There’s always risk when using technology, but your perception of the exposure will determine how active you are at minimizing the danger. Today’s guest is Stephen Cobb. Stephen is a best-selling author and award-winning technologist with over 30 years of experience in digital security and data privacy. He has authored more than a dozen textbooks on PC and LAN security as well as software usage. As a CISSP since 1996, he co-founded two successful security startups and earned a Master’s in security and risk management. Stephen now researches harm caused by the abuse of digital technology.
“Is the amount of security that we are achieving growing relative to the use and diversity of technology?” - Stephen Cobb
- [1:02] – Stephen shares his background and how he wound up in the world of cyber security.
- [3:17] – In the earlier days of his career, he learned the niche of the risks of technology.
- [6:13] – Privacy violations were becoming a HIPAA category.
- [9:14] – Stephen shares more about the companies he worked for and his experience in cyber security.
- [10:44] – Stephen continues researching risk perception.
- [12:01] – Understanding the limits of technology and human behavior has helped guide his research.
- [13:02] – COVID was a very eye-opening experience in that it revealed who was willing to exploit and who was willing to come together.
- [14:26] – The new ideas of solving problems are coming out of smaller companies.
- [15:41] – Growth of security is evolving but is it keeping up with the use and diversity of technology?
- [17:23] – Different countries have a different approach to tracking cyber crime.
- [19:05] – The data isn’t accurate as much cyber crime goes unreported.
- [20:23] – Stephen believes the amount of monetary loss from cyber crime can be doubled in individual wellbeing.
- [21:41] – The effect of being targeted has led to health problems.
- [24:30] – Some countries are doing a better job cracking down on cyber crime, but many kinds of scams, particularly romance scams, continue to go unreported.
- [25:50] – Cryptocurrency has been abused since its onset.
- [26:51] – Tech support scams are also going strong.
- [27:25] – Crypto scams are cumulative. They don’t replace a scam, they add to existing ones.
- [31:48] – People aren’t thinking about what a mess that malware will create in upcoming technology.
- [34:08] – Cyber crime is now organized crime.
- [37:04] – Stephen describes his experience showing NPR the industry of the Dark Web.
- [38:52] – People continue to be shocked and amazed by how organized the industry of cyber crime is.
- [40:10] – There has been a drop in enthusiasm and trust in technology companies from the general public.
- [44:10] – When we push technology on people who do not have a lot of experience with it, security becomes complicated and it becomes an ethical dilemma.
- [46:39] – Nothing has been done to make these ethical issues become morally reprimanded.
- [48:10] – Cyber crime is a huge challenge that is a relatively recent phenomenon.
- [50:40] – Although foreign scammers cannot be arrested in your country, Stephen still thinks they should be sought after.
- [52:08] – We need growing economies and full employment in all countries.
Stephen, thank you so much for coming on The Easy Prey Podcast today.
Great to be here, Chris.
Can you give me and the audience a little bit of background on how you got involved in cybersecurity and what makes you tick?
At one point, I was going to write a novel or an autobiography along the lines of my life as a series of scams because I somehow encountered the tendency of humans to do bad things in a deceptive way quite early on in life. When I got involved in computers in the late '70s and early '80s, I actually came across a number of fraudulent activities early on.
When I was teaching people how to use computers, somebody who had been a pupil came to me to help with a stolen computer. That really got me thinking about the impact of having this one IBM PC in a one-person office, but it caused a lot of problems that somebody stole it. I started thinking about security and I had the opportunity. I was writing textbooks about computers, how to use 1-2-3, and how to use Quattro Pro.
I had an opportunity to write a book about security. I was selling tens of thousands of these books on how to use popular pieces of software. But I thought security in terms of PC and local area network security, there would be way more people interested in that because it wasn't one specific technology. I was really wrong.
I had sold like 80,000 copies of Using Quattro Pro. This book I did on security, the badly named Stephen Cobb Complete Book of PC and LAN Security, which was the publisher's choice, not mine. It sold 3000 or 4000 copies, but it was the 3000 or 4000 other people in the world who in 1991, 1992, were interested in security.
I met a lot of people. I started doing consulting engagements and really found a fascinating niche at the time, which is thinking about the risks of using the technology. My wife got involved. We were both working on antivirus testing, firewall testing in the early days when firewalls started. I spoke at the first firewall conference.
One of the things that appealed to me was the fact that it was a never-ending subject. I didn't have an educational background in security. They didn't have a computer at my school. I'm that old.
Actually, I don't know if many people remember this, but in the '60s and '70s, computers, which were mainframes, were often thought of in a negative light. There were student protests at Berkeley about using computers. It was only when the personal computer came along that I got interested in it. You could clearly see how empowering it was and what great benefits there would be, but then you started to see there was a downside too.
There were disadvantages and risks that came in as this technology spread. Particularly, when you connected two computers together, you more than doubled the risk because still the core of network security is sharing some things with some people but not all the things with everybody. How you do that is a never-ending challenge as the sharing capabilities and the connections expand.
I got involved with some people consulting in security. We started a firm, which was acquired towards the end of the '90s. We started another firm, which we called a privacy company because we had a non-compete when it came to security. We did a lot of work and it was very fortuitous.
We did a lot of work on the spam problem, framing that in a way as theft of resources. We also did a lot of training, and the training side of things was always my focus—offering training courses, privacy training, at the time when the HIPAA was coming in. Both my wife and I did training of privacy people in security because that was very interesting.
The people who were put in charge of privacy—companies started to have chief privacy officers. When chief privacy officers started to happen, they would go to IT and say, “We need to do this and we need to segregate that.” And IT would say, “Oh, we can't do it.” I had classes where that came up.
It was explaining to privacy people what you could and couldn't do with computer security, and also sensitizing security people to these new challenges in privacy. HIPAA created this new risk category, which was a liability to the company or the organization for privacy violations.
The privacy company, we sold that as well. Then in 2011, I got this call from ESET to work in security there as initially a security evangelist was my title. That never really took off. Microsoft sort of diluted the evangelists term, because they applied it to all these marketing positions.
My job at ESET—bless them—was to talk about security without pushing the product. I was required to do vendor-neutral work, even though it was ESET footing the bill. I did quite a lot of awareness work, and then I had a small research team not doing malware reversing. ESET has brilliant malware reversers in Canada, Poland, and, obviously, Slovakia as well.
Our job was to look at emerging threats, and then in terms of malicious code, explain the implications of new discoveries. At one point, ESET uncovered a huge Linux malware network. That was difficult for organizations that were using Linux to get their head around. It was Linux malware exploiting their systems.
I was fortunate to have some really clever people on my team. We took part in a project at ESET called WeLiveSecurity, which is a standalone blog. My team was quite instrumental in setting that up and setting the ground rules there as a way to share ESET research—even the very, very technical stuff, but also provide practical advice across the board.
When the Target credit card hack happened, I think less on our team had the first article on what to do if your Target card was hacked, or what to do if you got a Target card. That was a pivotal event, because one of the other things that I did while I was working at ESET was involved in CompTIA, which is a fantastic organization.
You could do a whole program on what CompTIA does because it does a lot of stuff. But apart from the computer skill and security training that it does, it has a lobby and public policy side to it. Every year, they have a fly-in in February where you go and talk to Congress about matters of technology. Obviously, my side of it was the security side.
I was in Washington the February after the Target hack. Staffers for Congress people were running around trying to find out information. A lot of the questions were, “Well, will chip and PIN solve the problem?” Of course, they were being told by banks that chip and PIN would solve the problem.
I said, “Well, is this thing called crime displacement and it will change the problem? It won't solve the problem?” “No.” I just got further and further with ESET support in researching why we have these security problems that we have. I actually went back to school. I got a master's degree in security and risk management.
In 2016, I was able to do some original research on risk perception to try and understand why some people don't get the risk. There are some very interesting explanations for that. It was clear that you can have a really good security product. Not to be vendor-specific, but ESET is a very good security product, yet ESET has a support line.
I would be talking to people sometimes and they go, “Well, what's the support line for?” And I say, “Well, sometimes customers will call us and say, ‘We've got a virus or we've got malicious code.’” “You could tell people that. You're supposed to be securing.” You go, “Well, yeah.” It was never that case, really, that I knew that the security product failed. The use of the security product was not as it should be.
A classic would be, “Oh, well, we didn't have the security software in that department. Those computers—we hadn't put it on there yet or they were turned off to do an upgrade on a piece of software. We never turned them back on.” Understanding what the limits of the technology were and, clearly, human behavior then becomes a very big issue.
Since becoming semi-retired or a full-time independent researcher, I've gone further in that direction looking at human behavior as it relates to technology, and trying to explain to people the scale of the problem of malicious abuse of technology, which is now part of the global technology. It's part of technology.
COVID was so revealing in that sense. Here's a situation where the world as a whole needs to come together to solve a problem. In some ways, it did. To some extent, in certain ways, the world did work together. But also, we saw there were a lot of people prepared to exploit the pandemic for malicious and selfish reasons.
That really was very disappointing, but it also strengthened my argument that solving security is really a human behavior problem and a moral, ethical problem. If you were to halve the number of people who were prepared to abuse technology for malicious and selfish purposes, security would become more than half as easy as it is.
What you could see dealing with customers, if you're assigning security software, was this sense of being overwhelmed, whether if they were a smaller organization, they were struggling with a lack of resources. But even larger organizations were struggling with a lack of resources relative to the complexity of the problem. You have this problem in security where the new ideas or the new ways of solving security problems come out of small companies with independent products.
The people who are doing security for an organization are always using numerous products. There's always juggling and a struggle with that. The smaller companies get acquired. We had two of those that we made that got acquired. The acquisition of a unifying of the tools never gets completed because you have more and more new technology coming along.
There's an interesting study. Is the amount of security that we're achieving growing relative to the use of technology and the diversity of technology? If you look at the statistics, and we've just recently had the latest numbers from the FBI from the IC3, the Internet Crime Complaint Center, they show this hockey stick growth in losses to internet crime. Knowing how much internet crime, how much cyber crime there was, was very important.
Fortunately, I was able, at ESET, to do a lot of research on that. On the one hand, the world hasn't done and still isn't doing a very good job in quantifying the amount of crime there is. But that hockey stick, that's real. That rings true with all the other information.
I had this big argument for a long time that there had to be independent stats on cybercrime because companies like ESET and a lot of other computer security companies would do a study of how much crime there was and how many breaches there were. But when you cite that to politicians, when I started to get involved in the public policy side of things, they're just inflating the numbers to sell their product.
Frankly, that got insulting, and ESET is not the only company that has very responsible attitudes to these things, and yet the government itself wouldn't do the numbers. The US government gave up on trying to measure cybercrime. The UK government has done a somewhat better job, and the Canadian government has been doing a decent job, relatively speaking.
I wrote a whole paper, a journal article on the problem. The only good news is that we don't actually do a good job counting regular crime. Sadly, once you start looking at crime statistics, you start to see all sorts of holes. Obviously, criminologists will say there's always this dark figure of unreported crime.
I think that if you look at the IC3 statistics over time, they're a pretty good barometer. There are individuals and groups of individuals who are diligently exploiting both technical vulnerabilities and human vulnerabilities to make money, and lots and lots of money.
We're looking with the latest stats—was it $6 billion?
Yeah, $6.9 billion.
$6.9 billion and that was for 2021, or is that for a quarter and 2021?
That number gets its power from the fact it's fairly consistently reported over time by the IC3. I've got a chart that starts out in 2011. It was half a billion in 2011, and now it's at seven. Those are losses that have been checked.
You've got the stuff that's not reported. This has become one of my most recent concerns and biggest concerns. You have harm from crime, which isn't a measurable financial loss. Particularly, things that have happened during the pandemic, I've encountered people who've been targeted by fraud.
They've had a message that was seeking bank account information and they've started to fall for it to the point where they've had to call their bank or the banks had to claw money back to where they are then not a cybercrime statistic in the sense that a crime was carried all the way through.
There's a study that's just come out here in the UK. They reckon that the social and psychological harms in the UK annually are like 9 billion, and that's in pounds. I think you could easily double the 46.9 billion in actual losses in terms of psychological losses and health care losses.
An interesting thing that happens here in the UK because there is a national health system. We won't get into the politics of a national health system, but it does give this opportunity to see health in terms of individual well-being. Certainly, one part of your National Health Service is looking at what causes people to come to the doctor because somebody going to the doctor is a cost. How can we reduce that cost?
We don't want to discourage them from going to the doctor because then, that's not good for health, but why are people getting sick? There was a project done not too far from where I live where the health service provided funds to reduce fraud targeting the elderly and the council district.
It was really interesting. The effect, particularly on older people, of being targeted leads to more hospitalization, more health problems. If I had a budget to do some research, I think that's one of the things I would try and quantify that because certainly around privacy in America, you had this problem where it's still this problem where people say, they get a notice, “Your personal information has been compromised.” They're angry about it and they're upset by it, but they have no recourse because the case will be thrown out. They have no standing because they can show no financial loss.
I got quite involved in that because there have been one or two cases in Canada where a common law tort has been used. There have been some claims settled where a company had to pay in a breach of privacy for upsetting the person. If there was a case in America where a lawyer got victims of data theft compensated for the stress they suffered, that would really change a lot of things.
There was actually a gentleman that I worked with in San Diego about five years ago who got hit by the income tax filing scam where you go, and it's coming up fairly soon now, April 15th or actually, the 18th this year. He filed a tax return for his family and, oh no, “Your tax return has already been filed and your refund went to so and so.”
Of course, it wasn't his refund. That's kind of a misnomer. It got sorted out, but he was really shaken by it. All credit to him, he did an interview for us with the local news on the impact that it caused. You do have this loss of confidence in yourself and in institutions as well because even if you got the money back, you feel bad. There are many good reasons for countries doing a better job of cracking down on cybercrime.
It's particularly true of romance types of scams. They very seldom get reported because of the stigma and the embarrassment. They're like, “Well, I don't want people to think badly of me.” They have all this pent-up distrust of people of, “God, how do I know who I should and shouldn't trust because of this one great example in my life where I trusted someone and I was taken advantage of?” It comes back to your human issue versus a technology issue. One is not going to solve the other.
Right. Actually, I noticed in the IC3 report they highlighted a trend of romance scams and crypto scams. If you ever wanted a case study to prove that technology, whatever its benefits, always comes with a lot of disadvantages and downsides is crypto. Never in human history has technology been so heavily attacked and abused right from day one.
What they were seeing in the reports coming into the Internet Crime Complaint Center was romance scams leading to fraudulent investments in crypto. You've got somebody's confidence. How are you going to get money out of them?
Traditionally, it's been, “Well, I need help. I've lost my passport. I'm trapped in a country. I'm trying to get money from that in a sympathy play on romance.” This is an opportunity to play where somebody's talking up. “If you just put $5000 into this, in months, it'll be worth lots more. You just can't miss out on this.”
Crypto scams on their own as a category are huge now, but romance is continuing to be a problem. Tech support scams are still going strong. One of the things that I tried to do a few years ago was to try and pull together broad lessons I've learned about security. One of them is that it's cumulative. Threats are cumulative and the challenges are cumulative.
We’ve still got romance scams. Crypto scams are new, but they don't replace those. They build on top of them. There was this recent arrest of teenagers doing ransomware and people are like, “Oh, it's kids in basements again.” Actually, they were in England. We don't have many basements here. They're in the attic.
The teenager threat never went away. You would see this, whether it's the evolution of malware or the evolution of threats and threat actors. You've still got teenagers trying to have fun in a very misguided way, and you've still got organized criminal groups. You've got more and more state actor groups, which 20 years ago, wasn't a problem. The threats build and then the threat vectors build.
Bluetooth didn't use to be a problem. USB didn't use to be a problem. Everything that comes along, is eventually abused. I've written a little bit about things that I think will be abused. Just as I was winding down my work at ESET, the abusive building systems automation started to show up in some cases there.
It's still not widespread, I don't think. But I called that siegeware. I thought that was good. It locks you out of your building. And then what I call jackware, which is hacking the electronics in the car, bricking the car until a ransom is paid, so the merging of ransomware and the vehicle.
Also, in the self-driving car, taking over the self-driving car and kidnapping people. For all that, you can say, “Oh, that'll never happen.” Or people say, “Well, we haven't seen that yet.” It's like, “No, just wait.” It may never happen if we don't cut out ransomware on regular systems using people's poorly configured services.
This is a thing that comes around a lot for researchers. Somebody will find a vulnerability. They'll say, “Look, this is really important or a potential attack vector.” People say, “Well, that's unlikely.” All they want to know is how likely it is. That depends on how we do on the other things. Criminals do not typically invest a lot more effort than they need to in anything.
My feeling certainly around building systems takeovers is that an easy way of monetizing that is not turned up. In one case I know, the company survived it. They said, “No, we're not going to pay you.” They did some fancy footwork and they had actually good backup systems.
Actually, one of the things that you would find in physical attacks is that in certain sectors anyway, physical security has been more what-do-we-do-if oriented than apps and other more ephemeral digital stuff.
The amount of cybercrime that's going on is depressing. It is not factored into forward-thinking to the extent it should be. If I had one concern at this point, it's that whether it's AI, whether it's planning for the next pandemic or self-driving vehicles, people aren't thinking about what a mess malware could make at that.
I tried to get people talking about the malware factor. If you look at AI, AI is made of chips, code, and data. The chips and code can certainly be hacked. I would have to say this: Artificial intelligence is getting a lot more scrutiny than it did, a lot more than some other technologies.
A lot of times, when people talk about AI abuse, they're looking at the data set, following the AI, and things like that. It's like, “Well, yeah, but what if I brick the server and you're using it for real-time analysis of something critical?”
Real-time market trading.
Or in a health-screening situation. I know this from experience. Scans are being analyzed by pathologists. There's a massive shortage of pathologists, a big push to have systems scan them and can do a very good job, apparently, on some scans.
You've got your AI scanning something medical and then you can't. There's a ransomware opportunity, but the people doing AI and people predicting how much good stuff will come out of AI are looking at the problems it will bring.
I have a question about that. I'm going to frame it from a conversation that I had with Lisa Plaggemier over at the National Cybersecurity Alliance. She referenced this concept. She wants to do this campaign of no more guys in hoodies when we talk about hackers because this builds this perception that, “Well, they're just some little fringe guys in their mom's basements.” When reality is, that's a part of it, but it's now big business. It's now organized crime.
They've got playbooks, systems, malware-incorporated, tech support scam-incorporated. The vast majority are not individuals just happenstance coming across something. When we were younger, kids were just going, “Oh, hey, look, I got into this.” But this has no business because of the money involved. She's right that we still have a lot of this view of this as just kids playing around. It's not a serious threat, but I think it is much more problematic than that.
One of the first things I did when I got to ESET in 2011 was thinking of ways to picture that. I actually came up with it. I had the graphics people make this poster and it was malware-incorporated. It was a series of gears in which the inputs were grinding up personal stolen information, and out were coming luxury vacations and Lamborghinis.
I spent quite a lot of time developing slide sets and doing awareness to business groups and organizations around this reality, but the hoodies wouldn't go away. We, security people, particularly malware people, can be sometimes more discerning than they need to or more accurate than they need to.
To your point, there are still people in hoodies. They haven't completely gone away. There is a lot of organized crime, but it's not like the mafia. It doesn't organize quite the same way. Actually, at one point, I had a slide. It was sort of an MBA slide about the way that cybercrime uses division of labor, uses marketing techniques, and uses the marketplace.
Some of the most efficient markets have been the dark markets, the dark web. At one point, I did a piece with Kai Ryssdal at NPR on exploring the dark web. It was great because, at one point, I was taking him through different websites and pages. He goes, “Well, this is like an industry.” I'm like, “Yes.”
From a criminological point of view, this is very significant, in a way. It has a division of labor, which enables a lot of the people who are inputs to the crime to distance themselves from it. There are some people who specialize in breaking into systems and breaking into companies.
I just broke in, but I didn't take anything.
Yeah, and they can sell that. Then there are people who are writing various parts of the malicious code, the encryption piece, the command and control piece. Stuff is broken out into different pieces. You sell them today, we'll suffer a malicious code attack, where it was done right from the beginning by one person all the way through.
The first piece of ransomware back in the day was the kind of crazy AIDS disk he made himself and mailed out. But now, you get this from there and this from there or you just essentially invest in ransomware as a service.
Every time I used visual aids to show how developed, industrialized, and business-like parts of cybercrime had become, people were shocked and amazed. But it still lingers in some people's minds as a fringe problem. This is something I've struggled with: How to get people to realize that abusive code and abusive systems is part of life.
There's a malware infrastructure. It's a parallel infrastructure, which attacks parts of our actual real digital infrastructure. Infected apps are classic examples. You get an app with malicious code into an app store—Apple or Google—and you can get a whole bunch of downloads before it gets caught.
One of the ways I tried to get people's attention, certainly from a policy point of view, was what damage that does to technology. There's definitely been, in the last five years, a drop in enthusiasm or trust for technology companies in the general public. There are always areas of keenness. Teslas are great, space exploration is great, blockchain is great, and NFTs are amazing.
The average person, as they say, is a lot less keen on technology, in many ways. I had an ongoing saga helping my mom use her online banking. In the two years that we've been working with this, as the interface changes on a regular basis, we wrote out a list of what to do. It's a ridiculous list. It's what Bruce Schneier would call a security theater. It's the steps you have to go through to get into your account, which keep changing.
This is a lady who's got two sons and a daughter-in-law who are CISSPs. She proofread one edition to my security book. She's like, “I'm not going to use it anymore.” In fact, she has a credit card she doesn't use because getting to the website to see what's going on with it just became a pain.
We've got an interesting thing going on locally in quite a few British cities: a big push to get fiber to the house, which means all the streets get dug up and our old paving stones replaced by tarmac as they go through. Then another company goes through because we're a private enterprise country now. Virgin fiber comes through and then BT fiber comes through.
I have a feeling the uptake is not anywhere near what people were hoping for. In fact, I had communication—I won't name it—from one fiber company. The language of which was like, “Please try us. You’ll love it.” If you do the bus stop poll of the senior citizens waiting for the first free bus of the morning, which comes after 9:30, a lot of them don't have it. There are some who've got it but don't use it much because it's slow. They've not been sold on upgrading it.
You go through the last two years, where just about every kind of way to scam a person on their mobile phone or over the internet has happened, text messages or voice. You start to wonder, “Well, could I recommend it to somebody?”
Something I've gotten involved in since moving back to Coventry is the carer community. In America, the word would be caregiver. People who are looking after somebody, a friend or a loved one, a family member, but not in a paid capacity. There's clearly a lot of good stuff that you can do online in supporting carers, but there are some who aren't online.
To say to somebody, “Well, it would be great if you could get online. You’d be able to access these resources.” But they don't have much history with technology. It starts to become an ethical dilemma. Security has become much more complicated. “Type in this, put your finger here, but don't press too hard. Now, take this number and add it to that number. What's the second digit of your secret number, which you didn't choose?”
You've got that and then you've got the fact that some of the scams are very convincing. The FBI numbers—IC3 numbers showed a big increase in email accounts compromised, not just business email accounts, but personal email accounts. I saw several cases of that in the last year where somebody had received a message from a friend. “Could you do this for me?” They nearly did.
“Could you send £300 in Google Play cards to my niece in Australia? It's her birthday and I'm in the hospital.” Literally, the person who received that has had heart problems. “But wait a minute, if he's in the hospital, I would have heard about it from church. No, but he's a very private person and he does have a daughter in Australia.”
If somebody is in an individual's email account, they can send out messages, which are very convincing and play upon the kindness of friends, someone who's eager to help whenever they are asked for help. It's ethically very, very upsetting.
Certainly, I won't talk for all countries in the world, but in the UK and the US, nothing like enough has been done to make that kind of activity morally reprehensible. I have hope in something like drunk driving. Now, in many places, if you get caught drunk driving, you don't get sympathy from your friends anymore. If you get into an accident and hurt somebody drunk driving, that's generally accepted now as morally reprehensible.
There are obviously people for whom breaking into digital systems and abusing them for gain is not morally reprehensible, particularly, taking money off old people or ransoming hospital data.
It's one thing. I can legally go after the person who broke into my house because they were physically here. They are governed under the same laws that I'm governed under. When it comes to someone hacking my email, they could be in Serbia, they could be in Canada. All of a sudden, the process of going after that person is not as simple as calling my local law enforcement and saying, “Hey, someone stole something from me. Who do I call? Do I call someone in Canada?”
Don't get me wrong. Cybercrime is a huge challenge. When I did my master's degree, it wasn't in cyber security. It was security in general in the Criminology department at Leicester University because I wanted to see what traditional criminology had to say. Clearly, there are elements of cybercrime, prosecution, and deterrence, which are way different than traditional crime because of that remoteness.
I think on the ethical side of it, there are plenty of cyber criminals in the UK and in America, particularly fraud and scam stuff. In our society, we haven't made that an abhorrent thing to do. Together, in terms of prosecuting cybercrime, I think the FBI has come a long way.
I've certainly been very impressed with some of the sanctioning that's been done in regards to Russia's invasion of Ukraine and identifying people. I think this administration is trying to make up for lost time, because frankly, I wasn't pleased with the amount of progress under the Obama administration. If you could imagine having a president for whom validating the threat from cybercrime would be a threat to his legitimacy, it's very interesting for political historians.
There was a stump speech from Trump, which talked about unifying the law enforcement response to cybercrime. It was to be delivered to, if I've got this right, a meeting of veterans. He went off topic and didn't talk. I don't think he ever delivered the speech. I saw that and I was like, “Yes, if you do that, that is good.”
You had this situation where admitting that cybercrime happened could even be potentially a problem. Then it got all twisted up in the election and all that stuff. Cybercrime is a problem. We need to identify people. I do think there is value in identifying foreign actors. Even if you can't arrest them, it does make them stay in potentially a country that's cold and doesn't have nice beaches because then those countries go and annex the beaches.
There are at least five cyber criminals who were indicted in absentia and later arrested going on vacation. It puts a crimp in the style of a criminal. Again, I'm always mindful. I need to have things to pin some hopes on.
Cybercrime is a crime where desistance is quite possible. Desistance is this idea in crime that people give up. The classic example is someone who started doing burglaries when they were younger, but then they got married and they gave it up. Cybercriminals, almost by definition, have transferable skills. Breaking and entry, not so much. But cyber skills, yes.
In fact, a prosperous economy with fuller employment where the person who writes banking code during the day doesn't feel tempted to write encryption code for shady characters in the evening to make up their money. There is a pathway out of cybercrime, potentially. Again, it is very dependent on economic circumstances, which is why having thriving economies in all countries is a good idea.
Yeah. I think that's probably a good place to wrap it up as, “OK, everybody. Just make your economy great. That's all.”
We need growing economies moving to full employment and less with robots taking over jobs.
And people just being better people.
Yes, please. Yeah, be a better person. That would really help.
If people want to find you online, where can they find you online?
Actually, stephencobb.com belongs to me. That's a good place to find me.
With the PH?
Yes. Stephen Cobb with the PH. If you're into the whole brevity thing, as the Dude would say, scobb.net—the same place.
Are you on social media?
Yes. I'm on Facebook. I don't use it as much as I use Twitter. On Twitter, I am @zcobb. Z because scobb was taken.
Everybody knows how you feel about that.
But yes, I'm quite active on Twitter.
Great. Thank you so much for coming on the podcast today.
It was a cake, Chris. I appreciate it.