Our participants for this fifth and final episode of “Patching the System” are:
- Amy Hogan-Burney, General Manager, Microsoft’s Digital Crimes Unit
- Ali Wyne, Eurasia Group Senior Analyst (Moderator)
This special podcast series from GZERO Media is produced in partnership with Microsoft as part of the award-winning Global Stage series. “Patching the System” highlights the work of the Cybersecurity Tech Accord, a public commitment from over 150 global technology companies dedicated to creating a safer cyber world for all of us.
Subscribe to the GZERO World Podcast on Apple Podcasts, Spotify, Stitcher, or your preferred podcast platform, to receive new episodes as soon as they're published.
Podcast: A cybercrime treaty proposed by…Russia?
Disclosure: The opinions expressed by Eurasia Group analysts in this podcast episode are their own, and may differ from those of Microsoft and its affiliates.
Amy Hogan-Burney:It's clear from this conversation, clear from the work I do every single day, that there is a greater need for international cooperation because as cyber crime escalates, it's clearly borderless and it clearly requires both public sector and the private sector to work on the problem.
Ali Wyne: Welcome to Patching the System, a special podcast for the Global State series, a partnership between GZERO media and Microsoft. I'm Ali Wyne, a senior analyst at Eurasia Group.
Throughout this series, we're highlighting the work of the Cybersecurity Tech Accord, a public commitment for more than 150 global technology companies dedicated to creating a safer cyber world for all of us.
And today in our final installment of this podcast, we will talk a little bit more about protecting businesses, governments, and citizens from cyber crime well into the future. Now, technology moves fast and certainly in the past two years of the pandemic, we've seen our reliance on it grow by leaps and bounds.
Unfortunately, though, cyber crime is also growing and evolving. And while there are treaties and agreements to support international cooperation in combating cyber crime, there are also ongoing negotiations over a new cyber crime treaty at the UN. Some governments claim that such a comprehensive treaty is necessary while others, as well as industry and civil society groups, raise concerns about how such a treaty might affect rights and freedoms we have come to expect online.
My guest today is Amy Hogan-Burney, general manager of Microsoft's digital crimes unit. Amy, welcome.
Amy Hogan-Burney: Thank you. I'm pleased to be here today.
Ali Wyne: I'm just going to dive right in. So for those who aren't deeply working in this space, this cyber space, as it were, on a daily basis, as you do, why don't we just start with some basic definitions? So how do you define cyber criminals and how do you differentiate them from other kinds of bad actors on the internet? So maybe just beginning with some semantics and definitions for our audience.
Amy Hogan-Burney: Sure. It's a great question. Like really, what is cyber crime? I think the answer is generally that cyber crime is using a computer to illegally access or transmit or manipulate data. And it really is for financial gain, but it can also be for political advantage or for geopolitical reasons. In our work, we can see cyber crime affecting individuals. So for example, online child exploitation. Or we can see it affecting property, so theft of intellectual property or other confidential information from businesses. The thing that both of the examples that I just gave you have in common is a computer was used to commit the criminal activity. And it couldn't have been accomplished without an internet connected device. So I can, and I probably would use a computer to plan my bank robbery, but that bank robbery is not a cyber crime, I think is the best way I can describe it.
Amy Hogan-Burney: I just want to make sure everyone knows I'm not going to rob a bank though.
Ali Wyne: No, we'll take your word because you're busy fighting crime. Speaking of which, you've been fighting cyber crime for a long time. And actually your title, it sounds a bit like a network TV crime drama. I just want to remind folks who are listening. you're general manager of the digital crimes unit at Microsoft. When you started, what did cyber crime look like? And now, how have you seen the space of cyber crime evolve?
Amy Hogan-Burney: So first, this question makes me feel old. It made me sound like I've been around for a long time, but it's okay.
Ali Wyne: You've been fighting for a long time. You've been fighting the good fight for a long time.
Amy Hogan-Burney: But I will say when I first started back about 10 years ago, I was at the FBI. And 10 years ago, cybercrime largely looked like denial of service attacks on banks. And the financial institution and the financial sector is really mature in fighting cybercrime, frankly, because they've had to be. It was really used to distract security teams so that they could steal personal data and banking credentials. And it really, in the 10, 15 years ago damaged the reputations of financial institutions. And they've worked incredibly hard at combating cyber crime for that exact reason. And while we still do see DDoS attacks in the financial sector, I would really say cybercrime at this point has evolved to be a threat to national security. And I say that for, I think two reasons.
First is we're seeing cyber criminals attacking critical infrastructure, so healthcare, public health, information technology, financial services, the energy sector, things like that. And then we're seeing ransomware attacks that are increasingly successful. And those are actually crippling governments and businesses. And we also see the profits from this criminal activity really soaring. So, in business email compromise and ransomware and other things. And so we're seeing just, I think an increase in criminals who are able to get more money and they're broadening their scope.
Ali Wyne: You already have sort of touched on in your answer just now the way in which cybercrime has grown in scale, it's become more sophisticated. It originally was targeting primarily financial institutions, but now it's really evolved. And it's almost, for lack of a better phrase, you could say that it's become professionalized. It really has become an industry in and of itself.
What's driving it? One explanation might just be, look, the Internet's growing, and hackers and coders, they're just getting more sophisticated as the internet grows. But is that explanation sufficient or do you think there's more that's going on to explain why we're seeing this surge of cybercrime?
Amy Hogan-Burney: Yeah, I think the answer is that years ago we used to see most of the technology was inside the United States. Most of the criminals and the sophisticated developers were located inside the US. And the actors were largely kind of working alone. They were a very small, tight knit, technically savvy group. And we just, we don't see that anymore. So what we're really seeing at this point is cyber crime as a service where we don't have these technically savvy people committing criminal activity. You don't need to be a programmer. You don't need to be a developer. We have a cybercrime supply chain that are created by big criminal syndicates. And those criminal syndicates sell their services, allowing anyone to conduct this nefarious activity, whether it's for financial gain or for other nefarious purposes.
We're also seeing cyber criminals located around the world. And unfortunately, in many cases, they're operating in permissive jurisdictions. And we're seeing this malicious infrastructure located around the world. So we can see domains or servers located in more jurisdictions than anywhere than we've ever seen before. So I have a case right now, which I'm have happy to describe for you, but I have servers located in Brazil and Bulgaria and Bangladesh, and I just gave you the Bs because that's just what I happened to look at right before I-
Ali Wyne: I was just about to ask, I said, all three of those countries begin with B.
Amy Hogan-Burney: Those are the ones that begin with B. I actually pulled up the spreadsheet and I was like, oh, I'll just pick the B countries.
Ali Wyne: Oh, got it, got it, got it, got it. So you use this phrase, I mean, it's really evocative. It's actually the first time I've heard this phrase, cyber crime supply chain. When we think of supply chains, I at least in my, my limited way of thinking, when I think of supply chains, I think of these supply chains that provision vital commodities. So supply chains for medicines, supply chains for technological inputs that go into our phones and our computers. But I generally have an either sort of neutral association with the phrase supply chain or a favorable one. But to think about a cyber crime supply chain, that phrase that you'd use, it's incredibly evocative. And I think it gives us a sense of the way in which cyber crime has evolved.
I want to turn a little bit to the other side of the ledger. Presumably as cyber crime escalates, so do efforts to fight cyber crime. So the two sort of go hand in hand. And we'll talk a little bit more later about what governments can do, what they are doing. But in your work specifically at Microsoft, what are some of the ways in which you've adapted to the challenges presented by cyber crime? And realistically, what can Microsoft and other companies do to combat it?
Amy Hogan-Burney: Yeah, it's a great question. And I am incredibly fortunate to lead a team that this is all we focus on, is we just focus on identifying cyber criminal actors. And then we refer those to law enforcement through criminal referrals. And at the same time, we also identify the actual technology that's used by cyber criminals. And then we seek to take that down. And we do that either with cooperation with other third-party providers, or with civil cases. And I think it's super helpful to maybe give an example here.
That ties back to my Brazil, Bulgaria, Bangladesh - which is, I think in October of 2020, we decided to take down Trick Bot, which is a very large bot net. But we had a really specific reason for doing that. We were concerned and had heard from the US government that they were worried about any possible disruptions to the US election, which was in November of 2020. And they were concerned that there could be a potential ransomware attack, not on the actual technology used to cast ballots, but there could be a ransomware attack that attacked voter roles or other things, something that could undermine confidence in the election, even if it didn't tamper with election results. And they really didn't want anything to undermine confidence in it for obvious reasons. And so Trick Bot was one of the largest deliverers of ransomware. So we thought, okay, we will go after the delivery system to make sure that there's no ransomware in this case.
So we brought a civil case in October of 2020 to seize all of the infrastructure used by those cyber criminals. At the same time, the US government took their own action, both inside and outside of the US. And we really did a, I think a very, very good job of getting rid of that infrastructure in October of 2020. But this was a little different I think in a couple different ways, we learned a lot back in October. And the first thing that we learned is that the criminals that ran Trick Bot would sell out Trick Bot as a service. And so not only did we affect their infrastructure, we affected their business model. And they were really unhappy with us. And what they did was is they fought back. And one of the things that really I think surprised me is not only did they fight back, but they went to attack hospitals.
Ali Wyne: Goodness.
Amy Hogan-Burney: They did it during the pandemic. And they really were trying to prove that their service still worked by going after a pretty vulnerable population during a really sensitive time. And that was pretty surprising to us. We partnered with law enforcement and incident responders to really protect the healthcare system, but it was a big learning experience. And then the second thing is that they worked furiously to rebuild because like I said, we had impacted their business model. And we are still taking down Trick Bot infrastructure today. So we've kind of moved into this phase that I call the advanced persistent disruption. And those servers that I told you I looked up today on our dashboard in Brazil and Bulgaria and Bangladesh, they are up and running for Trick Bot today for an operation I started back in October of 2020.
We will work with the provider to take those down. They usually takes about 24 hours. But it just shows how we're at a different place where we have a supply chain that we're constantly combating now versus years ago, when we used to be able to do an operation, take something down, and move on. We're really sophisticated and much larger in scope and scale.
Ali Wyne: So you've mentioned the three Bs, that you just, you looked at the dashboard this morning and you looked at Brazil, Bulgaria, and Bangladesh. Just from those three Bs alone, it seems that when we talk about cyber crime, it seems we basically were talking about an issue that defies borders. A single crime, it can take place across several jurisdictions at once. So when you're dealing with an inherently borderless issue or challenge such as cyber crime, what are some of the tools and international instruments that are currently in place to support cooperation with both law enforcement and industry?
Amy Hogan-Burney: First, I think global cooperation is just essential in this space. So places where we have private sector sharing information about cyber threats, where we can work together to seize that criminal infrastructure, because Microsoft is not a law enforcement agency. So while I can do all kinds of things to protect customers, to track threats, to provide notice, and assist victims, it really is essential that law enforcement is also able to seize infrastructure and to arrest the individuals behind this work. And this really wouldn't be possible I don't think without the Council of Europe has a convention on cyber crime, so the Budapest Convention, which is a longstanding, really valuable tool we have in this area. It's been in place over 20 years. It's been ratified by 66 governments across regions. And it really is a guideline for domestic cyber legislation.
I think the other part that's really important to us is that anytime we have international cooperation, we also have a focus on protecting human rights. And so the Budapest Convention also does that as well. The other part I would add is, and I think we've touched on this throughout this conversation already, is just that evolution. Every time we see the internet evolve and products and services and other things grow and evolve, we unfortunately see criminals grow and evolve as well. And that means that we also need to see the legal framework and the conventions kind of grow and evolve. And we see that with the Budapest Convention. So we have kind of additional protocol that have been added. And I think you'll see more this spring, which will have greater support for international cooperation and more access to evidence so that there can be those prosecutions for cyber criminals that law enforcement do.
Ali Wyne: So coming to the present, you talked about the centrality of international cooperation. And so let's turn to the current cyber crime treaty negotiations that are taking place at the United Nations. So just at a kind of like from a bird's eye view, 30,000 foot level, what are those negotiations about? And what's the ultimate goal of this treaty that being negotiated?
Amy Hogan-Burney: Yeah, it's a great question. It's just really hard for me to tell. On the one hand, it's clear from this conversation, clear from the work I do every single day, that there is a greater need for international cooperation because as cyber crime escalates, it's clearly borderless and it clearly requires both public sector and the private sector to work on the problem. Although I am just not certain that I think that a new treaty will actually increase that cooperation. And I'm a little concerned that it might do more harm than good. One of the things that we're constantly thinking about is yes, we want to be able to go after cyber criminals across jurisdiction.
But at the same time, we want to make sure that we're protecting fundamental freedoms, always respectful of privacy and other things. Also, we're always mindful of authoritarian states that may be using these negotiations to criminalize content or freedom of expression. So I get concerned about any treaty that looks like it may impact journalists or political dissidents or any other vulnerable group. And given that the Budapest Convention has been in place for 20 years, we certainly don't want to see anything that undermines our conflicts with the Budapest Convention.
Ali Wyne: Let's talk about the elephant in the room. turning to the prospect of digital authoritarianism, Russia is obviously a major part of these negotiations that we've just been discussing. They not only sponsored the resolution that began these negotiations, but I think pretty surprisingly, they actually released a draft text for the treaty. Can you give us a little bit of an insight into what their proposal entails?
Amy Hogan-Burney: Sure. First I will say, I think everyone was very surprised to see a draft text. Also it's 70 pages.
Ali Wyne: 70 pages? Wow.
Amy Hogan-Burney: Yeah, so I will spare everyone a complete legal analysis. And I will also say it takes quite a commitment to read.
Ali Wyne: Sure.
Amy Hogan-Burney: The draft, I think, is really focused on individual state interests versus kind of broad global cooperation. It's also very broad. Even at the very beginning of the draft, it starts by saying that "It's designed," and this is a quote, "to promote and strengthen measures aimed at effectively preventing and combating crime and other unlawful acts in the field of ICT," which is information and communications technology. Combating crimes and unlawful acts in the field of ICT is just so incredibly broad and very different than the definition that I gave you at the beginning of what cyber crime really is. And so that broad criminalization, I think, really brings up the risk to freedom of expression, privacy and other things.
And also, I think that vague language of just because a computer is involved, that it is part of this treaty, is also concerning. So it brings us back to my bank robbery example. My bank robbery, should I seek to commit it, certainly shouldn't be covered by a cyber crime treaty that's being negotiated at the UN. And so I think the first real big concern is making sure that we're very clear on definitions. And that we're really focused on cyber crime, such as very clear cyber dependent offenses, and that those that are enabled by computers. And that definition, I think really needs to be clarified in any draft.
Ali Wyne: And that's another important distinction that you posited. Between cyber crime in the narrow way, and the more helpful way that you specified at the outset of our conversation, versus cyber enabled crimes or cyber enabled nefarious activity. But I think positing that distinction is really important. And you mentioned that Russia has a draft text. The definition of cyber crime, or I shouldn't even say a definition, it seems that it's more of just it's such an expansive conception, that it can subsume almost any kind of activity involving a computer. So it's so expansive as to be not only unhelpful, but as you said, potentially catch a lot of people in its net who really don't deserve to be caught up.
Ali Wyne: Let me turn, Amy, to another question. Continuing the discussion of this current cyber crime treaty that's being negotiated at the UN. What is the main argument for a new or more inclusive treaty, and how and why could it potentially fight cyber crime more effectively?
Amy Hogan-Burney: So I think anytime I see conversations being had about well scoped or structured international legal instruments to combat cyber crime, I have to be supportive of that because if we can get to a place where there is widely adopted consensus across governments that would allow for kind of common legal frameworks, obligations across jurisdictions that would allow for effective cooperation, and would provide kind of clear and repeatable access to data, this will be helpful in allowing governments to hold cyber criminals accountable. I think this will be helpful for private sector and the public sector to work together to take down that malicious infrastructure. As long as we are making sure that we kind of have a human centric approach to this, which we really need to make sure that there is a right to redress for individuals in case any rights are violated, and that it doesn't expand authorities in a way that allow law enforcement to trample those fundamental rights that we discussed before.
Ali Wyne: Is the biggest challenge in combating cyber crime just the lack of a common framework? How much of an impact would a new treaty have? And let's say a new treaty that would be up to your standards, a new treaty that you would advocate. Let's say that it were to be endorsed and let's say that it were to come into effect. What are some of the outstanding challenges that even a good treaty that lives up to your standards might not be able to solve as cyber crime continues to evolve?
Amy Hogan-Burney:Yeah, I wish a new treaty would solve all my problems. That would be great. I mean, someday maybe a new treaty will work me out of a job, but I don't think so. So I don't think even a perfect treaty will be the silver bullet. But I think one of the big things we see is for many states is that there really needs to be capacity building. So we've talked a lot about the technology that's involved in this, how sophisticated these criminal infrastructures are, how sophisticated the criminal groups are. And so I think more really needs to be done to support law enforcement agencies to up their technological capability, to better preserve and collect information, to share evidence, to perform digital forensics, and so that they can work with others. And so a treaty is great, a legal framework is great, but we need to have people on the ground that are able to implement that. And that I think is one of the most important things.
Ali Wyne: You've given us a sense of what a good treaty might entail, obviously, recognizing that it's not a silver bullet. But let's push on that a little bit more and let's imagine sort of two scenarios. So in scenario one, a treaty isn't reached. So then if a treaty isn't reached, what are some of the possible outcomes? And then scenario two, let's imagine that a treaty is reached, but it doesn't really reflect the traditional understandings of cyber crime. So maybe walk us through those two scenarios and what you think the implications would be for cyber crime in each of those two scenarios.
Amy Hogan-Burney: So if a treaty isn't reached, I don't think that this exercise is all for naught. So I think the first thing is that having the conversations about international cooperation, the conversations about definitional issues about cyber crime, about protecting fundamental rights in this space, really important. And I also think it does raise the issue of the permissive environment that we sometimes see here, where we have nations that are allowing this illegal activity to be conducted in their jurisdictions, it's an unfortunate reality. But by raising this at the international level and in the UN, it does make us and force us to have this conversation. So even if a treaty isn't reached, we have still had that international cooperative conversation.
If a treaty is reached, I think a lot just depends on how many states adopt the treaty and how it is enforced. I would imagine that there could be a change in the level of privacy and freedom of expression for individuals where the countries put this agreement in force. And I also have concerns, frankly, that it could threaten the vision of a global public internet if there are obligations that are inconsistent with our current international framework.
Ali Wyne: Sure. So let's leave the audience with a little bit of hope. What is the ideal or potential new digital world that could be created by a cyber crime treaty that lives up to your standards? Maybe leave us with a little bit of cautious optimism about some of the possibilities of not a brave new digital world, but a better digital world.
Amy Hogan-Burney: Yeah. I always do worry about being just such a Debbie downer when I do these, because I just talk constantly about the threat. So I do like to try to leave with hope. And I think there's hope first in that we're seeing more victims come forward and more transparency and more conversation here. And if we were to see a new cyber crime treaty that enables law enforcement cooperation across jurisdictions, if it improves access to data while protecting fundamental rights, I just think it could go such a long way towards aligning our efforts internationally across governments and across the private sector, and could go a long way towards protecting those victims that I mentioned that we're really starting to see humanize the aspect of cyber crime that is out there.
Ali Wyne: Amy Hogan-Burney, general manager of Microsoft digital crimes unit. Amy, thank you so much for being with us today. Thank you so much for sharing your insights. It's been a real pleasure.
Amy Hogan-Burney: Thank you for having me.
Ali Wyne: And before we go, let's check in once more with Annalaura Gallo, head of the secretariat of the Tech Accord, about what the Tech Accord and its industry partners hope to see from a cyber crime treaty.
Gallo: Last year before the UN negotiations on the new cyber crime convention started together with the CyberPeace Institute and over 60 organizations, the Tech Accord launched a manifesto on cyber crime, highlighting the principles for a cyber crime convention that safeguards human rights online and a free, open and secure internet. The manifesto includes a set of principles that the negotiations and that states that are conducting the negotiations should keep in mind to ensure that the treaty preserves human rights, but also a free and open internet. And first of all, the new cyber crime treaty should protect targets and victims of cyber crime. We think this is a very important point take into account. It should also ensure that there is effective international cooperation across sectors and between the public and the private sector, but also maintain existing international legal obligations. A new cyber crime treaty should not be an avenue for states to reduce their existing obligations. And of course the manifesto is also a focus on the importance of a multi stakeholder approach to the negotiations. So ensuring that non governmental stakeholders were included in the process and we were happy to see that there has been definitely an inclusive approach so far.
Ali Wyne: That's it for this, the final episode of the Patching the System series. Thank you for joining us and be sure to listen to all of our episodes on topics including cyber mercenaries, supply chain attacks, hybrid warfare, and the internet of things. For deep dive discussions with industry experts from the Cybersecurity Tech Accord on the most pressing challenges online. All episodes are available in Ian Bremmer's GZERO world feed anywhere you get your podcasts. And for more information on the Cybersecurity Tech Accord, and its ongoing efforts to give a voice to the industry on matters of peace and security online, you can check out their website at cybertechaccord.org. I'm Ali Wyne, thanks very much for listening.