RED Hotel
Page 25
“Bigger.”
“Two thousand?” This time Reilly really posed it as a question. A number like that was scary.
“Are you sitting down?”
“No, for God’s sake. How many hacks do we get?”
“Hundreds of thousands,” the IT chief exclaimed.
“A year?” Reilly responded with amazement.
“No, a day. Robo on automatic.”
“Holy shit!”
“Remember, we’re talking about computers around the world programmed by geeks and governments that are constantly feeling out for soft spots. A hacker turns his PC on us and it keeps on going like the Energizer Bunny!”
“Jesus Christ. So how the hell do we block them?” Reilly realized he needed to learn more, and not just because of his personal concerns.
“Well, like other firms, we have unified threat management technology, UTMs, that can help stop attacks like that. The problem? As hard as we try to stay ahead of the hackers, they’re working twice as hard to trip us up and get to our proprietary content.”
Reilly realized Spike Boyce was telling him the same thing he had heard in the conference room.
“Of course,” Spike continued, “if they’re trying to freeze us up or wipe the memory, we’ve got backup.”
“In house?” Reilly followed up. “Aren’t we still exposed?”
“Way out of house. In a bombproof location.”
“Where?”
“Can’t tell you,” Boyce admitted.
“Really?”
“Honestly, I’m not allowed.” Boyce didn’t even hint at the location, which was a retired Utah salt mine. “You can’t even get it out of Alan Cannon. He’s not on the list either.”
“So what are the hackers after?”
“Most of the time credit card info, which we have to further encrypt, but they also probe for accounting, rewards, and corporate email.”
Corporate email. Boyce hit Reilly’s direct fear.
“Tell me about that,” Reilly said.
“Which?” Boyce asked.
“The email. What do you use to protect it?”
“UTMs again and something we call fault injection techniques.”
“What the hell is that?”
“We outsource with a number of ‘white hat’ firms that constantly test our systems at the hardware and software levels for ‘black hat’ penetration.”
“We trust them?” Reilly asked.
Boyce laughed. “We vet them,” was all he explained.
“Are we safe?”
“Today. For a while, yes. But 100 percent safe forever?”
“Try tomorrow,” Reilly said. He was becoming increasingly worried.
“We’ll never be 100 percent safe against cyberattacks. In fact, we’re most vulnerable through outside portals that do business with us.”
“Like?”
Boyce ran through a list. Reilly was not pleased with what he heard.
“If it’s any consolation, we have antispyware protection that’s updated daily; multiple times a day, in fact. But that only allows us to play a zero-sum match. Any of us can click on an attachment that has a virus or a worm that wiggles its way through the system and compromises everything.”
“I don’t think that’s the case,” Reilly volunteered. “What would it take for someone to hack into my email and contacts?”
“Finally something I can work with.”
“Come on, Spike. What would it take?”
“Someone very smart. Someone like me.”
MOSCOW
Andre Miklos took the stairs two at a time up to the Operational Reconnaissance office. He waited ten minutes before being allowed to enter and speak to the deputy director, which annoyed him all over again.
“Talk and make it count,” he demanded as he walked through the door.
“The cybersecurity division has been working on access,” Vasilev explained defensively. “Some road blocks.”
Miklos wondered if the American was onto him.
“Deputy Director, what don’t you understand about my request? Miklos stared long and hard at Vasilev.
“I understand completely. The directorate’s chief IT officer has prepared an interim brief and we’re diligently—”
“Show me!” Miklos demanded.
Vasilev handed the brief to Miklos.
Daniel Paul Reilly. Age 39. Former Army Major, served in Afghanistan, South Korea, and European posts. Decorated for saving a fellow officer. No details of the specific action. US Army retired. Accepted post in the US State Department. Research analyst. Washington office. No information on assignments.
“Of course,” Miklos whispered.
“Of course what?”
“Nothing,” Miklos said. But his mind went back to the Kremlin hallway as he continued to read the brief.
Employed by Kensington Royal Corp., Chicago, IL, USA. Senior vice president of the international division. Worldwide travel. Principal full-time office in Washington. Married. No children.
Miklos looked at the date. The last entry was two years old.
“What is your opinion?” The assassin wanted to see how committed Vasilev was to the inquiry and if he had even read the report.
“Definite military background that he parlayed into a cushy government job, likely taken to secure a second government retirement plan as Americans do. Used that position as a jumping-off point for a corporate job. A third retirement option. He keeps pretty public,” Vasilev said confidently. “So there’s little to hide.”
“Are you so sure?”
“Would you go on TV and expose yourself if you were trying to stay in the shadows?”
“What do you mean?”
“You can watch him on TV,” Vasilev proclaimed in a superior voice. “Here.” He gave Miklos a thumb drive. “The subject recently testified in the US Congress. We translated what he said, but you should listen to his tone. He’s defensive. A corporate shill under the lights. Entertaining viewing.”
Miklos took the external drive and the limited dossier, which included photographs from the KR website.
“He comes across serious, though,” Vasilev concluded.
“So am I,” Miklos said. “So am I.”
CHICAGO
Reilly didn’t immediately return to the meeting. He and Brenda worked on an Excel spreadsheet listing specific hotels around the globe, regional heads, and general managers. Before printing out copies, he gave it a final review. “God almighty,” he said. “We’ve got a lot of work to do fast.”
Back in the conference room Reilly distributed his latest work.
“What’s this?” Lou Tiano asked for the group.
“Hotels in cities where we have to step up security now.”
Members of the committee scanned the sheet. Alan Cannon remarked first. “Interesting grouping.”
“Yes, they are,” Reilly replied.
Chris Collins finished looking over the list and noted, “Some of these cities haven’t been cited as terrorist targets.”
“You’re absolutely right, Chris. They’re not. But they should be.” And Reilly explained why.
46
CHICAGO, IL
KENSINGTON ROYAL CORPORATE HEADQUARTERS
A week later, Edward Shaw requested that Tiano, Reilly, Collins, and Cannon brief him. They could bring endorsements and objections from the other stakeholders, but he wanted to keep the meeting manageable.
The executives waited in the corporate conference room for Shaw’s arrival. It was agreed that Reilly would take the lead with Cannon covering operational plans, Collins legal and Tiano financing. Tiano had notes on the 30,000-foot view, and what it would mean to the entire industry.
Prior to the meeting, Reilly placed two stacks of documents face down on the long conference table. One included five copies of a twenty-page bound PowerPoint deck. The flyover. The second contained an equal number of full plans, detailed in 120-pages. They’d start with deck.
Sha
w entered with a hearty greeting for everyone. “Okay, jackets off. Let’s roll up our sleeves and see what you have.”
Before handing out the PowerPoint presentation, Reilly delivered a preamble.
“We are targets. We must fully recognize that yesterday’s embassies are today’s hotels. Hotels and resorts are targeted by rouge nations, terrorist groups, and lone wolves. Some seek to disrupt and kill simply to say ‘look at us.’ Others attack to destabilize sitting governments. But there are other untold, unconsidered, and so far unimagined goals that terrorists of any stripe hold. The common denominator that puts us in the crosshairs? We’re vulnerable.”
Reilly turned over the deck. “You know I prefer these things one page at a time, right across the table. So let’s go through our initial assessment and what it means to Kensington Royal.”
He handed out the copies titled Crisis Management Plan: Possibilities, Procedures, and Prevention.
Alan Cannon, head of security, paraphrased the objectives. “Our first objective was to create a coordinated and effective handbook to deal with crisis situations—direct threats to our brand and personnel. These include kidnapping or hostage taking of any of our staff, their families, or guests; extortion against any associate; civil disturbances; bombing or the threat of bombing; biochem attacks; and even natural disasters. Having done that, as you’ll see in the detailed plan, we have two immediate goals. One, implement a four-tiered color-coded threat-assessment program that can be raised from low to high as threats demand stronger responses. Two—and even more immediate of a need—place a number of our properties on the top two threat levels now.”
Next, Alan Cannon summarized the third page of the deck. “Our plan represents a paradigm shift for us and the industry, taking existing precautions further than anyone has to date. It puts Kensington Royal in a go position, ready to move quickly to prevent loss of life and loss of property. Building on Dan’s introduction, we must operate on the principle that terrorist strikes will continue. Inevitably, we will be hit again.”
Shaw internalized the warning. He couldn’t hide the alarm it sounded.
“So we must invest at a substantial capital level that Lou will soon cover,” Cannon continued. “Failing to do so will put us at even greater risk. Now from a security point of view, a key component in launching an effective plan is establishing strong liaisons with local, regional, and national law enforcement departments. These include government intelligence agencies here and abroad. Dan focused on this at his Congressional hearing. We’ll need access to current and credible intelligence to vet risks, to determine whether our defense posture can stand up to perceived threats, and whether we have enough active protection in place to deter attacks.”
“How are we doing with NSA and CIA channels?” Shaw asked.
Reilly remained intentionally quiet. Cannon took the question.
“I’m working with my bureau contacts and having informal conversations with the other agencies. To be honest, we could use a friend to make some calls.”
Shaw smiled. “Like someone in this room who donated to the president’s campaign?”
“Precisely,” Cannon said smiling.
“What about you, Dan? Your State Department years give you any access?”
“Some, sir. I’m working on it.”
“Okay, go on,” Shaw said.
Cannon nodded. “Page four. Western-branded properties, luxury or not, are a symbolic target of American’s influence and affluence, our strengths and weaknesses. We house tourists, business executives, and diplomats. Facilities host celebrations, meetings, and conventions. We provide open, principally unfettered environments with multiple access points that create relative ease for pre-attack reconnaissance runs. Finally, we offer a virtually guaranteed high death toll.”
“Alan, I know the problem. Cut to solutions. How are we going to accomplish this? And then, I hate to say it, give me the cost.”
Cannon went through the threats: Blue, Yellow, Orange, and Red. Upon hearing each escalation, Shaw realized how lucky they’d been to date.
“Sir, launching our proposal will also require paid analysts,” Cannon continued. “We first thought Washington, Hong Kong, and London. Given instability throughout the world, we’re now recommending an even larger team that will include Brussels, Istanbul, and Buenos Aires. But we’ll need more expert intelligence to assess and evaluate security conditions on a worldwide basis; to determine where and when potential and active threats exist.”
“Lou, what’s the sticker price?” the august owner asked COO Tiano.
“Year one, we’re asking for $12 million as a fund to hire, instruct, build, and supervise.”
“Asking, Lou? What will it take to really do?”
Tiano had another number that they’d debated. Start lower with marked increases year-by-year, or higher from the start? Shaw’s question was right. What would it really take?
“Dependent on our future acquisitions or sales, a better number that comes with more confidence is $18.3 million, maybe rolling off two million over the next five years. We have snapshots of both starting on page twenty.”
“In all good conscience,” Reilly interrupted, “it could go up. It depends on what happens in the world. No one ever expected what we’ve been seeing on a global scale.”
Shaw read the Excel spreadsheet included in the PowerPoint deck. While he did, Reilly wrote a short note, ripped it off his pad, and folded it once.
“Dan’s right,” Tiano said. “Read the second chart, which has the escalations.”
Shaw’s tone of voice markedly changed. “To the best of your knowledge, are we today, right now, this minute, facing any threats?”
Tiano looked to the KR head of security.
“None that we know of,” said Cannon. “But we have no way to know without implementation of the committee plan.”
“Jesus,” Shaw exclaimed. “What is this world coming to?”
At that point Reilly slipped the note across the table to his boss. Shaw opened it and just stared at Reilly.
MOSCOW
Anatoly Zherdev sat in a virtual command center of his own design in the Lubyanka building, the FSB headquarters. He selected an interior room with no windows, thumbprint locks on his equipment, and a bank of ever-improving American computers. He preferred working on PCs, a combination of HP, Dell, and more that he had built from scratch.
Anyone who passed Anatoly Zherdev on the street, with his thin black tie, blue shirt, and jeans, would likely peg him as a bookish computer nerd. However, unless he was seen entering or exiting the FSB offices, which included the prison on the first floor, no one would ever think he was the Russian Federation’s smartest hacker.
Zherdev grew up in the service. He was recruited as a teenager by the FSB in the late 1990s. Now he was a decorated, though plain clothes, FSB officer. He didn’t carry a pistol—his battlefield was the internet, his weapon of choice, computer code. The FSB hacker was fluent in multiple computer languages: C, Python, Ruby, Perl, Bash, and a dozen others only in the beta stage.
He relished opening doors to other people’s private lives. He did that when they were poorly protected or when they hid behind complicated barriers. Some were so simple they were boring. But he lived for the challenges provided by individuals, corporations, and governments. He was as silent as a stealth hunter stalking a deer. And he had killer instinct.
Just for fun, he’d hacked successfully into Wall Street financial houses, American movie studios to screen movies long before release, the Queen of England’s email, and Las Vegas oddsmakers.
For work, Anatoly Zherdev penetrated the White House, 10 Downing Street, and even the Kremlin. He always proceeded patiently and methodically, searching targeted computers for ways to unlock ports and find acceptance as a user with administrative privileges.
So far Zherdev’s direct attacks on the Kensington Royal system were frustrated. Then again, he didn’t expect easy entry. Any corporation operating glob
ally had to have multiple rapidly changing defenses. The Sony hacking and the breaching of the New York Times firewalls had upped everyone’s game. Cyberattacks against the US State Department and the Democratic National Committee and Russia’s game playing in elections around the globe put governments on ever higher alert.
“So,” he said aloud, “perhaps you’ve left another door open for me.”
To find out, Zherdev went to Hoovers’ and Forbes’ public websites using a system of his own design that didn’t leave a trail of cookies or other traceable footprints. From there he checked out American SEC filings, legal actions on LexisNexis, plus a wide swath of newspaper and magazine article search engines. Zherdev had immense faith in his own special abilities as an FSB agent. He’d find a way into Kensington and prove they weren’t so royal.
CHICAGO
“What’s so important we couldn’t discuss it in the room?” Shaw asked, holding Reilly’s note.
“Relationships, sir. Confidential relationships that should be kept that way,” Reilly announced. He paused to see if Shaw even wanted to proceed.
“Oh boy. Take a seat. I have no idea what the hell you’re talking about, but it’s obviously important.”
Shaw sat on a leather chair in his office while Reilly settled onto the couch opposite him.
“We already have a well-placed contact with American intelligence services.”
Shaw raised an eyebrow. “I’m confused. During the Washington hearings you sought intelligence. That was your testimony.”
“Yes, it was, sir.” Reilly decidedly remained formal. “It’s developed since. I wanted to create an official route which, for now is only …” The next word was critical. “Unofficial.”
“How unofficial?” Shaw leaned forward.
“Extremely.”
Now silence. Reilly thought it would be up to Shaw if he wanted to learn more.
“Relationships that go back to your State Department work?”
“I’d prefer not to say,” Reilly volunteered.
“You’re being very careful with your words.”