Commentary: Cyber Extortion Deserves No Quarter

Under most circumstances, a business decision involving $200,000 wouldn't be important enough to require a personal appearance from the CEO of a $2 billion corporation, let alone a special trip to London from New York. But media titan Michael R. Bloomberg, CEO of Bloomberg LP, made such a trip on Aug. 10. And he did it to prove that cyber-extortion will not go unpunished at his company.

Bloomberg went to meet with two Kazakhs--Oleg Zezov, 27, and Igor Yarimaka, 37--who were allegedly demanding $200,000 in "consulting" fees. For this, they would reveal how they had allegedly compromised the byzantine Bloomberg computer systems, an exploit they allegedly proved by e-mailing Bloomberg the photo from his own corporate ID badge.

With billions of dollars in stocks and bonds traded daily based on information from Bloomberg terminals, the threat of a hacked system could have proved catastrophic for both the company and its customers. Fortunately, this tale has a happy ending. Bloomberg brought two police officers, one posing as a company executive and the other as a translator, to the meeting. Zezov and Yarimaka were arrested, and both have been charged in the U.S. with three felony counts, including extortion and unauthorized computer intrusion.

TROUBLING SILENCE. The incident highlights a worrisome trend. Computer-security experts say cyber-extortion, though relatively infrequent, has become more common. "We see this on a pretty periodic basis," says Chris Rouland, director of the special-response team at Internet Security Systems Inc., a consulting firm. "I personally get called in on these once a month, and the public usually doesn't hear about them."

That silence is disturbing. Although Rouland believes the number of cyber-extortion cases around the globe may be somewhere in the low thousands each year, no statistics exist--largely because companies do not want to reveal that their defenses have been breached. "It indicates that the organization was compromised, and could bring further attack," Rouland says. "It could make customers uncomfortable using [the targeted companies'] technology."

But hiding their heads in the sand will not protect companies from cyber-attacks. Experts say companies must have a strategy in place for dealing with such extortions. The strategies bear a remarkable resemblance to those for dealing with real-world kidnappings. When a company has determined that a cyber-extortion attempt is real, it's crucial to quickly contact the organization's decision makers, a task often neglected by managers who lack experience with cyber-attacks. Security experts say the company must carefully engage the code crackers while at the same time mounting a defense of its system. Where possible, that means backing up and isolating the compromised computer servers.

In a case such as Bloomberg's, where the system consists of a massive network of computers, isolating the unauthorized point of entry can take months. For that reason, Bloomberg dragged out the negotiations--much as a hostage negotiator might. "I think you're put in a particularly difficult position being contacted by a hacker who has already compromised your system," says Tim Belcher, chief technology officer of information-security firm RIPTech Inc. "How you respond and react can lead to vastly different outcomes."

LESSONS. Indeed, Bloomberg's closely controlled engagement might never have made the news if things had gone awry. For example, says Belcher, many systems administrators mistakenly destroy evidence when they try to fix problems in a computer system after a malicious hacker has altered code.

Others anger crackers by eliminating only some of the "Trojan horses" used to ensure constant access to a system. "We have seen systems that have been 'backdoored' 10 different ways. And if you had missed No. 10 and gotten the first nine, the hacker would have come back in. And then the hacker has a reason to be upset," says Belcher. For a worst-case scenario, look at what happened to online music store CD Universe in January: A game of chicken ended in disaster when angry crackers dumped tens of thousands of credit-card numbers from the store's customers onto the Web.

By hiding such cases, victims help sustain the illusion that no one gets caught for cyber-extortion. For now, it appears that Zezov and Yarimaka have received a harsh lesson at the hands of a noted Wall Street tough guy. If more executives were willing to go after would-be crackers as relentlessly as Michael Bloomberg did, criminals might understand that it is not open season on the world's computer networks.