A career in cybersecurity was probably the last thing on John Fokker’s mind as he was speeding across the Indian Ocean with his fellow Marines towards a ship crewed by pirates. But as it turns out, there are a surprising number of similarities between the two disciplines.
Now Head of Cyber Investigations at security firm McAfee, the combat Fokker finds himself in today is more virtual than physical, but high-stakes nonetheless.
In a world in which cybercrime is increasingly lucrative and ever more sophisticated, attackers and defenders are now engaged in perpetual conflict, each trying to outwit and outmaneuver the other.
While he acknowledges his route into cybersecurity was an atypical one, Fokker told TechRadar Pro his experience in the military actually provided him with the perfect grounding.
“When you take away all the technical elements, ransomware is very much like a hostage negotiation situation. Especially when you look at the emotional state of threat actors and victims,” he said.
“Ransomware is one of the few cyberattacks where you as the victim interact with the cybercriminal. From a psychological point of view, it’s very interesting; everybody wants something from someone else.”
A unique grounding
A job with the Royal Netherlands Marine Corps was, for Fokker, an antidote to the drudgery of the office job he took up after graduating with a degree in computer science. It wasn’t about the combat necessarily, more about doing something different.
He spent eight years as a Marine in total, the last five of which with the Special Operations Branch working counterterrorism, counterpiracy and hostage rescue, which took him across the globe.
In North Afghanistan, where he was stationed for a time, Fokker was tasked with provincial reconstruction, which involved helping local civilians build infrastructure such as schools and water pits, and keeping the engineers safe in the process.
At another posting in Somalia, he was part of a team based on a Navy ship, whose job was to monitor pirate activity in the area.
“We did a lot of close range reconnaissance at night to see where the main camps were and who was ready to sail out; it was a lot of intelligence gathering,” he said. “If there was any indication a pirate ship was about to sail out or was operating at sea, or if there was a hostage situation, we would intervene.”
As glamorous as this might sound, Fokker said he eventually tired of the lifestyle, which kept him away from home for all but a few weeks each year. He chose to pass up a role as a ranking officer in the Marine Corp in favor of a different flavor of combat.
“I saw the nature of what was going on in the world shift,” he told us. “Even though I wasn’t actively in the cybersecurity realm, I could see that this was the future.”
Cybersecurity comes calling
Although Fokker had set his sights on a job in cybersecurity, he didn’t transition immediately to civilian life, instead taking on a role as a digital investigations expert with the Dutch national police.
As part of the organized crime team, he went after drug kingpins, assassins and other criminals of a similar class, tapping their phones and analyzing the recordings. On occasion, though, he found himself lurking in the undergrowth in a ghillie suit aiming to “sniff their Wi-Fi”, proving that cyber investigation doesn’t all take place behind a desk.
He also played a role in various malware investigations and botnet takedowns during his time with the police. According to Fokker, despite the country’s diminutive size, the Dutch find themselves the heart of many international cybercriminal investigations.
“The Netherlands is small, but a lot of internet backbones terminate in the country, so it’s a central hub and there’s a lot of web hosting,” he said. “From the very beginning, the Dutch police have been involved in a lot of investigations, purely because that’s where cybercriminals host their systems.”
However, while the police get to handle the most serious cybercrime there is – the “dire stuff”, as Fokker called it – the extent of their influence is limited in some respects. The main problem is that only a small percentage of cybercrime victims file a formal report, limiting the scope of police investigations.
“[The police’s] view on cybercrime isn’t necessarily incomplete,” Fokker told us, “but it could be limited to the reports that arrive on their plate. And the total threat landscape might actually be much larger.”
To illustrate his point, he gestured towards the official figures from the Internet Crime Complaint Center (IC3), which suggest business email compromise is the most threatening form of attack. However, anyone operating in cybersecurity will tell you that the damage from ransomware is much greater; it just doesn’t get reported via official channels.
Another problem is that intelligence sharing can be challenging, because government entities are hamstrung by specific processes and international politics.
“Right now, I can hang up the phone with you and call the NCAA or FBI and I can share information no problem. In the police, the various rules and international treaties make that kind of collaboration a lot tougher,” Fokker told us.
At McAfee, in the private sector, he says he enjoys a level of flexibility and dynamism that was unavailable to him in the previous role.
“I think it’s the best job in the world,” he said. “We get to hunt cybercriminals, figure out what’s going on and protect our customers. And if we have valuable information that could lead to attribution or be helpful to the police, within certain circumstances we’ll share it.”
Asked whether there is ever a reluctance in the industry to share intelligence with other security vendors, due to competition between them, Fokker laughs.
“Nobody is looking to steal technology or criticize other people,” he says “Actually, everybody has a piece of the puzzle and we all try to work together to build as complete a picture as possible. It’s not as cutthroat as you might imagine.”
A different kind of hostage negotiation
A lot of Fokker’s time today is spent thinking about one type of cyberthreat in particular: ransomware.
According to all manner of studies, ransomware attacks are becoming more elaborate, more effective and more lucrative for operators, who have been emboldened and are demanding greater and greater ransom fees.
A report authored by researchers at Coveware, for instance, found that the average ransom payment reached an all-time high in Q1 2021, at $220,298. The rise was attributed to one particularly opportunistic group, called CloP, which capitalized on a specific vulnerability to seize the data of a raft of organizations.
Recent data from Kaspersky, meanwhile, shows ransomware is also becoming ever more targeted, with attacks on high-profile victims such as corporations and government agencies growing by 767% year-on-year.
What fascinates Fokker, though, is the psychological element of ransomware attacks and the strange dynamic established between the attacker and victim.
“As with real-life hostage situations, victims are very vulnerable in the first few minutes and hours after an attack. Often, they’re trying to get their bearings and sometimes make over-hasty decisions without taking the time to evaluate what’s going on,” he explained.
There is an element of strategy to mitigating ransomware that does not apply to traditional malware attacks, he says. It’s not just a technical problem, but a psychological one that requires the victim to “size up the criminal” and react accordingly.
“I’ve also seen plenty of cases of cyber Stockholm Syndrome, where the victims that do end up negotiating are thankful to the perpetrator,” Fokker told us. “It’s almost like a real hostage situation where somebody forms an emotional bond with their captor.”
To pay or not to pay
In 2017, in a bid to assist the many victims of ransomware, Fokker founded a project called No More Ransom, which archives free decryptors that can help people recover their data without caving in to ransom demands.
The service grew quickly and became the first ransomware portal built off the back of collaboration between law enforcement and the private sector; fitting, given Fokker’s personal career path.
No More Ransom currently offers decryption tools for a range of different ransomware strains, such as Avaddon, Zigggy, Fonix, Judge and Darkside, with more being added all the time. It also helps people diagnose the type of infection they are suffering from, by cross checking information provided with known malicious URLs and Bitcoin addresses.
When there is no decryptor available, however, the question becomes whether or not to negotiate with the attacker. According to the No More Ransom website, the advice is never to pay the ransom, full stop.
“Paying the ransom is never recommended, mainly because it does not guarantee a solution to the problem. There are also a number of issues that can go wrong accidentally. For example, there could be bugs in the malware that makes the encrypted data unrecoverable, even with the right key,” reads the FAQ page.
“In addition, if the ransom is paid, it proves to the cybercriminals that ransomware is effective. As a result, cybercriminals will continue their activity and look for new ways to exploit systems.”
However, Fokker concedes that the complex mixture of factors at play means the problem isn’t quite that cut-and-dry in reality, particularly for businesses.
“In the trenches, some companies are presented with a different threat, because it turns into a business decision. For example, they may find themselves in a situation in which they would have to lay off employees if they refused to pay the ransom and data was leaked. There are tons of companies that are in a situation where they have no choice but to pay.”
The ultimate goal, he says, is that the approach to cybersecurity matures to the point at which ransomware victims no longer have to make that decision. By having solid backups in place and a clear strategy in anticipation of an attack, the hope is that the ransomware business model can be shattered once and for all.