
In a way, the recent prisoner exchange may backfire on the United States

The nation was pleased to see the recent prisoner exchange with Russia. But it was not an equal exchange. In return for a traveler and a newspaper reporter, the US handed back a ruthless killer and a group of malicious cyber hackers. James Turgal, vice president of global cyber risk at Optiv, has studied the exchange and its implications in detail. He joined Federal Drive with Tom Temin to discuss more.

Interview transcript:

Tom Temin Mr. Turgal, it is a pleasure to have you with us.

James Turgal Thank you for the invitation.

Tom Temin Do you think this exchange will have consequences in the context of cyber actions against the United States?

James Turgal Yes. I mean, look, there are moral, ethical, pragmatic considerations, and certainly a lot of emotional considerations in any kind of prisoner exchange. And let me say, first of all, I’m very happy for the families of the Americans who were returned. But typically when you do this, when you consider a prisoner exchange, you try to swap, you know, skill levels or ranks, and you release a significant number of highly skilled convicts, what I call cyberterrorists. They’re going to go back to Russia and wherever they came from and re-engage in the cyberwarfare that they were waging before they were captured and convicted. And so we’re putting these significant cyber threat actors back out into the air, right back into the wild, who are going to start wreaking even more havoc on the United States and our allies from a cyber perspective.

Tom Temin And to be fair, I’m sure U.S. officials were fully aware of this, and there’s a lot of diplomatic and technical work that’s being done to make these changes, and I don’t want to discount all of that work, because that’s the work that the country has required them to do, but describe the level of activity that exists in the technical attack, counterattack, thwarting, counterattacks that’s going on between the United States, Russia, other countries, because it’s probably a higher level of activity than people realize.

James Turgal This is an extremely high level. So you also have the distinction, the United States does not authorize individuals to go out and hack on behalf of or infiltrate, you know, companies on behalf of the United States government. And actually, me, being a cyber agent in the FBI, right? Actually, you know, I’ve prosecuted, investigated, prosecuted. You know, individuals from the United States for doing things like this. And so the level of cyber activity just in nation states is at an all-time high. But you add to that what they call initial access brokers, where you have a lot of organizations of independent, independent individuals who are hacking, who are doing like initial access to a company and then they pass it off to another group, right. I can come out of the dark web now and for $5,000 rent ransomware for 30 days and attack whoever I want. So AI has made it a lot worse, so now you have this market where anyone can jump in and use quite a high level of malware, so the numbers are just growing, and it’s just low level, not to mention what we were just talking about, right? These significant, you know, Russian and foreign cyber threat actors who are known, who are highly skilled, right? And you release them back into the wild.

Tom Temin And these are individuals among probably hundreds, maybe thousands in these different countries, in this case Russia. So the question is, is the relatively small number of individuals who have come back to Russia and joined this official and officially sanctioned army of people enough to make a difference? Do you think we’ll see them come back?

James Turgal Well, I mean, that’s a fair question, right? And you won’t know until there’s a significant attack that’s attributed to one of these individuals. Again, these were highly skilled threat actors who were paying attention, you know, certainly taking out and hurting certain American companies. Those are the well-known ones, right? It’s healthcare systems, it’s hospitals. It’s all those types of attacks. And honestly, once we’re able to attribute an attack to one of these individuals, yes, you’ll see that, but it’ll take some time.

Tom Temin We’re talking to James Turgal. He’s the vice president of global cyber threat at Optiv. Is there anything really proactive that corporations, contractors, government agencies should be doing differently as a result of this exchange, or should they just continue to do what they’ve been doing as best they can?

James Turgal Yeah. I mean, I don’t want anyone to change their methodology just because these, you know, threat actors are back on the loose, right? You have to be able to maintain your ecosystem. You’re right. You have to do basic cyber hygiene, right? You have to understand where your data is, protect it, make sure you’re making and spending the right money in the right places to protect your data and your ecosystem. This prisoner swap doesn’t change that, right, but I think it puts a higher price on the fact that we’re now allowing, now that we know the actual TTPs, right? It’s about the tactics, the procedures, all the ways that these particular threat actors were actually working, now they’re coming back and changing those TTPs, right? And so we have to evolve with them.

Tom Temin What are the signals about which sectors might be vulnerable right now? We know that healthcare has been attacked multiple times, and I think it’s still recovering from the recent hack on the cross-organizational payment system. We also had a report from the GAO that municipal water systems, regional operating systems, because of the operational technology, are increasingly being attacked. What are you seeing in terms of trends in sectors that seem to be targeted?

James Turgal Based on our review of our customer base, financial services, they continue to be the number one target. Healthcare, hospital systems. It’s not just the healthcare system, right? It’s, or the sector. You have to realize that there are a lot of companies that own part of the payment process, and then they own a lot of hospitals. And so now you’re going to have this crossover of attacks that not only are taking down individual hospitals, but these companies own hospitals in multiple states, right? And so now the tightening of this law, the scale at which these implications are occurring. It’s not just a hospital in a state, right? It’s a hospital system that operates hospitals in, you know, three or four states, and now we’re talking hundreds of hospitals. And so that’s the aspect of scale that I think is the most important thing to think about, how do we scale that down?

Tom Temin And when you look at the scale of networks in other sectors, across sectors, you’d think that maybe transportation and utilities wouldn’t be far behind.

James Turgal So critical infrastructure, as you mentioned, Tom, is a big deal, right? Whether it’s water, whether it’s power, the power grid, right? Those have certainly always been high-value targets for state cybercriminals and will continue to be. But I’m also seeing growth in manufacturing, and also in some services, right? There was the MGM hack. Real estate is also something that I spend a lot of time on in the real estate industry, whether it’s the real estate side, whether it’s the mortgage side, whether it’s the finance side, right? The attack on Fidelity National Finance, a number of those in the real estate sector are gaining traction.

Tom Temin Going back to the prisoner exchange, you mentioned a few people who weren’t at the top of the headlines and media reports, but these are people who, as you noted, have been convicted, tried, and sentenced to prison. Just give us an idea of the level of hacking and the damage they’ve done. It’s hundreds of millions of dollars.

James Turgal There are a couple of known threat actors that have been released. One of them in particular was someone I call a crypto warrior. So he’s out there, mining cryptocurrency, but also the fraud that goes along with that, and that’s tens of hundreds of millions of dollars in damages, not just the amount that’s been paid out from their ransomware attacks, their malware attacks. But now you add to that how much that company actually has to pay to both respond to that, fix the problem, right, rebuild their systems, and now you have, again, multiples of hundreds of millions of dollars in damages, not just to pay the specific ransom, but also to fix and respond to the attack.

Tom Temin Well, we’re going to have to keep our antenna up, especially now that this has happened. James Turgal is VP of Global Cyber Threat at Optiv. Thanks so much for joining me.

James Turgal Thanks Tom. I appreciate your time.

Tom Temin And we’ll post this interview on federalwsnetwork.com/federaldrive. Listen to Federal Drive on your schedule. Subscribe wherever you get your podcasts.

Copyright © 2024 Federal News Network. All rights reserved.