The Making of a Cyber Hero - An Interview with Gary Berman, CEO of CyberMan Security.
Interview with Gary Berman, CEO of CyberMan Security:
Cyber Security Dispatch: Season 2
Episode 01
Show Notes:
On today’s episode of Cyber Security Dispatch we welcome Gary Berman, the CEO of CyberMan Security and the creator of cyber security comic book, The Cyber Heroes Adventures. Gary’s journey in the cyber security field is an unusual one and his professional story is one we are sure you will enjoy listening to. Fifteen years ago, after building a successful company with his wife, it was hacked from the inside by some of Gary’s employees, eventually leading to its the company’s demise. Gary bounced back from this and moved onto new ventures but was, after years disconnected from that organization, still plagued by cyber threats that seemed related. Gary chose to respond to this situation by learning about cyber security and effectively transferring his learnings into a comic book for others to utilize. Thus, the Cyber Heroes were born! The series will chronicle, super heroes of cyber crime for educational and helpful outcomes. Gary tells us all about his back story and then the genesis of the comic as well as his thoughts on the industry from his unique perspective. So for an extra special episode, be sure to tune in and get it all!
Key Points From This Episode:
- An introduction to Gary and his professional life.
- The tragic turn that Gary’s company took after it was hacked from the inside.
- How Gary and his wife handled the crimes that were committed against their company.
- The change of career that followed the downfall of the company.
- The hacks that persisted ten years after Gary left his original career.
- The decision to turn his lack of cyber knowledge into a lesson for anyone.
- The birth of the Cyber Heroes comic!
- Looking at the motivations of the employees who hacked Ben.
- The actual, legal ramifications of hacking.
- Thinking of new ways to strengthen the general public against hacks.
- And much more!
Links Mentioned in Today’s Episode:
Gary Berman LinkedIn — https://www.linkedin.com/in/gary-berman-8aa36475
The Cyber Hero Adventures — https://www.cyberheroescomics.com/
WPP — https://www.wpp.com/wpp/
Cyber Security for Dummies — https://www.amazon.com/Cybersecurity-Dummies-Symantec-Solutions-Special/dp/1118011376
Palo Alto Networks — https://www.paloaltonetworks.com/
Hack NYC — https://q22018.hacknyc.com/en/
Tom Brennan — https://www.linkedin.com/in/tombrennan/
Proactive Risk — https://www.proactiverisk.com/
Microsoft — https://www.microsoft.com/
Cyber Security Ventures — https://cybersecurityventures.com/
IROC2 — https://www.iroc2.org/
Public and Permanent — https://www.iroc2.org/113.html
GDPR — https://gdpr-info.eu/
National Institute for Cyber Security Education — https://www.nist.gov/itl/applied-cybersecurity/nice
NIST — https://www.nist.gov/
Introduction:
Welcome to another edition of Cyber Security Dispatch. This is your host Andy Anderson. In this episode, The Making of a Cyber Hero, we interview Gary Berman, CEO of CyberMan Security. He tells his unbelievable story of how company insiders used cyber attacks over more than a decade to destroy the company he built. And how that experience led him to create the cyber security themed comic series The Cyber Hero Adventures as a way to help prevent this from happening to anyone else.
It's an amazing story and one I think you’ll love hearing, I know I did.
TRANSCRIPT
[0:00:42.8] Andy Anderson: Gary, just to start, why don’t you just introduce yourself, your name, your company, those sorts of things.
[0:00:46.6] Gary Berman: Thanks Andy, I’m Gary Berman, the CEO of CyberMan Security and I’m probably one of the most reluctant people to be having this conversation with you because up until a couple of years ago, I didn’t know very much about technology and even less about cyber security but everything about what it means to be a victim of a series of insider cyber-attacks for incredible period of 15 years.
[0:01:18.0] AA: Yeah, we had a conversation before we were on the air when I met you and I think the story of kind of how you got pulled in, is a great one which is why I was so excited to have you on but I think that’s unfortunately the case with too many people, right? The amount of some damage that’s going on, people never should have imagined that they would get pulled in to thinking about these issues and are – whether that’s election officials or just individuals with credit cards, et cetera. We’re excited.
Just to dive right in, I want to kind of hear the story, how did you get pulled into this?
[0:01:49.7] GB: I was very fortunate, almost 25 years ago to have started a marketing communications company with my lovely bride who is the more intelligent one but that’s probably for another podcast and we were doing great, we have a company for about 10 years, we were very fortunate to then be able to sell 49% of the company to one of the largest smart communications companies in the world called the WPP Group based out of London and things were just going incredibly well after the sale went through.
We started from a small base we had several million dollars in billings and up to about a hundred employees - we were a small business - but we’re very fortunate to be on the cutting edge of this macro trend towards market segmentation and we were particularly well known for our work in demographic areas. So we looked at different segments of the population such as looking at the differences between men and women and young and old and people with different races and ethnicities and the LGBTQ community and veterans.
We developed, you know, a successful business looking at a subset of the total market for various companies like AT&T, Coca-Cola, Procter and Gamble, and many others. Things were going swimmingly and unfortunately, I had a serious injury, I was playing basketball in a Jewish league which is somewhat of an oxymoron but that’s for a different podcast too.
I blew out my knee, no big deal but then, one thing led to an other and I almost died because of a series of blood clots. During that time, I was out of my company for about six months or so and I noticed that they were starting to decline but I attributed to the fact that I was really the primary rainmaker of the company and it didn’t really bother me too much.
One day, of all places, I’ll give you a little more detail than you probably want but I happen to be in the bathroom and my phone rang - which at that time 15 years ago - I had one of those big phones that looked like a military walkie-talkies and –
[0:04:15.4] AA: Yeah, the brick.
[0:04:16.2] GB: Yeah, exactly. It didn’t ring very much, I didn’t used it very often, I just had it for important contacts and the phone rang and I noticed that it was the CEO of one of the companies that we had just merged with and she starts off the phone screaming at me, the call, “What the ‘blank’ is going on at your company?” It just took my breath away.
I said, “What are you talking about?” She replied, “Well, I just got a call from one of your people saying that there was widespread fraud between your operation and your data collection facility and that you are under investigation by the FBI and that I should not communicate with you any further”. It took my breath away.
I said, “What are you talking about?” Now, up until that point, I was very well-known nationally, you know, I hosted national conference - think tanks - bringing in these big thought leaders including CEOs of big companies and to hear something like that was - just overwhelming. I asked who called you and she said, “Well I’m not going to disclose that.” I said, “Okay, let me just get back to you by close of business.”
I proceeded to gather some key executives home which had been with me for a long time, you know, about this matter and so they acted like, “Well, let’s look into it,” and so we validated all of our research that we had going for some of our large clients. Without even asking, I refunded hundreds of thousands of dollars to these big clients because even the hint of any type of issue would be very damaging. Plus, just from an ethical standpoint, you know, I wanted to take care of our clients. I refunded a lot of money even though I was not asked to. We redid the projects and authenticated everything to be completely legitimate. This happened over a period of several weeks, then I got a call from a second client and it was the exact same discussion. Then a third, and then a fourth, and then a fifth.
Like layers of an onion, we started to realize that there was something really wrong going on here and the last thing I do was expect people that I trusted, you know? My right hand people. Months go by, the business now, it takes a precipitous decline because –
[0:07:00.5] AA: But before we move on, okay, these clients are calling and they’re getting these calls from someone or was the FBI but that calls from out of the blue and it’s not – there’s no basis for the allegation or there is one going on?
[0:07:17.8] GB: None whatsoever -100% validated all of our work.
[0:07:22.3] AA: There was no investigation, it was just someone essentially spreading a rumor?
[0:07:28.1] GB: It was some of my key executives, yes.
[0:07:30.4] AA: Working at your company, were calling in, telling them that there’s fraud going on. Wow.
[0:07:33.3] GB: Yes. An insider, there was two of them. Wow, two of them. None of the clients would let you –
[0:07:45.2] AA: It sounds like the first wouldn’t tell you but with any of these subsequent sort of reveal the source or -
[0:07:51.1] GB: No, I later learned they were told not to. I’m giving you just like sort of the first part of what has happened. Sorry.
[0:08:00.3] AA: Keep going.
[0:08:00.4] GB: No, I could have kept going, I appreciate your interest. You know, look, I am the first to tell you, this is not a believable story except it’s true. I was as skeptical as anyone.
Anyways, time goes by, well, I later learned one of our clients sent me a presentation of capabilities and she said, “Hey Gary, isn’t this from your company?” And I went, “Yes.”
To make a very complicated story shorter, they had actually opened up their own company by cloning us - using all of our intellectual property, all of our computer systems, they spoofed the website to look like ours so that when people thought they were coming to my company, were redirected to their company.
When anybody tried to make a phone call into my corporate office, the phones were redirected to their phone numbers - 19 attack vectors. Now, I sound like I know what I’m talking about now but at the time, you have to keep in mind, this was 15 years ago and a half team was not part of the zeitgeist of you know, of the world.
You know, there was hardly a Facebook and things like that so I had no idea what was going on anyways. One of the guys that was a collaborator in what the FBI referred to as espionage was really competent programmer, even 15 years ago, upon reflection, he said with some pride that he was one of the guys that helped develop a system architecture to stream pornography and you know, this guy was very advanced technologist, even 15 years ago.
Specifically with in the Mac operating system because he was an expert at Unix which of course lies below the Mac OS. One day, as I noticed that everyone seemed really interested in this meeting in a parking lot, I learned because I just got there very early that almost every morning, they were having the equivalent of their production meeting inside our parking lot before they came in my office to go over all the projects that they were working on under my name without me knowing it.
After that happened, one day, you know, I started seeing little things that I could tell were anomalies. One day I walked into one of my executive’s offices and he happened to be downloading some files from our central processing unit into an external hard drive and I said, “What are you doing?” He got all nervous and I looked at his computer and I saw he was downloading client information. So I disconnected the hard drive and I said, “You need to leave.”
I’ll never forget, boy, was this you know, foretelling. He pointed his finger right in my face and he said, “You have no idea what hacking is,” and he left. Again, like layers of an onion and he started to uncover some things. I hired a forensic firm, was able to document you know, some things that they done with some logs. They had deleted most of the logs but we found one and we took that evidence to an attorney.
We had a meeting with a couple of the culprits and their attorney and my wife and I, for personal reasons, the most important one being that we had a daughter with some special needs.
We decided that just to let it go. We do not want to put kind of the bad karma you know, in the world and they agreed to a cease and desist of these behaviors. That was my giant multi-million-dollar mistake.
[0:11:41.8] AA: You decided not to criminally prosecute or even civilly continue any action, you just were like, hey, if the stop - it will be the outcome that you wanted?
[0:11:54.3] GB: It was incredibly naïve upon reflection and but I thought I could rebuild, you know, I said fine, things happen, companies have problems all the time and I had you know, a lot of gas in my tank. We still you know, maybe 40 something years old, you know, my reputation I thought was intact, you know, but for these calls which I continue to hear about. Anyways, we kept the business going for several years and I basically depleted all of our personal savings to keep our employees on payroll including some of the culprits - at the time, I didn’t know.
[0:12:36.3] AA: How many total culprits were there in the end?
[0:12:38.5] GB: There were five people. We kept the business going, you know, as long as I could. Eventually, we had to close and I said, “Okay, then that’s chapter’s over,” and I then did the pivot, my wife and me, at first, I got into veteran’s causes, working on something called the Anthem Project which is designed to help warriors coming back from theater to help them reintegrate back into civil society.
Then after that, several years, my wife and I started a children’s education company to tutor kids. Then, about two years ago, here’s where the story gets incredibly interesting, we decided that I would test the waters to see if I could go back into the marketing communications industry that I had left ten years prior.
I made a few phone calls and I was very fortunate that I was actually to be the master of ceremonies of a big industry conference. There I was, shortly thereafter, giving you know, the keynote address and doing something similar to what I had done all those years earlier and it went great.
People, all these big clients and companies that knew me from before, many of them came up, “Where have you been? It’s been like ten years and what are you doing these days?” You know, it’s an incredibly uplifting experience because in addition to the welcome, I got a bunch of leads, you know, people came up to me and said, “Hey Gary, would you submit a proposal for this project,” and that?
That night that I was the master of ceremonies at this industry conference, after ten years of not having any interactions with them whatsoever, two of them checked my LinkedIn profile the same night and then the next day, the hack started happening. Boom, boom, boom. All these different things started happening literally from one day to the next.
You know, I had emails being deleted, accounts were being spoofed, my passwords were being changed, they spoofed a Google two factor authentication, there were 19 vectors as I mentioned previously and I went, “Holy cow, you know, this is nuts, this can’t be happening,” and after ten years, who would possibly keep that up?
Even if I knew who it was, why? At first, I can understand it was in economic motivation, they just started their own company and they went about it in a nefarious way but I understood that. Then it became something else, after ten years, my goodness.
I started gathering evidence using my iPhone and other devices to take pictures and videos of different anomalous things. When I first started into it, I would assess that I had maybe 25% correct in what I thought about 75% would have been false positives and just mistakes because I didn’t know what I was doing.
It was enough that I brought it to the FBI and they took a look at it and it was enough that they came to my house the next day. I had these two FBI agents looking over my shoulders that I was showing them some stuff on a laptop and this giant cursor, like 144 font, giant cursor came up and started moving around, closing and deleting files.
“Did you see that? Did you see that?” - “Yeah, we saw it.” That was sufficient for them to forward my amateur information to the attorney’s office and they declined to open up a case because of the amount of time that went by, even though these were new hacks, it was a relatively small crime, a few million dollars over time. And after going through all the emotions that anyone would, I mean, I was incredibly disillusioned and upset and angry.
And you know, I finally just got to this point where I said okay, I have to make a pivot, you know, I don’t want to live my life as a victim, there are many victims, all kinds of crimes and I said okay, I’m going to learn everything I can about hacking and cyber security.
Just about everyday, starting at four in the morning, that’s all I did - ten to twelve hours everyday. Listening to podcast, like yours, reading everything I could, going to conferences, just to see if there’s anything I could glean from it - Lo’ and behold, you know, I started to pick up a few things to start looking for and so my – I was definitely hyper aware that that’s different than kind of crossing this line into paranoia, you know?
Because paranoia is an unfounded concern, at least there was a basis for what I was looking at even though maybe I didn’t get it all correct. I mean, I know I didn’t but I got a lot of it correct. Anyways, I started getting more evidence and I brought it back to the FBI and still was not sufficient to open a federal case.
I went to local law enforcement, there were many stories, you know, about that. The big ‘aha moment’ came when as part of my learning, I got a book called Cyber Security for Dummies. You know, put up a Palo Alto network and said, “Okay, perfect. Cyber Security for Dummies, that’s great for me.” I started reading it and ten pages in, you know, I’m telling you, I was lost; ten pages in I was lost. I asked my wife to read it, “What do you get form this?” I said, “I don’t’ know.”
Coincidentally, I happen to speak to the CTO (Chief Technology Officer) of Palo Alto network and he laughed, he said, “Well, it’s really not for beginners.” - “Then why did you call it cyber security for dummies? What am I missing here?” Coincidentally, I happened to see Spider Man and it just hit me - super heroes - as a way to distill complex cyber security information because I figure, if a guy like me is lost, how is a mom who wants to protect her daughter from a webcam or a baby monitor or you know, a connected car or a smartphone going to protect themselves? I just figured there had to be a better way and Cyber Heroes was born.
[0:19:06.3] AA: Yeah, well, I want to get back to the story but just to finish this part. I met you at Hack NYC where it was the first time that you had released a version of your comic book, which is great. So tell people a little bit about that and then I have a couple more questions of the history too.
[0:19:25.5] GB: Sure, I was very fortunate at one of the cyber security conferences that I went to just to listen and learn, one of the panelists was incredibly impactful in the way he spoke - Tom Brennan from Proactive Risk and after he spoke, I kind of almost ran after him as he was leaving the conference, I saw him in the hallway and you know. I said, “Mr. Brennan thank you so much for your wonderful remarks and I was just wondering if I could run a couple of things by you real quickly.”
I put some photographic evidence into a little binder and some early prototypes of the superhero comic and things like that; I asked him if he be kind enough just to take a look at it and just see what he thought. He did, we ended up having this incredibly great conversation, the seed was planted to collaborate with the great folks that Hack NYC about launching the comic in New York and this was just last week and I was incredibly humbled and honored by the response from everybody.
Even for the first time ever, I think I blushed when some people wanted to get an autograph copy. I just started blushing, you know - “What? You want an autograph?” The feedback we’ve gotten since that has been incredible, including some big potential joint venture partners like Microsoft.
[0:20:52.9] AA: Yeah, the plan is to kind of come out with different issues to sort of tell the story of cyber security myth with support from corporates or –
[0:21:01.3] GB: Right, well, after doing a lot of listening and learning, you know, about this. We had to figure out - is this viable business. I was very fortunate that in my past careers, the marketing world, I created a series of syndicated research reports on various sectors of the economy.
It might be like automotive, or banking and finance, or healthcare, or telecommunications and my business model at that time was that I would have the leaders in each of those categories co-fund the contact. They would get not advertisements but - “AT&T is proud to be a proud sponsor of this work”, like that.
[0:21:43.9] AA: Got you.
[0:21:45.0] GB: Id did that very well and I gave them access to other relational databases so that it was a good value for what they did. That worked well. That’s what I’m doing and so this very first issue is really essentially an overview of the series, we’re going to be having four big issues - this one is about 50 pages. So actually, it’s much more akin to a graphic novel, you know, than a comic.
The content depicts real cyber security experts in it - we drew them in - and best practice advice from cyber security people. Even through the modalities of comic, the content is substantive. You know, what we’re doing with this first issue is what we did was introduce hacks, kind of anthropomorphize them, giving hacks, characteristics that would allow a reader to sort of get what a hack is because you know, as you well know, I mean, you can’t see hacks, you can see their effects, see them usually unless you’re a cyber security expert.
A regular person just can’t get their head around it, including me. We’ve created all these different characters like WannaCry and Virus-man and The Bugger and The Phisher and we took that – we drew in actual visual representations of what that hack would actually do in the wild. This first issue we’re actually giving away at no cost, we sent it out to 17,000 cyber security people two days ago, 700-800 of them read it already. I have some interesting little tidbit but as part of my listening and learning, starting in November, I went to LinkedIn which I didn’t really have much indication to use and I try to the words, you know, CSO.
Of course, I got all these CSOs. One at a time, I just invited them, you know, to connect with me on LinkedIn, it’s not like these guys need Gary Berman, you know, it’s like a connection. I didn’t know what to expect and now my LinkedIn page, all it had was a cover of the original version of the comic and I asked people to please send me blinded cyber security stories answering the question what happened, what were the consequences and most importantly, what were the lessons learned so that I could include that content inside of the comic. We did that, we included a story from that. I ran out of CSOs so I typed in CISO (Chief Information Security Officer) and I ran out of those and as of this morning, I have 21,000 followers on LinkedIn.
[0:24:26.5] AA: How many did you have when you started?
[0:24:28.2] GB: - Not even a year, I started November until this morning and by the way, I stopped the invitations in February because it was too many.
[0:24:36.1] AA: People just started to find you.
[0:24:38.2] GB: Yeah, everyday I mean I don’t know 20 to 50 people request connections and we have no – I’ve done no marketing, no social media, nothing yet.
[0:24:47.5] AA: Wow just asking for like good content.
[0:24:50.9] GB: Yeah.
[0:24:51.0] AA: Well I mean I think one, I think the number of - even individuals who are experts in the space because the space is just so – there is so much here, right? You need to be an expert in everything and so people are kind of constantly learning and to have kind of more fun ways, simple ways, understandable ways to talk about it I think is hugely valuable - but also I don’t know, I think you nailed it - this audience loves comics, right?
I mean whether that’s the T-shirts you wear, the things that you talked about - brilliant from a marketing perspective. I want to go back just a little bit because I think the audience would love to hear a little bit more about the story. I mean did you know, did you ever understand the most – I mean do you know who is doing it?
[0:25:39.4] GB: Yes, a 100%.
[0:25:42.4] AA: Have you any sense of their motivation for it?
[0:25:45.3] GB: Yes, at first - there’s two parts of that question. Part one, when they were working for me and then after, it was an economic crime. It was just money because they started their own company doing the exact same thing that I did while they were working for me being paid by my company full time. So that is an easy answer, it was just money and you could argue greed things like that.
The fact that they came back 10 years later, I don’t have an answer.
[0:26:14.6] AA: And were they successful? I mean is that company gone on to be successful in what they were doing?
[0:26:19.0] GB: Yeah. Yes, they have but interestingly and I have to be a little cautious here just because this is an on-going matter. So what I can – something interesting about that at the conference, at the Hack NYC Conference, I was talking to someone in cyber security and while I was just sitting there, he did some things and before I knew it, he had their website up which I had not seen for ten years. I mean I had no reason to look at them.
And he went to the website and went to click on the staff page - then only the staff page had been deleted and so he asked me, “Why isn’t there a staff pages?” And I said, “I don’t know,” and so he did some other things and we got the archived page back and I said, “Oh yeah, you know it looks familiar to me,” but that is about it, this an ongoing matter right now. I need to be respectful of the law and stuff. I don’t want to -
[0:27:16.3] AA: Yeah, of course. How about I mean the other thing and this is I don’t know if we can talk about it at all. I think for someone who hasn’t thought about legal issues like the ability for any sort of protection in the online world right? I have encountered weirdly, net friends who have also been victims of not online fraud but just traditional fraud and the ability to actually persecute it is incredibly difficult, right? It’s sad in terms of people could steal hundreds of thousands of dollars and millions and you can’t do anything.
So just for those who don’t know, what is the ability for law enforcement to help you, right?
[0:28:00.8] GB: Yeah, it is a great question.
[0:28:03.9] AA: And you don’t have to speak specifically about this but maybe just in general because I think people are interested.
[0:28:07.5] GB: Yeah, I learned a lot about this so I appreciate your question and it is true. Okay, so the first thing I would say about it is why don’t victims speak up. And then I’ll just go into your question about law enforcement.
So victims in cyber security don’t speak up for a number of reasons. One is reputational risk and who is going to want to work with a company that they know has been compromised? In my case for example, you know there was a presentation, a proposal that I wrote to a company, we throw a lot of money and you know the last slide as is in my custom would say something like, “Thank you,” and the, contact information - it was changed to swear words. So that’s not a way to try to close a deal if you could imagine.
“The people that I spoke to said, ‘Yeah, sure. You are being hacked,’ and I had people that I even wanted to show some of the evidence in the form of photographs that just didn’t want to hear about it or see it. So that’s why victims don’t speak up. I decided to speak up for the reasons that I’m saying which is to try to turn it into something good for other people.”
So you know what? I am going to modify something. Some of the motivation of part two of this has to be like just the thrill, manipulation in social engineering and to just screw with people. The people that do do that I’ve learned, you know? But anyways, going back to law enforcement. So reputational risk; loss of employee confidence; loss of perspective clients coming to your business; ignorance, in my case. I just didn’t know what was happening and I should have and then over the years, embarrassment and shame you know? I mean I just didn’t want to speak up and nobody believed me anyways right?
The people that I spoke to said, “Yeah, sure. You are being hacked,” and I had people that I even wanted to show some of the evidence in the form of photographs that just didn’t want to hear about it or see it. So that’s why victims don’t speak up. I decided to speak up for the reasons that I’m saying which is to try to turn it into something good for other people.
As it relates to law enforcement, I went to the FBI over a two and a half year period ten times and they knew me. I had to be very cognizant. I didn’t want to seem like I was being ridiculous but each time I had some significant developments from technology and things like that that I could show, I wanted someone to at least look at it. The FBI works on large cases and the way they define that - and it is not just the FBI - I think the FBI did a good job for me, the ball was dropped - or again I just didn’t have enough evidence for the US attorneys to open a case.
So it is very important that your listeners understand, I think the FBI did a really good job for me considering how little they had to go on and that we were so small. The US Attorney’s Office because of their workload and things like that just declined to open the case. I went to my local law reinforcement I don’t know, over a two year period. Also at least maybe five times, five or seven times, they don’t have cyber security capabilities.
You know it is a very unique set of skills, the resources are incredibly stretched and each of the law enforcement people that I interacted with were very empathetic. I thought they were really great but their hands were tied and so I just took that that was on me because I didn’t have sufficient attribution to open up a case and you know one only need to look at what’s going on with all the hacks and how difficult it is to attribute correctly someone’s IP address or other signatures and things like that, if someone is sophisticated and don’t want to be found.
So in the realm of cyber security especially small to medium businesses who can’t afford the latest in software and hardware technology solutions, or they can’t afford their own Chief Security Officer and things like that - they are incredibly vulnerable.
[0:32:14.8] AA: And how about – I mean so understandable in the criminal side, what about in the civil side, right? Because I mean sort of opportunities to sue for damages and what more?
[0:32:26.5] GB: Well there are two things. This is active right now - but damages, I mean well it is an interesting question because as I was thinking a lot here, what I am seeking is justice and if I am not able to get justice in my case, in the form of some verdict or compensatory or punitive damages, I still have a plan B which is the notion of this larger justice in the world that by putting something out there, if it ends up being a successful business that is just icing on the cake for me.
At this time in my life, I am focused on the advocacy part rather than the victim part. Having said that, I’ll just leave that this is still an open matter.
[0:33:16.9] AA: Yeah and I guess what I would and this is for our listeners and I rarely comment but I think one of the things that I actually heard a former Head of NATO actually and he was talking about sort of the issues at the geopolitical level, right? How do you think about, one, I think, of the biggest challenges is that the actors and I am talking about it at the nation state level, right? It is great if we put an indictment against some kid that is in a different country, right? But if they live in that other country, they’re never coming here. They’re never going to travel to - I mean sometimes they mess up and they travel to sort of a neutral country where we have subpoena powers or cross dictional - like we can arrest them and they can be – I forgot the word for that, they can be –
[0:34:07.1] GB: Extradited, yeah.
[0:34:08.4] AA: Extradited. But also the other thing that was really interesting is like for the black market to exists it has to interact with the white market as well and there is a huge amount of grey space and so what you’re trying to do is make it much more difficult for the black market to get the job done. And I think what you are talking about in terms of talking about it - but I think the reputational pieces, the assuring that individuals can never - because my hope is that you slowly reduce the ability for individuals to work in the white market if they truly are up to nefarious things, even if you can’t prove it in a criminal level at least in the civil level and the court of public opinion and reputation. Because I think there’s hopefully opportunities to do that. I think our country relies on the rule of law. That’s what ultimately what I think our society why we’ve been so successful and so my hope is that that gets resolved in some way.
[0:35:21.1] GB: Thank you. That is a really good thought and that I adhere to what you’re saying. But you know it is an interesting thing, I am reasonably sure they’ve seen this comic in electronic form already and they know they’re depicted and they know it’s them, even though I didn’t make it look like them and of course, I have blinded everything but they know what they did.
[0:35:41.5] AA: There’s karma, karma coming.
[0:35:44.0] GB: Yeah, yeah and just this great opportunity to talk with you in a small way will hopefully enlightens listeners and I am on the speaker circuit now and some companies are having me to come in to teach them about some of the things that we’ve been through. So I mean to me that is the right way to do this at this stage of my life. To turn it into something that helps other people and one of the things that I included in the inside cover of the comic was the dedication - a big thank you in addition to my family and stuff like that, I’ll paraphrase by saying you know - the only time that people hear about hacks is when the hackers are successful. You never hear about all of the countless people who toil in anonymity keeping us safe at home and at school and at work.
So I wrote, “This is dedicated to the unsung heroes in cyber security and law enforcement who keep us safe.” I didn’t just write that. I have a lot of experience listening and learning from some incredibly generous people. So it’s important I think - kind of a takeaway from this is you know, this is a cautionary tale to be sure, but there is way more good in the world than there is bad.
[0:37:05.2] AA: Yeah, I think evidenced by your 20,000 LinkedIn followers by one for sure. But I think also part of the reason we started this podcast was because so often a lot of the media attention is about kind of about the hack and you know this company and it is sort of like there is a sort of shaming of those individuals and those companies and look at how dumb they were to let this thing happen right?
But I think quietly behind closed doors as you talk with more and more people in cyber security its like: ‘No it’s just when is my number in terms of getting hacked’ and whether that’s – I think that’s almost every major organization out there right and so my hope is that it does at this stigma around it does start to fall and that people aren’t like this isn’t something that you did personally, it is just sort of the nature of the business and that talking about it and not focusing on just who got hacked today it begins to change that culture because it does in terms of exposing individuals and issues out there. Go ahead.
[0:38:14.5] GB: And let me just say something about that because we bring up a really important point. One of my takeaways and I am going to ask you to think that if it is valid or not. Comparatively speaking you know black hat hackers share information freely and fast. White hat hackers are a little bit less so and in part not just hackers but companies are reluctant to do so for a number of reasons besides reputational stuff but it is also their intellectual property, right?
So the hackers are horizontally structured and my sense is that you know, people in cyber security are vertically structured and I think it has to be horizontal sort of sharing and I know there are a lot of initiatives like Hack NYC that are designed for the free-flow exchange of information and there are all these databases with different threads that are listed and things like that. I mean that to me - its like a rising tide lifts all the ships, you know? And to what you are saying, the more victim – I don’t want to use that word victim, I mean the more people speak up and share their lessons learned, the better it is going to be for everyone.
The other thing about that that to me is incredibly interesting is that of the top, 500 cyber security firms according to - Cyber Security Ventures I think is the name - only 3% at least through a search of that database, 16 companies say they do education and training. So that means 83% of the top 500 companies offers software or hardware solutions - when 62% of the hacks are seemingly caused by simple human error.
And to me just as a marketing person that represents a gap that the companies understandably and rightly are spending, you know, a lot of money in software and technology solutions maybe not - I don’t know if it is money or the way they go about it but education and training needs to be right on par with it, from my perspective.
[0:40:27.9] AA: Yeah, I think I don’t know. I mean I had to debate a lot with people because I feel like - I think education certainly has a role but it’s also not a panacea right? I think currently where I see, I think a lot of it needs – I mean I think it is education or a change of thinking at every level, because and one of the biggest is just to expect people to continue to make mistakes, right? It is like a fundamental design of our systems and I’ve had lots of conversations about this.
I mean we don’t expect people when they’re driving to never get in an accident and we know that if people get in lots of accidents just the way in driving, safe driving has a role, also the design of the systems are such that we expect people to make mistake and it’s just how do we minimize the damage that they do when they make mistakes, right?
I think that is an equal value of education and there is some really good sort of thinking about system design, about maybe you change your strategy to expect penetrations, to expect kind of breakdown, to expect systems to go offline and think past those and that is more like a fundamental shift I think in outlook. Like a paradigm shift that you want to get like nerdy in terms of terminology.
[0:41:56.3] GB: Yeah. I mean that makes a lot of sense to me and I really just think that the people in cyber security need to be honored for what they do and law enforcement too.
[0:42:09.0] AA: Yeah, just before we close I think one of the things that I would be really interested in just because you are living it - do you have any sort of recommendations or places would point to for let’s say people like yourself. I mean you are an individual, you are not a company or you are concerned about being attacked potentially by some pretty amoral individuals, who seemed to be also skilled.
What would you recommend people do to try and protect themselves? Is there some place that you’d look which is giving really good guidance, etcetera?
[0:42:44.1] GB: Yeah, one of the first guys that I met in this ecosystem, his name is Richard Guerry, he has an organization called IROC2, iroc2.org and what he’s dedicated his life to is to teaching children about overall safety in which cyber security is a component part.
And every year, he does over 200 speeches to schools and communities all over the country and he came up with this concept that I really think makes tremendous sense and it’s called Public is Permanent. The idea as the name implies - it’s that once you put something out on the internet, it is public and it is permanent and so the first line of defense, don’t put anything online that you think it could ever be used to compromise you. Whether be as a business person and as an individual and you mentioned earlier. Andy, a paradigm shift while it has been a big one, of course it is customarily was everything was private unless you wanted to make it public.
Now everything is public unless you want to make it private. And even doing so, you are not really doing that as part of the testimony from Facebook. You have the big thing happening in about a week, two weeks, General Data Protection Regulations, GDPR.
Which is for the listeners who may not know is that it is an initiative originating out of Europe that basically guarantees rights for personal identifiable information and most importantly, severe economic consequences if those rights are violated. It is not just Europe but it’s any European person and it is any company that does business with Europe. So this is happening on May 25th and I think that should be a pretty big deal. So from a resource standpoint, if I were a mom interested in protecting my daughter from a prying webcam, public and permanent, iroc2.org is a great resource for children related things.
In terms of businesses, small business or even enterprises, there are incredible online resources. Both for victims but also for advocacy and the one that I think is extremely well done is put forth by the National Institute of Science and Technology, they have a sub-group that is referred to as NICE and it is the National Institute for Cyber Security Education and I think they are doing a really great job on providing resources that are easy to implement and follow, what they call the cyber security framework which is a way for the community, the country, the world even, to get organized around being safe online. So you can go to nice.org, I believe it is.
[0:45:51.1] AA: Yeah, we’ll put all the links to stuff in the notes for this. Yeah, that’s great. Gary this is terrific, anything else before we close? I mean this is just really one of my so different than a lot of our interviews although we really read some of the people from NIST that that’s the other direction we go but this is such a fun and great story.
[0:46:08.0] GB: Yeah, well thank you very much for your interest. We’re going to be selling these comics. If someone wants to get a copy, right now we are charging $10 and it’s got about I don’t know, $500 of training information in it I guess. It is hard to quantify but if you wanted to get a copy of the comic you can go to cyberheroescomics.com, those are plural. If you want to look me up on LinkedIn and if you have stories, you know true life blinded cybercrime stories we’d love to run it by our team for future issues and we’re going to be doing animations too. So it is not just physical comics, these will be cartoons. We will be doing different languages and things like that but other than that, nothing going on.
[0:46:58.0] AA: No, it sounds like not that busy, right?
Gary this is terrific, really incredibly great story. I really enjoyed it, I mean I wish you all the success and we’ll definitely stay in touch. I love it, good stuff and send along anything you’ve got that you want to include with the notes.
[0:47:15.4] GB: Yep, thanks and this is a little thing that I am just starting to do but thanks for being a cyber-hero.