In this podcast, Shane Hastie, Lead Editor for Culture & Methods, spoke to former FBI operative Eric O’Neill about the growing threat of cyberattacks, cyber espionage and cybercrime, and how organizations and individuals can "think like a spy hunter" to better protect themselves.
Key Takeaways
- Cyber espionage has evolved, and cybercrime is the fastest-growing business on Earth, with the "dark web" being the third-largest economy in the world.
- Successful cyberattacks often start with deception, gaining someone's trust and making them believe a lie is true.
- Protecting data and building trust are the key challenges in cybersecurity.
- Understanding your data, who has access to it, and where it resides is crucial to identify suspicious activity.
- AI can be used to create fake personas, spoof identities, and automate cyberattacks, making it harder to detect threats.
Transcript
Shane Hastie: Good day folks. This is Shane Hastie for the InfoQ Engineering Culture Podcast. Today I'm sitting down with Eric O'Neill. Eric, thanks for taking the time to talk to us.
Eric O'Neill: Hey Shane, it's great to be here on InfoQ, and I'm looking forward to our discussion.
Shane Hastie: Indeed. Now you are known for talking about Spies, Lies & Cybercrime, but before we get into that, who's Eric?
Introductions [00:54]
Eric O'Neill: Sure. Well, I am a public speaker, a bestselling author, an attorney. I dabble quite a bit in cybersecurity. I run a company that does cybersecurity advisory services, one that does investigative services. And for quite some time I've used my background as an undercover investigator in the FBI to transfer all that knowledge of counterintelligence into how to make the world safe from cyberattacks.
Shane Hastie: So our audience are the technologists. They're the ones who are building the products that are under attack from cyberattacks. What do they need to know?
What technologists need to know about cybersecurity today [01:32]
Eric O'Neill: Well, the most important and present thing they need to know is that the cyberattacks are coming hard and fast, and it doesn't look like we're going to be able to stop them. Not only has cyber espionage grown, as spies have had to change where they access information. It doesn't make sense to go recruit a person to go into a government agency or a business and steal paper anymore, because we don't really use it much. So cyber spies have adapted and evolved into launching cyberattacks, and they're the best in the business and right behind them, modeling them, learning from them, and equaling them in many instances, are cybercriminals.
And cybercrime is the fastest growing business on earth right now. It exceeds $12 trillion of cybercrime moving through the dark web. So if you took the dark web, and you pretended it was a country, it kind of is a virtual country, but it exists all over the world, and you said that cost of cybercrime, that cryptocurrency moving through the dark web and lining the pockets of bad guys was a gross domestic product, the GDP of the dark web would make it the third-largest economy on earth right now. So if you look at that, it goes: the U.S., China and then the dark web and growing. By 2026, I predicted it'll be around $20 trillion and more, 2027/28, because stopping cybercrime is very difficult. As the good guys, as the technologists, we have a very large attack surface that is getting bigger every day.
Shane Hastie: Tell me some stories. What are some examples of spies, lies and cybercrime that we can learn from?
Espionage tradecraft [03:13]
Eric O'Neill: Certainly. When I'm looking at the primary mode of attack by the bad guys, by the cybercriminals, the cyber spies, the cyberterrorists, everyone who wants to steal, defraud, deceive, impersonate, use confidence schemes, destroy, attack critical infrastructure and all the bad things that all these people do, it all boils down to old espionage tradecraft.
To back up a little bit in my history, I was an undercover operative for the FBI. I used to chase spies and terrorists around the Washington, D.C. area until I went undercover for the last case that I did, which was to catch Robert Hanssen, who was the most damaging spy in the FBI's history. And I learned a lot about deceiving and being deceptive by going undercover against him directly in FBI headquarters, which is another thrilling story. And what I've seen in many of the attacks that are the most successful today, and I'm talking about the ones that cost organizations, people, whole cities, government agencies, millions and millions of dollars, is that they all begin with a deception, gaining someone's trust and making them believe that a lie is true.
Examples of cybercrime using AI [04:22]
So here's a great example of a recent story that happened that is an intersection of the new way that we're communicating, the new way we're working, and of course the burgeoning world-changing extraordinary focus on AI. There was a finance manager sitting in Hong Kong, and he receives an email, and stop me if you heard this one before, from the CFO of his company, right? Now that has everybody's hackles raised, the alarm bells ringing, because so many of these stories start with an email from the CFO saying, "Immediately send this wire, or we're going to lose this deal and here's the number of the account to send it to and keep it confidential. And if you don't do it in the next 10 minutes, there's going to be a catastrophic problem for the company", creating that pressure situation. And because the email's been spoofed or the attackers have compromised the CFO's address, it looks like it comes from that person.
Now, we've trained a lot of that away. It is still a massive crime. I mean, this is business email compromise. Just these simple emails telling someone to do something, and they do it still costs businesses $49 billion a year and growing, but that's not what it says. The email simply says, "Join me in a virtual conferencing room", a Zoom room. And so this guy in Hong Kong, who's part of this multinational corporation that's headquartered out of the UK, has companies all over the world, one of the biggest architecture firms in the world. I mean, they designed the Sydney Opera House, to tell you how prominent they are, is tickled because now he's going to join a conference directly with his boss's boss's boss from the UK. And so he straightens his tie, and he jumps into the Zoom call, and he sees the CFO himself, two people he recognizes from finance and two people he doesn't.
And during the course of the call, he learns that there is a new deal. They're going to work with these two gentlemen, who are going to be partners, and they're going to have to start payments soon. And the call, after everyone introduces themselves, is abruptly terminated and then the emails continue, and over the next week he sends 15 different wires for $25 million to five different bank accounts in Hong Kong, all controlled bank drop accounts by the criminals, the criminal gang who had created this elaborate scheme by learning about this individual, doing a reconnaissance, that's old espionage tradecraft, learning everything they could about him, where he was, where he worked, and whether he was able to make these transfers, and then targeting him by capturing social media presentations, stagecraft for these individuals and creating AI avatars that were so realistic in their little Zoom boxes they fooled this employee sitting in Hong Kong.
The two people that were the partners, and that was in scare quotes for those who can't see me, were just completely dreamed up avatars by the bad guys. And this is what we're up against. It's not just an email that fools us because that works so well, but you take it to the next level when you can't even trust that the voice you're hearing on the other end of your phone, or the text you're receiving, or the video that you're seeing is true and that is what we're up against.
Shane Hastie: Wow, that is a scary scenario because, personally, I have had an experience of being spoofed and being caught, but it was nowhere near as complex as that. I was just super thankful for my bank's proactive approach, and they did actually step in and prevent the transactions from going through. But yes, it was a very scary time.
Impersonation attacks [07:52]
Eric O'Neill: Yes, it's great when banks are on top of things, but far too often those transactions do go through and banks are in the position of simply writing it off. They'll give you your fraud protection to a certain amount, they'll restore your funds or write it off as a loss, know that they're never going to catch the cyber criminal. But I think that banks, just to tie this up a little, could do more. It's just a major investment, and it's training all their customers to be better with cybersecurity. It's enforcing better controls on their systems to make it harder for what's now called call center attacks.
So the way your bank was probably spoofed is somebody learned about you and called in to the help desk, how to reset your account to get your two-factor authentication reset, pretending they're you. It happens all the time to anyone who has a little bit of a public profile that can be scooped up by some criminal reconnaissance. And so the way for them around that is to have better systems of controls, but it's expensive, and sometimes it's easier just to write it off.
Shane Hastie: What do those systems of controls look like?
Systems of controls [08:52]
Eric O'Neill: Well, encryption is a big one. Using better two-factor authentication than a text to your phone. Remember, we own our phones, but we don't own our phone number. That's actually controlled by a third party, your carrier. You can take it with you, but they have to release it, but they control that data. Some people in the Trump orbit learned recently when Chinese spies were able to compromise the wiretap access that the FBI uses to get into phone records and steal some of that information as an election attack. So it's much better if you have the option to not use the text that comes to your phone. I know that's a little bit more convenient, but to have an authenticator app that you actually control and sits on your phone, that only you can access, and that uses different models of encryption to ensure that that one-time code is only going to be there for a little while, and it's going to change, and it's much more secure.
Shane Hastie: If I'm inside the technology department of an organization, how do I act like a spy hunter?
Acting like a spy hunter [09:55]
Eric O'Neill: That's a great question. It all goes back to data. I've said for some time data is the currency of our lives. Data is one of the most important things that we can protect, and that is the essence of cybersecurity is protecting that data. Now, very recently, because of AI, I've started to say that trust is the most uncommon commodity. So, data and trust are the two holy grails for cybersecurity. And the biggest thing, the most important thing that anyone tasked with cybersecurity for an organization can do, is to intrinsically understand their data. You need to know what data you have, who has access to it, where it resides, and have systems of controls to protect it. So the way to catch a spy is to know your data so well, so contextually, that you can identify when an access point doesn't look right.
So for example, I work at a company and I usually start my day around seven in the morning. I log on whether I'm remote or whether I'm in an office or whether I'm hybrid, who knows. I'm in the office two days a week or three, or whatever companies are doing. I'm an entrepreneur, I work fully from home now for myself, but I used to work for different companies and they know that I get in around seven, leave around six. I'm working on these projects, this is my mandate, these data sets that are controlled. And then, oddly, the cybersecurity, machine learning or AI flags something and says, "Eric O'Neill just logged on at two in the morning", which he doesn't normally do, "from China".
That's an obvious case, but you would hope your cybersecurity would flag that and say, "There's a problem, let's cut his access and elevate the flag for a human to take a quick look at". Whether that's an internal person or an external cybersecurity advisor, and see whether he's a trusted insider, he's gone rogue, Eric's decided to spy, or there was a successful spear phishing attempt, his username and password had been compromised, and now his account is being puppeted within our organization so that an external attacker, what I call a virtual trusted insider, is now stealing data.
If you understand your data that well, if you understand what people are supposed to look at and when they're looking at something they're not, we say, you know the known good and the unknown bad, right? You're able to figure that out, then your cybersecurity becomes an early warning system that can identify when you might have a breach. There will be breaches. The trick is to catch them fast enough that you can prevent them from being catastrophic.
Shane Hastie: You've got a new book coming. Tell us a little bit about it.
Think like a spy [12:36]
Eric O'Neill: Certainly. I mean, all authors love to talk about their books. To talk about my second book, let me talk about my first really quick. It's titled Gray Day, and it's the undercover investigation to catch Robert Hanssen through my eyes. But it's also a narrative about the evolution of espionage from its cloak and dagger, dead drop, signal sites, dark meetings in train stations and parks, origins to how espionage has evolved into constant cyberattacks with intelligence officers never leaving Moscow or Beijing or Tehran or anywhere in the world they are and launching their attacks directly.
My next book called The Invisible Threat, which comes out in early 2025, is all about cybercrime. It's a natural evolution from Gray Day into a deep dive into cybercrime, also written as storytelling. And it begins with a series of stories broken up into seven different buckets of traditional espionage that detail how cybercriminals are using traditional espionage to attack us.
I call it think like a spy, and it puts you in the mind of a spy hunter and all of my readers, and it's the most affirming thing about writing a book is when your readers come to you, and you've written a book about how to identify cyberattacks and every one of my beta readers has said, "Somebody tried to scam me and I caught it because I remember chapter four on confidence schemes or chapter five on infiltration".
The second part of the book is where we take action. So I'll teach you how to think like a spy, and in the second part I'm going to teach you how to act like a spy hunter. So now you've identified that an attacker is trying to compromise you. What do you do? How do you stop them? How do you report it? How do you protect yourself from it happening again in the future? All the things that you can do are in that second, more prescriptive part, but still thrilling stories. And then I use one story of an internal look at a major ransomware attack with a company that I was advising as the narrative thread that brings you through the whole book, beginning to end, because you need to have a beginning, middle, and ending story to every book that people are going to pick up and continue to read and not set down.
Shane Hastie: You touched on AI and technology, and you told us the story of the deep fakes at the beginning. Where's that taking us?
Examples of the impact of AI on cybersecurity [14:51]
Eric O'Neill: AI is changing us in a way that I'm not sure we're prepared for or that we've given the detailed amount of thought that we need. And let me explain what I mean by that. AI jumped into the scene right after that thing you're not supposed to talk about; the pandemic happened and changed societies and made us a remote workforce. I've heard in many organizations that I work with and I advise, "We're hybrid first", or "We're remote first", meaning that if an employee desires to be remote or hybrid, they're allowed, they're not forced to come into office. Now some organizations are changing that, but for the most part, the majority of the workforce around the world is still very global, very remote, and you can hire from anywhere.
So here's an example of how AI has intersected that. There have been a number of cases of North Korean espionage where, through the direct hiring practice, an individual, and I just highlighted this in my last, I have a weekly newsletter that comes out called Spies, Lies & Cybercrime, and I just highlighted a story about this.
This company hired an individual who looked great on paper. He worked in Austin, Texas. He was a computer engineer. He had this impeccable resume, great references. They called the number on the references, and they talked to people, and it was all buttoned up. It looked great. LinkedIn profile, everything that recruiters look for. And, of course, because the company was on the East Coast of the United States, and he's in Austin, Texas, he was hired as a remote employee and he was a bad employee. After a number of months, they fired him because he got no work done at all. But what they didn't know is he was doing his actual job. He was a North Korean spy and the whole thing was a setup, and he would log in with his granted access as a computer engineer, to their systems and databases and just download terabytes of information.
That was his job, all day. He didn't do any work, but he stole. And, as soon as he was fired, not only had he stolen the information, he extorted them for $250,000 to give it back or not to use it against them. And that's what we're looking at. Now AI allows that to happen. AI can create an avatar that can make you look however you want. You can change your voice to whatever you want. It can write scripts for you so you don't sound odd or quirky or have bad grammar or the wrong spelling because English isn't your first language. Sophisticated VPNs can make it look like you're working from wherever you want in the world. In fact, my family loves it. My wife is German, my kids speak German. And so we use VPNs so they can watch all the German television here in the U.S. They can be wonderful things, but they can also be used against us in the same way.
So it looked to the company like this guy was sitting in Austin, Texas. He would join meetings, but in reality he was a spy in one of the most ruthless countries on earth for espionage and much worse. AI is changing the way we work, the way we think. It is changing the way our children learn. I was on a plane the other day, just a quick story. I fly in economy a lot, and you have to walk all the way to the back to the bathrooms, and you're waiting in line. And as I'm waiting on board and I look around, and I see this young woman, obvious college student because I could see the name of the college on her hoodie, is on her laptop. So, I mean, I can't help myself on board. I take a look. Maybe she's watching a movie, I can shoulder surf a little, and I see that she's taking an exam and I can see the exam software that's running, and she's taking an online exam. She's on a plane, you can get internet access, and she's going through the multiple choice exam.
And what she's doing is she would grab the user mouse, grab the entire question and all of the multiple choice answers and then switch tabs to ChatGPT, throw it all in there and say, "What's the correct answer and why?" The AI would answer, and then she'd just pop back onto the test and answer correctly. It took so long for the person in front of me, I don't know what they were doing in there, to come out of the bathroom that I watched her take the entire test. And because it's online, it scores immediately, and she got a 100% but did no work, didn't learn anything. I mean, what's going to happen when she graduates and gets her first job and is asked to do it for real? Maybe she'll just ask the AI to do it for her. And that's what worries me. In my new book, I have a chapter that's called No Blank Pages and I worry, as an author and an avid writer and reader, what happens when there's no blank pages?
And what I mean by that is what happens when our children begin all of their work by asking an AI to do it for them? And then what they're doing is editing. And there's something incredibly magical about if you're me sitting in front of your legal pad with a number two pencil and scratching out the first three words of your next article or book or novel or whatever you're writing or, a little bit more modern, in front of your word processor and looking at that just flashing cursor and thinking, "I have to type the first word, what is it?" There's something real magical and hard and difficult about that, but that's what teaches you to be an effective writer and creator. And what happens when nobody does that anymore? You go into ChatGPT or your favorite AI, there are hundreds and hundreds of them, and just say, "Hey, I want to write a story about this". You're not a writer, you're an editor. And I fear for a day when we no longer have creatives.
Shane Hastie: Lots to ponder. Lots to ponder.
Eric O'Neill: Yes. Deep Thoughts by Eric O'Neill.
Shane Hastie: Eric, you've given us a lot to think about here. If people want to continue the conversation, where do they find you?
Eric O'Neill: Well, the best place to find me is on my website. I'm a very avid speaker and writer. I am very good at corresponding through LinkedIn as well.
Shane Hastie: Eric, thanks very much. It's been a pleasure to talk to you today.
Eric O'Neill: Shane, it's been great to be on the show, and I appreciate our conversation.
Mentioned:
- Eric O'Neill on LinkedIn
- Eric O'Neill’s website