. But it's, you know, there is, there's a lot of work for, I think, just a little bit of gain. And I'm telling you, these are conversations that happen in Washington, D.C. a lot. It has happened in the last six to nine months on how we put more pressure and smack down ransomware. Your second question about, you know, how do we knock down their personal infrastructure, which is not exactly what you said, but I'm just kind of using it as an example. There are all sorts of rule of law issues there. And how do these things get magnified? And are we really willing to go to that extent to conduct a, you know, on-network activity against a criminal in Russia, for instance, of the sort that we would prefer to use against an
Starting point is 00:29:27 intelligence service? Well, but I mean, that's happening already, Chris. You and I both know that that is actually happening, and that Western governments have popped shell on ransomware actors. I mean, all I'm saying is that perhaps this is an action that we could extend to target people who operate, uh, you know, these sorts of criminal organizations in Myanmar that are doing pig butchering. No, it absolutely happens. It is, it absolutely happens. There are, again, parameters placed around these things.
Starting point is 00:29:56 The political pressure can change those parameters and open up the scope. My biggest concern here, though, is that by allowing ransomware, and the broader cyber criminal ecosystem, to expand over the last several years, we've taken effectively what's a set of limited resources in the intelligence community, NSA, for example, and now we have to detask them and retask them off of the SVR, off of the MSS, off of the really hairy stuff, and instead put them on cyber criminals. This isn't, you know, I don't think anybody in the intelligence community is going to have much success going up to the U.S. Congress right now and asking for more resources.
Starting point is 00:30:40 It just, it's not happening these days. This, I think, goes back to the, who the victim is to one of the, you know, the pig brood tree in the Myanmar, the Nigeria. Those are individuals. And so when you have a lot of individuals losing hundreds of thousands of dollars each versus a handful of companies losing 10, 15, 20 million dollars each, it's the latter where they hire a top lawyer who used to be DOJ, NSD, who has friends in FBI, who gets a case open. So I think part of it, once again, I think part of it is the structure of law enforcement is not set up to deal with the big scam groups that are going after individuals. Obviously, there are teams that do this, but it does seem to get a lot less resources and a lot less support from the IC than the people who are going after the top five ransomware actors. But I guess, let's just step back a second and go back to the original question, which is,
Starting point is 00:31:32 do we think that would be an appropriate response to different sorts of, not just ransomware, but different sorts of serious organized transnational cybercrime. So if we think that's an appropriate response to these sorts of crimes, I understand that it's unrealistic to expect that an agency like NSA can just pull people off whatever, off serious national security work, and throw them against cybercrime. But if we agree that this is the way, shouldn't we now actually look at how we can, you know, I think it was Chris who pointed out that this would need to be a rolling engagement. It would need to be something done continuously. If we all agree that this is the approach, what do we now need to do to get us to a point where we can actually do it at scale, you know, in a rolling way? I mean, do we need a new agency? Do we need a new unit of an agency? You know, how should this work? God, no. No more agencies. We're done with the agencies.
Starting point is 00:32:30 No, I think it's likely a multinational effort. I wouldn't want to say within Interpol or anything like that necessarily, but there are other partnerships that could pool together assets, pool together intelligence, pull together intelligence, pull together authorities and certain relationships. And, and yeah, I mean, really this,
Starting point is 00:32:51 again, this goes to stuff that, that Rob Joyce has said on the show before a friction, what you're doing is you're putting sand in the gears, you're slowing them down. You're making them work on reconstituting operations rather than actually putting harm out there on, on organization. So I'm,
Starting point is 00:33:06 I think it makes sense. And I think once you get the playbooks together and you have the effective authorities, then you can replicate and then you can start scaling. Yeah. I think we don't need new agencies, but existing agencies and not just in the US and the federal level. My proposal here, and I've talked to folks here in California, is I think at the state level, we need cybercrime teams that don't need to carry guns. That's one of the silly things here is the fact that you have to – the idea that to investigate these folks in Myanmar who are doing – or Nigeria who are doing sex abortion against American kids, that you have to like pass pushup tests in Quantico is just ridiculous. Just as ridiculous as Cyber Command wears camo.
Starting point is 00:33:53 Thankfully, funnily enough, it's not like that here. You can be an Australian federal police cybercrime investigator and not be a sworn officer. So yeah. I mean, they have analysts and such, but like in the US,
Starting point is 00:34:03 there's still the sworn officers are everything. And so I think the creation of units where the ratio is way different. They have 20 or 30 analysts for every sworn officer. And the sworn officer is signing the warrants and doing some of the final in the situation. Well, I mean, this is how it works. This is how it works at Fort Meade, right? Where someone types in a command and then asks the guy in fatigues, can you please present it for me, sir? And they do.
Starting point is 00:34:25 Right? Right. Captain, can you come over here? Like, you know, with your national, with your letter in your hand. Yeah, exactly. With your amazing ability to execute state authority, project state authority, you know. Do you know what this is? This is a get out of jail free letter.
Starting point is 00:34:41 Do you have one of these? Right. Yeah. This finger? This finger is the u.s government i don't think we're suggesting that we want state level or provincial level uh officials conducting extra territorial activities but you know i want them investigating and picking up the phone right like i'd like somebody to take that report pulling pulling it together. And then when you go cybercom. From my perspective, the level of human carnage is happening, especially like on the sex door shit and the pig butchering.
Starting point is 00:35:30 The pig butchering, you have people, it is so common. I've had multiple people that I went to high school with come to me because their parents lost, in one case, a couple hundred thousand dollars, in one case over one and a half million dollars. I'm actually doing a talk in my mother's building, in her apartment building where she lives, to all the little old ladies who live in that building because one of them got ripped off, and I'm going to talk to them about how, you know, it's insane. And that's why, you know, a little bit, Alex, when you were explaining that, um, you know, the big companies getting whacked, that means the government's more likely to act. I think the pig butchering stuff is getting so bad, like kind of everyone knows someone who's been, uh, who's been impacted, and that creates its own sort of
Starting point is 00:36:08 political pressure. People expect their governments to keep them safe. But yeah, anyway. For old, so I just want to say, for old people it's the pig butchering and it's boomers not able to retire or having to live in poverty, and then for young people it's sextortion and, like, the number of kids who have committed suicide, mostly boys now. Right. Because sextortion used to be, when I was at Facebook, we had financial sextortion, but the ratio was probably 70 to 30 content based versus financial based. Right. 70 percent of it was that the guy was a pedophile and wanted the content. And as a result, the majority of the victims were female.
Starting point is 00:36:39 Now it's at least 80, 20 the other way. Right. And they mostly go after boys. Now, they're not necessarily going after boys. They're often going after men, but they have a broad swath. And the number of young men who have ended up taking their lives
Starting point is 00:36:52 because they feel like it's over, that there's no way out, is spectacular. This is terrorism. It is terrorism online. And we should treat it like in any other situation. If people were killing, taking, you know, making old people live in shelters, basically, or live in communal housing
Starting point is 00:37:10 because they stole their life savings, or causing children to die, we would invade that country, right? Like, there's no other situation in which we would not roll the F-22s. So look, we all agree here, and this is the interesting thing. And this is where we've arrived.
Starting point is 00:37:26 And this is where we should probably wrap it up. But we all agree that the disrupt, do anything you can approach is really what we need to do. And perhaps that's something for policymakers to think about, which is how do you actually get yourself into a position where you can disrupt organizations like this that are doing this sort of stuff without it coming at a cost of other national security activities that are very important. But I do have one very last question. Given all of what we've talked about, do you see now why I worry about the North Korean thing? Because you cannot pull the same levers, even on the disruption side, it's very difficult to pull the same levers against the North the north koreans they're a very difficult state to coerce do you get now
Starting point is 00:38:08 why it gives me the willies i you know what i actually i wonder if it doesn't make it easier to respond because it's much more closer a lot closer aligned with the state and it opens up a title 10 set of authorities that the government may otherwise be unwilling to use i mean they've self-selected into targeting that's a good point i mean it's true that like what are what's left for us to do to punish north korea right short short of kinetic warfare and yeah we have a lot fewer levers there than we have even with russia we're not using levers with russia but there's still a lot there's still a significant amount of economic flow between Russia and the West. And Russia has criminals where if you dox these guys and say they have Bitcoin, people go around and beat them up.
Starting point is 00:38:50 That doesn't happen in North Korea. That's my point. Where's the lever? I just don't know. I think saying, this guy lives in this luxury apartment and he has $50 million in his wallet, go beat his ass, is not, as a taxpayer, I do not object to our government doing that. Yeah, but that works in Russia.
Starting point is 00:39:06 It doesn't work in DPRK, which is my point again. All right, so I'm going to wrap this up. Alex Stamos, Chris Krebs, fascinating to talk to you both, as always, about transnational organized crime, disruption, ransomware, sadly, sextortion, pig butchering, human trafficking. Oh, my God, we've covered it all. A pleasure to chat to you both and can't wait to do this again, Alex, Chris
Starting point is 00:39:27 thank you very much, thanks Patrick thank you Patrick
