Is This Just Bad Or “Call The Feds” Bad?

In everyday life, it’s often clear when to call in the authorities. Someone egging your house might not rise to that level, but a break-in gets a call to the cops. It’s less clear when it comes to a cyberattack. What constitutes a significant attack, and what are the regulatory requirements? Once you make the call, how do they help in your response?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our special guest, David Ring, section chief at FBI, Cyber Division.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Hunters

Hunters SOC Platform is a SIEM alternative, delivering data ingestion, built-in and always up-to-date threat detection, and automating correlation and investigation processes to reduce risk, complexity, and cost for security teams. Learn more at hunters.security.

Full Transcript

[Voiceover] Who should be listening to CISO Series Podcast?

[David Ring] Anybody who works for a business and is concerned about the business’s reputation and their reliability within that organization should be listening to this podcast and other reputable forms of media where they can learn and think differently about cybersecurity, recognize that they’re the ones responsible for their own organization’s cybersecurity.

It doesn’t stop at each employee. We’re also talking about CEOs, boards of directors, not just CISOs, CIOs, CTOs, and CSOs.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I’m the producer of the CISO Series, and joining for this very episode, he’s my co-host, it’s Andy Ellis. He’s the operating partner at YL Ventures. Andy, say hello to the very nice audience.

[Andy Ellis] Hello to the very nice audience and also hello to the rest of you.

[David Spark] To the people who are not the nice audience?

[Andy Ellis] We might have some people who aren’t feeling very nice today.

[David Spark] Well, if they’re not our audience, they’re not listening. That’s the other thing.

[Andy Ellis] I’ll still say hello to them. I’m very inclusive.

[David Spark] That’s good of you. By the way, we’re available at cisoseries.com. I know you know that, but I’m just letting everybody else know that because we have lots of other programs besides the CISO Series Podcast there.

[Andy Ellis] But this one is the best.

[David Spark] It is. Well, until I go on the other show and I say that one’s the best too. Actually, we’re all-inclusive, we all love our children equally. Hey, our sponsor for today’s episode is Hunters – replace your SIEM, yes! Reduce risk, complexity, and cost for your SOC. Mitigate real threats faster and more reliably with Hunters.

More about that later in the show. I learned something before we went to record: you are going to go to a K-pop concert in an enormous stadium in the Boston area, and I said there must be lots of photos and videos of you there because I’m going to guess you’re going to be the only middle-aged man at the K-pop concert, unless there’s others with their daughters as well.

[Andy Ellis] I might be. Actually, it’s my son who’s the K-pop fan.

[David Spark] Son and daughters, I’m sorry, excuse me. Let me be more inclusive.

[Andy Ellis] Yeah. My whole family’s going. We’re doing the college summer trip and we’re going to be passing through New York right when Blackpink has their concert at MetLife Stadium, so we’re all going to go.

[David Spark] See, I didn’t know who Blackpink was, this is how clueless I am, and the only way you learn about pop culture when you’re a parent is through your own kids, right?

[Andy Ellis] Absolutely.

[David Spark] And I just think about how much I made fun of my own parents about them being clueless about pop culture and I realize I’m worse than them now.

[Andy Ellis] Yeah. So, I’ve been listening to Blackpink. Like I get in the car and that’s what’s playing so that I’ll at least recognize the music. Same thing I did for going to the Taylor Swift concert earlier this year that my daughter wanted to go to.

[David Spark] Taylor Swift has a wider audience than I would say K-pop, but K-pop is enormous.

[Andy Ellis] I mean, Taylor Swift has the widest audience on the planet, so there’s really no comparison.

[David Spark] Yes.

[Andy Ellis] But Blackpink is actually pretty huge in K-pop circles, and they’re more than just K-pop, but that’s the genre they get landed in.

[David Spark] All right. At this moment, that’s the end of our conversation on K-pop for a cybersecurity show. But I was very impressed and I’m very eager to see your photos and videos from the concert.

[Andy Ellis] I will send some around.

[David Spark] All right. Very excited to have our guest. Mr. Shawn Bowen, who’s the CISO of World Fuel Services, is responsible for making this happen. Our guest is the section chief at the FBI Cyber Division, David Ring. David, thank you so much for joining us for this episode.

[David Ring] Thanks for having me. It’s great to be here.

What works? What’s not working?

3:51.737

[David Spark] How are we better tackling the latest trends from nation-state threat actors? In January of 2023, Microsoft released the Digital Defense Report highlighting the top three trends, and those are (1) focus on IT services supply chain rather than the software supply chain. Fifty-three percent of nation-state attacks target the IT sector, NGOs, think tanks, and the education sector; (2) zero-day attacks.

Now, they’re not new but many organizations believe they are less likely to be a victim if they’ve got a good vulnerability management program; and (3) rise of cyber mercenaries. These are the nation-states increasingly turning to private sector offensive actors, including for development of new tools and techniques.

All right. Andy, this report came out in January. What do you think we’ve done in both the private and public sector to better address these three issues? Do you think anything’s improved?

[Andy Ellis] Well, I think it’s interesting that if you said this report had come out in 2013, I would have said yep, these are the same trends we’re seeing in 2013.

[David Spark] Mm-hmm.

[Andy Ellis] So we’re not really seeing a big difference here. I think when we talk about the supply chain, I think IT services and the software supply chain often get mingled together, and most attacks, frankly, are on the services end of the supply chain. There’s some of it in the software supply chain, but often it mingles.

Think about SolarWinds: it was an attack using the IT services supply chain to then compromise a software supply chain to then compromise an IT services supply chain. So you can’t really separate them. So I don’t know that we’re doing anything new or different that’s fantastic here. The one thing I would note is that when people think about zero-day attacks, your vulnerability management program does not help you against zero-day attacks.

[David Spark] I know. In a clear sense they don’t, but it was the sense of if we’re managing our vulnerabilities well, and I think this was trickling to managing how we deal with blast radius, that this would help us.

[Andy Ellis] Right. So, if you think about blast radius reduction, and you’re dealing with your attack paths.

[David Spark] Yes.

[Andy Ellis] So you’re saying, what happens when a machine gets compromised, how do I limit what can happen then? That’s sort of the counterpart to your vulnerability management program, and that’s where you’re going to see the benefit against zero-day attacks. That’s I think what the whole zero-trust thing was somewhat aiming for, but I don’t know that we’ve really delivered on the promise of it yet.

[David Spark] All right. David, I’m going to throw this to you, so you can speak more for the public sector hopefully now. First of all, is this the same story since 2013, as Andy has pointed out? And do you think we’re making some headway on any of these three?

[David Ring] I think that the adversaries are getting more creative.

[David Spark] Yeah. Well, again, you could say that story year over year, actually.

[David Ring] Yep. Which tells us that we’re doing our job, both in public sector places like the FBI where we’re out there trying to go after these guys, but then also in private sector, we’re getting better at defending ourselves and defending our nation’s critical infrastructure across the board. It creates more creative criminals and more creative nation-state actors, but they’re not creating these unique methodologies, right?

So I think it is a lot of similar type things that we’re seeing but we’re seeing them more sophisticated, we’re seeing them being better at hiding themselves because they have to be, right? And so that’s both good and bad news for all of us, I think.

[David Spark] So, really, is the answer to the improvement of, yes, we’re getting better at dealing with this but they’re just always evolving and it’s been this truly endless cat-and-mouse game, I mean, is that the story, David?

[David Ring] Well, I think until something changes from where these actors are emanating from, it’s going to be a cat-and-mouse game. When you look at a variety of different threats that the US government, the FBI, our allies and partners have been working against for the past hundred years (yesterday was the FBI’s 115th year in existence), for 115 years we’ve been working against a variety of different adversaries, and you can go back to Prohibition, you can go back to the Mafia.

Those types of adversaries we can arrest physically here in the United States. We can literally take them off the playing field.

When we talk about our cyber adversaries, those folks are sitting in adversarial countries that are unwilling to take any action or work with even other partners outside of the US government to prevent those activities from happening from within their borders, it makes it, like you said, that cat-and-mouse game that we’re stuck in.

So we have to get more creative as an organization within the FBI, within the US government, and within private industry to try to secure our networks and systems and our data. And we have to get more creative at going after some of these folks and figuring out ways that we can stop them by taking out some of those key services, disrupting their activities without being able to actually disrupt them.

Would this person be a good fit for the job?

8:55.930

[David Spark] How can we encourage our staff to level up their careers? In a post on LinkedIn, Monte Pedersen of The CDA Group offered this very welcome advice: (1) understand your boss’s expectations, working style, and preferences; (2) maintain open lines of communication; (3) take the initiative to identify and solve problems; (4) invest in your professional development; and (5) cultivate relationships beyond your immediate team.

So this is great advice that the community seems to agree with. So, I’m going to start with you, Andy, because you actually wrote a book about leadership and this seems very in line with a lot of the stuff you wrote. So assuming you agree these are all good, which one of these do you think people fail to do that’s most limiting to their career path?

[Andy Ellis] So, these are all good. I would add one before I say which one they’re failing to do, which is understand if your boss cares about you leveling up your job.

[David Spark] Oh, that’s interesting. Okay.

[Andy Ellis] Because many managers are not invested in improving the careers of their staff, and so you have to understand if you’re improving your career adversarially or not. But assuming your boss is invested, I would say that fourth one – invest in your professional development. And this isn’t going to conferences or taking classes, those might be pieces of it, but the core thing to invest in your professional development is to understand all of the roles you might take two jobs from now.

Not your next job because you’ll get wrapped up in this idea that you’re ready for a promotion. This is not about being promotion ready. It’s about saying like, “Oh, in two jobs I might work in marketing.” And I have no idea what marketing is like, so I should start learning what that is so I could see do I want to be writing security reports for marketing.

Or maybe I’m going to go into products and so I should learn about products.

[David Spark] Well, this bleeds into number five here, cultivating relationships beyond your immediate team.

[Andy Ellis] Right. And that’s how you’re going to invest in your professional development, but you need to learn what skills aren’t even on your radar that are going to be the ones that will prevent you from career broadening and career growth.

[David Spark] Excellent advice. All right. David Ring, I’m going to throw this to you. Exactly the same question – A, do you agree with this list, and B, which one do you find people don’t do enough of that limits their career growth?

[David Ring] I agree with the list. These are all characteristics of folks who are really thinking about how they can do their job better and how can they contribute. For our organization at the FBI, it’s contributing to a mission that I think is the best in the world, the best in the government, and so I think we get folks that are really, really focused on these things.

I completely agree. I want to answer the same way that you guys did there. I think the first one, if you’re doing everything else really, really well, I think most people who think like that, who have this kind of thought process, really sell themselves short, right? The number one important thing is to get the job done, get it done well, do what you’re supposed to be doing and beyond, and you sacrifice your own personal and professional development for that, right?

And then to do it cultivating relationships beyond your immediate team, just like you guys said, they bleed together. Professional development is critical to build your skillset and go beyond to the next level, places you didn’t think you were going to go, but personal development’s really, really critical I think for every individual.

You have to balance and have balance and drive toward creating balance between your personal and professional growth. It’s really, really important in my organization, and I know high-stress jobs across the board, and the CISOs are one of the most stressful jobs out there, people who have responsibility for managing risk and eliminating risk in their organization.

Really, really high stress. Burnout is a real thing.

[David Spark] Oh, yeah. We talk about this all the time on the show. Andy’s eager to read one of his chapters in his book, 1% Leadership.

[Andy Ellis] I couldn’t help but agree with David’s point on personal development. And in fact, Chapter 1 is Personal Improvement is a Prerequisite to Leading Professionally.

[David Spark] There you go. It’s as if your minds were melding, the two of you.

[Andy Ellis] It’s amazing.

[David Spark] I want to ask you, David Ring, one final question. I want you to think right now of a person, I don’t want the name of the person, but just a person in the FBI that you saw excel within the organization greatly. What was their characteristic that made them excel? And by the way, you can’t say yourself.

And I don’t need to know the name of the person, just what was that characteristic that made that person excel so much?

[David Ring] There are a few folks, right? I’m hesitating. It’s a tough answer for me because I’ve been really, really fortunate in this organization where I’ve had a lot of folks that I look at as mentors for those types of traits that they have. I think the ability to separate your own area of responsibility, the territory that you have and that you own, separate that out in a conversation, in a strategy development, and to stop thinking just about what you have responsibility for and have an enterprise mindset.

I think enterprise mindset is really, really important in this organization, certainly, and that’s where I think was a real breakthrough for me was when I went from being… I’m an intelligence analyst by trade, that’s what my job used to be when I wasn’t in leadership. I was really, really focused on what I was doing.

Nothing else mattered more than what I had. I had blinders on. You want folks like that to have blinders on. But when you elevate yourself and you want to elevate within your organization, I think you really, really need to think outside of yourself and your group and have a true enterprise mindset.

And I think that that bridges over for CISOs and folks in private industry as well. Turning that corner from being focused on only what’s kind of good within your area and recognizing how that brings the greater good to the enterprise and marketing that will help you and help the organization.

Sponsor – Hunters

14:55.445

[David Spark] Before we go on any further, I do need to tell you about Hunters. There’s nothing worse than relying on legacy SIEM that your security team has outgrown, especially when it impacts your ability to detect real incidents. So, Hunters SOC platform offers built-in always-up-to-date detection rules and automatic correlation that allows SOC analysts to focus on higher-valued tasks that impact your organization.

It’s time to move to a platform that reduces risk, complexity, and cost for your SOC. Visit hunters.security to learn how you can replace your SIEM today. Remember, that’s hunters.security to learn how you can replace your SIEM today!

It’s time to play “What’s Worse?”

15:45.889

[David Spark] All right. David Ring, you know this game, yes? Two horrible scenarios, neither one is good, but you have to tell me by a risk management exercise which is the worse scenario. I always ask my co-host, in this case Andy Ellis, to answer first. If you agree with him, he wins. If you disagree with him, I win.

All right? I am going to stress again, both of these stink, and they’re more global stinks; I picked a more global problem. All right.

This comes from Matthias Muhlert of Haribo, and here are the two scenarios. Cyberattack on the global financial system: highly skilled actors manage to compromise the core infrastructure of the global financial system, such as payment networks, stock exchanges, and clearinghouses. They disrupt financial transactions, manipulate markets, and undermine trust in the entire financial system.

The worst-case scenario would involve a global financial meltdown triggering economic collapse, widespread unemployment, and social unrest. All right. Pretty awful.

[Andy Ellis] Okay, that’s pretty bad. That’s even worse than sugar-free gummy bears.

[David Spark] There you go. I would say just above it.

[Andy Ellis] Just above it.

[David Spark] Now, here’s the other one. So, that was a cyberattack on the global financial system. This one, the second scenario, is hijacking of critical satellite systems. So, malicious actors gain unauthorized access to critical satellite systems, including those responsible for GPS navigation, telecommunication, or military surveillance.

They manipulate or disable satellite functions, leading to disruptions in communication networks, navigation systems, or intelligence gathering capabilities. The worst-case scenario would involve a significant loss of situational awareness, hampering emergency response, military operations, and global communications.

All right. Both globally big problems. Which one is worse here, Andy?

[Andy Ellis] Oh, first one absolutely worse. I mean, these are both really bad. The financial implications are much worse because of second-order effects. When you think about famine that will trigger in a meltdown of that nature, think about how many economies rely on credit. And in the absence of credit, logistics stop moving, and we’re barely a just-in-time logistics situation anymore.

So I don’t think it’s enough to say, “Oh, the financial markets collapsed. Ha ha, I guess capitalism’s dead.” No. A lot of people die in that situation. A lot of poor people become much, much poorer when you look at how many people we’ve brought out of poverty.

[David Spark] So we turn into the Road Warrior at that point.

[Andy Ellis] I don’t know that we go quite that far but it’s quite possible. I think that’s actually a much more apocalyptic scenario for the average citizen than the loss of the satellite networks. It makes for a really bad day for a lot of folks in the Defense Department, in the intelligence services, but a lot of them have a game plan for what to do in those really bad days.

And so I’m going to leave it to them, still they’re going to have a really awful day, it’s going to be really bad. A lot of us who work in communications are also going to have bad days, but I would take that over the complete meltdown of the financial infrastructure.

[David Spark] All right. David Ring, we are agreeing that both of these are horrible. We’re not welcoming either of them. Which one of these is worse?

[David Ring] You guys ready for the classic US government cop-out answer?

[Laughter]

[Andy Ellis] That is above my pay grade to comment on.

[David Spark] I was fearing this would happen. Go for it. I’m not going to get an answer, a straight answer out of you?

[David Ring] Well, Andy hit it right on the head in that it depends who’s being impacted by this, right? And so as somebody who works in the intelligence community, again, who’s a career intelligence analyst, the absolute devastation of losing those types of collection and then maybe potentially never being able to get them back, aside from all of the other impacts to emergency services and everything else, is a terrifying scenario.

But of course, we’re back to what Andy laid out in terms of the true long-term impact of an absolute global financial meltdown is something that maybe could never be recovered from. So at the end of the day, I like this game because it tells us what we’re all here to do, and we’re all here for the sole purpose of preventing things like that from happening.

[David Spark] So I’m going to say your answer agrees with Andy here. That is the worst scenario. They’re both horrible. We’re not disagreeing that they’re both horrible, but the worst is the financial system.

[David Ring] I think the long-term impacts of the financial system is harder to recover from.

[David Spark] Okay.

[Andy Ellis] You’re not going to get him to say which one’s worse but…

[David Spark] I’m not going to get him to say worse, but that’s fine. Fine, I’m going to go with that answer. I’m taking that. Thank you, David Ring. I appreciate that. [Laughter]

[David Ring] Doing my best.

[Andy Ellis] And David, I realize that it’s not that you win if we ever disagree. It’s that the person who proposed them wins.

[David Spark] They win. You’re right. And I’m rooting for disagreement as much…

[Andy Ellis] And we should root for them but…

[David Spark] But I think David Ring puts out a good point is they’re both equally horrible but one has a longer-term effect…

[Andy Ellis] Yep.

[David Spark] …than the other. And that’s a good point to bring up. And we have accepted that in some cases, because we don’t like the “it depends” game.

[Andy Ellis] Yeah.

[David Spark] But we said if this is the situation, this is definitely worse. If this is the situation, this is definitely worse.

[Andy Ellis] Yep.

They’re young, eager, and want in on cybersecurity.

21:19.235

[David Spark] Seriously, what should be the requirements for someone entering a government job in cybersecurity? In an article on Government Executive by Betty Thompson, she points out that the unnecessary four-year degree requirement, which we’ve quoted on the show previously, eliminates half of all potential candidates.

Now, newer research from Handshake found a focus on skills instead of degrees triples the number of qualified tech candidates. The government has made efforts to deal with this for federal employees with a 2020 executive order encouraging “skills- and competency-based” hiring.

And contractors are a different story, and there seems to be two basic approaches when working with contractors. One is either create outcome-oriented metrics for contracts and let them deal with the staffing themselves or simply update contractor requirements by consulting with industry using these services.

The Government Accountability Office identified these two practices as effective in the private sector, but also acknowledged challenges in adopting them. So, David, how do you approach skills- and competency-based hiring, and are there certain positions for which a four-year degree truly is necessary?

[David Ring] So, the easy question is are there certain positions where a four-year degree is truly necessary. I think the answer to that is clearly yes when it comes to the FBI, right? In order to be an FBI special agent, in order to be an FBI intelligence analyst, there are things that you gather through that college experience and that advanced degree, much of which are hard to get into the organization without for those very specific roles when it comes to broad threat-based work that we do, investigative work that we do, intelligence work that we do.

And then we specialize those folks into technical areas like our cyber action teams, within our Cyber Division and across the field offices on our cyber investigative squads. Those are the folks that we really want to focus in on those technical skills.

And I think that that kind of gives me the answer more broadly, is if we can take people in the organization who have an aptitude to learning and an ability to gather skills and hone them, we can focus them in on what we’re looking to do here in the cyber environment. That tells me that there are plenty of folks out there in this country that can join our organization with those skillsets already which saves us in certain training aspects and elements.

So, what I would encourage everybody to do listening is to go to fbijobs.gov and look at the different jobs that we have. We have so many different jobs in this organization. People think of the FBI as special agents, that’s the job that we do, we investigate crimes, but we also have an amazing cadre of technical talent that we’re looking to grow just like everybody else.

That gap and the amount of jobs that are out there and the amount of qualified candidates for them is incredible, and it seems to be growing rather than closing from things that I’ve read. That’s not a stat from the FBI. That’s just a general observation, what we’re seeing these days. So, what does that mean for how we hire?

We have to be creative. And so the things that you laid out leading into this segment shows that the entire government is recognizing at the highest levels between executive orders and other policy directives that we need to get much, much less rigid in who we hire and how we hire.

[David Spark] And hold it. Have you seen that happening?

[David Ring] Yes. I definitely have.

[David Spark] Can you give me any one example of a change in hiring?

[David Ring] Yeah. So, pay scale’s one of those examples where there’s an ability in different organizations across government to pay a percentage more for specific cyber talent and so if you meet certain technical talent criteria, you can get paid a percentage more at your GS level. Say you’re a GS-12, you can get paid a percentage more depending on what you’re working on.

That’s a relatively new and forward-leaning thing for government to do. It’s already really difficult to compete with private sector when it comes to pay, right?

[David Spark] Right.

[David Ring] I think we’re competitive but not as competitive as there’s a potential to be. But at the end of the day, we have to attract via our mission and we have to lower that barrier of entry for things that aren’t necessary, right?

[David Spark] Right.

[David Ring] When you look at a job, you go, “Do I need 10 years of this to be able to do this job?” Right? We have to be more willing to make some of those traditionalist thoughts and values kind of change a little bit to pivot to face realities we have today.

[David Spark] All right, Andy, I’m going to throw this to you. By the way, Andy, you’ve worked with the government, you’ve worked with the FBI.

[Andy Ellis] Yeah.

[David Spark] And you also have a military background yourself having been in the Air Force as well.

[Andy Ellis] I do.

[David Spark] Where have you seen improvement in essentially not demanding the four-year degree?

[Andy Ellis] I’ll be honest, I’m not seeing a lot of improvement. I think we see some companies and some enterprises have started at the edges, nibbling around. But there’s so many incentives here driving towards the four-year degrees. In the private sector, think about the implication of H-1B visas, which then constrain an entire job family to require four-year degrees.

So I’m going to throw in a hot take that’s a little unusual for me on this one which is I actually think we should rethink the value of four-year degrees in general.

[David Spark] By the way, I have strong feelings about that too, four-year degrees in general.

[Andy Ellis] I think we have this mental model of this elite four-year degree that is a renaissance education that prepares you for high-level science and writing and humanities and all of these things you can do, but let’s be honest. That is not what most four-year degrees are. And so I actually question whether when companies say, “We need a four-year degree,” really what you’re getting is this person was selected for a four-year degree.

What’s the best way to handle this?

27:17.241

[David Spark] Someone eggs your house you handle it yourself, but when there’s a break-in you call the authorities. What constitutes a significant attack that requires you to alert the authorities and how do they help in that response? What are the regulatory requirements of getting them involved too, for that matter?

So, are CISOs even aware of how to get the FBI and other law enforcement agencies involved into their incident response process? Obviously, I’m going to turn to you, David, on this one.

[David Ring] If they’re listening and they currently don’t, hopefully they soon will.

[David Spark] Yes. Let’s educate them.

[David Ring] So, the best way is to develop a relationship with your local field office. The FBI’s got 56 field offices.

[David Spark] Before you need them.

[David Ring] And it’s exactly right. Pre-develop a relationship with your local field office. So, the FBI’s got 56 field offices across the country and hundreds of satellite offices off of those field offices. It’s extremely easy to find that FBI agent down the street, right?

[David Spark] I’m going to back you up just for a second here. Okay, I’m a CISO, I want to approach the FBI, I don’t have a current problem right now. What is the engagement? Like walk me through. I don’t even know the beginning of that engagement.

[David Ring] Look. Go online, fbi.gov, find the local field office and say, “I am with this organization and I’m looking for your private sector coordinator or your InfraGard coordinator.” Those would be the two that I would direct you to. A lot of times they’re the same person, depending on the field office.

[David Spark] Okay.

[David Ring] Those are the folks whose full-time job in that field office is to work with private sector.

[David Spark] Okay.

[David Ring] Develop those relationships.

[David Spark] And so what are they asking? Like, “Let’s just have a meeting, let’s talk,” and then they sort of explain how to engage with them? Yes? No?

[David Ring] Yep. That’s exactly right. Just an introduction conversation, “Hey, we’re going to be having a tabletop exercise here in a few weeks. I heard somewhere that the FBI likes to participate in those.”

[David Spark] Oh, that’s cool.

[David Ring] Yep. Absolutely. So we’ll send somebody, depending on obviously logistics and circumstances, to participate in that tabletop exercise so that you now have the FBI in your incident response plan and you know how the FBI will interact with you in your incident response plan, and you have the individual who lives in your community or near your community who you can call and say, “Something just happened and we’re in a bad place here.”

[David Spark] That seems like a no-brainer to get the FBI into your tabletop, I didn’t know you even offered that service. That’s awesome. That’s great.

[David Ring] It’s something that I think is just a really great way to lower the barrier to entry and build these relationships and build that trust. And one thing I always like to say is, because everybody knows, and CISOs especially know, that there are a variety of different pressures, especially if you’re dealing with a significant incident, I think if you realize that there’s some real bad-day nation-state activity happening on your systems, reaching out to the FBI, to CISA, to other US government agencies makes sense fairly quickly, because these are generally things that are hard to handle.

If you’re dealing with a ransomware attack, though, those decisions are made differently. I think we’ve seen progress in terms of folks being more willing to reach out to the FBI in the near radius of when that attack happened. And maybe the question has, I think, shifted a little bit from, “Should we call the FBI or the government?” to “When should we call?” which to me is serious progress.

[David Spark] Hold it. By the way, my feeling is you’ve dealt with a lot of ransomware issues as well. Where do you think the private sector’s response is improving with respect to that, in how they’re handling it?

[David Ring] Well, I can tell you that, given our relationship between the FBI and also other organizations, and CISA’s a critical partner in this space, I think the private sector is recognizing that more often than not, they’re introducing more risk long term and near term by not engaging the FBI and other federal partners as appropriate when something happens, and they’re reducing their risk by bringing us in.

[David Spark] Well, I would think at bare minimum, since you’ve had so much experience with ransomware, that you can sort of walk them through the issues that are going to be happening. Someone getting hit with ransomware the first time, I’m sure panic mode goes into effect at that point, yes?

[David Ring] I think it’s the worst day for your organization if you’re unable to do what your business does and you’re in a real bad place. What we like to say here at FBI Cyber is that we, within our authorities, are what you want us to be in that circumstance. If you would like us to come into your SOC and work with your incident response company, with your outside counsel that’s in there, we’ll sit there and we’ll pass information real time over and take information back.

If you want us to just deal with that outside counsel and only work with them, that’s great. If you want us to just engage through the incident response firm, we’ll do it that way. Right? So, we’re very, very flexible in our response and we have to work on people kind of understanding that an FBI response to a cyber incident is going to be different than what most people think of an FBI response to a bank robbery or a terrorist attack would be.

There are not dozens of black Suburbans and raid jackets and crime scene tape coming out. We’re not rolling servers out your door.

[David Spark] Can you request that though?

[Laughter]

[David Ring] If people want it, sure, but we recognize that you’re the victim in this scenario, right? Your organization is having the bad day. You’re not the perpetrator of that attack. Our focus is to get at who is responsible for this, and the more information that we can get about what happened with your incident gets us a little bit closer every time.

[David Spark] All right. I’m going to throw this to you, Andy. Because, Andy, I know you have worked with the FBI. Tell me about your experience.

[Andy Ellis] So, I’ve worked with the FBI on a lot of things but I think the experience you want to hear about was an espionage case, actually, with an internal employee.

[David Spark] Yes. You’ve mentioned this on the show previously, which the part that I found fascinating is the FBI made you keep them on and you knew they were an issue.

[Andy Ellis] Yeah. It wasn’t just the FBI; I want to be fair. The FBI is the one who does a lot of the investigation but then you’re waiting for the US attorney to decide what they’re going to do. The US attorney got a little distracted while this was going on by some other things happening in the Commonwealth.

But no, we had an espionage case, an employee who was trying to sell our secrets to a foreign government. You can go look up the case, it’s Elliot Doxer. It was several years from when the FBI notified us of what was going on to figuring out what was actually happening.

[David Spark] Hold it. You had this employee on for several years?

[Andy Ellis] Yes.

[David Spark] Wow.

[Andy Ellis] Yes. Because they weren’t successfully selling secrets. They were delivering secrets to an FBI agent. It was like something out of an ’80s spy movie, they had dead drops all over the city of Boston.

[David Spark] So their contact was not who they thought it was.

[Andy Ellis] No. Their contact was not who they thought it was.

[David Spark] So you felt comfortable.

[Andy Ellis] Yeah. They had reached out to an embassy and the embassy was like, “We think this is a honey trap the FBI’s running.” So they called the FBI, who were like, “We have no idea but we will now go have fun with this.” So the agent who did it was wonderful, they were great to deal with. I did actually get the dozens of FBI agents in raid jackets the day that they finally arrested him.

[David Spark] Oh. So at least there was some level of satisfaction there.

[Andy Ellis] It was an interesting day because we pulled him in as if he was going into HR, like being laid off, except for when he walked into the room it’s not actually HR who’s in the room, it’s two agents who interrogated him.

[David Spark] So from a bad day to a worse day.

[Andy Ellis] From a very bad day to a very bad day. But I will say the FBI’s fantastic to work with and I do recommend you make those relationships upfront, in advance. There are a lot of capabilities that the community relations team will make available to CISOs.

[David Spark] So that is something I learned today: how awesome it can be to engage early on, and actually that the FBI is very flexible in working with you at the end.

Closing

35:43.720

[David Spark] Thank you very much, Andy and David Ring. David, hold tight, I’m going to let you have the last word on this as well. I want to thank our sponsor today, that’s Hunters. Go to their site – hunters.security. Replace your SIEM, reduce risk, complexity, and cost for your SOC, and mitigate real threats faster and more reliably.

Just go to hunters.security. All right. David Ring, now I know you’d mentioned checking out the job site at FBI. Any other last words on engaging with the FBI? Anything you’d like to say to our audience?

[David Ring] Well, I would like to again just reiterate that if you don’t have a relationship with the FBI as a CISO, as somebody who’s responsible for your organization’s network systems security as a whole, you need to have one. It will only improve your abilities and your resources, and that’s what we’re looking to do.

So start that relationship off now. Reach out to your local field office.

[David Spark] And what’s the name of the person, the contact you’re looking for?

[David Ring] Private sector coordinator, and if you say those words when you call, they’ll know what you mean and they’ll get you in touch with them. They love their jobs. They want to be out there working with the community, they want to develop those relationships, and they want to pass it on. The last thing that I’d say for the CISOs out there: if you’ve received or do receive an invitation to attend the FBI’s CISO Academy, as one of the folks who’s involved in putting that on, it’s one of the best programs that we have to take a relationship from an introductory, early-beginning relationship to a true in-depth working relationship.

It’s also a lot of fun, so if you get that invitation, don’t decline it.

[David Spark] That sounds awesome. Is there a way you can request that invitation?

[David Ring] The best way to request that invitation is to build a relationship with your local field office.

[David Spark] Start there. That’s where you start.

[David Ring] And as you guys grow, it’ll either be offered or just ask for it.

[David Spark] Okay, excellent. Well, thank you very much, David Ring. Thank you very much, Andy Ellis. And thank you to our audience. We greatly appreciate your contributions. Send us more “What’s Worse?” scenarios, we want those, please. All right, we appreciate the contributions and listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input.

Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.

David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.