You Don’t Bring a Human to a Software Fight

Albert Knuth
Connecting The Dots
10 min read · Nov 20, 2018
“You may want to bring James Trainor to a software fight though.”

James Trainor is one of those people who comes across as genuine and relaxed, but you immediately feel that you’re speaking with someone who has seen it all. It’s this type of confidence that is built on real skill and experience. His tolerance for nonsense? Probably very low. To a large extent, this may be due to the fact that he had a 20-year career with the FBI, where he most recently led the Cyber Division in Washington DC. Mr. Trainor was responsible for establishing the FBI’s national strategy for combatting cybercrime, as well as leading the FBI’s cyber workforce both at HQ and across 56 field offices, which had a combined personnel count of more than 1,000 people.

Today, James is Senior Vice President in the Cyber Solutions Group at Aon, one of the world’s largest providers of risk management, insurance brokerage and reinsurance brokerage solutions. Mr. Trainor, who holds a Master’s degree from the University of Connecticut, served in the U.S. Army as a military intelligence officer in Germany during the fall of the Berlin Wall. He has operational experience in cybersecurity, counterintelligence, counterterrorism and criminal investigations.

I had the honor to meet James during the 2018 Web Summit in Lisbon, where we talked about cybersecurity.

The interview has been lightly edited for clarity.

Albert: Is it easy to breach an organization these days?

James: Yes, sure. Just think about the scale and size of some of the big multinational corporations, some of which have a presence in over one hundred countries with tens of thousands of employees. That’s a lot of infrastructure, people, data, devices, and applications, and therefore a lot of vulnerabilities. A large part of preventing computer intrusions has to do with cyber hygiene. If you continuously keep your systems and networks clean and remain diligent about the routine work that needs to be done, like patch management, you will likely become a much harder target to penetrate. However, if you have a dedicated adversary — particularly a nation state actor — then the chances of a company keeping them out of their network are quite low.

“It’s not really organized crime, but rather disorganized crime.”

Albert: How are these criminals organized and are there any structures or actors who enable these kinds of activities?

James: When you consider that there is not necessarily one individual who has the skillsets to perform all the skills required to perpetrate cybercrime, administrators for various darknet marketplaces — such as Silk Road or AlphaBay — play a key function. They administer these forums, which serve partly as a marketplace for people to buy and sell hacking-as-a-service. Criminal groups go to these forums and identify the infrastructure they need to distribute their malware, whether that’s coders, malware checkers, or botnets. It’s not really organized crime, but rather disorganized crime. This has been the case for the past 10 years or so, with these activities coming from places like the Eastern European region and Russia.

On the other hand, business email compromise (BEC) activities, which require social engineering to fool an executive into wire transferring money, are where you’re getting broader in scope. You see that in Eastern Europe, as well as in countries throughout Africa.

James Trainor during his tenure at the FBI (Source: James Trainor)

Albert: How have these criminal actors evolved?

James: On the BEC side, which is coming predominantly from Nigeria or Western Africa, you see that the tradecraft has evolved. It’s still a relatively simple scheme, but the manner in which spear phishing is done today is becoming more accurate. Phishing emails are looking more and more legitimate, and it is easy to be fooled.

Cyber criminals are also appearing in scenarios where money is being moved, particularly in real estate transactions, where you have new people receiving funds, which gives cyber criminals the opportunity to try to interject themselves. So, in that respect, criminals are becoming more sophisticated — and since we’re talking about billions of dollars in losses per year, it is clear that this is a significant problem.

Criminal hackers, particularly those who act via ransomware, are a perfect example of how threats have evolved to the point where the entire payment transaction is facilitated through the Tor browser. We have seen hackers move away from targeting individuals to targeting organizations, which means they are also evolving to become extremely consequential, such as in the case of WannaCry. The threats, of course, do always evolve, but the tradecraft of an intrusion is similar because malware and the exploitation of vulnerabilities will always be the cyber hacker “game” to some extent.

Albert: Are the different actors also collaborating? And, is it always possible to clearly attribute attacks to a specific source?

James: You see collaboration with some countries, such as in Russia where the Russian intelligence service will leverage access and skills of Russian criminal actors as demonstrated in the Yahoo intrusion. Yet, attribution can certainly be challenging. For government agencies, it tends to be a little easier to follow and identify the source, because authorities are constantly collecting information on the threat environment, and there are different streams and resources available to the government in terms of getting the information needed to determine attribution and paint a picture of who is responsible. The tradecraft is pretty well established, and you can usually get a pretty good idea of who is responsible by looking at the malware and infrastructure that has been used and how the activity went on and off a network. It’s certainly challenging, but it’s not impossible.

Albert: Given the threat level, do you think that corporations give cyber security the attention it deserves?

James: It depends on the industry. The financial services sector clearly understands it, as their business is — for all intents and purposes — entirely dependent on the Internet and data. Companies in the financial industry also have the resources to heavily invest in the cybersecurity space.

In regard to other industries, I believe many do not fully understand the consequences of being unprepared for a cyberattack or breach. In my experience, companies that have suffered a breach and witnessed the pain of an intrusion firsthand understand the importance. They have seen the financial costs, leadership changes that may occur as a result of an attack, board oversight, regulatory enforcement, civil litigation, and all the other consequences that follow. As a result, those players are open to allocating more resources to cybersecurity and to investing in appropriate risk transfer solutions.

Albert: The annual losses caused by cyber intrusions have recently been estimated to possibly reach $6 trillion*. Are there additional factors that may induce a real shift in our mindsets when it comes to cyber threats?

James: When we had some of the ransomware attacks on hospitals in the U.S. in 2016, I spoke with someone who works at a cybersecurity firm and was personally admitted to one of the affected facilities at the time. He couldn’t move to a different hospital because the platform with all the medical records was not available. Even though the attacks did not affect him physically, I think it’s in these types of scenarios that we will start to see things changing. We really haven’t experienced that yet, but when you see a computer intrusion that results in the loss of a life, I think then we will see a significant mindset change.

“In my view cyber defense is all about automation and it is more of a software play than a hardware play.”

Albert: A common trope is that human error underlies the majority of intrusions: somehow someone always clicks on something they shouldn’t have. Now, even if that’s true, isn’t this narrative possibly oversimplifying a very complex issue?

James: I think so. I served on the Public Sector Advisory Council of Palo Alto Networks, and we often said that “you don’t bring a human to a software fight.” There’s always going to be a human error component. At Aon, for example, we have 52,000 employees, so it is inevitable that one of those people will make a mistake at some point. Yet, in my view, cyber defense is all about automation and it is more of a software play than a hardware play. We’re all going to use machine learning (ML) and artificial intelligence (AI) when it comes to automation, and there’s just no way a human being can keep up with these types of emerging technologies. So, you really have to improve your capabilities, evolving more towards “cybersecurity-as-a-service.” It’s all about more data and being in the cloud, analyzing that data, and then forcing those rules onto the different environments. That’s not a human issue. That’s a technology, software issue.

That said, I am certainly supportive of education and training because humans will absolutely remain critical in preventing cyber threats, but I’m not expecting that to somehow resolve all of the issues. We need to look at technology to help cybersecurity evolve, because that is what the cybercriminals and hackers are doing.

“To me, this is really all about the concept of a team sport.”

Albert: Should companies that have become the victim of an intrusion automatically bring law enforcement into the picture?

James: In the case of an intrusion on a large financial institution, for example, the firm will generally contact outside legal counsel and a cybersecurity firm to work side-by-side with their internal cybersecurity response team. In my opinion, you should have law enforcement involved as well, and the Federal Trade Commission has ruled that as a best practice too.

In the case of the FBI, you have the opportunity to work with people who have deep subject matter expertise and the bureau will not charge a firm for their services — it’s essentially free labor. So, why not take advantage of that and work together to clean up the damage as quickly as possible?

However, a lot of companies don’t bring in law enforcement, and instead clean up the mess and take care of required regulatory notifications on their own, and then they move on. I personally think that’s a mistake. It is in the best interest of everyone involved to work together collaboratively and share information to remediate the attack, get a bad actor off the network and get back to business. To me, this is really all about the concept of a team sport.

Albert: What are some of the reasons that companies may opt to not involve law enforcement?

James: They may not know who to call. They also, in some cases, might feel like they are going to lose control, or that law enforcement or a cybersecurity firm might second guess what they did in the first place, and thereby impact their potential civil litigation. I don’t believe any of those are relevant concerns, though. The FBI treats companies as victims who didn’t do anything wrong. It’s not the FBI’s role to second guess a company that has been attacked or breached, but rather to get the bad actor off the network and ultimately find out who was responsible. Many companies probably don’t know that, but we did a really good job improving on this problem during my tenure at the FBI, and they’re still continuing those efforts to this day.

Albert: How important is speed in cyberattack response?

James: I am sure that banks, for instance, are targeted daily with these types of attacks. If you have one customer account or one computer that’s been taken over, that’s a problem — but it’s not as bad as a thousand or ten thousand being taken over. That said, if you wait too long to address a problem, it could get to that point. So, how quickly cybersecurity teams respond to these types of incidents is really, really important.

Albert: What does a sound cybersecurity strategy look like at its core?

James: You really have to treat cyber as an enterprise risk. Regardless of what framework you use, there are four fundamental areas to focus on. First, a company must increase visibility into their network and traffic, which means they need a full understanding of what applications they run. That’s really important, especially when you have thousands of employees and each one of them has several devices linked to the company’s network. Second, reducing the attack surface through, for instance, multi-step verification and network segmentation is a must. Third, companies must work to prevent known threats, which means having proper patch management and anti-virus software in place, in addition to establishing secure information sharing and other things along those lines. Lastly, companies have to prevent the unknown threats, which is where ML comes in, as well as partnerships with the government and intelligence firms, all with the goal of learning how a company could potentially be targeted.

At the end of the day, if those things fail — and they can fail — that’s where risk transfer and cyber insurance play such an important role, which is really about balance sheet protection. That’s the place where businesses need to consider the specific consequences of a data breach and the interruption a breach would have on the entire organization, at which time they can ask themselves how broad their cybersecurity policy can and should be.

Albert: What do you personally read to stay current on cyber?

James: I read a lot and cybersecurity is sort of like learning a foreign language: you’ve got to keep practicing it in order to get proficient, but it takes time and it can be complicated at times. I really like Palo Alto Networks’ CyberSecurity Canon, which is an up-to-date list of the best books about cyber security. I also subscribe to the WSJ Pro Cybersecurity Newsletter, which I read daily.

James Trainor and I in Lisbon

Note: *according to Steven Morgan of Cybersecurity Ventures.

I hope you have enjoyed this interview. For questions or comments, or if you want to receive updates, get in touch via Email info@connectingthedots.cx or Twitter @cngthedots.

Albert Knuth, Connecting The Dots: writing about the intersection between technology, insurance and regulation.