In the tradition of Michael Lewis and Tom Wolfe, a fascinating and frightening behind-the-scenes look at the interconnected cultures of hackers, security specialists, and law enforcement.
Before becoming a Cybersecurity Reporter for CNBC and The Wall Street Journal, Kate Fazzini was herself an executive in cybersecurity operations for financial firms, including a stint as vice president in cybersecurity operations at JPMorgan Chase. One of the first lessons she learned was that, in spite of the air of mystery and seemingly shadowy world that she inhabited, what the field needs most is everyday people with everyday people skills.
Or, as she writes in her new book, Kingdom of Lies:
It didn’t take me long in my career as a cybersecurity executive to figure out that everyone was lying to me.
The biggest lie of all came at the very beginning: that cybersecurity is hard. Too hard. Certainly too difficult for someone who lacks years and years of deep technical training. That it is no place for writers.
It’s unfortunate, because there is a huge gap between the demand for cybersecurity workers and people available to fill those jobs. I think one of the reasons for that is because people can’t imagine themselves doing this kind of work.
Can you use a smartphone? Make a PowerPoint? Think on your feet? Even organize a night out to the movies with your friends that went well and nobody crashed their car to or from the event? Welcome to the twenty-first century’s hottest career path. Are you able to charm the pants off women? Did you escape an abusive marriage? Have you ever hosted a toddler’s birthday party in your home? Honey, I want you on my cybersecurity team.
After reading this book, you will understand that what makes cybersecurity complicated is the complexity of human beings. So if you know how to deal with people, you can handle internet security.
In the excerpt below, Fazzini begins the story of one such person who stumbled into the world of cybersecurity, but on the other side, finding herself employed in a criminal ransomware ring in her village. "Soon she is extorting Silicon Valley billionaires for millions—without knowing the first thing about computers."
It’s 2015. René Kreutz’s hometown, Arnica Valka, is a quiet city of around 100,000 people, nestled in the foothills of the Transylvanian Alps, two hours west of Bucharest.
Arnica Valka has become one of the world’s most notorious cybercrime villages, with an underground economy funded almost entirely by ransomware, stolen credit cards, and identity theft. Media will later call some of its neighboring towns among the most “dangerous places on the internet” and “hackervilles.”
To her, it is just home. René was born in Arnica and grew up in Nicolae Ceauescu-era housing projects. About two years prior to her nineteenth birthday, she noticed her hometown changing. Tech start-ups were percolating in warehouses and old barns, furnished like American social media companies with beanbag chairs and exposed brick walls. René heard the pay at these start-ups was fantastic—too good to be true.
René never mastered math like her parents had wanted and had no desire to marry a nice, older rich man, as her mother had suggested. She decides to go into advertising. As a student in marketing at Arnica Community College, she fantasizes about landing a job in tech, but she can’t write code. Besides, it’s not like these start-ups she keeps hearing about actually advertise job openings. It is all very hush-hush.
What she is good at: talking. She argues her way to better grades in school even when she has cut classes. She talked her way into a job as a waitress as at an upscale cafe called City Italia and talks her way out of parking tickets. She is pretty, too, slender with long auburn hair. Then again, most of the young women in Arnica are pretty. As the economy grows, she can’t help but notice how the local pool of beautiful young women grows with it.
It’s in this waitressing job that she meets a German man named Sig, who spend his money freely and calls himself the CEO of a new start-up in town, Techsolu. He asks her to come in for a job interview.
So one morning, she finds herself walking through the main street in town, which she’d not visited since starting college. That’s where she sees how the new flood of foreign, possibly illicit money has gently shifted the local landscape.
Block by block as she nears the center of town, she sees new streetlights, more police cars. There are more people, too—young people—moving quickly in the cool morning air as they make their way to work. Stores that once sold cheap cell phones are now vending expensive tablets. Computer servers are advertised in the windows like puppies. Some of the storefronts promote the fact that they accept bitcoin as payment.
René passes the old, yellow-drab laundry where her mother would take her when their washing machine wasn’t working. It is now called Cafe Americain and looks just like a Starbucks. Wedged between a health food store selling some kind of Korean drink with bubbles in it and a law office advertising financial crime defense is TechSolu.
René grips her handbag a bit tighter as she enters. Inside she finds a beautifully appointed open floor plan. The workers, all men, stare intently at their computer screens.
Sig says he needs a customer service representative for his business, which he characterizes as a cybersecurity shop. Customers call in he says, and they’re upset because they’ve been hacked. It’s up to you to calm them down, and explain how they can pay for Techsolu’s services in bitcoin, he tells her. He offers to triple her salary as a waitress.
She accepts. She gets to work right away. And it’s clear, from the moment she starts, the business is not what it seems.
On her first day, René helps four customers transmit bitcoin into a digital wallet held by TechSolu. The executives she speaks with on the phone are distraught. Sig explains that that’s because they don’t get to find out how to fix the cybersecurity problems until after they pay. It becomes clear after not too long, that this enterprise is dealing in a type of malware called ransomware, and its customers aren’t willing.
Sig’s other “employees” are hackers, not cybersecurity professionals, and they’re breaking into American and European companies, freezing their important files, and demanding payment to get them back. She learns this but doesn’t leave. It’s exciting, she admits. And from what she can, nobody is getting hurt.
What René lacks in computer skills she makes up for in street smarts.
She quickly becomes hooked on customer service. Every day, she talks to distressed businessmen and -women, calms them down, and explains that they have been hacked, that they can restore their data immediately for a small fee, and they can make sure it doesn’t happen again. The “customers” often go from pleading, crying, sometimes screaming to thanking her.
Some even say that the money—often just a few hundred dollars—is a small price to pay for recovering their files and making sure it never happens again.
René soon learns that all the tech start-ups on General Maleur specialize in ransomware or similar work. Above the Korean tea shop is a company that hacks into the databases of American retailers and steals credit card numbers.
Next to Cafe Americain, another company buys those credit card numbers and manufactures fake credit cards that work like the real thing. They hire mules to go out and purchase goods that can easily be turned around and sold, thereby creating “clean” cash from the illegal credit card transactions.
Sig was wrong when he said he would triple her pay from City Italia. In fact, she makes four times what she had been making at the restaurant. She quits community college but uses what she’d learned in class to make TechSolu’s PowerPoint approach to hacked customers more businesslike, almost presentable.
Soon, René is optimizing TechSolu’s ransomware racket. But she doesn’t realize that Sig may not appreciate her ambition, and has alternative plans.
Excerpted from Kingdom of Lies: Unnerving Adventures in the World of Cybercrime.
Published by St. Martin's Press, a division of Macmillan
Copyright © 2019 by Kate Fazzini.
All rights reserved.
ABOUT THE AUTHOR
Kate Fazzini is Cybersecurity Reporter for CNBC. Before that she reported on cybersecurity for The Wall Street Journal. She previously served as a principal in the cybersecurity practice at Washington D.C.-based Promontory Financial Group, now a division of IBM. Prior to that, she served as a vice president in cybersecurity operations at JPMorgan Chase. Fazzini teaches in the applied intelligence program at Georgetown University. She lives in New York City.