I happily gave a con artist five dollars a few months ago.
This man hesitantly approached me while I was fuelling my car and said that he’d been robbed and didn’t have enough petrol to get home. I knew that he was lying because I’ve heard the routine before, but I cheerfully paid him because this fellow’s performance was spectacular. Unlike most of the grifters who’ve tried this approach on me, this crook was clearly invested in his craft. His story was airtight. He convincingly portrayed embarrassment, desperation and vulnerability like a professional actor. I got to experience a great show, the performer got some cash, and we both left the encounter happy.
My wife thought I was crazy to waste a fiver this way. I argued that it wasn’t a waste; it was useful research. Working in the cyber-security field requires understanding and respecting your adversaries. A security practitioner who only studies technology is like a pilot who only studies aerospace manufacturing. A good cyber security tech has to invest time considering psychology, culture, law, criminology and human behaviour. The technologies that we install and manage are only part of a comprehensive defensive posture. The other aspects of effective cyber-defence all involve understanding people.
This broader approach to proficiency naturally inspires some empathy and respect for our adversaries. It’s about appreciating an adversary’s tactics, techniques and motivations. Just like in poker, you “read” your opponents and play against the people, not just the cards. That’s why we pore over the post-event analysis every time a baddie attempts (or pulls off!) a major crime, because we want to know not just what they did, but how and why they did it. The more that we know about the other side, the better we can detect their presence in our own environment and deploy effective countermeasures against them.
Take the recent hack against Bangladesh’s central bank, for example. This was one of the biggest cyber-heists of all time, a daring attempt to steal over $950 million by subverting the inter-bank transfer system and compromising a weakly defended part of the global banking network. The crooks got away with over $81 million. They might have got a lot more, but a sharp-eyed employee at Deutsche Bank spotted a typo in one of the fraudulent messages and sounded the alarm. Thanks to human intervention, more than 90 per cent of the theft attempt was thwarted.
This is a fantastic story and also a great teaching tool. Human attentiveness and insight are often the most important tools that we have for fighting modern fraud. Whistleblowers, auditors and network engineers are definitely important, but everyday employees are every bit as crucial. Fraud detection isn’t a function best left to the specialist staff; everyone in an organisation has the potential to meaningfully contribute.
In order to help turn every worker into an early warning sensor, we need to inculcate into our employees a healthy respect for the baddies. We don’t need to make cyber-criminals out to be twelve-foot tall titans with genius-level intellects. These are real people, not cartoon villains. Instead, we need to teach our employees that the most dangerous baddies are skilled, practised and highly motivated craftsmen. They’re rational adults who take their jobs every bit as seriously as we take our own. In order to defeat them, we need to study them: we need to understand what they want, how they operate and how to recognise their shtick. There’s no place for arrogant contempt when millions of pounds and the company’s continued existence are at stake. Respect the other fellow, or get played for a fool.