MBA alum leads FBI cybercops

FBI assistant director Gordon Snow

Cell phones, cameras, and other electronic devices are forbidden in Pamplin alumnus Gordon Snow’s office.

Visitors to his building encounter an obstacle course of electronic scans, passes, and turnstiles before entering a vast lobby where they must wait to be escorted, through more electronically secured portals, into the inner warren of spaces. Hallway decor includes mug shots of America’s 10 most wanted fugitives, including Osama bin Laden, whose entry was stamped across with a conclusive update: “Deceased.”

Snow (MBA ’01) works at FBI headquarters in the J. Edgar Hoover Building in Washington, D.C., where he leads the bureau’s efforts in combating cybercrime and other computer-based threats as assistant director of its cyber division.

Cybersecurity is a growing worry for businesses and governments and has become one of the FBI’s highest priorities. High-profile hacking incidents this year targeted such institutions as the International Monetary Fund, Citigroup, Google, Lockheed Martin, Nintendo, Sony, and Nasdaq.

The number and sophistication of cyber attacks increased dramatically over the past five years and is expected to continue to grow, Snow says. “It’s easy for somebody, given enough time, energy, and funding, to penetrate any system that is accessible from the Internet. There really is no secure system out there.”

Hallway decor includes mug shots of America’s 10 most wanted fugitives, including Osama bin Laden.

A former Marine, Snow has been with the FBI for nearly 20 years. Before being appointed to his current post in 2010, he worked on counterterrorism, counterintelligence, cyber, white-collar, and violent crime assignments around the country and abroad.

In this fall’s cover story, Snow talks about the FBI’s cybersecurity work with guest interviewer Wade Baker, director of risk intelligence at Verizon and a Pamplin doctoral student in business information technology. Topics include the nature and extent of cybercrime, cybercriminals’ motives and methods, what businesses can do to manage their risks, and the benefits of his Pamplin MBA education.

Wade Baker: Is there a standard definition that the FBI uses for a cybercrime? What are the different types of crimes you would investigate?

Gordon Snow: A cybercrime would be a crime committed using a computer or a computer network. The meat of our program is in intrusion or hacking — the definition of that type of crime would be under Title 18 U.S.C. § 1030.

We are focused on four strategic objectives related to reducing the cyber threat to the United States while protecting the freedom, privacy, and civil liberties of Americans: first and foremost, to stop those individuals, groups, or foreign powers behind the most serious computer intrusions and spread of malicious code; second, to identify and thwart online sexual predators or groups that sexually exploit children for personal or financial gain; third, to counteract operations that target U.S. intellectual property, endangering our national security and competitiveness; and fourth, to dismantle national and transnational criminal enterprises engaging in Internet fraud.


Gordon Snow and Wade Baker
Gordon Snow, left, head of the FBI's cybercrime effort and Pamplin alumnus, talks with Wade Baker, risk intelligence director at Verizon and Pamplin Ph.D. student, about cybersecurity in business and government organizations.

The division’s priorities align with the strategic objectives, within which we stack our cyber intrusion cases, with the highest priority being counterterrorism, followed by counterintelligence — investigating state-sponsored entities seeking to steal information for the benefit of a foreign government — and then criminal intrusions. An individual or group with intrusion capabilities presents the most significant threat to our national security and national computer infrastructures, with the potential to impact the national economy. Child exploitation, intellectual property theft, and Internet fraud complete the cyber portfolio.

As both an intelligence and law enforcement agency, the FBI can address every facet of a case — from collecting intelligence on the subjects in order to learn more about their networks to dismantling those networks and prosecuting the perpetrators. The ability to take action on the information we collect is critical, because what may begin as a criminal investigation may become a national security threat.

Most of our money moves in zeros and ones across IT lines now, and as business processes become more dependent on information technology, I imagine the scope of what you’re trying to protect is increasing all the time.

Absolutely. Financial crime is a huge portion of cybercrime and, given the potential impact on our financial infrastructure, it is also a national security concern for the country.

What’s the size of this problem? I’ve read that the financial losses from computer intrusions are larger than the drug trade.

It’s really difficult to put a size on the problem. Many people and many organizations don’t report intrusions. They prefer not to disclose that their systems have been compromised, so they absorb the loss, making it impossible to accurately calculate damages. The best that the government and private sector can offer are estimates. Over the past five years, estimates of the costs of cybercrime to the U.S. economy have ranged from millions to hundreds of billions. A 2010 study by the Ponemon Institute estimated that the annual cost of cybercrime to an individual victim organization ranges from $1 million to $52 million. The cases range from very sophisticated intrusions to what many would consider unsophisticated fraud.

Understand that there really is no secure system, because there are so many vectors of access — remote, proximate, insider access, and supply chain — and all systems are interconnected.

But there are some things that individuals can do if they believe they are a victim of a crime. The FBI’s Internet Crime Complaint Center receives complaint information and makes links to other victims across the country. By aggregating these events, law enforcement entities are able to prosecute matters where victims had once been informed “there is nothing we can do to help you.” Our website, “LooksTooGoodToBeTrue,” highlights examples of recurring scams, and the FBI web page is also a good starting point for people to sign up for fraud alerts and report crime.

Over the last five or six years, there have been more laws governing what types of cybercrime intrusions must be reported. These vary from state to state. Will there be centralized reporting? An equivalent of the National Transportation Safety Board for cybercrime events? A lot of the reporting now is about regulated data — personal information, payment card stuff; what’s not often reported is theft of intellectual property.

You’re right, I think there are 47 different, distinct data breach laws at the state level. Currently, both the White House and Congress are working on legislation to address cybersecurity and data breach.

What are the main categories of cybercriminals and what drives them?

We break it down to about three different arenas: cyberterrorists who would do damage to our critical infrastructure such as the electricity grid, financial sector, and transportation networks, and who have the same motives as those who carry out traditional physical attacks — they view the U.S. and its allies as their enemy; state-sponsored intrusion from foreign governments interested in the research and development of private industry and the defense industrial base that would give them a global advantage; and then those who do it for pure financial gain.

Cybercriminals have one thing in common — their realm is characterized by low risk, anonymity, and very large potential gain. The potential for considerable profits has resulted in the creation of a large underground economy. The cyber underground is a pervasive market governed by rules and logic that closely mimic those of the legitimate business world, including a unique language; a system of stratification based on knowledge and skill, activities, and reputation; and a set of expectations about conduct — so if you and I enter into an agreement, and you decide not to give me my share of the money, it’s a very close-knit community; I can make sure you don’t get a chance to work again.

Website forums are one means of communication within the cyber underground. On these forums, criminals buy and sell login credentials, phishing kits, malicious software, access to botnets, social security numbers, credit cards, and other sensitive information. Cybercriminals are increasingly professionalized, organized, and have specialized skills.

Crime was much more limited 100 years ago, in terms of the physical area or number of targets one criminal could attack. The interstate highway system expanded that territory. Now with the Internet, criminals in one country can attack victims in completely different countries on the same day.

That’s a great analogy. Take, for example, the national and international drug trade and its distribution networks — think of all the material and personnel and logistics involved. On the information superhighway, you don’t need to find somebody in another state to act as your proxy; you can get to that state from your living room or your business or wherever you operate. The cyber underground facilitates the exchange of resources, enabling criminal operations across multiple countries.

In late 2008, an international hacking ring carried out one of the most complicated and organized computer fraud attacks ever conducted. The group used sophisticated hacking techniques to compromise the encryption used to protect data on payroll debit cards, allowing a network of “cashers” to withdraw more than $9 million from ATMs in at least 280 cities worldwide, within 12 hours.

Not only are criminals advancing their abilities to attack a system remotely, but they are becoming adept at tricking victims into compromising their own systems. Social engineering — techniques based on exploiting human rather than computer weaknesses — is one of the less sophisticated but more effective and more pervasive means of entering somebody’s system right now. Find an e-mail that you believe somebody would open, find out a bit more about them, send that e-mail to them, and see if you can get them to click on a link.

The social engineering aspect is just one of the more difficult things to manage, from an organizational standpoint, because people like to click on things, they seem to like to trust other people.

Well, trust is inherent in the Internet, it’s one of the reasons it’s such a great communication medium. Social networking site users fall victim to the schemes due to the higher level of trust typically displayed on such sites. Users often accept into their private sites people they do not actually know or sometimes fail to properly set privacy settings on their profile.

Individuals can misrepresent everything about themselves online, including gender, age, and location. One recent fraud scheme involves hacking into e-mail or social networking accounts to send messages to the users’ friends — “I’m stranded in Paris, somebody broke into my hotel room, I need $3,000 now” — and to ask the friends to wire money to an overseas account.

In the Robin Sage incident publicized last year, a security consultant created a fake profile on several social networking sites, posing as an attractive female intelligence analyst. He sent out about 300 friend invitations, mostly to government contractors, military, and other government personnel and got many good responses, including from several high-level government officials and a member of the military, who sent a photo of himself on patrol in Afghanistan that contained embedded data identifying his exact location. The consultant was seeking to make people understand that this is really a concern. But if it had been taken in another direction, it could have been the adversary knowing exactly where the patrol was or maybe their habits, and being able to target them.

There’s always a bricks and mortar analogy: you wouldn’t put a big sign on your front lawn advertising that you will be away, that your house will be vacant. Yet, on your social networking page, you say, “Hey, I’m taking off to Europe for two weeks. We’re going to have a great time, we won’t be back for a while.”
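The location data in the patrol photo described above is the kind of thing a photograph’s Exif metadata carries. As an added illustration for this page (editorial example code, not from the interview, the FBI, or Verizon), the Python below builds a constructed, minimal JPEG skeleton that carries an Exif GPS IFD, reads the coordinates back out of it, and strips the APP1 segment so the file can be posted without them. The coordinates and the fixed byte layout are constructed for the example; a real photograph carries many more tags and the image data itself, but the parsing path through the APP1 segment, the TIFF header, IFD0 and the GPS IFD is the same.

```python
import struct

# Exif tag numbers (from the Exif specification) used by this example.
GPS_IFD_POINTER = 0x8825
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed sample: SOI + Exif APP1 (with a GPS IFD) + EOI, no image data.
    Big-endian ("MM") TIFF; all offsets are relative to the TIFF header.
    lat_dms/lon_dms are three (numerator, denominator) pairs: degrees, minutes, seconds;
    lat_ref/lon_ref are single letters N/S and E/W."""
    gps_ifd_off, lat_off, lon_off = 26, 80, 104      # hard-coded layout, checked below
    tiff = b"MM" + struct.pack(">HI", 42, 8)         # byte order, magic 42, IFD0 offset
    tiff += struct.pack(">H", 1)                       # IFD0: one entry
    tiff += struct.pack(">HHII", GPS_IFD_POINTER, TYPE_LONG, 1, gps_ifd_off)
    tiff += struct.pack(">I", 0)                       # no next IFD
    tiff += struct.pack(">H", 4)                       # GPS IFD: four entries
    # ASCII values of four bytes or fewer live inline in the value field, left-justified.
    tiff += struct.pack(">HHI", TAG_LAT_REF, TYPE_ASCII, 2) + lat_ref.encode() + b"\x00" * 3
    tiff += struct.pack(">HHII", TAG_LAT, TYPE_RATIONAL, 3, lat_off)
    tiff += struct.pack(">HHI", TAG_LON_REF, TYPE_ASCII, 2) + lon_ref.encode() + b"\x00" * 3
    tiff += struct.pack(">HHII", TAG_LON, TYPE_RATIONAL, 3, lon_off)
    tiff += struct.pack(">I", 0)
    assert len(tiff) == lat_off, "IFD layout does not match the hard-coded offsets"
    for num, den in list(lat_dms) + list(lon_dms):     # 6 RATIONALs, 8 bytes each
        tiff += struct.pack(">II", num, den)
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def iter_segments(data):
    """Yield (marker, start, end) for each JPEG marker segment before SOS/EOI."""
    pos = 2                                            # skip SOI (FF D8)
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):                     # EOI or SOS: metadata is over
            break
        if pos + 4 > len(data):
            raise ValueError("truncated segment header at offset %d" % pos)
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # includes the 2 length bytes
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _read_ifd(tiff, order, offset):
    """Return {tag: (type, count, raw 4-byte value field)} for the IFD at offset."""
    (n,) = struct.unpack(order + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(order + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries


def _rationals(tiff, order, count, value_field):
    """RATIONAL values never fit in 4 bytes, so the value field holds an offset."""
    (off,) = struct.unpack(order + "I", value_field)
    vals = []
    for i in range(count):
        num, den = struct.unpack(order + "II", tiff[off + 8 * i:off + 8 * i + 8])
        vals.append(num / den if den else 0.0)
    return vals


def find_gps(data):
    """Return (latitude, longitude) in decimal degrees from the Exif GPS IFD, or None."""
    for marker, start, end in iter_segments(data):
        if marker != 0xE1 or data[start + 4:start + 10] != b"Exif\x00\x00":
            continue                                   # APP1 is also used for XMP
        tiff = data[start + 10:end]
        order = ">" if tiff[:2] == b"MM" else "<"
        (ifd0_off,) = struct.unpack(order + "I", tiff[4:8])
        ifd0 = _read_ifd(tiff, order, ifd0_off)
        if GPS_IFD_POINTER not in ifd0:
            return None
        (gps_off,) = struct.unpack(order + "I", ifd0[GPS_IFD_POINTER][2])
        gps = _read_ifd(tiff, order, gps_off)
        if any(t not in gps for t in (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)):
            return None
        d, m, s = _rationals(tiff, order, 3, gps[TAG_LAT][2])
        lat = d + m / 60 + s / 3600
        d, m, s = _rationals(tiff, order, 3, gps[TAG_LON][2])
        lon = d + m / 60 + s / 3600
        if gps[TAG_LAT_REF][2][:1] == b"S":
            lat = -lat
        if gps[TAG_LON_REF][2][:1] == b"W":
            lon = -lon
        return lat, lon
    return None


def strip_exif(data):
    """Return a copy of the JPEG with every APP1 segment (Exif, XMP) removed."""
    out, last = [data[:2]], 2
    for marker, start, end in iter_segments(data):
        if marker == 0xE1:
            out.append(data[last:start])
            last = end
    out.append(data[last:])
    return b"".join(out)


if __name__ == "__main__":
    photo = build_sample_jpeg([(34, 1), (31, 1), (0, 1)], "N", [(69, 1), (10, 1), (30, 1)], "E")
    print("GPS in sample:", find_gps(photo))
    print("GPS after strip:", find_gps(strip_exif(photo)))
```

Stripping APP1 removes the GPS block together with everything else Exif carries (camera serial number, timestamps, thumbnail); that is the safe default before anything is posted publicly. Many sites re-encode uploads and drop this metadata themselves, but the original file sent by e-mail or messaging app keeps it, which is the path the patrol photo took.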

Mining the Internet for information on people is getting easier all the time, especially when we seem to be putting more of our lives up for public view, especially the younger generation. I think this is one of these trends we have to address in cybersecurity. I’m not a huge social networker, and I try to remember that it’s not a private medium. A lot of people think: “so I log in, anything I say there is private.” That’s just not the case. There’s a chance that (due to security holes) it may all become public.

Social networking sites, as well as corporate websites in general, provide criminals with enormous amounts of information to use in e-mails to individual targets who have shown interest in specific subjects. The personal and detailed nature of the information in the fraudster’s e-mail erodes the victim’s sense of caution, leading them to click on links which contain malicious software designed to give the sender control over the victim’s entire computer.

I would love to say to everybody that social networking is a huge security concern, but it would be hard for any organization not to use it. Organizations need to be in the media, they need to get their message out, whatever organization it is, including the U.S. government. Many people don’t have social networking web pages, but many people will — it’ll be something that’s just normal, like having a telephone number.

I think the better message is: make sure you understand the risk. Understand privacy controls and what you’re sharing. Somebody going through college right now doesn’t want their credit score ruined or their information stolen. When they get out of college, they don’t want to be fighting identity theft while looking for a job and trying to pay college bills.

How do businesses go about managing this problem? There are lots of technical solutions, but I think our biggest problem is in applying them — making business decisions on how to use them to improve security. You work with businesses on investigations; what are their most common mistakes?

There has to be a cultural shift on how we view security. Traditionally, security has just been an expense that has decreased the bottom line. Also, because of a lack of understanding of what the threat is, many businesses are solving a problem that innovation has already surpassed, when they apply additional security solutions.

If we know there’s no such thing as a secure system, that we’re going to get hacked, and we may not even know that we’re hacked, that we have to prepare for critical information, networks and processes being unavailable — we have to get to a zone where we manage information more than we manage systems and hardware. Coca-Cola’s formula is safe. Because it’s probably in a safe — on a piece of paper, not accessed by a network.

After 9/11, we watched the whole world try to evaluate the risks terrorism presented, a lot of people asking, “how do I protect my business, my home, my livelihood?” A lot of “what ifs,” a lot of good preparedness exercises. I don’t think we do that now in cybersecurity. There are many exercises, but they’re not an ingrained risk process.

Many of the most important things a business can do look obvious. They really need to see if good security procedures and practices are in place. Many times, we find out they’re not doing normal network hygiene. They’re not updating, they’re not patching, and even if they do or think they’re doing it correctly, they don’t understand their network architecture, their domain.

I always tell businesses that they need to understand their risk and their domain and then decide what they need to solve for that risk. And what is risk? The threat times the vulnerabilities times the consequence. And if you can move any of those variables to zero, then you can move risk to zero. I don’t think the threats are going to disappear anytime soon, and the vulnerabilities are numerous. If we can’t bring threat and vulnerability to zero, then what is the impact of the consequences? It has to be a multifaceted approach, using risk analysis.

For the Pamplin school, a point that’s very critical is that for any person that’s going to run a business or be responsible for information or for their company, to keep it a going concern, it’s essential that they understand cybersecurity and what their risks are: what are their threats, vulnerabilities, and consequences of cyber intrusion on their entity and everything they’ve built.

To truly understand how every facet of the education you are pursuing is integral to and strengthens the businesses you work for or will work in, you have to understand that cybersecurity is not only an organizational responsibility, it is the responsibility of each individual in the organization.


Reducing cyber threats

Cyber threats reach into many areas of organizational and private life. Gordon Snow and the FBI cyber division have identified four objectives in reducing these threats. Each is described below, with links to recent coverage: stopping the spread of malicious code, thwarting online sexual predators, protecting U.S. intellectual property, and dismantling national and transnational criminal enterprises.


1. Stop individuals, groups, and foreign powers behind the most serious computer intrusions and spread of malicious code.

Recent news about intrusions and malicious code includes reports on Google’s charges that hackers in China infiltrated the Gmail accounts of U.S. government officials and Chinese activists; the threats by the hacker group Anonymous to take down the New York Stock Exchange with a denial-of-service attack; and a shift in hackers’ focus toward small firms, which are easier targets than large corporations.

Beijing Fires Back at Google

Anonymous Hack Attack on NYSE: Will They or Won’t They?

Hackers Shift Attacks to Small Firms


2. Identify and thwart online sexual predators or groups that sexually exploit children for personal or financial gain.

Law enforcement agencies all over the country and world have been busy in recent years catching and prosecuting individuals or groups that prey on or sexually exploit children online. In August of this year, the Department of Homeland Security began one of the largest take-downs of individuals associated with an online community responsible for producing and distributing graphic images of child sexual abuse all over the world. This is in addition to the hundreds of arrests local law enforcement agencies have made of individuals committing similar crimes in their areas.

Attorney General Announces Largest U.S. Prosecution Of Online Child Porn Community

Authorities File New Charges Against Suspected Online Child Predator

A Parent’s Guide to Internet Safety


3. Counteract operations that target U.S. intellectual property.

U.S. government sources estimate that approximately $300 billion of U.S. intellectual property is stolen annually. That’s out of a total value of about $5 trillion. News reports have identified China as one of the biggest offenders, and U.S. legislators and law enforcement officials are taking action.

The Real Problem with China

Geithner Blasts China’s Rampant Intellectual Property Theft


4. Dismantle national and transnational criminal enterprises engaging in Internet fraud.

We’ve heard about the spam e-mail from a close friend trapped somewhere in Europe who only needs $1,500 to get back home, or the letter from the Nigerian prince who has decided to bequeath his fortune to us, if only we wire him $500 to start the process. While many of us may now be familiar with these types of traps and know to avoid them, cyber criminals are coming up with new ways every day to trick us into giving our money to them. From stealing a child’s identity to initiating bogus merchandise transactions to creating doppelganger domains, cyberscammers collect billions of dollars through their efforts.

Low-tech Internet scams harvest billions of dollars

Missing Dot in Email Address Could Be a Costly Mistake

As Kids Go Online, Identity Theft Claims More Victims
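The “missing dot” and doppelganger domains mentioned above work because a recipient address like user@usexample.com reads, at a glance, like user@us.example.com. As an added editorial example (not from the article, the FBI, or the linked reports), the Python below shows the check an outbound mail gateway could make: given an organization’s own subdomains, it enumerates the lookalikes formed by dropping a single dot, then holds any message addressed to one of them or to a subdomain of one. The domain names and the log lines are constructed for the example.

```python
import re

# Constructed sample data for the example: an organization's legitimate mail domains
# and a few "sender recipient" log lines (not real organizations or messages).
LEGIT_DOMAINS = ["us.example.com", "eu.example.com", "mail.corp.example.com"]
SAMPLE_LOG = [
    "alice@us.example.com bob@eu.example.com",          # fine
    "alice@us.example.com bob@euexample.com",           # dot dropped: eu.example.com
    "carol@eu.example.com dave@mailcorp.example.com",   # dot dropped: mail.corp.example.com
    "carol@eu.example.com erin@smtp.usexample.com",     # subdomain of a doppelganger
    "frank@us.example.com partner@example.org",         # unrelated domain, fine
]


def doppelganger_domains(domain):
    """Return the domains obtained by dropping exactly one dot from a legitimate
    subdomain, e.g. us.example.com -> {usexample.com}. The final dot (before the
    top-level domain) is never dropped: 'examplecom' is not a registrable name."""
    labels = domain.lower().strip(".").split(".")
    variants = set()
    for i in range(len(labels) - 2):
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        variants.add(".".join(merged))
    return variants


def build_watchlist(legit_domains):
    """Map every doppelganger to the legitimate domain it would be mistaken for."""
    watch = {}
    for legit in legit_domains:
        for lookalike in doppelganger_domains(legit):
            watch[lookalike] = legit.lower()
    return watch


def recipient_domain(address):
    """Domain part of an address, tolerating the 'Name <user@host>' form; None if malformed."""
    m = re.search(r"<([^>]+)>", address)
    addr = m.group(1) if m else address
    if addr.count("@") != 1:
        return None
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")


def check_recipient(address, watchlist):
    """Return the legitimate domain being impersonated, or None when the recipient
    domain is neither a doppelganger nor a subdomain of one."""
    dom = recipient_domain(address)
    if dom is None:
        return None
    for suspect, legit in watchlist.items():
        if dom == suspect or dom.endswith("." + suspect):
            return legit
    return None


def scan_outbound(log_lines, watchlist):
    """Run the check over 'sender recipient' log lines and return
    [(recipient, impersonated_domain), ...] for the messages that should be held."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 2:
            continue                      # ignore lines that are not in the expected shape
        recipient = parts[1]
        legit = check_recipient(recipient, watchlist)
        if legit:
            flagged.append((recipient, legit))
    return flagged


if __name__ == "__main__":
    watch = build_watchlist(LEGIT_DOMAINS)
    for recipient, legit in scan_outbound(SAMPLE_LOG, watch):
        print("HOLD %s (looks like %s)" % (recipient, legit))
```

The same watchlist is worth registering defensively where it is cheap and feeding into DNS logs and proxy logs as well as mail: a resolution of a name on the list from inside the network is an early sign that someone has already typed the address wrong, or been sent it. This generator covers only the missing-dot family the linked report describes; transposed letters, homoglyphs and extra-hyphen variants need their own generators.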

