INTERVIEW: MATT LAVIGNA / NATIONAL CYBER-FORENSICS & TRAINING ALLIANCE [NCFTA]
HERE’S HOW YOU GET COMPANIES TO TALK TO LAW ENFORCEMENT
NCFTA analysts, who monitor real-time cyber threats, analyzing malware samples in the organization’s research lab in Pittsburgh.
It started as an idea in Pittsburgh in the 1990s. Some people in law enforcement, private industry and academia thought that there had to be a better way to fight against cyber crime. And they were convinced that the key was sharing information. After years of trial and error, the National Cyber-Forensics & Training Alliance [NCFTA] was officially founded in 2002. It began with volunteers and government grants. After a few formative years, it has grown to more than 60 employees, most of them intelligence analysts. But what makes it special is that its members, known as partners, are from law enforcement and private companies. And they work together in the same room. The Federal Bureau of Investigation was the initial agency that helped get things started, and still has the largest footprint. But next to the FBI are representatives from the U.S. Postal Inspection Service, the United States Secret Service, Homeland Security Investigations, the Drug Enforcement Agency, the Internal Revenue Service, and even the United Kingdom’s National Crime Agency. The 150 supporting corporate partners have the opportunity to work side by side or participate remotely. About 70 percent of the funding for the nonprofit comes from the private partners, and the balance from the government agencies.
Though the organization has garnered international recognition by professionals in the field, it’s not exactly a household name. Matt LaVigna, who has been CEO since 2016 (and who worked for more than 26 years at the Secret Service), acknowledges that its biggest publicity boosts are more likely to come by word of mouth than from tweets. Yet, the NCFTA expanded in 2017 and opened an office in New York and a second in Los Angeles. Still, LaVigna likes to point to the unofficial tagline that the group sometimes uses, which seems to capture its self-image perfectly: “For the committed, not the curious.” He talked about the challenges of getting highly regulated and reputation-conscious companies to open up—with each other and with law enforcement. Many companies tend to keep silent about ongoing cyber incidents and fraud that siphons data and profits. When they choose to go it alone, he adds, they are playing right into the cyber criminal’s hands.
CyberInsecurity News: How has the NCFTA changed since the early days?
Matt LaVigna: When it first started, it was more narrowly focused, and it was trying to prove the model of can we establish trust among industry and between industry and law enforcement. And it’s important to understand that there are two different things there: for industry to be able to collaborate among itself, across different industry sectors, and then between industry and law enforcement. But in the early days, it was focused on just a few issues. For example, let’s see what we can do to address spam. And which companies and industries are impacted? And on the technical side, who can help, and where are leverage points that law enforcement can use to inject themselves in and disrupt the flow? Today it’s a myriad of things. It goes from the very technical, purely cyber, such as malware and botnets, through the entire scheme of cyber-enabled crimes. What I mean by cyber-enabled crimes is the use of computers and the internet to further a criminal scheme. After all, the purpose of a hack or a breach is to deal data—not just to steal it and possess it, but then to monetize it. And the monetizing is what feeds crimes. Today it varies from malware to phishing, ransomware, credit card fraud, account takeovers, credential theft, human trafficking, IP rights violations, illicit pharmaceuticals, skimming at the point of sale, and on and on.
CIN: That’s quite a gamut.
ML: And that’s just the tip of the iceberg. We exist to enable industry to have a seat at the table and have a direct voice to the government or law enforcement in order to identify the things that are impacting them the most. Otherwise, from my background in law enforcement, it’s very reactive. A victim would call a local office and report a crime. Unfortunately, whether that agency has the ability to open a case on that specific incident depends on their office resources and capabilities and also on the local prosecutor’s office. If that incident is highly impactful to a particular victim or company, but it can’t be investigated because it doesn’t meet those thresholds, where does that go? What we strive to do is have those things reported through us so that we can connect that with another victim, and another victim, and another victim, and then link the seemingly one-off incidents and make it actionable for law enforcement.
CIN: Sometimes when people talk about cyber crimes, they sound far away and abstract—out in space somewhere. But you’re talking about the impact, and that doesn’t sound abstract at all.
ML: Absolutely. These are real things that happen to real companies and real people. And there are humans behind those threats. Yes, they’re leveraging machines. And yes, they’re leveraging technology. And yes, they’re exploiting our human behavior and how we interact with the internet. But there are actual people behind that. What’s very important is for industries to recognize that they have to report things, to work with others. And then, at the end of the day, help someone who can make an impact and disrupt that. And the only one who can do that on a large scale for everybody is law enforcement. Both in the United States and globally.
The Payoffs
CIN: What are the biggest benefits of membership?
ML: You don’t know what you don’t know. Joining a trusted community, where you can freely discuss some of your challenges without that going public and learn what others have found to be solutions, is a direct benefit. Just having a conversation with another company, even potentially a competitor, about a common issue that’s a threat or risk is an extremely big benefit. And then having a conversation with the government or law enforcement about an issue today or an area where they might be able to help, and doing all that under the radar, so to speak, where it is not publicly splashed across media outlets—that’s big.
CIN: What do the agencies get back in return for their efforts?
ML: The agencies get access to knowing what the most impactful issues are that they should be focusing their limited resources on. And they get access to all of the cyber superheroes and subject matter experts that are out there in private industry. The government has very limited resources in that area. And so this is a way to leverage those resources and be a force multiplier for each other. For law enforcement, it’s the subject matter experts and hearing about the critical issues. And for private industry, it’s fighting back.
CIN: There are other organizations in the United States that work to facilitate information sharing on cybersecurity. Can you name some that you consider peers in some sense?
ML: The government itself has different levels of engagement. For example, the Secret Service has Electronic Crimes Task Forces where the private sector and their regional Secret Service field office engage in cyber crime knowledge sharing. The FBI has the InfraGard program. That’s where their regional private-sector engagement resides. There are industry-specific Information Sharing and Analysis Centers [ISACs]. There’s a financial services ISAC, a health ISAC, an auto ISAC, a legal ISAC and several others. Then there are regional-level Information Sharing and Analysis Organizations [ISAOs]. They’re generally limited within a certain locality or region. There are many different organizations that do similar things, and yet they are still different.
CIN: What’s the most important thing about your program that distinguishes it from the other programs that you’ve named?
ML: One is our direct engagement and participation with law enforcement—literally in-house. The second is cross-sector collaboration. We have representatives from financial services, telecommunications, manufacturing, the government, some critical infrastructure, health care and others. There’s really no industry that would not be a good fit for us. And just as valuable, if not more valuable, are our staff, our access to external resources and our intelligence analysis capabilities.
The NCFTA Moment
CIN: You had an experience at the NCFTA even before you were a paid employee that had a profound effect on you. You worked close by, and you used to spend time there when you were still with the Secret Service.
ML: I started attending meetings here and talking with private-sector partners and identifying very good cases to refer out to different Secret Service field offices that could be addressed. That’s one of the carrots for the private sector: “Somebody’s going to do something about this problem I have.” Who are the victims? How much information do they have? Can we gather more information? And can we push it out to the field and make it actionable, and have it investigated and ultimately prosecuted? So I started there. And I was very successful finding cases that could be worked. I identified the serendipitous moment—we call it the NCFTA moment—where I just happened to mention a counterfeit case that the Secret Service was working in Pittsburgh, and what was unique about the case was that the particular counterfeit note had only appeared in Uganda and other parts of Africa, and one day it appeared here in Pittsburgh. So that was very impactful for us. One of the law enforcement officers embedded at the NCFTA came to me within three days and said, “I think I identified your man.” That was eye-opening. I was not even aware that that particular agency had access to the information that they had. And they were able to cull it and filter it and identify some good leads that were spot-on, and probably within a week we knew exactly who we were targeting here in the U.S. And that led to a much broader investigation: dark web contacts and counterfeit manufacturing based in Uganda and shipping counterfeit notes to the U.S. That individual just pled guilty in Pittsburgh a couple of weeks ago.
CIN: What is an NCFTA moment?
ML: Our office space is an unclassified environment. Which is the opposite of many government office spaces. So we have an open environment in which people hear other people talking. And that’s by design. An NCFTA moment is somebody in the office overhearing a conversation and just walking up and saying, “Hey, I heard you guys talking about that, and we’ve been looking at that too.” Or: “I think that impacts us. Can you tell me more?” The opposite—in another environment—would be, “Why were you listening to our conversation?” So it’s something that you might not have known that somebody else is working on that leads to success for your investigation or for your company.
CIN: Kind of like designed serendipity.
ML: There you go.
Sharing Data Is Almost Taboo
CIN: What are the biggest challenges?
ML: Helping industry understand how to share information, what information to share and why. That’s probably the biggest challenge. Today sharing data is almost taboo. It sets off alarms when you use a four-letter word like “data.” That’s a very challenging topic internally in the corporate world. And communicating that with the private sector is probably one of the biggest challenges: trying to get them over that hurdle—that it can be done safely, is acceptable, that it is to their benefit, and ultimately it’s to the benefit of the greater good and cybersecurity in general.
CIN: How do in-house lawyers from partner companies get involved in your work?
ML: Our first touch point with in-house lawyers is during the introductory period, or signing on, or a company getting approval to join an information-sharing organization. Signing a confidential membership agreement. And typically we would have been having conversations with a chief information security officer [CISO] or their representatives or a chief security officer or a fraud team at the company. And they get it, and they’re antsy and want to get engaged and want to go. And then there’s the “but … I have to go to our in-house counsel.” So we’ve had these long conversations with the operators, and then they have to hand the conversation over to the general counsel: “We have the funding. Here’s what we want to do.” And the general counsel was not in any of the previous conversations, and so we have to have a one-on-one. And it works. It always works. We just have to articulate and explain down in the weeds exactly what it is that we do, and what it is that we would hope that they would approve their company to engage in.
CIN: What kinds of problems are the in-house lawyers concerned about when they’re examining the partnership agreement, and how do you resolve them?
ML: A lot of it has to do with contract language. Take, for example, the term “confidential information.” By default, we share confidential information. You could talk to 10 different lawyers and get the same response: “We’re not going to share company confidential information.” Confidential information meaning a particular fraud scheme. Maybe even the existence of the incident is confidential. That means don’t talk about this publicly, don’t tell anybody, just keep this in-house. And if that’s the culture and the mindset, then that organization would not be a good fit here. And another way is just strictly on contracts—we do have confidential membership agreements with all of our members. Sometimes it’s our agreement; sometimes it’s their agreement. Sometimes the lawyers say, “Everyone we have a relationship with has to sign our master service agreement [MSA].” Ughhh! That’s the challenging moment. Because then none of it really fits. We are not your typical “vendor.” It’s all standard vendor or supplier language that can be very challenging for us. We hope it doesn’t become expensive for us, but if necessary we can then engage our outside counsel with contracts and language and the typical redline back and forth. If we can engage early on with the attorneys, during the initial introductions and conversations, then they know it’s coming, and it makes it a lot smoother.
CIN: And how do you solve the MSA problem?
ML: We just say, “Hey, it’s definitely going to be an easier process if we just have a conference call.” Having a conference call with the end user—it could be the CISO, the intelligence team, the fraud investigative team—with them and the attorney at the same time. And then the end user can explain it to their own attorneys. And we can explain it, too. And that goes much more smoothly.
CIN: But you’ve always been able to solve it?
ML: Yes. [laughs] I say yes always, but it happened just yesterday that it did not. But I don’t want to say it was an attorney thing. It was actually an organizational thing. It was an international organization that included in its ultimate membership group certain countries that would preclude them from actually being a member by our rules. For example, those known countries that are supporting cyber crime or terrorism. Those on the list. That just wasn’t going to work. We do have global companies. We’re not just U.S. company-centered. But to answer your initial question, we’ve always been able to resolve the legal hurdles.
CIN: Are there certain companies that you wouldn’t be able to include because of issues along the same lines? Let’s take the example of the cybersecurity company Kaspersky Lab. There’s been a lot of litigation over Kaspersky. We could mention Huawei, too, where there’s a lot of controversy, and suggestions that these are organizations that are under the sway of governments that have certainly been accused of a great deal of cyber crime. Would those companies raise the same red flags as you just described?
ML: Yes, potentially they could. It’s a community. All of our members, all of our partners could potentially have issues there. One, we have government partners. Two, the companies that are partners here have trust in us and all of the other members. It’s a consortium. They all trust each other, and they all basically have the same agreement on how they’re going to handle information, and for what purpose and where it’s going to go. And if we were to bring in an entity that could potentially disrupt that trust, even if it impacted only one current partner, that wouldn’t work.
CIN: Have you ever had a situation where you thought you would allow some organization to join, and then you heard from others that this was not something that they were comfortable with, and you had to go back and rethink it?
ML: One comes to mind. And actually you just brought it up. And it’s not a partner. It’s more of a relationship. You brought up Kaspersky. It was one of the founding entities or companies that was involved in a project at Europol called No More Ransom. No More Ransom is a noncommercial entity. The purpose is to combat ransomware, and it’s based at Europol, so they control it, but there are many foreign law enforcement entities that are engaged. Some might not have very good relationships with the U.S. There are many private-sector companies that are supporting it in several different ways. Some U.S., some not. And then Kaspersky was also there. We were asked to join. And just last week I decided that we would join the project as a supporting partner, because the purpose is to provide resources to victims and to publicize that there are options and practices to prevent being a victim to ransomware attacks. So the single holistic mission outweighed the potential affiliation conflict—there really isn’t any. We’re not working directly with those countries or any one of those companies. It’s a project for the greater good, and I felt it was in the best interests of our community, our citizens and global cybersecurity for us to get engaged.
CIN: Do you have any success stories you’d like to share?
ML: There are many. Just last year, the collective work that we’ve done, based on what’s being reported back to us, we helped support or initiate 525 law enforcement cases. Law enforcement, based on their engagement here, initiated 139 arrests. Loss avoidance to the private sector was over $250 million. Seizures of intellectual property violations were in excess of $34 million. So those types of successes demonstrate that yes, it does work, and yes, it does make an impact.
Takeaways for In-house Lawyers
CIN: What are three takeaways that you want to leave for in-house lawyers?
ML: It’s a cliché, but the government is truly here to help. Engaging with law enforcement before an incident should be preferable to post-incident, or worse, not at all. And information sharing on cyber-related topics is the right thing to do in our global community. When you’re shown the way, relationships with your peers and with law enforcement can be extremely beneficial. And—this is just my opinion—it’s counterproductive to your own security to avoid talking about things. What I mean by that is that in the majority of companies, when an incident happens they try to address it, fix it and move on. It’s not good for a reputation or a brand to talk about it or go outside the walls with any of this information. Notwithstanding any type of mandatory reporting, of course. And that may include not talking to law enforcement. And I would say, “How do you think that problem got to you in the first place? Somebody else did the exact same thing.” As you’re sitting there, pounding your head against the table that there’s a ransomware notice on every one of your corporate computers or you’ve been defrauded by cyber criminals for millions of dollars, and then you learn your neighbor already dealt with it before and never told you—that would certainly frustrate me, to say the least. I use the example of your neighborhood. If your neighbor has her car broken into one night, and you’re talking over the fence the next day and she says, “There’s someone going around the neighborhood, breaking into cars,” you say, “Thanks for telling me.” We don’t think twice about that. Why are we so circle-the-wagons and tight-lipped when it comes to cyber?
The NCFTA gets both sides to sign on and then puts them together in a room to share information on cybersecurity.
May 2019