A

The only real threat to the United States right now, the only real realistic threat, is a large scale cyber attack that denies us the critical infrastructure that makes our lives happy, healthy and whole. And what we've seen in analysis of our systems are scada, which are the networks that move everything from power to water to gas, to all the things we need.

B

Welcome to Embracing Digital Transformation, where we explore how people process policy and tech technology drive effective change. This is Dr. Darin, Chief Enterprise architect, educator, author and most importantly, your host. On this episode, Nation State cybersecurity is digital transformation with Eric o', Neill, former FBI Counterintelligence.

A

Eric, welcome to the show. Darren, it's good to be here.

B

Hey was very excited about when we started talking. I said don't tell me anymore Eric, because I want to save that. I need to hit the record button. So I'm really excited about what's, what we're going to talk about today. But before we get started on cybersecurity and threat nations and all this stuff, everyone knows on my show that I only have superheroes on the show and every superhero has a background story. So Eric, what's your background story?

A

Well, I don't know if I'm a superhero, but I do have a background story and a pretty unique one. My earliest job that really matters was working undercover for the FBI. I was a counterintelligence and counter terrorism undercover operative, which meant I chased spies and terrorists all over, mostly around Washington D.C. and stopped them before they did whatever dastardly act they were planning if we wanted to.

B

All right, that's super cool all by.

A

Itself, the superhero hero analogy. So most of that was working undercover on the street using a lot of classified technology, good old human intelligence gathering, surveillance ops, whether it's vehicle versus on foot, and tracking those targets to stop them before like I said, they do whatever their plan was, either steal information or blow something up. And then at the very end of my career, by my choice, I was asked to join and go undercover in the most unique case the FBI had ever run. To go undercover in FBI headquarters, which was unprecedented as myself, which was really weird to catch who turned a man who turned out to be the most damaging spy in US history, Robert Hansen. And Hansen had spied for the Soviet Union and then Russia. That's how long he spied. He survived for 22 years of his 25 year career, he was known only under the code name Gray Suit. This mythological legendary figure that the entire intelligence community had been hunting for decades. And at the very end of his career before he was about to retire, months before he was about to retire, a former KGB source sold a small file of information to a very fortunate joint tax force between the FBI and CIA, who opened it, thinking it was going to be someone else, and that were shocked that it was Robert Hanssen. The reason Hanssen was the top FBI analyst for the Soviet Union and then Russia. And at one point during his career, he was asked to catch Grey Suit. So he was asked to catch himself, which was insane, right? And so Robert Hanssen, the FBI had to put together this very unique case in. In days. They gave him his dream job. They promoted him to executive service. They brought him back to FBI headquarters. They put him in charge of a section called the Information Assurance Section, which was extensively building cybersecurity for the FBI. And they had needed somebody to go undercover with him, and that ended up being me, because I knew how to catch a spy and turn on a computer. Because we were doing cybersecurity for the FBI, they needed someone who could sell the position, and that ended up being me. I did manage to catch them. Yeah, I did manage to catch them. In the end, I found a smoking gun in the case that made the legal case a slam dunk. And since then I have been a national security attorney. I run a couple of companies. One that does cybersecurity, one that does competitive intelligence. And near and dear to my off my heart, my two favorite things in the world is I'm in global public speaker, keynote speaker on cybersecurity and catching spies and espionage, and an author. I've written two books. My First Gray Day is the story of how you caught how we caught Robert Hansen. And my newest book, Spies, Lies and Cybercrime is everything you need to know to protect yourself in a world and often dizzying world of cyber attacks.

B

Yeah, yeah, we got to talk about the cyber attacks. I just had on my show a personal security expert, both physical security and cyber security, which was very fascinating.

A

But.

B

And it kind of starts with that personal cyber security. But we just touched a little tiny bit. I want to go a little bit deeper with, with you, Eric, but before we do that, I've got to ask a couple interesting questions about. About going undercover as yourself. That's. That's very unique. Yeah, that. I mean, that, that's an incredible story all by itself.

A

What.

B

How long ago was this, that. That this happened? I mean, because he was, he was, he was in operation for 22 years. How long ago did we catch him? And, and were you involved in. In that I would Call it a physical honey pot, because basically that's what you guys did. You created.

A

That's a good way to. That's a good way to describe it. And essentially we got. The FBI did a lot of hard work to get very lucky at the very end of his career. So he, the FBI, you have mandatory retirement at 25 years as a special agent. We only learned about Robert Hansen, learned that he was the biggest possible for Gray Suit in December of 2000, and he was going to retire in April of 2001, his mandatory retirement. So the FBI had to do something that would keep him in place and, and, and, and sell a job that the FBI desperately needed that was going to allow us to extend his service and not force his retirement. So they give him his dream job, they extend his. His service in the FBI, and they pay him more. So coming into that room, 9930 and FBI headquarters on the ninth floor, he, he had to be insanely suspicious that this was. That the FBI had learned he was the spy and was closing the lid on a coffin just at the end of his career. For Hansen, his problem was there were only two of us in that room, me and him. So in order to determine whether this was an investigation or the FBI had just given him his dream job because he was the only one who could do it, which is what he wanted to believe. He could only attack me. And that was the big difficulty for that investigation. I had to succeed at the overt job of building cybersecurity for the FBI. We had to prove we were doing something, but also succeed at the COVID job of, number one, not screwing up, making sure that Hansen believed that this was a real job. Number two, finding the investigation that proved to us that he was the spy we've been after 22 years. And then, number three, find the smoking gun that would lead to his arrest and a slam dunk conviction. You very rarely have a case where you succeed in all three of those, and just by. I'm not exactly sure still how I managed it, but we as a team and I, as the undercover asset, managed to catch Anson.

B

All right, let's. We could talk about that all day, but I want to get into, you know, the, the nation threats that we're seeing here. The, the level and sophistication of the attacks that we're seeing are pretty astronomical. Everything from aid fakes and social engineering attacks to just brute force cyber attacks. It's. It's all over the board right now.

A

So it is. We are the nation. The United States has Never been more under siege in cyber warfare than today. And I talk a little bit about this in my first book and I carry it forward and really explain it in my second. You know, the Cold War never ended for Russia and China has jumped on the bandwagon. Iran knows that the only way they can attack us here in the homeland is through cyber. And North Korea is basically just a bunch of robber barons who steal from countries in the west in order to improve their economy. Also, they don't feel very fondly toward the United States. But cyber attacks, cyber terrorism is cyber warfare, allows any country that has a bone to pick with the United States to attack us on our homeland, whether it's stealing information, actually stealing money, or preparing for a future war. So what do I mean by that? I believe that the only real threat to the United States right now, the only real realistic threat, is a large scale cyber attack that denies us the critical infrastructure that makes our lives happy, healthy and whole. And what we've seen in analysis of our systems, our scada, which are the networks that move everything from power to water to gas, to all the things we need across the United States. And looking into critical infrastructure in itself is that those big four countries who are the broadest threat in terms of cyber threats to the United States, China and then Russia and then Iran and North Korea, in that order, have been launching probe attacks and some successful cyber attacks in our critical infrastructure. And that critical infrastructure is our power grid, is our water, right? You want fresh water. And then people forget that a big part of critical infrastructure is the removal of wastewater. If you can't fire sewage and some, you know, or hit your, hit your drain on your sink, that can cause serious problems, especially in health, but, but also flow of gas and the things that we need. Telecom has been attacked, finance sector has been attacked. And these attacks are using the best espionage tactics to infiltrate, to maintain persistence, which means they hang around as long as they can and then see how deep they can get and how long they can persist unobserved. So perfect probe attacks, and these are occurring in greater frequency. It doesn't mean that tomorrow or next week there is going to be a large scale attack. So, you know, don't run to your grocery store and hoard toilet paper. But it does mean that if current geopolitical issues continue in the pace that they're going, then the only way that these countries can hurt the United States is through a cyber attack. And we do need to be ready for it. And it's a. Jerome I've been beating for some time hoping that administration takes it up.

B

Yeah, you're not the only one. My PhD dissertation was on this exact thing.

A

Exactly.

B

OT and it's. And the cybersecurity best practices between them. It's a disaster right now.

A

It is. And it's completely wide open. If you look at large infrastructure companies and if you look at all the different pieces of infrastructure, the only thing that's really saved us is unlike a great example right now is Ukraine. Russia in their war against Ukraine. And in my book I spent a chapter on the email that launched a war. They started all of their kinetics. So now we have to talk about cyber attack versus kinetic attack warfare. You get two new terms. Right. You have to talk about one or the other because warfare is always part of both. But Russia, before even moving into Ukraine, launched a large scale cyber attack that shut down the power in the power grids on the eastern oblasts, which are the easternmost regions that touch Russia. Then they moved in on cover of darkness. And they did this in the winter. They just attacked them again to, to shut off the power in Kiev this winter when things are freezing cold, to make people miserable. It is an incredible weapon. Now, the difference between Ukraine and the United States is Ukraine has one central power grid run by, by the Ukrainian government. Here in the US Our, our power grid is state run. Private, Private. Private and state partnerships. Federal. It's. It's this. Yeah. It's a patchwork grid. But there have been analysis where, and it's been shown by the Department of Energy, if nine separate sub grids in the United States, across the United States are brought down at once, the entire grid collapses under its own weight. So we are vulnerable. It's just a lot harder for a threat actor to do what Russia.

B

Because there's not one switch.

A

Because we're very decentralized. Yes. You got to get a lot of switches in a lot of places without being seen. That doesn't mean it's impossible. It just means it's a little harder. Which is probably one of the reasons that it hasn't happened yet.

B

Well, and, and if we talk beyond power, if you talk water, I mean, how many different water districts. I, I live in California. Just in California alone. Every county is its own water district, has its own pumps. That's right. Its own treatment plants, has its own sewage, all that stuff. It's. So that one is going to be really hard to attack. But we're seeing more and more of these attacks and probes, like you said, on critical infrastructure. What can we do as a nation then to shore this up. I mean we have a system, right, that is supposed to look at critical infrastructure and security and frankly it sounds like they're moving back in that direction. They kind of went sideways there for a little bit, but it seems like they're, they're trying to buckle down a little, a little better on our critical infrastructure.

A

But it's like herding cats. It's difficult. Well, there are a couple of problems. One, you know, the federal response hasn't been great. And this isn't, this isn't a partisan issue. It hasn't been great in any of the last administrations. I know that Trump 1 did put pour some money into a state run endeavor where a bucket of money was going to be given to state CISOs if they were able to show the investments they were going to make in critical infrastructure. I thought that was pretty important. The problem was that it was so hard to get the money. I was working with CISOs in different states to help them as a national security strategist and as an attorney to help them figure out how to get those buckets of money. And, and it's mind boggling. And that's the problem with administrative oversight and some of the red tape that happens.

B

And like you said, that's across different.

A

Administration, that's just, and across different administrations it's been a grab bag. You know, at the end of the day we know exactly what has to happen. You shore up those defenses, you go out and you install better cybersecurity, particularly around this space, this data switching networks. You upgrade cyber security, you weaken a lot of the, the poor patching and you know, failure to use two factor authentication, all of the basics in cybersecurity. The, the, the cy. Cybersecurity 101, right. That, that are the, the, the 99% things that you should be doing we are not doing across the board. So that has to happen. I mean that's, that's just step one and step two is, is improving cybersecurity with better technology using AI based heuristics and analysis and looking for threats, especially threats that try to maintain persistence and onward, you know, part of the problem. And, and I actually state this in our book. I don't think a change, in my book, I, I don't think a change is going to happen until there is a large scale cyber attack.

B

Oh, isn't that pretty typical though Eric?

A

I mean, look, it is, I mean.

B

If we go all the way back to World War II, right, we weren't ready for World War II until Pearl Harbor.

A

Yes, that's right.

B

And then all of a sudden our manufacturing kicked in and everything kicked in. I, A lot of people are afraid to wake the dragon. I think that's what Japanese Yamamoto said.

A

Right.

B

I say, I'm afraid we woke the dragon. And they did. Right, Right. Once the US pulls together and stops their infighting, no one, no one in the world can stop. Right.

A

Once that happens, that's 100% true. But I think there's a more nefarious thing that we're missing. We worry so much about nation state threat actors and we should, especially in critical infrastructure. Because, look, if China ever decides we really want Taiwan, so we're taking it, the first thing they're going to do is launch a cyber attack here and then blame it on criminals. And one of the reasons that they're able to do that is today I'm more worried about cyber criminal attacks on critical infrastructure here in the US if you just look at the last number of years, they have taken down cities including Atlanta, Dallas and others just for ransomware.

B

Right?

A

For ransomware. Right. And double extortion attacks where they steal a lot of data on the population, medical records and financial records and Social Security numbers, and they tell the city, you know, we're going to publish all this if you don't pay. Because they know that now everyone has good backups and they can restore. Right. And they have resilience. The biggest wake up, I think, for the United States was the attack on Colonial Pipeline out in your side of the woods in California. One of the biggest distributors of fuel from the west coast to the east coast is. And when Colonial Pipeline was attacked, and you talk about OSINT versus, you know, your operational controls versus your administrative controls. Colonial Pipeline was, was attacked just on the administrative side by a cyber, a Russian cybercrime group. But their protocol said that if we can't immediately determine where the attack came from and where it landed, we shut it all down. Because it could be a nation state attack. I think that was the right call. But the fact of the matter was, because they didn't have the context, the ability to say, okay, in our cybersecurity infrastructure, we know that the attacker is here in the administrative side of things. You know, they're sitting in hr, they're sitting in the exec function, let's shut down all the administrative, segment it from operational and continue to pump gasoline. They didn't have the ability to do that. They do now. They didn't then.

B

They do now. Yeah.

A

And so they Shut everything down. And the, you know, the United States went into crisis. People forget this because it was during the pandemic, so we were already in crisis. But you couldn't get gasoline in a lot of places here in the East Coast. I tell a story about people getting in fistfights at one of my local gasoline, gasoline stations here because they were lined up and they get, the pumps are running out and people were getting upset. And my thought was like, why do you care? Nobody can drive anywhere anyway. We're all working from home. So it's stupid.

B

But yeah. Could you imagine, Eric, if, if the pandemic wasn't going on, what mass chaos it would've caused?

A

Yes, exactly. And I mean, the fact of the matter is that anything like this, that is a chaotic event, causes people to react in uncertain ways. So, you know, it's not just your lights go out, your power go out. You can't get natural gas in your home to run your heater. When these things happen, people tend to freak out. And attackers know that. That kind of panic puts a pressure situation. So the pressure situation for spies can be to cause chaos and disruption in the United States. They could do it around an election, they could do it around, you know, all sorts of events. You know, fourth of July, you know, when people need their air conditionings for cyber criminals. They know that it creates pressure, serious pressure. And that pressure can be pressure to pay. Right. Because that's what they want. And so what I've been saying for some time is the only difference between a foreign intelligence service cyber attack and a cybercrime syndicate cyber attack is the outcome. They use the same tactics, they use the same protocols, the same tool bag. They launch, they carefully reconnoit. They use reconnaissance to learn everything about you. They find a person who will be their point of attack. That's the person with access to controls. They create a very sophisticated social engineering attack to fool that person into, into believing a lie. They steal that person's usernames, credentials, password, and their two factor authentication. Then they get into your system. They maintain persistence as long as they can to corrupt as much as they can. And then here's the difference. The spies escape having stolen your information. They don't ever want you to know they're there. Or if it's critical infrastructure attack, they bring down everything they can and disappear. The criminals crash and burn and destroy everything on their way out and then tell you, you pay us and we'll give you your data back. We'll give you the keys to resurrect it and we won't dump your information on the dark web for everyone to see. Wow.

B

So, all right, so now that we've scared everyone sufficiently, Eric, Because, I mean, but that's the reality of what's going on. What can we, as an individual person or an organization, especially around critical infrastructure.

A

Yeah. Well, the steps are really the same. I came up with this methodology some time ago called paid, because everybody can remember it, right? Paid. And it's very simple. It stands for prepare, assess, investigate and decide. So as an individual, you can do all of this and as a CISO of a large enterprise, you can do the same thing. The only difference is, is scale. Right. So let's think of an un. Of a individual. We prepare ahead of the threat. We assess constantly. Because you, because cybersecurity is not. Or security itself is not set. And forget, you've always got your radar up. When your assessment says you have a problem, you investigate. So you need the tools to investigate. You have to have the know how and you have to have the ability to do it. And finally you decide to act. One of the biggest problems in security and cybersecurity and all aspects of this is people don't act. They feel like I can't or it won't happen to me, or they put their heads in the sand. So part of paid, which is a loop, is deciding to start the process. So start with prepare. Ahead of any attack, you have to prepare, which means that personally you have to take a look at what you're doing. Are you going to sites where you're going to get into trouble? And we know like what some of those are. Are you deploying two factor authentication and not relying on a password? Are you reusing passwords everywhere? Are you being careful in what you do online? Most cyber attacks on an individual today are leveraging impersonation attacks and confidence schemes. Attacks. They are fooling you by pretending they're someone you trust. So you have to use this be skeptical of everything. Trust last approach to everything that comes to you on the Internet. If it looks like your brother or sister, it might not be, or your best friend. Cybercriminals are using email as their, you know, it's still the number one. But they're, they, they know that we're getting more skeptical about email. So they're attacking us through social media and they're attacking us through direct messages in social media and through text. So we have to be very careful about what we're seeing. And once you receive those texts or those emails or Those social media DMs, you need to assess, that's part two of paid and see if it's true. You know, don't immediately click on links or open attachments because you think it's from your bank or you've just won the lottery or you've got this great deal that you just saw through your social media app when you're scrolling. So always assess and put on what I say is put on your spy hunter hat. And when your assessment says I think this might be a trick, this is where you have to investigate. Do some work, find out if that person actually sent you the link, go online and see if this is a legitimate company trying to send you this great deal. 50% off this new Valentine's Day gift. Right. Make sure that that video you just watched from somebody is true or not a deep fake. And then finally, you know, if your investigation says I don't feel good about this, decide to act. Follow that cop instinct that tickle in your stomach and don't get fooled by the cyber attack.

B

I love you laid it out so simply without specific tools there which I love because right the tools used in a corporation are different than what I'm going to use at home. Right on, on especially on assess. They've got tons of tools for assessing, you know, all that stuff. But the basic steps are, are the same throughout all these. So what do I do when I do investigate and I do see something bad? Can, can I involve my decide to act Is the right decision to call the FBI?

A

Well that or it also depends on, for companies, for companies who think it could be a nation state attack or a one of the high end cybercrime syndicates who tend to come from China, Russia, you know, North Korea, Iran. Then, then yes. Reaching out to the FBI's IC3, the Internet Crime Complaint center is one important because they are the best map of statistics for these attacks. We want to continue to show how many are happening and two, they can provide some help. If they think it's a nation state then they will come in and help. If they think it's espionage, they will come in and help. But even if they don't, it is a good resource and it's important to report it. On the other hand, you know, as a, as a consumer you can go to, to different local and state police agencies who you know will have as some have cybercrime divisions. Like for example I had a client in New York, in Queens actually who was the victim of what we call a pig butchering attack. There was a Romance fraud where he thought that he had a romantic relationship with a woman that he met online and that they went to text and she, and it was actually she we found her. Ended up being a cyber criminal who then with a gang of criminals, defrauded him by getting him to invest in a fake investment scheme where he put a ton of his money. The nice thing about where he was is they had a good cybercrime division who was able to quickly track the, the cryptocurrency investment he was making and freeze the wallet and repatriate a bunch of his money before it disappeared into the cyber criminals. You know, so our local offline.

B

So our local authorities should be probably our primary.

A

Our first local, first cybercrime and then for, for foreign intelligence, then yes, definitely. The FBI. Local can be a grab bag. New York, big state, a lot of cybercrime, and they know what they're doing. If you're in a small jurisdiction somewhere, municipality, your local police probably are just going to take the police report. That helps you with insurance. So at the end of the day, what I say is we are responsible for protecting ourself. The number one thing that we as individuals have to do is learn about it, is understand the different ways that we're being attacked. If you can see the attack coming, then you can defend against it.

B

Yeah, yeah.

A

And the only way to do that is counterintelligence. You have to be a spy hunter. You have to understand the different ways that they attack. And there are six different ways they attack. They use deception, they use infiltration and impersonation, confidence schemes, exploitation and destruction. That acronym, by the way, comes out to dice. That's another cool one. So you have the. The counterintelligence is diced and the cyber spy hunting is paid. And between the two of those, you are a fully functional spy hunter who can see the attack coming and defend against it.

B

Everyone that listens to this episode, you're now a spy hunter. You've been trained by a real spy. This has been really great, Eric. If people want to, if they want to learn more, they go out and buy your book. Is that probably the easiest way to go?

A

Right? Certainly a couple things. My book is available wherever books are sold and if you kind of like my voice, you can listen to my audiobook. I read the book myself. Oh, that's awesome. Because a lot of it is in the first person. There's a follow through story about a cyber attack against a big company I was working with. You're in the middle of a ransomware case. And, and how we solved the case. And then I use a lot of storytelling for each of those different ways that cybercriminals attack. And then for paid, you know, how you could protect against it. So I use the ways that they've attacked in the beginning of the book to say, like, if you use paid here, how you could have solved this problem, you could solve storytelling. But you can also reach out to me directly on my website, Eric O' Neill.net and every week on Tuesday morning, I publish a newsletter that keeps the book alive. So it keeps updating the book, you know, every week with cyber attacks, they never stop. Yeah.

B

Yeah, that's a lot of work.

A

And you can, you can join that@ericoneil.net newsletter and join this, the community of many thousands of people who we collaborate and our goal is to make the world safe from cyber attacks.

B

That is awesome, Eric. You're doing a great job out there and I appreciate, I appreciate, I love what you brought. Very practical things that my audience can use today. So thanks for coming on the show, Darren.

A

You're very welcome. It was a pleasure. And stay safe out there.

B

Thanks for listening to Embracing Digital Transformation. If you enjoyed today's conversation, give us five stars on your favorite podcasting app or on YouTube. It really helps others discover the show. If you want to go deeper, join our exclusive community@patreon.com embracingdigital where we share bonus content. And you can always connect with other change makers like yourself. You can always find more resources@embracingdigital.org until next time, keep Embracing the Digital Transformation.