‘There’s more opportunity in cybercrime’ than seeking a desk job ─Ric Longenecker, Cybersecurity Expert

In this revealing and riveting interview, Ric Longenecker, Chief Information Security Officer (CISO) at Open Systems, discloses there are 4million vacant positions in cybersecurity industry worldwide, but the cybercrime world is not short of talent! The expert says ‘the idea of me as a CISO finding, hiring, and trusting a brilliant potential cybercriminal is a real stretch.’ Excerpts:

Gbenga Kayode | ConsumerConnect

Cybercriminals have reportedly become greedy with ransom demands hitting new records, becoming somewhat public relations (PR) savvy in recent times.

Law enforcement also celebrates some victories from time to time, a report has said.

For instance, together with financial institutions, the United States (US) Federal Bureau of Investigation (FBI) was able to retrieve around $500million for victims in 2020 alone.

A cybercriminal

It was learnt that the FBI urges any ransomware victim to report the crime; otherwise, they “can’t help you.”

Ragnar Locker, a notorious ransomware group, warns its victims not to dare use professional ransom negotiators, according to report.

RELATED Cybercrime: Europol Busts Italian Hacking Group, Seizes €10million Worth Of Assets

In view of these developments in the cybersecurity world, Longenecker in a revealing interview told CyberNews about the latest trends in ransomware developments, and he was asked whether he would hire a cybercriminal as the dark world is filled with masterminds.

Recently, it seems that awfully many big and prominent organisations are being attacked. Accenture, Gigabyte, T-Mobile, AT&T (even though they haven’t confirmed a breach), to name just a few. What do you make out of this? Have cybercriminals become bolder and greedier? Is it a result of a hybrid work model, or is it just gaining more public attention now?

Yes, things are more public. But I think it’s a combination of many factors, some of which you’ve named.

In reality, we still have a situation where cyber plays into international politics. And we have criminals who are able to live and operate in countries without fear of consequence. So, in the end, it really doesn’t matter who they attack.

What trends do you see in ransomware development?

It keeps growing, of course, due to potential payouts, and we’ve already seen “corporate” models spin up in the last few years. Now, it takes a stronger turn in the sense that blackmail is taken into account – they start to simply threaten to leak confidential information.

Have Joe Biden-Vladimir Putin talks had any effect yet? Is it even wise to rely on policymakers and governments to tackle cybercrime?

Andy Greenberg published another great book back in 2019 – Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers. It talks about early days (post-Yeltsin, start Putin) US/Russian relations on cyber. Things haven’t really changed – talks will have limited effect and are largely political.

RELATED Cyberattacks: Biden Challenges Russia On Critical Infrastructure Hacks ‘Off-Limits’

There’s a shortage of talent (4million worldwide) in cybersecurity. However, it doesn’t seem that there’s a shortage of brilliant minds in the cybercrime world. Why do people become criminals instead of using their skills and talents for good?

Why does anyone become a criminal? Opportunity, circumstances (environment), and timing. And right now, if you live in some countries and are smart, there’s more opportunity in crime than in pursuing a desk job.

While there continues to be a shortage of good people in the industry, there’s a large trust factor that plays out, as well as traditional approaches to hiring still in play.

Photo: Aithority

The idea of me as a CISO finding, hiring, and trusting a brilliant potential cybercriminal – and keeping that person on the “whitehat” side – is a real stretch.

There are not many examples when cybercriminals are caught at the crime scene, are there? Do you anticipate that will change any time soon?

Quite frankly, as many know, it’s actually really difficult to pinpoint or prove who has actually committed the crime in many cases. Beyond that, it takes a number of years and really strong international cooperation to arrest an individual or a group.

RELATED: Cybercrime: US Court Sentences Obinwanne Okeke ‘Invictus Obi’ To 10-Year Imprisonment

I’ve sat in on a number of law enforcement groups working tirelessly across international lines through a case. It takes years and somewhat improves with time. However, don’t expect change any time soon.

Though being instrumental in various uprisings, encrypted chat apps have also become a marketplace for illegal goods, such as ransomware-as-a-service, etc. Should privacy be bent to some extent in important law enforcement cases to fight cybercriminals more effectively?

There are quite a number of intelligence companies working covertly in different encrypted chat forums, etc., that currently work strongly with law enforcement. You can also consider the recent FBI and Australian “sting” operation, which seeded a fake encryption app to millions of criminals worldwide.

Overall, privacy for many remains a strong human right as a concept. And we always need a balance between the ability of law enforcement to do its job and individuals’ rights.

Is the cybersecurity landscape evolving fast enough to tackle cybercrime? There are so many attack vectors nowadays, and the COVID-19 pandemic adds its own challenge with WFH, people being an easier target for fake news, etc.

I would say that cybersecurity has come quite a long way. There are now plenty of good supporting partners and services like Managed Detection and Response that allow the average organisation to implement a strong degree of protection.

READ ALSO Cybercrime: Scammers Fleece Access Bank Of N871million In Five Years ─Report

However, many of the same security challenges that existed 10 years ago exist today in companies. Preparedness starts with awareness and effort, implementation of good IT, and choosing to invest in a few folks to focus in this area and work with a partner.

Even though companies are encouraged not to pay the ransom, it may be the only obvious choice as doing otherwise would mean severe business disruption (for critical infrastructure) or the loss of a business overall for SMEs. What should be done before we can prohibit ransom payments by law?

We’re almost getting to the point that payment will be illegal in some countries. It is actually more limited in possibility as insurance companies will stop paying for it in some cases.

RELATED Cybercrime: US Tracks Down, Seizes Bitcoin Ransom Colonial Pipeline Paid Hackers

In short, we see a stronger amount of due diligence by insurance companies requiring companies to validate their level of security.

This level of validation weighed against a potential payout can be a pretty good mechanism to encourage SMEs to be prepared, and I think it’s a good direction.

Overall, as mentioned earlier, the industry has come a long way. And, in many cases, it’s all about each individual organisation doing its due diligence to realise potential risks, support some dedicated folks on the issue, or get out there and find a partner to help it strengthen its security posture.

As we continue to be more and more digital, the problem of cyberattacks isn’t going away. Hence, organisations need to be thinking proactively about what they can do to equip themselves better.

About Ric Longenecker

ConsumerConnect reports Ric Longenecker, the Chief Information Security Officer at Open Systems, is a seasoned security leader with global experience in the Government, Energy and Consumer Services industries.

According to Open Systems, Ric remains strongly passionate about security and enablement in a fast-changing world.

Ric holds a degree in Electrical Engineering from Lehigh University, a number of certifications, and is strongly involved with multiple industry groups and associations in the US, Europe and Israel.

Kindly Share This Story