Gary Warner – TRANSCRIPT
Let me ask you a simple question to get us started here. If you’re the victim of a crime, what do you do? I’ll give you a little hint.
So, let’s say as you leave the audience today, you go out to your car, your windows smashed of your vehicle, your stereo’s gone. So, you’re going to call the….. (Audience) Police. Very good.
Okay, you’re at a bar, you walk out with your friend, someone sticks a gun at you and says, “Give me your wallet.” So, you give him your wallet and then you call the – (Audience) Police. Right! You get home, somebody’s kicked in your door, your stereo, TV….. Everything’s missing, out of your house. So you call the… (Audience) Police. Very good.
You have that strange email that says your bank needs to have you reset your passwords, so, you go to the website and the next time you check your balance you realize you’re down $400 because you’ve wired money to a place you’ve never heard of. So you call the… Bank? Your friends are all calling you and telling you that they hope you’re okay. They’ve got an email that says you’re stranded in London and you need to have them wire you some money, so you call your… Email provider ?
Your kids want that new Xbox 1 for Christmas but you weren’t going to camp out for 48h at Wallmart. So you try to buy one on eBay and the guy says you have to wire him the money in order for him to guarantee a Christmas delivery so you send him $700 but you never get the Xbox. So you call… eBay? Why do we call it “Cyber Crime”, but we don’t call the police?
Well, I have a little personal experience with this because we had an incident in our family. We went to the grocery store, we tried to pay for about $100 worth of groceries and were told the card was declined. I was pretty sure I had more than a $100 in the account, we checked with the bank, we find out someone in San Diego has gone to Walmart 3 times and spent $1800 out of our bank account. Well so, we called the police, and the guy says, “Oh would you like me to do a police statement so we can have the bank give you your money back?” We’re like no, we want you to do a police statement so someone would investigate the crime, catch the criminal and put him in jail. He laughs at us, he says, “That’s not how it works.”
And I said well, I’m a criminal justice kind of guy. I know the DA, I’m going to go talk to the district attorney. He says: “Look, Gary, let’s say you can find the person in San Diego. You know what happens next? I, the DA have to fly them back to Birmingham, put them up a safe place where they reside until such time as we have a trial, feed them, he says, “I’ll have to spend far more than $1800 you lost. Call your bank and get the money back.” That’s not enough for me. I have connections everywhere. So I called someone in San Diego, I managed to get an introduction to the San Diego sheriff. Okay, one of his deputies. But, I realized, the problem was the plane ticket. Right?
So, he says, “We’d be happy to investigate this crime for you Mr. Warner, tell you what, just send me a affidavit that says you or your wife will fly to San Diego at your own expense, stay in a hotel for a week and pay for all your own meals if we catch the criminal, because without a witness in the stand, it’s not going to do us any good. I said, well that would cost me more than the $1800 I lost! He said, “Right, call your bank, get the money back!”
Well, I’ve been trying to connect the dots on these crimes because how many people think that’s the only person they ever stole $1800 from? Right! So, all the way back in 1992, I was working at a local university and, I started having these problems because we made this mistake, we plugged ourselves into this thing we call the Internet and as soon as we did that, we exposed ourselves to hackers and viruses and all sorts of problems. And this was before we had anti-virus or firewalls and, so, I found that the secret was sharing information.
I spent a great deal of my waking hours, and believe me I have more of them than you do, tracking down these people and helping by sharing what I had learned about these crimes with other people around the Internet. I help them protect themselves, they help me protect my network. And my boss came to me and he says, “Gary, you’re spending way too much on this. You’re spending all of your time chasing these bad guys; it’s not your Internet!” That was a formative moment for me.
I still remember exactly how that conversation went, I said, “The hell it’s not. My people created this Internet, computer scientists. We invented this and gave it to the world as a gift, and somebody’s out there trying to destroy it by using it to steal your money and your passwords, and your secrets and your documents. I’m going to stand at the end of my internet driveway and protect what’s mine and I hope other people will do the same to protect what’s theirs.
Well, so why doesn’t it work? What if we treated physical crime the way we treat cyber crime? What if we told you when you got home and your door was kicked in, it was your fault you’re a victim, because you didn’t have enough locks on your door? It was your fault you were a victim, because you didn’t have bars on your windows. You should have had a motion detector. If you had an attack dog in the yard, that would be nice, maybe a brick wall around the perimeter with barbed wire – that’s what you needed, because it’s your fault you were a victim. That’s not how we treat physical crime.
Why do we do that with cyber crime? Why is it your fault that your anti-virus wasn’t up to date? Or you didn’t have the most recent security patch? if you’re a victim of a cyber crime, someone tells you that you should buy a firewall. No, you should buy intrusion detection software, what you really need is intrusion prevention software. Actually you probably should hire a manage security services company to go through all of your logs for you to make sure that you didn’t miss an attack.
Why is it your fault if you’re a victim of a cyber crime? Somewhere along the way we decided that market forces should reign and that the industry would tell you, what you needed to do to protect your self from crime. I have a friend in Japan, he re-tweeted me this morning actually. He told me that in Japan, they had a service they were rolling out where you could call it “government phone number” and they’d send someone to your house to remove the virus for you. I said, that’s ridiculous! How could you do that? He said to me very seriously, Isn’t it the government’s job to protect you from cyber crime? Isn’t it the government’s job to protect its citizens?
And I said, “Not in the United States. Not with cybercrime!” I heard a story from Richard Clarke, I was at the DARPA Cyber Colloquium in 2011 and he said, “What if in the Cold War, President Kennedy had said ‘Hey, General Electric, General Motors and Ford, I need you all to come to the White house, have a little meeting.’ And he said, ‘I’ve got something to tell you.’ The Russians may come after us! So here’s what we’re going to do. I’ll take care of defending the government facilities, but you guys might want to look into some anti-aircraft, and maybe some fighter planes because you’re on your own.'” But that’s exactly what we’ve done with cyber crime.
The government’s actually built this wall around their network and they have trusted Internet connection points, these draw bridges where they’ve put in Einstein 3 billion dollar sensor there to make sure that nothing bad comes into the castle. The problem with that is that we’re all on the outside of the castle. The government has said, we should use these industry solutions to protect ourselves but they’re all building a billion dollar wall that we don’t have access to. I know, I have lots of friends and legislators both in the state and national level, and one nice thing about the legislators, they’ve never heard of a problem that the solution wasn’t another law.