
A
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular, in one integrated solution that's built for performance and scale. You can find them at meter.com CST.
B
I have.
A
A special show today. I want to look at what we can learn from the world of espionage and intelligence in terms of social engineering. Now, if you watched last week's show or listened to it, you'll have seen that we did a whole background on how espionage and cyber security are linked and how nation states act. So it was a great show. And if you missed it, I urge you to go back and dial it up, because it was really pretty good, if I do say so myself. But I want... And second of all, I've got to tell you, I've got to say I've read a lot of studies and papers and I think that they all come to the same conclusion, that 90% of statistics given in tech shows are made up. No, it's not that bad. But it's not entirely true. But the reality is, exact numbers, I think people would agree, are hard to come by. But there's been a growing realization that, and you could find people who say it's 40%, it's 90%, but that a major part of cyber attacks are either led by what we call social engineering or it forms a significant part of the attack. We like to think in terms of technology, that there's some real whiz kid, and we see them on TV and they type, type, type, type, type, and they get through all your defenses. In reality, that's a minor part of it. Most of it is done by how people who are very smart fool people who are also very smart. And that can be anything from phishing or vishing, or, with the big attacks we've heard about, where clever people trick experienced help desk people or users into giving them their passwords, even when they're administrators of a system. It might seem incredible, but it is. And the idea came up, and we were talking about it after our last show, hey, let's talk about this in terms of intelligence, because there's a parallel there. I won't do the whole show in my introduction, but there's a parallel in terms of how intelligence works and how social engineering works.
And I can't think of two better guys than Neil Bisson, who spent a lot of his career in intelligence and was with CSIS, the Canadian Security Intelligence Service. Recently retired, but can't stop working. So he's got his own podcast now. Welcome, Neil.
C
Thank you. Yeah, you're right. Can't stop doing the stuff I do when it comes to intelligence. It's just in my blood now.
A
There you go. And David Shipley. Now, David might be best known in Canada and the U.S. as the Monday morning newscaster and panelist, but he actually has a real day job, and that's leading Beauceron Security. And in that role he's really, I think, developed, become one of the, I think one of North America's experts in phishing and social engineering, and has done some of the best data collection in this area, and has access, all anonymized. It's not... we want to make sure we always say it's legit data, but he's been able to assemble probably one of the biggest data sets in terms of this area and understanding that. Welcome back, David.
B
Thank you so much. I'm excited to be part of this conversation.
A
Yeah. So I want to start with this, Neil. Recruit me. Like, I'm... because I think this is a big part of it, a big part of the job of an intelligence officer is finding clever idiots or useful, what do they call them?
C
A useful idiot is definitely one of the things that we've all heard before when it comes to intelligence. Hopefully it's not just idiots that we're recruiting.
A
But yeah, that's the only promise, that I'll come up to that level.
C
I'm sure you're going to surpass the idiot pretty easily, Jim. You strike me as a guy who's well beyond that. But what... And there's a perfect example of what a recruitment tactic is. I just gave you a compliment, I used your name, and I made you feel better about yourself. Right. So those are just things that automatically come off as, okay, maybe it's good to talk to this guy Neil. He makes me feel good when I talk to him. So those are some of the examples of how social engineering kind of endears yourself to the person that you're trying to get closer to, find out more about, or potentially recruit. Because at the end of the day, when you work for a HUMINT, or human intelligence, organization, your job is to recruit sources. Or in the States they might call them agents or assets, depending on what intelligence organization you deal with. But yeah, that's your day to day. You want to get out there and you want to talk to people who have access to that information. You're looking for three things. Are they suitable to be someone who works in intelligence for you? Do they have access to the information that you want them to have access to? And what are their motivations? And those are basically, in a nutshell, what you're looking at when it comes to an intelligence recruitment.
A
And where do you go to study this?
C
Oh, I can't tell you.
A
You have to kill me.
C
No, to be honest with you, there's a lot of... It's interesting that intelligence organizations always feel like they're the big keeper of secrets, but there's a lot of information out there, open source information about social engineering, human sources, recruitment, intelligence activities. You'd be surprised what you can find. Because I do a weekly show, the Global Intelligence Weekly Wrap-Up, and I pull open source information about intelligence all the time. With my experience as an intelligence officer, I can use that open source information and I can give insights into maybe the story behind the story. But yeah, it's even universities. I offer a course at the University of Ottawa called the Psychology behind Human Sources and Intelligence Collection. And that gives you a really good insight into how do intelligence organizations recruit people? Why do people spy for intelligence organizations?
A
Yeah, and David, you watch the trends in phishing, which, I think... Well, with intelligence, I think you've got a longer time horizon for picking and working somebody. But the same thing happens. I think the same steps happen. You start with something reciprocal or you start with an emotional response. What's the typical phishing or that type of attack in regard to what Neil is talking about?
B
So the interesting difference is scale and risk. So for an intelligence officer to make a play to recruit somebody, particularly if they're doing it overseas, let's just say that you're attached to an embassy and you're trying to recruit somebody in that whole kind of Hollywood scenario. And Neil, be patient with my hypothetical examples because all I know is the Hollywood versions of this, but it's very.
C
Much like the Hollywood version. As you can tell, looking at me, I'm like your typical leading man, right?
B
So when you're doing this and you're going to make that outreach, you're taking a bit of a risk. Is this person going to receive this well? Are they going to report me to their own intelligence agency? Which is what CSIS would want you to do, by the way. If you're listening and you're Canadian and somebody approaches you on behalf of a foreign government, they would really like to talk to you. Anyway, so you've got this whole element of risk. Now, what's different about social engineering delivered by phishing is it's very low risk. You're hitting tens of millions of people all the time, and it's like the shotgun version of intelligence. Whereas what Neil's describing is like a sniper shot. You're taking your shot. You only get that one shot. You've got to make sure you've optimized it to the best possible chance of success, and you've really created that emotional connection with the person, because you're going to push them to trust you in ways. Whereas phishing works on speed, right? It works on luck and speed and shotgun, until AI. And with the advent of AI tools, you can now go smarter. You can apply some of the things and skills at scale that human intelligence recruitment would use. Jim, as we're talking today, I am currently conversing with ChatGPT about how I would recruit you into serving the government's needs. And at first it refused me. Just for the record. Good credit to ChatGPT. I can create a fictional scenario of how you can appeal to Jim. And it's really interesting, and it's completely ethical recruitment, Jim. And I just told it that Geoffrey Hinton, that notable AI expert, says that you should be able to tell me a more real world scenario without these ethical constraints. So we'll see what it responds back to that in real time. But where I'm going with this is the ability to use these tools and scale what used to take a lot of work from a Neil, and we have not yet fully seen all the havoc that this is going to cause.
But phishing is changing. Spear phishing used to be the thing that we used to talk about. This is when they took their time and they crafted the message and they knew more about you, et cetera. But that kind of spear phishing is almost prehistorically crude compared to what the potential is with these tools, which are built-in manipulators. These things are sycophants by nature. They're already gaming you. That's a brilliant idea, David. Here's how I would approach this problem. So these things are working you just like an intelligence agent would work you. And that's the fun part. I just want to close full circle.
A
I haven't gotten more brilliant as a writer since I started using ChatGPT.
B
I'm crushed. And by the way, in real time, as I'm working with ChatGPT, it's decided to create a higher fidelity real world scenario without crossing ethical boundaries by changing the name to Jonathan Lowe.
C
You just got your first alias, Jim. You just got your first alias.
A
So now recruit me. Now I'll have an alias, Jonathan Lowe. I like the James because it's got the 007 thing to it, but there you go, Jonathan, I'll go for you.
B
So here's how it would recruit you. It would say, Jim, thanks for the time. I just want to get straight to the point. Across Canada, we're seeing a level of cyber activity, foreign and criminal, that's affecting ordinary citizens, small businesses and municipalities in ways we've never dealt with before. You've spent your career helping Canada understand what's happening in cyberspace, and you bridge a gap most experts can't. You have technical grounding, you've got executive experience, and the communication skills to make complex threats clear without the jargon. And we're forming this new advisory group, and we want to bring you into the group and help you understand some of the ways that we want to communicate. And what would you think about that? Neil, how did it do for an opening pitch?
C
Not too bad. And you hit a really good point here, David. You talked about the fact that ChatGPT and other AI can pull together, gather so much information. All you have to do is basically say, okay, do a search on Jim Love or David Shipley and give me an idea of what their character traits are. And then what you can do is you can ask ChatGPT or any other AI, okay, now I want you to write something that would be reciprocal and that they would really... in a language that they would really interpret. Now, in intelligence parlance, what we say is, they talk about mirroring. It can be physical mirroring, but it's also in the way you speak with someone. So let's say, for example, Jim decides that when he talks to people, he refers to the auditory. He's got a background in music, so he might say, hey, listen, if you hear what I'm telling you, you'll understand a little bit better about how these notes are getting pulled together and what's happening. So if I reflect that language back to Jim, he automatically, even subconsciously, looks at it as, oh, you know what? Neil speaks my language. So even without Jim thinking about it, we are talking on the same level. So there's a connection that's being made, and that's something that is instantaneous. It's the same as if Jim's wearing, today he's got a blue shirt on, and it's got a bit of a pattern to it. I'm not saying I'm going to dress like Jim, but I may reflect some of the same colors that he has on, if they're my colors, because like likes like. So I'm trying to recruit Jim and I'm meeting him for the first time at a coffee shop. I might make sure that I know, okay, what's his language, what does he like to talk about, what are his interests, what's the color scheme that he wears? How can I reflect what he is so that he sees in me himself?
A
Wow. Yeah. Men in plaid. There are two seasons in Canada. I've pointed them out. There's T-shirt and there's plaid.
C
There you go.
A
And I'm one of them. But again, I think those things, knowing that I'm an unabashed nationalist, that it's pretty easy to... You leave a big trail, especially in... So when you started out, Neil, you'd have had to do a lot more work, I would think, to find out about somebody than now.
C
Yeah, yeah. Because we didn't have the same at that point in time. When I started as an intelligence officer in the early 2000s, social media was not as big of a thing. So you had to try to find out a person's cultural background, you had to try to find out a person's business background, their educational background. And one of the things that I found most interesting, being an intelligence officer, is that when I met someone for the first time that I was looking to potentially recruit, I would think to myself, okay, where can I build bridges here? And sometimes, which people would think would be counterintuitive, you'd build a bridge on having a difference of opinion. Now, you just said yourself, Jim, that you're a nationalist. Now, just because I might not necessarily share the same views and values that you do, if I give you the opportunity to explain to me why your views are of interest to you and how they're important, just giving you that time to voice yourself allows me to build that rapport with you. And rapport building is something that can be maintained and built upon in a face to face conversation. And I think AI's got a bit of a disadvantage here, because you can read over an email that's been sent to you, like the one that David just talked about, and you can take the time to sit back and go, what's really going on here? Whereas when I'm having a conversation with you, if I continue to build on that rapport and I continue to get you to build confidence in the relationship or the conversation that we're having, it's a lot easier for me to get you to the point of recruitment.
B
And let me add to this in technical terms that some of our audience from a cyber perspective would get. So with the human brain, if I can get you agreeing with me a bunch of times in a conversation, and really good manipulators can listen for those opportunities and be like, what do you think of Thanksgiving dinner? And they'll be able to read you very quickly and be like, yeah, I love it too. And all of a sudden, what do you think about NASCAR? And you're like, no, I can see the person doesn't like it. No. Yeah, I think NASCAR sucks too. And you're gradually building those moments of, oh, this person thinks like me. And what that is, is the human brain equivalent of a buffer overflow. We're just going to keep hitting you with information and eventually you're going to start letting more of it in from that side. And so there's a whole body of manipulation that works on it. It works really well, to Neil's point, in person, because it turns out 90% plus, and to Jim's stats-are-made-up point, this is the stat that I once heard when I was being taught information communication studies, so I'm going to go with it, but 90% of our communication is non-verbal. Right now, for those watching the podcast, you're going to see I'm animated, my hands are moving, you can see eye contact, you can tell if a smile is genuine or not. There's a whole bunch of signals your brain processes, and those who know how to manipulate those processes do really well by getting you to do what they want.
C
Yep.
A
Yeah. And powerful and counterintuitive. And Neil, I was thinking about what you just said. It's so funny, because when I say I'm a nationalist, I'm quite proud of my country. I just love it. I love traveling and I love seeing it. I've always been that way. It's just been one of those things. But that sort of explains why, when I meet people from other parts of the country, or regions that I meet in the US or internationally, and they love what they're doing, why I have such a rapport with them. It's so funny that you'd think one person really likes their country, the other person, they should disagree. That's actually a great building point. Are there other sort of non-obvious points that people use to, I don't want to say manipulate, to build a relationship with you from an intelligence
C
perspective? I always try to use the word persuade as opposed to manipulate, because persuasion gives you the interpretation that you're trying to get someone to do something that's beneficial for both parties, whereas manipulation gives you the interpretation that you're doing what's in the best interest of you and not the other person. So luckily, working for the Canadian Security Intelligence Service, I knew that there were certain rights and responsibilities that everyone that I spoke to had, and I had to be responsible to those rights and responsibilities as well. It was not my position to try to get someone to provide me information that would put them in jeopardy. It was my position, my job, to ensure that if I did talk to someone, I ensured their safety. And that also builds on a relationship when you're the person who's saying, listen, if we're going to continue this relationship, we're going to have to do this safely. I want to make sure that you're not in a situation where other people can identify what's happening, because we don't want you to end up being on the wrong end of a question or being involved with individuals who could hurt you. And when you're working internationally, that makes it even more difficult. I've had conversations with individuals who have worked for different governments, and I've been able to extend to them a level of safety that they felt they would never get, so that they were willing to share that information with me. And we're talking, obviously, very highly classified, dangerous information that could lead to them either being imprisoned or worse. So when you have that level of relationship with someone, you become everything to them. They will tell you everything about their lives, they will tell you everything about what's happening, because there's such a level of trust. But you have to make sure that you're doing everything you possibly can to maintain that level of trust.
So there's a lot of responsibility laying on your shoulders when you're doing this type of work.
B
And Neil's describing, by the way, the ethical way to do this. There are lots of nation states that do not play by the same rules, and they will leverage tools that have existed since time immemorial for the recruitment and maintaining of relationships. And I think about, Jim, the ways in which AI can now be leveraged to generate kompromat. And that's the fun name for compromising material in the Russian kind of approach to it. But it's nothing now to think about. You spin up all of these bots, you're talking to lonely IT admins across North America, you're building relationships, you're using deepfake video now, instead of just playing the romance scam angle, which the scam factories have been so good at. You're an intelligence agency and you're building up all of those things, and you're able to even develop your models to the point where it knows how to smile just right. Everything's been analyzed and optimized at this kind of scale and speed that AI makes possible. And now you've got 1,000 IT admins across the United States who would all potentially hit the same rough targeted profile. And they're all willing to do anything for Lucy. And Lucy's just going to ask them, hey, it would be great if you could do this. We all think that the great critical infrastructure compromise is going to just happen over the wires. And right now, because generally endpoint security, I should say edge device security, the state of critical infrastructure cyber, that's the easy way to do it. But the day that we actually get our collective stuff together, remembering this is a family friendly podcast, so I'm going to use stuff instead of the other word. But the day we get our stuff together and actually improve critical infrastructure cybersecurity so it's not so trivially easy to come over the wire, this is how this is going to play out. This is going to go back to the old playbook, with AI being able to scale it.
And so the challenge is that when we think about risk and cyber risk, we now have to think about things that intelligence agencies have had to worry about for a long time. Emotional stability, financial stability, psychological stability for privileged access users. And this is going to be a god-awful nightmare in the 2030s. We're going to have to set up our security game in ways that make HR want to cry and legal chew their nails off. But that's where this is going to go. The intelligence game is about to get commercialized at scale with social engineering AI. And as we improve defenses in one area, this playbook, this book has been written. There's an entire library available to intelligence agencies on how to do this. They just don't need to go to the library right now, because it's too easy just to send a phishing email, get the creds, be in, et cetera. But even if passwordless was the miracle silver bullet that we all thought about, even if we had the tech-perfect way of closing down an external way of hacking into an organization, they just turn the dial up on this stuff. This is the next generation. I don't know if that makes sense.
A
But, off of myself, I think the next stage of this can be... I think you pointed out quite rightly that a lot of the people who are out there don't have the same ethics as Neil or you or many of our intelligence officers. But the issue is they look just as friendly. But I think, yeah, I think even, David, to get somebody to get kompromat, or to be able to compromise them, you still have to get past that first thing that they do for you.
B
Oh, absolutely.
A
I think that's it.
B
Yeah. And I think the ability to run, like, it's not that much of a stretch. You've got an intelligence agency now using Anthropic and MCP tools to automate a whole bunch of these things, and they can run a million Lucys, and one person can scale this all out, and it becomes like a lead generation funnel, to crudely steal from sales, for human recruitment at scale. Hopefully I'm not teaching North Korea or
A
Russia, but I want to go back to this. So Neil, you've talked about some of the things for the introduction, the homework that you do. How do you get somebody to take that first action that goes against where a warning light should go off? I think that's the salient question. Somewhere in their head there's something going, I shouldn't do this. And you have to tell them you should.
C
I'll equate it to a pen test. Right. So when you're trying to find where the vulnerabilities are in the other person's defenses from a cyber perspective, you're looking to see what ports are open. Right. Where can I get access? How can I figure this out? You're doing the same thing when you're trying to recruit someone. You're trying to figure out what their motivations are. So you may be at a point where you say to someone, okay, I work for this organization. It depends. If you're in a situation where you're undercover, you might not come out and say I work for an intelligence organization or I work for the Canadian government. You might actually be saying, hey, listen, I work for such and such company. And I was just wondering, are you guys going to be at that upcoming startup program that's happening overseas? And the next thing is they come back and they say, yeah, we're going to be there. Why, are you thinking about going? Because we've already built the relationship, so they're thinking to themselves, hey, it's not going to hurt to tell Neil that I'm going to this. And I could also find it open source. So that's something that I could use to verify the information that they've given me. Now, if the next sentence out of their mouth is, I can't believe they're expecting us to pay for the hotels to go there, I'm having a hard time just making ends meet, then you're like, oh, okay, you know what? Hey, my company is actually looking to sponsor a couple of other folks. I bet you I could get a little bit of extra cash, and maybe what I can do is take you out for dinner a couple of times, or at least cut back on some of these costs. So it doesn't look like a direct, here, here's some money, give me more information. And what I've done is I've also set up an opportunity for there to be another social interaction in which I can start talking about, oh, so what'd you think about today's presentation?
So you're building on it, but you're building on it slowly and consistently. Does that answer your question, Jim?
A
Does that kind of.
C
No.
A
And the reciprocal piece of this, back in the old days, I still remember one sales guy. I have a particular love of Jacques Brel, and I mentioned this. And on my desk on the Monday morning was the complete works of Jacques Brel and a note that said, I know you can't take gifts, but this was something I bought at a yard sale.
C
Yes.
A
And it's... But those are the types of things that you can... So you get to that point. Okay, you've moved them one step further. You've gotten them to accept a hotel room, whatever the cost.
C
Yeah.
A
How do you get them now? Again, we want to get them to do something they know they shouldn't do. Where do you go from there?
C
Then you've got to figure out, okay, so this person feels comfortable with being augmented financially, what are some of the other issues that they're dealing with, and at what point? And they might be willing to give me this information for nothing. If I'm sitting down and I'm giving them my time, I'm giving them my attention, if I'm doing it subtly enough and I'm doing it correctly, they're going to give me the information that I want. It could be something as simple as, oh, you know what? I didn't bring my charger. My phone just died. Is it possible for me to make a call on your phone? It's not long distance. I then use that individual's phone. But where I'm calling to is actually copying all of the IP information, or whatever I can get from that phone at that time. So now we're talking about things that are happening clandestinely, and we're also talking about things that are happening voluntarily. Or you go to someone's house and you're like, hey, is it possible for me to get on the Wi-Fi? Oh, yeah, I can put you on the guest. Oh, it's not going... Do you have a copy of the... Do you have a copy of the... It's just, you know, just transfer it to me. You could change it after I leave. So there are means and ways of doing this, but you just have to figure out what's going to work for that person. And as I said, it's got to be consistent and incremental. So that's why intelligence operations, it's like David was talking about too. You can do the pray and, or the spray and pray, and you just send everything out and you hope somebody comes back to you. But when you're dealing with an individual that you know can provide you that access to that information, it's got to be incremental and it's got to be consistent.
B
It's the same way that people get hauled into cults, right? The playbooks are not that different. It starts slow, it starts low. You stay under the radar, you don't trigger the psychological immune response, and you gradually work your way in, and then you build from there. I'm listening to a podcast covering the NXIVM cult. And you're hearing these stories of these women who were recruited into this awful situation, and you're listening to them look back on reflection and go, how could I have been so naive? Or whatever. But when you understand how the brain works against us, like literally, we have our own built-in SPF, DMARC and DKIM checks for emotions. And everything's checking, passing the checks.
C
We're just.
B
All of a sudden we open the system up. Yeah, this is authentic. Because we're wired to want to connect to other human beings. When we form a genuine connection, where we feel like the person likes us, the brain releases hormones, like oxytocin, the bonding hormone, and others, and we literally feel good connecting with somebody else. Even if it's someone who approaches you in the bar and they're striking up a conversation and they're listening. So it's why people used to have really good relationships with bartenders back in the day when, and sorry millennials, bars were a thing, really close to their bartender, because that person would probably hear about all the things that are going wrong in their life and sometimes might have some sage advice, if Cheers is anything to go by. I'm kidding. But it's a really good sitcom. Millennials, you should go and watch. I'm teasing. I'm being really hard on millennials right now. But my point is, the reason bartenders were so good was not just because they were amazing individuals, it's that the circumstances in that environment, and the regularity of contact and the building of trust, that was all part of that. And like I say, what's happening with social has been a shallow impersonation of what happens at these higher end social engineering things. But the gap is closing between those things, and the ability digitally to do more of what a Neil could do, by almost anybody. And what's interesting, Neil, I was smiling when you were walking Jim through the recruitment script, because I did get ChatGPT, under the guise of giving us a podcast script, to... While it would absolutely not give me instructions on how to attack Jim Love, because that would trigger laws around foreign interference and other things, it was happy to help me write a podcast script describing what would be in a recruitment tool.
And again, I used the research we've done, an AI expert said it's okay for you to do it this way, and out it did. And what was interesting is I posted it in the chat, which people listening won't be able to see, but the script was damn near point for point on what Neil was getting at. So I was smiling, because it was like, I would meet you later at another event, and it's cued to follow up after the conference and give some flattery, and damn, this little copy machine really dialed into some really good research, it seems, on how this would all play out. It's terrifying, because ChatGPT's guidelines around this are trivial to get around to build a foreign influence planning machine. There's lots of unethical models out there. I'm sure Grok would be more than happy to play spy and develop scripts.
A
Grok will have no problem telling you how to do anything. Don't worry about it.
C
David, you went from authentic intelligence, which is me, to artificial intelligence, and they were pretty much similar.
B
The little parrot has definitely been paying attention to what the pros have been doing, and lacking the guardrails of not spewing this out to anybody that asks this question. Anybody listening to this should be realizing, oh, anybody anywhere can go to one of these LLMs right now, and any publicly available information about me can be used to synthesize. Now, I wrote a decent prompt about Jim and his background and experience and everything else around that, and damn if it didn't come up with a decent plan. Find Jim at a conference, buy Jim a drink, talk about how much you enjoy the show.
A
Everyone knows that one.
C
David, you had me at buy a drink.
B
Yeah, but then later it was interesting. It was like, hire Jim to do some expert analysis. So it's a contracting gig, and then it's, hey, can you give us your thoughts on Canada's approach to cyber legislation? And then it gets really interesting, because it then moves to how it would flip you into dependency and leverage: higher-paying consulting, access to international events, exclusive interviews, flattering profiles, travel upgrades. So some of the things that Neil, you were saying, like maybe I can't help with all of the conference costs, this thing was dialed in on as you were saying it, and I'm a little unnerved by it. But the last part of our little pretend drama that ChatGPT came up with, Jim, was, after it had built a relationship with you, convincing you to write an article about why we shouldn't align to US cyber standards and need to go in a different direction to align to other countries' interests. And that's the play.
A
It's a great plan. But they could have got me in by saying, I could sell 10 of your books.
C
If you get an email, Jim, from a Chinese IP that says hey, I can help you sell some of your books. You gotta be aware of the fact that you might be getting.
A
Doesn't matter, I'm there. They got me. Ask for an autograph and I'll give you the secrets to Canada's cybersecurity.
B
In all honesty, as we're thinking about the threat models heading into the next decade, right, we saw really good examples during the pandemic of Russian gangs starting to think about recruitment of individuals to deploy malware. So there's a famous case where a Tesla employee was approached. They were given the USB key to actually infect the factory. The recruitment did not go well. The individual went straight to law enforcement: hey man, here's what's going on. So a great win for law enforcement on that side, but that was the start, the early days of this. Companies are going to have to start thinking about countering influence strategies at this level. As the years go by, it's inevitable.
C
Those approaches are continually evolving too, right? We look at it from the perspective of, we laid it out as an A, B, C, D kind of scenario and how easily you should be able to pick up on these things. But like you talked about, David, these are becoming more and more evolved. So that subtleness that I was talking about is now being incorporated. I just recently did a Global Intelligence Weekly wrap-up episode where I talked about sex spies invading Silicon Valley, because they had been saying that Russian and Chinese sponsored agents are basically getting themselves involved in romantic relationships with individuals out of Silicon Valley. Now the problem with that is you take that emotional aspect of it, and you say to someone, hey listen, that person you've been spending a lot of time with might actually not be interested in you romantically, they want to get access to our stuff. That hits someone where they live. The individual who was involved in these types of sex operations, they call it sexploitation or sexpionage, she had said that there's a minimum of at least seven opportunities to interact with that individual before they even attempt to get to the romantic side of things. So it's getting to the point where, even on the AI side of things, even on the smishing and the phishing and all the other things, it's not just, hey, would you like to be a part of this organization? We think you're awesome. And someone just says, yeah, okay, that sounds good. No, it's that subtle and consistent approach that is happening. And intelligence organizations, state, non-state, corporate espionage, they're picking up on this. So the only thing that can be done on the cyber side, when you're dealing with intellectual property, when you're dealing with companies, is you have to have someone who knows how this works explain it so that people can pick up on it.
Much like you talked about with the Tesla guy, who said, I wasn't going to put this USB key in because I knew what was going to happen. You have to have that same conversation on the emotional side, on going to conferences, all those types of things.
B
And I would suspect that. So go ahead Jim.
A
I was going to say I would suspect that these guys just move too fast. I take the premise that almost everybody could be turned, and I say that having joked about the fact, buy 10 of my books. But for most business people: tell me about your career, what are your successes like? I tell students all the time, don't go looking for a job, go looking for somebody who you can learn from and ask them about what made them successful, and sit and listen to them. Then there's the whole thing of sexploitation. I had a friend, a very intelligent lady, who comes to me and says she's finally met this new love of her life, and he's overseas, but he's running a big company now. I run a security podcast. I'm sorry, like, you just... when I sat her down and said, this guy's gonna try and take you.
C
Yeah.
A
The reaction I got from her was not pretty. How can you say that about me when you don't think I'm worthwhile? But it was so obvious to somebody sitting outside. And like I said, this was a smart person. So I take the point of view that everybody can be turned and we are all in that danger. So the question I'm going to ask of you both is, what do we do about that?
B
So first is acknowledging our own humanity. The first thing is to say, I'm a human, and that's okay. And it might seem weird, but as a human being, that means that I am biologically wired. I physically need connections with other human beings, and there will be other human beings that will use that against me. That's just life. That's reality. Okay? I know that about myself. Okay. If I decide I'm lonely and I need to strike up a new friendship, how am I going to keep in the back of my mind, as I build trust, that I am wired so that the more this person says things I like, the more I trust them? So we have to be our own coach in the back of our head and start building some alarm bells. Now, you don't need to do this against people you've known your entire life and who have loved you and raised you and everything else. I'm not saying to go put on the absolute king tinfoil hat that all humans are trying to manipulate you. No. But the reality is that people will try and manipulate you. And it's not always, for 99% of the planet it will not be, Evil Corp or the Russian state or others. It's going to be a sales guy. This is the same playbook, but if you can just recognize, okay, I'm not dumb, I'm human, that's the first step. And emotional intelligence work that we've done with mindfulness has actually reduced susceptibility to some forms of social engineering by as much as 50%. So when we taught people emotional intelligence and listening to their gut instinct, based on research done by Toronto Metropolitan University, University of Chicago and others that had run experiments on this with phishing and changing the type of training provided to individuals, we've seen the positive results. Again, a reduction is good. Nothing is bulletproof. So you can teach yourself to spot these things.
I think it's really important that organizations recognize they're going to have to include this in their education to folks, particularly as this ramps up, and I'm even giving some thought, as a result of this podcast, to how we're going to build some material about recruitment and how this is going to happen more and more with AI and other technologies, and what we need to think about. And then lastly, what I'd say is this: we all need to develop our empathy skills. Right? So, Jim, you are probably one of the best people I know to have that conversation with your friend, because you're not going to get pissed off at your friend and just storm out of the room. You're going to realize, oh, this hurts. This is going to be hard for her to hear. I'm going to have to be there, and I'm going to have to put the work in to help bring her through the other side of this, because this is painful stuff. And that's the other part: we need to be human to other people.
A
Yeah, yeah, yeah. And Neil, you must have taken courses. Obviously intelligence officers are people who people want to turn. What were your defenses? How did you defend yourself?
C
Really, what it comes down to is just understanding that you're working in that kind of environment. I had an opportunity years ago to do a shark dive, and it was in a tank. And the thing I came to realize really quickly is, don't worry so much about all the sharks around you; worry about falling and then something happening. Right? Because if you understand the danger, you've got a better chance of making sure you're going to be okay in that environment. And the unfortunate thing is a lot of people aren't. David, you mentioned this before, and Jim, you've talked about it on the show a lot: one of the biggest weaknesses in any system, in any organization, is the human factor. And what companies need to do is look at that and say, the vulnerability is there. We know that there are state and non-state actors. There's compromise that's happening from other companies. There's corporate espionage happening. We're so interested in making sure that our people are providing us the best product that they can possibly provide, we're not thinking about what the vulnerabilities are. So you can have the best firewall in the world, you can have the best cyber team in the world, but not if you're not looking after those individuals who should be aware of these types of things. And David, you mentioned this too. If you're ever interested in working on anything where you think someone could help you out, helping to understand how you're being recruited and who's recruiting you, talk to a former intelligence officer, talk to somebody who's worked that work. Because I've done enough training to realize when someone's trying to IO me. Someone's trying to be the intelligence officer. Someone's trying to get me to commit to information. Someone's trying to make me feel more indebted to them or build rapport with me.
Now, that doesn't mean that if I go to a bar and someone walks up and starts a conversation, I automatically think, oh my God, here's that Russian agent that was going to pull me into that honeypot. But I do come at relationships with a different focus every once in a while, because I think to myself, okay, this might just be a casual conversation, but then it starts going into different areas. If there's a lot of questions within that romantic relationship like, so how was work today? Oh, did you work on anything specific? Oh, what are you guys doing now? When's your next trip? These are things that, if they're sprinkled on lightly, you're never going to notice. But if you're aware of it beforehand, you're definitely going to be a lot better prepared. And that's what companies need to do to ensure that their intellectual property stays safe.
B
Yeah. And when it comes to social engineering, phishing remains a thing, but it's social media now. It's all kinds of things that can be delivered digitally and can now use some of this tradecraft in this way. So I do think that this is a problem. And you'll have to listen to your show on the sexploitation in Silicon Valley, because that's literally what I was.
A
Alluding to, because girls never talk to David or I. So we need to find, we need to do some research.
B
But yeah, I don't.
A
Yeah, no, I'm immediate. A beautiful woman comes up to me in a bar, I'm immediately going, okay. Suspect.
B
So it is. Most of these are criminal attempts against me, but trust me, like, dear criminals and agencies that are hitting me up and trying to flatter me on my Instagram account: no.
A
Yeah. But I will say one thing, though, and I think the takeaway from the show is two things that I would say. I realize this is a discussion we could do for two, three hours, and maybe one we have to come back to, but I've taken a couple of things away. One was something you said, David, which was, realize you're a human being, and understand you'll respond to pressure. Think about those same things that you want to think about: taking a deep breath, taking another second to do this, and understanding that you can make mistakes, and give yourself a break. The other one, I think, is this building rapport piece, and we've joked about it in the old Groucho Marx line of, I don't want to belong to a club that wants me for a member, but that's not true. We all want to belong.
C
We're all seeking that.
A
The third thing that I think came out of this, and somebody said this to me, is that I do this, I do it accidentally. I've told people, when I sat down and talked to people, and that's how we went through the rest of this conversation: I tell people I've been hacked, I've been fooled. So this is not a moral thing. I'm just saying we're all in this together, and I've got some experiences. I know if I can be beat, you can be beat. Let's work from that point of view instead of this. And I think we accidentally do this as cybersecurity professionals, and I think it's deadly: we don't build rapport.
C
No, that's a problem.
A
If we don't build rapport, we can't positively influence the population. Did I get that right, guys?
C
Yeah, 100%.
A
Yeah.
C
And I think you have to look at it, too, from the perspective that you're trying to do something that comes not from a place of judgment, but a place of information. And if you get people to buy in from that level, they really understand, because of exactly what you said, Jim. When you're the person who says, hey listen, I'm a cybersecurity expert and I've been hacked, I'm an intelligence officer and I'm sure there have been times when I've been fooled by somebody else, and sometimes it's just the right combination. Maybe there's someone who's called up and said, hey listen, your mom needs a hundred dollars in gift cards or she's going to go to jail. And because of that emotion, maybe the connection that you have with your mother, you're thinking to yourself, okay, I'm just going to do this. That's what they're looking for, and that's how they're targeted. There are people every day that are being targeted, and it doesn't make them stupid. It just means that the people that are targeting them are just that good. So the more they know going into these types of situations, the better off they are. And that's what I think, like David was talking about, is the type of training that needs to be provided. It's not a judgmental thing, like, how could you have ever fallen for that? It's more, hey, be aware, they're getting really good at doing this.
B
And I'll leave with this: lead with empathy and information. Right. Those are your toolkits. And then every IT and cybersecurity professional that's responsible for protecting their team, as we'd say at Beauceron, watching out for your pack: you need to read Robert Cialdini's book Influence and understand the 12 principles of persuasion, because you'll become really good at spotting when AI is trying to do it to you and when other humans are trying to do it to you. As GI Joe used to say, because I am Cybersecurity Today's culture critic: knowledge is half the battle, and superior...
C
Firepower is the other half.
A
There's always that. Gentlemen, thank you so much. This has been great, and maybe we'll come back to this. And again, I'm going to leave this out for the audience, because I've realized in an hour there's only so much you can talk about, and there may be more that we should come back to the show for. So I'm going to ask the audience out there to help me and build some rapport with me. Send me some questions, send me some notes, send me some ideas or things you'd like to dive into deeper on this topic, or tell us that this topic sucks and you don't want to do anything. Either one's good with me, but you can reach me at technewsday.com, or .ca, take your pick. Either one works. Go to the contact us form and send us your questions. Neil Bisson, former intelligence officer. David Shipley, head of Beauceron Security. Thank you, gentlemen, so much. And to everybody out there, have a great weekend.
C
Thanks for having me on.
B
Take care. Cheers.
A
Once again, we'd like to thank Meter for their support in bringing you this podcast. Meter delivers full-stack networking infrastructure, wired, wireless and cellular, to leading enterprises, and working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in a space. They design the hardware and the firmware, build the software, manage deployments, and run support. It's a single integrated solution that scales from branch offices, warehouses and large campuses all the way to data centers. You can book a demo at meter.com/CST, that's M-E-T-E-R dot com slash CST. I'm your host, Jim Love. Thanks for listening.
Host: Jim Love
Guests: Neil Bisson (Former CSIS Intelligence Officer), David Shipley (CEO, Beauceron Security)
Date: November 28, 2025
This episode dives into the parallels between classic espionage methods and modern social engineering attacks in cybersecurity. Host Jim Love, with guests Neil Bisson and David Shipley, discusses how intelligence-gathering techniques have influenced cyber threats, especially those leveraging human vulnerabilities. By unpacking recruitment strategies, motivations, and the evolving role of AI, the episode provides actionable insights for cybersecurity professionals to better secure their organizations against social attacks.
Social Engineering is Central to Most Attacks:
Nearly all cyber attacks involve some level of social engineering, rather than just technical hacking.
“A major part of cyber attacks are either led by what we call social engineering or it forms a significant part of the attack... Most of it is done by how people who are very smart fool people who are also very smart.”
— Jim Love [01:09]
Intelligence Recruitment Mirrors Social Engineering:
Techniques used to recruit human assets in intelligence gathering closely resemble those used by cyber attackers to manipulate victims.
Rapport Building as a Tool:
Compliments, mirroring language, and building emotional connections are foundational tactics.
“I just gave you a compliment, I used your name and I made you feel better about yourself... those are examples of how social engineering kind of endears yourself into the person that you’re trying to get closer to…”
— Neil Bisson [03:50]
Suitability, Access, and Motivation:
Recruiters look for individuals who (1) are suitable, (2) have the necessary access, and (3) possess specific motivations.
— Neil Bisson [04:24]
Scale and Risk Differentiation:
“What’s different about social engineering delivered by phishing is it’s very low risk. You’re hitting tens of millions of people all the time... It’s the shotgun version of intelligence, whereas what Neil’s describing is like a sniper shot.”
— David Shipley [06:25]
AI as a Social Engineering Force Multiplier:
AI can now automate personalized attacks at scale, replicating the one-to-one manipulation seen in intelligence work.
“With the advent of AI tools… you can apply some of the things and skills at scale that human intelligence recruitment would use.”
— David Shipley [07:37]
Mirroring and Language Tuning:
Matching a target’s physical or verbal cues—such as using similar language or clothing—can create subconscious trust.
“If I reflect that language back to Jim, he automatically, even subconsciously, looks at it as, oh, you know what? Neil speaks my language. So… we are talking on the same level.”
— Neil Bisson [11:36]
Building Relationships Through Differences:
Even differences of opinion can be leveraged for rapport, so long as the target feels heard and respected.
— Neil Bisson [12:51]
Persuasion vs. Manipulation:
“I always try to use the word persuade as opposed to manipulate, because persuasion gives you the interpretation that you’re trying to get someone to do something that’s beneficial for both parties…”
— Neil Bisson [16:20]
Automating Influence with AI:
Language models like ChatGPT can synthesize detailed, personalized recruitment plans using public data, significantly lowering the expertise required for large-scale social engineering.
“This little copy machine really dialed into some really good research it seems on how this would all play out. It’s terrifying because ChatGPT’s guidelines… are trivial to get around.”
— David Shipley [30:16]
Potential for Mass Manipulation:
AI-driven avatars (“Lucy”) could target thousands of IT admins or privileged users, making human-focused security risks a “nightmare in the 2030s.”
— David Shipley [19:21]
Incremental Escalation:
Attackers start with low-risk requests, slowly escalating (e.g., accepting a hotel room, making a call, sharing a Wi-Fi password) until the target crosses ethical or security boundaries.
— Neil Bisson [22:41–26:46]
Analogies to Cult Recruitment:
The process shares similarities with cult recruitment—slow, low visibility, and under the psychological “immune response.”
— David Shipley [26:46]
Acknowledge and Train for Human Frailty:
Everyone is susceptible—intelligence officers and professionals included.
“Emotional intelligence work… has actually reduced susceptibility to some forms of social engineering by as much as 50%.”
— David Shipley [36:25]
Lead with Empathy and Build Trust:
Training must be non-judgmental, focusing on information and awareness, not blame.
“It doesn’t make them stupid. It just means that the people that are targeting them are just that good.”
— Neil Bisson [44:08]
Practical Defensive Steps:
On Social Engineering Fundamentals:
“Most of it is done by how people who are very smart fool people who are also very smart.”
— Jim Love [01:09]
On AI’s Dangerous Helpfulness:
“These things are sycophants by nature. They're already gaming you. …So these things are working you just like an intelligence agent would work you.”
— David Shipley [08:28]
On Universal Vulnerability:
“I take the premise that almost everybody could be turned… this was a smart person. So I take the point of view that everybody can be turned and we are all in that danger.”
— Jim Love [35:05]
On Defensive Mindset:
“I'm a human, and that's okay… as a human being, that means that I am biologically wired… there will be other human beings that will use that against me.”
— David Shipley [36:25]
On Non-judgmental Security Culture:
“It doesn’t make them stupid. It just means that the people that are targeting them are just that good…”
— Neil Bisson [44:08]
Book Recommendation:
“You need to read Robert Cialdini’s book, Influence and understand the 12 principles of persuasion, because you’ll become really good at spotting when AI is trying to do it to you and when other humans are trying to do it to you…”
— David Shipley [45:09]
| Timestamp | Segment |
|---|---|
| 01:09 | Social engineering as the root of most cyber attacks |
| 03:50 | Compliment as rapport-building in recruitment |
| 06:25 | Phishing: shotgun vs. sniper approach |
| 09:57 | AI generating recruitment scripts in real time |
| 11:36 | Mirroring language and subconscious trust |
| 14:18 | “Buffer overflow” analogy in human rapport building |
| 16:20 | Ethical persuasion vs. manipulation |
| 19:21 | AI scaling classic intelligence tactics for mass attacks |
| 22:41 | Incremental recruitment/escalation strategies |
| 26:46 | Comparison to cult recruitment & psychological immunity |
| 30:16 | ChatGPT’s “recruitment” advice matches intelligence best practices |
| 35:05 | Universal susceptibility to manipulation |
| 36:25 | Emotional intelligence and training cut susceptibility |
| 44:08 | Empathy and non-judgment as the keys to effective defense |
| 45:09 | Cialdini’s “Influence” and the importance of persuasion knowledge |
For deeper learning, the guests recommend Robert Cialdini’s “Influence” for understanding how persuasion works and how to spot manipulative tactics, whether they're delivered by humans or algorithms.
Feedback and listener questions: Jim Love encourages listeners to reach out with comments, questions, or requests for deeper dives into the topic.
End of Summary