ICCS – Fordham Now
https://now.fordham.edu
The official news site for Fordham University.
Fri, 26 Apr 2024 15:41:27 +0000

AI-Generated Movies? Just Give It Time
https://now.fordham.edu/arts-and-culture/ai-generated-movies-just-give-it-time/
Wed, 31 Jan 2024 14:46:34 +0000

When the Writers Guild of America went on strike over the summer of 2023, one of their major grievances was the use of AI in television and movies.

A recent presentation at Fordham’s cybersecurity conference last month helped illustrate why.

“When I asked the CEO of a major movie company recently, ‘What’s the craziest thing you can imagine will happen in the next two to three years?’ he said, ‘We will have a full cinematic feature starring zero actors, zero cinematography, zero lighting, and zero set design,’” said Josh Wolfe, co-founder and managing director of Lux Capital, at a keynote speech on Jan. 10.

“It will all be generated.”

As an example, Wolfe, whose firm invests in new technologies, screened a fan-made movie trailer that used AI to imagine what Star Wars would look like if it had been directed by Wes Anderson.

A Threat to Storytelling

James Jennewein, a senior lecturer in Fordham’s Department of Communication and Media Studies whose film-producing credits include Major League II, Getting Even with Dad, and Stay Tuned, said the prospect of AI-powered screenwriting is deeply concerning.

He called storytelling “soul nourishment” that teaches us what it means to be human.

“We’re still watching films and reading books from people who died centuries ago, and there’s something magical about an artist digging into their soul to find some kind of truth or find a unique way to express an old truth, to represent it to the culture, and I don’t think that AI is going to help make that happen more,” he said.

In many ways, AI has already infiltrated movies and TV; major crowd scenes in the show Ted Lasso were created using AI tools, for example. This summer, the directors of Indiana Jones and the Dial of Destiny used AI to render the nearly 80-year-old Harrison Ford to look like he was in his 20s.

The ability to use fewer actors in a crowd scene is obviously concerning to actors, but Jennewein said the strike was about more than just saving jobs–it’s about protecting creativity.

“We don’t want AI to create the illusion that something is original when it really is just a mashup of things that have been created before,” he said.

“Flesh-and-Blood” Films Coexisting with AI

Paul Levinson, Ph.D., a professor of communications, saw first-hand what AI can do to his own image and voice. A 2010 interview he did was recently altered by the journalist who conducted it to appear as if Levinson was speaking in Hindi. But he is less concerned about AI taking over the industry.

He noted that when The Birth of a Nation was first screened in 1915, it was predicted that it would kill off the live theater.

Levinson predicted that in the future, the majority of what we watch will be AI-generated, but there will still be films that are made with live human actors. Just as live theater co-exists with movies, traditional movies will co-exist with AI content.

“I think we are going eventually to evolve into a situation where people aren’t going to care that much about whether or not it’s an AI-generated image or a real person,” he said.

Levinson acknowledged that AI could inflict real harm on the livelihood of actors and screenwriters, but said an equally important concern is whether those who work with AI tools get the credit they deserve.

“I’m sure people are going to think I’m out of my mind, but I don’t see a difference, ultimately, between a director who is directing actors in person and somebody who understands a sophisticated AI program well enough to be able to put together a feature-length movie,” he said.

“What could ultimately happen as AI-made films become more popular, is that films that are made with real flesh-and-blood actors will advertise themselves as such, and they’ll try to do things that maybe AI can’t quite yet do, just to push the envelope.”

In Major Election Year, Fighting Against Deepfakes and Other Misinformation
https://now.fordham.edu/politics-and-society/in-major-election-year-fighting-against-deepfakes-and-other-misinformation/
Wed, 24 Jan 2024 18:29:20 +0000

With more than 50 countries holding national elections in 2024, information will be as important to protect as any other asset, according to cybersecurity experts.

And misinformation, they said, has the potential to do enormous damage.

“It’s a threat because what you’re trying to do is educate the citizenry about who would make the best leader for the future,” said Karen Greenberg, head of Fordham’s Center on National Security.

Greenberg, the author of Subtle Tools: The Dismantling of American Democracy from the War on Terror to Donald Trump (Princeton University Press, 2021), is currently co-editing the book Our Nation at Risk: Election Integrity as a National Security Issue, which will be published in July by NYU Press.

“You do want citizens to think there is a way to know what is real, and that’s the thing I think we’re struggling with,” she said.

At the International Conference on Cyber Security held at Fordham earlier this month, FBI Director Chris Wray and NSA Director General Paul Nakasone spoke about the possibility of misinformation leading to chaos around the U.S. election in a fireside chat with NPR’s Mary Louise Kelly. But politics was also a theme in other ICCS sessions.

Anthony Ferrante, FCRH ’01, GSAS ’04, global head of cybersecurity for the management consulting firm FTI, predicted this year would be like no other, in part because of how easy artificial intelligence makes it to create false but realistic audio, video, and images, sometimes known as deepfakes.

Alexander H. Southwell, Sean Newell, Anthony J. Ferrante, and Alexander Marquardt spoke at the ICCS panel discussion “A U.S. Election, Conflicts Overseas, Deepfakes, and More … Are You Ready for 2024?”
Photo by Hector Martinez

The Deepfake Defense

“I think we should buckle up. I think we’re only seeing the tip of the iceberg, and that AI is going to change everything we do,” Ferrante said.

In another session, John Miller, chief law enforcement and intelligence analyst for CNN, said major news outlets are acutely aware of the danger of sharing deepfakes with viewers.

“We spend a lot of time on CNN getting some piece of dynamite with a fuse burning on it that’s really hot news, and we say, ‘Before we go with this, we really have to vet our way backward and make sure this is real,’” he said.

He noted that if former President Donald Trump were caught on tape bragging about sexually assaulting women, as he was in 2016, he would probably respond differently today.

“Rather than try to defend that statement as locker room talk, he would have simply said, ‘That’s the craziest thing anybody ever said; that’s a deepfake,’” he said.

In fact, this month, political operative Roger Stone claimed this very defense when it was revealed that the F.B.I. is investigating remarks he made calling for the deaths of two Democratic lawmakers. And on Monday, it was reported that days before they would vote in their presidential primary elections, voters in New Hampshire received robocall messages in a voice that was most likely artificially generated to impersonate President Biden’s, urging them not to vote in the election.

CNN’s John Miller was interviewed by Armando Nuñez, chairman of Fordham’s Board of Trustees, at a fireside chat, “Impactful Discourse: The Media and Cyber.” Photo by Hector Martinez

A Reason for Hope

In spite of this, Greenberg is optimistic that forensic tools will continue to be developed that can weed out fakes, and that they will contribute to people’s trust in their news sources.

“We have a lot of incredibly sophisticated people in the United States and elsewhere who understand the risks and know how to work together, and the ways in which the public sector and private sector have been able to share best practices give me hope,” she said.

“I’m hopeful we’re moving toward a conversation in which we can understand the threat and appreciate the ways in which we are protected.”

Cybersecurity Jobs Remain Unfilled as Need for Talent Grows
https://now.fordham.edu/university-news/cybersecurity-jobs-remain-unfilled-as-need-for-talent-grows/
Tue, 23 Jan 2024 22:02:54 +0000

Experts from AT&T, Yahoo, and Google discuss information security at ICCS. Photos by Hector Martinez.

To learn more about Fordham’s cybersecurity offerings, visit the Center for Cybersecurity.

Ransomware. Coordinated hacks. System-wide infiltration.

Once the exclusive domain of Hollywood thrillers, cyber crime is now a regular part of daily life in an increasingly online world. As a result, cybersecurity specialists are needed now more than ever to help organizations protect sensitive data and systems from adversaries working to compromise them.

But according to top leaders in the field, there are not enough trained professionals to meet that need. There are currently about 3.5 million unfilled jobs in cybersecurity globally, including an estimated 750,000 in the United States.

“We still struggle with talent,” Rich Baich, chief information security officer for AT&T, said at the International Conference on Cyber Security (ICCS) held at Fordham’s Lincoln Center campus on Jan. 10. Baich spoke alongside chief information officers from organizations such as Yahoo and Google about the growing challenges of staying ahead of evolving threats.

“We need more cyber operators and cyber professionals with operational experience—where they’ve been into battle with an adversary,” Baich said. “They need that understanding, so that they know how to make those risk-based calls.”

Rich Baich, chief information security officer for AT&T.

In Fordham Classrooms, Real-World Scenarios

Thaier Hayajneh, Ph.D., the founding director of the Fordham Center for Cybersecurity (FCC) and one of the conference organizers, emphasized that hands-on experience is especially crucial in cybersecurity roles because simple missteps can lead to disastrous consequences.

“Secrets, passwords, social security numbers, medical records—you name it. All this private information could be exposed if someone misses just one command…or forgets to close one loop,” he said. “Experts are hard to find, so we [at FCC] are filling that gap.”

The center’s offerings include three master’s degree programs, an advanced certificate, and an undergraduate minor. All of them aim to prepare students through what Hayajneh calls a “competency-based model,” emphasizing equal parts theory and practical experience.

For example, students participate in cyber competitions such as digital “capture the flag” simulations, where they are tasked with stepping into the shoes of hackers to learn their methods from the inside out.

“These are very important components of cybersecurity. We expose the students to real-world scenarios,” Hayajneh said.

The growing need for positions requiring this type of training and experience means there’s no shortage of options for students entering the market.

“All of our graduates secure jobs because there is a big demand for cyber, but also for the quality of students we produce,” Hayajneh said.

Critical Partnerships

Designated in 2017 as a Center for Excellence in Cyber Security by the NSA and Department of Homeland Security, Fordham maintains strong partnerships with top corporations, as well as federal agencies who provide funding and support for students going into government work.

“We have probably been a funnel of graduates to the bureau for law enforcement for a very long time,” said Fordham President Tania Tetlow in her opening remarks at ICCS. “We teach our students to think really hard about justice and what it means to protect people.”

Fordham President Tania Tetlow delivers opening remarks at ICCS.

ICCS, held at Fordham since 2009, serves as a regular meeting point for exchanging knowledge and insights between government and private sectors. For Hayajneh, looping in academic institutions like Fordham is crucial for driving innovation and combating global threats.

“I think it’s key, we need the three elements together,” Hayajneh said. “They must support academic progress because we are the suppliers of future talent and manpower. They have to work in synchronization.”

Hackers Use AI to Improve English, Says NSA Official
https://now.fordham.edu/university-news/hackers-use-ai-to-improve-english-says-nsa-official/
Wed, 10 Jan 2024 23:03:36 +0000

Rob Joyce (right), director of cybersecurity for the NSA, spoke in a fireside chat with Ed Stroz, GABELLI ’79, a member of the Fordham Board of Trustees, former FBI agent, and co-founder of Consilience 360. Photo by Hector Martinez.

From “hacktivists” backed by foreign governments to the advantages and perils of artificial intelligence, National Security Agency (NSA) Director of Cybersecurity Rob Joyce highlighted three areas of focus in the cybersecurity field at the 10th International Conference on Cyber Security, held at Fordham on Jan. 9.

Better English-Language Outreach

The use of artificial intelligence is both a pro and con for law enforcement, Joyce said.

“One of the first things [bad actors are] doing is they’re just generating better English language outreach to their victims [using AI]—whether it’s phishing emails or something more elaborative,” he said. “The second thing we’re starting to see is … less capable people use artificial intelligence to guide their hacking operations to make them better at the technical aspect of a hack.”

But Joyce said that “in the near term,” AI is “absolutely an advantage for the defense,” as law enforcement officials are using AI to get “better at finding malicious activity.”

For example, he said that the NSA has been watching Chinese officials attempt to disrupt critical infrastructure, such as pipelines and transportation systems, in the United States.

“They’re not using traditional malware, so there’s not the things that the antivirus flags,” Joyce said.

Instead, he said they’re “using flaws” in a system’s design to take over or create accounts that appear authorized.

“But machine learning AI helps us surface those activities because those accounts don’t behave like the normal business operators,” Joyce said.

‘Hacktivists’ Role in Israel-Hamas Conflict

Joyce said one of the biggest challenges for cybersecurity officials is understanding who is conducting cyber attacks and why. For example, while cyber officials have been seeing an uptick in “hacktivists,” or hackers who are activists, they’ve been seeing more foreign governments backing them and posing as them.

“The Israel-Hamas conflict going on right now—there’s a tremendous amount of hacktivist activity, and we see it on both sides of the equation,” Joyce said. “But the interesting piece in some of this is the nation-states are increasingly cloaking their activities in the thin veil of activists’ activity—they will go ahead and poke at a nation-state, poke at critical infrastructure, poke at a military or strategic target, and try to do that in a manner that looks to be this groundswell of activist activity. That’s another place where we need that intelligence view into really what’s behind the curtain, because not all is as it seems.”

Unclassifying Information: ‘A Sea Change’

Joyce said that one of the biggest “sea” and “culture” changes at the NSA is sharing classified information with the private sector.

“We’re taking our sensitive intelligence, and we’re getting that down to unclassified levels that work with industry,” Joyce said, “Why? Because there might be one or two people in a company who are cleared for that intelligence, but chances are the people who can do something about it, they’re the folks who actually are not going to have a clearance.”

Joyce said that the department has decided to shift its stance around sharing intelligence in part because “what we know is not nearly as sensitive as how we know it” and because “knowing something really doesn’t matter if you don’t do something about it; industry is the first that can do something about it.”

FBI and NSA Directors on 2024 Elections: Worry About Chaos, Not Vote Count
https://now.fordham.edu/university-news/fbi-and-nsa-directors-on-2024-elections-worry-about-chaos-not-vote-count/
Tue, 09 Jan 2024 23:45:28 +0000

Photo by Hector Martinez

Ahead of the 2024 presidential vote, FBI Director Chris Wray and NSA Director General Paul Nakasone warned of potential threats that could interfere with the election, but said that Americans should feel confident in their ballots.

“Americans can and should have confidence in our election system,” Wray said. “And none of the election interference efforts that we’ve seen put at jeopardy the integrity of the vote count itself in any material ways. And so in that sense, people can have confidence.” 

But that doesn’t mean there aren’t threats to the election process, he said, particularly highlighting foreign governments’ desire to meddle. 

“The other part, though, is the chaos, and the ability to generate chaos is very much part of the playbook that some of the foreign adversaries engage in,” Wray said. “And there is the potential. If we’re not all collectively on board, that chaos can ensue to varying levels.”

Wray and Nakasone spoke in a fireside chat moderated by Mary Louise Kelly, host of NPR’s All Things Considered, at the 10th International Conference on Cyber Security, held at Fordham on Jan. 9. Kelly asked how 2024 compares to the 2020 election year.

“Every election as you know is critical infrastructure,” Nakasone said. “We have to be able to deliver a safe and secure outcome. And so when I look at it, I look in terms of both the threat and the technology—but yes, it’s an important year, it’s a presidential election year, and we have adversaries that want to take action.”

Protecting America’s AI Innovation 

Nakasone said that as they look at foreign adversaries and how they are using AI, he noticed that they “are all using U.S. AI models, which tells me that the best AI models are made by U.S. companies.”

“That tells me that we need to protect that competitive advantage of our nation, of our national economy going forward,” he said. 

But that’s not an easy task, Wray added, noting China’s advantage in particular.

“China has a bigger hacking program than that of every other major nation combined and has stolen more of Americans’ personal and corporate data than every nation, big or small, combined,” he said. “If I took the FBI’s cyber personnel and I said, ‘Forget ransomware, forget Russia, forget Iran—we’ll do nothing but China,’ we would be outnumbered 50 to 1, and that’s probably a conservative estimate.” 

Nakasone said that’s why it’s important for the agencies to maintain the United States’ “qualitative advantage.”

“How do we ensure that our workforce is continuing to be incredibly productive?” he said.

Combatting Foreign Adversaries 

In addition to China, Wray and Nakasone highlighted Russia and Iran as threats, even as Russia is occupied with the war in Ukraine. 

“If anything, you could make the argument that their focus on Ukraine has increased their desire to focus on trying to shape what we look like, and how we think about issues because U.S. policy on Ukraine is something that obviously matters deeply to their utterly unprovoked and outrageous invasion of Ukraine,” Wray said.  

In order to combat their efforts to interfere in elections, Nakasone highlighted partnerships between agencies like the NSA and FBI, and the quality of work that U.S. agencies do.

“It will never be having the most people—it’s having the best people and the best partnership being able to develop and deliver outcomes that can address adversaries,” he said.

Calling Out Misinformation and Disruptions

Kelly highlighted a recent poll from The Washington Post that found that one-third of Americans believe that President Joe Biden’s win in 2020 was illegitimate and that a quarter of Americans believe that the FBI instigated the January 6 insurrection. 

“I’m not trying to drag either of you into politics,” she said. “But what kind of charge does that pose for your agencies as you try to navigate this year?”

Wray said it’s important for the NSA and FBI to call out misinformation right away. He highlighted how in October 2020, the FBI called out Iran’s interference efforts ahead of the November elections in an effort to make the messaging less effective.

“We have to call it out when we see it, but we also need in general for the American people, as a whole, to become more thoughtful and discerning consumers of information,” he said. 

The Use of Section 702: ‘A Vital Tool’

In December 2023, Congress gave a four-month extension to Section 702 of the Foreign Intelligence Surveillance Act (FISA), which allows intelligence agencies to conduct surveillance on non-American citizens who are outside of the United States without a warrant. The section has come under scrutiny as privacy advocates and members of both parties said it’s an overreach of government powers.

Nakasone called it “the most important authority we use day in and day out in the National Security Agency to protect Americans.”

He said that the agency uses it to address a number of different threats: “whether or not that’s fentanyl or Chinese precursors [to fentanyl] coming in United States, whether or not it’s hostages that foreigners take overseas, whether or not it’s cybersecurity, in terms of victims that we’re seeing in the United States.”

Wray said that the section was “a vital tool.”

“This country would be reckless at best and dangerous at worst to blind ourselves and not reauthorize the authority in a way that allows us to protect Americans from these foreign threats,” he said. 

Cybersecurity Conference Addresses the Threat Within
https://now.fordham.edu/politics-and-society/cybersecurity-conference-addresses-the-threat-within/
Wed, 22 Mar 2023 17:09:46 +0000

The first panel featured moderator Elsine van Os, CEO of SignPost Six, and David Fitzgibbons, Chris Farr, and Richard Aborn.

Photos by Chris Taggart

The Hollywood version of a hacker who infiltrates a computer system may look like someone hunched over a laptop in a dark remote location.

In fact, according to the FBI, between a quarter and half of all daily cyberthreats come from “insider threats.”

On March 16, law enforcement, private industry, and academic leaders convened at Fordham’s Lincoln Center campus for a day devoted exclusively to the challenges of stopping those threats.

The conference, “The Insider Threat: Before, During, and After an Incident,” featured three panel discussions and a “fireside chat” on bringing lawless “dark web” sites to justice.

The half-day event was jointly sponsored by Fordham and the FBI and served as a complement to the larger International Conference on Cyber Security (ICCS), held every 18 months at Fordham. The University also runs a Center for Cybersecurity and offers a master’s program in the subject.

In her welcoming address, Tania Tetlow, president of Fordham, noted that because universities are frequent targets of cyberattacks, they have a vested interest in working to stop them.

“We do it in that way that we’re so proud of in higher ed, and in particular, as a Jesuit institution, by being open to the answers, by constantly trying to challenge ourselves to think differently, to be one step ahead of those very creative enemies that we’re up against,” she said.

Fordham President Tania Tetlow welcomed attendees, noting that universities have an important role to play in fighting cybercrime.

The Before

Testing and trust came up repeatedly in the first panel, which featured Dave Fitzgibbons, acting assistant director of the FBI’s Insider Threat Office; Richard Aborn, president of the Citizens Crime Commission of New York City; and Chris Farr, executive director of commercial strategy for the strategic intelligence firm Strider.

Aborn said in large organizations, programs that train employees to spot threats are only effective if they’re practiced zealously.

“I think it’s an oxymoron to say you train too much. You have to refresh, you have to train over and over and over again,” he said, noting that his organization had recently sent out test phishing e-mails to its own members.

“We had about a 35% failure rate, and I was pretty shocked at that. We train a lot.”

Behavioral Indicators

Farr said a common misconception is that the first place to start is in the technical realm. In fact, it’s far more important to focus on individuals and have in place a dedicated team to assess behavioral indicators and raise red flags about potential workplace violence, espionage, or fraud. Those indicators might include visits to websites that promote violence, unusual travel patterns, and inexplicable income increases.

The trick is to cultivate a culture of respect where it’s okay to alert a supervisor to a co-worker’s worrisome behavior. It’s tricky, given Americans’ expectations of privacy, but it can be done.

“Employees have to trust your process though,” he said. “Programs that have anonymous reporting and policies of no retaliation are super important.”

In the Mix

A key lesson from the second panel, which featured Harold Chun, director of security legal at Google; Darron Smith, insider threat program manager at Bloomberg L.P.; and Bill Claycomb, principal researcher at CERT Division’s National Insider Threat Center, was that any insider threat team should also have clear parameters about how to respond.

Is the threat from a full-time employee or a contract one? Is it a one-time issue or an ongoing problem? Is there a threat of physical violence? The response should be commensurate with the problem, said Smith.

“You may not want to raise the fire alarm immediately. It’s really important when you’re thinking about things like duty of care to the employee or privacy,” he said.

The second panel was moderated by Peter M. Marta, partner at the law firm Hogan Lovells, and featured Harold Chun, Darron Smith, and Bill Claycomb.

Learning from the Past

The final panel featured FBI supervisory special agents Scott Norwell, John Reynolds, and Paul F. Roberts Jr., who specialize in employee, state-sponsored, and white-collar insider threats, respectively. They shared the lessons that have been learned from past cases, such as the 2017 conviction of Kun Shan Chun, a longtime member of the bureau, for passing sensitive information to a Chinese government official.

In that case, Norwell said the bureau had learned that there is a long-term, concerted effort by the Chinese government to identify and recruit people, like Chun, who appear to be vulnerable to flattery, cajoling, or intimidation.

The third panel featured FBI Special agents Steve Fullington, Scott Norwell, John Reynolds, and Paul F. Roberts Jr.

Lessons From the Dark Web

Ed Stroz, GABELLI ’79, co-founder and president of Stroz Friedberg and Fordham trustee, closed the day out with a discussion with Andy Greenberg, senior editor of Wired Magazine and the author of Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency (Penguin RandomHouse, 2022).

Greenberg’s book shows how agents were able to track down the founders of dark web marketplaces such as Silk Road by analyzing Blockchain, the technology that underlies the cryptocurrency that was being used to facilitate the sale of drugs, child pornography, and weapons.

Blockchain was thought by the site administrators to grant them anonymity, but it did not. The path to Silk Road’s demise also included the apprehension of two federal agents who were using the site to commit crimes. One of them was initially accused by an anonymous tipster.

“When people ask about insider programs, it’s easy to think ‘Oh, we’re going to get somebody in trouble,’” said Stroz.

“But in many instances, it gets someone out of trouble, or it makes it easier … for people to have a way to raise something so that it can be pursued responsibly.”

Students Learn from the Pros

Among those in attendance was Jakub Czaplicki, a senior at Fordham College at Lincoln Center working on a five-year, accelerated master’s degree in cybersecurity. He became interested in cybersecurity when he was in middle school, and hopes to join law enforcement after graduation.

He said he enjoyed the case studies in the third panel as well as Greenberg’s talk.

“When the FBI agent was talking about how there is this risk of China and different nation-state actors, it really got me thinking, yeah, we have to secure this. Even though it’s a low percentage, it is a genuine problem for large organizations and the FBI,” he said.

“I learned a lot about cryptocurrency, nation-state actors, and what to look out for.”

Czaplicki was one of six Fordham students who attended, said Thaier Hayajneh, Ph.D., university professor and founder and director of Fordham’s Center for Cybersecurity. Grants that the center won in 2019 from the National Security Agency and the Department of Defense made it possible for them to attend.

“We really want to expose them to the real world and also excite them to work with the executive branches of the federal government,” he said.

“Here, they saw the real cases, and they got to connect the theoretical, the technical, and the practical aspects of cybersecurity.”

Ed Stroz and Andy Greenberg
Ukraine Cybersecurity Officials Describe Defense Against Cyber War
https://now.fordham.edu/university-news/ukraine-cybersecurity-officials-describe-threats/
Thu, 21 Jul 2022 19:49:05 +0000

Officials from Ukraine discuss cyberattacks and cyberdefense in the war with Russia. (Photos by Chris Taggart)

From the moment a group of Ukrainian officials entered the room for a July 20 panel on Ukraine’s virtual front line amidst Russian aggression, the mood palpably shifted. Here, after two days of discussions on previous hacks and potential threats, sat four people who left a war-torn nation for the first time since Russia attacked them on Feb. 23 to discuss the lethal threats of cyberattacks.

Sitting on the panel were Viktor Zhora, the deputy chair of the State Service of Special Communications and Information Protection of Ukraine; Andrii Sharonov, first deputy chief of the Cyber Police Department, National Police of Ukraine; Illia Vitiuk, head of the Department of Cyber and Information Security, Security Service of Ukraine; and Nataliia Tkachuk, head of the Department for Information Security and Cybersecurity, National Security Cyber Coordination Center.

Immediately, Tkachuk set a defiant tone toward the aggressors and a thankful tone toward the U.S., which drew applause from the audience of law enforcement, academics, and cyber professionals.

“Thank you for standing with us in this terrible, unprecedented, and unjust war… I know you have feelings about this war the same as we do,” she said without looking at notes. “This work is not only about Ukraine, this war is not only about our independence or territorial integrity. This war is about the democratic values for all the world, about human rights, about international stability and security, about respect for international law. We have no chance to lose and that’s why your support is very important to us.”

Tkachuk then outlined a brief history of cyber defense in Ukraine that was in its infancy in 2015 when the Russian military used a trojan hack named BlackEnergy, which led to widespread power outages in the country. Ironically, she thanked the Russians for that early attack because it led to the nation codifying cybersecurity into laws, policies, and institutions.

“We didn’t have the political will to adopt the cybersecurity strategy. Our top officials didn’t understand what was the role of cyber in the context of national security. Then BlackEnergy happened. Well, it took a few months and the strategy was adopted,” she said. “We started to create our national cybersecurity system and the main steps we directed to legal framework, technical capacities, human resources, international operations, and, of course, public-private partnerships.”

Vitiuk concurred that 2015 was a watershed moment that put Ukraine on war footing well before the Feb. 23 invasion. He added that a sequence of BlackEnergy attacks was also felt in more than 60 countries, not only Ukraine. He said the various sectors of the government, as well as the private sector, began a series of so-called attack rehearsals which helped develop the muscle memory needed for when unprecedented cyberattacks began full force just before the military invasion.

“The main thing was communication within the country between the institutions, between the authorities, between public-private partnerships, and communication with our [international] partners that helped us create this whole system and make it work.”

Sharonov said another key turnaround was that all the sectors began to budget for cybersecurity. In addition, the team from cyber police formed their international partnerships as far back as 2012, when many officers visited the United States for months at a time to develop the skill, knowledge, and ability to fend off cyberattacks.

On Jan. 20, an urgent meeting of the national security defense council was called to develop tactical steps to prepare for imminent attacks, said Tkachuk. By Feb. 7 a 24-hour response center was set up where all the main government stakeholders were present “day and night” to begin monitoring threats. She cited the preparedness and professionalism of the national police, in particular, with helping the team to put in place the critical infrastructure necessary to protect the nation from cyberattacks on critical infrastructure which began in earnest just days before the military invasion.

“As you know, they didn’t get to do too much harm, not because the attacks were not sophisticated, but only because we were able to take the right steps in advance,” she said.

Just as Ukraine has received support in the form of military weapons over the past few months, it has also gained a volunteer cyber army which the deputy chief said numbers around 200,000. Moderator Steve Hill, chief information security officer at Credit Suisse Bank, noted this has led to making Russia the most hacked country in the world today. Sharonov said that the national police accepted help from the volunteers to help block Russian propaganda on social media.

“Right now, we already blocked thousands of channels with almost 30 million people in Russia,” he said.

Hill noted that officials from the NSA in the U.S. have expressed concern about such volunteers, as they are not sanctioned nor trained by an official government, regardless of how good their intentions may be.

Sharonov concurred but said Ukraine simply doesn’t have the capacity to match the Russian aggression when it comes to hackers, and Zhora dismissed any notion of a moral conundrum the volunteers might present.

“I want to highlight a serious difference between offensive actions of Russians and volunteers that help Ukraine: Russia is attacking an independent country in the 21st century while Ukraine is defending ourselves,” he said.

“This is the first global cyber war and we need to be united,” Zhora said.

He added that no country in the world can protect itself alone and that cybersecurity is not just about people, processes, and technology.

“It’s about collaboration, cooperation. It’s about exchanging knowledge, information, practices, and joint exercises that can contribute to the global cybersecurity ecosystem,” he said. “We need a cyber alliance against cyber aggression, a community of states … which help each other to protect themselves … and Ukraine wants to be an active participant of this community, and I’m confident we will.”

Easing Suspicion About Smart Cities
https://now.fordham.edu/university-news/easing-suspicion-about-smart-cities/ Thu, 21 Jul 2022 19:39:48 +0000 https://news.fordham.sitecare.pro/?p=162303

Robert W. Patterson, Tommi Laitio, Matthew C. Fraser, and Yoram Elkaim (Photos by Chris Taggart)

At a July 20 panel on smart cities, Fordham Law graduate Yoram Elkaim, vice president of legal for Google in Europe, Middle East, and Africa, asked, “In a smart city is there such a thing as anonymity anymore?”

“As a student here, we learned a lot about the right to privacy and the Fourth Amendment, and yet there is this paradox in the big city, where you are sharing so much of your space with others, but you also are still afforded anonymity,” he said during the panel event, part of the International Conference on Cyber Security held at Fordham Law and sponsored by Fordham and the FBI. “But in a smart city where there are all these sensors, is that a problem?”

Smart cities are generally defined as municipalities that use technology and data to ease movement, increase public health and safety, assist in disaster relief, and improve the environment.

As recently as just 10 years ago, the term conjured utopian dreams of environmental applications, tighter security, and swifter transportation, said Elkaim. But today the term takes on dark and sinister tones, such as surveillance and loss of freedom. As such, Elkaim’s question hit on a theme that was returned to again and again by the panel.

Better Explanation is Key

Robert W. Patterson, senior executive director for AT&T Business, Public Safety, and FirstNet, said part of the reason is that public and private sector leaders do not clearly explain the benefits of a smart city. This leads to the public believing that the data driving smart cities merely exposes them to cybersecurity breaches and more surveillance.

“The American public doesn’t necessarily understand what we do with the data or how we protect it. I think we all collectively need to do a better job of having that conversation so that people feel comfortable,” said Patterson. “Yes, you’re going to give up a little bit, but if you’re not doing anything wrong, you should feel comfortable that that [your data] is secure, and there are huge benefits to this.”

He used the example of an IoT (internet of things) device used by the oil and gas industry to turn on the gas, rather than sending out a person in a truck to turn it on.

“That’s a huge saving, but people don’t view that piece. They just think, ‘Hey, someone watched me go from the Bronx to Manhattan’—which is, quite frankly, irrelevant to 99.9% of what’s happening today.”

Tommi Laitio, the Bloomberg public innovation fellow at Johns Hopkins University, was the first executive director for culture and leisure in the city of Helsinki, Finland. He said the mayor dubbed his role the “director of fun.” He concurred with Patterson’s notion of refocusing public perception of what a smart city can be, adding that perhaps the word smart should be complemented with other words that describe the benefits of digital cities, such as “equal, creative, or fun.”

Time for Joy

“For me, a smart city should help create a place where you have more time for things that matter and less time for things that don’t matter,” he said. “The difficulty with all this marketing is that it feels like it’s not driven by the joy and pleasure in our lives.”

Matthew C. Fraser, chief technology officer and commissioner for the New York City Office of Technology and Innovation, succinctly summarized how data should be used in a smart city.

“It’s about using information to optimize interactions and move people all around cities a lot easier,” he said. “When I look at a smart city, it’s all-encompassing, around every interaction that a person has with the city.”

When the floor was opened for questions, an unconvinced member of the audience expressed a concern that government workers with access to such data might use them nefariously. Fraser responded by saying that the problem is certainly not limited to government. He said that the problem exists with any custodian of data, whether it’s in the government, private, or academic sector. He said that for New York City government workers, it means ensuring that the people using the data are using it in ways that align with their job description.

“What we start looking at there is—How do we create a baseline behavior [for that job]? What does a particular function across a particular geography look like? And what does normal look like? So, when someone deviates from that we can catch it and say, ‘This is an anomaly, let’s look at it.’ And what this all ties back to is having accountability in government, taking the responsibility to proactively audit the use of the technology tools that it has.”

Experts Discuss How to Protect Top-Secret Information From Insider Risks
https://now.fordham.edu/university-news/experts-discuss-how-to-protect-top-secret-information-from-insider-risks/ Thu, 21 Jul 2022 17:57:48 +0000 https://news.fordham.sitecare.pro/?p=162291

Photos by Chris Taggart

The greatest risk to a government or private organization isn’t always an outside threat. Sometimes it’s a current or former employee—and the harm is often done unintentionally.

In the panel “Insider Risk: Mind Games” at the 2022 International Conference on Cyber Security on July 20, four experts on managing insider risk discussed the challenges that insiders pose to organizations and how their behaviors can be recognized and managed. 

The event featured three panelists—James Dennehy, special agent in charge of the FBI’s counterintelligence and cyber division; Eric Shaw, Ph.D., a clinical psychologist and founder of a company that helps organizations manage insider risks; and Doug Thomas, head of insider threat in counterintelligence and workplace violence and a managing director at JPMorgan Chase—as well as the panel moderator, Elsine van Os, founder and CEO of an insider risk management consultancy firm in the Netherlands. 

Problems Related to the Pandemic and the Great Resignation

There are four critical issues that impact insider risk management today, said Shaw: pandemic-related stressors, social identity stress, the rise of conspiracy theories, and new policies and practices that monitor former employees.

[Photo: Eric Shaw]

“The [pandemic-related stressors] pull directly on all the personal predispositions we associate with insider risk, whether it’s medical/psychiatric issues, personality, social skills issues, previous violations, or susceptibility to recruitment or social network risks,” Shaw said. “In psychology, we’re saying, ‘If there was a crack [before], now there’s a crevice.’” 

Van Os said another issue that is negatively affecting insider risk management is the Great Resignation. When employees leave their prior workplace, they often take home sensitive company data, thus eroding the company’s value, she said. 

FBI Security Measures: Multilayered and Still ‘Not Enough’  

Dennehy, a special agent for the FBI, said that the insider threat protections at his job are multilayered—but they aren’t enough.

“I work for the FBI. I have access to top-secret information. I have access to all the investigations that the field office conducts. So our insider risk and insider threat program has to be pretty layered—and it is. I started a new job at the New Jersey field office on Monday, so last Friday was my last day in the New York City office. I tried to get into the New York City office today to return a car. They didn’t let me in. I said, ‘No no no, it’s Jim Dennehy!’ And they don’t care,” he said. “My access to the New York office and to all of its files was cut off immediately.”

[Photo: James Dennehy]

And that’s only one security measure. Every five years, Dennehy is polygraphed to check if he is spying on the U.S. government or showing signs of becoming a terrorist, he said. He is required to disclose all of his finances to the U.S. government on an annual basis, in addition to undergoing drug tests and mental health evaluations. But that’s still not enough to protect the FBI from insider threats, he said. 

In an insider threat study conducted by the FBI a few years ago, they found that hackers steal information by using their existing or shared credentials to increase their privileges in the company system, he said. In addition, there are likely double agents within the FBI, he said. 

“There are probably Robert Hanssens that still work in the FBI. Probably—we just don’t know about it,” Dennehy said, referring to the former double agent who pled guilty to 15 counts of espionage in 2001. 

‘I Want People to Be Engaged—For Their Sake’ 

Thomas said that one of the biggest challenges in insider risk management is convincing employees and executives that this is a real problem. 

[Photo: Doug Thomas]

“Unless they’ve actually had it happen to them and they know about it— [and] it’s probably happened, they just don’t know about it … then it’s hard to convince the masses and the leadership that this really is a problem. It’s not a movie, it’s not just people with clearances, it’s not people who have access to weapon systems. This actually happens for real,” Thomas said. “I want people to be engaged—engaged for their sake, the firm’s sake, their coworkers’ sake—because if these things go wrong … it’s a big deal.”

In order to counteract insider threats, companies can seek to access more personal data from their employees, said Thomas. However, he added that they have to be sensitive about not being too intrusive.

“You have to be very careful about what kind of data you’re looking for, explaining why you want that kind of data, how you’re going to use it, how you’re going to protect it, and how you’re going to protect the reputations of the people you’re looking at,” Thomas said. 

How to Protect a Company’s ‘Crown Jewels’ 

Dennehy explained how the FBI helps research institutions and businesses to manage their insider threats and protect their assets. 

“What we want to do is … identify to us what your crown jewels are. What are your most protected assets besides your people? What information do you want to protect the most? And now let’s build your program around that.”

At the end of the panel, Dennehy applauded JPMorgan Chase, one of the biggest financial firms in the world, for developing an insider threat program. The company’s action also serves as a lesson to other organizations, he said. 

“[JPMorgan Chase] probably learned because of mistakes. And they probably learned because of feeling the pain of that information going out the door,” Dennehy said. “Undetected, [the threat actors] could’ve taken down a billion dollar firm because that information could lead to the opening of a competitor company that’s now gonna take away their market share. And that’s where CEOs, CFOs, and C-suite are going to really start listening.”

[Photo: The full panel and its moderator, Elsine van Os]
Panel Warns of Sophisticated State-Sponsored Cyberattacks and Ransomware
https://now.fordham.edu/university-news/panel-warns-of-sophisticated-state-sponsored-cyberattacks-and-ransomware/ Wed, 20 Jul 2022 20:51:26 +0000 https://news.fordham.sitecare.pro/?p=162231

Paddy McGuinness, Carsten Meywirth, Prashanth Mekela, and Joshua Larocca. Photo by Chris Taggart

The COVID-19 pandemic accelerated many of the trends in cyber warfare that had already been picking up steam, making cooperation between likeminded countries and global corporations more important than ever, panelists agreed in a discussion at Fordham on July 19.

“Geopolitics and Cyber Risk,” a discussion moderated by Joshua Larocca, managing director of the firm Stroz Friedberg, on the second day of the 2022 International Conference on Cyber Security (ICCS), brought together perspectives from England, Germany, and the United States.

Paddy McGuinness, a senior adviser at the Brunswick Group, noted that North Korea, China, Iran, and Russia are now “very capable threat actors” with the ability to harm the United States, the United Kingdom, and the European Union.

The challenge is that although the European Union works as a single entity to regulate a great deal of technology, national security is still the responsibility of each of the 27 individual nations. As such, there is a great deal of unevenness, he said.

“Europe is on a journey, and it’s conflicted. The majority of what it has done from a regulatory sense has been about competition and major American technology. It has not been about the Chinese state, and it hasn’t been around an active Russia at its back,” he said.

“It’s in movement, but if you look at the bulk of the legislative, regulatory, and practical agenda, it’s as much as about the United States as it is about China or Russia.”

Carsten Meywirth, director of the cybercrime division at Germany’s Federal Criminal Police Office, the Bundeskriminalamt, agreed with McGuinness’ assessment of the threat that the four big state actors pose. The added twist is that there are also threats from non-state actors who act on their own, he said. The underground economy that was created by them really took off in 2015, and last year, Meywirth said, ransomware unleashed by hackers unaffiliated with specific countries cost German companies 24.3 billion euros.

“The criminal groups act globally, and with high performance. They’ve adapted the franchise model with the affiliate system,” he said.

“We call it ‘crime as a service.’ You can buy the infrastructure; you can rent the server and VPN services; you can buy credential services, codes, and malware. The criminals work together, and don’t have to know each other. The only thing they know about each other is a nickname.”

The panelists had some good news to report too. Asked by Larocca how European countries might strengthen each other’s defenses, McGuinness cited the public-private partnerships on the continent.

“When I go into really transnational businesses, they’ve got cyber defenses better than most European states. So that’s where you start, with firms like Deutsche Telekom. That’s quite a cyber-capable organization.”

Prashanth Mekela, deputy enterprise chief information security officer at American Family Insurance, said that at the end of the day, macro issues need to be addressed through day-to-day operations. The first hard truth that business leaders need to accept is that if a very capable state actor or committed criminal actor decides they want to break into their network, they will likely find a way.

“Most people have gravitated toward that viewpoint, because even if you put these obstacles out in front of their way and have defensive depth, there could still be an insider within your organization who can either be co-opted or recruited to steal sensitive information,” he said.

He suggested that the solution is to identify what parts of a business network absolutely need to stay up and running. That includes things like intellectual property and business processes. The bulk of the company’s cyber defenses should then be directed in those areas.

“It’s a never-ending situation in which you’ve got to protect the enterprise, and you’re not going to get it right all the time. You’ve got to be able to live with it. That’s why you’ve got to be prepared for things like ransomware.”

Relationships Prove Critical in ‘Constantly Evolving’ Cyberthreat Landscape
https://now.fordham.edu/university-news/relationships-prove-critical-in-constantly-evolving-cyberthreat-landscape/ Wed, 20 Jul 2022 20:26:16 +0000 https://news.fordham.sitecare.pro/?p=162234

Bryan Vorndran, assistant director of the FBI’s Cyber Division. Photos by Chris Taggart

One of the first cases Anthony Ferrante, FCRH ’01, GSAS ’04, worked on when he joined the FBI involved a terrorist cell using advanced technologies to plan an attack against the U.S.

“It was during our work in this case that I saw the impressive power of likeminded individuals from public and private entities around the globe, coming together to combat these threats,” said the former special agent.

Shortly after that, in 2007, he was meeting with his Fordham mentor Professor Frank Hsu, Ph.D., Clavius Distinguished Professor of Science, and they started discussing ways to bring government, the private sector, and academia together.

“We devised a crazy idea to plan an international cybersecurity conference, a conference that would bring together the world’s best in the industry to talk about how we can all work together to combat the ever-evolving cyber threats we face every single day,” he said.

Two years later in 2009, Ferrante and Hsu had helped launch the first ICCS at Fordham.

[Photo: Anthony Ferrante, FCRH ’01, GSAS ’04, global head of cybersecurity for FTI Consulting]

At this year’s ICCS, Ferrante, who is now the global head of cybersecurity for FTI Consulting, introduced Bryan Vorndran, assistant director of the FBI’s Cyber Division, as part of a session titled “The Morning Intelligence Briefing,” where Vorndran emphasized the importance of those partnerships to the FBI.

“We don’t do anything alone,” he said. “Any success you hear about in terms of U.S. government disruptions, international disruptions, are done as part of a partnership. That includes private sector as well.”

Vorndran highlighted two recent FBI cases that involved significant partnerships from not only government agencies but also the private sector.

The first was “Operation Shell Sweep” in 2021 where the FBI went into computers that were using Microsoft Exchange servers and had been hacked by a group called Hafnium. The hack affected tens of thousands of users. The computers had web shells—or pieces of code that allow for remote administration—installed by the hackers. The web shells “left open” a backdoor that gave the hackers access–but, Vorndran said, the FBI used those same shells to remove the malicious code.

“The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path),” an FBI release on the operation read.

Microsoft became aware of the hack in March 2021, and the FBI said in a statement that “Microsoft and other industry partners released detection tools, patches, and other information to assist victim entities in identifying and mitigating this cyber incident.” Vorndran said that the partnership between the FBI and Microsoft helped address about 93% of the impacted devices, and then the FBI worked to remove the malicious code from the remaining 7%.

The second was “Cyclops Blink,” where the FBI disrupted a Russian botnet that was infecting devices with WatchGuard and other software on them. The FBI partnered with WatchGuard which helped release detection and remediation tools the day the advisory about the botnet went out.

“Our purpose is simply this: to utilize our unique authorities—either unilaterally or with a partner—to impose maximum costs on our adversaries,” he said, noting that could mean an arrest or seizure of assets.

Vorndran highlighted the partnerships that occurred in both of these cases because initially, he said, Microsoft and WatchGuard “could not see the devices or software where there was a vulnerability at a tactical level. It took additional intelligence—in the Hafnium matter from a third party private sector—and it took FBI intelligence to inform the exact laser focus of where we needed to be.”

Partnering into the Future

Both Ferrante and Vorndran emphasized the need for partnerships as threats continue to evolve.

[Photo: Bryan Vorndran, assistant director of the FBI’s Cyber Division, talks with ICCS participants.]

Vorndran said that he’s worried about the “increased precision of the adversary.” He gave the example of all of the commercial real estate companies in the U.S. using the same software. If that software is attacked, it could mean real issues for that industry.

“If they’re that precise on targeting, it could shut down the entire commercial real estate industry,” he said. “That is a huge problem for us.”

Vorndran said that they’re also paying “a lot of attention to synthetic content” or what some call “deep fakes,” which he said could have a tremendous influence on our democracy.

“There’s obviously tremendous downstream effects of deep fakes and synthetic content,” he said.

Vorndran gave the example of a recording played in court, with the attorney arguing that it is not his client on tape, but a fake. The question becomes “how do we authenticate that?” he said.

Vorndran said that they’re “putting a lot of attention into that within the community and that’s something that’s very important for us to get right.”

Having the partnerships between the public and private sector in place ahead of these attacks can help address these future problems, Ferrante said. He noted that “many conversations taking place this week will enhance all our efforts to combat these threats.”

“There are numerous challenges on the horizon, and cybersecurity issues will remain ever present,” he said. “The threat landscape is constantly evolving. A forward-thinking approach is required to keep pace.”
