For someone at the forefront of the fight against cybercrime, Michael Brown is not shy of admitting there is a long way to go. Within the first five minutes of our meeting, the president and CEO of global internet security firm Symantec says there are at least 80 million cyber attacks per year — 400 every minute — but as many as 70 percent of them go undetected.
That is despite efforts by Symantec and its rivals to crack down on a crime that has been estimated to cost the global economy $445 billion every year, according to the US-based Center for Strategic and International Studies (CSIS).
That is larger than the illegal drug trade and its significance is reflected in Symantec’s operations. Headquartered in California but with offices around the world including in the UAE, Riyadh, Jeddah, Qatar and Kuwait, Symantec has more than 11,000 employees working to identify risks, monitor attacks and create security programmes to protect consumers. It had a turnover of $4bn in 2014, the most recent full-year figure.
Brown was appointed to head up Symantec in 2014 after serving as chairman and CEO of Quantum Corporation. No reclusive technology geek, the California-based graduate of Stanford and Harvard universities is a classically trained pianist and has played in a rock band called The Wildcats for the past 15 years.
In an interview with Arabian Business in Dubai, Brown says the scale and severity of attacks is intensifying and explains why Gulf-based organisations are increasingly vulnerable as hackers, or ‘bad actors’ as they are known in the industry, become more sophisticated.
“Most of the threats are motivated by greed,” he says. “More and more of our lives are stored digitally and that information is highly valuable, be it credit card details or information about our identity. The bad guys have figured out how to inflict more damage economically by accessing that information.
“For one, the sophistication of the attacks is increasing. The number of basic spam attacks has gone down as they are easy to spot as emails with a malicious code embedded.
“Instead, hackers are using advanced social engineering to put together highly realistic emails. For example, a message sent to a company chief financial officer purporting to be from one of his staff, requesting he transfer tens of millions of dollars to a client firm elsewhere.”
This form of attack is known as ‘spear phishing’, Brown says.
“However, perhaps more dangerously, we are also seeing increasing levels of sophistication about how hacking can cause material damage in the real world. Vital information about how the world works is stored digitally, so folks can use that to start affecting physical assets and the way they function — disrupting critical infrastructure like power plants.”
An example of this is a malware attack in 2014 by Eastern European collective Dragonfly. It compromised more than 1,000 energy companies across 84 countries in North America and Europe, including energy grid operators and industrial equipment providers. Symantec said at the time that it suspected the group’s primary goal was espionage.
Brown is talking about career hackers, not a handful of morally flexible tech whiz-kids operating from their garages. “It is increasingly possible to make a living from hacking,” he explains. “We like to think it’s just a few bad actors but we are increasingly seeing larger and more sophisticated organisations with business models and even customer service numbers victims can call to find out what they must do to stop an attack.”
This often involves paying off a criminal organisation in the same way you might resolve a kidnapping. “Attacks using a type of software called Ransomware have increased by more than 100 percent in the past 12 months,” Brown claims. “The agents use the malware to run ‘campaigns’ that essentially take over your machine and send you a message threatening to block access to all of your data unless you pay a certain amount of money.
“If you haven’t backed up your system lately and have no security software in place, there’s nothing you can do. These criminals are clever — they have a proper business model and have worked out how much they can charge to maximise the number of people who feel it’s worthwhile to pay.
“The campaigns run for a couple of months until there’s enough security software out there to recognise them, and then they move to a new campaign, which is just a variation of what went before.”
Such attacks are more continuous in nature than they are episodic, he says. “It’s all about the economics, and making sure it pays.” One campaign, called Cryptolocker, netted hundreds of millions of dollars for criminal organisations during the two months in which it ran.
Other such sophisticated attacks look for access into a company or government’s network and spend a substantial amount of time undetected in there, seeping up information before they are discovered. A case in point was the breach of a reported $5.5m worth of data at Sony Pictures in 2014. This was a state-sponsored attack by North Korea-based hacker group Guardians of Peace, Brown says, noting that the tell-tale sign was a blue screen that showed up with the group’s logo.
“This was the end of the attack, not the beginning — the hackers already had all the information they wanted.”
Guardians of Peace leaked nearly 100 terabytes of employee data, it was claimed at the time, including information about unreleased movies, unpublished scripts, executive salaries and internal emails. Brown points out that today’s cyber attacks can last up to 200 days before the security firms pick them up — more than enough time for hackers to infiltrate private networks and seize reams of confidential information. The CSIS claims the damage to businesses as a result of the loss of intellectual property from hacking could be in the region of $160bn per year.
Attackers are based all across the world but there is a concentration in Eastern Europe, Russia and China. Brown claims as much as 50 percent of attacks globally are attributed to an organisation called the Russian Business Network, an anonymous group Symantec says it is monitoring closely.
Brown is unable to disclose how many attackers are based in the Gulf, but says the UAE alone is the fourth most targeted country in the world for cybercrime. Around 2 million people in the UAE were affected by cybercrime in 2015, according to Symantec’s latest annual Norton Global Cybersecurity Insights Report published in November, while five out of six businesses across the world are expected to become victims of cyberattack each year.
“The Gulf is increasingly becoming a target for cybercrime and that’s because it has all the elements of a prosperous economy, growing reliance on a digital economy and increased use of software. Then you have the fact that the region is geographically right in the middle of some dangerous neighbours who want to see what’s going on.”
Sectors especially vulnerable to attack in the Middle East include healthcare, education and government, says Brown. “For a while there was a heavy emphasis on financial services because that was where valuable digital information was held.
“But this sector has spent a lot of time and energy protecting itself so bad actors are looking for easier targets. Government departments and privately run public service providers such as healthcare groups hold a lot of crucial information that could be used to compromise someone’s identity.”
Dubai Police in February this year announced a 23 percent surge in individual cybercrimes since 2014, and Brown notes that in 2014 the UAE government doubled its ten-year budget for homeland security — including information security and cybercrime — to $10bn as the country becomes more digitally advanced and more vulnerable to attack.
Dubai in particular aims to become one of the 600 ‘smartest’ cities in the world as part of the Smart City 2021 initiative, and the first city in the world to have 100 percent broadband penetration. Brown says Symantec is working closely with the government to identify threats and harden systems.
“Our view is that we have two missions in life: one is of course selling products and services to protect our customers — which are businesses, governments and consumers.
“The other is working with law enforcement agencies such as the FBI, Interpol, Europol, to try to stop these attacks and make the world a safer place given the increasing amount of activity that happens online.”
The approach is a combination of people, process and technology. First, the industry must work harder to raise awareness, says Brown.
“The UAE and other governments are doing a lot in this space. President Obama recently announced the National Cyber Security Action Plan. He’s saying, ‘Let’s get more serious about this issue: the economic damage is significant and we’ve got to do more to protect ourselves’.
“Much of it is about improving ‘hygiene’, such as tightening password protection and investing in security software.”
Second, says Brown, more people need to be trained to deal with the problem. In this regard, Symantec provides consultancy and other services to businesses and governments. Finally, the actual technology is crucial.
“A large part of our business is about assuming you are going to be attacked and, particularly as a corporate, that someone is going to compromise your network. So, how do you ensure the critical information is protected?”
Brown says Symantec is investing 25 percent of its revenue in research and development and has more than 500 full-time researchers working to develop tougher security architecture based on real-time monitoring of information Brown describes as ‘threat telemetry’. “This is data related to the type of attacks we are seeing, who are the perpetrators and how they are evolving. When our analysts see something new they’re on to it quickly to see what’s behind that.”
He claims such intelligence comes from 175 million ‘end points’ (computers or other devices), 30 billion URLs and 25 billion unique files. Add that up, says Brown, and Symantec is watching 8 trillion online ‘objects’ at any given point in time and updating its records at a rate of 200,000 objects a second. These updates filter into all of its security software packages in order to constantly refresh and strengthen them.
Symantec is halfway through a three-year turnaround to refocus almost all of its efforts on internet security. In January, it announced the $5.3bn sale of its storage management software division Veritas to a group of investors led by The Carlyle Group. In the coming years it will concentrate on growing its two main security businesses, Norton and Enterprise.
While the Norton consumer security business has a 45 percent market share and is seeing modest growth, says Brown, its other security business, Enterprise, had been in decline for several years and performance only started to pick up in the past 12 months. Brown says the product portfolio needed refreshing and now the business has grown for the third consecutive quarter following a shake-up of its offer.
However, its decline was a factor in Symantec’s year-on-year contraction in 2014, and, while Brown declines to reveal financial figures or forecasts, he says the aim is to accelerate growth in the coming years. Part of this will be through acquisitions that fall within the group’s core business areas of threat protection, information protection, data loss prevention and services and analytics.
The Gulf accounts for up to 30 percent of revenue in the Europe, Middle East and Africa (EMEA) region, and EMEA in turn accounts for around 10 percent of the group’s overall revenue. Brown says there are plans to expand Symantec’s presence in the Middle East to service growing demand.
A substantial risk for the Middle East and beyond is the so-called Internet of Things (IoT), the concept of digitally connected devices and objects to help streamline processes such as traffic control and heat management.
It is the concept behind driverless cars and ‘smart’ energy meters, and is expected to become an even bigger talking point in years to come. “IoT is the next frontier and every technology that enables greater productivity and creativity brings with it risk by expanding the attack surface and increasing the ways in which attackers can penetrate,” Brown says.
“Analytics will be even more important in this world, if we are to understand the different threats these complex networks pose. The whole world increasingly functions via some form of software and this makes it very vulnerable.”