Kingdom of Lies: Unnerving Adventures in the World of Cybercrime

By Kate Fazzini

“Wow. Kate Fazzini is the rare top-level reporter who can make you see, smell and feel a hidden world, not just understand it. Cybercrime (and security) has found its Michael Lewis.” —Bret Witter, co-author of the #1 NYT bestseller The Monuments Men

One of BookRiot's "50 of the Best Books to Read This Summer"

In the tradition of Michael Lewis and Tom Wolfe, a fascinating and frightening behind-the-scenes look at the interconnected cultures of hackers, security specialists, and law enforcement

A 19-year-old Romanian student stumbles into a criminal ransomware ring in her village. Soon she is extorting Silicon Valley billionaires for millions--without knowing the first thing about computers.

A veteran cybersecurity specialist has built a deep network of top notch hackers in one of the world’s largest banks. But then the bank brings in a cadre of ex-military personnel to “help.”

A cynical Russian only leaves his tiny New Jersey apartment to hack sports cars at a high performance shop in Newark. But he opens his door to a consultant who needs his help.

A hotel doorman in China once served in the People’s Army, stealing intellectual property from American companies. Now he uses his skills to build up a private side-business selling the data he takes from travelers to Shanghai’s commercial center.

Kingdom of Lies follows the intertwined stories of cybercriminals and ethical hackers as they jump from criminal trend to criminal trend, crisis to crisis. A cybersecurity professional turned journalist, Kate Fazzini illuminates the many lies companies and governments tell us about our security, the lies criminals tell to get ahead, and the lies security leaders tell to make us think they are better at their jobs than they are.

Like Traffic set in the cybercrime world, Kingdom of Lies is as entertaining as it is eye opening.

• Language: English
• Publisher: Macmillan Publishers
• Release date: Jun 11, 2019
• ISBN: 9781250201355

Kate Fazzini

Kate Fazzini is Cybersecurity Reporter for CNBC. Before that she reported on cybersecurity for The Wall Street Journal. She previously served as a principal in the cybersecurity practice at Washington D.C.-based Promontory Financial Group, now a division of IBM. Prior to that, she served as a vice president in cybersecurity operations at JPMorgan Chase. Fazzini teaches in the applied intelligence program at Georgetown University. She lives in New York City.

Book preview

Preface

Kingdom of Lies

It didn’t take me long in my career as a cybersecurity executive to figure out everyone was lying to me.

The biggest lie of all came at the very beginning: that cybersecurity is hard. Too hard. Certainly too difficult for someone who lacks years and years of deep technical training. That it is no place for writers.

That thicket of incomprehensible jargon alone seemed meant to discourage outsiders like me from entering the field. They told me I could never hope to understand the terminology unless I’d worked around it for a very long time. Unless I had a special and complicated certification. Unless I knew how to take apart and reassemble a computer. Unless I knew how to code in Python and could read it, interpret it, and spot problems on sight.

And if I somehow managed to learn the lingo, the learning curve for the rest of it would prove insurmountable.

Lies, lies, lies.

It’s unfortunate, because there is a huge gap between the demand for cybersecurity workers and the people available to fill those jobs. I think one of the reasons for that is because people can’t imagine themselves doing this kind of work.

Can you use a smartphone? Make a PowerPoint? Think on your feet? Ever organize a night out to the movies with your friends that went well and nobody crashed their car to or from the event? Welcome to the twenty-first century’s hottest career path. Are you able to charm the pants off women? Did you escape an abusive marriage? Have you ever hosted a toddler’s birthday party at your home? Honey, I want you on my cybersecurity team.

After reading the stories in this book, you will understand that what makes cybersecurity complicated is the complexity of human beings. So if you know how to deal with people, you can handle internet security. If you understand what makes people tick, not only will you be able to recognize a threat, you’ll be one step ahead of your adversary.

During my career as a cybersecurity executive at multinational corporations, a journalist for The Wall Street Journal and later CNBC, and a professor at Georgetown University, I’ve met a lot of fascinating people. From the hackers who perpetrate malicious attacks to the security professionals who try to prevent these incidents from happening, and the alphabet soup of government agencies that do damage control, at the end of the day they’re all fathers, sons, mothers, sisters, and spouses. In other words, people just like us. Yes, white hats cross paths with black hats and change alliances more frequently than you might expect, but they’re driven by the same desires as the rest of us—even if sometimes it feels as if everyone in cybersecurity is allergic to the truth.

As a professional, I was told a great many lies about the field I have grown to love so much. After becoming a journalist on the cybersecurity beat, I was told even more. Here are a few:

Let me introduce you to the hacker community.

This lie is usually delivered with a wink and a nod from someone who thinks they know every hacker on the planet. The truth of the matter is, there is no hacker community.

Sure, the guys who make a splash at the big annual conferences might say otherwise. But every country, every state, every faction, every identifying group has its own community of people who hack computers. Some of them are extremely conservative, others are massively liberal, most fall somewhere in between. Some wear suits and ties and work as lawyers during the day, while others look like everyday citizens and have great people skills as they pursue their idiosyncratic agendas.

Some are good guys who get fed up with the low pay and boring duties and become criminals. Some are criminals who end up becoming good guys. Many start and end their careers on either end of that spectrum.

Some, including many you’ll meet in this book, are extremely proficient hackers who have no time or inclination to identify with any community at all.

As a journalist, I was astonished at the number of people who came out of the woodwork to offer me exclusive access to the hacker community. I couldn’t help but notice that the members of the source’s hacker community were often people just like him or her. My point is there are many different types of people working in this field, and I can guarantee you that a lot of them are exactly like you.

Here’s another lie: He’s a luminary in the cybersecurity field.

He’s probably not. Fame and luminescence don’t typically intersect in this field. The people I’ve met who are actual geniuses aren’t famous, and most of them don’t have social media profiles. They tend not to pontificate on areas outside their expertise.

The people who are constantly headlining conferences and who are so often offered up to me for interviews have less insight than those who stay underground. Anything a high-profile hacker is willing to share typically carries with it a massive and crystal-clear agenda that I’ve learned to spot from a mile away. Even if a conversation is off the record, the intel coming from top government officials or other marquee corporate cybersecurity names carries little novel information.

The only people who have illuminated the way for me in this world—and in this book—have been genuine practitioners who never held a C-level title. You’ve never heard of them and because I’ve changed their names to protect their privacy, you probably never will.

They are luminaries not because of the degrees they’ve collected or the events they’ve headlined but because they carry a lantern that guides the path for others. These types of people typically don’t have a public relations team.

One of my favorite lies: He doesn’t know what he’s talking about.

This one is usually delivered by someone who asserts that he or she knows the cybersecurity field better than anyone else. These people will brag that they know what it’s like to be a hacker and can do things that no one else in the room can.

I’m always wary of those who try to establish their bona fides by discrediting the expertise of other cybersecurity professionals. The depth and breadth of this field is so vast that everyone who works in it is an expert at some part of it, and I have yet to meet someone who is an expert at all of it. Not even close.

Every view of an incident is informed by the viewer—what he sees, what her level of expertise is—and that changes over time. It’s like asking someone who lives in the Plaza to describe Manhattan, then asking someone who lives in a halfway house in East Harlem to do the same thing. Different pictures emerge of the same subject depending on your point of reference.

Then there is the final lie, the one that is the hardest to dispute, the lie of the Machiavellian technological wonder. The Lisbeth Salanders and Mr. Robots. The media loves to portray hackers, security experts, and intelligence professionals through a two-dimensional lens: they’re either crusaders for good or practitioners of evil, and they all wear