Defending against cyber esponiage and the insider threat

Eric O’Neill was a former FBI counterterrorism and counterintelligence operative who helped capture the most notorious spy in United States history, Robert Phillip Hanssen. He founded The Georgetown Group, an investigative and security services firm where he specializes in counterintelligence operations, investigations into economic espionage, cyber security penetrations and security risk assessment.  He is currently the National Security Strategist for Carbon Black.

eGov Innovation speaks with Eric O’Neill on cyber esponiage, the insider threat and national cybersecurity strategies.

What new threats do governments face in the digital age?

Threats to our critical infrastructure, such as the power grid, water supplies, etc., will likely increase in the coming years.  I am concerned that weaknesses in protecting our SCADA networks and power and industrial grids may lead to coordinated attacks that compromise our industrial machine.  In December a malware app called ‘BlackEnergy’ caused a power outage on the Ukrainian power grid (Ukraine blamed Russia for the attack).  Hundreds of thousands of Ukrainians suffered a blackout as a result.  I doubt systems in most other countries are any better protected.


What advice do you have for governments with regards to drawing up a national cybersecurity strategy?

I believe the strategy needs to be organized and led by leaders in industry and cyber-security experts and fed by national governments with raw intelligence warning of potential threats.  The culture of cyber security needs to change to a collaborative effort to stop spies – primarily from well-funded nation states – from stealing our data, intellectual property and trade secrets. Corporations need to deploy better and more effective ways to disrupt the industrial spying complex.  One important step is to defend endpoints – the many devices that access critical data such as tablets, smartphones, laptops, thumb drives, routers, etc. – with intelligent technology that takes a zero-trust approach.  In other words, the system does not allow anything to run on an endpoint unless it is first placed on an approved list.  Second, a cultural shift in protecting personal information – especially the volunteering of private information into social media – must occur to strangle the leverage information spies currently have to trick people into executing targeted exploit attacks.


How can government organizations and enterprises protect themselves from rogue employees and insider threats?

The insider threat is the most damaging and difficult to identify attack on any system.  Insiders and rogue employees are typically those who have been trusted by their organization with access to sensitive data, so when these individuals are compromised by a foreign government or competitor, the situation often is not identified until after the breach occurs.  Protecting against Trusted Insiders requires a culture of security where access to critical data is limited, auditing takes place to identify when access occurs and by whom, and critical information is compartmentalized to prevent data leakage.  Counterespionage and counterintelligence tactics must be leveraged to seek out individuals who might be susceptible to recruitment through ideology, bribery or blackmail.  Background investigations of critical and key personnel to identify potential recruitment weaknesses should be conducted.  Finally, a system to identify breaches and respond to them rapidly must be put into place to minimize the damage from an internal penetration, and to track back the breach to the individual responsible.    


What is the state of cyber espionage and cyber warfare today? How do you see this evolving in future?

Cyber espionage is a disruptive spy tactic that continually evolves in order to leapfrog and discover loopholes in defences. Industrial and economic spying actively attacks while counterintelligence is far too often in a reactive mode. As spies evolve, cyber experts need to change the paradigm and evolve faster. The goal is to have spies reacting to disruptive approaches to cyber security that lock down critical information, mitigate the risk of human attacks (such as social engineering and phishing) and collaborate across a large community of experts to share threat information. 

Cyber warfare is a question of both protecting our critical defence and national security information and protecting our national infrastructure. Russia’s attack (if indeed Russia was the perpetrator) on Ukraine’s energy grid is an act of war.


What areas are most lacking in the global cybersecurity landscape that needs to be addressed?

The problem of attribution and retribution for attacks.  For example, the United States knows and can prove that China and Russia have launched significant attacks against United States agencies and private industry (attribution) but has so far been ineffective in stopping the threat or punishing the bad actors (retribution). Until the global community discovers a way to punish nation states, hacker organizations, mercenary groups and other criminals for their crimes, massive attacks such as the breach of the U.S. Office of Personnel Management, which was discovered last year, will continue.  


What new cybersecurity technologies and solutions can we expect in the near future?

Investing in protecting the endpoint to allow threat intelligence a zero trust approach and the ability to record and roll back the recording of the breach to determine its origins is already, and will continue to be, the most important tool in an effective cyber protection system. Mainstream encryption and trust in email systems will likely be the next wave of technologies in order to identify that the email is legitimate and not from an attacker. The majority of attacks concentrate on exploiting humans. The more we can do to mitigate mistakes made by clicking on the wrong email, the better we can prevent significant cyber attacks.