Newt talks with Dr. Eric Cole, a renowned cybersecurity expert, entrepreneur, and author of “Cyber Crisis: Protecting Your Business from Real Threats in the Virtual World.” Dr. Cole discusses the pervasive issue of cybersecurity threats, highlighting the frequent breaches by foreign entities such as Chinese, Russian, and Iranian hackers. He emphasizes the need for federal cybersecurity laws in the U.S. and the importance of redesigning systems to protect against vulnerabilities. Their conversation covers the global nature of cyber warfare, the inadequacy of current U.S. cybersecurity measures, and the necessity for a comprehensive overhaul of the nation's cyber infrastructure. Dr. Cole provides practical advice for individuals to enhance their own cybersecurity, such as using two-factor authentication, minimizing the use of free apps, and avoiding clicking on suspicious links.
On this episode of Newt's World: it's not often I get the opportunity to speak with someone who used to be a professional hacker for the CIA. My guest is Dr. Eric Cole. He is a renowned cybersecurity expert, entrepreneur, and best-selling author with over thirty years of experience in the industry. He is known for his work in advancing cybersecurity and his dedication to making the digital world a safer place. He has advised some of the world's top companies on reducing their digital threats and improving their cyber health. He's the author of the book Cyber Crisis: Protecting Your Business from Real Threats in the Virtual World. Eric, welcome and thank you for joining me on Newt's World.
My pleasure and thank you for having me.
I'm very curious. In December of last year, Chinese hackers breached a third-party vendor for the US Treasury Department to gain access to over three thousand unclassified files. How could this have happened and what should the US government learn from this?
The reality is this is happening all the time.
Most security vendors, most companies, most organizations have been compromised or penetrated by the Chinese, the Russians, or the Iranians, and we just didn't detect it. We didn't realize it, and we didn't know that it's happening.
So this is a much bigger problem that has been brewing for a long time, and unfortunately there's not been a lot of awareness around just how bad the issue is. And governments and other organizations have to realize that the probability of third-party vendors or third-party sources having a vulnerability or a compromise is very high, and we need to redesign our systems. We need to redesign how we're configured to protect against it. And most importantly, we need federal laws on cybersecurity. There's a lot of state laws, California is leading the pack where there's a lot of privacy laws, but the United States is one of the few countries that don't have federal laws on cybersecurity and federal laws on data privacy.
Then why is that? Why are we behind?
I believe the big issue is we always thought and a lot of people still do, that cybersecurity gets in the way of freedom of speech, that cybersecurity gets in the way of exchange of information, and that cybersecurity is not fit for a democracy. Like most people when they think of cybersecurity, you think of North Korea, where they don't have internet access. Citizens in North Korea, they can't access the internet, they don't have email, they can't access information. Even in Russia, most people don't realize a lot of the websites that we take for granted, a lot of the social media sites are not accessible in Russia and they're not available. So people have always felt that cybersecurity is more of limiting and reducing access to information.
But that's just not correct.
Cybersecurity is about how do we protect and control our information so only people that need access to it has access to it. And I think that's why we've fallen behind, because we just haven't realized that cybersecurity is actually a complement to democracy, it's not adverse to it.
Does anybody that you know of have an effective cybersecurity bill proposal?
None that I'm aware of. I continually try to push it. The problem is, as you're probably very familiar, everything is so political, everything is so either side has to disagree with each other that anything we're trying to push through on cybersecurity is breeding aversion from the other side.
And the reality is we need to recognize cybersecurity as a non bipartisan issue. It's really something that impacts both sides. It impacts Democrats and impacts Republicans and impacts America as a whole. And one of the things I'm trying to do is really, how can we break down those barriers and get both sides to agree that, okay, we can fight about some things, but cybersecurity, we need to get our act together. Because when the founding fathers wrote the Constitution and the Bill of Rights, they had no clue that we were going to be carrying cell phones with us. They had no clue that we've been having tracking devices on us twenty-four seven, and we need new laws that are keeping up with the digital frontier.
I couldn't help but smile that, as we get ready to celebrate our two hundred and fiftieth birthday, that if you were to drop George Washington or Jefferson or Franklin under the current situation, all of them would have found them. Yeah.
I think they would be amazed.
It'll be remarkable. One of the examples I've been thinking about a lot: Elon Musk and DOGE sent an email to federal workers saying, please reply to this email with approximately five bullets of what you accomplished this week and carbon copy your manager. Now, if people responded to that, are there any cybersecurity risks in responding to an email like that?
There's huge cybersecurity risks because you essentially have somebody who is not employed by that government agency and they're asking for information about what you're doing on a daily basis. If I answered that accurately, I would be giving away a lot of critical information. If I had to go in and say, well, I'm working on this project, I'm working in this area, I'm working on this research.
That's a lot of valuable information that if that got in the wrong hands. And my question is what email address is Elon Musk using to get replies?
Where are those emails being stored?
Because at least from as far as I can tell, Elon is not using government servers. I know that he's installed some of his own servers at Treasury and other areas.
So now, if these emails from government employees that potentially are containing sensitive or even classified information are stored on public servers, what happens if foreign adversaries get access to it? And I don't know if you saw this week, but the DOGE website got hacked.
They don't even have proper security.
So here he's setting up their website for DOGE, for government efficiency. They got hacked, and they're expecting government employees to give all this sensitive information to these servers that clearly have vulnerabilities.
What I'm thinking that this is one of those ideas which, when you hit the implementation phase, is a thousand times more complicated than the idea. Yeah, and I think that they really don't fully understand that.
And this is one when I can resonate because at the end of the day, Elon is a geek. He's not a businessman, he's not a cyber guy. He's a geek, and he's all about solving problems and he wants to solve the problem as quick and as fast as possible and get access to information. The issue is cybersecurity is always an afterthought. And back to your original question of why is the United States behind, it's because cybersecurity is always an afterthought. We're not thinking of cybersecurity. Elon didn't sit down and say, okay, how can we do this in a secure manner? What are the cybersecurity protocols that we need in place to do this correctly? He basically just said, I need the data. We'll figure out cyber later. But the problem is with digital information. Once your data is leaked out, once your data exists on servers, you can't get it back. It will exist forever. I know before the podcast, I was talking with your producer how she took her daughter to a hospital and it got hacked and her daughter's personal information was exposed. And the reality is now that person has to live the next fifty, sixty, seventy years of their life in a world where their personal information has been compromised, because once somebody has your Social Security number, you can't get it back.
So to make clear how big a threat this is, you talk about a cyber war. You say, quote, our nation is currently at war, whether we realize it or not. We're in the middle of World War Three. The reason why many people don't recognize it is because it's a different type of world war. In this war, every single country is involved, and every single country is both being attacked and attacking other countries. Walk us through all that. I agree with you, but I think it'll be very helpful for people to hear what this cyber war is like.
So most of us think of wars.
We think of World War one, World War two, tanks, planes, boats, missiles, and guns.
But we're in a digital war because we live in a digital world.
And now it's not bullets, it's not weapons, it's packets, it's information, it's data, it's leakage. And the reality is, as we're starting to see with some of these breaches that come out. We saw Colonial Pipeline. I live on the East Coast in Virginia, and when Colonial Pipeline, a large oil supplier on the East Coast, got hacked, our gas stations were closed for four days. People were actually walking, they were panicking, saying, are we actually going to be able to get gas because of a cyber attack? Then we have SolarWinds, where you talked about earlier, where broke into a vendor that compromised government systems. And these attacks continue to happen and occur, but the reality is they started five to ten years ago. The Chinese, the Russians, they're in our systems, we're in their systems, and it's sort of like the nuclear Cold War where Russia could destroy the United States and we could destroy Russia. So neither side would actually launch a nuclear weapon. But we're in Russia's critical infrastructure, they're in our critical infrastructure, and neither side is going to do anything because it would do mutual mass destruction. But what's happening when our information starts leaking out? What happens when our data is being compromised? And the reality is because we're at war. When you're at war, you have a different mentality. I've been over in the Ukraine, I was over in Iraq during the Iraq War. When you're in a war, people are thinking differently, they're acting differently. They're more scared, they're more paranoid, they're more careful about what they're doing. The problem we have in the United States is everybody on the Internet thinks we're in peacetime conditions. So they're sharing information, they're giving their data, they're accessing whatever they want, they're posting pictures, they're putting everything out there. But the reality is, if they knew we're at war, we need wartime thinking.
People need to be more paranoid, a little more scared, and a little more protective of the data. They need to be careful of who they're giving their information to. We need to start implementing security because here's the great news. Your banks, your e-commerce all have security built in, but it's turned off by default. It's not all turned on because they don't think citizens are ready for it. So we need to start going in to our apps, going into our devices and start turning on security as turning on notifications, turning on two-factor authentication. So the security is there, but we just have to start implementing it. And the war that we're facing today is not a visible war where there's huge explosions or banks are being taken down. It's a war of data leakage. Imagine we have a big bucket. Instead of somebody going in emptying the bucket, they're just putting little holes in the bucket. They're slowly leaking our data and leaking our information, and by the time the bucket's empty, most people don't even notice. A reality that I see all the time is most people's bank accounts or credit cards are compromised. But here's the reality. The attacker is stealing a dollar a month. Now, imagine if somebody is taking a dollar from your bank account each month or a dollar from your credit card, you probably wouldn't know. Most people don't look at their credit cards that closely. Most people don't look at their bank accounts close enough that if a dollar was missing, they would not recognize that error. But if you steal a dollar from every person every single month, that starts turning into a billion dollar industry, which is what we have right now. Cybercrime is over fifty billion dollars. It's costing America on a regular basis.
That's wild, and that's so much bigger than people think it is.
Exactly.
If people want to protect themselves somewhat from their own devices, what should they do and how do they do it?
So the first thing they need to do is realize that when you buy a new iPhone or you buy a new Android device, they are very secure.
They are very locked down and protected.
The problem is when we start installing all of these different apps. Free is not free, and basically a free app is tracking your location. So first, if you have the choice between a free app or a paid version, use the paid version. If it's something that you need to run your life or it's critical for your life, you need to use a paid version because the paid versions are a lot more secure than the free versions. Next, any app that you haven't used in forty-five days, delete, delete off your app. And I'm going to give you the challenge. I run my life on ten apps. If I go and download a new app, I only do it if I delete an old one. So instead of having fifty and seventy apps on your device that you're not using, do you realize an app that you install on your device but you're not using actually is spying on you? It's tracking your location, it's accessing your camera, it's accessing your information. So delete any apps that are not needed or required. Second, for any application you're using, you need to use what we call two-factor authentication. This is where when you log in, you put in your password and then you're texted a one-time code to your cell phone, and then you have to enter in that one-time code. And I know people's initial response is, Eric, that's annoying if every time I need to log in, I have to enter a code that takes a couple of extra seconds. And my response is, you know what's really annoying? Your bank account getting hacked. You know what's really annoying? Your identity being stolen. So do you want a short-term annoyance with two-factor or a long-term annoyance of being vulnerable? Next, turn on account notification. Every time I use my credit card, every time I withdraw money from my bank, I get a text notification where it says, Eric, is this you? Did you actually do this transaction?
Did you actually withdraw money from the account?
And the reality is I get text messages at least one to two times a quarter that are unauthorized transactions. So if I didn't have that turned on, those transactions would have occurred, and I would have been exploited and I would have been compromised. So once again, small short-term annoyance, but long-term benefits. So turn on account activity notification on all your systems. And then the last piece I always give is, under no circumstances should you ever click on a link. Don't ever click on a link, don't ever click on an attachment. This just happened to one of my friends where they're traveling in Florida. They got a text notification that said, you ran one of the fast tolls in Florida and you need to pay the fine or you're going to have huge issues and problems. Click on this link. And because they were in Florida, they thought it was legit. They clicked on the link and it was a scam. So don't ever click on a link, don't ever open an attachment. But Eric, what if my bank sends me a notification that says there's a problem and there's a link? Go to the app. Go to the app, log in using a valid app to access your bank account, but never click on a link and never open an attachment.
Well, I'm really curious, Eric, should you have a banking app on your phone?
Yes. I know that's counter because a lot of security people are like, no, don't have anything. The reality is our phone is a trusted advisor. It's something that we have with us and we access. And here's the reality. Apps are much more secure than websites. Apps are much more secure than clicking links.
So if you're going to use your bank, if you're going to do online banking, if you're going to e-commerce, it's much better to use the apps. The apps have a lot more security and a lot more protection than websites. So the best advice I can give you is minimize your use of websites. Maximize your use of trusted apps, and that's going to also make you a lot more secure.
We're really kind of a free for all where it's not like the Cold War where there was one side and the other side. It's more like between governments and private criminal groups, et cetera. It can be coming from anywhere at any time, and so you can't just focus on North Korea or focus on Russia. You almost have to focus on how you defend yourself against all the attacks in every single version.
That's very because here's the reality. There are no national and international borders on the Internet. When you're on the Internet, I can access different countries, different areas, different locations, and there's no boundaries.
There's nothing.
Somebody in Russia can access servers and individuals in America without going through customs, without presenting a passport, without going through immigration. So the problem is, as I mentioned, the laws were written for physical boundaries. If somebody is physically in the United States, they have to abide by our laws. If they're physically in Russia, they abide by Russian laws. Well, on the Internet, you don't know where you're at. I track very closely and I will tell you when I'm surfing the Web and doing daily activity just like you and anyone else. I'm frequently accessing servers in the Philippines because there's a lot of data centers there. In Singapore, the Middle East has a lot of data centers, Dubai, South America, and people don't realize that even when they're going to e commerce sites or banks or other areas and giving away their information, those servers are often not in the United States, which means your data and your information is not in the United States, which means even if we had privacy laws, they might not apply to your data information if it's outside of our country. So people just don't really understand the complexities that the Internet is really one world.
There's no boundaries.
Servers can exist, data can exist anywhere, and until we get international laws where we all cooperate and say, okay, we're all going to work together, it's going to be real difficult. Because this just happened this morning is I'm working on an investigation and we found a hacking group in Russia. We know who they are, we know where they're located, we have their physical address. They're a company, an incorporated company in Russia. But here's the problem. They're not breaking any laws in Russia, and there's no extradition treaty with Russia, so we know who's hurting us, who's hurting Americans, who's stealing our information. But because there's no international laws, there's really little we can do to stop them, which, as you said, every individual has to realize they're a target and we need to start putting measures in place and protect us because unfortunately, until there's global laws, the laws aren't going to be able to protect us or keep us safe.
Can we reverse it and use our cyber capabilities to go back in and attack the people who are doing this?
We absolutely can. That's another area that we've seen the recent presidents actually do a really good job on. Trump, in his first term, he was actually the first president that actually allowed Department of Defense to launch cyber attacks without executive approval.
Prior to Trump passing that executive order on his first term, if the Department of Defense wanted to launch a cyber attack and offensive operation, they needed presidential approval. Now, China doesn't require that, Russia doesn't require that.
Iran and Iraq doesn't require that, so we were really hamstrung in that capability. So yes, we have to start getting more aggressive. But the other thing we need to do is get a lot more partnership between government and commercial organizations. In China, the Chinese government spies and steals information from US companies for the benefit of Chinese companies. In the United States, we don't have that capability. In the United States, the Department of Defense, they can't steal corporate information and give it to US companies because once again that violates our laws.
But if other countries, their governments are working on behalf of local companies to help and support them, we need to do the same thing. We need to have a much closer partnership where we can launch offensive operations and then the government can share that information with US companies to help make them more competitive.
As you think through this continuous cyber war, as I understand that North Korea is almost entirely government-run cyber war, but Russia has a huge amount of criminal operations. Nigeria, I think, has a lot of criminal operations. So, yeah, there, China has a mixture of government and free enterprise entrepreneurs. Is that likely all around the world, that there are different patterns?
Absolutely, and you nailed it. In North Korea, there's really no corporations.
The government is the country and basically runs everything, so everything is run from the government and controlled by the government. In China, it's very cooperative where companies and the government work very closely together, so the government is going to do attacks on behalf of companies and vice versa. Now when you get in to countries like Russia and Nigeria, it's interesting, the commercial criminal actually helps and supports the government. So these commercial elements are actually supporting and involved.
A lot of government officials in Nigeria, a lot of government officials in Russia, they're actually involved and sit on the board of these cyber crime or criminal companies, so they're actually supporting, helping them, and they're helping and supporting the government in return. Imagine in the United States if we had generals and government officials actually sitting on commercial boards that are doing offensive operations to help the company but also help the country.
It's a total mind shift.
But the reality is until we start thinking and acting like the adversary and start doing what the adversary does, we're at a disadvantage. Because these other countries have commercialized cybercrime. They're making tons of money on it. They've legalized cybercrime, and because in the United States it's illegal, we're at a huge disadvantage in terms of offensive operations and protecting ourselves.
And some of these things are really big. If I remember correctly, the twenty fifteen Office of Personnel Management breach was a huge failure. Did we learn anything from it?
Unfortunately, very little. And the reality that is brought up that we have to recognize is Social Security numbers are no longer private information.
We have this term, I'm sure you've heard, PII, personally identifiable information, or PHI, personal healthcare information, and our Social Security number, our driver's license are all considered private information. And if somebody knows my Social Security number, my date of birth and my driver's license, they can open bank accounts, they can open credit cards, they can access information, they can access data. But as you said, in that breach and in other breaches, a large percent of Americans' Social Security numbers have been compromised. A large number of Social Security numbers is public information. So now we're living in a world where personal identifiable information is actually public. Our Social Security number is public, our driver's license is public.
Yet that's what we're using to authenticate and verify. So in terms of back to the federal laws, we actually need to come up with new unique identifiers for American citizens that is actually secure, protected and not compromised. Something along the lines of biometrics. We're actually tying it to, like, your fingerprint or your facial ID or something that's much more difficult for somebody to steal. But the reality is what we're using as personal information is actually public and exposed and available to many people.
I mean, should people despair or how do you function in the kind of wide open world you're describing?
The reality is sort of two things. One is awareness, is recognizing the reality. Don't be afraid of it, don't be terrified. I work in cybersecurity, and people are like, Eric, how are you in a good mood? How are you not depressed?
I'm like, because I'm aware and I understand that, I embrace it, and then it's just doing simple things, doing cyber hygiene. But the reality is because technology came on so quick that most of us were not trained in school. When I went to school, the World Wide Web didn't exist. There weren't cell phones, there weren't computers. They didn't teach me about cyber hygiene.
But now my kids are going to school and they're still not teaching them about cyber hygiene.
So to me, it's a lot of simple things.
One is just recognize and know that you're a target, and understand where is your information, where is your critical data. And then understand that passwords are a thing of the past. Passwords are no longer strong. I can crack any password. You give me an account that uses a password, and I'll break into it. And we need to really embrace what we call two-factor or multi-factor, and this is where you get an alert to your phone. You type in a code and start doing that. The other thing we have to realize is free apps are not free. Those free apps that you have on your cell phone, they're spying on you. I always love doing this. If we were in person, with your permission, I would ask to look at your phone and go under advanced settings and go under tracking and camera and you would probably be shocked of how many apps are tracking your location and how many apps are accessing your camera, or how many apps are accessing your microphone. And the reality is we can turn that off if we're aware. Most people just are not aware of how bad the threat is, and how open and exposed our data is.
I'm sort of being sobered up just thinking about it. Let me ask you specifically about North Korea, because several people have said to me that a large part of the North Korean military operation is actually subsidized by cybercrime, and that if we were really serious about putting pressure on North Korea, we would find ways to sort of isolate them from a cyber theft standpoint. I mean, is that accurate?
It is accurate, and not just for North Korea, but also Russia and Nigeria and Argentina and a lot of these countries that they're realizing that competing with the United States in traditional business is really hard. It's really difficult, and I hate to say it. You heard the phrase crime pays. It is real easy to commit cybercrime. I often joke with my friends and family that if I didn't have ethics and morals and I didn't love this country, I could be a lot richer if I moved to South America and basically was a cyber criminal.
It is just unfortunately so easy and simple to break in to these different companies, steal information, hold them ransom, ransomware attacks where they break in, they steal the data unless you pay ransom. Most people don't realize last year, in two thousand and twenty four, ransomware attacks just in the United States against US companies was over forty two billion dollars.
Good grief.
Now take twenty billion of that, give that to North Korea. Take another ten billion, give that to Russia. So yes, imagine now a country like North Korea is making twenty billion dollars a year on cybercrime, and they're increasing their capabilities because guess what, it's working. We can't stop them, and they're continuing to get more advanced in their capabilities. I always laugh is we're trying to stop North Korea from having nuclear weapons. But the reality is, without realizing it, North Korea has built cyber security nuclear weapons that are hurting and harming us, and we don't even realize it.
The whole system you're describing, we really have to reconceptualize how we're approaching this. It's so much bigger, so much more powerful, it has so many more threats. You almost need to start from ground zero and try to imagine both what would a secure effective system be like and what would the right kind of offensive system be to make people decide it was too expensive and too painful to do things to us. I mean, does it not require a whole new way of thinking about the system's architecture?
Absolutely.
We talked about the last several years about infrastructure. There was the trillion dollar Infrastructure Bill to sort of rebuild the US infrastructure because it's old and it's outdated, it's antiquated. We need a trillion dollar bill on rebuilding our cyber infrastructure. Because the reality is the United States created the Internet. If you go back to the sixties and seventies, there was DARPAnet, which was the original research project with the Department of Advanced Research, Department of Defense that actually built out the Internet. Well, what happened is the infrastructure of the Internet and the United States have now become one, which means we don't have any boundaries, we don't have any protection. North Korea can disconnect from the Internet. They know where they're connected to the Internet. Russia has done this twice a year. Russia disconnects from the Internet for twenty four hours to show that they can run independently. The problem is in the United States, the Internet is the United States. We can't disconnect, we can't isolate, we can't protect. So you are spot on where we need a huge revamping, where we need to rebuild the cyber infrastructure. We need to rebuild how we're connected to the Internet, and we need to create isolated countries just like Russia and North Korea, where we could protect, secure and limit who can access and what can access our information. But until we sort of redesign our infrastructure on the Internet and have a new cyber infrastructure, this is going to continue to be a problem because we're trying to fix a broken model.
Seems smoothed. What you have is something which grew up ad hoc over a long period of time and gradually began to attract more and more bad actors. And now you have bad actors who have very modern technologies and very modern approaches kind of trading a system much of which is obsolete. This has really got to be one of the profound infrastructure challenges of the Trump administration to take this head on.
I agree, and that's one where I love what's going on now with government efficiency and DOGE and cutting spending. But my concern is are we focused on the right now problem? Government efficiency is an issue.
It's an issue that we need to address. We need to limit spending.
Cyber security is a problem that we have to stop ignoring. So you really summarize it so well that this administration, to me, if they want to go down and sort of be remembered and have a legacy, the legacy is not going to be in government efficiency. It's not going to be in cutting spending. It's going to be Could this be the first administration that actually passes federal cyber security laws? Could this be the first administration that passes a trillion dollar cyber infrastructure bill that rebuilds our cyber infrastructure.
But you're right.
Until we start taking this seriously and Congress and the White House and everyone starts realizing that cybersecurity is the number one problem, we're going to continue to have these issues and continue to be vulnerable.
This is exactly right. And I'm really delighted that we had this conversation because I think you put your finger on one of the great challenges of the next ten years. And I want to thank you for joining me. Your book, Cyber Crisis: Protecting Your Business from Real Threats in the Virtual World, is available now on Amazon and in bookstores everywhere. We're going to feature a link to buy it on our show page, and I want to let our listeners know they can follow your recent work by visiting your website at Dr. Eric Cole dot org. Thank you so much for being here.
My pleasure, thank you for having me.
Thank you to my guest, Dr. Eric Cole. You can get a link to buy his new book Cyber Crisis: Protecting Your Business from Real Threats in the Virtual World on our show page at newtsworld dot com. Newt's World is produced by Gingrich three sixty and iHeartMedia. Our executive producer is Guernsey Sloan. Our researcher is Rachel Peterson. The artwork for the show was created by Steve Penley. Special thanks to the team at Gingrich three sixty. If you've been enjoying Newt's World, I hope you'll go to Apple Podcast and both rate us with five stars and give us a review so others can learn what it's all about. Right now, listeners of Newt's World can sign up for my three free weekly columns at Gingrich three sixty dot com slash newsletter. I'm Newt Gingrich. This is Newt's World.