Interview with Misha Glenny, Cybercrime Expert

In this interview, Misha Glenny, author of a recent book on cybercrime, discusses how technology has infiltrated every aspect of life, from our personal phones to complex infrastructure systems, giving cyber criminals more platforms and opportunities to strike, at increasingly higher risk to the population at large.

The latest example of this is Stuxnet, the worm that infected two of Iran’s nuclear facilities in 2010 and is said by many to have started a cyber arms race. “What Stuxnet did was to accelerate those programs around the world,” Mr. Glenny says. “Basically, countries said, this stuff is out there, we have got to get engaged with this.”

However, there is no international framework or convention for developing these types of weapons. “Anyone can start developing cyber weapons,” he says. “It’s not that difficult.”

Competing priorities between countries are impacting the development of an international approach. “For the United States, the issue of intellectual copyright protection is extremely important,” he says. “For the Chinese, or for the Brazilians, they don’t really care about that.”

Mr. Glenny also discusses the real cost to consumers around credit card fraud, and how he justified hacking into his own daughter’s Facebook account, which would have made him a cyber criminal in the United States.

The interview was conducted by Warren Hoge, IPI Senior Adviser for External Relations.


Interview Transcript

Warren Hoge (WH): I am here today with Misha Glenny, a longtime BBC correspondent in central Europe and the author in 2008 of McMafia, a best-selling book on organized global crime. His new book explores the threats of cyber crime, cyber warfare, and cyber industrial espionage and portrays the creation, the function, and the ultimate shutdown of the vast criminal website known as DarkMarket. The book is appropriately entitled DarkMarket: Cyberthieves, Cybercops, and You.

Misha, the end of that title says “and you.” That implies that this is a problem that affects every one of us, and in the book you say it can no longer be swept under the carpet. Tell us about that.

Misha Glenny (MG): Well, what you have seen over the past 10, 15, 20 years is the development of an exceptional dependence on networked computer systems and the Internet in every aspect of our lives, both in terms of the infrastructure of the countries we live in, in terms of—you know, how your water gets to you, how your electricity is delivered, that sort of thing, but also, of course, in your own personal life.

One interesting thing is, I don’t know if you noticed, but we don’t remember telephone numbers anymore. They are all in our contact books, in our phones and, of course, if we have made the silly little mistake of failing to back up the data on our phones, we are lost, because we can’t tell—sometimes you can’t tell your own phone number anymore. That’s just a tiny example, but you can think about it in almost any aspect of your daily life.

So, with that, and given that each of us, with our own devices—and it used to be just one computer per family; we all have three or four devices of our own. Each of those devices is a vulnerability, is a device which digitally can come under attack. So, you have to know yourself.

Let me give you a brief example. When cars became popular and a mass-market commodity in the ’40s, ’50s, ’60s, and ’70s, if your car broke down, then the only persons inconvenienced by it would be you and your family, and the person you were going to visit. If your computer is attacked, and your computer comes under control of an organized crime syndicate or an intelligence agency, anyone who’s creating these things called botnets, which are the amassed computing power of devices that have been infected, then you are contributing to malfeasance, to bad stuff on the web; and, of course, you’re also risking your own personal data. You have to get wise to the fact; otherwise, you may find all your data splashed across the Internet, for anyone to chew over, as they will.

WH: Misha, the Stuxnet computer virus that has targeted and disabled Iranian nuclear facilities seems to be a key component in the Western effort to keep Iran from possessing a nuclear weapon. So we can probably expect to see more of that kind of thing going forward. But its creation and its successful deployment has really upped the ante and carries huge risk, hasn’t it?

MG: Yes, of course, though we don’t yet have definitive proof, except for those people who actually developed and deployed it. We don’t know who was responsible for the Stuxnet virus. We do know that it affected two uranium enrichment facilities at Natanz and Bushehr, along with many other thousand Siemens systems—core industrial systems that Stuxnet infected—but the aim was clearly to go for the Iranian enrichment facilities, uranium enrichment facilities in Iran.

Now, was it the Israelis, was it the US, was it, as a minority position holds, the Chinese who developed Stuxnet? We don’t know for sure. We can sort of guess and extrapolate politically. In my opinion, it was probably the Israelis and/or the US, or the two in combination, some form of that. It was clearly part of attempts to disrupt Iranian nuclear development.

Now, once that had happened, what was important about Stuxnet, for me, politically, was first of all, a state, or states, invested a huge amount of time and money and human investment in developing this thing. It took months and months and months to develop, and then they deployed it. By deploying it, they would’ve been aware that it would come out at some point that it was deployed, they were saying to the rest of the world, “we’ve got these weapons and we’re prepared to use them.” What that did was, there were dozens of countries which already had nascent development capability of offensive cyber weaponry, but what the emergence of Stuxnet did was to accelerate those programs around the world. Basically, countries said, this stuff is out there, we have got to get engaged with this.

The interesting thing about cyber offensive capability is, there’s a relatively low level of entry into that sort of thing. Anyone can start developing cyber weapons. It’s not that difficult. Viruses are very easy to write, and so we now have this sort of cacophonous development in cyber warfare, cyber military, where people are making this stuff up outside of any international framework. There is no convention which regulates this stuff.

WH: If that means that we have a cyber arms race going on, is there yet any international consensus on how to control these arms, and keep them out of the hands of the bad guys? Is there any kind of a nonproliferation movement started yet in this area?

MG: Well, there are what one could describe as talks about talks about talks, but not much more than that. You know, although the technology is the same, the interests which individual countries have invested in that technology and how it might develop are very, very different. So, for example, for the United States, the issue of intellectual copyright protection is extremely important. The piracy of Hollywood films, and other creative industries, which are where the United States derives a lot of its money, they want that to be at the top of the agenda of the bad stuff that happens to the West.

For the Chinese, or for the Brazilians, they don’t really care about that. They don’t have a dog in that particular fight, and they don’t see why they should invest money chasing the criminals who are making them in China and Brazil. Actually, it’s not really impacting on their society, as it were. So there you see a real problem about how do you regulate something when you’re regulating different things? Because the Chinese, of course, do regulate the Internet — less to track down breaches of intellectual copyright and more to make sure that ordinary Chinese are not watching or listening to subversive political material on the web. So, you know, those interests don’t coincide.

You see that in the sort of commercial and political sphere, but it applies to the criminal, it applies to industrial espionage and it applies to military. Beginning to fashion even a sort of broad framework of what the discussion should be is proving very, very difficult. Although attempts, as I said, are being made.

WH: I want to go back to personal use and ask you: people who get reimbursed by their banks when their accounts are hacked or get made whole by their credit card companies when their cards are compromised, they can go away thinking that this is a victimless crime. Why would they be wrong to think that?

MG: Well, you know, it’s quite a traumatic thing if your Internet bank account has been hacked, as that usually assumes that somebody has rifled through your computer itself and the data on your computer. So it depends what level that you’re a victim of a cyber crime. If you can see that your data has been mined, that is very, very disturbing and upsetting, akin to a feeling of having your house broken into.

But for most people, experience of cyber crime is, as you suggest, having your credit or debit card compromised. As soon as that happens, you get a call from the bank, they have data systems which can spot unusual transactions, and they’ll get in touch with you straight away and say, “Have you been spending a lot of money on spas in Tanzania recently?” And you’ll say, “No, I’ve never been to Tanzania.” “That’s all right,” the bank will immediately say. “Your card has been compromised but don’t worry, we have reimbursed the $1600, which was a fraudulent payment from the Tanzanian spa and you didn’t think about it.” Of course, as a consumer and as an individual, you say, “Thank God for that. Phew, I have been let off here. Hurray.” And although it’s actually rather inconvenient waiting for a new card, that is a side issue. The question is, who is paying for that $1600? Is the bank paying for that $1600? My answer to that is, probably not, given the reluctance that we know banks have for paying out for anything, particularly if they’ve been up to no good themselves.

But that again, is a side issue. No, they get reimbursed by insurance companies, and the insurance companies then up the premium on the banks that they pay, and the banks pass those increased costs over to the consumer. So we are basically all paying for the cost of cyber crime, and those costs are rising steadily, particularly in the wake of the recession of 2008.

WH: Talk a little bit about who the hackers are, what their motivations are. Are they criminals? Can you prosecute them as a way of curbing this misbehavior?

MG: Some of them are criminals. Some of them have been prosecuted. Some of them are in jail. A lot of them have got away with it. Now what can you do about hackers? Well, this is a very difficult question because people’s motive for hacking varies tremendously. First of all, you have white hat hackers, people who hack but for what they consider to be ethically decent goals. Then you have groups like Anonymous who hack for political reasons. They don’t hack for financial gain. They hack to make a political point or to exact retribution as they see it, on state or corporate entities, which they feel are behaving unfairly. Then you have the criminal hackers.

How do you differentiate between them? At the moment, we don’t. We see them all as hackers who have exceeded their authorized access and therefore are liable to times in prison. I think the time has come to have some more research into the characters of hackers.

We know one or two things about hackers for sure. One is that 95 percent of them are male, which tells you a great deal in itself. The other is that hackers, unlike people involved in traditional organized crime, if we’re talking about criminal hackers, they don’t need to deploy violence to get in to the game. You don’t need a baseball bat to hack, which is for me, very important because it attracts a different type of character. And those characters tend to be young, they tend to be gifted at math, they tend to do poorly socially in the outside world.

But these are huge generalizations, and the reason why they are generalizations is we have come across them in courts, we have come across them in hacking forums, and things like that. But nobody has yet invested the requisite research into what is a growing problem. We are now getting generations coming up for whom the Internet is second nature, and as a consequence, we are getting a proliferation of hackers. We are not dealing with them, we are not looking into them, we see them just as criminals, regardless of what the motivation is. That has got to change.

WH: Finally, what kind of man would hack into his own daughter’s Facebook? Why did you do that, Misha, and has she forgiven you?

MG: She’s 19. She’s my daughter and I had to hack into her Facebook account because she went missing and it was the only way that we could track down, her mother and I, where she was. Her phone was turned off and she was due to leave for the airport; her mother was going to give her a lift a few hours later, and I just said, “Enough is enough. I need to know where she is,” and so I hacked into her Facebook account, which would’ve been an illegal act here in the United States—fortunately I was in the UK at the time—and put out a message saying where is she, this is her father, and as a consequence of that, we found her. All was sorted out. She, of course, for two weeks wouldn’t speak to me; she wouldn’t speak to me partly because she was very embarrassed, as well she might have been, and partly because she was furious with me for hacking into her Facebook account.

This is an interesting issue for children, it’s really paradoxical this. They’ll put out any old rubbish about themselves, really the most appalling stuff on Facebook, very, very personal and intimate stuff as well. But woe betide a parent who gets anywhere near their Facebook account.

WH: Misha Glenny, thank you very much for talking with the Global Observatory.

MG: Thank you.