Jordan L. Strauss, Managing Director at Kroll, joins Yahoo Finance Live to discuss the Colonial Pipeline Senate hearing and outlook on the DOJ protecting the government and companies from cyberattacks.
ALEXIS CHRISTOFOROUS: I also want to mention that the FBI said that it was able to seize $2.3 million in Bitcoin paid to those Colonial Pipeline hackers. I want to talk about that more now with Jordan L. Strauss, Managing Director at Kroll. Jordan, good to see you again. Let’s talk about that testimony from Colonial Pipeline’s CEO today– the fact that the FBI was able to get back some of that money that was paid in a ransom, do you think that’s going to deter future attacks– the fact that the FBI was able to essentially hack the hackers here?
JORDAN L. STRAUSS: Hey, Alexis. First of all, it’s great to be back. Second of all, I think what you’re seeing here is one part of a multilayered approach to deterring this kind of behavior, punishing this kind of behavior, and removing the profit motive. So we’ve seen a number of senior officials in the Biden administration and the Justice Department talk about how the ransomware problem, particularly as it pertains to critical infrastructure, needs to be addressed as seriously as terrorism.
And what they’re doing is they’re using the same tactics that were so effective against al-Qaeda and ISIS to address that problem. And that’s going to include things like making sure that it’s not profitable to engage in this kind of behavior, depriving wrongdoers of the shelter that stops them from being prosecuted, doing things to sow distrust inside the community to make it harder to conspire. You know, whether all of those elements coming together are going to be effective remains to be seen, but certainly making it harder to profit and making it more expensive, both personally and professionally, to engage in this kind of behavior, it’s definitely going to help.
ALEXIS CHRISTOFOROUS: And we’ve definitely heard experts say time and time again they believe these cyber threats are the number one threat to our country right now, even more so than terrorism. You just brought up terrorism. When you look at who is top dog at the DOJ right now, a lot of these people are coming from national– from the world of national security. How might that inform how they approach protecting our infrastructure, protecting the government and companies from cyber attacks?
JORDAN L. STRAUSS: It’s a great insight, Alexis. So if you look at Attorney General Garland, who came of age during the Oklahoma City bombing, Deputy Attorney General Lisa Monaco, who’s really taken the department’s lead on this, grew up at the FBI, and the Justice Department, and at the White House fighting al-Qaeda and ISIS– her deputy, John Carlin, is the same and Matt Olsen, who has been nominated to lead the department’s National Security Division, was previously the director of the National Counterterrorism Center. So all of these folks grew up dealing with the modern terrorism problem.
And the approach, which was largely effective over the last 20 to 30 years in dealing with terrorism, has been that multilayered model where you’re using things like your soft power and diplomatic power to encourage all nations to be good actors, and to cooperate, and share information. You’re depriving would-be cyber criminals of the ease of conspiracy– so making it hard for them to know how to trust.
You saw that with today’s announcement of this massive rollout where, evidently, the FBI was operating a tool that people believed was some sort of secure encryption– encrypted platform, selected strikes like you saw today, and then you’re going to see increases in prosecution– a lot of increased intelligence sharing both across governments, internationally, and in and amongst and with the private sector. And then finally, you’re going to see a lot of pressure, particularly on financial institutions and organizations that manage money to make sure that they know their customer, and that they’re filing suspicious activity reports in a timely basis.
So just like with terrorism, we wanted to choke off the flow of money that enabled serious terror attacks to happen. We want to do the same thing for criminals here. And that’s the policy the Justice Department announced and that the Biden administration has been hinting at for the last several months.
ALEXIS CHRISTOFOROUS: What do you make of the fact that the Colonial Pipeline CEO, when he testified before that Senate committee today, was unable to give lawmakers the amount of money his company has spent on protecting them from exactly what happened– that ransom attack?
JORDAN L. STRAUSS: So without commenting on any specific individual or company, effective cybersecurity programs embody physical security programs. They embody detection efforts, insider threats, cooperation with all levels of the company. So sometimes putting a real number on what your security spend is, right– it might not just be how much you do– you’re spending on things like firewalls and maintenance.
It might also be, are you training people to not allow people to follow them in with a bad badge? Are you training people not to click on phishing emails? Those can be elusive numbers.
ALEXIS CHRISTOFOROUS: OK. And you know, if you take a look at these cyber attacks, all of them, really, over the past few years have one thing in common– they’re all happening over the internet. What does this tell us about the way that we are using the internet? Should we find another way– another way to layer on top of or outside of the internet, because I think time and time again, it’s been proven that the internet is just not– is just not secure.
JORDAN L. STRAUSS: So I mean, really complicated question– out of band communication is a really good thing. So when I’m working with clients of all sorts to do things like stop wire fraud, you know, where somebody impersonates a senior official and emails the controller and says, hey, it’s the CEO, I need a quarter of a million dollars right now, send it, right? What we like to say is, use something that’s not email– that’s a separate communications method to confirm that things are happening.
For the last 20 or 30 years, security experts, not just in the cyberspace space, have been concerned about the security of SCADA networks, which are systems that control systems, right? Certain of those do operate on a separate, encrypted fabric. But I think that moving off of internet-enabled communications, even– for internet-enabled communications platforms, even for very highly secured systems is a pretty difficult lift.
ALEXIS CHRISTOFOROUS: All right, Jordan L. Strauss, Managing Director at Kroll, thanks so much for being with us today.