It’s 7.30. While average mortals stumble past us, sleepy-eyed on the way to work, we’re taking our places at the Hilton Residencies. Why? The SLASSCOM CXO Breakfast Briefing. The tagline here is “Organized crime, cyber threats and proactive defense”. We’ve been talking about this quite a bit – now to find out what’s actually happening.
The CXO briefing is – or should we say, was – an awareness program. SLASSCOM represents a large number of companies, most of whom are top-dollar providers of software and services to both local and international clients. The purpose of the meetup? To educate the upper management of these companies on the cybersecurity threats that they could be facing. Specifically, organized cybercrime.
Of course, it’s as much a Microsoft event as anything: Windows is hands-down the most widely used computing platform in Sri Lanka and any serious discussion on office either starts or ends there. The primary speaker here is Keshav Dhakad, noted cybersec advocate – the Director of IP, License Compliance and Digital Crimes for Microsoft Asia.
He breaks the ice quickly. “What is the unknown that we should be prepared for?” he asks the crowd in lightly accented English. “Once, when you and I were starting out in the industry, hackers were hobbyists and experimenters. They did things for fun and amusement. Now we have entire criminal syndicates – how and why? Criminals chase the money. And the money today is in the Internet.
“It’s a very big business. $130 million alone is made by cybercriminals every year. 12 people get compromised every second. 50% of adults have been hacked already. Child pornography is increasing.”
His Windows 8-themed presentation goes into how Microsoft, as one of the largest companies in the IT space, is dealing with security: the Microsoft Digital Crimes Unit. This is something you don’t hear of every day: a 100-strong global team of legal and cyberforensics experts who counterhack. Proactive disruption, Keshav calls it. From what we gather, the unit works with governments and companies to actively go out and disrupt cybercrime. Specifically, malware crimes, intellectual property theft and child sex trafficking. (They also have a cool HQ.)
“None of you would have heard of this before,” he confirms, showing a list of major botnets that the team has taken down in the past few years. “People don’t see us as a cybercrime company. They see us selling Windows, Xbox, Bing – but yes, we do this stuff too.”
However, the fundamentals of security boil down to two factors: Clean IT and supply chain integrity – the art of knowing what you’re running, knowing how secure it is and getting your software and hardware from trusted suppliers. There’s a subtle touch on cloud services (which Microsoft is investing heavily in) and on the upcoming Windows XP End-Of-Lifetime declaration before Keshav takes up the primary focus of today’s event: visibility in upper management.
Poor visibility in top management, he concludes emphatically, is crippling IT security. “Your IT managers aren’t just installing software. They need to keep the ship clean. You need to be aware of what’s happening: your clients need to be aware of what’s happening. It’s not just software – it’s about policies. Are people bringing in USB drives from home? Are they connecting their own devices? How’s the data secured? When your programmers write software, what security measures do you have around the data flow?
“IT has to rise from the tech support level all the way up to the board. It’s not a piece of furniture, for God’s sake! This is why companies are appointing top-level executives for security – this is something we cannot ignore.”
The second phase of the event is the panel we’ve been looking forward to: Jayantha Fernando of ICTA, Lal Dias of CERT and Sujit Christy of Layers-7 Seguro Consultoria, led by Mano Sekaram of 99X. MS propaganda aside, the panel session turns out to have some interesting questions.
One professional questions Microsoft’s expensive license fees. “We pay in rupees but you charge in dollars,” he says. Another inquires into Sri Lanka’s cybercrime measures. One question touches on PRISM (without actually mentioning the P-word), querying Keshav whether Microsoft will refuse to collaborate in the future – Keshav vehemently insists that Microsoft will stand up for its own and its users’ data rights.
In a fairly lengthy discussion, we find out that Sri Lanka does in fact have a fair amount of legislation in place, but enforcement is sub-par and the Parliament isn’t making things easier. And that 50% of computers are still on Windows XP, which means they’re twelve years behind in terms of security. Third world problems, eh? After the event, we caught up with the panellists to shed a bit more light on some of the things that they said – catch them on video on our YouTube channel over the weekend.