by Kate Fazzini
Executives are expected to be able to interact with all the people who work in the bank. A business manager is an organizer; a chief of staff is a gatekeeper.
Gatekeepers. They are not just deadly in the enterprise, they are murderous to the practice of cybersecurity. Caroline knows this—everyone in cybersecurity knows this. A 20-year-old analyst who specializes in examining computer code must be able to quickly raise an alarm to his top executive. Gatekeepers stop that from happening. A talented engineer who has unique knowledge about mobile device security must be able to shine when the bank buys new cell phones for everyone. Gatekeepers stop this from happening.
Still, Caroline is a company woman. If her boss wants her to be a chief of staff, she will call herself a chief of staff. But she’ll do the job the right way. And she will manage his business. She will manage the shit out of it.
Just before Raykoff came on board, Caroline and the others who had survived the DDoS attack decided to create a matrixed organization. For cybersecurity in the business world, this works well, because there are so few employees and so many things to do. Everyone multitasks.
When a cybersecurity team is matrixed, everyone—including the people who do the hacking, manage the buildings, install the technology, and deal with regulators—cooperates with each other.
What Raykoff proposes is the opposite of that. A heavily layered, top-down organization, where one leader (him) has all the decision-making power and those below him report exclusively to him. This works well in the military, where people must know where their orders are coming from. It does not work as well in a corporation, especially in an organization that does not rely on orders to achieve goals. The enterprise, by contrast, depends on the autonomy of very smart people who are paid to solve problems.
Imagine it this way: You are a cybersecurity employee. You need to make a change to some software that the bankers use. This change will cause the software to go offline for four hours during the workday. The bankers want to be able to work, to make money and hit targets, and they have to do this job using the software. They will be very angry about this. You, the cybersecurity employee, therefore, will not order them to do it because if you do so, they will tell their boss, who will tell his boss, who will raise it up to a high-level manager who will then get into a fight with your high-level manager, delaying this important security project. So instead you negotiate.
You agree with the business unit leaders to stagger the time, so only half the downtime is during the workday and the rest of the hours are on a Sunday. You create a chart describing precisely how the downtime will keep their systems safe from some kind of awful security problem that recently struck traders at another bank. You, the cybersecurity employee, are not in charge. Neither is your boss. Nor are the bankers or their bosses. Nobody is really “in charge” except the shareholders, so all things must be negotiated.
But it becomes quite clear that Raykoff, who continues talking over Caroline’s head about operational strategies and synergies and best practices, does not believe this, or perhaps does not understand it. As Raykoff drones on, it becomes clear that Caroline will not be in her job for long, because he wants a military man. Someone more hard-hitting, more authoritative. One of his buddies.
He says he wants to be insulated from the lower levels of staff. He discusses adding several layers below the chief of staff to help with this. He already has a few people in mind. People to replace all the talented people, like Carl, who have already proven their worth.
Gatekeepers for the gatekeepers. Caroline winces.
It’s not that Caroline isn’t comfortable with leaving her job if necessary. This is the nature of how a bank operates. Organizations change all the time. But she never contemplated having to leave her friends in the hands of someone who so transparently doesn’t understand how the organization that hired him works. She feels an unfamiliar anxiety in her stomach as he rambles on. He mentions some aspects of cybersecurity that are unfamiliar to her. She plumbs her memory and experience to try to understand the terms he’s using.
It’s government jargon. Terms that have little practical application in the enterprise. Then he brags a little, something about having served as a cybersecurity advisor to Condoleezza Rice. He talks about something called con-ops. Concept of operations. That sounds vaguely familiar.
“Do you mean a business plan?” she asks.
He stares back at her blankly.
What we have here is a failure to communicate.
It gets worse. He seems annoyed that she spoke. He becomes gruff. Dismissive. Rude. Asks her where the coffee machine is. Makes a joke about how that’s probably sexist. She composes herself. Anger helps.
He asks her whether she knows how to use the fax machine. Her eyes narrow. Caroline has a master’s degree in cybersecurity and seven technical certifications. She knows more about financial-sector security than anyone at the U.S. Department of Treasury.
He begins listing all the cybersecurity staffers he is hoping to hire, a job he is tasking her with. The people he is naming will replace some of her most precious, most loyal dragons. People she loves like her own family. The godparents of her children. Some attended her wedding. She cried with them when their children were born and, in some cases, when their children died.
He never looks at her. He keeps his eyes set on a space on the wall far above her forehead.
He asks her if she knows the best route to get to the Newark airport.
She is taking notes. She’s written the name “Bob Raykoff” in black as the header. She clicks the black part of her four-color pen closed. Clicks open the red part. Draws a neat red line through his name.
“Yes, sir,” Caroline says with a smile. “I’ll go print off a map for you.”
On her way out, Caroline stops by the operations center, where she’s greeted cheerfully by some of her colleagues. She gives out a round of hugs. They want to know how the meeting went. She tells them it was fine. No one says another word. They don’t have to.
Raykoff doesn’t know it and he never will, but his career at NOW Bank is over. It ended during the first hour of his first meeting with the mother of so many hackers.
It will be a very fast, then a very slow demise.
* * *
It is 5:15 a.m. in Vladivostok, Russian Federation, and still the previous day elsewhere—3:15 p.m. in Orlando, Florida, and 12:15 p.m. in Seattle, Washington, and 9:15 p.m. in Tel Aviv, Israel.
Tony Belvedere is at the Orlando International Airport. He waits quietly in a long line of tired, sweaty families. The air conditioner blasts. He contemplates a giant gumball machine the size of a minivan. It has an intricate trail and takes minutes to spit out each individual piece of candy. Two boys keep pumping quarters into it. Tony understands. It’s mesmerizing to watch.
He’s on his way to Newark. Once he reaches his destination, Tony plans to drive out to a dump of an abandoned suburb of the city, a subsection of a neighborhood called Orange, and set up a fake bank. It’s the fifth time he’s done this.
He’ll set up the fake bank inside the Clarksburg Federal Credit Union, a nearly defunct institution for low-income residents of Orange. For the modest sum of $100,000, he will bribe the credit union’s board of directors to allow him and his cohorts to take it over.
He will pay in cash with the proceeds of the members-only sports memorabilia collectors group that he owns. Tony hates sports but loves money. That company, Fantastical Autographs, is a front that launders money for cybercriminals in Vladivostok and Tel Aviv. Using Bitcoin converted into cash, the dirty money gets filtered into phony sports memorabilia investments, then cashed out and cleaned up through a network of both real and phony banks.
Tony’s not flying with the $100,000 in cash. That would be gauche. It’s in a business account held by Fantastical Autographs at a NOW Bank branch in Midtown Manhattan, just 11 floors below where Caroline Chan sits in a conference room, sadly contemplating what she will do next in her career.
Tony’s associates in Tel Aviv, Moscow, and Vladivostok have also hacked into NOW Bank. They prowl the bank’s networks, looking around, taking information from the bank’s asset management organization about people who may be susceptible to a pump-and-dump scheme. This type of scheme will involve calling those individuals who, based on their data, appear rich and possibly vulnerable enough to hit with a sales pitch for penny stocks. Once their orders drive up the price of the stocks, of which the criminals hold the majority, they will “dump” the worthless investments and pocket a significant profit.
They take just enough information, not too much to trip any alarms, not enough to ping the sensitive radars of the bank’s many sophisticated cybersecurity tools. Just enough. Little by little. They drill these folks with penny stocks, then reap the proceeds. Drip, drip, drip.
They’ve made close to $100 million doing this. Some of that money will be flowing through the credit union by the end of the month; some of it will make its way back through NOW Bank. Some of it will be used to buy baseballs with forged Pete Rose signatures for outrageous prices. None of it will be in any given place at any given time.
It’s some kind of god-awful hour in Tel Aviv, but his associates there are awake and texting him secure, disappearing messages on a smartphone application called Wickr. They want to know the status of the bank setup in Orange. They have too much money; they need to dump it now. They don’t state this exactly, of course, but Tony gets the gist.
They are not just in NOW Bank. They’re in some smaller banks, as well. They’ve also hacked a consulting firm, an accounting giant. They’re even in The Wall Street Journal. All with the same goal—finding people with too much money and not enough street smarts. Thankfully for Tony and his cohorts, there are a lot of people who fit that description.
* * *
At a place like NOW Bank, it’s easy for hackers to narrow the target pool. The bank does the work for them by cordoning off the rich and older customers from the hoi polloi.
NOW Bank has five primary lines of business: retail banking, investment banking, commercial banking, asset management, and the core corporation itself, which is where all the lawyers, human resource people, and technology staff are housed.
The retail bank oversees all of the bank branches, its brick-and-mortar presence. This includes the mortgage lending business, car loans, personal loans, small business banking, private banking, and wealth management. Those last two might be of some interest to the Israelis. The highest tier of individuals served by the retail bank are people who have at least $50 million in assets but less than $100 million. Not that rich. But good targets for one-off schemes. The retail bank is a great target if they are going after credit card numbers and checking accounts, but they’re not.
Then there’s the commercial bank. It’s a slightly better target because there are some big transfers going back and forth. This makes for lots of reconnaissance opportunities for other types of operations. Specifically, it’s perfect for getting enough information to execute man-in-the-middle attacks.
In these types of schemes, the bad guys get as much information about a company’s CEO as possible. They’ll pretend to be him—digitally anyway—and convince his lawyer or his secretary to wire money to an offshore account, feigning urgency on an unpaid invoice. Some of these scams make upward of $10 million at a time.
And then there’s the investment bank. A treasure trove of embarrassments, especially when plumbing the emails of male traders who just cannot keep it in their pants.
These guys have been dreaming of the day that they can have a big swinging dick just as described in Liar’s Poker. Those days are long gone, but even the 20-year-old upstarts don’t realize it. They don’t even work on Wall Street. They work on Park Avenue or in Brooklyn. There are 16-year-old Russians turning more profit than they do, and without taxes. These bankers put so much information about what they’re doing in email and text messages. Who’s acquiring whom, what analysts will say in their next series of letters recommending certain stocks. They store valuable algorithms, business plans, instructions on how to execute high-speed trades, and they do it carelessly. Hubris.
Then there’s asset management. Nobody’s allowed in without $250 million or more in wealth. This is the sweet spot for a pump-and-dump operation. But it’s smaller and more prestigious and, for that reason, harder to get to. That’s a lot of money and reputation at stake, and banks have traditionally been better at protecting these clients.
At NOW Bank, as in most large banks, the asset management organization is run by a personality: Lydia DeBuffet.
Lydia DeBuffet conveys a very specific type of wealth: confident but never flashy. She’s unmistakably beautiful, but not sexy. Grievances are closely held and never, ever aired in public. Lydia is deeply intelligent, aggressively well connected—more than she will ever let on—and she can bevel the edge of a Carrara marble countertop with her glare.
In many ways the asset management network is like her: utterly impenetrable. Unless you have $250 million. Or look like you do. Or, in the case of Belvedere’s contacts in Tel Aviv and Russia, have other ways to get in.
Finally, there’s the corporate organization. Compared to asset management’s refinement, corporate is the Lotto-ticket buying cousin from the old country. Bob Raykoff sits in corporate. When he meets Lydia DeBuffet for the first time, it does not go well. Because one of them holds all the cards—the one who makes the money—and it’s not him.
Within the company, corporate is referred to as a “cost center.” Meaning it has a negative bottom line and is a drain on resources. Cost centers don’t generate revenue, they only incur costs.
Cybersecurity is also a cost center. However, the DDoS attacks demonstrated value in what cybersecurity professionals do. But value and making money are two very different things. People like Caroline will never have the status of a less-experienced banker who happens to bring in the bucks. Most people who work in the corporate setting understand this implicitly, but this reality can take time to get used to.
Technology is both corporate and a cost center. After the financial crisis, the bank had the unenviable task of integrating, practically overnight, the technology from several other large investment banks, retail banks, commercial banks, and asset managers who were thrown together at once—all on a cost center budget. The bank also had to integrate thousands of potentially disgruntled employees who weren’t thrilled about the work, a huge risk to cybersecurity.
* * *
At about the same time in mid-2014, in a prison cell in Seattle, Valery Romanov contemplates the indictment against him. The indictment is sealed and not yet available to the public, but he knows why he’s being held because he has a copy. It’s his indictment.
He has been accused of multiple violations of the U.S. Computer Fraud and Abuse Act. He is accused of abusing computers and the internet, two entities he thinks deserve far less abuse than humans. He’s not particularly worried. Such crimes normally garner a sentence of five years or less, so it’s not like he will be here for decades.
Beginning at a time unknown, but no later than October 2, 2009, and continuing through on or about January 20, 2011, within the Western District of Washington and elsewhere, Valery Romanov, aka NTrain, aka Roman Valerov, aka Nikolai Rubenfeld, aka nCux, aka bandylegs, aka shrork, aka Tokyo Joe, aka peacemaster, aka Tupac (hereinafter Valery Romanov), and others unknown to the grand jury, knowingly and willfully devised and executed, and aided and abetted a scheme and artifice to defraud various financial institutions, including but not limited to NOW Bank, Boeing Employees’ Credit Union, Chase Bank, Capital One, Citibank and Key Bank. The object of the scheme and artifice was to “hack” into the computers of retail businesses within the Western District of Washington and elsewhere; to install malicious computer code onto those hacked computers that would effectively steal the credit card numbers of the victim businesses’ customers; to market and sell the stolen credit card numbers
on criminally inspired websites, for the purpose and with the intent that the stolen credit card numbers would then, in turn, be used for fraudulent transactions across the United States, and in foreign countries. By way of this series of criminal actions, the defendants intended to and did generate and receive millions of dollars in illicit profits that they then converted to their own personal benefit and use.
He scans the indictment again. And again. And again. Reads it in full. Makes a mental note of the things they got wrong, but does not laugh about them. Here, in this cell, they have taken away his computers. There is nothing to laugh about. He has nobody to ping, nobody to text to commiserate with about this injustice. He cannot take selfies with stacks of cash to balm his pain. He’s alone with the papers and his own mind.
The printed pages feel foreign to him. He doesn’t like how thick and heavy the paper feels, how difficult it is to interact with the words. Sometimes he swipes his fingers across it by mistake instead of turning the page with his hands. There is no depth to it, no endless electronic well to dive into. If Valery Romanov were the anxious type, which he is not, he would be feeling it now. He has reached the end of the 40-page indictment. He goes back again to the first sentence. His favorite sentence:
Beginning at a time unknown.
This is the government’s biggest mistake. Because when did it all begin for Valery? What made Valery the most influential hacker in the world? He goes over, in his mind, some of the options, but none of them is a time unknown. He knows all of them.
1984. Maybe that’s when it began, when he was born and lived in a 1,000-square-foot room in Vladivostok, Russia. A port town on the Sea of Japan, 5,778 miles from Moscow, a two-day, 120-stop train ride on the Trans-Siberian Railway. He shared the room with his single mother and three other families.
