“Because that’s where the money is.”

—Quote attributed to notorious felon William Francis “Willie” Sutton when asked by reporter Mitch Ohnstad why he robbed banks

Merriam-Webster defines an urban legend as “a story about an unusual event or occurrence that many people believe is true but that is not true.” Willie Sutton’s 40-year criminal record, in which he scored nearly $2 million and escaped from prison three times, is the stuff of which urban legends are made. Indeed, with an estimated 100 bank heists to his credit, Sutton rightfully earned his place in history as one of the most prolific bank robbers of the 20th century.

Yet, despite his prodigious career as criminal mastermind, the one defining mark of Sutton’s legacy would become so inextricably linked to him that it could only be dubbed “Sutton’s Law”—that is, his oft-quoted response to the question of why he robbed banks, to which Sutton allegedly quipped, “Because that’s where the money is.” Beyond demonstrating the brilliant simplicity (and wit) of one of the most famed bank robbers of a generation, Sutton’s Law would live on in other more respectable trades. In the medical community, it served as a metaphor encouraging doctors to focus on the most likely diagnosis, rather than waste resources investigating every potential possibility. In management accounting, it gained traction in activity-based costing, where the highest-cost items are scrutinized to uncover commensurate savings.

Despite all the notoriety of Sutton’s Law, the truth, according to Sutton himself, is that he never made the comment:

• The irony of using a bank robber’s maxim as an instrument for teaching medicine is compounded, I will now confess, by the fact that I never said it. The credit belongs to some enterprising reporter who apparently felt a need to fill out his copy. I can’t even remember where I first read it. It just seemed to appear one day, and then it was everywhere. ⁱ

And so it goes: urban legend born from one journalist’s active imagination attributed to a one-man-crime-spree whose record hardly needed embellishment continues to this day. And, as Sutton’s Law has gone down as one of the most fascinating (if not completely fictitious) retorts in modern history, it pales in comparison to the widespread popular opinion of early bank robbers and their reign of terror over what American historians would label the country’s “frontier period.” The mere mention of the “Wild Wild West” conjures images ripped from the silver screen of gun-wielding, mask-donning bank robbers, intent on cashing in before darting out on their trusty steeds. Here’s the problem with this image: Like the Sutton quote, it is born of fiction.

To clarify, there certainly were bank robberies during this period, but the number hardly warrants the moniker, yet alone icon, associated with a “Wild West.” In their book, Banking in the American West from the Gold Rush to Deregulation , authors Larry Schweikart and Lynne Doti examine primary and secondary sources from all the states of the “frontier west” during the period 1859-1900. Based on their extensive research, including additional interviews from well-intentioned sources bent on clarifying the record following the book’s release, Schweikart and Doti report roughly a half dozen bank robberies over a 40-year period and across 15 states. Putting the number into context, there were more bank robberies in Dayton, Ohio, in one year at the turn of this century than there were in the entire Old West in a decade and perhaps in the whole frontier period. ⁱⁱ

While the results were not entirely surprising to Schweikart and Doti, the average layperson may be puzzled by the lack of robberies among what would have represented a lucrative target for inspired thieves. After all, whether Sutton said it or not, banks really were where the money was. In deconstructing the success of these early frontier bankers, the authors point to a relatively simple blueprint that established a financial bedrock for society.

• Bankers were often first something else. Despite several early bankers having ties to eastern financial firms, many did not inhabit a town and immediately set up a bank. Instead, they typically opened a general merchandise store. The reason was simple, if not profound. These early businessmen recognized that a bank’s foundation was predicated on the psychological currency of trust. Introducing a general store allowed these leaders to build trust with those in the community before attempting to monetize it via a banking relationship.

• Bankers looked the part. Before the days of federal regulation or financial insurance, a banker’s appearance was paramount in convincing customers of his authenticity and credibility. A banker’s dress denoted success and wealth; more important, it conveyed assurance of a person behind the bank, one capable of supporting his business during times of trouble. With trust still the principal currency in play, a banker who effectively played the part connoted competence.

• Banks were secure. Often placed in the center of town and constructed by some of the leading architects in the country, the bank building itself was one that deterred would-be criminals. Flanked on both sides by other merchants, a bank’s most vulnerable entry was through the rear of the building. Still, blasting through this rear entry proved no simple task, as many bankers double-reinforced this wall. Even if the most industrious of criminals found their way in, they would find themselves confounded with a seemingly impenetrable iron safe. The physical representation of the institution was the final marker upon which to build trust, one where customers had confidence in the construction of the bank itself.

Of course, there were exceptions to the rule and notorious bank robbers, including Butch Cassidy and his clan, were successful in major scores. While fiction is quick to glamorize the shoot-out matches likely present in these escapades, it fails to convey the excruciating planning behind such heists. As a case in point, Cassidy was known to be an expert with horses and would strategically station his stallions at deliberate checkpoints between his score and hideout, allowing his team to switch “vehicles” mid-course at precisely the moments the animals were most likely to fatigue. ⁱⁱⁱ

But the capers of Cassidy and other notorious felons were rare cases. Based on Schweikart and Doti’s own account, the Wild West bank robbery was virtually nonexistent. While the money certainly was at the bank, so too were considerable obstacles and risks to the criminally inclined. Instead, stagecoaches and trains became the risk-averse targets of choice, rendering most banks during the frontier era safe havens upon which a burgeoning economy would ultimately flourish—one where physical currency traded on the basis of an underlying trust relationship.

Only when the playing field was leveled between experienced and amateur robbers did the bank heist become a more common occurrence. Specifically, the introductions of the automobile and highway system allowed crooks the advantage once enjoyed exclusively by innovators like Cassidy – the ability to evade pursuit. Once banks became softer targets, thieves responded in kind.

Fast forwarding to modern times, the economics of bank robbery still prove elusive but for the most adept masterminds. According to a study by a team of economists at the University of Sussex, who crunched data on more than 350 robberies between 2005 and 2008, the average haul for a British robber was a rather insignificant £20,330 ($31,610). In the United States, the take was even lower—just $10,025, on average, according to the FBI. ^iv Just as mythical as the prolific Wild West bank heist is the notion that current bank robbers abscond with huge sums of money for their risk and trouble. Contrary to the images so common on a Hollywood set, less than 10 percent of US bank robbers even make it inside the vault, leaving their spoils subject to what can be collected at a bank teller’s window. ^v

And so, the annals of bank robberies have been relegated but to the most notorious of criminals, including Sutton, Cassidy, and their ilk, leaving most thieves in the category of petty nuisance to the financial bastions they infiltrate. That is, until 2015, when security firm Kaspersky Labs uncovered what would be heralded as the largest bank heist in history. In an attack on more than 100 banks in 30 countries, criminals made off with close to an estimated $1 billion, of which only one-third was even traceable. ^vi There was no need to determine how to crack a seemingly impenetrable vault or orchestrate a strategic escape plan across jurisdictional lines. This attack was perpetrated by savvy hackers across Russia, China, and Europe.

First, the trap was set, as cybercriminals targeted bank employees with e-mails appearing to come from trusted colleagues (known as a phishing scheme in industry parlance). Once unwitting employees clicked on the e-mail attachments, malicious programs did their part to trace employee behavioral patterns. After capturing photo and video surveillance of employees’ computers, the hackers used their victims’ credentials to siphon money in what would otherwise appear as authorized bank or ATM (automated teller machine) transactions. One such tactic involved inflating individual bank account balances, such as showing $10,000 in an account where only $1,000 was actually deposited, allowing the criminals to abscond with the $9,000 in counterfeit withdrawals. And, perhaps the scariest fact in the case: unlike the quick in-and-out approach of “traditional” bank robberies, these perpetrators took their time, literally spending as much as two years camping out incognito within the virtual perimeter of their targets—collecting data, learning behavioral patterns, and inconspicuously taking up to $1 billion in treasure over several quarters. ^vii

Though newsworthy given the size of take, the $1 billion, nameless, faceless, virtual hack is one of so many stories that make daily headlines. In the financial industry alone, consider some of the more notable hacks in recent years.

• At 1:07 p.m. Eastern Standard Time on April 23, 2013, the official Twitter account belonging to the Associated Press released this tweet to its nearly two million followers: “Breaking: Two Explosions in the White House and Barack Obama is injured.” ^viii Over a three-minute period that followed, the Dow nosedived nearly 150 points, temporarily obliterating $136 billion in equity market value before stabilizing. The recovery came when the tweet was exposed as fake. A group of Syrian hackers claimed credit for the breach and, though a financial institution was not the direct target, the group was able to wreak havoc on Wall Street for three minutes. ^ix Imagine the consequences if the hackers were successful in seizing the official Twitter accounts of multiple news organizations simultaneously with consistent counterfeit messages.

• British banking customers fell prey to another phishing scam in October 2015, losing up to £20 million to Eastern European hackers. The real target of the attack were global financial institutions as hackers lured consumers to click on otherwise legitimate e-mails which activated the insidious Dridex virus, succumbing the victims’ computers—and online banking details—to the hackers’ control. ^x

• In November 2015, four hackers were indicted for infiltrating a JPMorgan Chase server containing the contact records of more than 80 million customers. The case didn’t involve a complex phishing scheme or zero-day attack exploiting an unknown software vulnerability. Instead, criminals simply stole the username and password of an employee.

  Normally, such a simplistic attempt would be thwarted, as most servers require two-factor authentication. Multifactor authentication is common security practice, requiring at least two forms of verification before allowing a user access to a system. As an example, consider a withdrawal from a cash machine, which requires both the authorized bank card and associated PIN (personal identification number) for the account, to be executed. In the JPMorgan Chase hack, a typical server would have required at least one more piece of verification beyond a user name and password for access. However, in JPMorgan Chase’s vast network of servers, including those gained via mergers and acquisitions, the one that lacked this additional layer of security offered adversaries entry to more than 90 other servers on the bank’s network. ^xi

  Though no account data was stolen, the criminals still enjoyed a healthy payday—netting more than $100 million in a bogus stock-pumping scheme and online gambling operation. ^xii In the scam, the hackers used the stolen contact data to con victims into buying stocks and manipulate their prices. When asked whether buying stocks was popular in America, one of the perpetrators allegedly responded, “It’s like drinking freaking vodka in Russia.” ^xiii

Make no mistake: the nature of these attacks do not merely compromise a few companies’ bottom lines. They call into question the stability and integrity of the financial system itself—a system that, at its foundation, is built on the psychological currency of trust. Early bankers knew that their very success depended on first gaining customer trust, hence the reason so many were first general merchants and carefully looked the part of credible financier capable of covering any potential losses. Historically, bank robbers proved more nuisance than threat, targeting banks meeting certain physical criteria and limiting their spoils largely to what they could quickly take when seconds matter.

However, with a virtual and highly interconnected monetary network now in play, cybercriminals increasingly have the entire financial system in their sights. The stakes of this game couldn’t be higher as law enforcement officials are becoming all too aware. When federal prosecutor Preet Bharara brought charges against an Eastern European hacking ring in 2013, he presciently added, “Cybercriminals are determined to prey not only on individual bank accounts, but on the financial system itself.” ^xiv These adversaries have a vast attack surface to target: a 2013 report from Iosco and the World Federation of Exchanges reported that 89 percent of the world’s financial exchanges listed hacking as a “systemic risk.” ^xv

And, the financial system is just one target. Hackers are not prone to discrimination, pursuing everyone from consumers to companies and everything from data centers to utility grids. Like the urban legends that pervasively represent a Wild West as a distant notion from reality, many still imagine a hacker as the pimple-faced teen in his parents’ basement with nothing better to do with his time and talent. While hobbyist hackers still exist, the reality is that insidious cybercrime is increasingly at the hands of organized crime syndicates and nation-states, whose profits produce a staggering economic burden. According to the Center for Strategic and International Studies, a Washington think tank, the estimated global costs of cybercrime and economic espionage are nearly $450 billion, placing cybercrime in similar company with drug trafficking in terms of economic harm. Put another way, if cybercrime were a country, its GDP (gross domestic product) would rank in the top 30 of nations, exceeding the economies of Singapore, Hong Kong, and Austria, to name just a few.

And, similar to bona fide businesses, in the world of cybercrime, time equals money. Consider the dwell time—or the time between when a breach occurs and is finally detected—in which hackers enjoyed unauthorized access to their victims’ most sensitive files and systems in some of the above-mentioned hacks:

• for JPMorgan Chase, cybercriminals were in the perimeter several months before being detected, ^xvi

• for at least some of the banks targeted in the $1B heist, up to two years went by with no knowledge of a breach, ^xvii and

• although the Associated Press Twitter hack lasted just a few short minutes before discovery, the temporary damage of more than $100 billion in market value was palpable nonetheless.

Cybercrime turns the tables on unsuspecting victims. Unlike physical threats that are readily seen and understood, virtual adversaries often enjoy a cloak of invisibility upon infiltration. The time of this clandestine advantage becomes a major weapon in the fight to contain damage or losses. Unfortunately, time is increasingly not on the side of the victim. A 2015 Ponemon Institute Survey reported the average dwell time at 98 days for financial services firms. For retail companies, the results were worse: breaches were not discovered for 197 days following attack. ^xviii Even more sobering, 58 and 71 percent of financial services and retail organizations, respectively, were not optimistic about improving their responsiveness to these virtual attacks within the coming year. ^xix Making matters worse, the volume of strikes would be sufficient on their own to cause concern, even if they could be immediately detected—more than 80 percent of financial service companies experience more than 12 attacks per week. Retail companies fared a bit better, but with nearly half of these companies reporting the same volumes at more than twice the dwell time of their financial counterparts, their results are equally disconcerting. ^xx

The physical world knows no such threat. Imagine a thief being in your house or place of business rummaging through your most sensitive belongings and remaining there undetected for months, seasons, or even years. Couple this with popular phishing schemes used to lure unsuspecting employees (Verizon reports 23 percent of recipients open phishing e-mails ^xxi ) and you now also have a case where you, as the victim, offer the thug the key to your very own dwelling.

As adversaries have grown in number and sophistication, so too have their incentives. Just as the reporter who fabricated what would become known as Sutton’s Law was seeking an answer to what would motivate such an individual, victims are left to ponder what would compel nameless, faceless hackers to strike. Assuming all are motivated by profit, as Sutton, seriously simplifies much more complex psychological undercurrents. Hacktivists enlist recruits to their virtual army to fight for principle. Nation-states identify targets to expand their province. And, yes, there are still hackers who view the hobby as a means to prank their victims. Whether for profit, principle, province, or prank, each attack serves to erode the trust of customers in a company’s ability to withstand future breaches and protect their interests.

While threat actors may differ in incentive models, they universally share a currency of time. Time becomes the critical strategic weapon in the cyberwar. Whether using time against a victim, as in the recent spate of ransomware attacks, or dwelling inconspicuously for as long as possible to pilfer sensitive records, the way time is used in the battle depends on the hacker’s incentive model. The two are often inextricably linked.

This book explores all of the above: the underlying incentives that are foundational to various cybercriminals and their victims, the time imperative when a cyberattack occurs, and the trust that is eroded between supplier and customer with each hack. The Second Economy pertains to all three: treasure, time, and trust. Like urban legends that seduce their believers into succumbing to an alternate reality, preconceived security notions—even those held by the most well-intentioned professionals employed to defend their organizations—are dangerous delusions that demand a second look to overcome an increasingly powerful enemy.

To thoroughly examine the problem, the book is divided in its approach. The first half explores the incentive models in play for cybercriminals acting for profit, principle, or province and the underlying trust economy that is ultimately corroded with each company breach. This part of the book is more observational in its orientation, as understanding how threat actors are changing their methods to abscond with treasure and trust is fundamental to formulating the solution. The second half offers a practical prescription for critical stakeholders of private and public organizations—including chief information officers (CIOs), chief executive officers (CEOs), and boards of directors—to remediate the threat and compete effectively in The Second Economy . This part of the book is more opinionated in its tone, as we respectfully challenge conventional security paradigms, based, in part, on a McAfee primary research study surveying more than 1,000 security professionals globally to understand attitudes, beliefs, and actions underlying their organization’s security posture—many of which, we submit, must change for successful outcomes.

In writing a book like this, it is tempting to devolve to fear-mongering or hyperbole when discussing such a sensational topic. While we will resist such tendencies, we would be remiss in not placing a spotlight on how and where threat actors increasingly surround us. In fact, it is human nature to underestimate or misjudge risk entirely—a weapon the adversary exploits in his arsenal. As such, our intention is not to fuel exaggerated scare tactics but to inspire a sense of urgency among key decision makers to respond to their enemies in kind.

Organizations have historically lacked this bias for action, with cybersecurity dwelling in the shadows of traditional information technology (IT) organizations. Some have argued that IT, prone to commoditization, is a function best relegated to being a fast follower of innovation. However, the opposite is true for cybersecurity, as threat actors invest their own research and development preparing the next assault and seeking the most vulnerable victim—a follower, be it fast or not—to attack. It has only been fairly recently, with notable public hacks on significant targets like Sony, Target, and The Home Depot, that cybersecurity has elevated itself from a back-office function in IT to a conversation worthy of boardroom debate, as organizations scramble to prevent themselves from being the next headline or punch line.

The Second Economy provides a different lens through which to examine cybersecurity issues that ultimately affect each one of us, particularly as we increasingly inhabit a world comprised of the cloud, mobility, the “Internet of Things,” and a seemingly infinite number of goods and services that are exchanged online. In the end, we hope to answer the reader’s fundamental questions with regard to an ongoing and escalating battle of which we are all now part: as either prey, predator, or unwitting participant in this virtual marketplace. Among them are the following:

• How has the threat landscape changed over time and what is likely next?

• Where are preconceived security notions limiting successful outcomes for victims in the fight?

• What measures can organizations take to protect themselves?

We will also carefully embark on answering another critical question: Why? Why do cybercriminals do what they do? Specifically, for the financially motivated adversary, cause-oriented hacktivist or power-induced nation state, we will rely on the principles of another underlying economy in play—that of cybercrime itself. By deconstructing the incentives and addressable market available to different types of assailants, juxtaposed against the risk for various assaults, we will attempt to understand how motives are influenced by opportunity. While we will answer this question as it pertains to the mentality of those in pursuit of profit, principle, or province, the same cannot be offered for the mind-set of other cybercriminals who do not follow one of these walks of life and for whose motives we will likely never understand. And, while it is human nature to attempt to find an explanation for such destruction, sometimes the answer itself leaves one wanting more. It isn’t surprising that a reporter asked the infamous Willie Sutton why he robbed banks, and when one considers his real answer, perhaps the falsified response becomes a bit more understandable. According to Sutton:

• If anybody had asked me [why I robbed banks], I’d have probably said it [because that’s where the money is]. That’s what almost anybody would say … it couldn’t be more obvious.

• Or could it?

• Why did I rob banks? Because I enjoyed it. I loved it. I was more alive when I was inside a bank, robbing it, than at any other time in my life. I enjoyed everything about it so much that one or two weeks later I’d be out looking for the next job. But to me the money was the chips, that’s all. ^xxii

We may never fully understand what motivates these predators, though we can certainly examine the economic nature of crime itself as a precursor to knowledge. And, we can definitely make progress in altering our own beliefs and behaviors to be more successful in the battle. It starts with understanding what form of treasure is in play for various threat actors, why trust is often taken for granted, and how time is the most valuable weapon in the arsenal. It ends when we each recognize our part in The Second Economy .