Four things I’m reading this week:
International Arrests Highlight How Hard International Arrests Really Are: On March 1, FBI agents, working in coordination with other agencies and a range of foreign partners, arrested 17 people in the US and overseas for involvement in a massive cyber-fraud ring. The criminals initially focused on a fraud scheme where they tricked victims into buying non-existent cars online, and later branched out into other major financial frauds.
There are two important points about cybersecurity to draw from this story. First, lucrative crimes don’t have to involve hacking to exploit the Internet. It’s often more effective, and faster, to simply use the anonymity of online transactions to trick victims into giving their money up unwittingly. In this case, the criminals made off with millions – the indictments charged the targets with the theft of more than $13 million.
Second, while many criminals might seem to get away by hiding in foreign countries, determined law enforcement agents can still reach these criminals. But it is an expensive, complex process. In this case, the investigation stretched back to 2011, and involved thousands of agent-hours of investigation spread across multiple agencies and multiple countries. It is hard to slow down the rate of cybercrime if deterrence costs more than committing the crimes in the first place.
I’m reading: “19 Indicted in International Fraud and Money Laundering Schemes.”
Teen Vogue Weighs In On Encryption: Teen Vogue continues to write incisive pieces about security and technology in the modern era. On Thursday, they published a piece on how to keep messages secure, including input from Zeynep Tufekci, Moxie Marlinspike, and Alec Muffett. Quick and worthwhile read if you have questions about what messaging services you should use and how to protect your communications today.
I’m reading: “How to Keep Messages Secure.”
Words Matter. The Election Wasn’t Hacked, but Influence Operations Are Still a Really Big Deal: On Wednesday, Niloofar Razi Howe, currently Chief Strategy Officer at RSA, published an op-ed pointing out that Russia did not, in fact, “hack” our elections – by all accounts, no votes were changed, no voting systems broken into – and these claims to the contrary confuse the debate and undermine our security as much as improve it.
While this is not a new distinction, it is an important one that we need to keep making. There is no indication of vote hacking, which means that while improvements to voting security are always a good idea, we shouldn’t confuse them with actually addressing the problems we saw during the 2016 election.
But at the same time, let’s be clear: just because the actual votes weren’t hacked, doesn’t mean that the influence operation we saw carried out during 2016 wasn’t a big deal. It was. In fact, it exposes a critical fact about cybersecurity: you often don’t need to solve the hardest problem to get the biggest effect.
Hacking into distributed voting systems around the country, many of which would have required physical access, and changing just the right number of votes in just the right places to affect the outcome without being detected would have been incredibly hard. But stealing some incriminating information, leaking it in a way that influences ongoing debates, and using public messaging and rumors to influence opinion is much easier. And it means that, months after the election is over, far more people doubt the legitimacy of the vote than would have if a hack had been uncovered and remediated.
Cybersecurity is often about stopping a malicious actor that is looking to cause uncertainty. And uncertainty is as easy to create indirectly as through direct action. We need to secure our systems, but we also need to make sure we’re protecting ourselves against the most serious threats we face, even if they aren’t the most sophisticated or those we expect.
I’m reading: “Opinion: No, Russia didn't hack the election.”