Cybercrime is out of control.

網路犯罪已經失控了。

It's everywhere.

它無所不在。

We hear about it every single day.

我們每天都會耳聞這樣的事件。

This year,

在今年，超過 20 億筆紀錄 遺失或遭竊。

over two billion records lost or stolen.

而在去年，有一億人， 其中大部分是美國人，

And last year, 100 million of us, mostly Americans,

健保資料落入竊賊手中， 我也身受其害。

lost our health insurance data to thieves -- myself included.

更令人擔憂的是：

What's particularly concerning about this is that in most cases,

在大多數事件中，

it was months before anyone even reported that these records were stolen.

就算有人回報資料被偷， 往往也是幾個月之後的事了。

So if you watch the evening news,

所以你看到晚間新聞報導時，

you would think that most of this is espionage or nation-state activity.

你可能會認為這些大部分是 諜報或國家層級的行動。

And, well, some of it is.

嗯，有些的確是。

Espionage, you see, is an accepted international practice.

如你所見，諜報活動 已經是一種「國際慣例」，

But in this case,

但在這個案例當中，

it is only a small portion of the problem that we're dealing with.

它只是我們所面對難題 其中的一小部分。

How often do we hear about a breach

我們是否經常聽到這些入侵事件，

followed by, "... it was the result of a sophisticated nation-state attack?"

被描述成： 「這是件精心策劃的國家攻擊行動」

Well, often that is companies not being willing to own up

通常，這是公司不願意承認

to their own lackluster security practices.

自身安全措施失靈的推托之詞。

There is also a widely held belief

而且這些公司普遍相信，

that by blaming an attack on a nation-state,

只要將攻擊歸咎於某個國家，

you are putting regulators at bay --

就可以逃避主管機關的監督──

at least for a period of time.

或是至少拖延一段時間。

So where is all of this coming from?

那麼實際上網路犯罪從何而來？

The United Nations estimates that 80 percent of it

聯合國估計 80% 的網路犯罪，

is from highly organized and ultrasophisticated criminal gangs.

來自具有高度組織 且分工精細的犯罪集團。

To date,

時至今日，

this represents one of the largest illegal economies in the world,

網路犯罪已是世界上 最大的非法經濟體之一。

topping out at, now get this,

而在這之上 ──大家聽好了──

445 billion dollars.

是 4,450 億美金的獲利。

Let me put that in perspective for all of you:

我來給大家更具體的概念：

445 billion dollars is larger than the GDP

4,450 億美金已經超過了

of 160 nations,

160 個國家的國內生產總值，

including Ireland, Finland, Denmark and Portugal,

其中包括愛爾蘭、芬蘭、 丹麥和葡萄牙......

to name a few.

等等國家。

So how does this work?

這個體系是如何運作的？

How do these criminals operate?

這些罪犯又如何進行作業？

Well, let me tell you a little story.

讓我說個小故事給你們聽。

About a year ago,

大約一年前，

our security researchers were tracking

我們的資安研究員正在追蹤一個

a somewhat ordinary but sophisticated banking Trojan called the Dyre Wolf.

看似尋常卻很精密的 銀行木馬程式── Dyre Wolf。

The Dyre Wolf would get on your computer

這隻程式會進入你的電腦，

via you clicking on a link in a phishing email

是因為你點擊了 釣魚信件中的網址──

that you probably shouldn't have.

你不應該點擊的。

It would then sit and wait.

接著它會守株待兔，

It would wait until you logged into your bank account.

等待你登入銀行帳戶。

And when you did, the bad guys would reach in,

到時候，歹徒就大手一伸，

steal your credentials,

盜用你的身份，

and then use that to steal your money.

然後偷走你的錢。

This sounds terrible,

這聽起來很嚇人，

but the reality is, in the security industry,

但事實上，在資訊安全領域，

this form of attack is somewhat commonplace.

這種形式的攻擊還算常見。

However, the Dyre Wolf had two distinctly different personalities --

然而，Dyre Wolf 程式 具有雙重人格──

one for these small transactions,

其中一個是針對剛提到的小額交易，

but it took on an entirely different persona

但如果你的工作 會接觸到大筆金錢往來，

if you were in the business of moving large-scale wire transfers.

它就會展現出截然不同的另一面。

Here's what would happen.

過程會是這樣的。

You start the process of issuing a wire transfer,

當你啟動匯款流程，

and up in your browser would pop a screen from your bank,

在瀏覽器上， 你的網路銀行會跳出一個畫面，

indicating that there's a problem with your account,

顯示你的帳戶出現問題，

and that you need to call the bank immediately,

你必須馬上打電話給銀行，

along with the number to the bank's fraud department.

並附上銀行防詐騙部門的專線號碼。

So you pick up the phone and you call.

於是你拿起電話撥過去。

And after going through the normal voice prompts,

經過一連串看似正常的語音指示後，

you're met with an English-speaking operator.

你被轉接給一位英語客服。

"Hello, Altoro Mutual Bank. How can I help you?"

「哈囉！奧多羅互助銀行。 很高興為您服務。」

And you go through the process like you do every time you call your bank,

接著你一如往常進行整個流程：

of giving them your name and your account number,

給出你的名字、帳戶、

going through the security checks to verify you are who you said you are.

回答安全問題以確認你的身份。

Most of us may not know this,

大部分的人可能不知道，

but in many large-scale wire transfers,

在許多的鉅額轉帳中，

it requires two people to sign off on the wire transfer,

規定要經過兩個人的確認，

so the operator then asks you to get the second person on the line,

接著客服請第二個人聽電話，

and goes through the same set of verifications and checks.

然後進行同樣的確認流程。

Sounds normal, right?

聽起來很正常吧？

Only one problem:

只有一個問題：

you're not talking to the bank.

在電話另一端的不是銀行。

You're talking to the criminals.

和你通電話的是歹徒。

They had built an English-speaking help desk,

他們還設置了英語客服中心，

fake overlays to the banking website.

並製作了假的銀行網站。

And this was so flawlessly executed

在這天衣無縫的過程中，

that they were moving between a half a million

每一次作案，就會有 50 萬 至 150 萬美金的不法所得

and a million and a half dollars per attempt

落入歹徒的口袋。

into their criminal coffers.

這些犯罪組織的運作

These criminal organizations operate

就像紀律嚴明的合法企業。

like highly regimented, legitimate businesses.

他們的員工從週一工作到週五，

Their employees work Monday through Friday.

週末則是放假休息。

They take the weekends off.

我們為什麼知道？

How do we know this?

這是因為我們的資安研究人員發現

We know this because our security researchers see

每當週五下午， 惡意程式都會大量出現。

repeated spikes of malware on a Friday afternoon.

這些壞蛋們陪老婆小孩度過週末，

The bad guys, after a long weekend with the wife and kids,

之後就可以回來驗收成果。

come back in to see how well things went.

「暗網」是他們棲息的地方。

The Dark Web is where they spend their time.

這個詞是用來描述 隱藏在網際網路中的匿名空間。

That is a term used to describe the anonymous underbelly of the internet,

竊賊們在此得以匿名行事，

where thieves can operate with anonymity

而不會被人發現。

and without detection.

他們在此兜售攻擊軟體，

Here they peddle their attack software

並且分享各種新的攻擊技術。

and share information on new attack techniques.

在那裡，你能買到任何東西，

You can buy everything there,

從基本等級的攻擊服務

from a base-level attack to a much more advanced version.

到更進階的版本都有。

In fact, in many cases, you even see

在很多地方，你甚至會看到

gold, silver and bronze levels of service.

被區分為金、銀、銅等級 的各種攻擊服務。

You can check references.

你可以查詢他人的推薦心得。

You can even buy attacks

你所購買的攻擊服務

that come with a money-back guarantee --

甚至還能有退款保證──

(Laughter)

（笑聲）

if you're not successful.

如果你的攻擊沒有成功。

Now, these environments, these marketplaces --

這樣的環境、這樣的交易市集，

they look like an Amazon or an eBay.

看起來跟亞馬遜或 eBay 一模一樣。

You see products, prices, ratings and reviews.

你看得到產品、價格、評分跟評論。

Of course, if you're going to buy an attack,

如果你要買攻擊服務，

you're going to buy from a reputable criminal with good ratings, right?

你當然會向評分高、 名聲好的罪犯購買，對吧？

(Laughter)

（笑聲）

This isn't any different

這就像你要到一間新的餐廳之前，

than checking on Yelp or TripAdvisor before going to a new restaurant.

會先到 Yelp 或 TripAdvisor 網站 查詢評價一樣。

So, here is an example.

我舉個例子。

This is an actual screenshot of a vendor selling malware.

這是從惡意軟體販賣者的網頁 所擷取的真實畫面。

Notice they're a vendor level four,

他是屬於第四級的販賣商，

they have a trust level of six.

他的信賴度則是第六級。

They've had 400 positive reviews in the last year,

他在去年得到 400 個正面評價，

and only two negative reviews in the last month.

而在上個月的負面評價只有兩個。

We even see things like licensing terms.

我們甚至在上面看到授權條款。

Here's an example of a site you can go to

另外這個網站，

if you want to change your identity.

如果你想要改變個人身分， 可以上去看看。

They will sell you a fake ID,

他們販賣假身分證、

fake passports.

假護照。

But note the legally binding terms for purchasing your fake ID.

特別注意有關購買假證件的法律條款。

Give me a break.

饒了我吧！

What are they going to do -- sue you if you violate them?

就算你違反了這些條款， 他們能怎樣？控告你嗎？

(Laughter)

（笑聲）

This occurred a couple of months ago.

就在幾個月前，

One of our security researchers was looking

我們的一位資安研究員

at a new Android malware application that we had discovered.

正在分析新發現的一個 Android 惡意程式。

It was called Bilal Bot.

這個程式叫 Bilal Bot。

In a blog post,

在一篇部落格文章中，

she positioned Bilal Bot as a new, inexpensive and beta alternative

她（部落格作者) 將 Bilal Bot 定位為

to the much more advanced GM Bot

新穎、便宜、待測試修正的、 另一個 GM Bot 程式的替代品，

that was commonplace in the criminal underground.

而 GM Bot 更為先進， 在地下黑市非常普及。

This review did not sit well with the authors of Bilal Bot.

Bilal Bot 作者對此評論感到不滿。

So they wrote her this very email,

所以他們寫了這封信給她，

pleading their case and making the argument

除了為產品辯護，

that they felt she had evaluated an older version.

並認為她所評測的是舊版程式。

They asked her to please update her blog with more accurate information

他們要求她更新部落格 以提供更正確的資訊，

and even offered to do an interview

甚至要求當面對談，

to describe to her in detail

好向她詳細解釋

how their attack software was now far better than the competition.

他們的攻擊程式如何比競爭對手更好。

So look,

所以你瞧，

you don't have to like what they do,

你不需認同他們的行為，

but you do have to respect the entrepreneurial nature

但你得敬佩他們

of their endeavors.

在努力的過程中 所流露出的創業家特質。

(Laughter)

（笑聲）

So how are we going to stop this?

所以，我們要如何阻止這一切？

It's not like we're going to be able to identify who's responsible --

並不是說我們要找出某個人 來追究責任──

remember, they operate with anonymity

記住，他們都匿名行事，

and outside the reach of the law.

置身法律之外。

We're certainly not going to be able to prosecute the offenders.

我們確實無法起訴這些犯罪份子。

I would propose that we need a completely new approach.

我提議，採用完全不同的作法。

And that approach needs to be centered on the idea

這個作法的核心觀念是：

that we need to change the economics for the bad guys.

我們要顛覆那些壞蛋的經濟體系。

And to give you a perspective on how this can work,

為了讓你們了解這個方法為何有效，

let's think of the response we see to a healthcare pandemic:

先回想我們如何面對以下這些傳染病：

SARS, Ebola, bird flu, Zika.

SARS、伊波拉、禽流感、茲卡病毒。

What is the top priority?

第一要務是什麼？

It's knowing who is infected and how the disease is spreading.

是知道誰受到感染 以及疾病如何傳播。

Now, governments, private institutions, hospitals, physicians --

現在，包括政府、私人機構、 醫院、醫師──

everyone responds openly and quickly.

所有人都能開放、迅速地 做好應對工作。

This is a collective and altruistic effort

這樣的集體利他行為，

to stop the spread in its tracks

遏止了疾病的傳播，

and to inform anyone not infected

並告知尚未被感染者

how to protect or inoculate themselves.

如何自保或接種疫苗。

Unfortunately, this is not at all what we see in response to a cyber attack.

不幸地，在面對網路攻擊時， 我們看到的完全不是這樣。

Organizations are far more likely to keep information on that attack

組織更傾向於 將受到攻擊的相關資訊

to themselves.

採取保密。

Why?

為什麼？

Because they're worried about competitive advantage,

因為他們擔心失去競爭優勢、

litigation

面對法律訴訟、

or regulation.

或是接受監督管理。

We need to effectively democratize threat intelligence data.

我們必須有效率地 將網路威脅情資公開。

We need to get all of these organizations to open up and share

我們必須讓這些組織

what is in their private arsenal of information.

開放並分享他們的情報資料庫。

The bad guys are moving fast;

犯罪份子的手法一日千里，

we've got to move faster.

我們必須走在他們之前。

And the best way to do that is to open up

最好的方式便是開放

and share data on what's happening.

並且共享即時資訊。

Let's think about this in the construct of security professionals.

讓我們從資訊安全人員的角度 來反思一下。

Remember, they're programmed right into their DNA to keep secrets.

要知道，這群人 保密的天性深入骨子裡。

We've got to turn that thinking on its head.

我們得扭轉這樣的習性。

We've got to get governments, private institutions

我們得想辦法讓政府、私人機構，

and security companies

還有資安服務業者，

willing to share information at speed.

願意迅速地分享資訊。

And here's why:

原因如下：

because if you share the information,

若是共享訊息，

it's equivalent to inoculation.

就像是接種了疫苗。

And if you're not sharing,

若是拒絕共享，

you're actually part of the problem,

我們就等於是共犯，

because you're increasing the odds that other people could be impacted

因為你可能助長了他人

by the same attack techniques.

被相同手法攻擊的機會。

But there's an even bigger benefit.

這麼做還有更大的好處。

By destroying criminals' devices closer to real time,

用近乎即時的速度消滅犯罪工具，

we break their plans.

我們也破壞了歹徒的計畫。

We inform the people they aim to hurt

我們能用罪犯措手不及的速度，

far sooner than they had ever anticipated.

預先告知民眾， 他們已經成為攻擊目標。

We ruin their reputations,

我們能破壞他們的聲譽，

we crush their ratings and reviews.

毀掉他們的評分及評論。

We make cybercrime not pay.

我們讓網路犯罪無利可圖。

We change the economics for the bad guys.

我們顛覆犯罪份子的經濟體系。

But to do this, a first mover was required --

但要達成這個目標的第一步，

someone to change the thinking in the security industry overall.

是要有人來改變 整個資安產業的思維。

About a year ago,

大約一年前，

my colleagues and I had a radical idea.

我同事和我有個大膽的想法。

What if IBM were to take our data --

如果把全球最大的 網路威脅情報資料庫──

we had one of the largest threat intelligence databases in the world --

也就是 IBM 擁有的資料庫──

and open it up?

把它開放出來如何？

It had information not just on what had happened in the past,

這裡面不只有過去事件的歷史紀錄，

but what was happening in near-real time.

還有近乎即時的資安動態資訊。

What if we were to publish it all openly on the internet?

把這些資料都公開會變成怎樣呢？

As you can imagine, this got quite a reaction.

可想而知，這構想招來激烈反應。

First came the lawyers:

首先是律師問：

What are the legal implications of doing that?

「在法律上會有什麼瓜葛？」

Then came the business:

接著是商業人士：

What are the business implications of doing that?

「在商業上會有什麼含義？」

And this was also met with a good dose

我們還遇到許多聲音

of a lot of people just asking if we were completely crazy.

質疑我們是不是徹底瘋了？

But there was one conversation that kept floating to the surface

但是在我們參與的每場對話當中，

in every dialogue that we would have:

有一個論點持續、逐漸地浮出檯面，

the realization that if we didn't do this,

就是我們瞭解到：

then we were part of the problem.

如果不開放資訊，

So we did something unheard of in the security industry.

我們就成為網路犯罪的共犯。

We started publishing.

所以我們做了 在資安產業中前所未有的事。

Over 700 terabytes of actionable threat intelligence data,

我們開始將資料公開。

including information on real-time attacks

超過 700 兆位元組的資安威脅情報，

that can be used to stop cybercrime in its tracks.

其中包含即時的攻擊資訊，

And to date,

可以協助我們阻斷網路犯罪。

over 4,000 organizations are leveraging this data,

時至今日，

including half of the Fortune 100.

超過四千個組織正在利用這些資料，

And our hope as a next step is to get all of those organizations

包含全球百大企業的一半以上。

to join us in the fight,

下一步，我們希望所有的組織