Cyber Savvy

History of Cybercrime

Season 1 Episode 1

Cybercrime: where did it all begin? It is difficult to frame the full breadth of cybercrime today without understanding the history first. Mike Urbanik has spent considerable time researching the subject and highlights for us where the roots of today’s cyber criminals, their motivations, and their techniques come from. Join us as Andrew Rose and Mike touch on some significant instances and have a conversation about those that best represent various sectors.

Andrew Rose began a cybersecurity awareness program in 2016 while at a major agricultural bank after recognizing that the ag sector wasn’t getting the attention it needed about the risks posed by cybercriminals and other adversaries. He helped coordinate several symposiums and events focusing on the topic. He is now an independent contractor and volunteers his time to bringing cybersecurity awareness, education, mitigation, and response to the ag and food supply chain (and other special projects). His focus is on mitigating emerging threats. In addition to his experience in cybersecurity, he has a deep understanding of banking/finance, risk management, and other professional service sectors related to food, agriculture, and climate.

Michael Urbanik is an Account Executive with R.K. Tongue Co., Inc. and is licensed in both Life & Health and Property & Casualty Insurance. He has experience working with both large and middle market commercial clients. He enjoys helping his clients understand the risks they face and develop cost-effective plans to successfully mitigate and transfer these risks.

Did you enjoy today’s episode? Think we missed an important sector that should have been discussed? We here at DTC, Inc. would love your feedback on today’s episode! Please email us your comments and questions at AskUs@DTCtoday.com.

Read on with our most recent blog post: How the First Cyber War (2007) Set the Stage for Today's Cyber Financial Attacks

On our next episode Andrew and Mike will be joined by special guest Scott Leister, DTC’s own Director of Technology, to discuss phishing and the dangers facing unprepared end users.

Want to hear more? Past episodes are all posted, including on YouTube! Follow and subscribe on your favorite podcast app to ensure you don’t miss out on the conversation!


[INTRO MUSIC]

 

[00:00:06 Andrew Rose] Welcome to Cyber Savvy. This podcast was created by DTC to bring awareness, mitigation and response to cybersecurity threats companies and organizations face daily. Be prepared. Be cyber savvy. 

Hello, my name is Andrew Rose and I'm excited to welcome Mike Urbanik from R.K. Tongue here for our first podcast on the history of cybercrime.

And I know that Mike has spent a significant amount of time researching this, and I just can't wait to hear about how all this began. Because back in the early days it certainly wasn't as significant an issue as it is today, but in order for us to address the issues today, we need to know how we got to this point in time. 

And Mike, quick question for you: R.K. Tongue, what is R.K. Tongue, and why is that relevant to this conversation?

 

[00:00:55 Michael Urbanik] Yeah, thank you, Andrew. 

R.K. Tongue, we are an independent insurance broker based out of Baltimore, we're over 100 years old. And while I consider ourselves true insurance generalists, we found a niche with white collar industries; think CPAs, medical fields, doctors, lawyers. And you know, who we are, we're independent brokers. We are able to work with the client, whoever they are, understand their risk, their insurance needs, and then approach the marketplace and really customize and build them an insurance and risk transfer program that's going to fit them what their risks are for the right price and really let them do what they need to do to operate in today's world and feel protected that should something happen, we have their back. So that's who we are in a nutshell. 

 

[00:01:41 Andrew Rose] Well, it makes sense that we would partner with an organization like yours.

DTC is an elite managed service provider, so we take care of our clients' I.T. computers, phones, email systems and make sure they run and operate effectively. And DTC is known in the community as being one of the elite providers of this service. And as such we try to partner with other elite providers of services, complementary to ours, and the risk management piece of cybersecurity is absolutely critical.

So, Mike I'm going to turn it over to you and let you talk a little about the history of cybercrime. Where do we begin? 

 

[00:02:13 Michael Urbanik] Yeah, I think there's a good quote from Carl Sagan that would kick this off, he says, “You have to know the past to understand the present”. When it comes to cybercrime, this has been one of the vast, but most quick to evolving risk types out there, and you'll see that from the history as we go from 0 to 100 miles per hour within only 10-20 years, really. But there is some build up here to that so, we need to kind of understand what that shape is, to understand how we got to where we are today. 

So, with that being said, I guess I'll frame it this way: you know, how big is the problem today? And I would say it's huge. One of the things that is difficult, it's very hard to put your finger exactly on the pulse because not all cybercrimes, not all types of data breaches, one are discovered or even known about, let alone reported. 

So, we have an inherent challenge of understanding how big this issue is because of the lack of hard data; but, you know, we take the data points we have, and we speculate and estimate to the best of our ability around that. 

Looking at the FBI IC3 report, cybercrime in the United States alone was estimated around 70 billion dollars. That's most likely on the low side, according to estimates by Statista’s cyber outlook; they think that worldwide cybercrime is closer to around 8.4 trillion dollars in damages, losses. And just to put that in perspective, you know, how big is 8.4 trillion dollars? Walmart is a 600 billion dollar business. So, we're talking 13 times larger than Walmart, who we all know is an incredibly ginormous corporation. So, the issue is vast. It is huge, and that's where we are today. 

So, but the question is, how did we get here? And we kind of have some humble beginnings. You know, the first computer wasn't built until 1822. We didn't really get the first modern or recognizable computer until 1945. And, you know, at these points, there were no computer viruses, it was very benign. There were only a few hundred computers in the world in this time period. They were all typically owned by governments or universities, colleges. Think MIT, think Harvard, Princeton, who were building these devices, they were not in the general public.

So where do we think the timeline really begins for cybercrime? Technically, the first one was in 1962, when one of the MIT students stole passwords so he could log more time on the school research computers. And the first crimes were really very benign and simple and were not monetarily devastating because there was very useful information on computers at that point. So, we fast forward from the sixties, we get to the eighties, and this is probably the biggest turning point for the world to come is the development of the Internet. 

They moved from these internal communication computer systems to now computers being able to talk to one another on the Internet. And while I understand computers, I'm not going to try to attempt to define the Internet for what it is other than it's something we use all day, every day, and it connects the world and all things. And this is really the beginning. 

So, 1980, the Internet has developed. Cybercrimes at this stage are still incredibly limited, incredibly isolated. They can take place via phone, not necessarily just computers- phones are computers in a way. And the type of people we're dealing with in the eighties to the nineties are a couple of state actors. What I'm going to call “hacktivists”. These people who use computers, cause chaos for maybe some political ideology purposes, or just to get reputation out there as being computer savvy, computer guru type person.

In 1981, maybe one of our first most infamous people comes around, and that's Ian Murphy, a.k.a., Captain Zap. And he was able to manipulate the AT&T phone system via pushing buttons in the dial tones to change their internal clocks to make phone calls for pennies on the dollar. And he caused a ton of havoc in their system. But, you know, he wasn't really motivated by financial gain. He was really motivated just by showing off his technological skills.

In 1988, we get the first computer virus; it was created by an MIT student. It was called the Morris worm, and it didn't have any malicious intent like we think viruses do today. You know, it was simply designed to reach out, feel around the beginning of the Internet, and was an attempt to map out the Internet as we know it. And while it did maliciously spread to computers, it didn't do major damage.

So I.T., cyber liability is very nonexistent in these early stages. And it really doesn't come around until the 1980s where we see a big rise in internet usage by corporations and other businesses. 

Probably one of the most notable ones I wanted to bring up is a guy named Vladimir [Levin]. He was the first hacker who attempted to rob a bank. He transferred over 10 million from Citibank into various bank accounts in 1995. I think this is really notable because we're seeing now the first type of crime targeting a business. 

As we all had lived and seen the Internet and computers grow in our lifetime, there was a fundamental change from paper to computers. Different industries transferred and made that jump at different times. But we see major corporations really start doing this in the 1990s and halfway through the nineties, we're seeing already someone attempt to rob a bank via computer.

As the internet spreads, as more and more businesses move to a digital platform, computers become more affordable. They're actually getting into the hands of more people. The problem just begins to spread, and we get into the 2000’s. And I think a great way to visualize this is if you're alive in the 2000s and maybe you have heard about it, but I think we all remember the Y2K bug.

And while nothing came of this, the idea that the world computer systems could not process the change from 1999 to 2000 and all the clocks would shut down and it would crash the entire world computer system. It just gave you that fear, that feeling, and knowing that so much of the world relied on computers at this point. 

So, this is 23 years ago at this stage but we all—

 

[00:08:24 Andrew Rose] But Mike, if I could add a little something too. Some of those COBOL and Pascal early programmers actually became survivalists and moved out to the desert because they thought the world would end too. So, I think everyone was holding their breath as the clocks rolled around at that point. But you're right, that was an awakening I think in the major psyche of how important it is to have some oversight over your computer networks.

 

[00:08:45 Michael Urbanik] Yeah, absolutely. It was not just major government. It was localized fear. I mean, I remember my family bought extra cases of water because we didn't know what was going to happen. As silly as that sounds, we knew computers were integral to our life at this stage and, you know, an attack on them would be devastating. So that encapsulates 2000 and it just grows from there. 

We're seeing more and more attacks on businesses, governments, and it's, again, the spread of the Internet, it's permeated more and more aspects of our life. More and more information has now been moved over to computers. Whether it is major banks, whether it is hospital systems, everything is beginning to be done on computers and all the information, the daily life is being digitized from this point on.

We have Michael Calce a.k.a., Mafiaboy in 2000 launching a DDoS [distributed denial-of-service] attack on major corporations. You know this guy shut down Amazon, CNN, Yahoo, eBay. An estimated tens of millions of dollars lost in revenue by these types of attacks.

We go to 2005, HSBC is attacked and it leaks 1.4 million MasterCard users' information out there and what we have learned to be called PII (personally identifiable information), names, addresses, emails, phone numbers, socials, things that bad guys can use to impersonate you, open up credit cards and really cause havoc and commit further crimes. 2008, Heartland payments is attacked resulting in the data breach of 134 million users.

And these data breaches are occurring because these corporations, they haven't engaged with I.T. companies and really understood the landscape behind the scenes for I.T. infrastructure and properly guarding this. It's easy to gather information from people as they fill out applications, as they put information online, but they're not storing it correctly at this stage. And it's a lesson that's slow to learn, I think even in 2023, corporations are still having to learn that lesson the hard way. But attacks grow, and you know that's just in the 2000’s.

Then when we get to 2010 through 2020 and just I can't name all the attacks of noticeable notoriety here, there are just too many, but we get things like this Stuxnet Worm in 2010, the first designed code. It was the code used to shut down the Iran nuclear facilities and shut down their enrichment processes. So, we see in 2010 computer code being used as basically warfare. We have same thing in 2010, the Zeus Trojan virus, email-based attack that targeted banks and stole over 70 million dollars from different banking associations.

Another one, 2013, a name that still comes up in today's news was Edward Snowden, and he revealed the extent via his leaks, which we all know highly controversial, but the extent of spyware being used in the world and what type of data was being collected. We get the first kind of hard-core malware computer shutdowns in 2017 with the WannaCry virus, which is still relevant today, still incredibly pervasive and damaging. Infected over 200,000 computers, one of which was the UK's national health system, and it shut down the whole UK national health computer system.

So, the variety of attacks in 2010, the targets, it becomes wide open. So, at this stage I'm going to call this maybe the golden era for development of cybercrime, cyber-attacks, because we see them being used in ways we've never seen before. And then 2020 on, what we've developed all these avenues for cybercrime to exist and then it's just fuel on the fire. You can pick any number of major stories and run with them. 

2020, Neiman Marcus, 4.6 million users had their data compromised, gaining access to all their personal data. You know, no one's safe in this time period, Kaseya, which is an I.T. security company based in Florida. They were victims of a ransomware attack that demanded 70 million in Bitcoin. So even the people who are supposed to be the smartest guys in the room are being attacked and have vulnerabilities to their system.

And this just illustrates the widespread of vulnerability businesses, even ones who engage in defense of other businesses have in this world. And then, you know, the icing on the cake is COVID-19. And as we transition more into this digital sphere, we're working from home, the number of cases just ramps up exponentially.

So that's a very truncated history of cybercrime. You know, we had these very humble roots with the development of computers, the development of the Internet. And really the story is as computers make their way into the mainstream world and more people get their hands on computers and more data value gets on the computers, the crimes just increase.

It's really as simple as that. 

 

[00:13:48 Andrew Rose] And I think it even at a very basic level, it's simple. When the Internet was first created, it wasn't created for security; it was created for free flow of information, interoperability between research institutions and academic institutions and a few others. They weren't concerned because it was a trusted closed loop network, you know. 

And really that was a beautiful framing of the history. And my goodness, you gave us an entire encyclopedia in gosh, less than an hour tip the hat there for you as well. A couple of things that I really do want to point out. Back in 1962, who was the fellow that did the first cybercrime when he was stealing time on the networks?

 

[00:14:22 Michael Urbanik] Yeah, in the 1962 was a guy named Allan Scherr. He created basically a punch card that tricked the computer systems at the school to let him log in as other users. With school computers, you could only get X number of hours per usage because, again, computers were so rare. So, he was basically impersonating other people to use their computer time.

 

[00:14:43 Andrew Rose] Wow, going back, just the humble roots of cybercrime, stealing time on networks. That's what these crypto thieves do today. They just sit there and park themselves sort of nefariously on your computer, you don't know that's running all the time, but they're stealing time off your computer to do their Bitcoin mining or whatever it is that they do.

And it sometimes is not even a computer. They might be in your motion sensor light outside because all this stuff is computer controlled. They can get in there and access that little processor as well. 

And then another thing that you mentioned, Vladimir Levin, the cyber hacker that hit Citibank, he was trained in Saint Petersburg. He was one of the early Russian hackers so, I bet he's got his poster up and a bunch of Russian fanboy hacker walls somewhere there in Moscow and Saint Petersburg as well.

 

[00:15:25 Michael Urbanik] Yeah, absolutely. From the beginning that just the, I’ll say computer IQ’s out there, there were just a handful of people who knew enough about computers to do damage, and financial institutions were not the only ones who fell victim. I mean, plenty of times independent contractors infiltrated US computer systems and vice versa for Russia and China and UK. I mean, you name it, there is no impervious, perfect computer system out there. Given enough time and energy and users a will will find its way through. And that story just continues to repeat itself.

 

[00:15:59 Andrew Rose] You know, that's sobering to think about, but you're absolutely right, because even if we build the best computer of the best events, all of a sudden the quantum computer with the qubits comes along and cracks right through that password in 2 seconds.

One other thing I do want to put a little note on is the Stuxnet virus, because that was a very unique virus. It was a warfare directed virus to begin with. It was a joint operation between the U.S. and Israel. And we were able to infect the centrifuges in Iran that were enriching the uranium to create nuclear weapons. But it did it in such a way that it interrupted their operations on a randomness so they couldn't figure out why some would spin up and some would just stop. They look at them, they go through the code, they could not figure it out whatsoever, but it really crippled their nuclear ambitions for a period of time there, too.

[Un]fortunately, it got out in the wild. That's when the problems began and that's when we realized that we could air gap all we want. But again, where there's a will, there's a way.

 

[00:16:52 Michael Urbanik] Yeah, we'll definitely cover that in the later episodes, we’ll go into detail about each avenue or type of attack and what they're targeting and methods in which they achieve these attacks and types of crimes. 

But to focus here on the history, the history of cybercrime is really tied to the history of the Internet and users on computers. I mean, in 1992 there was about a million Internet connected devices. Flash forward to 2022, we have about 14 billion devices attached to the Internet. So, almost twice the human population there are Internet connected devices. So, the means and avenues for cybercrime to exist have just exploded in the last 30 years. And as a result, we've seen the number of crimes explode. Simple as that.

 

[00:17:42 Andrew Rose] Indeed. Well, thank goodness there are organizations like yours and ours out there that are doing our best to protect our clients against things like this. Again, nothing is perfect, but the more variables you can manage, hopefully, the more certain or probable the outcomes are at that point in time.

 

[00:17:57 Michael Urbanik] Yeah, absolutely. And it’s tough from an organizational standpoint, you're being on the opposite side of the table, whether it's I.T. I feel like we're always a step behind. You know, I can speak for the insurance history. There was very little options for businesses when it came to cyber liability coverage in the early days. 

You go to the 1990s, if a client wanted to purchase a cyber liability policy, there just wasn't good coverage and insurance businesses were already beginning to peel out cybercrimes from policies as a type of coverage so, they were really left holding the bag. In the nineties we had early errors and omissions policies for data processing corporations, but these were really the type of policies for computer program designing companies or businesses making software. This was not for banks to purchase to prevent themselves from attacks.

Then we get to the 2000’s, the policies begin to get better. They start covering some online media information, unauthorized accesses network security, some data loss, computer worm virus claims, but still lots of exclusions. And the story continues to the 2010’s and beyond that. First and third-party liability only becomes an option in the mid-2000’s. 

So, there was always a gap between these cyber criminals, the attacks they commit, losses occurring and then industries like the insurance being able to develop products from the carrier’s side to provide coverage and indemnity for these businesses, because you can't snap your fingers and come up with an insurance product unfortunately. There's a lot of lag time and we're moving at 10,000 miles per hour in the digital space, instantaneous. You give a year of not providing coverage in this world and it results in billions of dollars of losses. So, it's a very challenging problem to get around when it comes to an insurance component. 

 

[00:19:56 Andrew Rose] Wow, that is an amazing point. I hadn't thought about the difficulty in bringing a new service line or product to market because it's not just getting a piece of paper. You, the insurer, is assuming a massive amount of risk on this thing unless you get it just right and the head is spinning trying to figure out the math that the actuaries have to plow through to try to figure that out and get ahead of the horizon a little bit on these things, boy. Thanks for bringing that up.

 

[00:20:19 Michael Urbanik] Yeah, absolutely. And, you know, to bring this full circle, the history first ask the question, how big is the problem? The problem's significant, incredibly significant in size. We don't see this going anywhere. We've kind of experienced the perfect storm with the rise of the Internet, the transition from paper to a digital space with so much of our everyday data. We've had the rise in cryptocurrencies, which is just fuel on the fire.

It is the perfect financial medium for cybercrime to exist and grow. We've had a rise in bad actors, whether it's state actors who sponsored cyber criminals. Russia, North Korea is a notable one. Indications that China is doing the same who are targeting not just governments, but they are targeting individuals as a means of capturing monetary assets for their country.

It is a business for many countries now and then beyond that, we now have just more I.T. knowledge or computer knowledge, rather, for the everyday individual. So, committing a cybercrime is easier than it's ever been. You can go on the dark web and download WannaCry and get access to these malware computer systems very easily. Before, you had to understand how to create them and launch this attack yourself. Now you can just buy the software to commit crimes. 

Couple that with slow government regulation and providing direction for businesses. Insurance industries struggling to develop a good product that will indemnify, in the ongoing battlefield between bad guys and good guys in the I.T. space kind of created a perfect storm for these criminals to run wild. And as we can tell, cause a lot of damage.

 

[00:22:04 Andrew Rose] You're right. And I don't want everyone to have a singular focus too that this is specifically a cyber adversary. We're primarily as a cyber adversary. We are seeing convergence as well. So, if it's somebody who is persistent and wants to get whatever it is that you have, sometimes it's not just a malicious code or a phishing email. 

Going back to the history, it could be a phone call, someone impersonating a vendor trying to get credentials or, you know, maybe trying to impersonate a new employee that's coming on board. We saw that recently with Dragos, one of the top cybersecurity companies out there. So, it's going back to the history again. You know, it's a multi-channel way that folks are trying to get into our crown jewels. 

And, you know, it reminds me of Smishing, the text message that people are getting is going back to your phone is now a computer that you have out there and you're talking about some of these folks around the world who are downloading this malicious software off the Darkweb so they can go out there and start their own business.

A lot of those folks are transacting this whole thing on their phones and they're typing in those tiny keyboards. So, let's not think that these are sophisticated adversaries in some instances that have giant computer systems behind them and fleets of people. These cyber criminals have access to a wide variety of tools at a very low-cost barrier to entry, so. Mike, again I appreciate your touching this point because I think it's important for our audience to know that.

 

[00:23:20 Michael Urbanik] Absolutely, yeah, glad to share the history. I think it frames the problem at large and how we got here so quickly. And I say we start talking about the types of attacks. Let's get into the details on what's happening out there. What are the most common attacks? What do they look like and how you can prevent them and be aware of them?

 

[00:23:39 Andrew Rose] You know, that's a great segue into our next episode. How do these actors penetrate? How do they get inside? What's the special key they use? And oftentimes it's just as simple as an email, isn't it? And besides the wide array of tools that your organization, R.K. Tongue and DTC bring to the table, there are a lot of things that individuals and business owners can do themselves.

I laugh a little bit because the head of CISA, Jen Easterly, has said that if everyone MFA’d [multi-factor authentication] everything of value that would reduce our cyber-attacks by 99%. Whether that is hyperbolic or not, it is a telling number. And so, there are a lot of things that we can do as individuals to protect ourselves and mitigate against these attacks.

So Mike, I want to thank you so much for coming in here and letting us know about the history of cybercrime. It's important for our listeners to know what the roots were of the crimes and the techniques that we're going to view in the near future on our upcoming podcast. 

And again, R.K. Tongue is the premier provider of risk management tools for your organization. I encourage you to either give them a call or send them an email, go to their website, learn more information about them. 

And DTC is an elite managed service provider. So, for those of you who have concerns about your computers and networks, which I imagine is most people out there, give DTC today a call or send us an email at AskUs@DTCtoday.com.

We'd love to hear from you. Thank you very much and have a wonderful day. 

 

[OUTRO MUSIC]

 

[00:25:13 Andrew Rose] We would love to hear from you. Please email us your questions or comments to askus@DTCtoday.com. New episodes of Cyber Savvy are posted on the second Tuesday of every month. For more detailed information, visit our website at DTCtoday.com.

Be prepared. Be cyber savvy.
