This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
📍 Today in Health IT, we are discussing how a teenage hacker became a legend attacking companies.
Then his rivals attacked him. This episode is brought to you by SureTest, revolutionizing healthcare IT with automated testing solutions. Learn more at thisweekhealth. com slash suretest. My name is Sarah Richardson. I'm a former CIO for several healthcare systems, most notably within HCA and Optum, and now president of this week Health 229 Executive Development Community, where we host a set of channels and events dedicated to transforming healthcare one connection at a time.
And I am joined by Drex DeFord, president of our 229 Cyber and Risk Community. Drex, welcome to the show. Thank you so much. I'm always happy to be here. And it's Friday! We are recording this on a Friday, and what a perfectly fascinating article to review, because I feel like this was one of those articles where you cannot make it up.
This talks about a teenage hacker involved in high profile cyber attacks on companies like Uber and Rockstar Games. And as a part of these groups, he showcased his technical skills while under protective custody. He started down this path when he was 11 years old. And then he got fame in the underground hacking community, making him a target for other hackers and shifted his status from admired to vulnerable.
I'll cover this last piece of his experience highlights the risks of seeking social validation in the digital underworld, where alliances can quickly turn adversarial. And it underscores the precarious balance between opportunity and threat. In the world of cybercrime, there are so many ways to go with this.
I want to get your take on it first, because this was a child who got involved in this. He is on the spectrum that was identified in the article, and his skill set was perfect for cyber, and yet he chose the
path
Of
IoT.
nefarious hacking because of the fame and fortune it can bring. So fill us in on some of your perspectives for this one.
It's a it's a really interesting story. It's from the Wall Street Journal. This is a London teenager. He grew up in Oxford. His name is Kurtage. He's been involved in online attacks since he was about 11 years old. His parents divorced when he was young. He wound up at about 14 in a residential school for kids with severe emotional and behavioral needs.
And from the time he's 14, he's worked, He's just been one of the bad guys. He's allegedly worked with the Iranian hackers to build distributed denial of service software, stuff that takes down websites or shuts down organizations by just flooding them with lots of content. He's been apparently involved in some really big hacks.
arts, stealing data. And in:They started doing SIM swapping. Once they were able to get into people's phones, they were able to get into their accounts like crypto accounts. So they started stealing Bitcoin and other crypto. And, that's, juicy stuff. Lapsus also broke into the Brazilian Ministry of Health.
And deleted the COVID vaccine databases there. They got into NVIDIA and Microsoft and Samsung and Rockstar Games. And then he was arrested. He's actually been arrested a few times. And after being arrested, he was put into protective custody because, as you said, his online rivals had doxed him.
And they put him under like physical protection. He was ordered not to use a computer and even under physical protection. Told not to use a computer in the hotel room. He figured out how to break into Uber. So ultimately now he's been tried and convicted. He's been sentenced to like an indefinite hospital stay.
He gets to appeal that on a regular basis. He's in a health system, he's in a hospital that's connected, obviously, to the internet, so there are a lot of laptops and computers around, so it makes you wonder what's happening in there. But the story is about this kind of challenge, I think, that we see with young kids who come from a community of online gamers, who've basically grown up using computers since old enough to hold grandma or grandpa's cell phone, and they become very proficient at technology and how to hack into it and make it do the things that they want to do.
And obviously that's a big part of the warning. These kids have challenges connecting in the real world and that leaves them only the computer world to find their way around. And obviously there's a lot challenges and concerns about that. So this is a crazy story. There's another crazy story, that I have talked about in yesterday's Two Minute Drill that'll be published on, that's published on Thursday.
But both of them are tied to this idea of really young, hackers. And you think about how they're getting in, they are using social engineering and exploiting contractors primarily, and that just goes back to those weaknesses in any organization's security systems, especially around access and identity management.
And I've been solving on this problem for over 20 years. It's actually a pretty easy problem to get in front of, and yet does take a pretty significant lift organizationally. And I'm always surprised, much like project governance, how hard it is to get the right process and structure into an organization when it comes to access and identity management as a component of your cyber hygiene.
It's incredibly difficult. It's, difficult for a lot of reasons, too. You have folks that obviously have new people coming on board all the time, so you have to onboard them, make sure that they get access to the right systems, and that isn't necessarily in most healthcare organizations today, a really clean thing, because every person apparently needs different access to different things.
And it makes it really difficult to standardize that work. And then that person changes jobs inside that health system, which means they move from one job to another and they get access to additional systems. The problem is you can find people that have 25 new PINs in a health system that somehow have access to everything in the health system.
And they're not a vice president. They're not maybe even a director. They just have moved through the organization and they have tons of access. And so if you can just hack that person, you can get to so many things in the network or applications that they use. and all the other things. And then we've also done a bunch of work now.
Obviously, as we went through COVID, we did a lot of software as a service. We outsourced a lot of things. We buy a lot of services now online. And all of that connects third parties and fourth parties to our networks. And we have to manage those identities and those capabilities too. So it's, tough.
It's a very tough job. It is. And yet the technology is there. So when you start thinking about. The growing cyber threats, especially healthcare, let's be honest, we all know that emerging threats can inform stronger defense strategies, and also the data breaches and ransom that we continue to see. The healthcare data is sensitive, it's valuable, and so when these kids especially are hacking into gaming systems and telecom systems, it's not that they can't get into the healthcare system, but at that age perhaps healthcare isn't as much on their radar.
And so I started thinking about, all right, You're a hacker with technical skills. If you have a history of nefarious activity, even if you've had to serve time for it, as an example, transitioning into ethical hacking, that can be a positive contribution to cybersecurity. And there's so many ways to do that.
But when we think about either joining a bug bounty program, which just sounds cool to me in general, like if you can go and get a financial reward for discovering. Responsibly reporting security vulnerabilities instead of saying, hey, I just hacked you and I did it for fun. And by the way, pay me to show you how to block that.
Penetration testing cybersecurity consultancy, teaching cyber, joining the law enforcement agencies doing this, security tools like cyber firms as we think about ways to move kids either into ethical hacking careers and getting in front of them effectively, or almost like rehab, becoming an ethical hacker, how viable of a strategy or approach is that in our organizations?
, this happens a lot of times, right? Some of this is just the, I want to help you understand that what you're doing is really cool and interesting and there's actually a right way to do it. Not cheating not being the bad guy, but actually helping the good guys because of the knowledge and the skills that you have.
Sometimes that takes. one of the bad guys being busted and going to jail or just having that public humiliation of something that's happened to them. Often law enforcement authorities will come to those individuals and offer them an opportunity to maybe not go to jail because they're going to Play a different role in society.
Hopefully it doesn't come to that, right? And what you can do is try to figure out how to get ahead of kids by, I think, teaching them and exposing them to all these other opportunities that are actually really cool, that align with their personal interests around taking things apart and understanding how they work and understanding how to get to the crown jewels inside of an organization, but doing it in a way that actually doesn't hurt the organization.
Helps them. And if I'm CISO today, I'm thinking about that. What does my cybersecurity talent profile look like? I want an ethical hacker on my team. I've had them in the past and the things that they find are fascinating. And then it creates that conversation with the board, with their C suite members, where you're really talking about the regular assessment of all the system vulnerabilities that we have.
Truly training our employees to prevent social engineering attacks and creating that level of awareness. And sometimes it can be hard to say, why do you want to hire an ethical hacker? If we have an ethical hacker, their job is to find our vulnerabilities and fix them and keep us constantly aware.
of what could happen in our organization. Articles like this are the exact things that I would be sharing with my peers and with my board. It's really interesting too. There's the other angle of this cartages are autistic and that certainly probably has, plays some role in all of this.
Being on the spectrum means kids like that can have an incredible amount of focus if it's something that they're really interested in. And sometimes, obviously, it can get them into trouble. But it also means that because they have Kind of the superpower of being able to focus when a lot of the rest of us get distracted with things.
It also makes them really great talent for things like security operation centers and there's a lot of great jobs for people that are on the spectrum and, have, like I said, I feel like this is in a lot of ways a superpower. So it's something for parents who have kids. Who have some of those challenges to guide them into the right kind of jobs and the right kind of roles.
Yeah, I couldn't agree more, especially with the proliferation of programs, availability, diagnoses, etc. that people have access to. Imagine if you're thinking about a career for your child. Or someone that you know specific to using that level of focus and capability for good in the world of cyber. We all need more of that.
Good for them too. Yeah. Thanks for joining me. It's always great when you and I get to riff on a Friday. It's the things that we get to talk about that we see all week long and beyond and bring it back to our audience. So I always appreciate time with you. Yeah. Thanks for having me on. I appreciate it.
Of course, remember to share this podcast with a friend or colleague. Use it as a foundation for daily or weekly discussions on the topics that are relevant to you and the industry. 📍 You can subscribe anywhere you listen to podcasts. That's all for now. Thanks for listening.