[00:57] Making Cyber Fun, Informative, and Worth Looking Forward To

Eric: I noticed our guest's podcast today has an explicit rating. We have a clean rating. We're going to do our best, but some things happen.

Graham: It's outrageous.

Rachael: I don't even know where to go from there. But, yes, I'm so excited to welcome today's guest. I have to admit I even have podcast envy from his Smashing Security Podcast. It makes cybersecurity fun, informative, and something that you look forward to learning more about. So thank you, Graham Cluley for bringing that to the world, and welcome to To the Point.

Graham: Well, what a lovely introduction that was. That was very kind. Thank you so much. It's nice to be here.

Eric: It's great to have you, Graham. It's even better because this is our second take. We get two of you, it's awesome.

Graham: Let's not talk about the first one and what went wrong that time.

Eric: We will not talk about it, but I do love the fact that you opened your doors and windows so your signal is stronger today. That was awesome.

Graham: Oh, yes. The internet let us down a bit. Actually, it's a bit like what happens in Britain when it snows or when there are leaves on the train line. The whole country comes to a halt if there's a tiny little bit of frost. Or, "Ooh, I wonder if leaves will fall off the trees this year or not," and, sure enough, they do.
 

The Old Mary Jane

Eric: Before we get started, I have a question from one of your shows that you've recently done. I was listening to it. I need a little Oxford English dictionary, maybe that is the way to look at it. Jazz cigarettes. We're talking marijuana there?
Graham: Yes, the old Mary Jane

Eric: Okay. I had never heard that term before. I don't know. Maybe it's just me,

Rachael: Hilarious.

Graham: Well, I'm proud to say I'm very, very square and so I've never indulged in such things. But there are a lot of different phrases for cigarettes, including ones of the narcotic kind as well. The illegal substances, maybe not so illegal now, actually, from the looks of it.

Eric: I was listening to the show, and I thought I caught it.

Rachael: Yes, not so illegal in the US, for sure.

Graham: Yes, no, at some stage.

Eric: I thought I caught that but I wasn't sure and I had my 13-year-old with me. And he loved the show. He was like, "This is so much better than yours, Dad."

Graham: Oh, I don't believe that for a second. 

Eric: Michael, why is it better? They curse and they're not you. 

Graham: I think it's more the second.

Eric: Okay, I'll take that. Thank you. It was great listening with him. But I wanted to qualify that, I wasn't quite sure.

Graham: Yes, we had one listener who contacted us who said that his nine-year-old was a huge fan of the show. Whenever they went out on the weekends, they would tune in and he actually requested it by name.

It’s Great Making Cyber Fun and Entertaining

Graham: I was just like, "I really don't think this is a good idea."

Eric: With titles like Booze, Nudes, and Insurance Dudes, how could you go wrong with the minors?

Graham: Well, I don't want people to get the wrong idea.

Eric: But listen, it's a great, entertaining show every week. Graham, I've got to tell you, it is such a fun show. I have no problem.

Eric: My 13-year-old's heard it all so maybe I'm an irresponsible parent. But at least he's learning about cybersecurity, ransomware and the like, and a little English culture.

Rachael: Yes, exactly.

Graham: Well, I think it's important. Isn't it? If we're going to succeed in the fight against cyber criminals, then it can't just be beard-y nerds. People wearing sandals who are fighting the bad guys. We need absolutely everyone to learn about these things and know how to protect themselves from scammers. So we just try and make it accessible to everyone and part of that is making cyber fun.

Eric: I think that's a huge part of it. This is going to turn into a generational thing. I think back to 10 years ago, trying to talk to your mom or somebody who's not in the space, who didn't grow up in the space. They don't have the capability even to recognize what's happening, what you're talking about. It's just not part of their upbringing. The kids know though.

Graham: Yes, they do because they've been brought up in it. Nowadays, many people sadly have become victims or it's really front-page news about some of the data breaches which are occurring. But, no, I think it's very easy sometimes.


The World Has Fundamentally Changed

Graham: Sometimes we look at our elderly relatives or our in-laws. We think, "Oh, crikey, you're so terrible at all these Zoom calls and things like this. You don't really know how to do it." You have to remember, the world has fundamentally changed an enormous amount in a very short period of time. The iPhone, for instance, is only 15 years old, less than 15 years I think.

Eric: Yes, 2007.

Graham: Yes, and so that has made a huge societal change. It changed every smartphone which came after it. Everyone now carries a camera with them all the time, everyone's installing apps. And everyone's on a social network of one kind or another, or doing banking online. That's extraordinary in such a short period of time.

Eric: It is, and I think the older you are, in many cases, depending on your background, what you do, how you learn, it makes it more difficult sometimes to understand, in that pace of change we see what's happening. How vulnerable you could be, how accessible your information is. And how even disinformation on the news is so much more fluid than it was 10 years ago.

Graham: Right, yes. See, that's the big scary thing, isn't it? I'm getting quite old myself and there are lots of things people talk about, like NFTs. Just, "Oh, for goodness sake." And the deepfake technology and all of this. You kind of think, "Oh, is the whole world going to hell in a hay cart? What on earth? How am I going to keep up with all this TikTok stuff or Clubhouse?" But there's always something new, isn't there?

 

[06:40] We Made It Through
 

Eric: Back in our day when we walked to school, uphill, both ways, in the snow, even in the summer, we somehow made it through.

Graham: We did. Life was better then. Kids today. You tell them that and they just wouldn't believe you.

Eric: It was always better then.

Rachael: But that's a really interesting point. Remember living offline? I remember when we didn't have call-waiting and it was a rotary phone, if I'm dating myself. And it was a simpler time for sure, and you wonder, "Do we need to get back to that to get safe?" We lose all the convenience but maybe there's a movement that needs to start kicking off here. I don't know.

Graham: Yes, I don't know if we're going to get the kids to buy into it or not. There's a great video on YouTube, isn't there? Where I think a parent takes two teenage boys, sits them in front of a rotary phone. Then says, "Work out how you make a phone call with that." And they just do not have a clue, and it's understandable they don't have a clue.

Eric: I haven't seen it.

Graham: It's been around a lot. I'll send you a link later. It's such a bizarre user-interface, if you think about it, the old rotary. How would you choose a number because they're looking for buttons to press, at the very least. Do you pick up the headset first? They're baffled by it, which is fun for us.

Eric: Well, even the dial tone. There's no dial tone anymore. On cell phones, there's no dial tone. I noticed, my oldest is almost 28 now, my youngest is 13, there’s a generational gap between the two of them.

The Old Fogies Podcast

Eric: My grandmother, before she passed, had a rotary phone. My youngest had no clue how to operate it. To your point, Graham.

Graham: No.

Eric: My oldest did.

Graham: Welcome to the old fogies podcast.

Eric: Yes, isn't it great? Rachael, young us up a little here. Give us something.

Graham: Please.

Rachael: Well, where to start? I do want to say, Graham, for all of those that are listening, that I love, love, love your reporting. It's almost like your security podcast as well. You make it accessible and interesting.
Graham: Oh, thank you.

Rachael: Hitting on all the things that we should be talking about today. I think Colonial Pipeline, I've seen your recent coverage on that, ransomware. Everyone can't stop talking about it. You wrote that great story, and the irony I think of the world that we live in today of AXA, the cyber insurance company. Like, "We're no longer going to support ransomware."

Rachael: And then what do you know? They get a ransomware attack but it gets to the heart of what we were talking about a little bit earlier with Nicole. If you stand up and bring your head above the fray, and you make yourself a target if you go bold and make a stand. It's really created an interesting dynamic for companies today, I think, on how do you navigate forward.

Graham: Yes, it's true. Of course, we've seen that before as well with some of the anonymous style hacktivism. If they take a dislike to your company, they might deface your webpage and steal your data.

Eric: And they're back now.

Graham: Well, I'm not sure they ever really went away. Did they?

Anonymous

Eric: No, they quieted down. Anonymous quieted down a little bit.

Graham: They quietened down. I think some of that was because people realized you could get into an awful lot of trouble doing these things. You could end up in prison for a significant period of time. Maybe it wasn't so good to do those kind of things as a joke.

Eric: There is that.

Graham: Not to say that the world isn't any less political than it was 10 years ago, maybe in some ways it is. But there is so much cybercrime going around. But you're right, with AXA, the cyber insurance firm. What they did in France, which I think is where their multinational base is. They said, "We're no longer going to write new policies to cover ransomware payments for our clients."

Graham: Then, within days, their branches in Asia were hit by a ransomware attack. You have to think, "Well, I wonder if AXA has insurance to pay that ransom with." I'm laughing, I shouldn't be laughing because obviously it's not funny. Well, it is funny. But, no, it's not. Well, it kind of is funny. 

Eric: And if you're self-insured, is that really insurance?

Graham: Yes, exactly. Oh, maybe they went to a different insurance firm. Who knows? But you do have to wonder, "Were they targeted because of that?" What we have seen are cyber criminals who specifically target cyber insurance companies. Not to hit them initially with ransomware but to steal details from them of who their clients are. Then they hit those clients.

Eric: It's the coverage policies too.

Bad Humor

Graham: Exactly, because they know they are likely to pay. Then at the end of that process, they then hit the insurance company. So maybe that's what happened with AXA.

Eric: Yes, I think it was either bad humor or it was, "Hey, we need to protect our business model here. We will show the whole insurance world, don't do this."

Rachael: Yes, don't cut off our money source.

Eric: You'll be next.

Graham: Yes, and there's a lot of pressure as well from governments and law enforcement agencies who are trying to encourage. There's quite a strong lobbying going on at the moment in the UK, from former members of the Intelligence Service. Saying, "We should never, ever pay ransomware and ransomware payments should be made illegal." So it might be that we begin to see that pressure happening elsewhere. We've just seen it with Colonial Pipeline.

Graham: They were hit by ransomware, they shut down the pipeline. Now, interestingly, lots of people initially assumed the ransomware attack had shut down the pipeline. It turns out, the bad guys never had access to the pipeline. What it turns out was that Colonial Pipeline, according to reports, their billing system was affected. So they thought, "Crikey, we aren't going to be able to charge people for the fuel. So we better turn off the fuel pipe because we are going to lose money." 

Eric: That's such a logical response.

Graham: It is.

Eric: We're a pipeline company, we can't give oil and petroleum products away for free.

Graham: Well, no, it's a dangerous precedent, isn't it? Hence, you saw all those ques and the panic buying.

Ransomware Gang

Graham: But now Colonial Pipeline ended up paying $5 million to the DarkSide ransomware gang which hasn't turned out to be the best advert for DarkSide. Because apparently, the decryption tool they gave Colonial didn't work very well. It wasn't quick enough or it was a bit clunky. So Colonial said, "Oh, all right. Then we'll go to our backups." Madness, isn't it?

Eric: Yes, it is. And then DarkSide disappeared.

Rachael: Yes. What is that? It's DarkSide and then another one I think went offline as well, I read.

Graham: Yes, I think when you see the president of the United States begin to talk about your ransomware gang, you begin to think, "Hang on a minute, this might be a spot of bother. Chances are, he's going to put the authorities into looking into who we are." So my guess is they just scarpered.

Rachael: Maybe don't put out a news release, Graham.

Graham: They did. They sort of said, "Oh, we know we're not political. Please don't do this." But it's curious. So their infrastructure has now gone down. Interestingly, is that the work of law enforcement? Is it the gang pretending it's the work of law enforcement because they don't want to have to give commission to the other criminals? Because that was ransomware as a service. Have they actually scarpered with other criminals' money and are trying to make it look like they've just been shut down by the Feds?

Rachael: Interesting.

Graham: Who knows?

Rachael: I was wondering if there's some ransomware gang oversight board. And they felt like DarkSide just didn't deliver on a good SLA with bad encryption.

Graham: I think you're thinking of Specter.

Rachael: So they're making us look bad.
 

[15:06] Operation Olympic Games

Graham: You've seen too many James Bond movies.

Eric: Or is it like Operation Olympic Games where somebody shut them down to try to prove a point?

Graham: It may be. Maybe we'll find out one day. Who knows? But it's certainly disappointing to spend $5 million and find that your decryption tool isn't really up to the job.

Rachael: I know. There should be some kind of refund or partial refund built into this.

Eric: Oh, you think crime should have these rules?

Rachael: Exactly. Why not?

Graham: You should be able to go to the better business bureau.

Rachael: If you're only in it for financial gain.

Graham: You should be able to make a complaint.

Eric: Yes, file a complaint. The laws of criminal behavior were violated.

Rachael: Because that's the whole construct for ransomware, right? 

Graham: Did they sign a contract with the ransomware gang? That's the interesting question.

Eric: So, Graham, you reacted when I talked about disinformation or misinformation. Deepfakes fall into that category. I know that's an area you've spent some time on. The way you reacted, you're similar to Rachael and I where this is a major concern for us. What are your thoughts there?

Graham: Well, I think it's horrifying. Not just from the cybersecurity point of view but from the societal point of view. We've had a situation in recent years, both here in the UK and in the United States. People are beginning to distrust the media and distrust politicians. They're getting their news more and more from social networks. And people will share around.

Eric: Or from the media they choose.
 

Making Cyber Fun and Interesting

Graham: Well, exactly. So they might watch a particular channel which has a particular point of view. Let's be fair, that can be right-wing or left-wing. It can go either way. If you only hear news from one particular point of view, there is a danger that you'll be swayed from it. But so many people don't go to legitimate news channels.

Graham: So many people will now go to social networks instead. They'll see their friends sharing a video, or sharing a link, or a YouTube video, or something like that. And people re-share these things without even watching them sometimes, or just having read the headline. 

Eric: No, exactly. The headline can be very misleading even.

Graham: Well, absolutely. Or the image could be Photoshopped. So the risk is that the lie will get around the world in no time at all. Even if it is debunked later, it'll then be a tiny percentage of people who hear about that.

Eric: Yes, it's too late. So I go to the BBC. Smart, not smart? When I want it up the middle, I tend to look to the BBC and I can't even tell you why. I just do that.

Graham: It's interesting because here in the UK, the BBC has become quite controversial with some of the newspapers. Some newspapers feel that it is very left-wing, other people think it's too right-wing. Poor old BBC is stuck in the middle.

Eric: And I think it's right up the middle.

Graham: Well, I think they try to be. So I'll explain the problem that we had during our whole Brexit shambles.


The BBC Likes to Be Impartial

Graham: The BBC likes to be impartial and so it likes to present multiple points of view. A lot of people, a lot of academics and the like, and economists were of the opinion that Brexit was a bad idea. But the BBC had to present a point of view which also opposed that. So there were certain people who weren't necessarily economists, or weren't necessarily academics. They would be given equal airtime to those who felt, you know.

Graham: I'm not sure they necessarily had the same weight. Or look at something like climate change. Most of us agree that we need to do something to look after the world and be more careful with climate. Now, with the BBC being impartial, you should, according to their guidelines, give equal weight. To those people who believe that climate change is a real danger, to those people who are climate change deniers.

Eric: Yes.

Graham: Even if 99% of scientists say climate change is a really serious problem and only 1% think it isn't. You have to give them equal weight on the BBC. And that's the dangerous thing.
Eric: But is that the answer to disinformation?

Graham: I'm not really sure what the answer is. I have to say, I do rely on the BBC a lot. But I think each of us maybe needs to learn to be a little bit more discriminating, ourselves. We need to have some editorial thing of, whoever we're getting our news from, just to question it, just to be a bit skeptical. There it does begin to lead into cybersecurity, doesn't it?

It’s Useful to Be Cynical

Graham: Because you should be skeptical about the links you are sent. You should be skeptical even if a friend has sent you an executable file. Is it safe to run or not? And we know that quite often it isn't safe to run. So it's quite a useful thing to be a little bit cynical and skeptical sometimes.

Eric: It is. But I find in our fast-paced society, there are so many people that just click on the link. Or they don't have time, or they don't think about it, or, "I'm not going to do the research. Because to do the research would take 45 minutes and I really don't care enough."

Eric: But then they believe that there are microchips that are being injected into their body through the COVID vaccines. They can't even question. Well, even if we could make one that small, Rachael, how would we power a microchip in the body?
Graham: And is Bill Gates really that interested in what I'm doing?

Eric: We don't question.

Graham: To be monitoring me all the time.

Rachael: Exactly. I understand the flip side because I too like to make sure that I'm cross-referencing sources when I read something. So that I can figure out where in the middle the truth lies. But there’s something oddly gratifying when you find these sources on social media that reaffirm all of this life perspective that you have.

Rachael: You're like, "My people, my tribe." And you just want to swim in it all day long because it's comfortable and it feels good. Because no one likes to really be challenged. I think that's the challenge there.

Making Cyber Fun Won’t Ruin the Mood

Eric: I love being challenged. I totally disagree with you. But I will say, the majority of the public might agree with you. They don't want to be challenged.

Graham: I don't want to ruin the mood, but be serious for a moment. When I was at university, I had a girlfriend who joined a religious cult and it's interesting. The parallels I see from what happened to me and what happened to her 30-odd years ago. To what I see happening in society now, where you see people who believe that they are being victimized.

Graham: Who believe that the media is against them, who believe that things which they believe are not being taken seriously. They're presented as crackpots and extremists. And you do end up, when you feel painted into that corner. If you were a member of that small group, you begin to fight back and you accelerate the views of the people who are in your group with you. 

Rachael: Yes, you feel attacked.

Graham: You give them more reinforcement. There's a lot we can learn about how best to communicate with the people who maybe don't share our political views. Or people who don't agree with us about COVID, or vaccines, or whatever it is. You shouldn't just call them idiots, you shouldn't because you've lost the argument if you do that.

Rachael: Exactly.

Graham: You have to try and approach them in a much more emotionally intelligent way, I think.

Eric: So, Graham, I just finished a book by Adam Grant. Rachael, you're going to hear this again and again, called Think Again. We're trying to get him on the show but that's exactly what he talks about. Listen to their perspective.

 

[23:19] Making Cyber Fun and Looking at It in a Different Light

Eric: Don't hit that full frontal, "You're crazy about whatever you believe," but look at it in a different light. Understand their perspective. It seems to be a lot more effective. He's got some great research in the book, it's a great read if you get some time.

Graham: That sounds really interesting. I totally agree with it. The old saying, isn't it? That you've got two ears and one mouth so maybe you should listen twice as much as you talk. Here we are on a podcast where the audience can't talk back to us. Fantastic.
Eric: I can't touch that. They can actually. They can subscribe and they can leave comments and ratings for us.

Eric: But you're right, they're absolutely silenced. But everybody has a perspective on things. I believe everybody has a reason to have that perspective. Get to that underpinning of why they believe that and then have a discussion.

Graham: Most people are fundamentally decent human beings. Most people are reasonably intelligent, and they care, and they're empathetic, and they're nice people. When you get to know them, people are nice and they're decent people.

Graham: There's some reason why they have formulated a particular view. But don't just go up to them screaming in their face or making some snide joke. I'm guilty of this sometimes. Sometimes I post sarcastic things up on Twitter. I admit it. Sometimes I think I'm being funny. But then you have to think, "Well, is that actually funny to the person who's receiving it? Or does it actually reinforce them into believing that they are being victimized?"


Making Cyber Fun Without Treating It as a Joke

Graham: "That they are being treated as a joke by the rest of society, which just tends to just radicalize them in a way?"

Eric: So maybe that's a component to fighting disinformation, information we know is just patently wrong or faked. In the case of Deepfakes, or somebody putting out information to skew a population, question more.

Graham: Yes, question more.

Eric: Research more.

Graham: Ask yourself, "Why? Why would they do that?" And ask yourself, "Well, what's the evidence for that and why has that person said that? What have they based that upon?" Too often these things can be built upon a house of cards. So when you do begin to question these things and don't be afraid to question. If you find the people around you are saying, "Of course it's true. This is the way it is." It's like I said, be skeptical. That's a healthy way to be.

Eric: Right. I think we're wrong more than we're right so questioning ourselves is healthy.

Graham: Oh, I definitely am.

Rachael: Speak for yourself, Eric.

Eric: Trust me, that clearly applies in my situation. I am wrong much more often than I'm right. Okay, Graham, you've been doing this a long time. Yesterday in the show, which we won't release because it didn't work out so well. We said it was too long but that's a different issue, what do you see coming up?

Eric: You've been in this industry for a little while, I'll leave it at that, as I and I think, Rachael, you have too. What do you see coming up over the next decade? And what are the things we need to think about, worry about? What scares you?

 

The Scale of the Cyber Problem

Graham: You see, people ask me this all the time.

Eric: Oh. Then we'll get you a different question.

Graham: Well, all I can say is, here I am. I'm very skeptical of people who try to predict the future. I don't think we would ever have predicted that we would be in the mess that we're in now. The scale of the cybercrime problem, 15 or 20 years ago. We knew it was possible for countries to write malware and state-sponsored attacks. But it was the plotline of a James Bond movie rather than something you really thought might be happening on a regular basis.

Graham: So the only thing I will say is, I think the criminals are going to be doing it more. They're going to be making more money. And a lot of the tricks which they will use, perhaps this is a surprising thing for some people. They’re tricks that we've seen many, many times before. 

Graham: Because they work. Why develop something, why invent a new kind of wheel if the old wheel works just fine? So if it's working, they will carry on doing it. It may come in different paints and it may be disguised in different ways. But fundamentally, I think this is not a technological problem, I believe it's a human problem. That's what the cyber criminals are exploiting.

Eric: So does the human ever overcome that to where we're much better at what we do than we are right now? Because I've got to tell you, you're right. Predictions are horrible but they're the number one downloaded asset on our webpage every year.

Annual Predictions

Eric: When we do the annual predictions, people love that over everything else we do.

Rachael: They sure do.

Eric: But we're always wrong.

Graham: People love horoscopes as well don't they? 

Rachael: Exactly. We want insights.

Graham: Let's turn to that page.

Eric: I may put a horoscope up this year, under my predictions column and see how it does. I'll get back to you on that.

Graham: Well, there are some things that I think we can be fairly confident about. I think ransomware is going to continue because, wow, they've really found an enormous stream of cash coming in that way.
Rachael: It's a money-maker, yes.

Graham: Business email compromise is going to carry on happening to steal hundreds of millions of dollars from people. The sheer glut of new malware coming out, I don't expect that to stop anytime soon either. But I don't want to be all doom and gloom. Maybe simply because they're getting hit more and more, people are getting more clued up about things. There are only so many times that you get punched in the nose before you learn how to duck when you see the fist coming.

Eric: Well, as long as it hurts. It's got to hurt. If you have insurance or you don't seem to care, the bank covers it.

Graham: Yes, but even if you have insurance it still hurts. 

Eric: Yes, I don't know if it really matters.

Graham: Because your insurance premium goes up.

Eric: Okay, fair, you have to do some work. You have to restore from backup or you have to buy new equipment and put it in. Agreed. But does it hurt enough? That would be my question.

 

[29:33] How Much Does It Have to Hurt Before Making Cyber Fun Again

Rachael: Well, that's the big question. How much does it have to hurt before you take some action?

Graham: I had an idea which I talked about on the Smashing Security podcast the other week. Maybe the government, rather than banning ransomware payments, should have a ransomware tax.

Eric: Yes, I heard that.

Graham: So if you make a ransomware payment, you also have to pay so much money into the treasury.

Rachael: Yes.

Graham: Maybe that could be rolled back into cybersecurity education or something. But it would just make it that little bit more painful perhaps.

Eric: A disincentive to do nothing. Okay. So future prediction, I'm going to make this very binary for you. Do insurance companies continue to pay ransomware, or two years from now, are they out of that business? Companies are on their own and have to figure it out? What have you got?

Graham: I don't think companies are going to be on their own. There will always be people who will be prepared to pay a ransom. Companies may find it difficult to pay the ransomware gangs because of sanctions and other measures. But I think there will be proxies and intermediaries who will offer to do it for you if that legislation applies.

Eric: No, I know they'll pay. The question I'm asking though is are the insurance companies in that game or do they just exclude it. Like an act of war or something else? We're not covering this anymore. Good luck companies. If you want to pay it, pay it. If you don't, you're on your own anyway. We're not covering this just like we wouldn't cover an act of war.

Anything for a Price

Graham: I'd be surprised if all insurance companies stopped doing that. I think there will be some insurance companies, maybe somewhere in the world, who will offer that service.

Eric: Okay. So it's almost like Lloyd's of London where they'll cover almost anything for a price.

Graham: Yes.

Eric: Got it, I think I'd agree with that. I think we're going to see them scale back but I would agree with that.

Graham: Yes, I think it will carry on. It may not be in your own country. You may have to work with people overseas to do it for you but I don't think it's going to go away.

Rachael: It's so profitable. We were talking about if you start regulating Bitcoin or the means by which they get paid. Are there other ways to impact the wallet so they can't walk away with the money they want? Because it's all the financial incentives. So how do you decrease the financial incentive and increase the risk? And I don't know that there's an easy answer for that.

Graham: I don't think there is an easy answer, not with anonymous cryptocurrency. There are companies who do very clever things in looking into transactions of cryptocurrency. To work out where things move to but there are also services which will help you launder your cryptocurrency. Or mix it in with other people's cryptocurrency so it's very hard to tell where one particular payment may have gone. So there's a lot of sophistication out there.

Eric: Well, we are in the States, seeing more regulatory pressure around that, disclosures from the major exchanges. Really more around a tax-ability than any kind of security or threat to the country or companies, or illicit activity.
 

Evading Taxes

Eric: Just evading taxes. But we are seeing more activity there, especially in the last, I'd say month or so. The month of April and May, I've seen a lot more interest there which I think would help. It's not going to eliminate the problem but I think it would help.

Graham: It would really help if certain countries where these ransomware attackers were based had any kind of willingness to actually apprehend these cyber criminals. Because some of them we know who they are, some of them we know where they're based. We even know what kind of cars they drive. Some of this is sometimes known but it may be that they have rather a cozy relationship with the local police force.

Eric: Or the national.

Graham: Yes, exactly. 

Eric: Look at the Colonial Pipeline, we may find out one day. We may never find out how involved the Russian government was. But it certainly wasn't against their interest for that to happen. They love disruption.

Graham: Yes, absolutely. A lot of the ransomware gangs will not attack companies and organizations based in their own country for that very reason. Because they know then the police will get involved but the police will turn a blind eye as long as it's happening, for instance, in America.

Eric: Or they can't. I was with an FBI, a senior FBI official five, six years ago. They had studied the internet bandwidth into Africa, the continent of Africa, and certain countries. It was all around elicit behavior and the government didn't have either the laws, or the inclination, or the ability to do anything. 

A Reason to Do Anything

Eric: They had so many problems in these African countries and the governments. They just didn't have the police force, they didn't have the understanding, there wasn't a reason to do anything. Big internet pipe was bringing some business there, the money was sometimes being distributed to the economy. But the bottom line was, there wasn't a cost to those governments so why do something? It was a fascinating talk.

Graham: And also, some of the organized criminal gangs have a lot of money. Maybe more than the typical policeman might have and you might not want to rock the boat if you work in law enforcement. These are guys who could make your life very difficult and that of your family as well.

Eric: Yes, I almost equate it to what I imagine dealing with a cartel in Mexico or a South American country. They have as much or more power than the government in many ways, certainly better funded. Keep your head down and don't make waves, seems to be effective.

Graham: It's interesting, isn't it? If you think about how much money people might make through drug dealing compared to cybercrime. With ransomware and business email compromise, it's easy to imagine that you could make more money that way. Probably put yourself at less physical risk at the same time.

Rachael: Absolutely.

Eric: Well, let's just call it less physical activity because a keyboard stroke is a lot easier than a swift boat. Or a helicopter flying something across a border, or working with a coyote to get something across a fence line. Certainly less physical activity.
Graham: Yes. So are we all doomed then?

 

[36:23] We’ll Figure Out Ways in Making Cyber Fun Again

Eric: No, we always end the podcast on a down-note. Let's pick it up. We will figure it out.

Graham: It's been cheery this, hasn't it? Talked about the old days and how old we are. How the world's gone all techular and we don't understand it all, and climate change. We did that one.

Rachael: There has to be optimism though. I really do believe the good guys win in the end. Just how long does it take to get there.

Eric: You keep saying that.

Rachael: I do keep saying that. It's my mantra because at some point, there's going to be that thing that happens, the wrong thing to the wrong person. Is that when it turns on a dime? Maybe I've been watching too many movies, that could explain a lot of that thinking. But I really do believe everything comes to a breaking point.

Rachael: We hope that that breaking point isn't utter devastation in the physical world. Where we truly have a lack of resources or this devastating physical attack. But I do feel like at some point, the tide has to turn, where we're going to crack the code. I don't know. Maybe I'm naïve but that's what I love to believe.

Graham: Yes, talk about cracking the code. I think cybercrime is here to stay.

Eric: Right. Since the beginning of time we've had crime, it's not going away.

Graham: So it's just another kind of crime. In fact, we'll find in the future, people will stop calling it cybercrime. It'll just be crime. It's just a different kind of crime. You are right.

Bad Guys Are Caught

Graham: It’s important to acknowledge that we do have successes and bad guys are caught. They're imprisoned, and sometimes they get hefty sentences. There are lots of very smart people who are working on the good side, writing security software and hardware. Creating things like that, working in law enforcement and they're doing an amazing job.

Eric: Doing podcasts.

Graham: Yes, podcasts. That's the most important thing of all. There’s lots of good stuff going on as well. I don't think we've got a 100% solution but there’s a cause to have some positivity as well.

Eric: Agreed. If we did solve this problem, I just want to remind both of you and our listeners, our shows would be out of business. We’d have to move, there'd be a different topic. We’ll have to change our podcasts which would be horrible. There are some benefits.

Rachael: We're a few years out from that, I would say.

Graham: Do you think there are any criminals out there who are doing podcasts about how to be a better ransomware or something like that.

Rachael: There have to be.

Eric: I’d love to get one on. Rachael, next week we're going to do the optimism episode. That's how we'll label it and it'll be nothing but good news in cybersecurity.
Graham: Good luck with that.

Eric: Graham, you keep taking me down. Really appreciate you joining the show. We are at the end of our time here. But one thing I realized, we read your bio yesterday when we did the first attempt. I don't think we intro'd you today, your background and everything. We'll do it on the backside of the show. Mix it up a little bit.

Rich History

Rachael: Where to start though? You have such a rich history.

Eric: Let's start with the award-winning security blogger.

Graham: I won a baby competition when I was about eight months old. Could we start with that?

Rachael: I love that. It puts you on your start.

Eric: But really, researcher, podcaster, award-winning security blogger, public speaker. I'm not sure if I mentioned but Smashing Security's a favorite of ours, for a good laugh and a good bit of education. You've got a background in the business and on this topic for more than 30 years.

Eric: You did part of the original Dr. Solomon's AV Toolkit for Windows, info security, European Hall of Fame in 2011. Really appreciate you spending your time with us today. Just talking through some simple things like ransomware and jazz cigarettes.

Rachael: I love this quote. I don't know if you've trade-marked it, but “The Cloud is just someone else's computer.” That's genius.

Graham: I didn't trademark it, but I was the first person to say it. I can't find any earlier record of anyone using that phrase. But someone else has made tee-shirts and stickers. Someone else is making money out of it, but not me.

Eric: Going back to your May 5th episode, 226, Crypto-crazies and NFTs, you should NFT that thing.

Rachael: There's money to be made there.

Eric: Thank you for putting out some great content and joining us.

Rachael: We love subscribers. Get a fresh episode every week delivered right to your inbox so smash that subscription button. We appreciate our listeners joining us on this journey and we always welcome feedback. We're happy to bring on new guests and make sure to talk about the things you care about. Until next week, be safe.

 

About Our Guest

Graham Cluley is an award-winning independent security blogger, researcher, podcaster, and public speaker.  He has been a well-known figure in the computer security industry since the early 1990s when he worked as a programmer, writing the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows.Since then he has been employed in senior roles by companies such as Sophos and McAfee.

Graham Cluley has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and his claim to fame is that he is the originator of the saying that “the cloud is just someone else’s computer” (but he hasn't managed to make any money out of it).