We are fighting a new war with an indiscernible enemy. This is America’s Secret Cyber War and we’ve been fighting it since the dawn of the internet.
On this episode of Newt's World, we are fighting a new war with an invisible front line and an indiscernible enemy. The enemy can strike us at any time without warning, and we aren't doing enough to fortify and protect ourselves. This is America's secret cyber war, and we've been fighting it since the dawn of the Internet. It includes cyber attacks on companies, governments and individuals, hacking, spreading propaganda through social media, intellectual property theft, and stealing military secrets. It is an invisible war we are fighting every day, and we as a nation need to do more to protect ourselves against these advanced adversaries. I'm pleased to introduce my guest, Chris Gore. Chris is CEO of D four C Global, a private counterintelligence firm based in Fairfax, Virginia. He served as a former Air Force OSI special agent.
We really underestimate the amount of criminal involvement in cyber because many companies just pay them off and stay quiet because they don't want the publicity that they can be penetrated. Is it your impression that there's probably actually more cyber crime than we know about, because there's a substantial pattern of not reporting?
If you have the ability to get onto a network, whether it's a corporate backbone, whether it's data or a power grid, to steal information, you have the ability to cause damage. So it's just a matter of intent to change from stealing to destruction. I can take you all the way back to two thousand and four when I was investigating the intrusions around the Joint Strike Fighter, which is the largest contract in the history of DOD, thousands of subcontractors. It's being targeted all over the place. And at that time, there was no requirement for defense contractors to report to the government that their unclassified networks were compromised, and so we had to change policy and the federal acquisition requirements and all kinds of things. And that kind of shift hasn't happened in the rest of the sectors in America. So the financial sector and those type of things don't have the same type of reporting requirements. And I am personally familiar with a number of cases where corporations have been hit with ransomware, have paid the ransom, have brought in professional cybersecurity firms to negotiate with the bad guys and pay it, and then move on as if nothing has happened. Some of these are substantial ransoms, and so there's definitely no motivation for the bad guys to stop.
American society is completely unaware just how bad the criminal elements are. Taken a lot of money from people. If you had to guess what percent of this is criminal, what percent's government, and what percent of it is just the individual's journking around as a hobby?
There are different types of things happening. When you see ransomware that's happening and organizations being blackmailed without going and there encrypt all of their servers and then basically you have to pay a bunch of bitcoin to get your stuff undone, that is in most part a criminal enterprise, but it can also blend into state sponsored enterprise.
The North Koreans are kind of considered for doing this to try to increase some revenue because of all the sanctions. I would suggest that any of the targeting of US intellectual property that's been happening over the last five, six, seven years, to the tune of some government reporting three hundred billion dollars a year in losses of intellectual property, that when you're going after a Lockheed Martin or a Northrop Grumman or a Caterpillar, those require substantial capability to defeat those organizations. That is state sponsored. The criminal stuff is going after your money and the blackmail, and then your individual in the basement can kind of weave in between there. There was a report of the teenager that compromised the director of the CIA's home account. That does happen. You do get some activist groups; Anonymous will do some things, and those may be kind of politically motivated, and they're doing it more to put a message up on a website, those type of things. So most of the lower level script kiddies, if you will, are defacing websites and that type of thing. The criminal enterprises are getting in and trying to go after money and doing blackmail, and the state sponsored organizations are stealing our trade secrets and then positioning themselves, from an order of battle perspective, to have that strategic surprise. So knock out the lights, can they shut down the FAA, can they hurt NASDAQ? Can they do those type of things that would kind of cause a lot of turmoil for us? That's the way I would kind of outline a tiering thing.
So in that sense, this is the new cyber mafia and represents a totally different set of skills and a much higher profit margin than the traditional crimes.
Agree. Ten years ago, the moneymaker on the cyber side was you would steal data and then you had to go find an information broker to sell the data to, or you would create the actual exploits and sell those.
So a zero day right now can get you about a million dollars, a good one, like if you can get through Windows or get on an iPhone or something like that. But if you're going to go hit a corporation and you're going to hit them for five million dollars in bitcoin, and you can use that same tool that you use against them and hit five more companies, and now you're at twenty five million dollars of somewhat untraceable in the way this is being done, because it goes through multiple iterations of different cryptocurrency providers and whatnot, it's a challenge for law enforcement. There have been United States municipal, city, and state police departments that themselves have been hit with ransomware and paid the ransom. It's a part of kind of a cyber hygiene issue on our side where we're not backing things up as much as we should. We're not really preparing our communities and our organizations for the threat, and then it's very, very difficult once you've been hit with that stuff to get your data unlocked. The interesting thing about this is for the most part the criminals, there is some honor there, like once you do pay, you do get your stuff back. Very rarely does it not work out that way, because within that criminal subculture, if you get a reputation for not following through with releasing the holdings, then they would expect that they wouldn't be paid in the future, so they want to keep that faucet on by honoring the bounty.
Sony produced a movie that made fun of Kim Jong-un, and they promptly had a cyber attack on Sony. I think everybody agrees it was the Koreans, but it's really hard to track down and prove it's the Koreans. And isn't that one of the problems, that you can have these attacks and really not know precisely where they're coming from?
It is definitely one of the challenges. To some degree, there are elements within the intelligence community that have better visibility and understanding than others, and in some cases it's still unknown.
The other challenge with this is if you're utilizing criminal elements or you're supporting them, and you kind of give yourself that plausible deniability, whether it's the Russians or the Chinese, or the Koreans or the Iranians, if you can cause that doubt and distance between an actual organized, wearing a uniform group like you had in the GRU, I think most people in the community would agree are still under the control of or supported by the government. Is an issue, but even more so from a political will perspective, what happens when you actually do attribute it to a Russian government or the Chinese government or the North Koreans? The ability to dissuade them from doing something like that is also a challenge, both from a political will to do it and then what you actually do. So it's a problem across multiple elements of national response.
After you even understand who did it, which is still a problem, how far would you go in responding? For example, in response to Sony, should we have tried to take down the North Korean system? And even if we had, given how little electricity they use, would they even have noticed it?
We have the ability to be surgical as well. So maybe the response is, if we have attribution or a strong enough agreement within the intelligence community, maybe the effect is to neutralize the cyber capability of the people we believe are doing it, whether it's going right back after their machines and the quote unquote hack back. Taking out the infrastructure that they're utilizing is a tactic that can be done and has been done from law enforcement. So if you look at how botnets are being done and some of the criminal enterprises, there are coordinated efforts with Interpol and others to go take down botnets and controllers and some of that infrastructure. It takes a long time to build, millions of dollars in investment to get this stuff staged out, and taking that down dramatically impacts the bad guys' operations.
That is something that can be done. Maybe it needs to be a little bit more public so people understand that this is happening. In some cases, the United States government is aware of more than the general population, as you would expect, on a lot of things. So do they have capability to do things? Do NSA and Cyber Command have the ability from a cyber perspective to disrupt and engage and in some cases destroy cyber targets? Absolutely. Do they have the political backing or charter to do that? That's where we're not there yet. So we're not sending two one guys into Beijing to kidnap hackers, we're not dropping bombs on buildings, and in most cases we're not even doing a cyber operation to nuke their routers. I'm sure there are conversations happening in various pockets of the government on what to do. These conversations have been happening for ten years now, and we definitely have the capacity to do things. From my perspective, when I was in the government as an operator doing these type of things, the only thing we were lacking was the political will to do it. That's the threshold. If the military is ordered or given a green light, they have the capability to do a lot of things and various stages of escalation. So that's where we have to get our political leadership on the same page, understanding the threat better, and then having a series of responses that are publicly known to the adversary. If you do this, this is going to be the consequences, very similar to that mutually assured destruction doctrine during the Cold War. We definitely need to start moving towards that. Right now, it's just been we've been getting hit, getting hit, getting hit, getting hit, and a small group of American citizens have been seeing this and trying to deal with it in pockets, but we haven't had a unified response, and that's the biggest challenge.
Next, a data breach at the Office of Personnel Management leaks the personal information and fingerprints of millions of federal employees.
In twenty fifteen, they reported that hackers had gotten five million, six hundred thousand digital images of government employees' fingerprints and had broken in just a huge volume of information about federal employment.
That breach, the Office of Personnel Management and all of the background records for security clearances, was a strategic hit that was a focused effort to go after those records. That has all of the information for every federal employee who has gone through a security clearance background check, so it'll cover the organization that you're in, your previous employment, your family, every place you've lived, your credit record, your fingerprints, all of it. So it was a major hit.
But in terms of the scale of constant aggressiveness, I think the Office of Personnel Management said that they get something like ten million attempted digital intrusions every month. Shouldn't we be much more militant about stopping the people who are doing all this? It seems to me as though we're playing defense with no offense, and eventually they're going to break through.
I agree. If it's connected to the Internet, it's at risk and it will always be at risk. I would suggest that ten million attempts a day is a lot of that scanning, or system machines that are just probing for openings. But when you get to an actual dedicated military intelligence unit or Chinese NSA or Russian NSA, they will have a dedicated campaign where they'll go at you from our target like that from an insider perspective, from a human perspective, from a cyber perspective. They're going to get after it. And we haven't really come to the realization that some of these things are highly vulnerable and good targets, if you look at the ramifications of what happened there.
Initially, that breach went after a contractor that had the work to do the investigations, so they would have contracted personnel that would go out using laptops and do field interviews, and then those laptops were plugging back into a corporate backbone, and they got on through that link. The US government basically kind of blamed that company. That company basically went bankrupt, thousands of people lost their job. They tried to file an insurance claim about it. The insurance policy said, this is a state sponsored thing. We're not going to protect you, you're on your own. Come to find out that the government itself was also compromised in this thing, and they had not complied with inspections and security audits saying you need to do some things. So corporate side, big impact. Government side, I'm not sure anybody even lost a job. The bad guys got away with a strategic haul of valuable intelligence about every employee and all their backgrounds and everything that you could hope to have, and we really, as a response, did nothing other than offer a couple of years of free credit check to the employees. So I completely agree with you that we need to start changing our mindset and how we're responding to some of these things, because there is no fear, there is no cost of doing business from their side, there's no ramifications for things like this.
As I understand, in terms of intellectual property theft, it's a different kind of problem. There was one report that China may account for as much as eighty seven percent of the counterfeit goods that are seized coming into the US. Doesn't this almost have to have the backing of the government of China to be on this scale?
As far as I'm concerned, I mean, they control the Internet, they control your access in and out. I could tell you a story all the way back in two thousand and one. You may recall that there was a Navy P three surveillance plane that was flying along the coast of China.
China sent up two fighter jets to shadow it and they ended up clipping wings and we had to land our Navy plane on the ground. And it was a big kind of international incident that kicked off around a kind of patriotic hacking between the US and China, and on our side, the FBI and others kind of tried to track our guys down and tell them to stop. On the Chinese side, they started to kind of watch this and they saw that these patriotic hackers were going against the US and they were allowed to continue. That created your first generation of what the Chinese called big bulls or like the strong hackers, and they started their own little hacker organizations. And then ten years later, in twenty eleven, they literally had kind of a ten year anniversary awards ceremony for these groups, and it was held in a Chinese Communist leadership cadre facility with tacit approval from the government. So, without a doubt, these groups that are going after intellectual property, and we're talking hundreds of terabytes of data over the course of a couple of years that have been taken. I think the Mandiant report that talked about six one nine eighth, the military unit that the FBI did indictments on, they were talking about hundreds of terabytes and weekly stands, and that's just one unit. So when you start talking about hundreds of terabytes, I don't think people understand what that really looks like. Fifteen terabytes, if you were to take that and print that out, that would equate to every piece of printed material in the Library of Congress, and you're talking hundreds and hundreds of those. So it's a massive amount of information that's been taken. And the Chinese are experts at recreating through imitation. So not only are they doing counterfeit goods for purses and shoes and t-shirts and those type of things, but they're also creating weapons systems. They've created the J thirty one, which looks and flies exactly like the forty five Joint Strike Fighter.
They have a drone that looks just like our Predator. They're selling it in Africa and the Middle East. They've taken our technology, they've created it themselves, and now they're moving into the market and they're competing against us, so not only from commercial goods, but from weapons of war as well.
So there's a Commission on the Theft of American Intellectual Property, which made a report in twenty seventeen, and the range they estimate of how much is stolen of intellectual property annually from the US economy was between one hundred and eighty billion and five hundred and forty billion. Now, how can we know so little that we have a range of almost four hundred billion between the high and low estimate for one year? Isn't there something wrong with our own systems if we can't get it narrower than that?
Well, it kind of goes back to your point of it's hard to get everybody to admit that it has happened. It's hard to quantify the volume of what's been taken and how you actually turn that into a dollar amount. Some of us amongst the community will just kind of take a middle number and it's three hundred billion a year. And if you do that across five years, I mean, you're at one point five trillion dollars in economic impact. We cannot sustain this. We cannot continue to compete economically and eventually militarily. I can tell you I personally briefed the CEO of Lockheed Martin when we were doing a Joint Strike Fighter intrusion and had a big Analyst's Notebook chart out, and here's kind of what we're doing, what we know, and where the case is going. He basically kind of sat there and looked up and said, I'm sick and tired of investing hundreds of millions of dollars in building the stuff to have it stolen in a matter of minutes. And that was just one company. Some of the other statistics around that report that you mentioned was one in five corporations has been hit or will be hit, maybe as high as two fifths. So that's a massive amount of intrusion.
And then being able to quantify it. So let's say you did. Let's say you actually said we narrowed it down. We can tell you it's three hundred and fifty billion dollars. The question is, then, what if we know it's eighty seven percent China and they took three hundred billion dollars a year for five years, we're at one point five trillion dollars in economic warfare, what are we doing about it? Some of the things that the current administration is doing is saying enough is enough. The American public is not really, as far as I can see, well informed or in tune to this, because what you see on the news on a daily basis is something else that's not really focusing on these strategic challenges that we're facing as a society.
Next, we reveal the lack of cyber health around our senior corporate and government leaders and what they need to do to protect themselves.
Chris, since there is a growing pattern of going after individuals and their home systems, etc., what advice do you have for people who want to deal with the cyber threat in a way that's effective for them as individuals?
A couple of things. Cyber hygiene is important, so kind of basic practices. If you are part of a corporation and you've got a set of security policies in place, changing your password quarterly, making sure that your systems are updated and patched, apply those same disciplines to your home life. So change a password on your Gmail regularly, make sure that your home network equipment is updated and patched. You need to make sure that those things are updated and patched. Your home computers have basic antivirus, and those things will make it a little bit more difficult for the bad guys to move into your personal space. It is a growing challenge. I will fully admit that this is a challenge. The growth of the Internet of Things and your refrigerator being able to call out and order milk adds a level of risk to your home.
What we advise friends and family and clients is that you pay attention to this. So when you read the news, pay attention to what's going on from a cyber perspective as well. I mean, there's always a blurb out there somewhere about what's going on, and see how that might impact you. It's definitely a concern across a number of things. So I do want to touch on this for the executives. So if you are a corporate executive, there's an entire trend of this whale phishing where people will go in and grab your information, make it look like it is you, send an email to your chief financial officer to tell you to move money. It's a whole scam that's been going around for a couple of years. Targeting often happens at home, so if they can go after your Gmail or your home router, they're going to do that. What we find over and over again is if you're a senior leader in a corporation, you're well defended in your office, you have a team of security professionals, you've got a lot of money invested, you've got the latest and greatest security technology. As soon as you go home, you are just like everybody else, and your corporate security posture and visibility isn't coming to the home because we as Americans value that privacy, so it's beyond the remit of a security team from a corporation or even a government to protect officials at home. I can tell you that I personally spoke to a member of Congress who gave me their official business card with their Congressional seal on there, and their email address was a Gmail. That scares me to death because that Gmail is not being protected by the States government. That is an area where people need to recognize that you are a target, especially if you're in a position of political leadership or corporate leadership, and either take the time to invest in your own security, or consider getting some consultation on how to protect yourself. There are some simple, free things that can be done to improve your posture. Training is a huge benefit.
Understanding how to maybe adjust some of the settings on your mobile devices. Making sure that you come in and just have a basic assessment of what your posture is at home is a simple thing to do that either is low cost or no cost.
But let me draw a distinction. If you're a business executive, shouldn't thinking through protecting you at home be part of your corporate system?
It should be. In some cases it is, in most cases it is not. How many executives have you seen that walk around with two phones? They'll have their corporate phone and they'll have their personal phone. I've seen communications in kind of the cyber underground, the deep and dark web, where people are offering bounties for executives' personal email addresses and personal phone numbers. Why? Because that's what they want to target. I've seen kind of dialogues happening about why would I bomb the hacker? Why would I attack the general on his dot mil account when he's protected by literally an army of cyber defenders, when I can attack the general on his AOL account where he's got no defenses other than AOL, and AOL is not going to be able to stop what's coming. There's been recent reporting that three hundred to seven hundred thousand home routers in the United States have been compromised by a suspected Russian hacker group, and so that's moving away from corporate enterprise and businesses into the home space. That's an extremely troubling potential where there's definitely a lower security posture in the homes. So when you start to look at global operations from a cyber perspective, and you look, you're talking about Russian NSA or Chinese NSA, they have the ability to go very surgical right after an individual or step back and try to have a thousand points of light or a thousand points of presence or a million points of presence around the world to help them with their SIGINT operations.
When you start talking about a million points of presence, how much of that's done just by using automatic devices, whether they're bots or other things that self propagate?
A lot of it is, initially. So there'll be scanning of the Internet constantly looking for unpatched machines and vulnerabilities, and then they'll have a library of exploits. When their machine is scanning across Western Europe or across North America and they find an IP address that's reporting that it has a port open or a vulnerability, then their exploit library will just compromise that system and then they can take control of it and move on to the next one. That is kind of a regular general noise that's happening on a daily basis, which is what a lot of the cybersecurity industry is kind of dealing with, where you're constantly having to update and patch your machines and make sure your firewall is up to date and your antivirus is good. Criminals can do that. Sponsored organizations can do that. Teenagers in their basement can do that. But when you start to move into the higher order advanced groups, state sponsored with national level backing and funding, and they're creating zero days, which is an exploit or a piece of malware that has no signature. So the way most antiviruses work is they're based off of the signature, so it has to know that this is a malware. It creates a fingerprint for it, and then it can look for it some other place. A zero day would be something that has never been detected before, and it can run for a long time until it's actually identified, the fingerprint created and then put into your antivirus. When you have state sponsored organizations that have dedicated funding, they're constantly looking and creating new zero days. They have a library full of weapons, if you will, that they can use to continue to maintain access in places that they want.
How would you change things if you could get the President and the Congress to agree?
I think there's a couple of things that we should be doing that are less provocative than others, and it can kind of go from a scale. We should be taking more advantage of encryption and encrypting our data at rest. It's very, very difficult for it to be utilized because it's encrypted, and you've got to spend a lot of time and resources to decrypt that stuff. As just a fundamental policy, we're not doing as much as we could there, as just a hygiene perspective. There would be a good cause at some point in time for the American public to know more about what's going on. We have a tendency to classify a lot of stuff, and some of it absolutely one hundred percent needs to be classified. Maybe some arguments where some of it shouldn't be and people need to know about it. If I had the ability to make some changes now, I would hope that we could get both sides of the aisle to stop looking at each other as the enemy and look outward at Russia and China and what they're doing to us as a country. So we're too busy pointing a finger at each other over things than looking outward. I mean, if you kind of look back over the last few months, in the last year and the whole Russia thing, the Mueller Report talks about Russia doing some things, but the sense you get from the way it's being projected on a daily basis is still more of a focus on the Trump administration than on what Russia was actually doing and has been doing since the Cold War. There are just as many or more Russian spies in the United States now than there were at the peak of the Cold War. But that's not what we're talking about. We're talking about the wrong thing. So that would be the next year is so let's make the data that sits on our enterprises more difficult to capitalize on because you encrypted it, let's get our political leadership to stop throwing stones at each other and pay attention to what's impacting our country from an external forces perspective.
And then three, we need to have the political resolve to escalate and for people to understand why this is happening. I don't know what the line is where you would start to go kinetic on something like this, but one point five trillion dollars over five years in economic theft is a huge number and something should be done about that. And there needs to be some concern by these units that sit in Moscow or Beijing and are basically operating with impunity. I mean, Mueller doing an indictment on GRU officers and naming them, saying this major in the GRU at seven fifteen in the morning did this event, is telling them what we know, but nothing's happening to these individuals or the country or the government. From that perspective, I don't have an answer other than I think if we had our political leadership working together to come up with some better solutions is the first step. And that's definitely not happening right now because we focus on four-year political cycles and the constant campaigning and that type of thing, so we're losing the ability to actually protect against the strategic threats in the long term.
I'm just very grateful to you for taking the time and sharing all this knowledge with us.
Yes, sir, my pleasure.
Thank you to my guest Chris Gore. You can learn more about America's secret cyber war on our show page at newtsworld dot com. Newt's World is produced by Westwood One. Our executive producer is Debbie Myers and our producer is Garnsey Sloan. Our editor is Robert Borowski, and our researcher is Rachel Peterson. Our guest booker is Grace Davis. The artwork for the show was created by Steve Penley. The music was composed by Joey Salvia. Special thanks to the team at Gingrich three sixty and Westwood One's John Wardock and Robert Mathers. Please email me with your comments at newt at newtsworld dot com.
If you've been enjoying Newt's World, I hope you'll go to Apple Podcasts and both rate us with five stars and give us a review so others can learn what it's all about. On the next episode of Newt's World, twenty five years ago, we began the Republican Revolution with a set of promises to the nation called the Contract with America. Republicans gained the majority of seats in one hundred and fourth for the first time in forty years. Next week, I'm looking back at that time and revealing my own personal experience. I'm Newt Gingrich. This is Newt's World, the Westwood One podcast network.