Cybercrime is out of control. It's everywhere. We hear about it every single day. This year, over two billion records lost or stolen. And last year, 100 million of us, mostly Americans, lost our health insurance data to thieves -- myself included. What's particularly concerning about this is that in most cases, it was months before anyone even reported that these records were stolen.
So if you watch the evening news, you would think that most of this is espionage or nation-state activity. And, well, some of it is. Espionage, you see, is an accepted international practice. But in this case, it is only a small portion of the problem that we're dealing with. How often do we hear about a breach followed by, "... it was the result of a sophisticated nation-state attack?" Well, often that is companies not being willing to own up to their own lackluster security practices. There is also a widely held belief that by blaming an attack on a nation-state, you are putting regulators at bay -- at least for a period of time.
So where is all of this coming from? The United Nations estimates that 80 percent of it is from highly organized and ultrasophisticated criminal gangs. To date, this represents one of the largest illegal economies in the world, topping out at, now get this, 445 billion dollars. Let me put that in perspective for all of you: 445 billion dollars is larger than the GDP of 160 nations, including Ireland, Finland, Denmark and Portugal, to name a few.
So how does this work? How do these criminals operate? Well, let me tell you a little story. About a year ago, our security researchers were tracking a somewhat ordinary but sophisticated banking Trojan called the Dyre Wolf. The Dyre Wolf would get on your computer via you clicking on a link in a phishing email that you probably shouldn't have. It would then sit and wait. It would wait until you logged into your bank account. And when you did, the bad guys would reach in, steal your credentials, and then use that to steal your money. This sounds terrible, but the reality is, in the security industry, this form of attack is somewhat commonplace. However, the Dyre Wolf had two distinctly different personalities -- one for these small transactions, but it took on an entirely different persona if you were in the business of moving large-scale wire transfers.
Here's what would happen. You start the process of issuing a wire transfer, and up in your browser would pop a screen from your bank, indicating that there's a problem with your account, and that you need to call the bank immediately, along with the number to the bank's fraud department. So you pick up the phone and you call. And after going through the normal voice prompts, you're met with an English-speaking operator. "Hello, Altoro Mutual Bank. How can I help you?" And you go through the process like you do every time you call your bank, of giving them your name and your account number, going through the security checks to verify you are who you said you are. Most of us may not know this, but in many large-scale wire transfers, it requires two people to sign off on the wire transfer, so the operator then asks you to get the second person on the line, and goes through the same set of verifications and checks.
Sounds normal, right? Only one problem: you're not talking to the bank. You're talking to the criminals. They had built an English-speaking help desk, fake overlays to the banking website. And this was so flawlessly executed that they were moving between a half a million and a million and a half dollars per attempt into their criminal coffers.
These criminal organizations operate like highly regimented, legitimate businesses. Their employees work Monday through Friday. They take the weekends off. How do we know this? We know this because our security researchers see repeated spikes of malware on a Friday afternoon. The bad guys, after a long weekend with the wife and kids, come back in to see how well things went.
The Dark Web is where they spend their time. That is a term used to describe the anonymous underbelly of the internet, where thieves can operate with anonymity and without detection. Here they peddle their attack software and share information on new attack techniques. You can buy everything there, from a base-level attack to a much more advanced version. In fact, in many cases, you even see gold, silver and bronze levels of service. You can check references. You can even buy attacks that come with a money-back guarantee --
(Laughter)
if you're not successful. Now, these environments, these marketplaces -- they look like an Amazon or an eBay. You see products, prices, ratings and reviews. Of course, if you're going to buy an attack, you're going to buy from a reputable criminal with good ratings, right?
(Laughter)
This isn't any different than checking on Yelp or TripAdvisor before going to a new restaurant. So, here is an example. This is an actual screenshot of a vendor selling malware. Notice they're a vendor level four, they have a trust level of six. They've had 400 positive reviews in the last year, and only two negative reviews in the last month. We even see things like licensing terms. Here's an example of a site you can go to if you want to change your identity. They will sell you a fake ID, fake passports. But note the legally binding terms for purchasing your fake ID. Give me a break. What are they going to do -- sue you if you violate them?
(Laughter)
This occurred a couple of months ago. One of our security researchers was looking at a new Android malware application that we had discovered. It was called Bilal Bot. In a blog post, she positioned Bilal Bot as a new, inexpensive and beta alternative to the much more advanced GM Bot that was commonplace in the criminal underground.
This review did not sit well with the authors of Bilal Bot. So they wrote her this very email, pleading their case and making the argument that they felt she had evaluated an older version. They asked her to please update her blog with more accurate information and even offered to do an interview to describe to her in detail how their attack software was now far better than the competition.
So look, you don't have to like what they do, but you do have to respect the entrepreneurial nature of their endeavors.
(Laughter)
So how are we going to stop this? It's not like we're going to be able to identify who's responsible -- remember, they operate with anonymity and outside the reach of the law. We're certainly not going to be able to prosecute the offenders. I would propose that we need a completely new approach. And that approach needs to be centered on the idea that we need to change the economics for the bad guys.
And to give you a perspective on how this can work, let's think of the response we see to a healthcare pandemic: SARS, Ebola, bird flu, Zika. What is the top priority? It's knowing who is infected and how the disease is spreading. Now, governments, private institutions, hospitals, physicians -- everyone responds openly and quickly. This is a collective and altruistic effort to stop the spread in its tracks and to inform anyone not infected how to protect or inoculate themselves.
Unfortunately, this is not at all what we see in response to a cyber attack. Organizations are far more likely to keep information on that attack to themselves. Why? Because they're worried about competitive advantage, litigation or regulation. We need to effectively democratize threat intelligence data. We need to get all of these organizations to open up and share what is in their private arsenal of information. The bad guys are moving fast; we've got to move faster. And the best way to do that is to open up and share data on what's happening.
Let's think about this in the construct of security professionals. Remember, they're programmed right into their DNA to keep secrets. We've got to turn that thinking on its head. We've got to get governments, private institutions and security companies willing to share information at speed. And here's why: because if you share the information, it's equivalent to inoculation. And if you're not sharing, you're actually part of the problem, because you're increasing the odds that other people could be impacted by the same attack techniques.
But there's an even bigger benefit. By destroying criminals' devices closer to real time, we break their plans. We inform the people they aim to hurt far sooner than they had ever anticipated. We ruin their reputations, we crush their ratings and reviews. We make cybercrime not pay. We change the economics for the bad guys. But to do this, a first mover was required -- someone to change the thinking in the security industry overall.
About a year ago, my colleagues and I had a radical idea. What if IBM were to take our data -- we had one of the largest threat intelligence databases in the world -- and open it up? It had information not just on what had happened in the past, but what was happening in near-real time. What if we were to publish it all openly on the internet? As you can imagine, this got quite a reaction. First came the lawyers: What are the legal implications of doing that? Then came the business: What are the business implications of doing that? And this was also met with a good dose of a lot of people just asking if we were completely crazy.
But there was one conversation that kept floating to the surface in every dialogue that we would have: the realization that if we didn't do this, then we were part of the problem. So we did something unheard of in the security industry. We started publishing. Over 700 terabytes of actionable threat intelligence data, including information on real-time attacks that can be used to stop cybercrime in its tracks. And to date, over 4,000 organizations are leveraging this data, including half of the Fortune 100. And our hope as a next step is to get all of those organizations to join us in the fight, and do the same thing and share their information on when and how they're being attacked as well.
We all have the opportunity to stop it, and we already all know how. All we have to do is look to the response that we see in the world of health care, and how they respond to a pandemic. Simply put, we need to be open and collaborative.
Thank you.
(Applause)