  • How Colorado's cybersecurity professional shortage is going – The Colorado Sun

    The pressure was on. Someone, somewhere, was attacking computer systems so customers couldn’t reach certain websites. In a windowless room in Denver, Zack Privette had worked all morning with his security team to figure out what the cyber strangers were up to. 
    “What’s happened is that we have an attacker who has been going through our different websites and they found a vulnerability into our active directory and …,” Privette explained to Richard Mac Namee, identified as chief operating officer of the company under attack. 
    “OK, I’m not technical. What does that mean?” interrupted Mac Namee, who is really the director of the new Cybersecurity Center at Metropolitan State University of Denver. And he’s actually quite technical. 
    This was a simulation.
    The makeshift “Cyber Range” command center inside MSU Denver’s Cybersecurity Center had multiple TV screens showing ominous maps of live cyber threats. It’s part of a unique training ground for students, recent grads and people who don’t even attend the college but are interested in cybersecurity careers.
    Privette, who isn’t an MSU student, got to experience the Cyber Range program because it’s open to outsiders. The industry needs more outsiders. According to one estimate, there are 66 cybersecurity professionals for every 100 job openings nationwide. It’s tighter in Colorado, where there are 59 for every 100. And demand is growing faster than training programs like MSU can graduate. 
    Mac Namee is behind the school’s Cybersecurity Center and getting the school designated as a National Centers of Academic Excellence in Cyber Defense in March. A former commander in the United Kingdom’s Special Forces who’s worked as a specialist in counterterrorism, Mac Namee keeps it practical. During the simulation, he pretends to be an ordinary company executive. Students must figure out how to explain the cyber mayhem to non-techies — and fast! 
    “It is a giant database that … holds their DNS server. And what a DNS server does is when you type in Google.com, it will change that to the IP address that the computer actually reads. That went down, which is why people are not able to access websites correctly,” Privette told Mac Namee. “That was down at 3:30:29. We have since brought it back up at 3:44.”   
    “So, 14 minutes of outage,” Mac Namee said. “Fourteen minutes with our athletes and the way they’re trying to log on, that’s quite a big problem. How will we resolve this?”
    Privette went on to explain that there was a backup so the data is safe. But he acknowledged the attackers were still inside the system and his team was now trying to figure out if data had been stolen. His team thinks credentials were taken, but he doesn’t think the theft involved customers’ personally identifiable data, he said. Mac Namee gave him an hour to figure it out.
    Targeted training programs have been popping up nationwide for the past decade as nearly every business with a website, ecommerce offering or other internet-based operation must deal with data breaches, ransomware and other cyber threats. 
    According to the Identity Theft Resource Center, which tracks breaches and supports victims, the number of publicly reported data breaches in the U.S. more than doubled since 2015 to 1,862 last year. Regulations in Colorado and around the globe also put the onus on companies to protect customers’ personal data. 
    Back in 1999, partly to address the lack of qualified professionals, the U.S. National Security Agency launched its National Centers of Academic Excellence program. It certifies schools with a cybersecurity curriculum for cyber research, defense education and cyber operations. There are now about 380 colleges and universities in the U.S. Such designations require a standardized cybersecurity curriculum, active challenges and professional development. There are 13 such schools in Colorado, including state, community and private colleges.
    The partnership with industry and MSU Denver is credited to Mac Namee, said Steve Beaty, a professor in the school’s computer science department. While Beaty started teaching cybersecurity courses in 2004, a cybersecurity degree debuted just four years ago. The new center and partnerships with private cybersecurity companies such as Atos, a European information technology firm that is now taking up space in the facility, really took off after Mac Namee arrived.
    “He had the bandwidth. Some of us haven’t had the bandwidth to do a lot of this stuff. Atos is due to him,” Beaty said. “Richard is the one who put the fire under what’s going on here.”
    And looking at the heat map of cybersecurity job openings at CyberSeek.org, the U.S. needs it.
    In the past 12 months, 714,548 cybersecurity jobs were posted in the U.S. according to EMSI Burning Glass, a firm that analyzes job openings and labor data. EMSI partnered with the Computing Technology Industry Association (CompTIA) and the National Initiative for Cybersecurity Education on the CyberSeek effort to document the need for more trained workers. Colorado, among the top 10 states with the most openings, had 25,761 as of April.
    “The field is just growing so fast that even if we churn out many graduates, which we have seen a significant uptick in, it still often doesn’t keep pace with the growth in demand,” said Will Markow, an EMSI Burning Glass cybersecurity expert. “We’ve seen about a 40%-50% increase in the number of graduates from cybersecurity programs across the country. The problem is that during the same timeframe, demand for cybersecurity workers grew about twice that rate.”
    The industry has a number of unique issues that compound the shortage, Markow said. New threats erupt all the time, so the industry is constantly scrambling. Workers need a mix of different IT skill sets plus credentials, some that require years of experience. That makes it difficult for those starting out who have no experience. 
    “Employers are also not offering many opportunities for people who either don’t have a bachelor’s degree or who don’t have at least three to five years of prior work experience,” Markow said. “What that means is that there aren’t many entry level opportunities (and that) presents a unique challenge for building the pipeline of cybersecurity workers.” 
    Cybersecurity jobs stay open 20% longer than other tech jobs, which are already notoriously hard to fill, he added. And because of the required degrees and certifications, the jobs pay about $15,000 more compared to other IT jobs.
    Government agencies are more open to hiring skilled workers without college backgrounds. That’s true with the state Governor’s Office of Information Technology. A paid apprenticeship for veterans requires “some IT experience but no degree,” said Ray Yepes, Colorado’s chief information security officer. 
    “It’s also worth noting that for the majority of OIT positions we will accept years of experience as a substitute for education,” Yates said in an email.
    With the growth of college programs, boot camps and other training programs, Markow said that it’s up to companies to adjust hiring requirements if they really want to fill openings and feed their own talent pipeline.
    “I think that really the question is whether employers are going to be receptive (and) hire those workers,” he said. “They’re learning the right skills for cybersecurity. What we need are employers to also recognize that they need to take more of a skills-based lens towards recruiting cybersecurity workers as opposed to a credential- or experience-based lens which they have done historically.”
    While security simulations were happening in one part of the room at MSU Denver, in another, Nathan Shelley was at work. Literally. The recent MSU graduate with a Bachelor of Science in cybersecurity was hired by Atos as an intern just before his December graduation. He became a full-time employee May 30. Atos is a massive European IT firm based in Paris. 
    “We monitor public-sector clouds,” said Shelley, who grew up in Estes Park and was drawn to MSU Denver because of its new cybersecurity degree. “We are responsible for monitoring log traffic and determining if there are false positives or true positives.” 
    Shelley was monitoring computer systems of actual government agencies that hire Atos to make sure what is stored in the internet cloud isn’t being compromised. Security analysts like Shelley spend hours watching the online activity and thanks to artificial intelligence and monitoring tools, they get alerts when something is awry and must determine if the issue is real. 
    That may not seem very exciting but a cheery Shelley speaks enthusiastically about his gig, which includes plugging holes discovered only after software was released. In other words, bugs born on day zero that online mischief makers are constantly hunting for. 
    “Probably the most active that I’ve been this week was yesterday when we were patching for a recently discovered CVE, that is a vulnerability with Follina, it’s a proliferating, zero-day exploit,” he said. “This is very widespread for the Microsoft environment. It’s an Office 365 zero-day vulnerability so that means (the software) was released with the vulnerability. It’s now flaring up in the cybersecurity realm. It allows remote code execution and that can be done through a certain domain.”
    Microsoft had not yet issued a fix for Follina, named after an Italian village with a postal code that was found in the exploit.
    The MSU Cybersecurity Center is a resource for others, too. Helping potential IT workers get hired is the mission of ActivateWork, a nonprofit IT recruiting and training organization that connects employers to the overlooked talent.
    “We believe the traditional hiring process leaves extremely valuable talent out. We help employers solve talent gaps by finding underrepresented candidates and preparing them to excel in new careers,” said Susan Hobson, the nonprofit’s director of apprenticeships and evaluation.
    Its first-ever 15-week security fundamentals course culminated last week with MSU Denver’s Cyber Range simulation. Hobson said ActivateWork focuses on the workforce employers need.
    “We know that cybersecurity has a gap, especially here in the Denver area,” she said. “If you look at local area labor data, there were 13,000 open cybersecurity jobs as of March this year. We knew the need was there and we drive our course offerings based on local employer needs.”
    ActivateWork’s learners aren’t typical students. Most don’t have a college credential. Many are unemployed or are looking for a better job in IT. The recent cohort of security fundamentals graduates left with CompTIA A+ certification and over 100 hours of soft skills and life skills training including resume reviews, interview prep and financial capability training. After graduation, ActivateWork helps them find a job in the field and coaches them for 12 months as they transition into a career. 
    The organization also has a registered apprenticeship program with the U.S. Department of Labor and works with area employers to hire graduates from their boot camps. Three of the 20 graduates start cybersecurity apprenticeships this month, and ActivateWork is always looking for more companies to partner with to build a talent pipeline in cybersecurity. 
    “They’re struggling to hire because they’re looking for individuals with three to five years of experience,” Hobson said. “This is a way to equip talent through 12-months of on-the-job learning with the exact skills an employer needs.”
    Privette, who was part of the MSU Denver cybersecurity simulation, stopped the bug from wreaking more havoc. They brought back the websites and, well, he hopes he continues to keep learning more. He is very excited to start his ActivateWork cybersecurity apprenticeship on Monday as an information security analyst.
    “I’ve been wanting to get into this since high school and I feel like ActivateWork has really given me the opportunity to pursue it,” said Privette, an electrician until he fell from the ceiling at one client location. “I didn’t have the money to afford college. And then I didn’t really realize the path to get to it (cybersecurity). I didn’t want to be an electrician forever. Falling through the ceiling gave me the opportunity to pursue this.”  
    Tamara writes about businesses, technology and the local economy for The Colorado Sun. She also writes the "What's Working" column, available as a free newsletter at coloradosun.com/getww. Contact her at cosun.com/heyww,…

  • How to get free cybersecurity training from industry leader IBM – Fortune

    The cybersecurity industry is ripe for an influx of new professionals entering the field. In fact, there are nearly three-quarters of a million cybersecurity positions left to be filled, according to a report by Emsi Burning Glass (now Lightcast), a market research company. 
    And every year that demand continues to climb. Worldwide, the number of unfilled cybersecurity jobs jumped 350% between 2013 and 2021, from 1 million to 3.5 million, according to Cybersecurity Ventures. While there are more than enough positions to be filled, there aren’t nearly enough qualified personnel to fill them. 
    Field jobs require specific training—whether it comes from certification programs, online courses, master’s degrees in cybersecurity, or other company training programs. A prime example of a company focused on growing a pipeline of cybersecurity talent is IBM, the Fortune 500 IT-management and hardware company. 
    In August 2021, IBM Chairman and CEO Arvind Krishna announced a commitment to train more than 150,000 people in cybersecurity skills during the next three years as cybercrime continues to rise.
    “Businesses and government share a collective responsibility to collaborate on preventing cyberattacks that could have a devastating impact or prompt national or global crises,” Krishna wrote in a statement. “We must join forces now to shore up the security of the critical infrastructure that keeps our society functioning.”
    In conjunction with the White House’s National Cyber Workforce and Education Summit held in mid-July, IBM also announced the creation of more talent pipelines for cybersecurity jobs, including its new Cybersecurity Leadership Centers with historically Black colleges and universities (HBCUs) and minority serving institutions. IBM is also partnering with the American Council on Education to translate cybersecurity apprenticeships to college credits.
    IBM has offered free skills training for professionals interested in a cybersecurity career for many years, along with other educational programs, says Justina Nixon-Saintil, vice president and global head of IBM corporate social responsibility. Anyone can take these courses; they’re not available only to employees.
    “As part of IBM’s commitment to skill 30 million people globally by 2030, we are providing free education on key technologies like cybersecurity, with a focus on underrepresented communities,” Nixon-Saintil tells Fortune. “Whether learners are just entering the workforce or switching professions, IBM SkillsBuild equips them with the foundational skills to pursue high-demand, lucrative careers.” 
    Students can visit IBM’s SkillsBuild platform to explore different course options based on jobs they’re interested in pursuing, including a cybersecurity analyst. To sign up for courses, students need to create an account with IBM, which asks for simple demographic information, skills, and interests. Then, students can search the platform for courses of interest.
    IBM offers three levels of cybersecurity content. Basic training provides an overview about what cybersecurity is; the foundational level gets into key skills needed for cybersecurity jobs and understanding what jobs are out there; and the cybersecurity analyst program is “aligned to a junior cybersecurity analyst role and provides the learner with the skills and competencies to do the job,” Nixon-Saintil says. All courses are available in 12 languages, and the cybersecurity fundamentals training takes about six hours to complete.
    Upon completion of the online skills training, students receive a digital badge that can be added to a resume or social media platform for potential employers to see. All of the courses were developed to align with existing cybersecurity jobs, Nixon-Saintil says. 
    Through its SkillsBuild platform, IBM also offers free courses in artificial intelligence, cloud computing, blockchain, data science, quantum computing, and emerging technologies.

  • Cybersecurity job postings surged more than 40% over the last year, new report finds – The Record by Recorded Future


    June 8, 2022
    Demand for cybersecurity talent spiked more than 40% over the last year, with employers adding more than 714,000 job postings for cybersecurity roles during the 12-month period ending in April 2022, according to new data released Tuesday.
    The findings come from CyberSeek, a joint initiative between the National Institute of Standards and Technology’s (NIST) National Initiative for Cybersecurity Education, job market analytics firm Emsi Burning Glass, and tech industry nonprofit CompTIA.
    According to the data, nearly 40% of the new job postings came during the first four months of 2022, signaling a recent uptick in demand for cybersecurity workers. The finance and insurance industry accounted for the most postings — the first time in more than a decade that the professional, scientific and technical services industry wasn’t in the top spot for cybersecurity recruiting, according to the group. 
    As the cyber threat landscape has become increasingly prevalent, industries across the board have been vulnerable to ransomware attacks and phishing campaigns, contributing to the heightened demand for cybersecurity talent. CyberSeek data shows a 43% demand increase for cyber-specific jobs as opposed to an 18% increase in demand across the broader employment market throughout the 12-month study.
    National Cyber Director Chris Inglis spoke about the new data at the RSA conference on Tuesday, calling the increase in job postings “dramatic” and emphasizing the need to broaden the talent pool that the government and private sector recruits from. “We need to re-examine those jobs and understand which part of those people are attempting to substitute for technology,” he said. “It might not be that every one of those needs a computer science degree or electrical engineering degree… Let’s take a look at the other end of that and make sure that we’ve opened these possibilities to the broadest possible population.”
    A number of organizations in the government and cybersecurity industry have launched initiatives in recent years to train more cybersecurity workers and expand the talent pool. Last week, for example, the Cyber Halo Innovation Research Program announced its first university partnership for a program that offers students a two-year route to a cybersecurity career at the U.S. Space Force or a partner organization.
    But according to the data released Tuesday, some of the most in-demand jobs are at senior levels. Postings for IT managers and directors rose 224% year-over-year and postings for program managers rose 169%, while postings for software developers and engineers rose 92% during the same period.
    Emma Vail is an editorial intern for The Record. She is currently studying anthropology and women, gender, and sexuality at Northeastern University. After creating her own blog in 2018, she decided to pursue journalism and further her experience by joining the team.

  • NICCS Education & Training Catalog | NICCS – National Initiative for Cybersecurity Careers and Studies

    The NICCS Education and Training Catalog is a central location to help cybersecurity professionals of all skill levels find cybersecurity-related courses online and in person across the nation. Use the interactive map and filters to search to find courses that can increase your expertise, prepare to earn a certification, or even transition into a new career!
    All of the courses are aligned to the specialty areas of The Workforce Framework for Cybersecurity (NICE Framework).
    For organizations or academic institutions interested in listing courses on the NICCS Education and Training Catalog, apply to become a provider today.
    Questions? Contact us at NICCS@hq.dhs.gov.

  • Bachelor's Degree in Cybersecurity – Purdue University Northwest

    Purdue University Northwest’s (PNW) Bachelor of Science (B.S.) in Cybersecurity prepares you with the technical competency, knowledge and skills needed to protect networks, systems, software programs and data from criminal or unauthorized access. You will learn concepts, knowledge, skills, technologies and practices in a broad spectrum of cybersecurity areas, including the emerging fields of applied data science and artificial intelligence.
    This program is hands-on and application-oriented. Upon the completion of the program, you’ll be ready to take highly sought-after industry certification exams.
    Department of Computer Information Technology and Graphics
    Upon completion, a student will:
    You’ll take a balance of general education courses, College of Technology core courses and cybersecurity courses. This balance blends theory, applied research and experiential learning in all the vital aspects of IT, including networking, database administration, security and project management.
    The cybersecurity program provides the specialized training you need for a career in this complex, in-demand field.
    You can currently complete this degree at PNW’s Hammond campus.
    First-year courses cover the basics of IT in areas such as organization, history, related informing disciplines, application domains, computer math and other IT-related topics.
    Cybersecurity Course of Study
    Sample Courses
    Your second year covers in-depth discussions of networking, programming, database and fundamentals of information assurances.
    Topics include administration, confidentiality, integrity, authentication, non-repudiation, intrusion detection, physical security, encryption and machine learning foundations.
    In your final year, you’ll cover defensive programming techniques, bounds analysis, error handling, advanced testing techniques, detailed code auditing and software specification in a trusted assured environment.
    Cybersecurity Degree Program Highlights
    Cybersecurity workforce development is the key to assuring that the nation has adequate capacity to protect information and information systems.
    This quickly growing field is both challenging and competitive. At PNW, we provide the tools you need to stand out, including US government-recognized curriculum and individualized attention from instructors.
    Cybersecurity Degree Program Outcomes
    Through classroom and lab interaction with experienced faculty, applied research and experiential learning, you’ll begin your professional work with the confidence and knowledge to be successful in a dynamic, competitive field.
    Cybersecurity Degree Program Career Paths
    This degree prepares you for a number of careers in the cybersecurity field, including:
    Cybersecurity Degree Program Employers
    Our alumni work with some of the most innovative organizations across the region and around the world, including:
    Beyond the Cybersecurity Classroom
    We encourage you to get involved in activities like:
    Cybersecurity Degree Program Scholarships
    In addition to the scholarships available to all PNW applicants, students seeking a bachelor’s degree in cybersecurity may also be considered for program-specific scholarship awards, such as:
    It was a class in Linux system administration that helped me the most…I was assigned a real-world problem and I applied my education and experience to solve it.
    Lucas D’Antonio, ’23, Computer Information Technology—Concentration: Cybersecurity
    All of the hands-on training I’m receiving at PNW is helping me narrow down exactly what I want to do once I graduate.
    Joshua Phillips, ’22
    Computer Information Technology: Cybersecurity
    I was able to learn a little bit about everything – networking, programming, databases, security. It provided me a better understanding of how everything works together. It also gave me a wide variety of skills, not just for cybersecurity, that I can take with me into my career.
    Travis McKinney, ’22, Computer Information Technology
    Michael Tu, Ph.D.
    Professor, Computer Information Technology

    Michael Tu is a professor of computer information technology and director of the Center for Cybersecurity.
    Ricardo A. Calix, Ph.D.
    Associate Professor, Computer Information Technology and Graphics

    Ricardo A. Calix, Ph.D. is an Associate Professor of Computer Information Technology at Purdue University Northwest.
    Tae-Hoon Kim, Ph.D.
    Associate Professor, Computer Information Technology and Graphics

    Tae-Hoon Kim is associate professor of computer information technology in the department of Computer Information Technology and Graphics. His expertise includes computer network, security and data science.
    Ying Luo, Ph.D.
    Assistant Professor, Computer Information Technology and Graphics

    Ying Luo is an assistant professor in the department of computer information technology and graphics. Her research and teaching focus on algorithm design, database management and cybersecurity.
    Chuck DeCastro, M.S.
    Lecturer, Computer Information Technology

    Current responsibilities include teaching Networking, Operating System, Cyber Security and Computer Forensic Courses. I’m also the Advisor for the Gamers’ and Cyber ROAR Clubs.
    Earn a Bachelor’s Degree in Cybersecurity at PNW
    Purdue University Northwest’s Cybersecurity degree enables you to reach a genuine understanding of all aspects of the industry while building a solid foundation in technology through hands-on experiences.
    To see how a Bachelor’s Degree in cybersecurity from PNW opens doors, from corporate boardrooms to non-profit leadership, take the next step today!

  • Opinion | Why the F.B.I. Is So Far Behind on Cybercrime – The New York Times

    Guest Essay
    Renee Dudley and
    Ms. Dudley and Mr. Golden are reporters at ProPublica.
    There are many factors behind the stunning rise of ransomware. Our reporting found that one of the most important is the Federal Bureau of Investigation’s outmoded approach to computer crime targeting people and institutions in the United States.
    State and local police generally can’t handle a sophisticated international crime that locks victims’ data remotely — from patients’ medical histories and corporate trade secrets to police evidence and students’ performance records — and demands payment for a key. Many police departments have themselves been hamstrung by ransomware attacks. Federal investigators, especially the F.B.I., are responsible for containing the threat. They need to do better.
    When ransomware gained traction a decade ago, individual attackers were hitting up home users for a few hundred dollars. In 2015, as the crime was evolving into something more, the bureau still dismissed ransomware as an “ankle biter.” That year, about a dozen frustrated Cyber Division agents warned James Comey, who was then the director of the F.B.I., that institutional lack of respect for their skills was spurring their departures. Now well-organized gangs, with hierarchies mirroring those of traditional businesses, are paralyzing the computer networks of high-profile targets and demanding millions of dollars in ransom.
    The F.B.I. didn’t prioritize ransomware until May 2021, when an attack on the Colonial Pipeline halted the flow of nearly half of the fuel consumed on the East Coast. The F.B.I. director, Christopher Wray, compared ransomware to the Sept. 11 terrorist attacks, but by then the bureau was far behind the curve. Earlier this fall, when the Los Angeles Unified School District, the second largest in the nation, spurned a ransom demand, a hacker group leaked hundreds of thousands of stolen files. Last month’s attack on CommonSpirit Health, one of the country’s largest hospital operators, disrupted care and knocked patients’ health records offline.
    The situation could turn even more dire. Evidence is mounting that some ransomware gangs are linked to and protected by enemy governments, such as those of Russia or Iran. Hackers who steal data before locking it could turn over the digital spoils to their patrons — giving foreign powers access to records that could compromise everything from intellectual property to national security.
    One reason the F.B.I. can’t keep pace is that it lacks enough agents with advanced computer skills. It has not recruited as many of these people as it needs, and those it has hired often don’t stay long. Its deeply ingrained cultural standards, some dating to the bureau’s first director, J. Edgar Hoover, have prevented it from getting the right talent.
    Emblematic of an organization stuck in the past is the F.B.I.’s longstanding expectation that agents should be able to do “any job, anywhere.” While other global law enforcement agencies have snatched up computer scientists, the F.B.I. tried to turn existing agents with no computer backgrounds into digital specialists, clinging to the “any job” mantra. It may be possible to turn an agent whose background is in accounting into a first-rate gang investigator, but it’s a lot harder to turn that same agent into a top-flight computer scientist.
    The “any job” mantra also hinders recruitment. People who have spent years becoming computer experts may have little interest in pivoting to another assignment. Many may lack the aptitude for — or feel uneasy with — traditional law enforcement expectations, such as being in top physical fitness, handling a deadly force scenario or even interacting with the public.
    The minority of agents with deep technical skills described the frustration of having to dumb down reports to superiors and needing to train colleagues who are not technically savvy, we found in our reporting. Plus, the F.B.I.’s macho culture has scorned digital skills. Cyber Division agents are nerds in a sea of jocks. The bureau has hired civilian computer scientists separately, but they are viewed as helpers, who typically command even less respect than Cyber Division agents.
    The “anywhere” expectation is also misguided. Unlike agents on crimes such as bank robberies, cyberinvestigators usually don’t need to be near a crime scene to collect evidence. Still, F.B.I. agents typically span the country, changing posts every few years, for career advancement.
    The F.B.I.’s emphasis on arrests, which are especially hard to come by in ransomware cases, similarly reflects its outdated approach to cybercrime. In the bureau, prestige often springs from being a successful trial agent, working on cases that result in indictments and convictions that make the news. But ransomware cases, by their nature, are long and complex, with a low likelihood of arrest. Even when suspects are identified, arresting them is nearly impossible if they’re located in countries that don’t have extradition agreements with the United States.
    All of these aggravations cause computer experts to leave the F.B.I. It’s an easy transition because their skills are both immediately transferable to the private sector and in high demand.
    The F.B.I. should study the success of the Dutch National Police’s High Tech Crime Unit. Because of its fast internet and favorable legal conditions, the Netherlands has long been a popular spot for hackers to set up the servers they use to commit crimes. The Dutch responded by launching the H.T.C.U. 15 years ago. Since then, it has become one of the world’s leading law enforcement forces in fighting cybercrime. Beyond arrests, it has prioritized anything that reduces hackers’ return on investment, seizing criminals’ servers, disrupting ransomware-spreading botnets and notifying victims of impending attacks.
    From its early days, the H.T.C.U. hired tech experts with no background, or even interest, in traditional policing. When some talented digital recruits couldn’t pass the physical fitness tests or didn’t want to use weapons, H.T.C.U. leadership changed the requirements, allowing computer experts to join without passing the usual exams. But they left the job titles unchanged: Digital staff remained eligible for promotion to nearly any job in the H.T.C.U. 
    The H.T.C.U. also specified that half its staff must be cyberexperts. Each one is paired with a traditional law enforcement officer, and they work cases as a team. As John Fokker, who once served as digital coordinator of the H.T.C.U.’s ransomware team, told us, “the old school with the new school made it work.”
    That approach works for the Dutch. If it is willing to let go of the “any job, anywhere” mantra, it could work for the F.B.I., too.
    Renee Dudley, a technology reporter at ProPublica, and Daniel Golden, a senior editor and reporter at ProPublica, are the authors of “The Ransomware Hunting Team: A Band of Misfits’ Improbable Crusade to Save the World From Cybercrime.”

  • Law firms launch data breach legal case against Medibank. How will it work and who will benefit? – ABC News

    Three law firms have joined forces to launch a data breach legal case against health insurance company Medibank.
    This comes after the personal data of about 9.7 million customers was leaked by hackers last year.  
    Maurice Blackburn Lawyers, Bannister Law Class Actions and Centennial Lawyers have united for the case.  
    Let's take a look at what the law firms are seeking and who will benefit. 
    About 9.7 million current and former customers had their data accessed by criminals.
    The law firms are seeking compensation for Medibank and ahm health insurance customers who had their names, emails, mental health information and other data leaked. 
    A complaint was lodged with the Office of the Australian Information Commissioner by Maurice Blackburn in November.
    The law firms say they will now pursue the complaint seeking compensation for those affected by the data breach.
    Bannister Law Class Actions principal Charles Bannister says they believe the breach was a "betrayal" and a breach of the Privacy Act.
    He says it exposed a "lack of safeguards" and Medibank had "failed policyholders". 
    The firms say they have "tens of thousands of Medibank customers" registered for the class action.
    Maurice Blackburn has also launched an investigation into a class action against Optus following its data breach first reported in September. 
    It is expected this case will be quicker than a traditional adversarial class action.
    University of New South Wales law professor Michael Legg says this is because it will not be going through the federal court. 
    Instead, the breach will be pursued under the Privacy Act with the Office of the Australian Information Commissioner. 
    This means it will not go through the federal court like a typical class action.
    He says the commissioner needs to determine not just that Medibank is liable, but also the manner in which a customer is liable to establish how much compensation they are entitled to. 
    The commissioner may require a standard amount be paid for each person who had particular types of data compromised and additional amounts depending on proof of particular losses, Professor Legg says. 
    He says it will not be necessary for the law firms to name or say how many people are involved in the action.
    But they will likely need to create a process where people can come forward and give information to establish their loss or damage.
    Customers do not have to register with the law firms to benefit from the complaint, a Maurice Blackburn spokesperson says. 
    However, they encourage people to register to help them understand the size of the complaint. 
    Professor Legg says if a customer comes forward and provides the information necessary for compensation to be calculated, then they should be entitled to it.
    However, he says the law firms will look specifically at the claims of those who have registered with them.
    Therefore, if you did not register and had a case that was vastly different from anyone else, it may be difficult for that to be taken into account.
    A Medibank spokesperson says the company will continue to cooperate with the OAIC and its ongoing investigation.
    Medibank says it will continue to support its customers from "the impact of this crime" through its cyber response support program.
    The program includes mental health and wellbeing support, identity protection and financial hardship measures.
    Professor Legg says this case has the ability to set a precedent for data breach cases in Australia, which is becoming an increasingly larger area of law.
    He says the law firms will be interested in establishing a track record in this space.
    It will also be noteworthy if the case fails or only a small compensation is granted.
    Professor Legg says this may provide ammunition to call for a more effective course of action to pursue data breach complaints.

  • After Cyber Crime, Workplace Savers Face Long Odds to Get Repaid – Bloomberg Law

    By Austin R. Ramsey
    Workplace retirement savers who fall victim to cyber crimes are finding they don’t always have an easy way to get their money back as employers and service providers grapple over who’s responsible.
    The $19.8 trillion employer-sponsored retirement industry is ripe for web-based thieves, especially as portfolio management and distribution services shift online. Several high-profile federal lawsuits involving companies such as Abbott Laboratories Inc., Colgate-Palmolive Co., and Estee Lauder Cos. Inc. have shed light on the millions of dollars retirement savers are losing.
    Those lawsuits also are exposing the extreme lengths to which workers and retirees must go to be made whole after a cyber breach. The insurance products that protect plan sponsors and service providers when they point fingers at each other in the event of a cyber crime don’t cover the actual benefits at the center of the US workplace retirement industry, but are usually designed to cover business and legal costs. Without additional protections, advisers say, participants may have little recourse against a growing threat online.
    “One of if not the biggest threat for retirement plan assets are cyber attacks or cyber criminals,” said Kelly Geary, national executive risk and cyber practice leader at EPIC Insurance Brokers & Consultants, a subsidiary of Edgewood Partners Insurance Center Inc. “This is an incredibly lucrative target for criminals to go after, but, absent suing the company you do or used to work for, there are few avenues participants and beneficiaries have to be repaid.”
    Private-sector retirement plan decision-makers are held to a strict fiduciary standard to ensure that appropriate processes are in place to mitigate risks, safeguard assets, and do business with reputable vendors.
    The US Labor Department last year upped the ante for plan fiduciaries, issuing subregulatory guidance making it clearer that cyber protections were part of those routine duties. Emerging case law has split blame between fiduciaries and their vendors when crimes do occur.
    The actual victims of those crimes don’t always have a clear path forward, said José Jara, an employee benefits attorney at Fox Rothschild LLP in Morristown, N.J.
    “Participants and beneficiaries don’t have much control,” Jara said. “The service providers are selected by the plan sponsor, and they negotiate contracts. The participants don’t have any say on those contracts or the terms and conditions they cover.”
    Plan sponsors purchase fiduciary liability insurance to protect against negligence or fiduciary misconduct in the event of litigation, and sponsors and their service providers, such as recordkeeping firms, may purchase criminal liability or cyber insurance to protect against their own losses. But few companies purchase insurance on behalf of their participants.
    The Employee Retirement Income Security Act of 1974 (Pub.L. 93-406) requires plan fiduciaries to purchase fidelity bonds that protect participants and beneficiaries from internal threats when the criminal involved is their own employer or benefits advisory panel. External threats, however, aren’t covered.
    “What is a participant supposed to do when no one but the criminal is in the wrong?” said Daniel Aronowitz, managing principal and owner of Euclid Fiduciary Managers LLC.
    Benefit protections for cyber crimes do exist, but they’re not popular among retirement plan fiduciaries focused on curtailing legal threats against themselves first and foremost.
    The Labor Department has suggested that plan sponsors ask recordkeeping firms about cyber insurance they already have in place, which is a good place to start, Aronowitz said. Employers should demand a multifaceted security guarantee from their recordkeepers that includes both criminal and cybersecurity insurance designed to protect participants against fraudulent deferrals and social engineering, he added.
    “There’s a reason you don’t hear about these kinds of flagrant cyber breaches from major recordkeeping financial institutions,” Aronowitz said. “It’s not that they aren’t occurring, it’s that they have systems in place to automatically pay back participants well before it goes to court.”
    Next, plan sponsors themselves should consider taking out additional insurance policies that protect participants in addition to themselves, he added.
    Geary and Jara have pushed for Congress to mandate additional plan sponsor coverage that protects participants from external threats the same way they are from their own employers. The pair authored an article for Bloomberg Tax’s Tax Management Compensation Planning Journal recommending swift action to bolster ERISA fidelity bond coverage.
    “Fiduciaries have a responsibility to manage the plan prudently,” said Jara. “That doesn’t mean fiduciaries are FBI agents. They’re not in the business of protecting against crimes, especially more sophisticated crimes like cybersecurity.”
    To contact the reporter on this story: Austin R. Ramsey in Washington at aramsey@bloombergindustry.com
    To contact the editor responsible for this story: Martha Mueller Neff at mmuellerneff@bloomberglaw.com

  • How the FBI Stumbled in the War on Cybercrime – ProPublica

    Investigating cybercrime was supposed to be the FBI’s third-highest priority, behind terrorism and counterintelligence. Yet, in 2015, FBI Director James Comey realized that his Cyber Division faced a brain drain that was hamstringing its investigations.
    Retention in the division had been a chronic problem, but in the spring of that year, it became acute. About a dozen young and midcareer cyber agents had given notice or were considering leaving, attracted by more lucrative jobs outside government. As the resignations piled up, Comey received an unsolicited email from Andre McGregor, one of the cyber agents who had quit. In his email, the young agent suggested ways to improve the Cyber Division. Comey routinely broadcast his open-door policy, but senior staff members were nevertheless aghast when they heard an agent with just six years’ experience in the bureau had actually taken him up on it. To their consternation, Comey took McGregor’s email and the other cyber agents’ departures seriously. “I want to meet these guys,” he said. He invited the agents to Washington from field offices nationwide for a private lunch. As news of the meeting circulated throughout headquarters, across divisions and into the field, senior staff openly scorned the cyber agents, dubbing them “the 12 Angry Men,” “the Dirty Dozen” or just “these assholes.” To the old-schoolers — including some who had risked their lives in service to the bureau — the cyber agents were spoiled prima donnas, not real FBI.
    The cyber agents were as stunned as anyone to have an audience with Comey. Despite their extensive training in interrogation at the FBI Academy in Quantico, Virginia, many were anxious about what the director might ask them. “As an agent, you never meet the director,” said Milan Patel, an agent who attended the lunch. “You know the director, because he’s famous. But the director doesn’t know you.”
    You also rarely, if ever, go to the J. Edgar Hoover Building’s seventh floor, where the executive offices are. But that day, the cyber agents — all men, mostly in their mid-30s, in suits, ties and fresh haircuts — strode single file down the seventh-floor hall to Comey’s private conference room. Stiffly, nervously, they stood waiting. Then Comey came in, shirt sleeves rolled up and bag lunch in hand.
    “Have a seat, guys,” he told them. “Take off your coats. Get comfortable. Tell me who you are, where you live and why you’re leaving. I want to understand if you are happy and leaving, or disappointed and leaving.”
    Around the room, everyone took a turn answering. Each agent professed to be happy, describing his admiration for the bureau’s mission.
    “Well, that’s a good start,” Comey said.
    Then sincerity prevailed. For the next hour, as they ate their lunches, the agents unloaded.
    They told Comey that their skills were either disregarded or misunderstood by other agents and supervisors across the bureau. The FBI had cliques reminiscent of high school, and the cyber agents were derisively called the Geek Squad.
    “What do you need a gun for?” SWAT team jocks would say. Or, from a senior leader, alluding to the physical fitness tests all agents were required to pass, “Do you have to do pushups with a keyboard in your backpack?” The jabs — which eroded an already tenuous sense of belonging — testified to the widespread belief that cyber agents played a less important role than others in the bureau.
    At the meeting, the men also registered their opposition to some of the FBI’s ingrained cultural expectations, including the mantra that agents should be capable of doing “any job, anywhere.” Comey had embraced that credo, making it known during his tenure that he wanted everyone in the FBI to have computer skills. But the cyber agents believed this outlook was misguided. Although traditional skills, from source cultivation to undercover stings, were applicable to cybercrime cases, it was not feasible to turn someone with no interest or aptitude in computer science into a first-rate cyber investigator. The placement of nontechnical agents on cyber squads — a practice that dated to the 1990s — also led to a problem that the agents referred to as “reeducation fatigue.” They were constantly forced to put their investigations on hold to train newcomers, both supervisors and other cyber agents, who arrived with little or no technical expertise.
    Other issues were personal. To be promoted, the FBI typically required agents to relocate. This transient lifestyle caused family heartache for agents across the bureau. One cyber agent lamented the lack of career opportunities for his spouse, a businesswoman, in far-flung offices like Wichita. The agents told Comey they didn’t have to deal with “the shuffle” around the country for professional advancement because their skills were immediately transferable to the private sector and in high demand. They had offers for high-profile jobs paying multiples of their FBI salaries. Unlike private employers worried about staying competitive, the FBI wasn’t about to disrupt its rigid pay scale to keep its top cyber agents. Feeling they had nothing to lose, the agents recommended changes. They told Comey that the FBI could improve retention by centralizing cyber agents in Washington instead of assigning them to the 56 field offices around the country. That made sense because, unlike investigating physical crimes like bank robbery, they didn’t necessarily need to be near the scene to collect evidence. Plus, suspects were often abroad.
    Most important, they wanted the bureau’s respect.
    Comey listened, asked questions and took notes. Then he led them to his private office. They glanced around, most of them knowing they were unlikely to be granted such access to power again. Comey’s desk featured framed photos of his wife and children, and the carpet was emblazoned with the FBI’s seal. The agents had such respect for the bureau that they huddled close so that no one had to step on any part of the seal.
    Perhaps the most striking feature of the office was the whiteboard that sprawled across one of the walls. On it was an organizational chart of the bureau’s leadership with magnets featuring the names and headshots of FBI executives and special agents in charge of field offices. Many were terrorism experts who had risen through the hierarchy in the aftermath of the Sept. 11, 2001, attacks.
    Comey was sympathetic to his visitors and recognized the importance of cyber expertise to the FBI’s future. At the same time, he wasn’t going to overhaul the bureau and alienate the powerful old guard to please a group of short-timers.
    “Look, I know we’ve got a problem with leadership here,” Comey told the cyber agents as they studied the whiteboard, according to agents who were there. “I want to fix it, but I don’t have enough time to fix it. I’m only here for a limited amount of time; it’s going to take another generation to fix some of these cultural issues.”
    But the agents knew the FBI couldn’t afford to wait another generation to confront escalating cyberthreats like ransomware. Ransomware is the unholy marriage of hacking and cryptography. Typically, the attackers capitalize on a cybersecurity flaw or get an unsuspecting person to open an attachment or click a link. Once inside a computer system, ransomware encrypts the files, rendering them inaccessible without the right decryption key — the string of characters that can unlock the information — for which a ransom is demanded.
    Although attacks were becoming more sophisticated, bureau officials told counterparts in the Department of Homeland Security and elsewhere in the federal government that ransomware wasn’t a priority because both the damages and the chances of catching suspects were too small. Instead of aggressively mobilizing against the threat, the FBI took the lead in compiling a “best practices” document that warned the public about ransomware, urged prevention and discouraged payments to hackers.
    Through an intermediary, Comey, fired from his FBI position by then-President Donald Trump in 2017, declined to comment on the meeting. The FBI acknowledged but did not respond to written questions.
    To FBI leadership, ransomware was an “ankle-biter crime,” said an agent who attended the meeting with Comey.
    “They viewed it as a Geek Squad thing, and therefore they viewed it as not important,” he said.
    Many of the issues the FBI cyber agents raised during their meeting with Comey were nothing new. In fact, the bureau’s inertia in tackling cybercrime dated all the way back to a case involving the first documented state-sponsored computer intrusion.
    In 1986, Cliff Stoll was working as a systems administrator at the Lawrence Berkeley National Laboratory when his boss asked him to resolve a 75-cent shortfall in the accounting system the lab used for charging for computing power. Stoll traced the error to an unauthorized user and ultimately unraveled a sprawling intrusion into computer systems of the U.S. government and military. Eventually, the trail led to German hackers paid by the Soviet Union’s intelligence service, the KGB. Stoll immortalized his crusade in the 1989 book “The Cuckoo’s Egg.” In the course of his investigation, he tried seven times to get the attention of the FBI but was rebuffed each time.
    “Look, kid, did you lose more than a half million dollars?” the FBI asked him.
    “Uh, no,” Stoll replied.
    “Any classified information?”
    “Uh, no.”
    “Then go away, kid.”
    Stoll later spoke with an Air Force investigator who summed up the FBI’s position: “Computer crimes aren’t easy — not like kidnapping or bank robbery, where there’s witnesses and obvious losses. Don’t blame them for shying away from a tough case with no clear solution.”
    It wasn’t until almost a decade later that the federal government took its first significant step to organize against cyberthreats. After the 1995 bombing of the Alfred P. Murrah Federal Building in Oklahoma City, the Clinton administration called together a dozen officials from across the government to assess the vulnerability of the nation’s critical infrastructure. Since essential services such as health care and banking were moving online, the committee quickly turned its attention from physical threats, like Timothy McVeigh’s infamous Ryder truck, to computer-based ones.
    The group helped establish what became known as the National Infrastructure Protection Center in 1998. With representatives from the FBI, the Secret Service, intelligence agencies and other federal departments, the NIPC was tasked with preventing and investigating computer intrusions. The FBI was selected to oversee the NIPC because it had the broadest legal authority to investigate crime.
    Turf battles broke out immediately. The National Security Agency and the Pentagon were indignant about reporting to the FBI about sophisticated computer crimes that they believed the bureau was incapable of handling, said Michael Vatis, then a deputy U.S. attorney general who led the effort to launch the center.
    “They said: ‘Oh, no, no, no. It can’t be the FBI,’” Vatis recalled. “‘All they know how to do is surround a crime scene with yellow tape and take down bad guys. And they’re notorious for not sharing information.’”
    Meanwhile, infighting over resources roiled the FBI. “You had a lot of old-line people arguing about whether cybercrime was real and serious,” Vatis said. “People who came up through organized crime, or Russian counterintelligence. They were like: ‘This is just a nuisance from teenagers. It’s not real.’”
    At the time, only a couple of dozen FBI agents had any experience or interest in investigating computer crime. There weren’t nearly enough tech-literate agents to fill the scores of new job openings in the NIPC. Needing warm bodies, the FBI summoned volunteers from within its ranks, regardless of background. Among them was the New Orleans-based agent Stacy Arruda. During her first squad meeting in 1999, as her supervisor talked about “Unix this, and Linux that,” she realized she was in over her head.
    “Arruda, do you have any idea what I’m talking about?” the supervisor asked her.
    “Nope.”
    “Why are you nodding and smiling?”
    “I don’t want to look stupid.”
    It was an easy admission because most of the new NIPC agents were similarly uninformed about the world they would be investigating.
    When the bureau ran out of volunteers to join the NIPC, agents were “volun-told” to join, Arruda said. That’s what happened to Scott Augenbaum. He said he was assigned to the NIPC because he was the only agent in his Syracuse, New York, office “who had any bit of a technology background,” meaning he “could take a laptop connected to a telephone jack and get online.” He was disappointed by the assignment because it was “not the cool and fun and sexy job to have within the FBI.” His friends in the bureau teased him. “They told me, ‘This cyber thing is going to hurt your career.’”
    Following the Sept. 11, 2001, terrorist attacks, FBI Director Robert Mueller created the bureau’s Cyber Division to fight computer-based crime. The division took over the NIPC’s investigative work, while prevention efforts moved to the Department of Homeland Security, which was established in November 2002. The DHS, however, put the computer crime prevention mission on hold for years as it focused instead on deterring physical attacks.
    To ramp up the new division, the FBI put a cyber squad in each field office and launched a training program to help existing agents switch tracks. It also benefited from the “patriot effect,” as talented computer experts who felt a call to service applied. Among them were Milan Patel and Anthony Ferrante, two of the agents who would attend the meeting with Comey.
    Fresh out of college, Ferrante was working as a consultant at Ernst & Young on 9/11. From his office in a Midtown skyscraper, he watched the towers fall. In the days that followed, he resolved to use his computer skills to fight terrorism. While pursuing a master’s degree in computer science at Fordham University, he met with an FBI recruiter who was trying to hire digital experts for the new Cyber Division. The recruiter asked Ferrante what languages he knew.
    “HTML, JavaScript, C++, Business Basic,” he answered.
    “What are those?” the perplexed recruiter responded. “I mean, Russian, Spanish, French.”
    It wouldn’t be the last time Ferrante felt misunderstood by the bureau. When he arrived at Quantico in 2004, he found himself in a firearms class of about 40 new agents-in-training. There, the instructor asked: “Who here has never shot a gun?”
    With his gaze cast downward as he concentrated on taking notes, Ferrante raised his hand. The room became silent. He looked around and saw he was the only one. Everyone stared.
    “What’s your background?” the instructor asked.
    “I’m a computer hacker,” Ferrante said.
    On a campus that recruits jokingly referred to as “college with guns,” his answer was not well received. The instructor shook his head, rolled his eyes and moved on.
    Patel arrived at the FBI Academy in 2003 with a college degree in computer science from the New Jersey Institute of Technology. From Quantico, he was assigned to a cyber squad in New York, where his new boss didn’t quite know what to do with him. The supervisor handed him a beeper, a Rand McNally map and the keys to a 1993 Ford Aerostar van that “looked like it was bombed out in Baghdad,” Patel said. Another agent set him up with a computer running a long-outdated version of Windows.
    “Oh my God, this is like the Stone Age,” he thought. As time went on, Patel discovered how cumbersome it was to brief supervisors about cyber cases. Since many of them knew little about computers, he had to write reports that he considered “borderline childish.”
    “You had to try to relate computers to cars,” he said. “You’re speaking a foreign language to them, yet they’re in charge, making decisions over the health of what you do.”
    Patel realized that most of his Cyber Division colleagues, like Arruda and Augenbaum, didn’t have a technical background. The bureau tried to turn traditional law enforcement officers into tech specialists while passing over computer scientists who could not meet its qualifications to become agents. “Is the person who can do 15 pull-ups and run 2 miles around the track in under 16 minutes the same guy that you want decrypting ransomware?” Patel said. “Typically people who write code and enjoy the passion of figuring out malware, they’re not in a gym cranking out squats.”
    Some agents ended up in the Cyber Division because it had openings when they graduated from Quantico, or because it was a stop on the way to a promotion. In a popular move, many senior agents and supervisors pursued a final assignment in the division before becoming eligible for retirement at age 50, knowing it made them more attractive to private-sector employers for their post-FBI careers.
    “On a bureau cyber squad, you typically have one or two people, if you’re lucky, who can decrypt and do network traffic analysis and programming and the really hard work,” Patel said. “And you’ve got two or three people who know how to investigate cybercrime and have a computer science degree. And the rest — half of the team — are in the cyber program, but they don’t really know anything about cyber.” Some of those agents made successful cases anyway, but they were the exception.
    Despite the internal headwinds, Patel worked on some of the bureau’s marquee cybercrime cases. He led the investigation into Silk Road, the black-market bazaar where illegal goods and services were anonymously bought and sold. As part of a sprawling investigation into the dark web marketplace, law enforcement located six of Silk Road’s servers scattered across the globe and compromised the site before shutting it down in October 2013. Ross Ulbricht, of San Francisco, was later found guilty on narcotics and hacking charges for his role in creating and operating the site. He is serving two life sentences plus 40 years in prison. Patel was nominated for the FBI Director’s Award for Investigative Excellence; he became a Cyber Division unit chief, advising on technology strategy. Then, shortly after the Dirty Dozen meeting with Comey, he left the FBI for a higher-paying job in the private sector.
    Ferrante was selected for the FBI’s Cyber Action Team, which deployed in response to the most critical cyber incidents globally. As a supervisory special agent, he became chief of staff of the FBI’s Cyber Division. After the meeting with Comey, Ferrante remained in the FBI for another two years. He left in 2017 to become global head of cybersecurity for FTI Consulting, where he worked with companies victimized by ransomware.
    He kept tabs on the bureau’s public actions in fighting the crime. Despite occasional successes, he said in 2021 that he was disappointed by the small number of ransomware-related indictments in the years that followed Comey’s 2015 gathering.
    “They would work cases, but those cases would just spin, spin, spin,” Ferrante said. “No, they’re not taking it seriously, so of course it’s out of control now because it’s gone unchecked for so many years. … Nobody understood it — nobody within the FBI, and nobody within the Department of Justice. Because they didn’t understand it, they didn’t put proper resources behind it. And because they didn’t put proper resources behind it, the cases that were worked never got any legs or never got the attention they deserved.”
    By 2012, FBI leadership recognized that most crimes involved some technical element: the use of email or cellphones, for example. So that year, it began to prioritize hiring non-agent computer scientists to help on cases. These civilian cyber experts, who worked in field offices around the country, did not carry weapons and were not required to pass regular physical fitness tests. But respect for the non-gun-carrying technical experts was lacking. This widespread condescension was reflected in a nickname that Stacy Arruda, the early NIPC agent who went on to a career as a supervisor in the Cyber Division, had for them: dolphins.
    “Someone who is highly intelligent and can’t communicate with humans,” said Arruda, who retired from the FBI in 2018. “When we would travel, we would bring our dolphins with us. And when the other party started squeaking, we would have our dolphins squeak right back at them.”
    If agents like Patel and Ferrante had a hard time winning the institutional respect of the FBI, it seemed almost impossible for the dolphins to do so. They worked on technical aspects of all types of cases, not just cyber ones. Yet, despite the critical role they played in investigating cyber cases — sometimes as the sole person in a field office who understood the technical underpinnings of a case — these civilian computer scientists were often regarded as agents’ support staff and treated as second-class citizens.
    Randy Pargman took a circuitous route to becoming the Seattle field office’s dolphin. As a kid in California, Pargman regularly hung out with his grandma, who was interested in technology. She bought magazines that contained basic code and helped Pargman copy it onto their Atari video game console. It was his introduction to computer programming. Later, as a teenager, Pargman was drawn to a booth of ham radio enthusiasts at a county fair and soon began saving up to buy his own $300 radio. It was the early 1990s, before most home users were online, so Pargman was thrilled when he used the radio to access pages from a library in Japan and send primitive emails.
    After high school, Pargman put his radio skills to work when he became a Washington State Patrol dispatcher. Although it wasn’t a part of the job description, he created one computer program to improve the dispatch system’s efficiency and another to automate the state’s process for investigating fraud in vehicle registrations. The experience led him to study computer science at Mississippi State. In the summer of 2000, while still in college, Pargman completed an FBI internship, an experience that left him with a deep appreciation for the bureau’s mission. So, following brief stints working for the Department of Defense and as a private sector software engineer once he graduated, he applied to become an agent. He was hired in 2004, around the same time as Patel and Ferrante.
    Like those two agents, Pargman was shocked by the digital Stone Age he found himself in upon arriving. At the FBI Academy, a computer instructor gave lessons on typing interviews and reports on WordPerfect, the word processing platform whose popularity had peaked in the late 1980s. To Pargman, even more outrageous than the FBI’s use of WordPerfect was the notion that agents would need instruction on such a basic program. The first week of class, the instructor delivered another surprise.
    “OK, who are the IT nerds in here?” he asked.
    After Pargman and a classmate raised their hands, the instructor addressed them directly.
    “You’re not going to be working on cybercrimes. You’re going to be working on whatever the bureau needs you to do.”
    The other tech-savvy recruit later confided to Pargman that he was dropping out of the FBI Academy to return to private industry. “This is not what I thought it was going to be,” he said.
    Pargman was similarly torn. He believed in the FBI’s mission but wanted to work solely on cybercrime. Like Ferrante, he didn’t have experience with guns, and he was unsure about how he would handle that aspect of the job. He faced a reckoning when an FBI speaker led a sobering session about the toughest aspects of working for the bureau, from deadly force scenarios to the higher-than-average rates of suicide and divorce among agents.
    After consulting with FBI counselors and a bureau chaplain, Pargman decided he didn’t want to become an agent. Instead, he stayed in the FBI as a civilian, working as a software developer at the FBI Academy. Eight years later, when the FBI launched the computer science track, Pargman eagerly applied. He became the Seattle field office’s dedicated computer scientist in October 2012.
    “This is why I had gotten into the FBI to begin with,” Pargman said. “I can concentrate just on cybercrime investigations and not have to deal with the whole badge and gun.”
    Once Pargman got to Seattle, he began to dream big. His vision: The FBI could model its Cyber Division after one of the world’s most successful computer crime-fighting law enforcement organizations, the Dutch High Tech Crime Unit. He knew how traditional and hidebound the bureau was, how different from the HTCU and its innovative culture. But, ever idealistic, he hoped that the HTCU’s remarkable track record would persuade the FBI to adopt elements of the Dutch approach.
    Pargman had long been familiar with the HTCU’s reputation for arresting hackers and disrupting their infrastructure. When he met a Dutch officer through an FBI program for midcareer professionals, he asked her the secret to the HTCU’s success. Her response was straightforward: the HTCU was effective because it paired each traditional police officer with a computer scientist, partnerships that had been a founding priority of the unit. While the HTCU computer scientists weren’t required to pass police exams, meet physical fitness requirements, or handle weapons, they nonetheless were entitled to the same rank and promotions as their traditional counterparts. They also were not obligated to pivot to noncomputer work during their police careers.
    The density of computer science experts in the HTCU astounded Pargman, who thought it was brilliant. He suggested the Dutch approach to managers in the FBI’s Operational Technology Division, which oversaw the new computer science track. They laughed.
    “We can’t get funding for that many computer scientists,” one contact told him. “That would be crazy.”
    Pargman acknowledged that, since the FBI’s Cyber Division was much larger than the Dutch Police’s HTCU, establishing a one-to-one partnership was a stretch. Yet the FBI’s setup all but ensured that its drastically outnumbered computer scientists would not find a collective voice, as the tech experts had done in the HTCU. As Pargman dug into cyber investigations in Seattle, he learned that the bureau’s staffing imbalance was straining its cyber experts, both civilian computer scientists and technically advanced agents like Patel and Ferrante.
    Many of the cyber agents Pargman worked with in Seattle had prior careers as accountants, attorneys or police officers. To get acquainted with the digital world, they took crash courses offered by the SANS Institute, the bureau’s contractor for cybersecurity training; popular offerings included Introduction to Cyber Security and Security Essentials Bootcamp. From an institutional perspective, learning on the job to investigate computer crime was no different from learning on the job to investigate white-collar or gang crime. But FBI leadership didn’t take into account something that early leaders in the Dutch HTCU knew from the unit’s start: It’s not easy to teach advanced computer skills to someone who has no technical background.
    Cyber agents routinely came to Pargman with basic tasks such as analyzing email headers, the technical details stored within messages that can contain helpful clues.
    “This is easy, you need to learn how to do this,” Pargman told one agent. He produced the IP address from the headers.
    “What does that mean?” the agent responded. “What is this IP address?”
    Pargman had to make the time to help because, if he didn’t, the agent might do something embarrassing, like attempt to subpoena publicly available information “because they just didn’t know any better.”
    In the FBI, investigations into specific ransomware strains were organized by field office. For example, Springfield, Illinois, investigated complaints involving a strain called Rapid, while Anchorage, Alaska, investigated those related to Russia-based Ryuk, one of the first ransomware gangs to routinely demand six-figure payments and to carefully select and research its targets. From time to time, Pargman learned of victim complaints to the Seattle office about emerging ransomware strains. Since cases weren’t assigned directly to computer scientists, he pushed the agents to take them on. “Oh boy, here’s one that nobody is working,” he told one colleague. “Let’s jump on this.”
    “That sounds amazing,” the agent responded. “But I’ll be so busy with that case that I won’t get to do anything else.”
    In the early days of ransomware, when hackers demanded no more than a few hundred dollars, the FBI was uninterested because the damages were small — not unlike Cliff Stoll’s dilemma at Berkeley. Later, once losses grew to hundreds of thousands or even millions of dollars, agents had other reasons to want to avoid investigating ransomware. In the FBI, prestige springs from being a successful “trial agent,” working on cases that result in indictments and convictions that make the news. But ransomware cases, even with the enthusiastic support of a computer scientist like Pargman, were long and complex, with a low likelihood of arrest.
    The fact that most ransomware hackers were outside the United States made the investigative process challenging from the start. To collect evidence from abroad, agents needed to coordinate with federal prosecutors, FBI legal attachés and international law enforcement agencies through the Mutual Legal Assistance Treaty process. Seemingly straightforward tasks, such as obtaining an image of a suspicious server, could take months. And if the server was in a hostile country such as Iran or North Korea, the agents were out of luck. Aware of this international labyrinth, even some federal prosecutors discouraged agents from pursuing complex cyber investigations.
    During Pargman’s time as Seattle’s computer scientist, the field office took on a number of technically sophisticated cases. He was especially proud of one that led to the Justice Department’s indictment, unsealed in 2018, of hackers accused in the notorious Fin7 attacks. They breached more than 100 U.S. companies and led to the theft of more than 15 million customer credit card records. But during his seven years in Seattle, the office never got a handle on ransomware.
    “If you spend all of your time chasing ransomware, and for years you never make a single arrest of anybody, you’re seen as a failure,” Pargman said. “Even if you’re doing a ton of good in the world, like sharing information and helping protect people, you’re still a failure as an investigator because you haven’t arrested anybody.”
    Despite its own inaction, the FBI feuded with the other federal agency responsible for investigating ransomware: the Secret Service. Although the Secret Service has been guarding presidents since 1894, its lesser-known mission of combating financial crimes dates back even longer — to the day in April 1865 that Abraham Lincoln was assassinated. Before heading to Ford’s Theatre, Lincoln signed legislation creating the agency and giving it the mandate to fight counterfeit currency. As financial crime evolved and moved online, the Secret Service and the FBI squabbled over cases. Although it, too, had a federal mandate to fight computer crime, the Secret Service was sometimes bigfooted by the FBI, said Mark Grantz, who was a supervisory special agent for the Secret Service in Washington.
    “They’d say: ‘Yeah, we’ve got a case on that already. We were looking at him five years ago. Give us everything you’ve got and we’ll go from there.’ That was their M.O.,” Grantz said. It left him wondering: “You haven’t touched that case in five years, why are you asking me for my case file?”
    Grantz led an investigation into a ransomware attack in January 2017, eight days before Donald Trump’s inauguration. The strike disabled computers linked to 126 street cameras in a video surveillance system monitoring public spaces across Washington, D.C., including along the presidential parade route. Instead of paying the five-figure ransom, the district scrambled to wipe and restart the cameras, which were back online three days before the swearing-in. Assisted by other law enforcement organizations, the Secret Service traced the hack to two Romanians, who were arrested in Europe, extradited to the United States and found guilty on wire fraud charges — an uncommon U.S. law enforcement success against ransomware operators.
    Other Secret Service investigations sometimes stalled because agents had to rotate away for protective detail. “That’s where it gets frustrating,” Grantz said. “You’d train someone. They’d do digital forensics for five years. They’d get really good at it. And then you’d send them off to do presidential detail.”
    Randy Pargman also grew frustrated by the FBI’s reluctance to engage meaningfully with private-sector cybersecurity researchers like the Ransomware Hunting Team. An elite, invitation-only group of tech wizards in seven countries, the team has uncovered keys to hundreds of ransomware strains, saving millions of individuals, businesses, schools and other victims from paying billions of dollars in ransom. When the FBI did connect with experts in the private sector, sensitive information typically flowed only in one direction — to the bureau.
    Following large cyberattacks against U.S. targets, the FBI routinely affirmed its commitment to public-private partnerships to help prevent and gather intelligence on such strikes. But some agents believed the rhetoric was hollow, comparing it to public officials’ offering “thoughts and prayers” after mass shootings. The reality was that many people in the FBI had a deep distrust of private-sector researchers.
    “There’s this feeling among most agents that if they share even a little bit of information with somebody in the private sector, that information will get out, broadcast over the internet — and the bad guys will definitely read it, and it will destroy the whole case,” Pargman said.
    Even though he couldn’t work on ransomware cases, Pargman found ways to feel fulfilled in his job, including by helping organizations defend themselves against impending cyber intrusions. He examined malware command-and-control servers obtained through the MLAT process, then alerted potential victims to imminent attacks. “That was a really good feeling because we stopped a ton of those intrusions,” he said. FBI leadership rewarded his efforts: Pargman earned both the FBI Director’s Award for Excellence in Technical Advancement and the FBI Medal of Excellence.
    But he grew tired of his subordinate role as an “agent helper,” and he thought about how things would be different if the FBI were more like the Dutch HTCU. In the bureau, he couldn’t be promoted since Cyber Division leadership roles were open only to agents. And while agents could retire at 50 with full pensions, he had to wait until age 62, and would receive less money. In 2019, Pargman resigned from the FBI, telling his supervisor he wanted to be in a role where he could enact changes rather than just suggest them.
    “I love working for the FBI,” he told his supervisor. “It’s very meaningful and fulfilling. But there is no leadership spot for me to go to, only because I’m not an agent. So you cannot be upset that I’m going to get a job where I can be a leader, and make changes, and create a team to do big things.”
    When it came to ransomware, the FBI didn’t have a lengthy roster of achievements to boast about. It would not be until after the May 2021 attack on the Colonial Pipeline, which shuttered gas stations across the Southeast, that the FBI would prioritize the ransomware threat and embrace assistance from private researchers like the Ransomware Hunting Team. But even with its new emphasis on ransomware, the FBI didn’t undertake fundamental reforms to expand its roster of cyber experts. It still wanted its cyber agents to be athletic college graduates with relevant job experience, who also had to be willing to shoot a gun, relocate their families and pivot away from investigating cybercrime as needed.
    The bureau’s reluctance to adapt disappointed some former agents. “I think the next generation of cyber people in the bureau should be the type of people who want to be cyber first, and not agents at all,” said Patel, one of the agents who attended the 2015 meeting with Comey. “The bureau needs expertly trained technical programmers, cybersecurity engineers, that know how to write code, compile, dissect and investigate — and it has nothing to do with carrying a gun.”
    Excerpted from “The Ransomware Hunting Team: A Band of Misfits’ Improbable Crusade to Save the World from Cybercrime” by Renee Dudley and Daniel Golden. Published by Farrar, Straus and Giroux. Copyright © 2022 by Renee Dudley and Daniel Golden. All rights reserved.
    Renee Dudley is a tech reporter at ProPublica.
    Daniel Golden is a Boston-based senior editor and reporter at ProPublica.

    © Copyright 2023 Pro Publica Inc.
    Creative Commons License (CC BY-NC-ND 3.0)

  • What to know about the Hope College data breach – Calvin University Chimes

    Grace Buller, Campus Reporter
    Some Calvin faculty and students may have been affected by a data breach at Hope College last fall.
    On Sept. 27, 2022, Hope College discovered potential, unauthorized access to files containing sensitive information, according to a document released by Hope. This information was later determined to include individuals’ first and last names, in combination with their date of birth, Social Security number, driver’s license number, and student ID number. Financial information — such as credit card numbers — was unaffected. 
    After Nov. 8, the college began sending out letters to those it believes to have been affected. While the college’s statement does not say how many were affected, a lawsuit filed on Dec. 26 alleges that up to 156,783 individuals were potentially affected by the breach, according to MLive.
    While Hope students and alumni are among those primarily affected, some Calvin faculty, staff and students may also have been affected. 
    Many Calvin faculty who have spoken or taught at Hope are in Hope’s system from filing tax information. Rebecca DeYoung, professor of philosophy, said she received a letter saying she may have been impacted. DeYoung said her information was probably in Hope’s system from a talk she gave there in 2017. 
    DeYoung, who has been affected by other data breaches, said she views data breaches as a “risk you take by operating online.”
    Michael Dirksen, a teaching fellow and 2012 Hope graduate, also received a letter. Dirksen taught a class at Hope in 2020. Following news of the breach, he removed his banking information from Hope as a precaution. However, other information, such as his Social Security number, could not easily be removed. 
    Like DeYoung, he does not view the Hope breach as an unusual situation.
    “These kinds of problems are going to happen more and more frequently,” he said.
    However, there are ways to prevent data breaches and minimize their effects.
    According to Brian Paige, vice president and chief information officer, this includes using multifactor authentication and minimizing where Social Security numbers are stored. Paige said Calvin’s IT team “routinely practice[s] our responses to cyber incidents with tabletop exercises and scenario planning.”
    Paige did not give details on how information is stored or protected. “Not disclosing the ‘playbook’ is part of the approach to preventing data breaches,” Paige said.  
    Paige recommended that everyone follow good information security practices, such as using different passwords on every account and multifactor authentication as much as possible. 
    He also said it is wise to “consider sharing less personal information on social media, making identity theft and impersonation more difficult.”
    According to Attorney General Dana Nessel, those specifically affected by the Hope breach and other data breaches should monitor their credit, place a fraud alert on their credit report, and consider placing a credit freeze on their credit report. Hope College is offering free credit monitoring services to those affected for a year. 
    If anyone has not received a letter but believes they may be impacted, they may contact 1-833-540-0798.
    Calvin University's official student newspaper since 1907
