
Jim Love
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale. You can find them at meter.com CST. Welcome to Cybersecurity Today on the weekend. We have a great guest for you today and a rare treat in that my friend David Shipley is actually coming in for interview as well. Our guest, though, that you don't know is Neil Bisson. Neil, welcome.
David Shipley
Thanks.
Neil Bisson
Thanks for having me on, guys. Really excited to be here.
Jim Love
Can you tell us a little bit about yourself, Neil? Just for the audience who doesn't know you, just a little bit of background and then I'll reveal why that's so important for this discussion.
Neil Bisson
Great. Yeah. So I am a retired intelligence officer with the Canadian Security Intelligence Service. I retired in 2020 and after I retired I realized that there's still a lot of work to be done when it comes to understanding national security, intelligence collection here in Canada and importance of that. So I took it upon myself to start the Global Intelligence Knowledge Network, which is basically a digitally based company that gives me an opportunity to speak to the media about issues relating to everything from cyber security, cyber espionage, to intelligence collection, terrorism, all that interesting stuff that we see on the news from time to time. So I've been doing that since then and 2023, I decided to, I wanted to see a little bit more about how the cyber side of things is interacting with the national security intelligence. And I took an IBM course for cybersecurity analyst and that got me a little bit more into understanding what some of the vulnerabilities that we're seeing on the digital plane as well as on just our own national security issues.
Jim Love
For those who are wondering what this has to do with cybersecurity, I think you've started to make that bridge and that there's a lot of work that we talk about nation states and how they're involved. And that's one of the things I want to talk to you about today, this discussion is to give us some sort of perspective on this. We, and the problem is we get the news alert, it comes at us piece by piece and it's really difficult to get a full picture of what's happening. I think people, this news comes out of a fire hose need a little perspective. So I just want to back up, talk a little bit about that. Can you talk about your perspective as an intelligence officer and how you see the world? Can you share that picture with us? As to when you think about the world in terms of nation states, what are you thinking about?
Neil Bisson
Yeah, so I started my career with the federal government in the late 80s, early 90s, and at that time it was telecommunications and the Internet, it was just burgeoning back then. Now everyone's life is basically somehow connected to either social media or the way that we interact with one another, the way that we communicate with one another, the way that we basically talk about our own interests. It's all out there, it's all on the Internet now. And that has changed fundamentally the way intelligence organizations look at collecting information and targeting individuals that they want to collect further information from. So one of the big concerns that I think everyone should be aware of is the fact that the more that you're putting out there, if foreign intelligence, state actor or even a non state actor who's being utilized by a foreign state is looking to garner that information, whether you're working for a tech company, whether you're working for the military, whether you're working for a government department, all of that stuff helps them comprise a plan for how they would approach you, whether it's digitally or whether it's face to face. Back in the day, when we're talking a little bit more old school espionage, we would try to find as much information about an individual, compile that, and then come up with a plausible reason for us to make a meet or some sort of contact with them. Nowadays it's so much easier to do that because as I said, we all live digitally. It's a lot easier for us to reach out to someone, whether it be with a business interest, whether it be through. If they're on a dating app. It's just so much easier to do that than it is logistically to try to figure out, okay, how am I going to make a connection with this person?
Jim Love
Yeah.
David Shipley
And what's interesting is this idea of big data being available. Both what we traditionally would call open source intelligence, but also if you look at what China's biggest raids on North American information, whether it's the Anthem healthcare breach, you got health information on US government employees and other things. The Marriott attacks, where they knew where people were staying, where they were going, and all the other breaches, all this is being funneled into a data set. One can imagine analysis because you in, in the exposure I've had to the world that you live in, Neil, like you, you're looking for those motivational levers. When you have that first conversation with somebody, is this someone that's ego driven? Are they money motivated? Was a little bit of cash going to help give them decide to give up their administrative credentials to a tech company so you can get that intellectual property out. Are there other motivators which are as old as time itself in terms of relationships and Russia's been particularly good about using those to great effect over multiple decades. So you take this information, you know a lot about Jim, Neil and David, what buttons might work, why you would want to talk to them and pitches you can make. One could imagine now we've got a spy GPT or two running around in various intelligence agencies giving suggestions of how can I flip Neil? If I were you trying to flip Neil, I would talk about the Blue Jays and maybe he's interested in some tickets for. I know we're after the season, but.
Jim Love
We're all so cheap we'd sell out our country for Blue Jays tickets.
David Shipley
Listen, you would be shocked to what people will sell out. People will give up their passwords for a chocolate bar.
Neil Bisson
That's true.
David Shipley
So yeah, not asking Neil to spill any tea, although we'd love to have any tea. But that's just kind of my take on it is this big data problem, whether it's openly and freely available or just taken like wholesale B and E thieves, they're using it to great effect.
Jim Love
I need to take a step back. You guys are two steps ahead of me. I used to read Mad magazine. I saw Spy vs. Spy comics. I know that nations spy on each other, but when did this become a business thing?
David Shipley
Oh, it was always business. You go back to the great power battles and trying to achieve technological advantage. You can bet that Moscow was doing their best to steal every bit of Silicon Valley insight during the microchip races and things that were happening on that technology side, whether it was defense or civilian application, other things. And you look at China, when you have a five year economic plan, you can literally create a shopping list of all the things you need to have and what priority you need according to your central planning. It was always about money over ideology because it takes money to run ideology. At least that's my take.
Neil Bisson
If you look at it traditionally, technological advancements really were based on military power at one time, right? Everything used to trickle down from the military into private industry. And then at one point in our history, that shift. Whereas now private industry had gotten to the point. I think the Internet was a big catalyst for that. Right. Even at that time it was. The idea was, okay, we need a system that we can easily share Ideas and information with. And even that was almost like from a military perspective, but then it blossomed. And you've got companies like Microsoft and Apple and Google and all of these other companies that are amalgamating huge amounts of information and being used by government departments, by military. And then that is just based basically expanding out and out and the ripple effect that you're seeing. So it gets to the point where state and non state actors realize that, hey, listen, if we want to make some sort of a profit of information or profit of money, we need to start getting into this first. How are we, how do we have a military advantage over the rest of the world and how can we ensure that our influence continues? And all of those things can be based upon, is it. What's the next technological advancement going to be? Are people going to be buying more EVs? Okay, we'll make EVs cheaper, but if we steal the information from another company on how to build those EVs makes it a lot easier for us to do that. And that's just a simple example. But all of the companies out there right now that are privatized, even if you look at it from the perspective of space exploration, you know, you've got SpaceX, you've got, I can't remember on top of my head, but Bezos is working on.
Jim Love
It's Kuiper, but it's got a different name now they're calling it Leo, I think, I'm not sure.
Neil Bisson
Okay, if you look at it from the perspective of at one time it was military and state secrets they wanted to get. Now our adversaries are realizing that really if we want to have an effect on someone else's economy, if we want to influence what's happening, yeah, politically we want to do certain things and we want to be involved in the diaspora communities. But when it comes to the technological advantage, that's what really helps us out. And China is a good example of that. They've always looked at it from the perspective of we can build it better if we just steal the technology and reverse engineer it, than we have to worry about trying to make a relationship with another government or another company. And we've seen that.
David Shipley
Was there a time Canada like you've got the classic Nortel example, right? Nortel was raided for its best, most innovative technologies and those miraculously showed up in a number of Chinese companies. Literally the documentation was copy and pasted.
Neil Bisson
And the impact just recently, Hydro Quebec, same situation, right. You've got an individual working for Hydro Quebec who is on trial at this moment for secrets that he's provided to the Chinese government. Because Canadians are used to doing okay, we're going to fix this problem. We're going to figure this out. And because we have such a huge country and we have to make sure that infrastructure works throughout such a large landmass, we have made technological innovations and exactly what you're saying, like going back to Nortel, we were making some incredible advancements at that time too. You go back to the Avro Arrow, we were making advancements in aerospace. But another country will come along and say, instead of trying to talk to Canada or the Canadian government or this company, let's just take IP and use it ourselves.
David Shipley
And it's not just raiding the private sector like Canada's National Research Council. I know this is. It feels like now I'm talking about decades ago, but it was 10 years ago. The NRC, which is responsible for funding billions of dollars worth of research across the country, public and private sector research partnerships, had the cookie jar completely cleaned out by the Chinese. And afterwards they signed a we won't hack you agreement. Of course. It's like when I was a kid, I didn't go check the cookie jar after I raided it because mom hadn't made any more cookies. I promise mom, I'm not going to raid the cookie jar today. Yeah, because there's no cookies. They're back. And what's been interesting is there was a report from either CSE or CSIS. So CSE being Canada's version of the NSA and CSIS being our combination of CIA, FBI mandate, just for American listeners that talked about that the increase in nation state activity targeting Canada's private sector businesses via cloud attacks to go and get. Because the NRC cookie jar was getting filled back up, maybe had been locked down a little bit tighter this time. And so they just moved to the next area. And this has just been about secrets and intellectual property. That's not even half of what we're seeing out there now.
Jim Love
Neil. What? From your perspective, because you were an intelligence agent, at what point did you start to think, oh, wait a minute, I'm thinking way more corporately now than I was maybe government or did that actually happen?
Neil Bisson
For me, the shift was like when I was working as an intelligence officer, Canadian Security Intelligence Service focuses on national security threats to Canada. So that breaks down into basically four components. You're looking at terrorism, espionage, foreign interference and sabotage. So we were looking at nation states or actors, whether they be groups or individuals, like terrorist groups and individuals that are affiliated to these terrorist organizations, what are their threats to Canada and what are they doing to try to cause problems for Canada? Threatening our livelihood, threatening our lives. Now, what we were looking at from that perspective at that time was, okay, what about the corporations? How are they being infiltrated? Because there's always that understanding that private industry has to be responsible for themselves. And are they being targeted? If you don't look at it, you don't see it. So when you're focused on, like I said, those four categories, you're not looking at it from a private industry perspective. Take a look at the microbiology lab in Winnipeg and the information that was stolen from there. Like, what we have to get to the point that Canadians in the Canadian government understands is that what's happening in the corporate and private industry world, what's happening with research and development is just as important as a terrorist entity trying to perpetrate an attack in Canada. Why is it just as important? Because if you're dealing with a foreign state that is willing to use a biological weapon, then if the information is being stolen from Canada and used against another country or used to make the next superbug, what are we going to do about that? And the private industries are really the linchpin. They're that almost like that more vulnerable soft target.
David Shipley
Now, the areas where, you know, when I think about the future, right now we are leaders still in artificial intelligence. We've got some great AI companies, we've got leaders in quantum, the development of quantum computing, plus leaders in trying to develop post-quantum secure cryptographic communications. And great examples of that happening with the Canadian telecommunications companies like Telus and others. So we've got lots of cookies that are worth stealing.
Jim Love
Well, and our show covers both the US and Canada. There's a huge amount that's there, but I want to just back, I just want to extract it just a little more. Because when we started introducing you, you said, oh, and I took a cybersecurity course and I'm not being critical, but it made my heart go because I went, wasn't that something you always had to take? If our security operation is not studying cybersecurity, it's like sending the police out and saying that thing in your holster when you retire, you can study that for me, man. That's because I'm a cyber, I'm an industrial guy.
Neil Bisson
Yeah, I hear you from that perspective. I can see why you're saying that. But if you look at kind of the mandate of each one of our organizations, David, you had mentioned the Communication Security Establishment of Canada, or CSE. They are more focused on what's happening in relationships to communications and intercepting those communications and trying to understand what that means through those interceptions. Because it's not just the interception of the communication, it's also the technology that's being used to infiltrate Canadian telecommunications and where our adversaries and our enemies are trying to get that information from. Now, as an intelligence officer, my job was to be more of a face to face, having the conversation, making the contact and then getting the individual, let's say he works in cyber. Getting that individual comfortable enough to say, hey, listen, whatever group or organization you're working for, you realize that they're probably doing things that are not advantageous to Canada. We'd really like you to help us out on this. How can we talk about making this work? So on one side for CSE, you've got them understanding the metadata and trying to get the information from that perspective. But my job, my role as intelligence officer was to basically get the individual on board to become a human source so that not only do we have the information, but now I may actually have some opportunity to task and direct this individual to provide more or do more.
Jim Love
So the crossover of those skills and that's equally important. And by the way, if you're listening to this, we're bringing you back for an entire show on how to use those, the things that you learn as an intelligence officer and how you can use those for social engineering. Focus on this. So can we back up just another piece? And for the audience that's out there, who are the players that are out there and what are they doing right now with who the players are? Because I think they affect both the US and Canada directly. I hear about North Korea, I hear about Russia, I hear about China. I'm not sure which one's more important. I'm not sure who's doing what. Who are the players in cybersecurity attacking or at least that are threatening cybersecurity right now?
Neil Bisson
Yeah. So the big players as they would be in intelligence are China, Russia, Iran and North Korea. And they've all shown a capacity to infiltrate and to extract information or use information for their own means. So the interesting thing is, if you look at China, China is trying to grab as much information as they can about every individual in North America and in the Western world. The Equifax attack by Stone Panda that took 145 million individuals information and now basically the Chinese government has that and they are probably churning it through hundreds of different databases to try to get a profile of every individual that they possibly can. They may be interested in what they're doing in 5 or 10 or 15, same as TikTok, by grabbing as much information on 10, 12, 13, 14 year olds in the next 5, 6, 7, 8, 10 years, when they've actually got it into the working world, they can use that information and hopefully they've been continuing to monitor what these individuals went up to and it makes it easier for them to reach out to them either digitally or have some sort of contact with them and get information now.
Jim Love
So this isn't just movies that people are actually studying people 10 years in advance of when they make the approach.
Neil Bisson
Yeah, you can say a lot of horrible things about authoritarian regime, but the one thing that you've got to give them credit for is that they can make decisions for what's going to happen over the next five, 10, 15, 20 years. They're not concerned about what the next government coming in is going to do because there is no other government coming in. They're not worried about reaching out to their constituency to find out what the issues are for them. It's their decisions that are being made. Right. The decisions of that authoritarian regime is, listen, we're going to make sure that we infiltrate, influence and do what we want to the rest of the world in the next 15 or 20 years. And if that means we have to overtake their critical infrastructure, if that means that we have to steal all their IP, if that means we have to get into their own political systems, we're going to do that. And that's what their priority is. So you've got that from China. And then you're looking at Russia, who's looking at it from a military perspective. Right? They're still involved in the conflict in Ukraine. They're looking at, okay, what's happening in Europe, what's happening in North America, how can we ensure that they don't get the idea that they want to continue to help Ukraine? Or how can we cause some sort of disruption within their system so they question their own government? And we've seen a lot of sabotage attacks happening, but those sabotage attacks are being coordinated with individuals that are working in the cyber world to find out, okay, where are the supply chain weaknesses? How can we overcome these weaknesses? You've got China, you've got Russia. Iran is always concerned about their dissidents and they're concerned about their own nuclear program. So they're going to try to infiltrate anything that deals with defense. They're going to try to get a hold of information from IP from.
We talked about rocket companies like space exploration, and now you mentioned it yourself, David. Canada is really getting big into AI and we're trying to push that envelope. Iran would be looking at Canadian companies that are startups and the aerospace industry and being like, okay, we want to get in there. We want to find out what they're doing. So.
David Shipley
And it's interesting because the service, speaking of startups, had a great alert out to Canadian startups and this would apply to American startups as well as, hey, these contests where they invite you to China. Maybe not such a good idea for these potential investments, which you're going to disclose all of your deepest secrets and where you're at and potentially get money and investment this way. Which is interesting that they decided to go loud as part of that. It is worth noting, Jim, the. George. Was it the. The guy behind Game of Thrones? George.
Jim Love
You're on your own, buddy.
David Shipley
Yeah, sorry. Yeah, George R.R. Martin has this famous quote that no one's the villain in their own story. And for us, the absence of cyber digital evil is Russia, China, North Korea, sometimes Iran, but we do it. We pioneered it. The United States started this by tapping Cisco routers back in the day being shipped to Moscow. The whole reason we're so wired about Huawei networking gear is because we did it first. Now, they may be doing it better than us, but we. I had a chance to meet members of the Intelligence Committee from the United States and remember that awkward moment when Snowden leaks were happening and there was. The one guy was sent out. I just made him. He was the official apology tour for the CIA going to Angela Merkel and others saying, we're really sorry we spied on your phone because allies do it to each other. Israel spies on everybody for their own national interests. What's interesting sometimes for me is the countries we never hear about had some really interesting conversations back when particularly Canada was having a very tense time with India. We made a series of geopolitical choices to get in a fight. Hilariously have our prime minister's plane break down after we start the fight in India, which was super awkward.
Jim Love
There's no red carpet.
David Shipley
Can we get some spare parts for. Where I'm going with this is we don't talk enough about India. Everyone I read on the intelligence assessments on India's cyber capabilities, they're very condescending. And I'm like, wait a second. This country has more engineers than some countries have populations. They're incredibly hardworking. And incredibly smart and I think you're being incredibly dumb to ignore India's potential in 21st century and building up these capacities. So yes a lot of their attention is spent on Pakistan as two nuclear armed countries that like to spark off would spend their time but that don't mean they can't. And when we were getting tense in Canada, you know we have a lot of offshore software development in India and so one of the goals for Indian intelligence like Neil was saying would be develop assets inside their own companies that may potentially want to put code backdoors, other things. These are, this is a form of power projection. Now when we talk about the players it's everybody. In Canada we got caught in Snowden hacking Brazil's phone. So during trade negotiations. Awkward. And I was very proud of our spies because we're really good. We had a really good track record of hacking mobile devices stuff but we had our hand in the cookie jar too. As much as I will tut tut China for stealing our stuff, we do it to others.
Jim Love
Yeah. So we've got these companies and now my sense is it's gone beyond information and I first encountered this as a telco consultant way back and I was in Africa and I was meeting guys from Huawei and realizing Huawei is building the telephone infrastructure for the world right now. And David, you talk about Nortel so we know and I think most of us are aware that Huawei devices are intricately meshed into most of the telecommunications networks. I think a lot of people think they've been pulled out of the western networks. Germany would disagree and many other countries as well still have these devices but those are, that's one place of where we've infiltrated. But I've heard stories of and I don't know how true they are but you get the news on them. Oh I think I have an idea of how true they are but that most of the infrastructure, the critical infrastructure that we have has been infiltrated. How deep are these intelligence agencies in our corporate and our physical structures right now?
Neil Bisson
It's the worst kept secret out there. That Cozy Bear and Stone Panda and Salt Typhoon and all of these other APTs are actually working on behalf of the government but they're working as contractors. So a lot of these governments, the Russian government doesn't care if they're stealing Bitcoin or if they're involved in ransomware or some of these other things as long as they're getting them the information that they want. And really it's a symbiotic relationship, because these foreign governments are not going to start looking into the actions of these hacking groups because they're essentially working on their behalf as well. So you've got that happening now. You take that in consideration with how far they're going to go into critical infrastructure and then provide the information back to their foreign state countries that they're working for. We all know that sometimes it can be years before a company or a department or an organization even knows they've been infiltrated. And the unfortunate thing is, at that point in time, it's too late. If something decides to happen, if they want to probe and find out, okay, we're going to shut down part of southwestern Ontario's electrical grid for the next 48 hours just to see if it works. Look at Russia and what they were doing to Estonia with their financial. You could, if you went to Estonia and you tried to get money out of a bank, forget it. It wasn't going to happen. And they were just doing that essentially just to mess with them, to say, hey, listen. When we want to, we'll shut your lights off. When we want to, we'll shut your water off. When we want to, we'll shut your money off. And what are you going to do about that? We haven't gotten to that point yet because we're still dealing with the issue of, okay, at what point does it become a military attack? At what point do you involve yourselves in shutting off and how do we attribute it to you?
Because if you've got Salt Typhoon or some other organization that's a hacking group and the government of China says they don't work for us, we don't know what you're talking about. At what point do we have to connect the dots and basically make the argument to say, guess what? You are funding Stone Panda, you are funding Salt Typhoon, and we're going to do something about this. Yeah.
David Shipley
And what's interesting here. So I spent the weekend, I watched the new Netflix Kate Bigelow movie House of Dynamite, which is talking about the modern kind of nuclear era we're in, runs you through a very uncomfortable situation of a nuclear strike on the United States and all the things that people are trying to struggle and deal with. And one of the interesting points about that movie is they missed who fired it. The satellite didn't show where the myth. They only caught it once the missile was on the upwards trajectory. And so they had no attribution. And that causes significant issues as you try and rack with us. That's cyber you have no idea who launched the massive crippling attack on the West Coast. You have suspicions and, and you got to remember too is that depending on the country, their policy response is not necessarily to respond proportionally. You look at the US playbook is that a significant enough cyber event could result in a kinetic response or higher. And Israel set the tone for this with one of its raids on Hamas before the most recent war. They took out a floor one of the buildings where Hamas software dad had built a really clever spying app. It was made as a soccer app and it was targeting IDF soldiers. What happened was when they installed this soccer app, it was pinging all their troop deployments and locations. Brilliant, great. Like you got to give them points for operational audacity. But the response to that particular intrusion was we're going to wipe out this whole team. That's that. This is where it gets messy. Jim, to your question, like how deep is China in anything that's critical infrastructure and has a Cisco router has had a bad time in the last couple of years because our infrastructure is fundamentally insecure, the motivations aren't there to properly lock it down.
And our intelligence agencies up until the last few years in Canada were a little bit tied in terms of how much cooperation they could actually do. CSE could engage through the cyber center if there was voluntary interest, they wanted to engage proactively, let us know what was happening, they would get involved. CSIS really had its hands tied until the changes as well to all the foreign interference and spying stuff in Canada. We had some major later changes and I was witness to CISA stepping up and doing some really great work with the private sector. So we're starting to see those linkages happen. And I don't believe it's just a cynical check the box. We could say we've consulted with the private sector, there's been some decent non classified conversations, but it's bad out there. And the challenge is that Canada we lacked the legislative tools to force critical infrastructure in, particularly things like energy transmission, where we almost had a pipeline go kaboom on orders from the GRU because a bunch of script kiddies got in and said, hey, do you want us to try and make this go? And then just a couple weeks ago in Canada we had an alert from our intelligence agencies that four different critical infrastructure, everything from water treatment to a grain silo plant, which I did not realize how dangerous grain silo plants can be, but those things can go boom too, that people were in there messing with the controls and they were described as hacktivists. But back to Neil's point, two sweetest words in any kind of nation state's toolkits, plausible deniability. And that gets us back to our house of dynamite problem.
Jim Love
But we had someone from one of the US groups that works with smaller organizations all around in terms of their water plants and things like that, and these, according to them, the attacks were just constant and that most of these plants could be controlled. And when you think about it, we don't think about these dangers. Grain elevators. I grew up near a grain elevator. A huge explosion waiting to happen. The ventilation goes down. If you look at water treatment plants, these are all automated. They release chemicals into the water that we get 15 minutes later in most of our major cities. And if those were ever played with in a way, you could do serious damage. And we saw that in one small town in Ontario, the water treatment plant stops working and a lot of the population gets sick very quickly, never mind the chemicals that they could dump in. So we're fundamentally weak in our infrastructure, if I'm hearing you correctly, we're fundamentally weak in our corporations. Every government is playing. David added another one, the Israelis, we like to ignore them because they're providing the spying equipment that our own governments are using on us. I'll use that tired phrase, do your own research. The Apple phone spying that governments can use and all of that, it's all Israeli technology. And I don't know how much Canada's bought. I know how much the US has bought because they are, they're now using that effectively for facial recognition and for spying on people on their phones, whomever they want.
David Shipley
And actually Citizen Lab at the University of Toronto has done some phenomenal work into the NSO Group, the Pegasus malware and all that fun stuff. But to Jim's point, it's all there. And you know what, in terms of the norms, I'm okay with countries spying on each other because in some ways that is a steam release valve. All right, what are they thinking? What are they doing? All right, great. You don't feel we're going to give you the straight answer and you need to go look behind the sheets and see what's going on. Fine. And protect your intellectual property. It's your job to put your goalie in front and away. What I don't like is this expansion of the game and North Korea doing this the most where they're violating international norms around espionage. And now it's monetization and it's pre-positioning for infrastructure disruption and it's the weaponization of intelligence and turning this, okay, we got in. We've got persistence, okay? Now we're going to potentially be able to sabotage and shut down critical infrastructure, et cetera. That's when we're crossing a line now between the Great Game and the House of Dynamite. I don't know how we have an adult conversation, because I don't think we have functional multilateral international organizations anymore. Guys, like we need a Geneva Convention 2.0 that says, no, you're not allowed to be in a hospital, you're not allowed to be at a power plant, you're not allowed to be in a water plant, period, full stop. That is a violation of international norms. And you're a pariah and sanctioned and cut off or whatever the hell we can do short of war. But we've got to put some boundaries on this stuff.
Neil Bisson
I'll just go back to some of the stuff that you guys were talking about. One of the biggest turning points, I think, just in the last 25 years was Stuxnet, right? You're looking at a state-on-state attack that happened through cyber technology. And it was. It goes back to what you were talking about, too, is what are the motivations? We talked about intelligence, getting close to a human source or recruiting someone, because you understand what their motivations are, and you guys both brought this up, is that if you look at Israel's a good example, what is motivation? What is Israel's biggest motivation? To ensure that they can maintain what they have. And they are basically surrounded in their minds by enemies on all sides, right? So they're going to take technology and they're going to use it against anyone and everyone to try to ensure that they maintain what they have and that they keep their military capacity capable of the most capable as possible. So that means that if you're dealing with them and you're a private industry company, and you're dealing with a company that's based out of Israel, more than likely anything that they provide to you will somehow have malware on it. It's going to infiltrate your system. Like, this is what we have to do. This is what we have to do for our companies as well as our governments, is come to the realization you got to know what the motivations are. If you're dealing with any company in China, that company is partially owned by the Chinese government. You've got to keep that in mind.
Jim Love
The thing that makes me crazy, and I'm just going to relate it back to corporate world work, there's a couple things that make me crazy in this. But one of them is I've got a whole government that I pay taxes to and there's a bigger government to the south of me where a lot of people pay a lot of taxes to. And people tell me we shouldn't have Huawei equipment or we shouldn't have this equipment or all this stuff. Isn't there some lab somewhere where they pull this stuff in and say, hey, wait a minute, this stuff that's coming to you from China, from. It's always like we make these announcements on our show that you're supposed to watch for this. And you got some guy, he's a security officer for a company, maybe even a mid sized one, four or five people or, I don't know, a dozen people were reporting to him or her. And we're supposed to defend you against China. This is insane.
David Shipley
Apocalypse now, right? It's like we're all sitting on the beach with Kilgore and it's like, surf's up, man.
Neil Bisson
The smell of cyber in the morning.
David Shipley
Morning. So let's just be real for a second. It is insane. Part of it is Neil talked about you need to understand motivation. But the other part, understanding what's going on with bureaucracies, you need to understand what happens when you have a critical lack of imagination, when people are just so focused on staying in their lane in their policy directive. So if your policy directive as CRTC and as Industry Canada and others is cheapest Internet costs for Canadians as possible, then when telecommunications providers are working and negotiating with the regulator for, okay, we're gonna, we're gonna buy the cheapest equipment available that's got the highest quality, which China was churning out Huawei. No one cared about the national security implications of that to the extent they cared. They set up a little lab and they tried to do some assurance and everything else, but they just tried to make themselves feel okay about the decision, like the lack of imagination, that we could be in a hostile situation. Because when we were making those decisions about Huawei, we were trying to orient more of our trade towards China. We were doing a great sort of warming of all those things. And then for some absolutely insane reason, we decided to grab the daughter of a senior executive for China's version of Apple. Okay, we're gonna remind you guys, China's really sensitive about insults for reasons, 3,000 years of history and other things. So when you insult the company, that literally means Huawei China forward. And you throw her in detention in Canada, you're gonna provoke a response. And so we got into a fight with the world's largest economy and all of a sudden back into or second largest economy. Back in our intelligence communities, we're like, oh, maybe it's not such a good idea that all our telecommunications equipment is now influenced by someone who's actively hostile to us.
Neil Bisson
There was that aspect of it, but there's also the aspect of it that all of our Five Eyes partners had come to the realization that using Huawei as a backbone infrastructure for your telecommunications is a bad idea. This is one of those things that because of the Five Eyes, if you're going to go ahead and put yourself in a position where you become the vulnerable point, then there's going to be a major issue. You guys have talked about this on the show time and time again. You have those individuals that are in place that are talking about security, but they're always going to be trumped, no pun intended, by those individuals that are more concerned about profit. Just look at the Canadian government and how we've gone from, okay, India is affecting our diaspora community. There are assassinations happening. The Indian government is involved to, oh, the G7. I'm going to invite Modi there. Or all the issues that we had with the two Michaels, as you mentioned, with the Huawei situation and how we know that on a regular basis China is trying to influence and infiltrate Canadian cyberspace, but yet our Prime Minister still goes there and says, hey, listen, we want to turn a corner here, because why, economically, Canada is looking at itself saying, what's more important, that we make sure that we get more money and that we start doing more trade, or are we more concerned about our national security issues? So these are always going to be conflicting.
Jim Love
If we were to lock out everyone who spied on us, there would be the G1.
David Shipley
Yeah. North Korea's Internet is perhaps not the model that we're advocating for here. And again, I would go back and say, I'm cool with a certain amount of spying. I get it, it's a game. I'm not cool when we cross the line between spying and sabotage. And the problem is that the wires, the digital infrastructure, the highway to do this is the same road. It's a matter of intentionality at that point. And that's that how do you control for that?
Neil Bisson
The problem with that mindset, though, David, is that all intelligence is for the future purpose of potential sabotage. You can't differentiate between the two, because the whole idea of spying on another state, another individual, is that there may be a point down the road that I need to take action, and I want to be able to have the advantage to take that action. It's nice to think that it's okay if we spy on each other, as long as we just catch these little secrets. Really, at the end of the day, it's how do I ensure that my company, my group, my organization, my country has the advantage?
David Shipley
Yeah.
Jim Love
And we make a big thing about the fact that we have elections every four years and we can't plan. I'd be happy if our government was looking a year out. Honestly, right now. I'd be thrilled right now if we went to that. We have to wrap, unfortunately, because there's only so much I can edit this down, but there's only so much I can do in an hour. I think we're gonna end up with three episodes because I think there's more to this. But I wanna leave our audience who's listening to this one with at least some ideas of. We've gone into the air, and we've talked about the groups that are out there. We've talked about some of the threats that are out there. If I'm a person running a cybersecurity area right now, I know one of the things I should be doing. I should be watching who I'm hiring and as a contractor, because that. I fail to believe that the North Koreans are the only people doing this. They're making money doing it, but I think everybody's doing it. And David put a great, great piece of advice out there for anyone, and that is, if you can have a remote contractor and it's worth that to you, and you have any information worth anything, you might want to bring them in for their first week at least to meet with people and work side by side with people. And if they ask what this key does on the keyboard, you might not want to continue with them. Or if they have to make a phone call every time you ask a question, you might want to say, maybe this person doesn't have these skills. And I'm being facetious, but I'm just saying get to know. We talk about know your client, know your employee. What are the other things from a cybersecurity point of view that good intelligence thinking would do for us in protecting ourselves?
Neil Bisson
I think one of the most important things is just paying more attention. The information that's coming at us is coming at us at a fire hose pace. And you've got to have individuals within your organization, whether you're a small, medium, or large corporation that's dealing with IP you have to have somebody in there who can take the time to start pulling that apart. Because every vulnerability that is discovered at another company is a vulnerability that your company itself might face. And what you want to do is you want to have people that can recognize that and then they can apply it. Like for me, when I do my Global Intelligence Knowledge Weekly wrap up, I go through a week's worth of intelligence information that's open and I try to explain this to people that why does this affect your day to day? Why does it affect your career? Why does it affect your safety? Why does it affect the sovereignty of your country? Because states are like businesses. They have a business plan, okay, we're going to attack this way, we're going to infiltrate this way, we're going to do it this way. Because that's what they're used to. It's human nature. And if you can become aware of that, you can build the defenses you need to counteract it.
David Shipley
And I would add from my side, first of all, to what Neil was saying, you may not believe in DPRK's interest in your business, but they sure do have an interest in your business. And no one from Washington or Ottawa is automatically magically waving a wand protecting you right now from all the nation state threats that exist. No one's doing that for you. You have to protect yourself. We are in a new era. It's more akin to the feudal era where you know, those who are powerful governments, large corporations live in the castles and the rest of us serfs are out in the village getting raided by the Vikings. And you've got to build up your own defenses. That being said, I am seeing greater willingness and greater interest from our intelligence agencies, not just in Canada, but also in the US. You've got CISA for critical infrastructure. You've got the FBI, Secret Service and others. There are folks who will pick up the phone. You see something weird happening in your rural water utility, your telecommunications company, your hospital. There are people who care and want to know about this. And that's the only way we're going to get a handle on it is by people talking about it and sharing it. You're not bad because you get hacked by the Chinese. To Jim's point, like, good luck defending yourself against the cyber army that's larger than most countries' military. We got to get better working together. And I think we got to have these conversations because just to bring it all the way back, if you're dealing with cyber and you don't take the time to think about the motivations of why someone would attack you and how their criminal groups, nation states and others, you're not defending, you're just reacting.
Jim Love
Great. And I want to thank you, Neil, because I think sometimes I think about this when we put the podcast shows together, trying to get the information out there for people, and I sometimes wonder if we're admiring the problem. I honestly do. We talk about these things. And my hope was that if it wasn't schadenfreude that this happened to somebody else and not you, it was this idea that, hey, this is happening out there, you might want to start to think about it because it may start you thinking about how you protect yourself better. And I think that's our legitimate interest. We try to also cover specific attacks when they're ones that people might have gone by them. But I think we all drink through a fire hose. And I'm going to do a little bit of a commercial. Yours is called the Global Intelligence Podcast, Neil.
David Shipley
Neil.
Neil Bisson
Yeah, it's a global intelligence weekly wrap up. So I do it every week and I take information from around the world on headlines because the same way that China is attacking the Philippines is also the same technique that they're going to try to do for other countries. So it's trying to get it out there to have people realize that intelligence is a global business. It's good for you to be aware in Canada or in the United States or in Europe, these techniques that are being done by the Russians, by the Chinese, by the Iranians, they're also happening in your own backyard. You might not be cognizant of it because it just hasn't hit the news yet, but you should be aware of it.
Jim Love
So we'll put a link to Neil's podcast. If you're listening to this show and you want to just keep up on these things, it's a really accessible podcast. And if you're in the U.S. it's going to have more of a Canadian focus. Of course, if you listen to this show when you're in the US you'd realize it has a bit of a Canadian focus anyway. But these are universal themes across. We have listeners across the globe who come in and tune in because there are no borders in cybersecurity. Unfortunately, no, they're not. Yeah. Thank you very much. My guest today has been David Shipley. Of course, he's not really a guest. He'll be back with the news on Monday. Neil Bisson, who has the Global Intelligence Podcast and a. And I'm getting, I'm, I'm botching the name, but you know what I'm talking about. There'll be a link. I call it the Global Intelligence Podcast when I watch.
Neil Bisson
Good enough.
Jim Love
Thank you, guys. Appreciate it. And we're on for another episode at least. And we're going to talk about some of the things next week that Neil will bring to us as an intelligence officer and how those things contribute to our psychological attacks and social engineering. And David will be back for that too, who's our resident social engineering expert and phishing expert. So we're looking forward to that. We'll catch you next week. And David, you're back on the news on Monday morning.
David Shipley
Morning.
Jim Love
Thanks, guys.
Neil Bisson
Thanks.
David Shipley
Awesome.
Jim Love
And finally, once again, we'd like to thank Meter for their support in bringing you this podcast. Meter delivers full stack networking infrastructure, wired, wireless and cellular to leading enterprises and working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in a space. They design the hardware, the firmware, build the software, manage deployments and run support. It's a single integrated solution that scales from branch offices, warehouses and large campuses all the way to data centers. You can book a demo at meter.com CST, that's M E T E R.com CST. I'm your host, Jim Love. Thanks for listening.
Host: Jim Love
Guests: Neil Bisson (retired CSIS intelligence officer, founder of Global Intelligence Knowledge Network), David Shipley (cybersecurity expert)
Date: November 22, 2025
This episode dives into the evolving landscape of cybersecurity threats with unique insights from intelligence expert Neil Bisson, formerly with the Canadian Security Intelligence Service (CSIS), and recurring guest David Shipley. The discussion explores how nation-state actors, non-state groups, and the blending of traditional espionage with cyber operations threaten the private and public sectors. The conversation covers real-world breaches, the role of big data in modern spying, the intersection of corporate and national interests, and practical advice for organizational defenses. The tone is candid, engaging, and at times witty, making complex topics accessible.
“After I retired I realized that there’s still a lot of work to be done… I took it upon myself to start the Global Intelligence Knowledge Network.”
— Neil Bisson (00:49)
“Back in the day, when we’re talking a little bit more old school espionage, we would try to find as much information about an individual... Nowadays it’s so much easier to do that because as I said, we all live digitally.”
— Neil Bisson (03:40)
“All this is being funneled into a data set. One can imagine analysis… looking for those motivational levers.”
— David Shipley (04:29)
“People will give up their passwords for a chocolate bar.”
— David Shipley (05:55)
“It was always about money over ideology because it takes money to run ideology.”
— David Shipley (06:29)
Innovations today often originate in the private sector, not the military. This shift has increased the value of targeting corporations.
Case studies: Nortel and Hydro-Quebec—Canadian innovations “miraculously” reappearing in foreign competitors, often due to IP theft.
“Let’s just take IP and use it ourselves.”
— Neil Bisson (09:39)
“What’s happening in the corporate and private industry world, what's happening with research and development is just as important as a terrorist entity trying to perpetrate an attack in Canada.”
— Neil Bisson (12:41)
“They are probably churning it through hundreds of different databases to try to get a profile of every individual that they possibly can.”
— Neil Bisson (17:06)
“Sometimes it can be years before a company or a department or an organization even knows they’ve been infiltrated. And the unfortunate thing is, at that point in time, it’s too late.”
— Neil Bisson (24:15)
“The wires, the digital infrastructure, the highway to do this is the same road. It’s a matter of intentionality.”
— David Shipley (38:32)
Stuxnet is a pivotal example—cyber tools as state-on-state weapons.
Motivation varies by state: Israel is highly aggressive due to constant security threats; China’s government influences every private company.
Attribution is difficult—often impossible to “prove” who is behind a cyber attack (plausible deniability).
The ethical line between “spying” and “sabotage” is increasingly blurred.
“All intelligence is for the future purpose of potential sabotage. You can’t differentiate between the two...”
— Neil Bisson (38:38)
“Every vulnerability that is discovered at another company is a vulnerability that your company itself might face.”
— Neil Bisson (41:11)
“No one from Washington or Ottawa is automatically magically waving a wand protecting you right now from all the nation state threats that exist. No one’s doing that for you. You have to protect yourself.”
— David Shipley (42:02)
On nation-state motivation:
“You can say a lot of horrible things about authoritarian regime, but the one thing that you’ve got to give them credit for is that they can make decisions for what’s going to happen over the next five, 10, 15, 20 years.”
— Neil Bisson (17:56)
On risk to small organizations:
“We are in a new era. It’s more akin to the feudal era… those who are powerful governments, large corporations live in the castles and the rest of us serfs are out in the village getting raided by the Vikings.”
— David Shipley (42:20)
On the expanding rules of engagement:
“We need a Geneva Convention 2.0 that says, no, you’re not allowed to be in a hospital… power plant, period, full stop. That is a violation of international norms.”
— David Shipley (32:01)
On the role of intelligence in business:
“States are like businesses. They have a business plan… If you can become aware of that, you can build the defenses you need to counteract it.”
— Neil Bisson (41:29)
On the futility of perfect defense:
“You’re not bad because you get hacked by the Chinese. To Jim’s point, like, good luck defending yourself against the cyber army that’s larger than most countries’ military.”
— David Shipley (43:11)
This episode delivers a sobering but actionable overview of the modern cybersecurity threat landscape, blending first-hand intelligence experience with practical advice for organizations of all sizes. Listeners come away with a stronger sense of how deeply cyber threats permeate both national and corporate boundaries, the motivations behind attackers, and the vital steps companies should take to protect themselves.
For those seeking regular updates on these trends, Neil Bisson’s “Global Intelligence Weekly Wrap-up” podcast is recommended (link to be provided in episode notes).
Next Episode Preview:
The series continues with a focus on how intelligence tradecraft can help organizations defend against psychological attacks and social engineering, with Neil Bisson and David Shipley returning.