Kingdom of Lies
Page 4
His father left when he was two. He learned how to use computers at a young age. Buried his heart and his life in them. He sank into them more deeply every time his alcoholic mother got drunk and ignored him. She could be sitting in the same room yet be locked far away in her head, farther even than Moscow.
He would grind, grind, grind into the code, plunging deeper into the internet just to see how deep it went. Digital technology slowly but assuredly began spreading its tendrils everywhere, giving him the pleasure of diving into an ocean that kept getting more interesting as he went. In those early years, it was so exciting to see it grow. Into shops and schools and private clubs, government agencies, other countries, other worlds.
Wherever the internet went, Valery could go, too. Into homes, gyms, and Army installations. Into ATMs and the little tiny boxes where people swipe their credit cards. Especially the little boxes.
He showed unusual proficiency with computers. His teachers optimistically talked about a nice job for him in technology. Maybe he could have a good paycheck right out of high school and help his mother, they said. He had bigger ambitions. To be an entrepreneur. Own a start-up. Have equity.
At the age of 17, Valery came home from school one day and found his mother had drowned in the bathtub. Whether it was deliberate or not made little difference to him.
After the funeral he accepted that his father was never coming back. With nobody left to love or hate, to impress or distress, Valery went in a different direction. Down, down, deeper into the internet, to a place with no bottom.
To his surprise, Valery found himself there. Many selves, actually. Cocky and poetic as his hero Tupac Shakur one day, smooth and cool as Drake the next. He kept stacks of cash in his closet. He drank too much vodka and sang the lyrics to his favorite Tupac song, “Starin’ Through My Rear View”:
Once a motherfucker get an understanding on the game
… Then the world ain’t no trick no more
The U.S. government was right. Valery knowingly and willfully invented the machinery that revolutionized how credit card numbers are stolen. Those who noticed a fraudulent charge on their credit card in those early years of the internet may have been reimbursed by the bank, but Valery was in on it, too. Every last-minute Christmas purchase and late-night Taco Bell run, Valery was there. He was inside every swipe of the card. He was everywhere and everyone and nobody at all.
He had a house in Bali, one in Rome, one in Tokyo. That one sat directly across the Sea of Japan from his old single-room dirt pit and the bathtub where his mother drowned in Vladivostok. He had beautiful women. Fistsfuls of cash. He had a child with one woman, then another kid with a different woman. Their mothers are ungrateful but good at raising children. An adequate choice. The world is my bitch, beginning at a time unknown.
Tupac went to prison, too, Valery thinks. He did around a year, and that was for a sex crime. Computer fraud isn’t nearly as bad. Valery hopes it won’t be that long for him. He’s made some notes for his lawyer. Government agents from four different three-letter organizations want to talk to him.
He knows so much that the government would like to hear, he expects they’ll let him out in five minutes with a pat on the back and a nice fish dinner at one of Seattle’s finest restaurants. They’ll want to learn about the Israelis doing that pump-and-dump scheme. He can describe to them precisely how he laundered his money. Give up some people he can characterize as big shots but who are, in reality, nobodies.
He has taught so many. Across Europe, Asia, the former Soviet states, America, too. He wasn’t just a carder, he didn’t just scam numbers, he was an educator. The people he instructed branched off, started their own operations, modified the code, and found their own niches to exploit. There are people who can modify the card-creating machines at banks, insiders who get jobs as restaurant servers to install malware on their busiest terminals. Swipe, swipe, swipe.
One of his most lucrative operations was in gift cards. He and his contemporaries used stolen credit card numbers to buy reams of the cards, then used those cards to buy commodities that could be cashed out. Tires, iPhones, gold, it didn’t matter. They bought and bought and bought. The government will want to know who those people are, he imagines.
Right now, he just wants to go back to Vladivostok and sit in a big room with a laptop warming his thighs and a very good internet connection. He is inside nothing now. He is outside. The analog world is strange and stupid. He hopes he won’t be out there for a whole fucking year. No way he would get a whole year, he thinks.
Valery is right. He won’t get a year. He’ll get almost 30.
* * *
Back at NOW Bank, Bob Raykoff is perched on an uncomfortable stool in a large conference room in New Jersey. He’s meeting his entire cybersecurity team for the first time. Caroline has just handed him the microphone.
His title is chief information security officer. He has two bosses, the chief information officer, who is his boss on paper, and a chief security officer, who was the person who brought him into the bank—another Air Force vet named Edward Smitty. Smitty is fairly new himself. He is there today, standing next to Raykoff. It’s the first time many of the bank’s cybersecurity staff have met him, as well.
“I have to say,” Raykoff says, halfway through his speech, “I wanted to do this job for one reason. I wanted to protect the people of this country, of the United States of America, and their money, their treasure. That’s their treasure, the people of this country, and I take that job very seriously, and I think it’s a very honorable job to protect those customers.”
The speech does not go over well. About a quarter of the people in the room are from London, where they oversee investments from European nations. The bank in London has no operations that involve deposits from individuals, and those workers have no American customers. There are a few people from Singapore who had dialed in by video conference. One of them looks puzzled and texts his colleague in New York an earnest message:
Is NOW Bank pulling out of Asia??? :-0
* * *
This is a problem. As I write this in 2018, at the time of the action in the book, and before then, too. Global corporations serve masters in many different countries. Militaries serve masters in one country. Corporations are loyal to their clients and shareholders. Militaries are loyal to their citizens. Corporations must bow to the rules of the jurisdictions where they want to operate. Militaries have strict protocols about showing deference to other nations.
Over the course of the past three decades, the digital battleground has shifted to take advantage of the muddy boundaries between these two factions.
Early in the history of hacking, government agencies enjoyed the relative simplicity of a unilateral back-and-forth—countries tried to hack them, and they tried to hack those countries back.
But corporations, with their complex international ties and information that proved to be just as valuable as the information being cached by governments, became much more interesting battlegrounds.
In many ways, the private sector has always been an easier environment to exploit. Surveillance and theft, if done quietly, fly under the radar. Executives don’t care if someone takes your money, if they even know, and if they do know, who would they tell and why? What does it get them? They are happy to be kept in the dark.
NOW Bank has major operations in China and Russia. The U.S. government wants banks to share information about nation-state attacks they receive from these countries. But NOW Bank must do business there. How does it reconcile this discrepancy?
When companies realized they were under a direct threat from nation-states, they woke up, but only slightly. They invited in, as NOW Bank did, as many military people as they could get their hands on, thinking that those sources could offer some valuable insights that didn’t exist in the private sector.
They were right in one regard. Few bankers have the ability to offer up valuable military battle strategies. Their values are tied up in
making money, not in military machinations.
And they were right in another regard: Military veterans make excellent cybersecurity employees, because they understand security so well. They are disciplined. They have insights into perimeter security and intelligence that traditional technologists usually do not.
But bringing in a lot of military brass introduced a great deal of unforeseen conflict, primarily because the criteria for rising to a top military position are not the same as climbing the corporate ranks. There are plenty of ex-military folks working in cybersecurity who have impressive skill sets, but they typically didn’t come from the upper echelon.
Then there are the charlatans. Steeped in jargon and tough talk, with little discernible real-world knowledge or experience to back it up, they quickly make a mess of things. In the hierarchal haven of the military, these individuals do just fine. They have countless staffers to prop them up and carry them through, to do research, to write detailed plans, to get coffee and run the printer. But these kinds of people don’t flourish in corporations, and most certainly not in cost centers.
Absent all those extra staffers, the charlatans often find themselves revealed in sharp relief. Like a pilot flying with no pants who suddenly has to eject.
3.
The Wall
The customer service rep on the other end of the line can’t be more than 20 years old, and she’s clearly reading from a script. But Victor Tanninberg’s brain doesn’t process information in that way.
“I’m never shopping at Home Depot again. These people, their arms grow out of their asses. You know, I just needed a fucking area rug for my fucking living room and now I’m going to have to spend the next fucking week waiting for a new credit card, Jesus fucking Christ.”
It’s now close to the end of July 2014.
“Sir, as I mentioned, we’re sorry for the inconvenience. We can expedite the new card. Unfortunately, there are many ways criminals can fraudulently obtain credit card numbers.”
Victor weighs the pros and cons of continuing the argument with the NOW Bank customer service rep.
An hour ago, he tried using his card at his neighborhood Habib Deli outside Princeton, New Jersey, to buy cigarettes and extra-sweet iced tea, and it was declined.
Thirty minutes later, someone from the bank’s credit fraud department calls Victor. Somebody tried to use his card number to buy tires in Germany so the bank locked up the card. Can’t unlock it. Have to get a new card. He has another card somewhere in a cabinet or a drawer, for emergencies. Maybe in the freezer? Packed away behind a stack of old, dusty laptops probably. No, stuck between the pages of a theoretical physics textbook on a high shelf. He can’t remember.
“Fuck.” Victor hangs up the phone.
Victor is a hacker, too. But he’s not some scumbag who steals credit card numbers, he’s a pro, and these people keep giving him a bad name. Making everyone think all hackers are criminals. He spots a pack of Marlboros, with a single cigarette left inside, hiding in the corner of the pack. Serendipity, at last. Thank Christ, he thinks. He lights it up and starts hunting for the spare credit card.
* * *
Back at NOW Bank, Caroline is packing a suitcase with clothes and scarves, toilet paper, baby diapers. One of her colleagues, a communications specialist named Frances, had a house fire. She’s bringing her the suitcase as a care package. She adds a striped shorts-and-shirt set with a smiling puppy on the front. Toddler size 3.
Something else is going on. It’s not the Home Depot thing. That’s just a standard breach, like the Target thing before it. This one is different.
A small flame has been started within the bank’s security team. A whisper of something wrong. A trip wire tripped. Some of the most technical staffers have been in closed-door meetings. Others, those not privy to the inside story, whisper speculation back and forth. It’s something Caroline recognizes as significant. But until somebody who determines who needs to know tells her she needs to know, she will not know. She wonders where Raykoff is on that list, if he is on it at all.
Caroline leaves the suitcase under the woman’s desk and walks out of the bank’s headquarters, hoping to catch a train back to the New Jersey office before 5 p.m.
* * *
After the DDoS attacks in 2012 and 2013, cybersecurity enjoyed an uptick in status at the bank. It gained political currency in the sense that the attacks were so high profile that executives knew promising to do something about them would create professional heft. It also saw an increase in real capital because the attacks were a catalyst for a bigger budget.
Both types of currency bought a new security operations center at the bank’s headquarters. That’s where Caroline parks the care package for her colleague, one of the new staffers she has hired to work there. Other new security employees, about 30 in all, have been hired or imported from New Jersey. Caroline keeps offices in both places.
In the security operations center, which they informally call the SOC, pronounced “sock,” the security team quietly buzzes away. Stretching their legs and bumping their knees under their desks. Squinting and rubbing their eyes. Most of them are still getting used to all the natural light that the new SOC gets.
It’s a move from the back office to the front office, at least that’s what executives keep saying. From the back burner to the front burner. For some of the team members, it’s an exciting change, getting noticed, coming to work at the corporate headquarters, where everyone dresses well and market-moving business decisions happen right under their noses. For others, it just feels like being on the burner.
The SOC has been over a year in the making. Everything was planned down to the last detail.
Inside the main room, which they call the secure room, 30 desks, each with four 20-inch widescreen monitors, are set up in a configuration they’ve tested on hackers in New Jersey to find just the right specs for left-right and up-down eye scanning. They look like this for each SOC employee:
Five 50-inch plasma screens span the east wall, one displaying scrubbed and fake data from an analytics software program called Splunk. The data is scrubbed or fake because the hackers working in the SOC, who are known officially as analysts, are deeply uncomfortable displaying real data on widescreen televisions. On the south wall, a 90-inch plasma screen plays CNBC on mute. Frances often watches it intently to see what they might be getting wrong.
The north wall is made up of 100 square feet of electrochromic glass. The analysts call this the fog wall. It has been constructed using a five-layer sandwich of ultra-thin glass and polymer layers, the middle layer being a separator with rows of thin, clear, invisible electrodes on either side. One of the layers is soaked in polycrystalline tungsten oxide. When someone flips a switch, lithium ions are attracted to one side of the sandwich, making the glass go white so it resembles a plain, opaque wall. Flip the switch again, and the glass goes clear, so you can see inside the SOC.
The fog wall is not meant as some kind of impermeable force field against cyberattacks, prying eyes, or malicious devices. It is meant to surprise and delight corporate clients who visit the bank.
The significant location, the fog wall, the blinking and blooping screens and high-tech computer setups serve one purpose: to entertain important clients coming through for a tour. Bankers talk to them in the sober confines of the walnut and forest-green atrium, then drop the lithium ion curtain and reveal those flashing, blinking plasma screens with their impressive graphics and all those young turks typing away feverishly on their keyboards. Keeping the financial sector safe from peril, live and in real time. That experience transforms a cost center into something more than what it is. Something valuable.
The fog wall faces an atrium on the twelfth floor of NOW Bank’s headquarters, an area that previously served as a pass-through to get from one bank of elevators to another. The hallway includes a sitting area, outfitted in sober dark-wood furniture with tasteful, academic dark green accents.
On either side of the pass
-through sits the company’s global physical security team, which includes the people who issue credentials to employees and monitor bank robberies. Farther down the hall, there is a hair salon, a wellness center, a “mother’s room” with three curtained stalls where nursing women pump breast milk throughout the day, conference rooms, a catering area, several meeting rooms, one fancy meeting room with soft couches, and lots of audiovisual equipment. Ensconced within these symbols of normalcy, the analysts inside the SOC prowl the bank’s systems, waiting for an enemy to strike.
They will not have to wait long.
4.
The Baby
Ultimately, the SOC is about function, not style. The analysts in the SOC are good, probably some of the best in New York. They were hand-selected and hired by Caroline, after all. The bank itself is great at security. NOW Bank is great at security in large part because of all the writing, all the documentation, all the clearly outlined rules for employees, for letting people into buildings, for hiring and firing, all the rules for software security and rules for vendors and rules for budget projections and rules for intelligence reports. Their security posture on paper is outstanding.
Paperwork, maybe paradoxically, is frequently proven to be one of the best lines of defense.
Attacks are inevitable. The Defense Department sustains them daily, and the Defense Department is a war machine. A bank is not a war machine. It can’t fight back, only defend. And even in that defense, the enterprise is constrained by the scenarios it has planned for. Those scenarios are recorded in the reams of paperwork. They are often theoretical, historical, or invisible—as in, nobody of significance will ever see that they happened—a fact that keeps the security function itself invisible.