
The Ransomware Attack Whack-a-Mole Conundrum


About This Episode

This week we catch up with Matthew Ferraro, an attorney at the international law firm Wilmer Cutler Pickering Hale and Dorr and a former intelligence officer. He has written extensively on national security and legal issues and most recently authored the CNN opinion piece “Ransomware attacks are about to get worse. But there are ways to stop them.”

He shares with us his perspective on the role of governance in the continued pursuit to thwart ransomware groups, which can feel like a “whack-a-mole” battle. He also dives into the growing deepfakes-as-a-service business and the differences between “the liar’s dividend” and “the zealot’s dividend.” Be sure to read his CNN op-ed on the growing ransomware threat.


      [02:30] Why Ransomware Attacks are About to Get Worse

      Rachael: Today we have Matthew Ferraro. He is counsel at the international law firm Wilmer Cutler Pickering Hale and Dorr. He's here in a personal capacity, I do want to preface that.

      Matthew: Wonderful to be with you, and yes, it's vintage Ferraro all the way through here. So you're going to get just me, and 100% Ferraro all the way.

      Eric: In your personal capacity. Actually, we did a good bit of research. Yale, Cambridge, Stanford, that's a pretty impressive educational history there. I went to Oxford for a night. There were some great pubs there, but that's as close as I got to that level. Really impressive background here, with that and your work history.

      Rachael: Now, let's talk about this amazing CNN opinion piece that you wrote. Ransomware attacks are about to get worse, but there are ways to stop them. You put forward so many great ideas and perspectives here that I would love to dig into a bit further. And you were telling us about this great book, The Future of Violence. You cited that within your article. Could you give just a quick primer on that?

      Matthew: The Future of Violence is a book by Benjamin Wittes and Gabriella Blum. But they introduced the democratization of violence, which I ruthlessly just rip off for my op-ed piece, although I did link to the book in the op-ed piece. The idea there is that technology has changed in such a way that the world is getting smaller, think about that.

       

      The Role of a Ransomware Attack in the Democratization Cycle

      Matthew: Modern technology has placed the capacity for harm in the hands of individuals and not just states, and individuals all over the globe. So it means we're all vulnerable to each other, and the democratization of violence describes literal kinetic violence. Like bio-weapons that you cook up in your kitchen, or drones that you weaponize in your garage, but also cyberattacks. My point was that ransomware is just another step in that democratization cycle.

      Eric: I read the first paragraph and I stopped and then I read it again. I probably read it four or five times thinking about it. It really makes you think about the change in society, the implications. Then your mind starts rolling, like, what about tech in general, and how have things evolved.

      I went back to the advent of the car, thinking about the term cyberattacks, ransomware and the like. How has crime changed over time? Before the vehicle, crime was relatively isolated to either travelers coming through your town or village or your area, or people who live there.

      Then the automobile made it possible for people to extend their range, if you will, and then the airplane. But when you think about IT, now, as you talk about in the op-ed piece, it's really a global reach that people have, and a very low-cost, high-consequence capability.

      Matthew: And distance, which you allude to there with the car, means nothing in cyberspace. So you can be anywhere. You can be in Estonia and you can do violence, in scare quotes, to me from 5,000 miles away, and I to you. That is part of the insight, it's this two-way street.

       

      9/11 and Ransomware Attack

      Matthew: Indeed, I wrote the piece for CNN because they come to me and say, "Can you connect the 20th anniversary of 9/11 to ransomware?" And I said, "Well, I actually can," because what 9/11 showed was, with horrifying clarity, the outsized power of individuals to wreak havoc on an open society.

      Eric: Leveraging technology.

      Matthew: It was both very high-tech in that case, and very low-technology. Just a sort of brute force that allowed them to hijack the planes. But the fact that we had the planes and that they carried so much fuel and all the rest of it, was the sine qua non. It was the thing that they really needed before anything else.

      So now the idea is, look what cyberhacking has done as well. The example that I pointed to in the piece, in ransomware, is Colonial Pipeline. When that suffered its ransomware attack, it shut down oil supplies across the East Coast leading to gas shortages. The thought experiment that I asked the reader in the piece was to consider what it would have taken in a pre-cyber era for that same outcome.

      Eric: Right, you're talking kinetic.

      Matthew: Like what kind of kinetic attack would you have needed? How many people would you have needed? What kind of trucks?

      Eric: C-4 explosives.

      Matthew: And guns.

      Eric: Exactly, coordination, and it's a lot more than a keystroke.

      Matthew: And the fact that it could be done from so far away, assuming it was Russian-backed hackers, I need to check my notes. But from so far away, without firing a shot, which I suppose is in some ways better, but a question mark.

      Eric: It depends on the consequences that you've got to consider also, better, worse.

       

      From the Defender Perspective

      Matthew: There was a report recently of a hospital that lost a child because of a ransomware attack, so that is quite violent.

      Eric: Not just the attack, but one of the things you got me thinking about was the escape. If you had to drive trucks and do physical work to destroy a pipeline or incapacitate a pipeline, you've got to be there to do that. You're not in a foreign country, protected by a government potentially, long distance away, out of harm. You are right there, and then you've got to make your escape.

      In the case of Colonial Pipeline and most of these ransomware attacks, you're already safe. But you're not there. I think about that from the defender perspective, it almost makes the physical defense of attacks, not easier, different. But the risk profile is so low.

      Matthew: The incentives are a bit different. I'm a lawyer, and so you think about things like jurisdiction. It's much easier to prosecute someone who is within the jurisdiction of the United States than someone who is overseas. We talk about Estonian ransomware hackers.

      Think also of Nigerian romance fraudsters, people who convince lonely hearts to fall in love with them. Send them money and gift cards and whatnot.

      Basically, if they were outside the writ of the courts, hard to get anybody extradited, and all the rest of it. It's harder to fathom solutions because in some ways it exists in an ungoverned space. It is of course, cyberspace, not the streets and the valleys and the mountains that we think of when we think of territory.

       

      The Legal Challenges in a Ransomware Attack

      Eric: That's assuming you can even identify them, find them, and incarcerate them. Then the whole legal challenges you were discussing. But with ransomware, it's not like Joe who just blew up a pipeline was captured locally and you have him. You may not even know who did it, because it's behind keystrokes, in a different country, protected by a nation-state, potentially. It's a crazy world.

      Matthew: It's a more and more difficult world with a lot more threats and defenses that we're all called upon to man.

      Eric: The same technology that allows us to record this podcast in three locations across the United States provides the same technology to the criminal, to the adversary, to do harm to the United States, or really any country. There was a line in there that I also fixated on. "Ransomware extortions have become a self-sustaining ecosystem of criminality," and basically what you're saying is, there's a lot of treasure.

      There isn't a lot of risk. Essentially, there's this self-sustaining ecosystem or business that's being created. You use some statistics in this. One of the reports, a 57-fold increase from 2015 to 2021 in ransomware cost to the global economy.

      Matthew: That was a report that I cited. That's really interesting. It's important to highlight because when it comes to ransomware, the benefits of paying, it almost always makes sense to pay. It depends on what the ransom is. But usually, if the criminals are smart enough, they'll pitch it at a low enough cost point, price point. So it just makes more sense to pay, with relatively high likelihood you'll get your data back. Not always for sure.

       

      [11:38] Incentivizing a Future Ransomware Attack

      Matthew: So the benefits are individualized, you get the benefit. The costs, the moral hazard of incentivizing future attacks, is socialized. Society bears those costs, and you get the benefit. That is the problem because then, as I said, it is self-sustaining. Then this money goes to the bad guys, who can then continue their attacks. They're unlikely to attack you again.

      Eric: But there are plenty of targets.

      Matthew: Yes, and increasingly so. There are businesses, police stations, hospitals, governments of all kinds. The internet is ubiquitous. Online connectivity is ubiquitous. So everything is now connected to the internet. Individuals. It's not the kind of thing that has a silver-bullet solution. It is a many-different-element solution.

      Eric: It's a typical good cybersecurity problem where there is no silver bullet. The adversary always has the advantage, and they can try as much as they want to. They only have to get right once, and it's crazy. I was thinking about the article, and we don't have to spend the whole show on the article. But I was like, "Okay, so what do we do about it?"

      Especially with ransomware, you're talking about state and local governments and businesses. You're not talking about the United States government and major Fortune 500 companies, which have enough trouble protecting their infrastructure and their data. You're talking mom-and-pop businesses, school systems, it's not a focus for them.

      So I don't think better technology, better defense is the answer. Honestly, I don't think it's a tenable situation there. You're not going to buy technology, and the adversary just finds a way through it even if you do. What I wrote down was, how do you raise the cost to the adversary?
       

      Transaction Costs

      Eric: How do you raise the cost to the adversary is probably the only answer I could come up with. Or the only good question that could drive to a satisfactory answer.

      Matthew: I talk about transaction costs, which is a fancy way of saying friction, how do you increase friction? Just before we move off of it, I do think defense is part of it, for sure. 

      Ransomware begins with a malware attack, or with the placing of malware on a system. The more you can do to make sure that your staff is using two-factor authentication, that they're aware of these threats. That they're not clicking on links, that you've got good hygiene when it comes to what's coming through your firewall. All of those things are important.

      Eric: I have yet to see a business or government organization where they are deemed impenetrable.

      Matthew: Because there are so many targets, one, the more that you raise the cost, the harder it is for them to do it. So they'll move on to the next target, which benefits the potential victim. But okay, so one would be obviously bolstering defenses.

      The second is that I really think that the government should act where businesses can. Then take basically all of the actions in their power to disrupt the ransomware activities of foreign states, of criminal gangs.

      So, what does that actually mean? In my mind, it means employing diplomatic pressure, progress on taking ransomware groups offline, and sanctions relief. Like, "We'll give you relief on sanctions if you take these ransomware groups offline." If the ransom groups reside in those countries, usually in Eastern Europe, indicting bad actors.

       

      A Ransomware Attack Wants to Visit Disneyland

      Matthew: It's important to indict them even if we can't necessarily prosecute them. Sometimes they want to visit Disneyland. They want to get on a plane and they want to go to Orlando, then they get picked up at the airport. It happens. Or they have to transfer through Schiphol in the Netherlands, and they get picked up by the Dutch.

      These things can happen, and extraditing and prosecuting them when we can get our hands on them. Then potentially, this is really in the government's bailiwick, taking any kind of offensive action against ransomware groups. These are things that the private sector cannot do, so this is where the government must act. This really is a governance problem because it exists in this territory that is not really governed. That's like step one of several more steps.

      Eric: Which goes into raising that cost, as I thought more about it. If you're a local school district, you're on the school board. You're not raising that cost other than the defense angle. We should invest a higher percentage of our budget into basic cybersecurity, maybe training, things like multi-factor.

      But they're not going to go after a persistent ransomware group operating out of Kazakhstan. Local school board, they probably can't even spell Kazakhstan. Nothing against the school board, but they're not going after Kazakhstan.

      Matthew: No, but that's totally part of it. I mentioned as well the importance of interrupting this payment cycle, this thing that creates the self-sustaining cycle of criminality. That's a little bit harder. But we saw that OFAC, the Office of Foreign Assets Control, and the Treasury Department, issued sanctions on the first ever virtual currency exchange. It was Russian or in the Czech Republic.

       

      How a Ransomware Attack Could Harm the Adoption of Crypto

      Matthew: I was asked if I thought doing that would harm the adoption of crypto more broadly. Part of me actually thinks the opposite is true. If there could be more to clean up crypto, so it isn't this malefactor's bazaar of every terrible thing you could think of being paid for in cryptocurrency. It makes it easier for companies and clients to deal with due diligence, know-your-customer issues. Then if they're more confident using crypto, it actually could lead to greater adoption.

      That's an area where more regulation could help. It should be said that in Colonial and others, because they went to the authorities early, they were able to trace some of the crypto to wallets and get the money back. That's something important. It's important that the government should work with companies to do more of that to make it less profitable.

      Someone once told me that they thought going after ransomware groups was like playing whack-a-mole. To which my response is, "Have you ever played whack-a-mole when you're the mole?" It's no fun when you're the mole.

      Eric: I haven't, but I imagine it hurts when that little padded mallet smacks you in the head.

      Matthew: The idea is that even if it's whack-a-mole, if it's a particularly aggressive whack-a-mole, you actually can get some benefits. Which ransomware group, to extend our metaphor, wants to keep getting bopped on the head?

      Rachael: It's an interesting perspective, too, the government getting more involved. Particularly, Colonial Pipeline was very much this catalyst moment. We saw the current administration start putting out executive orders. I heard there are 18 cybersecurity bills that are soon to come before the Senate.

       

      [19:29] The Trickle-Down Effect

      Rachael: There's a lot of opportunity with the regulations, to that point. But what's the trickle-down effect though, as businesses then have to start adapting to these new regulations, and following new compliance measures? It seems like it could get tricky, and sometimes, it's easier just to pay the ransomware and pretend like it didn't happen.

      Matthew: Sometimes it is. But, at least some of the bills out there, like the Ransomware Disclosure Act, which I believe moved out of the Senate committee, would require certain entities to report.

      Eric: There's a disclosure component.

      Matthew: That's the kind of thing that companies should be doing already. They should be talking to the FBI because, first of all, on the very practical point, it's going to make it easier for them to trace the crypto. Second, there are legal considerations. I will say that any company should talk to their lawyers. I'm not giving you legal advice, but it's rare that paying a ransom is illegal.

      A lot of things would have to line up for that to happen. Again, speak to your lawyers, but that's the general thing. You still want to talk to the government about it because they're going to have a certain expertise. Increasingly, the FBI is assigning different field offices to different ransomware groups. Like this Russian ransomware group is being honchoed by the Charlotte FBI office, or the Houston. So they're going to want to connect you with their pros, there's a certain benefit there. 

      The other thing that the government could be doing, is that the more the government does to establish a modus operandi, the less it leaves to the courts and civil litigants to figure out. 

       

      Issues of Liability and Negligence

      Matthew: Colonial's a subject of at least two class actions that I know of, perhaps more. A judge will end up having to determine issues of liability and negligence and rules and standards. It's just much easier in my mind for the experts in the federal government, often working with industry in sort of a comment period or process.

      To establish those baseline guides and to make that clear, then to leave it to judges to do in the context of litigation. Often, what will happen is there'll be lawsuits. But then they can look to what the federal guidelines are and that can help resolve some of the lawsuits.

      Eric: I want to go back to that sharing component. When I talk to my government clients, they are usually talking about government-industry partnerships and sharing malware. We want signatures, we want to know IOCs, indicators of compromise, indicators of behavior, we want all of this stuff. They just want it, it seems. I don't know why. They collect it, they have no good way to use it or disseminate it. The ISACs are about the best I've seen, and there's some good value there.

      But then you look at something like the Sunburst attack reported last December. A lot of companies, Microsoft and SolarWinds and a few others were caught up in that. You recognize that what FireEye did when they detected the problem and they went public immediately, saved a lot of catastrophic loss. No way to calculate it, it's not tangible.

      You can't just measure how much, but by FireEye getting that out there and not just saying, "We have a problem. If we talk about this we could have a liability here for our shareholders."

       

      Preventing Downstream Consequences of a Ransomware Attack

      Eric: They went right to the government, and they went to SolarWinds. To me, that was selfless. They were thinking about the global community as opposed to, "Okay, what's the liability? What's the risk here for us if we disclose this? Our shareholders, our stock price," you name it.

      It prevented significant downstream consequences or the continuation of loss. It allowed customers, the government and everybody else to much more quickly respond and deal with the issues at hand. I'm a big one on disclosure. Hey, you have a problem? Talk about it. Fix it.

      Matthew: Oftentimes, if you're in communication with law enforcement that's going to be protected. There were a lot of protections to it. It can also just be down to that of the industry and of society.

      Eric: In my experience, which is not massive, but I've been involved in some major public cases that have been out there. The government is very tight-lipped about these. Sony has a problem and is working with DHS. DHS can't tell anyone, doesn't want to tell anyone. Just making that example up. So they don't want to publicize it, and they're very siloed in the way they work. You could see that same attack hitting 52 other companies, except you really don't see it.

      Matthew: That's an area where it is imperative for the government to be disclosing as well. They have to be a good partner in this, because it really is only in working together. Some of the time, for the obvious reason that the targets are going to be private. But also, the pipes that the data travels on are going to all be owned by private companies.

       

      Be a Good Steward

      Matthew: You have to be a good steward, and I will say that from what I've seen in the past few years. There has been more of a recognition of that through the CISA and the maturation of that has gone through. Now there's a StopRansomware.gov website that CISA stood up. It’s supposed to bring all of the different stakeholders together. If anyone is listening to this podcast, if your company is a victim of ransomware, you can go to that website.

      Eric: There's some good content there. You don't have the Staples Easy Button where, if you're under a ransomware attack, you hit the button and it just stops. But there's some good content, go there before you have an issue. Look at it, educate yourself, learn about this space, learn about what could be a problem for you. It's probably better before than after.

      Matthew: Absolutely, and I should say, this is not just plugging my law firm. But you should talk to your lawyers and others who will help you update your cybersecurity plans. This absolutely has to be part of your planning. I will say it's been a very busy summer for us. We have a lot of clients who are interested in this, given everything that's been in the news. So yes, you want to prepare before.

      I was just reading James Baker's biography, the former Secretary of State and Houstonian. He had a phrase, the five Ps, "Proper preparation prevents poor performance."

      Eric: We had six in the military, but I won't go into that. But yes, it's a great phrase. We were infantry and we still used it, so it applies.

       

      Proper Preparation From a Ransomware Attack

      Matthew: What was the sixth? I think I know what it means.

      Eric: Bodily function. You would use it very frequently with privates who did something and failed to prepare or think about something.

      Matthew: Proper preparation prevents poor performance, it applies to ransomware as well.

      Eric: Well, anything in cybersecurity, like plan for it.

      Matthew: Or life, I suppose.

      Eric: It worked with young privates too.

      Rachael: That's part of the issue, though. A lot of people are, "What are the chances? I'm a mom-and-pop," and they're not really following all this stuff. Our CEO has a great story. He knows someone who runs a plastic surgery practice in Los Angeles, and works with pretty notable people. And he came around like, "Oh, wait a minute, what if I got hacked?" They love to do the before and after pictures which, if those got out, how do you protect yourself? But that's an outlier.

      I don't know if a lot of smaller private businesses are thinking about this. How do we raise that awareness and get people to take action instead of waiting for that catalyst moment like Colonial Pipeline? "Well, maybe we should probably invest now that we just shelled out a million dollars in ransomware cryptocurrency payment"?

      Matthew: It's basically like anything else. Buying insurance, you have to put money up front to prevent a deeper loss. Part of it is consciousness-raising, like through this podcast. Also, part of it is recognizing that for that mom-and-pop, or that doctor's office. It's not that much of an investment to start raising those defenses.

      It's two-factor, making sure that your crown jewels, as it were, or the most sensitive information, like those before-and-afters, might be segmented on your drive.

       

      [29:51] A Ransomware Attack Is Not the Priority Right Now

      Eric: Or a different network, not connected to the internet.

      Matthew: If you can do it as a standalone, that would be fabulous, with an air gap. Anything like that would be beneficial. But so in actual dollars and cents it's not that much. It is just the attention and spending a little bit of money on it now.

      Eric: But how many plastic surgeons, I'm looking at a neighbor who's a vascular surgeon across the street with a couple of offices in the DC area, think about it? He doesn't. How many people think about that with all the business problems they have, especially in times of COVID? They're working COVID protocols, what can we do? That's the priority right now, not ransomware that they've not been hit by.

      Matthew: But they all have insurance. They have liability insurance, they might have flood insurance, they have employee insurance, and they all have an IT system. They'll all pay somebody to come and give them a basic IT system. I know a fellow who wrote a book called Start-Up Secure. It was building cybersecurity right from the ground up of any business and any startup. It has to be, I guess penetrated in terms of the public mind sufficiently that you recognize that it's the thing that you're going to have to address.

      Eric: If you go to a convention of plastic surgeons and three people are talking about getting hammered by ransomware, all of a sudden it's probably top of mind. There will be some loss before, in many cases. Or the insurance companies may come back and ask questions regarding the insurance costs and ratings.

       

      Cybersecurity Insurance

      Matthew: I actually haven't seen this yet, but there has been some talk in the press of insurance companies becoming more skittish of paying out ransoms. Because more sophisticated companies, not necessarily the mom-and-pops, but the more sophisticated ones will have cybersecurity insurance. It will cover ransomware attacks, but those are all based on tables. If too many people start asking for payments then it starts messing with the models.

      Eric: It's like a beachfront house basically in the water. You know that thing's going to be expensive on the insurance side.

      Rachael: In Europe, didn't one of the ransomware gangs actually target a ransomware insurance company to see who all the clients were? So that they could get paid, they knew they were guaranteed payment. So it's smart.

      Matthew: That is wise, in a devilish kind of way.

      Eric: Criminals are smart.

      Matthew: They put themselves towards good.

      Eric: Sometimes it's more lucrative to not do good, especially if the risk is almost nonexistent. Looking at, what is that risk factor? I understand why they do it. I'm not condoning it but I do understand why they're in that business and why they're making money. They're absolutely smart.

      Matthew: There was a raid in a foreign country whose name is escaping me and they seized a Maserati. It was a ransomware gang. They seized $100,000 in cash and a lot of really fancy materials. You hit enough people with $40,000 ransom demands and you live in a relatively low rent country. You're going to have a lot of stuff. You gain the world but lose your soul. That's really the issue.

       

      Deepfakes and What They Do Versus a Ransomware Attack

      Rachael: I was reading some article that there was a deepfake that had passed a photo company. This is what they do, they know photography. There was one that made it past their desk that they didn't even pick up on, and that's truly scary.

      People right now, they think of it as a joke. Like on the internet, "Ha ha, I'm putting my face on Obama's body," or something like that. "Oh, it looks scary." This can get really dark really fast, and we've only scratched the surface here.

      Matthew: I do write and speak to clients on synthetic media, on deepfakes. That it is a major change, almost a revolution in media. I do like the phrase revolution because revolutions don't necessarily have solutions. It's not clear to me that deepfakes are going to be "solved." We're just going to deal with them. By that, I mean, we're going to live in a world in which there's much more very believable false media.

      That media is going to be created by many more people in a democratization of technology and, if you will, "violence". There are many different kinds. So, the real nightmare scenario would be time, say, for a period of great tension between North Korea and the United States. Maybe there is a war game going on in the Korean peninsula.

      There's a deepfake that is created of President Biden announcing that, because of a recently discovered Korean perfidy, he is going to be launching a first strike against Pyongyang. Say as well that this is timed with a cyber hack in which a malefactor, bad actor, gets access to the White House Twitter handle.

       

      A Compound Attack

      Matthew: So they start circulating this video from the White House account, and it goes viral.

      Eric: Some level of credentials there.

      Matthew: I'm imagining a compound attack in which, maybe they've gained access to the Twitter account. But they've laid in wait for months because they want to time this for the moment of maximum peril. So then this video goes viral and the Kim regime sees it. They're not sure it's true.

      They think it might even most likely be fake, but there's like a 10% chance that it's actually true. That their death is imminent, and the entire reason for the North Korean regime is the survival of the Kim family. So what are they going to do? They would probably, in their mind, counterattack by firing artillery across the DMZ into Seoul, where 30 million people live, and millions would die.

      Then of course there would be an attack which the US would have to respond to. It would all have been started because of a fake video, and whoever created it. Whatever bad actor, China, Iran, or a private actor, would be laughing, so to speak, as all this went down. That would be the terrible worst-case national security scenario, but there are many others.

      One that's common right now, a future threat, is deepfake non-consensual pornography. This is the placing of a non-consenting person's face on a nude body in such a way that it looks like a realistic pornographic image. It targets women almost uniformly. Lots of celebrities online, in the back alleys of the internet, but also increasingly regular people.

      Eric: I haven't heard of this. Is it for extortion purposes?

      Rachael: It's for humiliation.

       

      [38:34] Market Manipulation

      Matthew: It's just awful behavior towards people. It's sometimes ex-lovers or people like that.

      Eric: Like, "I don't like Jennifer Aniston. I put her face on somebody else's body and I circulate it."

      Matthew: For celebrities it might be a certain kind of sexual gratification, like they want to see these celebrities nude. When it's average people, a friend of mine named Henry Ajder in the UK put out a study. He found something like 600,000 average women had been victimized by this. Some of that, it's more animus or gratification.

      It is a serious issue. It's a little under-reported because obviously who would ever want to admit to this? There's a woman in Australia who was a victim of this and then became an outspoken advocate for the rights of women and girls in these situations. But that's a problem, and then in the business context, which I think a lot about because of my professional role, there's market manipulation, and this happens a lot already with just fake news and fake social media posts. They announce a merger on social media and the stocks rise. But it was just all a feint to drive the price up so that they could derive a benefit.

      Or perhaps they announce some regulatory action that drives the stock down and they've taken a short position. So, imagine that not just with text announcing these things, but video of the two CEOs shaking hands but the video is fake. Or a news conference where a "US attorney" has announced an investigation into company XYZ, but it's fake. So there would be that, and then also, just social engineering.

       

      Employment Law Issues

      Matthew: Especially now we're all at home, and then you get an email from Stan in IT. He says, "Oh, your credentials are expired. Let's have a Zoom call and I'll reset them," and he comes on. He even looks like Stan from IT because Stan from IT's photos are all over the internet. They can create a deepfake of that. Then you hand over your credentials, thinking, of course, you've even double-checked, because your company policy is you have to have a video chat. You can't do it by phone because phones are not reliable enough.

      Eric: And you saw Stan, so it's got to be good.

      Matthew: Now he's got access to your network, and he can place it with malware, he can steal IP. There are some employment law issues. One can imagine an undercover video showing an employer doing something aghast. Maybe they're sexually harassing someone, and it turns out that it's fake. Or there's at least an open question as to whether or not it's fake, but they use that perhaps for extortion purposes.

      Basically, any time you rely on the media for anything, which is all the time, there is a danger here. It's really interesting and it's growing. Right now, there is a spectrum. The best deepfakes are very convincing. 

      I would point listeners to the work of Chris Umé, who's Belgian-born but now lives in Thailand. He created for TikTok these really believable deepfake videos of Tom Cruise, and he hired a Tom Cruise impersonator named Miles Fisher. All he had to replace on the impersonator to make it look like Tom Cruise was from his lip line to his hairline. So not that much geography, not that much landscape.

       

      A Phony Disclosure

      Matthew: He did it well enough that it is really quite believable. You can go online, and I will say Chris is very talented, but he's also smart. He didn't have Tom Cruise saying anything that was defamatory or anything like that. He's just having fun. That's one, and two, the account that he uses is called DeepTomCruise. It's right there in the name, a disclosure that it's phony.

      Eric: There are people who will believe it.

      Matthew: That's the very best end, and Chris is a professional. He has a lot of skill and he has the right kind of computer hardware. On the worst end, you can use face-swapping apps like Rachael mentioned, and things like that. There's still the delta between the two. Just technology being what it is, you're going to see that delta narrow and narrow.

      Pretty soon, we'll have the ability to just make deepfakes on our phone. In the interim, the interim step is what I call deepfakes-as-a-service, DFaaS, or software-as-a-service. DFaaS is where you go to a service provider. Chris Umé has a company now called Metaphysic AI, in which you say, "I want to create a deepfake of myself. I want to speak in foreign languages because I have such a large employee base. Half of my employees are in India. I want to be able to speak to them in their language about our latest strategic plan. So create a deepfake of me talking to them." That would be an example. There's a fascinating new company out there. It's a start-up but it promises to revolutionize dubbing into foreign languages.

       

      An Interesting Change

      Matthew: When you look at a movie now, they would hire actors in foreign languages to record the dialogue, which would then basically be dubbed over the English dialogue. They now want to change it so that they move the lips of the actual actors, so that it matches more seamlessly the words of the foreign voices. That would be an interesting change.

      Then I will say, artistic uses are going to be a very prominent, popular example. You're going to be able to de-age older actors so that they can play their younger selves. You can put deceased actors into movies. I will say that this is an actually interesting legal area. New York recently passed the first law in the country that creates a statutory right to one's digital likeness postmortem if one's an actor.

      So you can actually register with the state your likeness if you're an actor. Once one dies, one's family will be able to collect royalties for 40 years. Anyway, it's really interesting.

      Eric: You said at the beginning of this section here, it's a revolution and it may not have an answer. If we have to live with it, deepfakes, you can't believe what you're seeing in all cases. In fact, even if it is legit, you should be questioning whether it's legitimate or not. How do we do that? Okay, we're going to live with it. Now what? What do I tell Mom? Hey, you got to question everything. I get that far, but what do you do?

      Matthew: That is a very popular issue, which is called the liar's dividend. It’s a phrase coined by Bobby Chesney and Danielle Citron, two law professors.

       

      [45:04] Why Deepfakes Are Powerful

      Matthew: It says that deepfakes are very powerful because they give the liar this dividend, this value. Because they can now deny the reality of any true media that is inconvenient.

      The classic example is that former President Trump is now saying, I read this in Vanity Fair, that the Access Hollywood tape, in which he was on tape bragging about grabbing women, is fake. So that would be like an example of the liar's dividend, because it's a benefit that accrues to him.

      Eric: But then people question, was it real, was it not real? Or legitimate data, the inverse.

      Matthew: I've coined my own term, we'll see if this goes viral. I call it the zealot's dividend. That's when it's not even the subject of the media who just dismisses any true-life video evidence, media evidence, as being fake. Again, the supporters of former President Trump are a good example here.

      President Trump came on television on January 7th to forswear and criticize the rioters and insurrectionists who broke into the Capitol. Some of his supporters said, "That has to be a deepfake because he would never turn against us," you know? They're not even the subjects of the media, but they latch onto this idea that media can be fake.

      So what do I tell Mom? The first thing is to be skeptical but not cynical, which is to say, put on your thinking hat. Look for indicia of falsity, and there are many. The face doesn't look right, the eyes don't blink, and all of that, without buying into the cynicism that there's no such thing as truth or falsehood. Like that it's just one thing and not the other.

       

      Two Ways to Handle Deepfakes

      Matthew: That's a big part of it. The second is that there are things that we can start adopting from a technical standpoint. We're not quite there yet, but there are basically two ways to handle deepfakes technologically. One is to detect deepfakes after the fact. There is some progress being made on detection software by Microsoft and others. The second is to use what's called digital provenance. It's basically when you take a photograph or a video, you tag it with metadata.

      Eric: Almost like a digital watermark.

      Matthew: Exactly, and the digital watermark gets stored in blockchain so it can't be tampered with. That's getting more popular now because of the pandemic, in a very basic application, for insurance companies. They can't send insurance adjusters, so they've been sending claimants software by Truepic. It’s a company that I know and like, and they download it and they take photographs.

      The photograph is marked by a watermark and a bunch of other stuff. Then the insurance adjusters know that it hasn't been tampered with when they review. There's that, and I'll just draw an analogy to close us out. I have an old passport in my family, and it's of my grandfather. If you open it, it's just his photograph stapled into the passport. There are no watermarks. It's not behind plastic, but that was considered a legitimate and trusted passport back in the day.

      But as forgery technology has improved, as photography became much more common, you had to come up with different kinds of standards. Now, my passport is laminated, and it's got holograms. If I try to show up and board a plane with my grandfather's style passport, it would give rise to questions of whether or not it was legitimate.
       

      Moving Ransomware Attacks in the Priority List

      Matthew: Something similar might very well happen with the media now. When I open a video on my computer and I don't see a watermark or a bug to suggest that it's been made with, say, provenance technology, or that it's passed some sort of scan, then I'll be a little bit more skeptical. That's happened in the past and it might well happen in the future.

      Eric: We need to move that up faster on the priority list. We'll see if people pay attention. 

      Rachael: Matthew, thank you so much for joining us this week.

      Matthew: This was so much fun. Thank you for having me.

      Rachael: As always, hit that subscribe button. We'd love to show up in your mailbox every single Tuesday with a fresh episode, and until next time, stay safe.

       

      About Our Guest

      Matthew Ferraro Cybersecurity Lawyer

      Matthew F. Ferraro is an attorney and former intelligence officer who writes widely on national security and legal issues. Currently, Mr. Ferraro is a counsel at the international law firm Wilmer Cutler Pickering Hale and Dorr. He counsels clients on matters related to defense and national security, cybersecurity, and crisis management. In the international mergers and acquisitions sector, Mr. Ferraro helps clients navigate complex transactions before the Committee on Foreign Investment in the United States (CFIUS).