NEW YORK FOREIGN PRESS CENTER, 799 UNITED NATIONS PLAZA, 10TH FLOOR
MODERATOR: Hey, everyone. I think we’re going to get started. My name is Daphne Stavropoulos and I’m today’s moderator. Welcome to the Foreign Press Center’s video conference briefing on cybersecurity threats and prevention in the current COVID-19 environment. We will now mute all participants’ microphones. Please keep your microphone muted until you are called on to ask a question. If you have technical problems during the briefing, you can use the chat feature and we will try to assist you. If the Zoom session fails or disconnects, please click on the link again to rejoin. As a reminder of today’s ground rules, this briefing is on the record.
I’d like to go and introduce our briefer, Mr. Edward Stroz. He’s the co-president of Aon’s Cyber Solutions. This press briefing is an opportunity to learn about the current cyber landscape in the United States and threats including recent breaches and the motivations of today’s cyber adversaries. Mr. Stroz is the founder and co-president of Stroz Friedberg, an Aon company and global leader in investigations, intelligence, and risk management. Ed oversees the firm’s growth and client development while ensuring the maintenance of its distinctive culture. Before starting the firm, Ed was a special agent with the FBI, where he formed their computer crimes squad in New York. As a reminder, his views are his own and don’t represent those of the United States Government.
Mr. Stroz will provide some opening remarks and then I will open our meeting to questions and answers. And with that, Mr. Stroz, can I turn it over to you?
MR STROZ: Sure, Daphne, and thank you for that nice introduction. Does the audio sound good to people? Okay.
MODERATOR: Yes.
MR STROZ: So greetings, everyone, and good day if it’s afternoon where you are. It happens to be late morning where I am. And I think it’s too important not to start off by saying that I hope everyone and their families are well during these extraordinary days, which are worldwide. This session that I will focus on has to do with cyber risk in that I think there are almost parallel lessons between what we are seeing in the relationship to the COVID-19 problem and even some of the concepts related to how cybersecurity has to be managed by companies.
So I have three main areas that I’d like to start with. I’ll just – I’ll be brief in some opening comments. One is some trends that we are seeing in the communities that we service and with our clients; secondly, some of the specific attacks that we are encountering in the current environment; and then thirdly, some points about implications for security to improve and the kinds of things that companies and individuals can do to try deal with this enhanced risk.
So specifically what we are seeing in the way of trends – first of all, if you are wondering are cyber attacks slowing down in this environment with COVID-19, they are not. In fact, they are increasing. And I was recently on a webinar hosted by one of our law firm clients that had said in their experience they are seeing a five-fold – that would be five times – increase in the types of cyber crime that their clients are experiencing. Specifically what you see quite a bit today are attacks on computer resource availability, specifically ransomware attacks, and these are – I think most of you are familiar with that term, but a ransomware attack is an attack with malware that will encrypt a computer that is infected with malware – that is, ransomware – and the only way to decrypt it so it can function again is to pay some type of a ransom to the adversary that installed the ransomware. And they usually want to be paid in the form of a cryptocurrency, usually bitcoin.
Another trend that we’re seeing is that the vulnerabilities of our clients are also increasing, mostly because their staff cannot come into the office. So in order for companies to function in this environment, if you’re in an area where people are not supposed to go to work or your company does not want people to come to the office, then the staff are at home using whatever resources they have at home to function. So if you were using your home Wi-Fi network, if that home Wi-Fi network is not as secure as it should be, you have new vulnerabilities. If somebody is using their personal computer, or their iPhone, or the devices and things just to be functional, they may not be able to enjoy the security features that the employer and the company put in place when they were working from the office.
And also if you were working from home and if you were targeted by an adversary, the adversaries can usually learn quite a bit about your home, where you live, what kinds of things you’re doing, what features make up your lifestyle at home, and as we’ll see when we talk a little bit more, they may target you more effectively because of that. This is all about, I would say, new ways to trick people, because many of the cyber attacks today begin with a root cause of tricking somebody to either click on an attachment, or to click on a link, or in some way be fooled to do something because the person who is receiving the communication does not realize it is coming from an adversary.
So those are some of the big sort of trends that we’re seeing. If we switch into the specific types, be a little bit more specific, what we’re seeing is that there’s a targeting of health care organizations. Now, this is especially impactful. It’s especially sad. But if you are in the business of providing health care services, whether you are in the private sector or even in government, adversaries are using this as an opportunity to try to exploit the dependency that people have on this. We’ll talk about some specific examples, but it’s been in the press that in the United States Health and Human Services, a federal agency, has been attacked in this way, as has the World Health Organization, the WHO. Again, malware and ransomware have been targeted to varying degrees of success to these organizations, and this has really ramped up in the context of people’s dependency and expectation to be going to these – to the websites of these organizations.
A second specific type of attack would be a financially motivated threat, where what we’re seeing on the dark web – this is the part of the internet that you can’t access through your normal browser – but on the dark web, where malware is developed and offered for sale, that malware with a price tag of anywhere between about $400 to $1,000 U.S. is being offered. Much of the dialogue that we have seen on the dark web about this is in – not just in the English language but also in non-English languages such as Russian and Chinese. And they are offering malware such as specific, custom-made ransomware today that is designed to exploit people’s concerns about the COVID-19 infections. So the – when you receive an email that is coming from an adversary, it will often be crafted to look like it is helpful information or advice about COVID-19 and people will click on that, and by that simple action of clicking they can be infected with malware. Most of that malware is aimed at Windows systems, but there is also some evidence that the exploits are making use of Javascripting.
Other areas specifically would have to do with the supply chain, disruptions of what has been called PPE, personal protective equipment. So this is the kind of equipment that people, especially health professionals, wear when they are in hospitals and servicing patients so that they themselves don’t get infected: face shields, wraps for your body, gloves, face masks, things of that nature. And you will see because there is a demand for this that adversaries are offering through fraudulent emails and other websites an opportunity, they say, to purchase or find these kinds of PPE for sale. And when you actually click on it or follow the link, you wind up receiving the malware that was hidden inside.
We also will see – and I think we’ll see this more in the future – fraudulent lures for economic stimulus checks, because there are many people out there who are aware from reading the news and listening to the news that there are economic stimulus checks to help with this time, and adversaries are crafting their attacks so that they purport to be associated with a way to get information about these programs, when in actuality they are adversaries looking to install malware on your computer.
And lastly, I would say we also see examples of some of the extremist groups trying to take advantage of the current situation in the world to sort of encourage their followers to use this time of disruption to try to go after and attack the organizations that they hate and to encourage their people to use this current situation to be able to be more effective in their adversarial actions.
With that, I just want to quickly talk about some of the actions we – that can be taken, and then I’ll be happy to after that open it up for questions.
So what do you do in a situation like this? You’re aware of the attacks that can be launched, that they are being updated for taking advantage of the current concerns that people have. Well, for one thing you can plan for the possibility that you will experience this. So most of our clients are companies, but we also have individuals who are clients, and we always tell them: Plan for an incident. A good plan that you can think of is better than the perfect plan that you never get around for.
If you experience an attack this way and you are victimized say, for example, by ransomware, how would you recover? And there is no single, simple answer to this because it depends very much on the technologies you use, the resources you have, and the things you have put in place in advance and how you use them. But you can be guided through this, just as you can with any other type of an attack.
We also recommend that now is a good time for companies to institute awareness training for their employees, to know what to look for and know what to do if you experience it. So when I talked about the kinds of emails that can carry malware and ransomware, we can help companies by telling them that they are more likely to experience something like this today; it is even more likely that a risky email will come in, in some way tricking you around the COVID-19 infections, and that you should be that much more skeptical about clicking on something rather than trusting it.
We also tell companies and people to evaluate your critical suppliers. If your suppliers that you depend on are sophisticated in their cybersecurity, that will be better for you, because you depend on that supplier. On the other hand, if you don’t know about the cybersecurity, the degree of sort of sophistication they have and what they’ve done, their vulnerability – because they are a supplier to you – will introduce a vulnerability back to your organization.
We also believe it’s important to monitor for threats. You heard me talk before about how we monitor the dark web for our clients. Clients who can monitor or have those services should be emphasizing the importance of doing that frequently and specifically at this time know that you may be more likely to be targeted and that you may see indications of being targeted on the dark web during these days, more so than even before COVID-19.
And then lastly, I’d just say it’s a good time to use the fact that people are working from home, may have a little bit more time, and can take the effort to identify their security vulnerabilities and patch them. Every company has vulnerabilities. There’s nobody who is perfectly protected. But this can be an opportunity more important to look at those vulnerabilities and to be able to prioritize addressing them. Because if they get exploited, the fact that people are all working from home may hinder and make it more difficult for you to recover.
So Daphne, those are the opening comments I thought I would make. At this point, I can pause, and I’m happy to take any questions.
MODERATOR: Perfect. Well, thank you very much for those remarks. Let’s first hear from those participating via the Zoom app, and then I will turn to those who’ve called in. For those of you joining via the Zoom app, please click on the “Raise Hand” button at the bottom of the participant list or indicate you have a question via the chat feature at the bottom of your screen, and I will call on you.
Okay. It looks like the first question is going to be from Astrid. Astrid, please go ahead.
QUESTION: Hi. Yeah, sorry. I had to unmute. I have a question. May name is Marie Astrid Langer. I work for the Swiss daily NZZ. And I was wondering, Mr. Stroz, if you could possibly quantify by how much cyber attacks have increased, and secondly, if you could give a few more specific examples of noteworthy creativity of the attackers. Thank you.
MR STROZ: Sure. Thank you for that question. The experience has been very recent, and so the hard quantification of the increases are not that reliable at this point, simply because there isn’t a daily way to sort of compute and calculate this. But what I can tell you is in our experience we have seen multifold increases – three, four. I told you one of my clients, which was a law firm, held a webinar with hundreds of participants and that law firm represented that they had seen a fivefold increase in attacks. And mostly I would say, getting back to the second part of your question, mostly in the area of ransomware.
Now I think it’s important to keep in mind a couple of things. I had mentioned earlier that there are parallels with the way you fight an infectious virus and cybersecurity. Just as we now know that people can be carriers of the COVID-19 virus and not be showing any symptoms but be infected and therefore risk infecting other individuals who they come in contact with, computers can be infected. And unless the type of infection is designed to be noticed, like ransomware is, you could be infected with something that is using a computer to hop off and attack another computer, where the full payload will deploy.
So as we look at the types of attacks here, it’s easy to think that the only type of attack you have to guard against is ransomware on your particular computer. But in fact, that’s only one of several types of attacks. The other attacks, which can attack your confidentiality – that is a computer virus or malware that gets on your computer and secretly copies your information – is still a big risk here. And people generally won’t notice whether or not that has happened for months and sometimes longer than months later on.
So the first part of your question about quantifying, I believe what will happen is as time goes on clients will learn that they had been infected not just by the things they saw instantly, like attacks on your availability, but they will also find that they were attacked by compromises to the integrity of their data, the confidentiality of the data. But because those attacks are not designed to show themselves right away, they will not know it for months and months later on.
So I think safe to say multiple levels of increase and I would safe to say – I would say it’d be safe to say that when we learn more, as companies understand their networks and what’s happened, it will only go up.
I hope that was responsive.
MODERATOR: Perfect. Thank you. We have three questions in the queue. Mr. Le, please go ahead. Provide your full name and your media outlet if you can. Thank you.
QUESTION: Thank you, Daphne. My name is Tuyen Le from Vietnam Television. Thank you, Mr. Edward. I have two question. The first one: As you said that the cyber attacks now mostly aiming at Windows systems, so what about other systems like iOS or Androids? Because we often use like MacBook or iPhone so far.
And the second question is that I think journalists are very informative – informed about the cyber attacks, so we don’t often open the strange emails. But we use a lot of apps like Zoom or Skype to telework with people or interview people. So how can we know that that is secured and our computers are not under attack? Because as you know that recently, we heard about the, like, Zoom bombing. People use Zoom teleconference, and then someone jumping in, they’re hacking in, and they post some very dangerous video on that. Thank you very much.
MR STROZ: Yes. Thank you for your question, which is an excellent – two questions. The first part: The attacks that we see on the dark web that are for sale, the exploits, are only a small portion of the kind of attacks that can be launched.
I think the reason that you see Windows being targeted so much is two things: One, Windows systems are still very, very popular, especially with businesses. And secondly, on the dark web, you have a thriving marketplace where suppliers of malware can meet entities and people that want to have a demand for that and want to use it, and they can meet anonymously and they can transmit – transact business using cryptocurrencies and be untraceable.
So what you’re seeing on the dark web are what the – that type of marketplace finds sells best. So right now, if they can put together, through their skills, something that would exploit a Microsoft system and they believe that that will get the most demand and that, therefore, they can sell them the most, that is why you see that so much.
The other types of systems that can be attacked – as you say, iOS systems and devices – there are still attacks associated with that, but the level of – that the marketplace will allow them to sell those may be more restricted. So instead of selling on the dark web, those types of exploits may be developed by organized crime, nation-states, and may not be showing themselves on the dark web. The dark web is only a subset, but it’s an indicator to some degree of what is happening. Because the – because it’s a subset, we can start with that and say, “My God, if this is what’s happening on dark web marketplaces, we know that this is only the tip of the iceberg for other things that can be going on out there.” So that’s how to interpret that aspect of it.
On the second part of your question about the kinds of applications that people are using to communicate – and you gave a good example, the one we’re using right now with Zoom – all of these technologies and applications have vulnerabilities and can be exploited. It doesn’t mean that they’re bad technologies. It just means that the adversaries can use the same simple interface and features that we are all enjoying to be able to use them, to be able to come in and do the kinds of things that you’re reading about, such as Zoom-bombing and taking over sessions or injecting rancid commentary or pornographic disruption.
This is where I was saying before there are new vulnerabilities, because companies that do not have a robust incident response plan and a security infrastructure that you can tap into will turn to things like Zoom and easy-to-use applications because that’s what – that’s the one thing they know how to use that can keep them functioning. Then you basically hope and pray and cross your fingers that you won’t get Zoom-bombed or experience some other attack. I think it just shows that this is the nature of the kinds of things we have.
If you look at the COVID-19 virus in the United States, what people are saying is even if you don’t have a specifically, specially designed mask to wear on your face, today they’re saying just use what you have at home, put it together, wrap it around. It won’t be as good, but it’ll do something. And I think that’s what we’re seeing with companies and people. They’re using what they need to communicate, and security is a secondary thought. I believe – I’m not speaking for Zoom, but I have seen the press reports where their own CEO has said we didn’t really look at security as thoroughly or with as much priority as we are now. And this is the world that we are living in today and just a reflection of it. I think that will continue for some time.
And maybe the last thing I would say is people will learn from this. This can be a teachable moment. So you can’t just do what you want to do, use what you want, and then try to secure it later. You have to build security into the infrastructure and into the considerations when you are managing your enterprise. And as I said before – one of the things – plan for incidents, and if you go through with somebody who has experience with this, they can help you prioritize the kinds of things that can hurt you the most. I hope that answers your question.
QUESTION: Thank you very much.
MODERATOR: Thank you, Ed. The next question comes from Alex. Alex, can you please go ahead and share with us your full name and your media outlet? Thank you.
QUESTION: Absolutely. Thanks for doing this and thank you for a very (inaudible) presentation. Alex Raufoglu of Turan News Agency. I have two questions: The international police agency INTERPOL recently has warned that cyber criminals are targeting hospitals at the forefront of the coronavirus response. It said that criminals representing some sort of software that blocks computers unless a ransom is paid, so mainly through perhaps emails containing an infected link. How to contain these sort of cyber threats on this front?
And my second question: There are concerns about countries with poor human rights records trying to use facial recognition technology and electronic code systems such as the one in Russia we have seen, or as Azerbaijani Government that requires SMS messages to force their lockdown, in other words to control movements of their residents. My question is: How vulnerable are their citizens to, if you may, government-backed type of threat? Do you draw any distinction between malign type – let’s say groups versus government-backed cyber threats? Thank you very much.
MR STROZ: Okay. Thank you, Alex, for your questions. The first question having to do with ransomware ties into what I sort of opened my comments with, that these kind of attacks are being aimed at hospitals. And if a hospital – what happens a lot of times are hospitals and other organizations, when they think about cybersecurity in advance – say, six months or a year ago – they often think, “Well, who would want to attack us? We do good work. We help people. Even hackers need hospitals once – at some point in their life.” So they underestimate the likelihood of them being threatened and attacked. And then when something happens like this, they’re kind of caught at a disadvantage because they underestimated the likelihood that this could occur.
For the ransomware and the kind of attacks you’re talking about, it’s impossible to completely prevent this, but there are steps that you can take, but they have to be taken in advance. So for example, if a hospital were to receive an email – as you say, with a click on a link or an attachment – that simple action of clicking on that link or clicking on that attachment brings the malware, the encryption software, onto the device that was used to click on it. And from that point forward, you are infected, so – and anybody can be tricked. If the person in a busy environment receives an email, it looks like it’s coming from their organization or their boss or even somebody from home, and it’s because a hacker has compromised that account and it says, “Oh, here, please read these latest instructions, we – something that could be important for getting through the day,” as soon as you click on it, you’re infected. Very often then, that computer cannot be unencrypted unless you pay the ransom.
And it’s a legal question about whether or not to pay the ransom, because certain lawyers have different opinions, but you might be able to recover from it if the computer that is infected has been backed up or replicated in a different location. If that location has not been infected, you can take the infected computer, take it offline, and start working with an uninfected computer while the IT department goes and reinstalls all the software on the infected computer and wipes it clean.
But look, time is passing if that goes on. And some clients do not have the kind of rapid backup that they need to recover that way. And this is why we say planning in advance, having an incident response plan is key. If you work with somebody, we or firms like ours can tell a company look, here’s the way it plays out. If you get infected, this is what would happen. Let’s talk about how you would respond to this. Do you need to pay the ransom or not? How would you recover from it? Where would that backup reside? Can we make sure that the backup itself doesn’t get infected? And it takes you down a whole pathway of practicing good cyber hygiene.
On the – the second part of your question, could you – I just want to make sure I was tracking. Could you give that second part of the question again to me, please?
QUESTION: Absolutely. It’s about the restrictions imposed by countries with poor human rights – human rights records, such as Azerbaijan and Russia, through SMS messaging or some sort of apps that Russia came up with. What does it say about vulnerability that these people feel in those countries towards their government?
MR STROZ: Yes. Yes, thank you for the reminder. I would say that we are all vulnerable to the use of technology to be able to monitor citizens. And for every device that we use, if you think about it, hand-held devices, we want to make sure that the map function works; we want to make sure that we can make phone calls; we want to be able to search the web. And these technologies are designed to really look and say well, where are you, and let me try to give you responses and work with cell sites and towers that are nearby. The same time, want to give you a camera on the phone, want to be able to give you a microphone. All of these technologies are embedded in something that you are physically carrying around with you. Now, those technologies are not evil, but they can be used by a government or by an adversary in not just governments to be able to find out what you were doing.
And if an organization, a country, does not have a strong human rights record, you do read stories where there is a concern that those governments or those organizations are then buying and using software that is spyware. It sends back information secretly to the organization that deployed it to show what you’re doing, what they are hearing, what the phone is seeing, and that information can be weaponized by an adversary.
At the same time, it’s interesting with the COVID-19 virus, there’s also been a discussion about saying yes, but in a lot of ways governments have been able to use the tracking information that comes from phones to better protect their citizens, because if they have information that shows who is traveling around and who is not and where you’re going, you can better make sure that people are not accidentally or sloppily infecting other individuals. And some people may feel that they expect their government to do this kind of thing.
So we have stepped in – I think this is a very instructive time to say yes, these technologies can be intrusive. They can be used by powerful governments for ways that are not always honored by their citizenship. But also we have seen ways where sometimes people say I’m glad that the government was able to have visibility into things, not because I want to be spied on but because I don’t want to get sick with a virus that could be fatal to me. It is a – it is, I think, a very interesting time for that balance between privacy and the public interest. And I don’t purport to have a perfect answer for you on that, but I do think it starts with having a clear understanding of effects, and that these technologies can be used either way.
QUESTION: Makes perfect sense. Thank you.
MODERATOR: Thank you so much. The next question comes from Pearl. Pearl, please, go ahead.
QUESTION: Thank you very much for being available and doing the session. I think everything you’ve said so far is very, very helpful.
I’d like to expand a little bit more on what Alex was talking about just now, in terms of where it concerns the more autocratic regime space. Some of what you’ve said in terms of the dark web and malware can be high-level for the ordinary individual, not for corporates. Can you speak a little bit – we are seeing some, in the last few days here recently, just individual journalists, independent journalists, pro-democracy journalists being attacked on social media like Twitter, which is not quite – is not e-mail, okay. You’ve spoken for the most part today regarding e-mail and how you can be at risk in that regard, but there are journalists and other individuals who are being attacked on spaces like Twitter, and when you try to report these trolls or bots and so on, Twitter has just handful of options that you can select to report a particular activity or a particular tweet.
And are you not seeing any of these becoming more creative in terms of creating these troll type tweets and so on so that they don’t quite fit the options that Twitter and Facebook provide and so they’re able to get away with this kind of thing? I’ll quote for you, just recently – actually, yesterday, a very top journalist was being attacked and they were pulling out information from her past, true or not true, whether it was fake information or not or real information. But the attempt was to try to blemish or put a stain on that journalist’s reputation. Could you speak about that, if you have anything to share? Thank you so much.
MR STROZ: Thank you, Pearl, and thank you – I’ll thank you in two ways. One, thank you for bringing up the point that this is not just through e-mail and web browsing. You’re absolutely right. Let me just start by saying any application that presents data to your device, whether it’s a hand-held or a computer, whether it’s on the screen or just hidden inside memory or on the hard drive, can be exploited on a packet-switched network, which is what the internet is, to accomplish the things that I just talked about.
So – but usually, in order for the activity to deploy, there has to be some conscious action on the part of the user – I say usually, not always. And in this instance, if you were visiting an application, if you download an application or use it, such as Twitter, and be able to go into these forums, many of the things that I just talked about can be deployed in some way by leveraging these applications.
But I’ll tell you the second part of my thank you to you is doing the work of the journalists. I think good journalism is one of the most valuable aspects of a civilization and always has been, but is really important now. And I think it’s terrible that journalists are susceptible and targeted by the kinds of attacks that I have heard taking place.
When you talk about what can be done about this, if it turns out that you are using an application that is developed and known by a vendor – such as Twitter, such as Facebook, such as Zoom – in my personal opinion, the vendor who builds that application has a certain obligation to monitor troublesome activity. It’s not because they caused it, because obviously if somebody is using an application to accomplish an evil purpose, it is not caused by the application vendor as the root cause, but they did provide a mechanism that allowed that kind of activity to be empowered and take place. I believe that the vendors in this area have to have a robust and responsive pathway for dealing with complaints and activity when people suffer from some type of adverse behavior.
And they can prioritize it. So for example, if you run a big application like these kinds of vendors have, there’s always going to be complaints from individuals about things that really don’t arise to the kind of seriousness that you’re talking about. On the other hand, if we triaged to say yeah but what about the most serious ones – there could be ones where they threaten your safety; there could be ones where they impugn your reputation or contaminate your information. I think if you’re a journalist and you experience something that is troublesome in this way, you should be able to take advantage of a high-priority triage messaging system back to the platform to ask for their help to determine the source of that kind of information and anything that they can do to help identify the facts behind it so that law enforcement or you personally will have the kind of information that you can take action on.
I don’t think – and maybe you’ll tell me differently, but I don’t think we are quite there yet. I think the application vendors are getting better at this based on the things that we have seen happen across the world. But I think these businesses came into business to offer the service you were all seeking. And you step into a whole new arena when it becomes widely dispersed, where you realize that people can exploit this. Just as when telephones were put in, nobody was really thinking about the kinds of threats that could come into telephone systems or fraud, and then when it did, it became important to be able to have the phone companies identify the source and destination of specific phone calls that were found to be problematic.
So I think we are on a curve of evolution in this area, and I don’t believe it has hit a state of real satisfaction for people in your field and in other fields. And I look forward to the date, to a time when these pressures and efforts can make the responses that can be brought in. I don’t think it’s entirely on the vendors, but I think it starts with the vendors to be able to be helpful.
And I hope that answers your question.
MODERATOR: Thank you. And thanks for that last question.
The next question comes from Muhammad. Muhammad, can you please introduce your full name and your news outlet? Thank you very much.
QUESTION: Thank you. My name is Muhammad Salim, on the Online International News Network, the wire news service of Pakistan. My question is – one is already answered, regarding the cybersecurity, but another issue which the minorities and immigrations are targeted by the callers regarding the IRS and Social Security payments. So I think a few months and few weeks back, the FBI has caught a ring operative from some outside the country. So what the other measures you’ve taken to prevent such callers to target the particular group or a particular community?
MR STROZ: Thank you, Muhammad. This is an especially painful topic, because I think for adversaries to prey on people who are perhaps more vulnerable than others, and use what we used to call in the FBI affinity scans – meaning, in other words, if you know that your target who you want to victimize is part of a community that they trust, because maybe they share a cultural commonality or they come from a certain part of the world, or they have a language, or all three of these things, that adversaries can exploit that. Because if they work with somebody or are somebody who can come from that same community, they can find ways to trick those people to be able to say, well, if we send something to this person, and it purports to come from their home country, for example, they’re more likely to click on it. And we can make it look very convincing, because we can put some references in there that would be – that only people from that cultural community would actually know.
And this often is for money. It is sometimes for other information. And I think we will see people trying to exploit that kind of affinity scan for the kinds of attacks that will be related to the government support that they are trying to offer for people right now. Because so many people are out of work, and many people – I’m from New York City originally, I’m not there at this moment, but when you look at the cultural diversity of New York City and how many restaurants and vitality comes from the cultural mix, these people from the restaurant industry are now out of work in many cases, and they are very vulnerable to this kind of thing. Almost all of them have a cell phone. You will see a smartphone with people who do this kind of work in today’s world, and I think they’re going to be targeted. Because the fact that they are known to speak another language, come from another culture, makes them that much more vulnerable. We’ve seen it in the past with other things, and I think we’re going to see quite a bit here.
The last point I would say – and this is, I think, a part that brings pain to anybody who is in favor of justice and equity; I know I did, when I was even in the FBI – is that the adversaries, if you follow the trail, often are outside the United States. And the legal systems that we have to work with do not make it easy to pursue an investigation when it crosses an international border, and that would be in both directions. If somebody is doing something from the United States into another country, and that country is conducting an investigation, it will slow down when it comes to the United States, and it goes in the same direction in the other way.
And when it comes to tracing money and funds, if they trick somebody into wiring money or transmitting money in some way, if you do not respond to that almost the same day, you – the likelihood that you will ever recover that money is almost zero in my experience. So I think we are going to see some painful experiences here.
The only thing I can say is it will prioritize, I think, between countries. If we see, for example, something – I think you’ve said you were connected with Pakistan – if there is something happening in Pakistan and the communication between, say, the United States law enforcement and Pakistani law enforcement can prioritize the top 10 sources of what seems to be this problem, and maybe go after them, you can do some good. But I think it’s – I think there’s pain to be had here.
MODERATOR: Thank you. Just as a reminder, if anyone has a question in the Zoom app, please raise your hand at the bottom of the participant list, or indicate you have a question in the chat feature at the bottom of your screen.
Okay. If there are no more questions in the Zoom app, let’s go to those on the phone. If you are on the phone and would like to ask a question, please – to unmute yourself, please press *6.
QUESTION: Yes, sir. My name is Muhammad Salim. This gentleman that just mentioned about Pakistan – I didn’t say that the ring is Pakistan. I did not say any particular country. But let me say that in previous, FBI has unfolded ring operating from India, targeting the communities in the United States. So in this regard, would you please share something that FBI has investigated? And after they’re framing (inaudible), still those groups are working and targeting the communities.
MR STROZ: Yes, thank you. And my example of Pakistan was just a reference to one country, not to target or take on anybody in particular. In answer to your question, which is very good, I don’t know. I – the experiences within FBI today, the investigations are confidential for the privacy of the people who were affected. But my understanding is that there is a good working relationship between FBI and many other countries in the world because of the FBI’s legal attache program.
So if you go back in time, 20, 30 years ago, the FBI rarely – they did have some, but they rarely had a representative, an FBI representative set inside the American embassy in a non-U.S. country. Today, the FBI has dozens and dozens of legal attaches so that there is a mutual respect and understanding from country to country. I think this is very important, and it should be a two-way street. It should not just be, well, the legal attache person is in, say, India, or in China, or in Singapore, or in Ireland, to be able to just do what the FBI needs. It should be about justice; it should be a two-way street. And it should be to listen to what is happening inside those countries by their law enforcement, and how can the U.S. law enforcement and FBI be helpful to them?
But I think – it’s surprising sometimes, but I’ve seen it over and over again. It really works better when you have human beings who can be in touch with each other. And with COVID-19, I know we’re all practicing social distancing, but this will pass, and I think having respectful people in the country to talk and to listen is what really makes a big difference to go this way. But I’m sorry I don’t have any particular knowledge that I can share with you in specific answer to that part of your question.
MODERATOR: Okay. It looks like we have another question coming in from Masako. Please go ahead, Masako. Please pronounce your full name and provide your media outlet. Thank you.
QUESTION: Hi. Thank you very much for sharing your information. I am very, very – appreciate it. And my name is Masako Shimizu from Kyodo News. And my most readers are ordinary citizens in Japan, which kind of slow for the action for the virus. And if you as a – if you give us a free advice for the ordinary people, not the business perspective, what would you suggest? What would you advise? Like, don’t open your email attachment, or anything? What do you suggest? What do you recommend? Thank you.
MR STROZ: Yes. Thank you for your question, Masako. I think it’s – for the ordinary person, I think it sounds obvious, but it is true that when you receive a link or a communication – whether it comes from email, text, some application that you’re using like WhatsApp, even in the U.S. people use Signal, among other things – if you receive something coming in, be skeptical. Instead of trusting everything unless it looks suspicious, don’t trust anything unless you have a basis for believing it.
So if – say if you and I were communicating for the first time by text or by email today and I were to say to you in the email: Masako, nice speaking with you today. This is Ed. Here’s the information you requested. That may make some sense to you, because you and I were speaking today, and I told you I would send you something. If on the other hand you receive something that looked like it was coming from me, and – but it was sending you something where I said here’s that information I said I would send you, and I never said I would send you any information, I would be skeptical. It is better, generally speaking, to avoid clicking on something or opening something and dealing with the problems that that brings than it is to open something and have your computer be infected.
The other bit of advice I would give is many people have a computer at home and then have a smartphone device or an iPad or something to go with it – not everybody, but a lot of people do. I would say if you receive a suspicious communication and if you have a choice between whether to open it on your computer, your laptop, or to open it on your iPhone device or your Android device, open it on the Android or iPhone device. It doesn’t guarantee it won’t be a problem, but it’s less likely to be a problem because most of the malware that does the most damage is designed to go after a computer hard drive rather than the handheld device.
It’s not – what I’m giving you is general advice. It doesn’t help with the spyware that we talked about before, about spying on citizens through their handheld device. But you have to give people some advice that they can act on. And I would say generally speaking click on the handheld device if you feel you have to and you’re not sure rather than doing it on your computer.
And if you do experience something, if you click on something and it turns out that it doesn’t make sense or it seems that you may have been – had a problem, then you can contact – in your community, there are usually either law enforcement organizations you can contact and file a complaint, or you can go to the vendor who sold you the device and ask them if they can perform or offer you any type of analysis of the device to see whether or not it was infected with something. The answer you get varies greatly, but those are the kind of actions that I’d say to try to prevent a problem or respond to a problem, if I had to give general advice.
MODERATOR: Thank you, Ed. I don’t see any more questions in the queue. So I think that wraps up today’s briefing. I want to thank everyone who’s joined us today. Today’s briefing, again, was on the record. And I will share the transcript with you as soon as it’s available, and it’ll be posted at the Foreign Press Center’s website as well.
So thank you, Ed. I really appreciate your time today. And thank you for all of us – for all that joined. Have a good day.
MR STROZ: My pleasure. Thank you.