Kingdom of Lies
Thank you for buying this St. Martin’s Press ebook.
The author and publisher have provided this e-book to you for your personal use only. You may not make this e-book publicly available in any way. Copyright infringement is against the law. If you believe the copy of this e-book you are reading infringes on the author’s copyright, please notify the publisher at: us.macmillanusa.com/piracy.
For Noah and Zahra
This work of mine, the kind of work which takes no arms to do,
Is least noble of all. It’s peopled by Wizards, the Forlorn,
The Awkward, the Blinkers, the Spoon-Fingered, Agnostic Lispers,
Stutterers of Prayer, the Flatulent, the Closet Weepers,
The Charlatans.
I am one of those.
In January, the month the owls
Nest in, I am a witness & a small thing altogether.
The Kingdom Of Ingratitude.
Kingdom of Lies.
Kingdom of How Dare I.
—LUCIE BROCK-BROIDO
Before
The Swallows
René Kreutz is only 15 years old, but she’s out drinking and dancing in a club on a Thursday after school, in the outskirts of a mid-sized town in Romania.
It’s late 2013. They’re playing her jam. Carly Jepsen’s “Call Me Maybe.”
It’s the kind of club where the bouncers don’t let in too many guys over 18. So she feels safe. And anyway, she’s surrounded by her girlfriends. Giggling. Drinking weak drinks.
They dance in a big circle. Occasionally, one will enter the circle and do a particularly silly series of moves, usually something inspired more by their ballet instructor than pop culture. The song is the kind that forces you to bob and weave and shake your hair around, and she does. It’s so loud, it’s hard for conversation, or really anything else for that matter.
Hey, I just met you.
René shout-sings along with the song. She bobs her head left to right with an ear-to-ear smile. Her auburn hair flies around, smacks her friend in the face. They laugh.
At the same time, far away in China, a government-backed hacker named Bolin Chou, who has been stealing intellectual property from U.S. companies for the bulk of his career, has left his job. He is drinking a cheap beer in a Shanghai bar for expats, having scored a new gig at a big hotel as a dishwasher. The bartender is glaring at him and he knows he’ll be chased out soon, since he doesn’t fit in with the more upscale, European clientele. He’s surprised they served him in the first place.
With his cell phone, he uses the short time he has left to monitor the computers of all the businessmen connecting to the bar’s unsecured Wi-Fi network.
He contemplates the possibilities.
And this is crazy.
In Romania, René, who has never met someone from China, bobs left to right and spins.
At the same time, far away in Washington, D.C., Admiral Michael Rogers, the head of the National Security Agency (NSA) and the Central Intelligence Agency, addresses Congress about cyberthreats, contrasting them with nuclear weapons. “That’s very different from the cyber dynamic,” he says. “Where we’re not only going to be dealing with nation-states, but we’re going to be dealing with groups, with individuals, when we’re dealing with a capability that is relatively inexpensive and so easy to acquire, very unlike the nuclear kind of model. That makes this really problematic.”
René has never met an American. She doesn’t know about the NSA, nor what an admiral is.
But here’s my number.
In Romania, René enters the circle of girlfriends and starts a silly dance. She pretends her drink glass is a microphone and sings along even louder.
Also at the same time, not so far away, in Germany, Sigmar “Sig” Himelman, an influential 30-something cybercriminal, acknowledges that he’s burned too many bridges, including with the local police, and is going to need to make a move. He has already disposed of several computers and hard drives. He’s not answering his phones, and soon those will be destroyed, too. He’s packing his bag and going somewhere else, somewhere safer for hackers who like to innovate: Romania.
René has never met someone from Germany. She’s been a bit sheltered. The junior-league clubbing is about as bad-assed as it gets for her. For now.
But in not too long, she’ll be a more influential cybercriminal than Sig, a competitor of Bo’s, and one of Rogers’ new big problems.
So call me maybe.
* * *
Also at the same time, Carl Ramirez stands in a room inside a NOW Bank building in Midtown Manhattan that for reasons he has never been able to ascertain is shaped like a plus sign.
He faces a receptionist’s desk, long abandoned, covered in a layer of dust. Behind the desk, a wall of glass showcases a vivid seven-story drop to a lower atrium where bankers sit, drinking coffee and eating power breakfasts. Unbeknownst to the bankers down below and many of the bank executives above, the financial sector is about to be attacked by terrorists.
Carl, an unimposing, flat-footed bank executive with an engineering degree from Carnegie Mellon and a Gomer Pyle laugh, has come to the rescue. He is here to save the world.
There is nobody here to greet him. Behind him and to the right and left are three locked doors. His cell phone doesn’t work. Even though this floor is filled with employees, the lobby is dead silent.
Carl thinks the scene is like something out of an apocalypse movie, right before the zombies appear. Carl tries the doors again. No luck. Still locked.
He picks up the phone on the receptionist’s desk. The handset has been disconnected. In fact, it’s been stripped of wires. Four paper clips sit lined up in a row next to two empty three-ring binders, each with a gold-leaf Fleur Stansbury insignia.
It’s 2012 and the world is not ending, but four years earlier, someone emptied this desk out in a hurry when Fleur Stansbury dissolved overnight. Fleur Stansbury moved out and NOW Bank moved in. NOW Bank, Carl knows, is one of the biggest banks in the world, by trade volume, by number of branches, by number of customers, and by number of global offices. Pretty much by any standard that you can measure, NOW Bank is absolutely massive. Trillions of dollars flow through the bank’s extensive computer systems every single day.
Nobody has bothered to clean up the desk or hire a new receptionist because this floor is for technologists, not bankers. No big-shot investors were going to be received in this office. No swinging dicks of Wall Street here. Not anymore.
Carl grabs one of the binders. Tucks it under his arm. He needs someplace to store his security reports from today’s event. A dusty relic of Wall Street seems appropriate. Above him, a fluorescent light flickers. There are dead flies inside it.
Carl holds a binder with a PowerPoint briefing about the matter at hand: A terrorist attack called Operation Ababil is about to be executed. It is a well-planned cyberattack, and will likely be well-executed by a shockingly well-resourced group calling itself the Izz ad-Din al-Qassam Cyber Fighters.
A little history: NOW Bank’s cybersecurity team encountered this collective for the first time four months ago, when the group attacked the bank. The group claimed their attack was a response to U.S. policies in Syria and other problems specific to Shiite Muslims. That’s when the Izz ad-Din collective took down NOW Bank’s main website.
When this happened, the entire corporate side of the bank, including its executives, its board of directors, and its customers, all looked to the NOW Bank cybersecurity team to find out what the fuck had happened. And what the executives found staring back at them were a bunch of nerds with zero charisma and even less presence wearing bad, off-the-rack suits without ties. Some of them even wore athletic shoes, not just on their way to work but all day long. They spoke in inside jokes and used weird technical references and spooky-sounding security terms. They were not reassuring.
So for four months, Carl’s cybersecurity team went through a sort of front-office boot camp. They went to Men’s Wearhouse and learned what a tailor does. They crammed on how to use PowerPoint. They practiced spinning the Izz ad-Din incident to get a bigger budget, which they needed, because all of them were making a lot less than their friends at tech companies and not much more than their friends in government. With that kind of compensation, Carl’s boss, Joe, understood, it was getting harder and harder to hire good people.
So here they are, still trying to explain an extraordinarily complex set of circumstances and protocols to a cadre of executives who enjoy a white-glove technology experience in their day-to-day existence. These are people who rarely bother with technicalities, and when they do, they view them as an inconvenience.
Hackers are a notoriously crude lot, and Carl should know because he’s one of the best. He enjoys the elegance of the operation’s timeline because it gives him a schedule during which to size up his worthy opponent. Not only does whoever put this together know what they’re doing. They have style.
This is where the battle between NOW Bank and the Izz ad-Din will be fought.
Game on.
Preface
Kingdom of Lies
It didn’t take me long in my career as a cybersecurity executive to figure out everyone was lying to me.
The biggest lie of all came at the very beginning: that cybersecurity is hard. Too hard. Certainly too difficult for someone who lacks years and years of deep technical training. That it is no place for writers.
That thicket of incomprehensible jargon alone seemed meant to discourage outsiders like me from entering the field. They told me I could never hope to understand the terminology unless I’d worked around it for a very long time. Unless I had a special and complicated certification. Unless I knew how to take apart and reassemble a computer. Unless I knew how to code in Python and could read it, interpret it, and spot problems on sight.
And if I somehow managed to learn the lingo, the learning curve for the rest of it would prove insurmountable.
Lies, lies, lies.
It’s unfortunate, because there is a huge gap between the demand for cybersecurity workers and the people available to fill those jobs. I think one of the reasons for that is because people can’t imagine themselves doing this kind of work.
Can you use a smartphone? Make a PowerPoint? Think on your feet? Ever organize a night out to the movies with your friends that went well and nobody crashed their car to or from the event? Welcome to the twenty-first century’s hottest career path. Are you able to charm the pants off women? Did you escape an abusive marriage? Have you ever hosted a toddler’s birthday party at your home? Honey, I want you on my cybersecurity team.
After reading the stories in this book, you will understand that what makes cybersecurity complicated is the complexity of human beings. So if you know how to deal with people, you can handle internet security. If you understand what makes people tick, not only will you be able to recognize a threat, you’ll be one step ahead of your adversary.
During my career as a cybersecurity executive at multinational corporations, a journalist for The Wall Street Journal and later CNBC, and a professor at Georgetown University, I’ve met a lot of fascinating people. From the hackers who perpetrate malicious attacks to the security professionals who try to prevent these incidents from happening, and the alphabet soup of government agencies that do damage control, at the end of the day they’re all fathers, sons, mothers, sisters, and spouses. In other words, people just like us. Yes, white hats cross paths with black hats and change alliances more frequently than you might expect, but they’re driven by the same desires as the rest of us—even if sometimes it feels as if everyone in cybersecurity is allergic to the truth.
As a professional, I was told a great many lies about the field I have grown to love so much. After becoming a journalist on the cybersecurity beat, I was told even more. Here are a few:
“Let me introduce you to the hacker community.”
This lie is usually delivered with a wink and a nod from someone who thinks they know every hacker on the planet. The truth of the matter is, there is no hacker “community.”
Sure, the guys who make a splash at the big annual conferences might say otherwise. But every country, every state, every faction, every identifying group has its own community of people who hack computers. Some of them are extremely conservative, others are massively liberal, most fall somewhere in between. Some wear suits and ties and work as lawyers during the day, while others look like everyday citizens and have great people skills as they pursue their idiosyncratic agendas.
Some are good guys who get fed up with the low pay and boring duties and become criminals. Some are criminals who end up becoming good guys. Many start and end their careers on either end of that spectrum.
Some, including many you’ll meet in this book, are extremely proficient hackers who have no time or inclination to identify with any community at all.
As a journalist, I was astonished at the number of people who came out of the woodwork to offer me exclusive access to the hacker community. I couldn’t help but notice that the members of the source’s “hacker community” were often people just like him or her. My point is there are many different types of people working in this field, and I can guarantee you that a lot of them are exactly like you.
Here’s another lie: “He’s a luminary in the cybersecurity field.”
He’s probably not. Fame and luminescence don’t typically intersect in this field. The people I’ve met who are actual geniuses aren’t famous, and most of them don’t have social media profiles. They tend not to pontificate on areas outside their expertise.
The people who are constantly headlining conferences and who are so often offered up to me for interviews have less insight than those who stay underground. Anything a high-profile hacker is willing to share typically carries with it a massive and crystal-clear agenda that I’ve learned to spot from a mile away. Even if a conversation is off the record, the intel coming from top government officials or other marquee corporate cybersecurity names carries little novel information.
The only people who have illuminated the way for me in this world—and in this book—have been genuine practitioners who never held a C-level title. You’ve never heard of them and because I’ve changed their names to protect their privacy, you probably never will.
They are luminaries not because of the degrees they’ve collected or the events they’ve headlined but because they carry a lantern that guides the path for others. These types of people typically don’t have a public relations team.
One of my favorite lies: “He doesn’t know what he’s talking about.”
This one is usually delivered by someone who asserts that he or she knows the cybersecurity field better than anyone else. These people will brag that they know what it’s like to be a hacker and can do things that no one else in the room can.
I’m always wary of those who try to establish their bona fides by discrediting the expertise of other cybersecurity professionals. The depth and breadth of this field is so vast that everyone who works in it is an expert at some part of it, and I have yet to meet someone who is an expert at all of it. Not even close.
Every view of an incident is informed by the viewer—what he sees, what her level of expertise is—and that changes over time. It’s like asking someone who lives in the Plaza to describe Manhattan, then asking someone who lives in a halfway house in East Harlem to do the same thing. Different pictures emerge of the same subject depending on your point of reference.
Then there is the final lie, the one that is the hardest to dispute, the lie of the Machiavellian technological wonder. The Lisbeth Salanders and Mr. Robots. The media loves to portray hackers, security experts, and intelligence professionals through a two-dimensional lens: they’re either crusaders for good or practitioners of evil, and they all wear black.
I’ve read countless news articles about people I know that portray cybersecurity professionals as shadowy puppet masters pulling strings with their computer science acumen. For better or worse, I’ve seen these people go through all the same human experiences as you and I, and I want to tell you about them.
* * *
I’ve been working in and observing the cybersecurity world for the past decade. Some of my contacts are criminals. Some of them skate the line between truth and fiction. To the best of my ability, I’ve tried to verify that their stories are accurate or, at the very least, plausible.
The profession, as I write this, is made up of about 9 percent women. I know a lot of them, maybe because we are such a rare lot. In order to staff the shortfall of cybersecurity jobs—millions that will need to be filled by 2020—we are going to have to do a better job of recruiting women to the field. This makes it sound like we are up against some sort of serious challenge, but it shouldn’t be this way. It’s a natural career for women.
Hypervigilance. Risk aversion. The ability to imagine frightening scenarios that nobody else can see based on a series of devastating, cascading factors. Three pathologies so often held against women in business. Three characteristics of so many new mothers. These are enormous assets in the field. Perhaps it’s better, I learned, for women who suffer from them to put them to work, to use anxieties to make money hand over fist.