by Kate Fazzini
That’s why the DDoS attacks changed everything. Some executives have started to see the bank as a war machine. Some begin to view the bank as, at the very least, subject to a potentially high degree of embarrassment—called reputational risk in business speak—if it fails.
The cybersecurity staff got their chance to propose what they would do with a huge new budget. In response, Caroline and her team created one of the most ambitious series of PowerPoint budget proposals the world has ever seen. They asked for a lot of money and they got it. Many millions flowed into cybersecurity’s budget. They built up the SOC. Better people came to work there. Paper wins again.
Then things took an unexpected turn, way out of the control of any of the people who did the work of cybersecurity. The bank’s chief operations officer got his brother involved. Executives became obsessed with finding a marquee name to match the budget. Somebody who looked fantastic on paper, who had written books about cyberwar. Because they were a war machine now, right?
Enter Bob Raykoff.
There is a widely held view in the corporate world that luxurious, high-profile surroundings are necessary to keep the money flowing because money begets money.
But cybersecurity people, even the technical ones, don’t need, nor do they necessarily like, expensive technology. Movies and television have misled their audiences on this point, because so much of what the analysts do involves sitting in chairs, eyes darting back and forth, calculating risks based on variables that constantly change. You don’t need expensive accoutrements for that.
Impressive neon graphics and world maps with blinking lights representing attacks are just a veneer, code on code. What most of the workers in the SOC see all day looks more like the above.
They also aren’t terribly comfortable with being seen themselves. It quickly became a practical joke to flip the switch on the fog wall. Whenever this happened, rather than look out the clear glass, everyone simultaneously looked at the data on the plasma screens. They wanted to be sure nothing real incriminating was up there. Once safety was assured, then, perhaps, they would laugh.
Only a small handful of people truly care how the office looks, but it is one of Caroline’s many jobs to care about this. The appearance of success and power confers actual success and power. Expensive art lines the walls of even the most modest meeting space. The bank displays Teddy Roosevelt’s hunting rifle in a conference room on the fiftieth floor. The SOC is the cybersecurity equivalent of Teddy Roosevelt’s hunting rifle.
You can’t do good security without good security people, and really good, talented security people don’t generally want to work in a bank. It costs money to rip them away from Silicon Valley, away from start-ups, away from Google and Apple. It takes money to play keep away.
There is no sign marking the SOC yet. The glass stays opaque most of the time. In order to enter the SOC, you have to know it’s there. Then you need to notice the seam in the honey oak wall partition. That’s the door, but there’s no handle. There’s a small electronic strip where you can swipe your security badge, but if you’re not one of about 30 people out of 300,000 employees, you won’t get access. So you have to knock on the wall.
On this day, as on most, Raykoff is nowhere to be found. His new office is in the reception area. It holds a row of six chairs and six desks in trader formation all facing south toward the floor-to-ceiling windows. It’s so bright in there, the employees sometimes have trouble seeing their screens. There are usually only two people: a government relations person and the head of intelligence. They are support staff for the SOC. Government relations—a tall, angry Arab American ex-spook named Gabe who constantly drinks Red Bull—makes sure everyone from the FBI, NSA, DHS, branches of the military, and CIA feel like they are looped in. Gabe’s job is to hold their hands and make sure they are invited to luncheons.
The head of intelligence, a quiet, brilliant Korean American ex-spook named Tom, takes all of the news and information feeds from the guys inside the SOC and turns it into a predictive report about what the next threat will be and from whence it will come.
On this day, Caroline realizes she left her keys in the SOC. She sprints back, swipes her card four times to get back into the building, runs up the stairs, goes through security reception, and returns to the SOC, where she grabs her keys and quickly turns, glancing out the south-facing floor-to-ceiling windows. Sunlight floods the room and the view makes her catch her breath. It’s so clear you can see all the way down Vanderbilt Avenue. She sighs. This place is her baby, too.
This is the house that nation-state hackers built.
* * *
In August 1994, a hacker named Vladimir Levin transferred $10 million, the equivalent of $250 million in 2018 dollars, via the telecommunications network to accounts in Sweden and Denmark. He had infiltrated the core banking components of the interbank wire system and intercepted communications channels between Citibank and the Depository Trust & Clearing Corporation, an intermediary that monitors and approves international wire transactions. It wasn’t the first time somebody had stolen money from a bank using computers, but it was one of the biggest, most visible, and most highly publicized heists.
Citibank used a great deal of technology in 1995, but they had no cybersecurity department. They had a physical security staff. But the types of data breaches they’d dealt with in the past were more along the lines of an overturned truck on the New Jersey Turnpike that had been carrying data tapes to a storage facility.
The Levin incident would lead to the bank creating the first-ever chief information security office. The new department would help protect the bank’s money. Not the data of its people, not the intellectual property or proprietary trading information. The money. Because back then, that’s what people wanted to steal. Because they could. Russia allowed Levin to be extradited. He was later picked up at Heathrow Airport in London, flown to Manhattan, and sentenced to three years in jail for his crimes.
Hackers like Levin were 15 years ahead of the banks. Money is money, and when it’s gone, it’s gone. Citibank pumped funds into its new cybersecurity office, and other banks followed suit. In about a year, thefts of money directly out of bank coffers stopped almost completely.
Hackers had to find new things to steal in order to make money. It didn’t mean they stopped targeting the banks, it just meant that they eventually gave up on trying to break into them and steal dollars. They turned to other things they could monetize, then to other types of companies that dealt in financial transactions, then to other types of companies, period. The practice of intercepting financial communications never ended, only the practice of specifically trying to intercept communications between banks and clearinghouses. The targets changed but the tactics stayed the same.
Identities, bank account details, birth dates, credit card numbers, and maiden names became the new commodities. None of those things, of course, is money. When these things are stolen, they aren’t really gone; they can be replaced. Because they are perceived as less valuable than money, it’s harder to lock them down.
* * *
In May 2000, Vladimir Putin became president of Russia. The country had already established itself as one of the leading bastions of criminal hackers—like Levin—and one of the greatest sources of astonishingly gifted engineers and mathematicians. Those great engineers and mathematicians, builders of code, of cyberweapons, hackers of nation-states didn’t associate with common criminals. What they did was different. Many hackers, like the infamous German cyberoperatives who stole nuclear secrets from U.C. Berkeley computers in the 1980s, just went on to work desk jobs after their years of espionage.
But Putin saw the value in what hackers did, probably better than any other world leader. These criminals were incredibly sophisticated, some as much as the most gifted engineers, but they were messy and sloppy and weren’t motivated by patriotism. They wanted money and power and women and respect. But Putin believed patriotism could be cultivated, especially if it meant
gifted hackers would not get extradited, as Levin had, and their spoils turned into shared resources of the state.
Russia, both its government officials and certainly its criminals, turned its attention away from government assets in other nations and focused on business assets, which were poorly protected, if they were protected at all. Fewer and fewer cybercriminals were extradited. The state looked the other away when it came to taxing the hackers’ illicit earnings. But when Putin came knocking at the door for a slice of the information stolen from U.S. citizens, cybercriminals knew they had no choice but to give it up. It didn’t hurt their earnings and the state enjoyed the plausible deniability of being able to say it hadn’t ordered anybody to hack anything.
On April 27, 2007, Russia attacked Estonia over a dispute involving an elaborate bronze statue of a Russian soldier in a Tallinn cemetery. To exact revenge for the removal of the war memorial, Russian criminal and state resources banded together and, most likely aided by a private-sector telecommunications company, took down a great many of Estonia’s broadcast services and defaced many of its websites. This cyberwar, the first of its kind, would lead the North Atlantic Treaty Organization to establish its cybersecurity headquarters in Tallinn. The decision was more than a symbolic gesture; today Estonia is a cybersecurity heavyweight.
But when Russia brought Estonia offline, it caught the attention of the world’s militaries. And it emboldened young computer enthusiasts in Eastern Europe, especially Romania.
* * *
In 1994, when Vladimir Levin was stealing Citi’s money, René Kreutz was born in her mother’s bedroom in a communist bloc apartment in Arnica Valka, Romania. Mrs. Kreutz, a homemaker, and Mr. Kreutz, a police officer, had never seen a computer. They would give their daughter an abacus as a toy, in the hopes that she would take up mathematics. It would be the first thing she ever gripped in her tiny fist.
In 2000, when Vladimir Putin was sworn in as president of Russia, René saw a computer at a local library for the first time.
In 2007, the year René tried alcohol, she heard all about the Estonia attacks.
It was the Estonia event that made many of her young friends want to become hackers. Their motivation was half patriotic and half economic. Many of them hated the Russians for constantly using their digital might to assert themselves across borders. They also wanted to be rich and didn’t see a way to get there through a traditional career. They didn’t see themselves as criminals, just smart kids wanting to get one over on the world.
René would not follow in their footsteps, however. Computers didn’t interest her. Math didn’t interest her, to her parents’ great disappointment. She liked to talk and wanted to be around people. It didn’t mean she didn’t respect the fevered pursuit of money or understand it, she just didn’t take part. Some kids like soccer, some kids like dancing, and some like computers. René liked to party.
René’s schoolmates were no different from other kids across Eastern Europe and Russia, especially former Soviet states. These kids were competitive, anarchic, and untethered to their countries or their governments. In many of these former Soviet nations, few resources were dedicated to legal enforcement of computer crimes. It was like an open invitation for hackers. They had the same mind-set as someone who dreamed of Silicon Valley or the dormitories of Stanford, but they lacked the opportunity to pursue a career in tech. So they created their own opportunities.
The competition to make money was fun for René’s friends. It was unstructured. Online, they could match wits, swap techniques, and share code with Russians, Israelis, Iranians, Americans, Jews, Muslims, and Hindus. René thought it was more like World Cup soccer than cyberwarfare. This post-Soviet hacker culture solidified around a few ideals: making money is paramount; it’s much more dignified to outwit opponents with a new innovation than to beat them with brute force; you need to show your country a little loyalty for letting you get away with this stuff.
* * *
By July 2014, while Caroline admires a perfect sunset in Manhattan, René is heading off to class. She is studying marketing. This class is on making PowerPoint presentations. She is boring her pants off at Arnica Community College. She sometimes wishes she’d paid more attention to what her friends were doing and gotten into computers, too. Many of them already had good jobs in Bucharest or Tallinn.
But she resigns herself to the work ahead. A marketing job will be nice. She dreams of being a spokeswoman for something, a professional talker. Something that involves being around people. She hates being online, despises social media, except to share pictures with her friends. She barely checks her email, never goes on Facebook. Prefers instead working her job as a waitress in the evening.
PowerPoint class is boring but there is still a certain art to it that she appreciates. She pours as much energy as she has into making her slides look perfect. She worries she is wasting her time because nobody ever made millions off nice-looking PowerPoints. Though hers are beautiful, there’s no point in thinking that far ahead. There are hardly any businesses in Arnica Valka, or anywhere nearby, that need fancy PowerPoint presentations.
* * *
Bob Raykoff is lumbering his way around the SOC, introducing some important-looking businesspeople. According to some employees, his use of jargon from his prior position makes them uncomfortable and prone to distrust him.
Knowing glances have become currency in the SOC. Whenever Raykoff delivers a speech or tries to motivate them, the disconnection is so profound you can see the operators at their desks, completely motionless, only their eyes moving to meet with those of their deskmates. The unspoken message: “We’re fucked.”
Professionally, legally, even personally. Fucked because Raykoff is already bringing in second and third layers of executives from his pool of guvvy friends, people he knows well, an informant army of fall guys who will provide a cushion between him and the unpredictable staff.
Raising legitimate alarms up the corporate food chain will become harder, a huge problem in cybersecurity, as raw information will get filtered by the agendas of those in the middle before it reaches someone who can actually take action.
Raykoff goes back to his new office outside the SOC within earshot of a handful of employees. He logs onto his computer. Ten minutes later he is slamming the mouse down repeatedly. His administrative assistant enters the room.
“Everything OK?”
“Uh, ha.” He grins sheepishly. “I can’t get this thing to work.”
“What is it you’re trying to do?”
“Uh, this … onboarding training. For new employees.” He sighs. “Honestly, I don’t understand why someone in my position needs to do this.”
“Let’s have a look. You can’t navigate through the training?”
She steps up behind him and takes the mouse. The training is on privacy obligations of security professionals. She clicks on the correct answer on the screen, five red Xs disappear, and the training module progresses. She smiles, pretending to not know that all she did was provide the correct answer to the question. A happy accident.
“There you go,” she says, turning to leave the room.
“Wait a minute. Uh, I’m really slammed.” He turns to his desk, shuffles a pile of papers for effect. “Could you finish this for me?” Pause. “This Home Depot thing’s wild, right? Hopefully that’s the worst thing we see this year.”
She comes back to the desk. Glances at her colleagues standing outside the office. Currency is exchanged. She begins clicking through the correct answers, a tight smile on her face.
“No problem.”
* * *
A short, muscular Israeli with Russian roots, Victor Tanninberg has all kinds of reasons for why he can’t hold down an office job. He despises authority. Can’t stand working alongside other people. Hates answering questions. He has a PhD in string theory and sometimes can’t be bothered to say what he is thinking out loud; it takes much longer than simply doing it. He doesn’t do paperwork.
r /> So 12 years ago, he put his PhD in string theory to work by learning how to program and tweak the electronic control units of GM cars. He has three cars, all modified. A navy blue Corvette and a black Crown Victoria with a Corvette engine. The Crown Victoria has a push bar and police spotlights. Then there is the dusty old Chevy Lumina that he lets his sister drive around.
The Crown Vic is a monster. It drives fast and turns on a pin and takes up far more space than it should. It is what he prefers to drive out to Padraigh’s place in Newark. People tend to get out of his way when he drives the Crown Vic, which he appreciates.
* * *
Over those years, he’s watched as the networks that operate those cars proliferate and grow to a degree that is similar to the interwoven, sometimes dysfunctional networks supporting NOW Bank. In Victor’s case, the networks are made compact and introduce incredible complexity to each individual Malibu or Impala.
It’s a job that’s always challenging in some new way. A job that mostly always keeps him, blessedly, thankfully, out of contact with other people.
Now a reporter is bothering him. He hates reporters. The reporter is trying to get him to explain to her how car computers work and how they could be hacked. He explains, carefully, first that he is not a hacker. Then he describes how car computers have changed over the years to become more vulnerable. She treats Victor like he simultaneously represents every hacker, Russian and Israeli, who has ever lived.
“Have you heard anything about this breach at Home Depot?” she asks.
He hesitates. “No. From who?”
“From other hackers?”
“I am not a hacker, and I don’t know other hackers,” he says. Although, given his credit card issues, he wonders if it’s related.