Rafal Rohozinski untangles online crime schemes for a living, advising everyone from the BBC to the U.S. Department of State. When news broke that "spear phishers" (hackers who fool employees into giving away critical information) had breached networks at the Treasury Board of Canada, his phone started ringing. Rohozinski, the CEO of cyber consultancy SecDev Group and a senior fellow at the University of Toronto's Munk School of Global Affairs, delivers a sobering message to Ivor Tossell: Cybercrime is hitting bottom lines, and our days of worry-free global communication are numbered.
First off, what happened at Treasury?

Networks within the Treasury Board, as well as several other departments, were infected with e-mail-based malware that seemed to be oriented toward extracting specific information. It spread by targeting gatekeepers, people in positions of responsibility. This is pretty common. If you look at what cybercrime has become, it's sort of like theft of high art. You have gangs that have become pretty good at breaking into confidential information at all sorts of institutions: banks, governments, corporations.
Do we have any idea what these hackers are looking for?

We have strong suspicions that some of this is being commissioned by foreign intelligence services. We also think that some of this is being done on spec: People harvest documents and then see who might be interested in buying them.
Are most vulnerabilities technical or human?

I think it's 50/50. Human vulnerability will give you access to just about any network. There's an infamous case, called Buckshot Yankee, in which U.S. Department of Defense computers were breached because a contractor happened to use an unauthorized USB key, which established a bridgehead for a piece of malware. The DoD instructed everyone to take some liquid cement and to gum up USB ports on computers so that thumb drives could not be used.
Computers can get hijacked after visiting a malicious Web page. But how do individual gatekeepers get conned?

Using social networks of trust is a proven way of getting footholds into a network. Once I have access to someone's e-mail box, I have access to all the messages they've sent. I can resend a message, except with a virus injected into it. Now, if you were to get a duplicate e-mail from someone you really trusted, what would you think? He sent it twice, right? Click, and all of a sudden you're infected. Now, what we haven't seen, or at least what's not been made public, is how that would work if I was able to get control of five or six accounts of key traders, and I started generating fake messages, or adjusting messages a little bit.
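The "he sent it twice" scenario above has a defensive counterpart: a mail gateway can remember what a sender has already delivered to a recipient and flag a near-identical second copy that suddenly carries a new or altered attachment. The following is an added example written for this page, not code from Rohozinski or SecDev and not a description of any real gateway product; the `Message` fields, the 0.9 body-similarity threshold, and the sample messages are all constructed for illustration.

```python
"""Flag a replayed e-mail: a copy of a message the recipient already received,
now carrying an extra or modified attachment. All field names, thresholds and
sample messages below are constructed for illustration (assumptions)."""
import difflib
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str
    attachments: Dict[str, bytes] = field(default_factory=dict)  # name -> raw bytes

def attachment_digests(msg: Message) -> Dict[str, str]:
    """SHA-256 per attachment, so a same-named but altered file is noticed."""
    return {name: hashlib.sha256(data).hexdigest()
            for name, data in msg.attachments.items()}

def message_key(msg: Message) -> Tuple[str, str, str]:
    """Thread identity: sender, recipient and subject with Re:/Fwd: prefixes stripped."""
    subj = msg.subject.strip().lower()
    changed = True
    while changed:
        changed = False
        for prefix in ("re:", "fwd:", "fw:"):
            if subj.startswith(prefix):
                subj = subj[len(prefix):].strip()
                changed = True
    return (msg.sender.lower(), msg.recipient.lower(), subj)

class ReplayDetector:
    """Keeps the first message seen per thread and compares later copies to it."""

    def __init__(self, body_similarity: float = 0.9) -> None:
        self._seen: Dict[Tuple[str, str, str], Message] = {}
        self._threshold = body_similarity  # assumed cut-off for "same message"

    def inspect(self, msg: Message) -> Optional[str]:
        """Return a reason string if msg looks like a replay with a payload change,
        otherwise None. The first copy of any thread is always recorded and allowed."""
        earlier = self._seen.setdefault(message_key(msg), msg)
        if earlier is msg:
            return None  # first time this sender/recipient/subject triple appears
        similarity = difflib.SequenceMatcher(None, earlier.body, msg.body).ratio()
        if similarity < self._threshold:
            return None  # a genuinely different message on the same thread
        before, after = attachment_digests(earlier), attachment_digests(msg)
        added = sorted(set(after) - set(before))
        modified = sorted(n for n in set(before) & set(after) if before[n] != after[n])
        reasons: List[str] = []
        if added:
            reasons.append("adds attachment(s): " + ", ".join(added))
        if modified:
            reasons.append("modifies attachment(s): " + ", ".join(modified))
        if not reasons:
            return None  # a plain duplicate, e.g. a user really did hit Send twice
        return "replayed message " + "; ".join(reasons)

# Constructed sample traffic (not real messages or real files).
ORIGINAL = Message("alice@corp.example", "bob@corp.example", "Q3 budget",
                   "Bob, the figures are attached. Alice",
                   {"budget.xlsx": b"constructed-spreadsheet-bytes"})
BENIGN_RESEND = Message("alice@corp.example", "bob@corp.example", "Q3 budget",
                        "Bob, the figures are attached. Alice",
                        {"budget.xlsx": b"constructed-spreadsheet-bytes"})
REPLAY_NEW_FILE = Message("alice@corp.example", "bob@corp.example", "Re: Q3 budget",
                          "Bob, the figures are attached. Alice",
                          {"budget.xlsx": b"constructed-spreadsheet-bytes",
                           "budget_final.exe": b"constructed-payload-bytes"})
REPLAY_SWAPPED = Message("alice@corp.example", "bob@corp.example", "Q3 budget",
                         "Bob, the updated figures are attached. Alice",
                         {"budget.xlsx": b"constructed-tampered-bytes"})

def run_demo() -> List[Optional[str]]:
    """Feed the four constructed messages through one detector, in order."""
    det = ReplayDetector()
    return [det.inspect(m) for m in (ORIGINAL, BENIGN_RESEND, REPLAY_NEW_FILE, REPLAY_SWAPPED)]

if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict or "allowed")
```

The detector deliberately tolerates an exact duplicate with identical attachments, which is the honest double-send Rohozinski's victim assumes; only a copy whose payload changed is surfaced. In a real deployment the "seen" store would be bounded and persisted, and a verdict would route the message to quarantine or a second-factor confirmation rather than silently dropping it.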
If e-mail becomes a "trust nobody" proposition, what kind of changes to corporate culture are we looking at?

There's a revolution coming. Not everyone within a business will be connected to the same network. A lot more thought will be given to creating closed networks. Perhaps e-mail will stop taking the form it has now, and you'll see more corporate, in-company e-mail. Everybody lives by their BlackBerry and Outlook. The fact that we can travel and still connect to the enterprise is a great asset. But perhaps that just isn't going to be realistic.
Are businesses paying enough attention to cybersecurity today?

The reality is that businesses and governments have grown fat on the fact that computing power has been a major source of efficiency. There's a huge reluctance to reintroduce friction back into it. This will only be accepted if the liabilities of not dealing with it become a risk to business: when things move from the office of the CSO to the CFO. How that's going to change the nature of business is a good question. I don't have the crystal ball to say whether that will be a good thing or a bad thing, but I think it's inevitable.