It is also important to know which commonplace activities, such as social media, could increase one’s vulnerability to these attacks. As a result of the COVID-19 crisis, there is an increased amount of virtual interaction. As a direct result, we see a corresponding increase in the number of opportunities that attackers can exploit. Wagner encourages us to become more aware of our actions online and to take the necessary preventative steps to fight against our prospective vulnerability to such attacks.
Welcome to Non-Beta Alpha. I’m Ryan Morfin and today’s guest is Karl Wagner, the CEO and Founder of Eastern Sky Technologies. Karl is a CIA veteran of 29 years and he’s involved in advisory work for some of the largest family offices in the United States. Today, Karl’s going to share some of his insights for cybersecurity threats in the current environment. This is Non-Beta Alpha. Karl, welcome to the show. Thanks for coming.
Thanks, Ryan. Appreciate being here.
Well, given your national security background, I wanted to chat with you a little bit about the current environment that we’re in. Cyber attacks are increasing right now, all the people working from home, and you’ve done a lot in your career after the CIA to help billionaires protect themselves and their families. In this new environment where everybody is working from home wifi and on their mobile devices, could you maybe expand on some of the risks that we’re facing that we may not be thinking about as well as some of the things that billionaires think about when they start protecting their footprint?
Sure. I’d be happy to. I think we’re seeing basically an intensification of trends that had been already in place over the last few years. Obviously, ransomware is a big issue, and that’s at the top of many people’s minds. You see a lot of that in the press. But I think if we take a step back and think about the strategic framework within which we’re looking at cybersecurity, I think the first important principle is that if you don’t know what the risks are, then you’re not going to be in a good position to defend yourself against them. But as important, and this is something that many people don’t think about, is: what are your crown jewels? What are you trying to protect? Because if you try to protect everything, you end up protecting nothing.
And so if you can focus in the same way that you might have a safe at home where you put the things that are of most value to you, thinking about, what are the things on your network that are most important to you, and you might be able to put things that are not as important on a lower priority. So define the crown jewels, understand what the risks are, and then pick a framework. Frameworks sound dull and boring, governance sounds dull and boring, but they’re actually exciting. Why? Because all of the worry that you might have in the middle of the night, if you don’t worry about this in the middle of the night it means you simply haven’t been hit yet, can be put somewhat at ease if you pick a framework.
There’s many of them out there. The NIST framework, the CMMC framework, just Google cyber framework and it gives you a to-do list. So those are your chores. Just like you do chores around the house, those are your chores for your cyber posture. Once you pick a framework, once you start to become familiar with the risks, once you know what your crown jewels are, you are in a much better position to move forward. Another way, putting that now as our foundational piece, I’d like to talk just briefly about what are the kinds of attacks that you need to worry about and prepare for. In the same way that now we’re in a pandemic situation, we either did or did not prepare for this, and we need to be preparing for black swan events from a cyber standpoint as well. And in order to do that, you need to know the types of attacks that are possible, the targets of those attacks, and then the origin of those attacks.
That’s one way to split it out and think about it. I mentioned ransomware already. Phishing is another of the most important types of attacks to protect against, and that’s really more of a human problem. It’s about training yourself and the rest of your staff on not clicking on the link, because we’re only as strong as the weakest link in our chain. Everybody makes mistakes, but there are ways out there to test your staff, train them and then test them on anti-phishing techniques. So phishing, ransomware, data breaches. Data breaches are a cross-cutting category, but data breaches are company killers potentially. And some statistics show that if you talk about active shooter events and compare them against data breaches, of course, the human cost and the economic costs are different, but they’re as problematic.
You can talk about millions of records being lost. It can be a threat to your company if that were to happen to you. And then DDoS attacks. So those are really the four main categories to think of: phishing, ransomware, data breaches, and DDoS attacks. As far as targets, critical infrastructure is really what this industry is a part of, and you can consider yourselves top-tier attack targets, because the financial industry is critical infrastructure in the same way that nuclear power and transportation are prime attack targets for these bad actors.
And then finally, just for this initial piece, my comments, it’s important to think about the origin of these attacks. You’ll be lucky if the person attacking you is a common criminal. Why? Because we have advanced persistent threats out there, APTs, and we’re talking about very sophisticated state-sponsored actors of the type that when I was in government we had to protect ourselves against and to combat. I don’t need to name countries or name names because a lot of countries do this for their national security purposes. Some countries’ bad actors actually, in their spare time, will use those same techniques for criminal activities. And so that’s kind of a double hit for us in the financial sector that we need to worry about: state-sponsored attacks and then non-state-sponsored attacks by state-sponsored actors.
So it’s really a daunting backdrop out there, but by doing what I said in the beginning, which is knowing what your crown jewels are, knowing what the types of attacks are, the targets, and the origin of those attacks and picking a framework, you’re much better off to start working down your to-do list, your chores, to make yourself much more impervious to attacks and protecting your customers and fulfilling your custodial duties basically.
Those are all great points as a way to kind of start to think about it. I think a lot of entrepreneurs and a lot of financial advisors who own their own office or business typically outsource a lot of their IT and hadn’t really thought through, or hoped that the people they’ve paid as consultants have thoughtfully put together, a framework. But you said something that really resonates. I think if you look at the Target attack or some of the other larger data breaches, it was the vendor list or the suppliers or the contacts in that business, maybe not the employees themselves, that are the ones that get breached, and some hacker backdoors into a position to take over your network. And so can you talk a little bit about the importance of thinking through what you click through, and talk a little bit about maybe some examples of how people have backdoored into major data breaches?
That’s exactly right, Ryan. Thanks for bringing that up. This really is kind of the flavor of last year and into this year. I think that there’s a much greater awareness of what some of the threats are out there, and people are really starting to batten down their hatches. But you have to realize that your edge is the furthest point that your network reaches, and to the extent that you’re connected to your law firms or to your third-party vendors, or that you’re passing them your sensitive proprietary data, they’re your edge and they’re your endpoint. And so it doesn’t do a lot of good to have endpoint protection on your network when you have an open door for those vendors. So the point is either to close that off or to require it in the contracts with them, and then follow up, perhaps through another vendor that will help you check your third-party vendors, as to what their cyber protections are and what their cyber posture is.
I will say that one of the projects that I did since I left government was for a large manufacturing company, and luckily they were looking carefully at the third-party vendor risk. They found out that their law firm really had low cyber standards, and I think they were in the process of increasing those, but they were able to easily access their sensitive files themselves from outside their own network. So it is something that is very important to think of. The Target data breach is another example of that, the third-party vendor risk. Now, again, I think those frameworks, especially the NIST framework, will include that in your checklist. So pick one and work it, basically, is the bottom line.
And one thing that I think a lot of advisors acknowledge but may not think of themselves as a target, is that the financial institutions that we’re all part of are part of the critical infrastructure as defined by DHS. But one question is, why would a nation state want to hack into a CRM or a data set for financial advisers’ particular clients? What would be the nation state reason to want to run somebody into our network?
Right. Well, I mean, there are multiple reasons. I don’t want to be too pessimistic here, but I did spend 29 years in national security, and I will say that many of us are American-born, U.S.-born American citizens and have a hard time understanding other ways that there are of seeing the world. Some of the advanced persistent threats out there and the state-sponsored actors, as part of their national security strategy, are seeding into our critical infrastructure the ability to stymie us and take down important nodes and entire industries if they need to do so in the event of conflict. So the financial infrastructure is a prime target in that regard. On a more focused basis, some of the techniques used by foreign intelligence services to target their targets, whether they’re Americans or not, include looking at the financial vulnerabilities of their targets.
That’s one of several reasons why somebody might work for a foreign intelligence service and do their bidding, and it gives them a leg up if they can look at the financial status of your customer. So those are two examples I can think of, of others, but suffice it to say, this is important information. If you had all of the financial data and you’re targeting certain people and you can marry it up with other data about them, then it’s much easier for you to go ahead and pinpoint the weakest link in whatever. If you’re trying to target a specific firm, for example, or somebody in a specific city with contacts and connections with the political sphere. It’s a very common practice to do this. You’re collecting data on your target.
And social media is a new tool as well for hackers to socially map a company. Can you talk about why accepting LinkedIn invites from people that you may or may not know could be bad policy?
Yeah. I mean, we’re all guilty of it. I’m not holier than thou. I accepted a LinkedIn connect from somebody who then later I wondered, “Hmm. Who is this guy really?” And I only did it because we had common connects. I contacted our common connects. None of them knew who he was. So I then blocked him. But, basically, it just opens you up for more scrutiny. Now, it’s just something to think through. I’m not saying you need to lock yourself down and wall yourself off. My LinkedIn is fairly open because I want my contacts to see who I’m connected with because I offer in a friendly way to help connect them. What goes around comes around and that’s just the way a good business is done. But you do need to be careful and I think it’s worth sometimes going through some of your connects and just taking some time, maybe a couple of hours, and looking at your exposure there and then going through your settings and thinking through what information you’re projecting and what vulnerabilities you’re opening yourself up to.
Again, it’s just something to think about. I think a balanced approach is usually the best. I wouldn’t lock it all the way down necessarily, because at the end of the day we have to sell, we want to expand our business. But, at the same time, a wide-open kind of devil-may-care attitude towards it is one that’s going to burn you at the end of the day. Because I mean, I’ll tell you for example, one company that I was doing a project for had very sensitive intellectual property, and one way to get that intellectual property is to hack them. What’s a way to hack them? We need to know what kind of systems they’re running on. Is it Linux? What kind of servers are they using, et cetera? Even though they were trying to keep their most sensitive crown jewels locked behind firewalls and not to project what their IT architecture was, they had a couple of programmers who were looking for jobs and they put out there what their expertise was in.
It was very easy to figure out, and they put right there that they were working in this sensitive area of the company, because they wanted to get a job with another company. It was very easy to figure out what the IT architecture was, at least from a foundational point of view, how it was structured, to then give these APTs, advanced persistent threat actors, a leg up on how they might target them through a cyber attack.
And so how often do you think an entrepreneur in his office should be focusing on it? Is it an annual training? Is it a memo coming out when new threats show that they’ve been working in other parts of the world? How often should people be refocusing on this?
I would say all of the above. I mean, there are certain standards that suggest you should make this annual training. The real answer to this is, if you gamify it, that’s the way to success. Find a training vendor or find some open source training tools that are fun, that are easy, that don’t take hours, that aren’t excruciating, and they’re out there, and make it a fun thing. Set up a situation where people get a gold star or something. It sounds childlike, but it still works with adults for helping others, and they don’t feel like fools if they made a mistake in a situation where you have an environment of trust, where people can be willing to come forward and say, “Look, I’m sorry. I clicked on a bad link and just realized. Let’s go and track it down and see if I opened us up to expose us to anything.” So I would say more frequent training that’s somewhat shorter is better than an onerous once-a-year long-term thing that everybody hates. And make it fun.
One question I have for you is that we’re in this remote working environment for most companies right now, what are some things we should be aware of while we’re talking or working on our phone as well as our home wifi networks?
Oh, well, there’s a lot. I mean, again, pick a standard and go through the list. There’s a lot of tips. I would say one of the things is, first, on your home modems, you can change the name of it and the password. That’s a given that ought to happen. The other thing I want to mention is that as IoT really proliferates, the Internet of Things proliferates, the attack surface is exponentially increasing. So you might have the best settings on your computer and say, “Nobody can hit me,” and this is oversimplifying it, but at some point you’re going to be under threat from your microwave because it’s connected through your modem to your laptop. So think about that. And the first line of defense is your wifi and your modem. I would say just be aware. It’s not that hard to put in a Google alert to yourself on cybersecurity threats and realize, for example, there’s a discussion that’s happening right now about certain vulnerabilities in Zoom, which is the most popular video teleconferencing software, the way it’s structured.
I would say that it’s a bit unfair to Zoom because there’s a lot of settings in there that can protect you. It’s just a matter of actually using them and just thinking through what you’re doing and just realizing that there are people out there who want to do us harm. I don’t like to think negative in that way, but this is my industry. I was doing a project for a software company, and it really amazed me after 29 years in government, I thought that people in general are fairly aware of the fact that the cyber world is flat. And so right up against my firewall is not just my neighbors next door, but a guy in Moscow, because there is no geographic separation. And so you need to think in a contrarian way and in a red teaming way about the vulnerabilities that you yourself have and not just assume.
I’ve seen software developers assume, “I did this great program, I put out this product,” and there are all kinds of holes in it. They didn’t think that anybody would try to reverse engineer it or try to attack it, which is surprising. But I think that’s changing. I think people are much more aware, especially of ransomware, for example, especially as a lot of people wake up. The National Health Service in the U.K., for example, had a horrible ransomware attack that it took them a while to recover from. I believe that one was last year. New Orleans, Baltimore, hospitals, one in Greenfield, Indiana, an attack against them. So large cities, small cities, it’s frightening. So just watch out and follow some of these guidelines, and you’ll be better off, and I don’t like to put it this way either, but the lowest-hanging fruit is what the attackers are going to go for. As long as you’re somewhat higher up and you’re working to get higher and higher, you’re going to be okay. Just start thinking through it and applying some of these principles.
You’ve worked with and trained some of the largest companies in the United States on this risk. Can you talk a little bit about how it’s become a board issue, and it’s become a governance issue for executives to pay attention to, as well as the fact that there’s now a cybersecurity insurance industry sprouting up?
Oh yeah. I mean, I’d say it’s about time. I think sometimes there’s a bit of denial until something is made real by looking at actual events on the ground and effects. So what you don’t want to do is wait until you’re attacked to realize that it’s real and to put a governance process in place. Luckily, some of the larger companies, their boards are imposing this, and that sounds like it’s an onerous thing. There is a governance process by which companies really are holding themselves accountable to protect against these threats because of the negative impact on the business. What was the last part of that one, Ryan? Sorry.
Oh, just also touching on the fact that cybersecurity insurance is starting to sprout up as well.
It’s about time for that also. I’ve got a soft spot in my heart for cybersecurity insurance guys and gals, because when it first started that was hard to price, and it’s hard to know, really. We know the risks are out there. Until you get a good sense, as actual events happen, of what the economic cost of it is, you’re never going to be perfect on the pricing. So it’s changed a bit. It’s really maturing. I think this year, we’re finally starting to see more and more sophisticated cybersecurity insurance policies coming out that are well-priced. And, in addition, they come with some interesting services that really help to put you in a better state so that it reduces your risk, which is good for them and good for you, because to the extent they can help you locate your firewall, look at your open ports, go through some of these procedures, they’re going to be putting out less money in claims and you’re going to have better protection for your company.
So I’m just delighted to see this maturing of the industry. And, yeah, I think it’s something that every company needs to be doing: to review what kind of coverage they have now, to look at some of the exclusions, and to just go out and shop around and try to find what would be the best coverage for them, realizing that nothing is perfect. But if you don’t have cybersecurity insurance, when and if you get hit, it’s not going to be a pretty picture for you. And these companies, especially if they’re paired up with or incorporate some technical assistance, can really put you in a good place, and then you can sleep well at night hopefully.
So speaking of sleeping well at night, in your 29 years of government service, and thank you for your service, what are some of the biggest risks we’re facing as a country today and what keeps you up at night in the current risk environment that we’re in?
Well, I mean, we’re seeing one that I think a lot of folks didn’t expect. I’d like to say I didn’t expect it. I knew we’d have a pandemic at some point. Why? Because I lived through SARS. It wasn’t a pandemic, but it was an epidemic in China when I served in China, and it changes the way you think. So that change is happening now on a global scale. And we’ll be fine. I think this will be good preparation for us for a future pandemic that will potentially have a higher mortality rate, not to take away from how tragic this is. I lost a family member myself already to COVID-19, unfortunately.
Sorry to hear that.
Thank you. I guess one way to think about this is, I believe that the cyber realm, if you know about Maslow’s hierarchy of needs, it’s not that new. We’ve had the cyber realm for a while, but it mixes in interesting ways with the physical realm. We have whole online personas, right? And some of us act in a different way online through avatars than we do in the “real world.” There’s money, cryptocurrency out there, it’s about as real as it gets, but it’s in the cyber world. The reason why I’m talking about these two different worlds is because much of the way we interact now going forward is going to be through virtual interactions, and those open us up to a lot more disruption from cyber criminals and cyber harassers, so to speak. And so there’s a merging of these worlds. I think it’s good. I mean, there are plenty of upsides to it. It’s great that we have all this technology.
Imagine in 1918, if we had lived through that crisis, they didn’t have this. So there are different ways to connect. So we’re rethinking that. But another thing I like to just put out as a foundational thought piece is, I like to think of some of these supernational companies such as Amazon and Google as nation states. They’re digital nation states, and to the extent that you use Amazon, or you use Google, or maybe you’re an Apple guy or gal, maybe you’re Microsoft, you are part of a tribe. And the digital world right now with these nation states is really more feudalistic. So if you think back to feudal times, you’d belong to a tribe and maybe you align yourself with your tribe and you had a fort that protected you. But there is some freedom in jumping outside your fort and leaving your tribe and roaming the hills on your own, except you’re exposed to all these threats as well.
I just think that it’s an interesting way to think about the state of affairs in the digital world, because I think it prepares you more for the idea that there’s a lot of chaos out there and a lot of threats, and think about which tribe you’re part of. I’m not saying any one tribe is bad, but when you think about the incentives for those tribes, they go beyond American incentives or Chinese or Russian. They have their own incentives and just know what the privacy versus security incentives and guidelines and policies are for your tribe and decide intentionally whether you like that tribe or whether you want to go out on your own a little bit and realize that there’s some chaos out there and prepare to protect yourself. It’s a little ethereal, I know, and philosophical but maybe that helps frame the way you think about the cyber world.
That’s a great analogy. One final question is, a lot of people talk about the intellectual theft, intellectual property theft, that’s going on between the U.S. and China. You served in Asia, how big of an issue is this and is it something that the country will ever recoup from as it relates to just actual dollars stolen?
Yeah, I think it’s a huge issue. I don’t normally name China. I know there is this theft coming from China. Maybe I’m comfortable naming China and then calling it out as long as we caveat it by saying China’s a huge country with many layers of society and many layers of government. This is a known tactic of the Chinese intelligence services and the Chinese central government so I don’t think that we should paint all of China with this broad brush. There’s a lot of great Chinese Americans or Chinese here helping us develop incredible technology. But it is true that whether it’s China, Russia, or other countries I could name but I won’t, we need to think about protecting those crown jewels. And in some ways our society is not ideally set up to do it because we have really more of an open, and I love that kind of society, and I’m proud to be in it and I don’t want to change that per se, but we just need to be smart.
I liken it to, I might have a neighbor, maybe my neighbor is a criminal, or maybe my neighbor’s son is a criminal. I don’t hate my neighbor. My neighbor is a great guy, but I’m not necessarily going to invite him into my house and then open up my wallet and say, “Here’s how much money I have. Here’s where my accounts are.” But I can engage with him and really enjoy it and be a better person for it and help him with all kinds of things without doing that, and still be careful about what his son is doing, right? So just think about it. It’s not black and white. We need to be able to hold two seemingly contradictory concepts in our mind at once. But they’re not contradictory. You can be targeted by the Chinese Intelligence Service that may want to steal your intellectual property at the same time that you’re doing a joint venture with a company in China.
So you’ve got to be smart. You’ve got to be smart about leveraging the global nature of our economy and engaging Chinese partners if that’s important to your business model, while at the same time not letting all your IP be walked out the back door while you’re not watching.
Well, that’s a message that more of America and more of corporate America need to hear more about. But I appreciate you joining us today, Karl. Thank you for the time, and I look forward to connecting again with you soon. Appreciate you.
Thank you. Thanks for listening to Non-Beta Alpha. Before we go, please remember to subscribe and leave us a review on Apple Podcasts or our YouTube channel. This is Non-Beta Alpha. Now you know.