Executive Interview Series: Dave Piscitello


Welcome to another installment in our Executive Interview Series, where we sit down with some of the most influential figures in cybersecurity and network technology.

In this article, we spoke with Dave Piscitello, also known by his online moniker The Security Skeptic, who has more than 40 years of experience building and consulting on telecommunications, the Internet, and their security.

Although “quasi-retired,” in his own words, Dave is a partner at Interisle Consulting Group and directs the Cybercrime Information Center project for Interisle. He remains an active member of the global cybersecurity community and has co-authored three books, as well as written hundreds of articles on cybercrime, Domain Name System (DNS) technology, and other related topics.

Earlier in his career, he served as the Vice President, Security at ICANN, where he also served on the Security and Stability Advisory Committee (SSAC) and was instrumental in the creation of ICANN’s Domain Abuse Activity Reporting (DAAR) system.


Dave’s involvement in networking technology from its birth in the 1970s to its current upheaval in the age of AI marks him as a rare voice of wisdom, earned in the trenches and honed as a policymaker and cybersecurity researcher.

This interview has been edited for your reading enjoyment, highlighting the very best insights from a conversation littered with gems. 

The Makings of a Cybersecurity Researcher and Skeptic

Q: How did your early work in networking evolve into a career focused on cybersecurity?

I’ve actually been involved in networking since the mid-1970s.

At that time, the internet was experimental, largely Department of Defense technology. I was working for a computer mainframe manufacturer, Burroughs, which was a provider of equipment for the SWIFT network. My early exposure was focused on enabling connectivity, which was the central challenge of the time.

In 1988, I joined Bell Communications Research, shortly after the divestiture of AT&T, where I was tasked with helping the Baby Bells transition into the internet era.

Since I didn’t want to move, my introduction to security was very practical: I had to figure out how to create a remote worker environment for myself. This involved literally building things on “pins and paper clips,” like punching holes through firewalls and creating our own tunnels.

Through that process, I learned an immense amount about early firewall development, authentication methods, and the necessity of encryption.

As the dot-com era began, I moved into consulting.

There was a very limited number of people doing this kind of work, which allowed me to focus heavily on providing remote connectivity to small businesses and satellite offices. My involvement with security evolved organically with the network: first came remote access, then identity management, and quickly into intrusion detection, spyware and malware protection, and defeating denial-of-service (DDoS) attacks.

For about nine years, much of what I learned and practiced was by the “seat of my pants” until the dot-com bubble burst.

Q: Tell us about what it’s like working as an international cybersecurity educator and consultant.

After the bubble burst, I took a position at ICANN, the Internet Corporation for Assigned Names and Numbers, where I was asked to work with the Security and Stability Advisory Committee (SSAC).

This group was tasked with identifying threats and misuse focused on the Domain Name System (DNS): how it was being exploited through domain hijacking, domain tasting, and name system poisoning. We provided deep-dive analyses on these topics.

One thing led to another, and I started training law enforcement. A simple 30-minute chat with an FBI agent turned into full-day, multi-day seminars.

By the time I left ICANN in 2018, I had trained law enforcement at the international and national levels all over the world, including Europol, Interpol, and agencies across Western, Central, and Eastern Europe, on how to identify and investigate phishing, spam, and malware and gather evidence for global takedowns.

During my time at ICANN, we also recognized the acute need for measurement.

At a bar in Los Angeles, a few of us decided, “Why don’t we just measure it all?” This led to the creation of the Domain Abuse Activity Reporting (DAAR) system. When I later joined Interisle Consulting Group, we evolved this work into the Cybercrime Information Center (CIC).

The CIC project is a vast system to collect threat intelligence data. We ingest tens of millions of records annually from multiple sources, looking at everything from where cybercriminals concentrate their registrations and hosting to why they go there.

We’ve demonstrated that criminals gravitate toward free and cheap resources. If a top-level domain (TLD) has more registration restrictions and a higher price, our research shows that it is less attractive to cybercriminals. Conversely, the prevalence of free or cheap, unverified domains and hosting services is linked to widespread abuse.

Highly secured TLDs like .Bank and .Insurance serve as excellent corroborations of our research.

Cybercrime-as-a-Service and the Dangers of AI

Q: What are the most significant trends you are tracking in the evolution of cybercrime right now?

The big worry for me is the professionalization and commoditization of cybercrime, which is best summarized as the rise of cybercrime-as-a-service.

Criminal activity is no longer perpetrated by individuals or small groups. Cybercrime is a commercial, albeit illicit, enterprise. Criminal entrepreneurs are creating full-service platforms. Just as you can subscribe to software-as-a-service, bad actors can also subscribe to spam-as-a-service, malware-as-a-service, and fraud-as-a-service.

These services are one-stop shops that operate on affiliate or subscription models. A criminal pays a fee and gets everything needed to launch an attack: domains, hosting, and even assistance in composing the attack.

The introduction of generative AI is accelerating this commoditization. It’s not necessarily making criminals “smarter,” but it’s making them dramatically more efficient and reducing their costs.

AI is being used to generate really, really credible phishing emails and compose extremely strong, solid impersonation sites that look identical to major brands. The core novelty, the human element of deceit, is still required, but the AI automates all the necessary scutwork.

Another trend we’re tracking is the resurgence of older, effective techniques, specifically the use of visually similar deceptive strings in phishing.

Five years ago, this attack vector had been largely abandoned, but we’re now seeing it recycled. This involves incorporating misspelled words or visually similar characters (homoglyphs) to trick users into believing they are visiting a legitimate site, such as using Chase Bank with a zero instead of the letter ‘o’ in a URL. This requires constant vigilance and sophisticated detection tools.

Q: Given the rapid advancement in criminal capabilities, where do you see the cybersecurity industry headed?

We are headed toward a critical tipping point driven by three major factors: technology, economics, and human capital.

On the defensive side, AI is going to play the same role it does for criminals: eliminating scutwork.

Defenders and investigators will use AI to process enormous computational environments and large data sets faster, allowing security analysts to move away from hand-examining logs. However, this only elevates the need for expert human thinkers who can look at the data and think “out of the box” to predict and circumvent novel attacks.

This brings us to the second, more concerning factor: the critical talent gap and burnout crisis. I observe an enormous disconnect in the industry, where you have people north of 55 and people under 35, and the middle seems to have burned out.

This is largely due to enormous pressure, work overload, and economic pressure that often causes companies to view security as an “expense center” rather than a revenue center.

Organizations reduce security staff and expect fewer people to do more, which is a recipe for failure. By putting people in positions of extreme stress and workload, we drive away million-dollar investments in expertise. Some of the most respected of my contemporaries retired early or left the field entirely to become a photographer, vintner, and even a lay minister. 

When you combine the talent drop with economic compression—where companies try to get more out of fewer resources—and the acceleration of automation on the criminal side, you have a perfect storm scenario.

Attackers are highly organized, global criminal conspiracies making revenue that most Fortune 1000 companies would envy. We must stop thinking that we can stop these people by treating them like small businesses.

If you’re a bank, you need to realize you have big conspirators attacking you, and you may be steamrolled by organizations that have more revenue than you do.

Banks of All Sizes Can Still Do a Lot To Protect Themselves

Q: What are some actionable steps banks can take to improve their cybersecurity posture?

For banking leaders looking to shore up their defenses against these sophisticated threats, there are several foundational and practical steps that should be prioritized immediately.

1. Implement Secure Identity and Transaction Management

The identity and authentication of your users are paramount. Any transaction not using multi-factor authentication (MFA) creates a significant vulnerability.

Biometrics is one of the better ways to implement MFA. Encourage and, where possible, require customers to use biometric factors (fingerprint or face) for authentication, especially for sensitive financial transactions.

Also, we should move to apps. I believe fewer consumer transactions should be done on the web, as web environments are generally more vulnerable. You have more control and can enforce stronger authentication and security within a well-written mobile app environment. Focus on moving the kinds of transactions most likely to be attacked into a secure mobile application.

2. Uphold Rigorous Hosting and Domain Hygiene

The infrastructure you use to serve your website and email is a critical attack vector that is often overlooked, especially by smaller financial institutions concerned about cost.

Banks should be cautious about being on virtual IP hosting. If you’re on a hosting company that has a reputation for hosting phishing attacks, your bank’s domain could end up on the same virtual IP address as a bunch of domains with bad reputations. 

Blacklist operators will downgrade your reputation based on this proximity to criminality. This can be easily mitigated by using a dedicated IP address, which ensures your reputation is not contaminated by your “neighborhood.”

Another thing banks must do is actively look for and take actions to mitigate visually similar or deceptive strings in TLDs—this is how many phishing campaigns target your customers.

You need to be actively looking at zone data every day, using tools that check for domains that are one character away from your brand string. It’s a resource-intensive process, but it can be automated using AI agents trained specifically for this task. If our CIC project can do this post-mortem (after the attack), the same screening techniques can be applied in real time. Ideally, such screening would be performed before domains are registered.

Finally, understand the vulnerabilities of your domain name system (DNS) and your content management system (CMS). If you are using simple, often vulnerable, small business solutions for your public-facing systems, you are creating a weak entry point. Ensure your entire DNS infrastructure measures up to recommended practices, even if it requires a greater investment.

3. Formalize Collaboration and Intelligence Sharing

Given the sophistication and global nature of the criminal entities, collaboration is a necessity for defense.

You should use the Financial Services Information Sharing and Analysis Center (FS-ISAC) to share actionable and timely intelligence about threats across the vertical. The pace and breadth of attacks are accelerating, and you cannot afford to have a siloed view of the threat landscape.

Also, contemplate enabling cross-community efforts—specifically with the DNS world. If the banking and DNS communities share intelligence, there is a better chance of acting against a particular conspirator who is registering batches of fraudulent domains before the phishing campaign even begins.

Using verifiable TLDs like .Bank is really valuable. Because of how they’re run, the .Bank and .Insurance domains don’t have any phishing. Other domains, like .zin, are really cheap and make an easy business case for criminals. They’re low-hanging fruit.
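As an added illustration of the daily zone-data check Dave describes (this is example code, not Interisle’s CIC tooling or anything from the interview), the script below folds look-alike characters and flags labels within one edit of a protected brand string. The brand label, the confusables table, and the domain feed are all constructed for the example.

```python
import unicodedata

BRANDS = ["examplebank"]  # constructed brand label to protect (no TLD)
# Look-alike characters folded to the ASCII letter they imitate. Deliberately
# tiny; a real list would follow the Unicode UTS #39 confusables table.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "8": "b",
              "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0456": "i", "\u0455": "s"}  # Cyrillic
DIGRAPHS = {"rn": "m", "vv": "w"}  # two characters that render like one

def fold(label: str) -> str:
    """Lower-case, drop accents and hyphens, fold look-alike characters."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    s = "".join(HOMOGLYPHS.get(ch, ch) for ch in s)
    for pair, single in DIGRAPHS.items():
        s = s.replace(pair, single)
    return s.replace("-", "")

def edit_distance(a: str, b: str) -> int:
    """OSA distance: insert, delete, substitute or adjacent swap each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def screen(domains, brands=BRANDS, max_distance=1):
    """Return (domain, brand, reason) for each domain whose first label is a
    homoglyph match for, or within max_distance edits of, a protected brand."""
    hits = []
    for domain in domains:
        label = domain.lower().rstrip(".").split(".")[0]  # ignores multi-label suffixes
        folded = fold(label)
        for brand in (b for b in brands if b != label):  # skip the bank's own domain
            if folded == brand:
                hits.append((domain, brand, "homoglyph"))
            elif edit_distance(folded, brand) <= max_distance:
                hits.append((domain, brand, "edit-distance"))
    return hits

# Constructed sample feed standing in for one day's newly observed domains.
SAMPLE_FEED = ["examplebank.com", "examp1ebank.net", "exarnplebank.com", "ex\u0430mplebank.com",
               "examplebnak.org", "example-bank-login.com", "weather-today.com"]
```

Running `screen(SAMPLE_FEED)` flags the digit, digraph and Cyrillic look-alikes as homoglyph matches and the transposed label as a one-edit match, while the bank’s own domain and the unrelated names pass.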

Q: What are you working on now that ICANN retired DAAR?

DAAR is not dead. We took the DAAR concepts and principles, and we did version two—that’s what the Cybercrime Information Center is.

I think DAAR broke the ice.

And I’m happy that ICANN’s doing the Domain Metrica and reporting. Now you have the NetBeacon Institute (formerly DNS Abuse Institute) publishing and reporting. The industry is doing more reporting.

More is better. Many are also trying to do this in a very professional, scientific manner and coming up with numbers that will inform policymakers. 

It’s important for people to realize that ICANN doesn’t speak for the hosting community. ICANN doesn’t speak for the country code community. Yes, there’s a ccTLD group, but it’s not every single ccTLD on the globe. So ICANN represents only a part of the solution. 

What you do with the data that you collect, with the research you perform, is the most important step. Doing the research isn’t trivial, but once you have the data in front of you, you have to figure out how to use it for the public benefit. And that’s something that I really would hope that ICANN will take to heart.

My Interisle partners and I don’t do this because we need the money at this point. We do this because it still needs to be done and there’s just not enough people who are paying attention to it.

