Inside the FBI Playbook
Season Three · Episode 5

In a world where cybercrime is a business and national security secrets are often hidden in plain sight, this episode uncovers the gripping intersection of espionage and cybersecurity.

Transcript

Raghu Nandakumara  0:12  

Hi everyone. So welcome back to another episode of The Segment. This time around, I am so excited to be speaking to Brian Boetig. Now, Brian has quite a storied career — 35 years of national security, public safety, and consulting experience, including as an FBI Assistant Director, a United States diplomat, CIA liaison officer, state, municipal, and University Police officer, and a partner with an international business advisory firm. He's currently the Principal Advisor at Global Trace, a bespoke advisory firm. So that's a lot of three-letter acronyms that he's been involved with, and I'm really excited to see what stories he's able to share with us today. Brian, welcome to The Segment.  

Brian Boetig  1:01  

Well, thank you so much for having me. It was very nice for the invitation, and I look forward to sharing some of the stories that have been told many times, and some that maybe haven't been told or weren't as relevant as they were years ago, that they might be under today's environment.

Raghu Nandakumara  1:16  

Fantastic. We can't wait. So, it's interesting, just as we're recording this, Brian, I've been, I'm sort of hooked to a particular podcast I've discovered recently, “The Rest is Classified,” which is hosted by, I think, like an ex-British Secret Service agent and a, I think, a former U.S. CIA agent, right? It's fantastic. And just, sort of just as they discuss various aspects of spy craft and some real, real mission. So, I found that really interesting. So, in fact, let you say, like share with us, you probably like a story that you can share from your experience. Why don't we start there to see how it shaped you?

Brian Boetig  1:52  

Well, I will tell you one of the, one of the stranger stories I have related to one time when I was in DC. This was, this was actually pre-9/11 with Robert Hanssen. And Robert Hanssen was the FBI spy who recently just died in prison, but was convicted and sent to prison for life, but he was turning over information to the Russians. And the story is probably not going to go where you think it's going, but my wife and I were in DC walking our dachshund. This was before we had children, and a gentleman came up to me, and he also had a dachshund. He wanted to breed this dachshund. So, my wife had a conversation with him while I sort of ignored the whole conversation. And then she told me about this conversation. I was sitting in the park while she was walking, and thought nothing of it till I got home. And again, this is early, this is 2000, is right after Robert Hanssen was arrested. But pre-9/11, and I got home, and I had three calls on my caller ID box from the Russian Federation, which basically the Russian embassy. Turns out the guy with the dachshund was a Russian who worked at the embassy. And all I could think was, during this Robert Hanssen era, when there was increased scrutiny on people, and now I was tied up in this event with the Russians, which, you know, they're now calling my house. I'm figuring out what type. So, I had to go back and report this to the FBI. And it was really funny, because I took their guidance and they asked, you know, I asked them what I was supposed to do. And they said, well, “Let's keep this going.” And so I found myself the next weekend walking my dog in front of the Russian embassy, you know, back and forth. And I just kept thinking, everybody is watching this, from the Russians, from the US spy agencies, somebody, somebody's got to be protecting me. And it was just, it turned out to be one of just the most awkward situations. He then came and we went back to the park, and the dogs didn't quite engage like we wanted them to.
There might have been a, possibly a language barrier, I don't know what it was, but it was just, it was just the timing of everything. And you know, many of your listeners probably remember the caller ID box and just coming back and seeing those at a time when there was just increased scrutiny and heightened awareness around the Russians, which hasn't stopped in, you know, when I was in, when I was stationed over in London, we had the nerve agent attack with Novichok. That was 2018 and, you know, you look at today with the Russian Ukraine war, and where that sits, and sort of some of the U.S. engagement on that in, you know, recently. So it's just, it's funny how the spy game never stops. And it can hit you at any time that you least expect it.

Raghu Nandakumara  4:30  

Absolutely! Oh, that. That's brilliant. What's all this sort of Russian American engagement? Oh, nothing. Our dogs just want to breed. That's all. It's just a dog breeding ring.

Brian Boetig  4:38  

The hard part was I couldn't really, I couldn't tell my wife what we were doing either, so that she had, she had plans for the next weekend, but we'd already arranged to get back there. But just, I really just felt awkward just walking back and forth in front of the Russian Embassy in DC, walking this dog, and thinking that at some point I'm going to pick up the dog and just throw it over the gate, you know and going to run in there and do something. But just the spy game is just it takes you on very weird twists that you would never expect. And you know, a lot of these TV shows that you watch and think that's pretty unrealistic, I watch them sometimes, and maybe some of the dramatic elements of it are unrealistic, but nothing is too small to end up turning into some type of engagement or counterintelligence activity.

Raghu Nandakumara  5:26  

That's brilliant! Okay, Brian, I'm going to say right now, hands down that is the best, not just intro that one of our guests has given us in now what will be the third season of the podcast, but also probably hands down the best story. So, any of our former guests, whoever I challenge you, to come on and share a more amusing and sort of crazy experience than that.  

Brian Boetig  5:53  

All it takes is buy a dachshund and you'll end up in ridiculous situations like that.  

Raghu Nandakumara  5:59  

That's pretty I mean, just going back to that podcast I was talking about, and in fact, it and in fact, it's based on the current episode I'm listening to is based on the book. I'm sure you've read The Billion Dollar Spy. And just the description in that of sort of the various bits of spy craft that they're trying to use in order to first engage with the asset and then exchange information. It's the creativity is incredible, right? It kind of feels like games that kids play, right? In order to exchange information in one of the most sort of, I guess, tense theaters, or at that time in the 80s in the world.  

Brian Boetig  6:33  

Yeah, the crew recruitment process is very, very creative, and you will spend weeks and months, sometimes just role playing, engaging and discussing an interaction that you're just happy, you just hope as a happenstance brush encounter somewhere that's going to last less than five seconds, but sometimes you've put, you know, five, six months of work just into making sure that that happenstance brush encounter at a grocery store or in traffic is successful. The amount of creativity, but also logistical work that goes into that is amazing.  

Raghu Nandakumara  7:13  

Absolutely. So, I mean, because, like, particularly, like, when we see it on films and again, right, what we've consumed and sort of in the media and in books, so much of spy craft is actually like the, it's all those sort of the psychological and the physical contact, etc. How does that then, like, as the world is increasingly cyber, right? And spy craft moves into the cyber, how does that change? What’s the evolution of spy craft to keep pace with the cyber world?

Brian Boetig  7:44  

What's interesting is there's still a very behavioral element. Even in cyber and in the FBI, there's a group that everybody knows from watching decades of Criminal Minds, the Behavioral Analysis Unit, and they have a group that specializes in cyber. Because even when you have people producing malware and other types of code that are in there, there's a signature in there. That's, you know, the way people, just like a hand, just like doing a questioned document handwriting analysis, there's a signature in code. And different code writers will either advertently put in their name in there, somewhere or something that identifies them, or they don't, but they don't do it advertently, but they're, they're putting it in there subconsciously, the way that they write it, the way that you write the letter A on a written document, you know, the same way someone would write that in code helps identify who they are. So, there is a behavioral analysis element to reading code and scripts that are written, that is, it is a growing field that's just absolutely amazing.

Raghu Nandakumara  8:55  

I guess it's also around, like other behaviors, and there's, as you say, those sort of signatures, those telltale signs that attackers leave, or help identify them. But also, how have you noticed the tactics or the behaviors of cyberattackers evolve over the years?

Brian Boetig  9:13  

There's been a business model that's really been created out of cybercrime. We, when I look back to originally, when a lot, a lot of the work that we were doing the first cyberattacks were just website defacements, which now seems so petty and easy to absorb as a business, but it's really moved into a business model. I've been, you know, I've been working ransomware for the last 10 years, both, you know, in the FBI and then as a consultant, and you have to realize that it's still human beings behind here, and they're running a business. And it's the same thing. My first assignment, when I got into the FBI, worked on the extraterritorial squad, which was one where we worked the extraterritorial jurisdiction of the FBI. People sometimes think of extraterrestrial, but it's extraterritorial. So outside, outside of the United States, where we have jurisdiction, so in countries where people are murdered or kidnapped, and the FBI has, the US government, has jurisdiction to investigate those. Now, we did a lot of kidnappings, you know, for ransom, a lot of them, you know, in Africa, where you knew which group would kidnap somebody, and you knew exactly what they wanted. You know, they would ask for 10 million and you knew you could settle for five and you get people back, you know, unharmed, and just because you had intelligence in this group would do it repeatedly to, you know, American tourists. The same is what happens in ransomware these days. A ransomware happens. You go in, you figure out, okay, this is whatever group it may be. And you know, okay, I've talked to all of my counterparts in the FBI or in the other advisory firms to understand this one. This is exactly how they're going to operate. Within 24 hours, they're going to send the follow-up email. They're going to threaten this. They're going to ask for 10 million. Here's what other people are paying when they pay. This is what happens.
You know, they either are done and clear, as clear as you can be in a ransomware, or then you're going to get the secondary, you know, notice that now, you know, we've unlocked your computers. But now if you want to destroy your data, so you understand the cycle. So, it's really a business, and cybercrime has turned into a business model. You look at, you look at what North Korea, I mean, North Korea is raising funds through low level, petty cybercrime, and that's how, that's how they're funding their country at this point. So, I think of cybercrime really, as a business, even in some of the stalking cases or, you know, exes that are putting up, you know, dirty pictures of their private pictures of their, you know, exes and stuff like that. It's, it's revenge, it's revenge. But there's also some level of business to it as well, too. They're trying to get something out of this person, whether it's, you know, frustrate them more, or, you know, potentially get them to pay them money. So you have to really just, I look at it as a business model, and that's the best way to sort of counter it.

Raghu Nandakumara  12:04  

That's really interesting, right? Because I think that you're then able to sort of almost replicate, or at least on the defender side, replicate that business model, and sort of identify where it's best placed, to essentially break the business, right, or hinder that hinder that business, like, where in that chain do you put your do you sort of, do you put your focus in order to stop them being productive? Is that how you approach it?

Brian Boetig  12:29  

I do, and it's, if you think about it from a business model of being a criminal, it's so much safer. If you were to break, I use this example quite often, if you were to break into a convenience store, you know, in the UK, into a grocery store, if you stole money from Tesco in the UK, or 7-Eleven in the US. You broke in and either physically robbed from the clerk, or when they weren't there, you went into the safe and stole $50, you'd have an army of police show up, because that's very comfortable to the police, and they'll take fingerprints, they'll interview, they'll pull video. But if that same Tesco, that same 7-Eleven had somebody steal a half a million dollars, you know, in cybercrime, you know, from a, from a cyber perspective, break in and steal, you could call the police, and in most jurisdictions, the police are going to raise their hand, say, I don't know what to do. This is, this is what we do. So if you're, if you're, of course, we're not trying to give criminals advice here, but you're much more apt to get caught in the physical world than you are in the cyber world. It's a work from home job. You can do it from your computer. So the challenge is, you're victimizing people in the cyber world, which is ageographic. In the physical world, you have to go someplace and go and do something, so your pool of victims becomes the world, as opposed to just the city or town that you live in, or you don't have to travel and get someplace. So that's why you see smart organizations that traditionally were in outlaw motorcycle gangs, you've seen that move into cybercrime. You know, they do a lot of still doing a lot of drugs and a lot of violence, but they're also doing cybercrime because it's safe and it produced this money. So just an interesting world to do. But I always look at cybercrime first as a business, because it's easier to understand and then try to pick apart parts of that business that way.

Raghu Nandakumara  14:21  

Yeah, I agree, and I like the way your analogy of or the way you said that cybercrime is the ultimate work from home business, right? You can be very, very far away from your I guess, ultimately, what's going to generate your profit, very safe from it, but sort of keep, keep taking it home every day, right?  

Brian Boetig  14:40  

I was a university, a city and a state, you know, police officer, before I joined the FBI, and you're really focused on your jurisdiction. So, when you have somebody who is the same, you know, in the UK, the UK is a little bit better with just 43 agencies and a little bit more coordination, but you've got 17,000 law enforcement agencies in the United States. And they're worried about things that are bleeding and, you know, things that are stolen physically from people's houses. And once it crosses from one city to another state somewhere else, it just, it would drain the resources of a police department to be able to do that. So there's just this dark underbelly of cybercrime that goes unenforced. And even, even the higher crimes, sometimes they don't meet the threshold for prosecution at the federal level. So if you stole the analogies to give, if you, if you used to find, you know, 100 pounds of marijuana on the US border, maybe in Montana or Idaho, that's a big case. You know, if you're the Border Patrol, and you find 100 pounds of marijuana on somebody on the southern border, that's just like a warning, like, “Hey, guys, pour that out. Get rid of it.” You know, it's just each federal district and where the crime happens, and the dollar value associated with it sort of drives the prosecution. So, you know, you're not gonna, in New York City, the Southern District of New York is probably not going to prosecute white collar crime for $50,000, $100,000; they probably have a million dollar threshold before they're even going to open a case, which then, if you know where that sits, that's where you can operate and really get the work with impunities for the most part.

Raghu Nandakumara  16:18  

Yeah, I really liked the way you sort of express that, right? It's when you're operating from a sort of, when you're targeting something from outside that jurisdiction, you almost you're not evading law enforcement, but the cost of law enforcement to do something about it just, just gets so much higher, which means that you can almost do things repeatedly till it reaches that reaches that tipping point.  

Brian Boetig  16:43  

You see it physically out in California, in California where they raised the bar of what you got arrested for, for shoplifting, you know, it was like $950 or everything else under that was just a ticket, you know. And so, shoplifting went through the roof because everyone said, “Well, we can do it. They're not going to do anything about it.” So that's where we are in cybercrime. There are not enough people doing stuff about it.

Raghu Nandakumara  17:03  

So do you think, like, so just, just on that subject, then right? We often get, I often get asked about, I feel it's almost every month, there is some other article or a journalist says, Oh, right. Like, okay, ransomware, should organizations pay up or refuse to pay, right, and or like, and should they be fined if they pay? But should we put in place a law that says never should ransomware be paid? A ransom be paid right? Where do you sit on that?

Brian Boetig  17:33  

When I was with the FBI, I wasn't able to sit on it, and I wasn't allowed to tell as we were working the cases. I wasn't allowed to give a business or an organization that guidance, they had to make that decision on their own. Then I switched over to doing some cybersecurity consulting, and I ended up in that place quite a bit, and I got to sit in the seats listening to the CEOs and CFOs driving those decisions. It really comes down individually. I don't think you can give a blanket because we had, you know, we were working one case where a law firm had been the victim of a ransomware, and had they not paid, they would no longer be in existence. Right? Exactly, their proprietary information, attorney client information was taken, and so reputational damage of that being released. In addition to not having access to their information, they just, from a business perspective, they couldn't exist without that back, and the only way that they felt like they could get it back was to pay the ransom. There's others that have done a better job of having backups and not. One of the worst things a company can do is just store data, that they know that they no longer need and just holding on to it. Because then, when you become the victim of some type of intrusion or ransomware, you have decades of data that you're now responsible for notifying millions of customers who you're not to know. Your ex-customers, they're not even your customers anywhere. You have nothing to do with them anymore, but now they're the victims of a crime because you didn't get rid of it, but you have companies that are very well prepared for it. They do good with their data governance, cleaning that up, and then if they do get hit with ransomware, they've got the ability to self-recover and rebuild and maybe lose a day's worth of work, as opposed to your months. So I've sat and seen both sides. I would never say you're never going to pay the ransom. 
And even going back to that example of kidnapped, you know, Americans that I was working sometimes ransom. You know, ransoms were paid because you’d get it down to $5,000 like, hey, $5,000 again, we still couldn't give the guidance on that. As a government official, people had to make their individual decisions on that, but it was really sometimes the best way just to resolve an incident.  

Raghu Nandakumara  19:47  

So I guess right then, just the last thing on this, this particular item, is that, then this talk of sort of ransomware payment bans coming into effect, I feel that that's probably not productive in the way that people assume it would be, because they feel that it's going to put the criminals off. But in fact, I think it's going to make it harder for organizations to take a nuanced position and do what's in their best interests.  

Brian Boetig  20:13  

It's going to take a major tool off of the table, and if, surprisingly. Now, in consulting, I found out that a lot of people don't want to engage law enforcement when they're the victim of a ransomware. So even the ones that I was seeing in the FBI, I knew about those. But there, there are so many that I was working where law enforcement was not engaged, the company made a strategic decision to just go at it on their own. So, taking that payment off the table, you could potentially double victimize somebody who's been the victim of a victim, they made a business decision, and now all of a sudden, they're going to be the ones that are being penalized again. So it really takes a business tool off of the table. You could de-incentivize it. And there's ways to do that with to ensure, you know, the cyber insurance is sort of a wild wild west of, you know, payments, and who pays, and how they pay, what you've done before they're going to pay. So, you know, you could de-incentivize making the payments through certain ways. But I don't know that making it, you know. And again, if your child was kidnapped and they were being held by, you know, ISIS, and there's you're not supposed to as Americans, we're not supposed to be giving ISIS any money, you know, if the, if the way to get my child back was a payment, and even though I'd be then providing material support to a terrorist organization, I’m getting my child back, you know. And so I don't know that taking options off the table is going to make anything better for companies.

Raghu Nandakumara  21:43  

Yeah, no, I agree, right? And I think that there has to be that flexibility to allow organizations to make the most, the most prudent decision. Otherwise, they don't have sort of, I guess, that the armory or the options available to think things through fully, right? And it's, and they may be taking a suboptimal approach. You touched on, touched on cyber insurance. And you've, you've kind of spoken a lot about insurance and like, and sort of that this is such a gray area, right, as a cybersecurity vendor, right? It's, it's always interesting to sort of have those conversations around, like, is having a control in place? Is it driving down cyber insurance? By how much? What is the obligation of the insurance provider in various scenarios, payouts, and so on? So like, what’s your perspective on just cyber insurance in general, the market today, whether it's a benefit for organizations, is it providing the right kind of cover? This is such a vast subject. What are your thoughts?

Brian Boetig  22:45  

It's very tedious, and I think I've noticed everything I give you. I take it into the real world for a second. So, I have, I have two teenage drivers and one driver in their young twins, that are on my insurance. So my auto insurance, if they're driving and they get into an accident. There's even if they're not wearing their seat belt, which they should, and I hope that they are. Insurance sort of still covers it. Even if we're at fault in an accident, it still gets covered. I found in cyber insurance that there is an initial period where a lot of the providers and brokers are looking to see if there was something that wasn't done that we required? Now I'd have to go back and read my cyber but my like auto insurance policy, and it probably says you have to be wearing your seat belt. You should and you should be wearing your seat belt. But the cyber insurance comes in, and I found with several of them, the first thing they do is try to figure out, how are we going to get out of doing this? Did you not have something that was because it's become the cost is so much for a payout on a cyber, and then it's also very limited on what they will do. So they'll bring in somebody, but they're only going to help you either find what went wrong and mitigate that particular thing, even if they found 10 other things wrong, or they're going to get you back up and running, but then they're not, you know, back up and running is different than recovered, you know, and resiliency, there's, there's usually, you know, months and months of fixing. So it covers a limited portion, which is, which can be helpful. But so often we're four or five days into an incident, and we're still trying to figure out if cyber insurance is going to pay something, or how they're going to do it. And so, it's an evolving, you know, field that's just become so expensive because you're paying out a $3 million ransom, you know, is our ransom, except covered under our policy? Well, they are, if you did this. 
So I find the policies to be complicated, and getting more and more complicated and limited and requiring that companies, you know, if I, if my kid's driving down the street, they get in a fender bender, they weren't wearing your seat belt, it would be like, well, sorry, you had to be wearing your seat belt. Now you've, you're bringing up medical costs and everything else, so we're not paying this particular one. Or, yeah, you, you didn't follow this particular traffic law. Well, that's why we were in an accident. So, yeah, just it's a very complicated world that I think is just, if you, if you have cyber insurance now, and you can keep that policy, I would keep it because I can only guarantee it's going to get more expensive.

Raghu Nandakumara  25:14  

I mean that just what you've expressed there about the complexity of cyber insurance in terms of, sort of what it actually covers, and just because, like we all know, right, the number of cyber incidents is growing, quite literally, on a daily basis. And to feel that, we're buying more and more cyber insurance, but I think your comments sort of imply that a lot of that investment in cyber insurance is probably not giving us the cover we think it does. Which, I think, is concerning, because I think the expectation is probably I'm covered at this level, whereas in reality, you're covered here, which means that's a massive gap that only one person is paying, and it's not the insurer.  

Brian Boetig  25:59  

There is a lot of misunderstandings of cyber insurance policy. So one thing we did as a consultant is we would walk through a cyber incident and the cyber insurance policy. And interestingly enough, one of the hardest things was for the company to find a policy at times. And that's when, that's when the systems weren't even all locked up with a ransomware. You know, I was like, “Okay, where's the cyber insurance policy?” “I don't know who has it, DC has it.” No, nobody can find it. So just that's from a consultant’s side, that was great, because you can bill them for four hours while they're just trying to find a policy. But then pulling it out and trying to walk through and understand what's covered and what's not covered was very, very complicated. And then there were lots and lots of follow up calls that you had to take, and even the broker sometimes, you know, “well, if you've done this or you've done that.” It's very complicated, and most of the times that cyber insurance was used on engagements that I was on as a consultant, they would end up having to hire somebody else or pay out of their own pocket for additional work that wasn't covered under the policy to be able to, you know, it gives them an incident response, but it doesn't necessarily cover all of the recovery and the resiliency that takes months down the road. For that law firm I talked about before, they didn't have cyber insurance, but we had to end up building an entire new network for them while we're doing the ransomware, we're creating an entire new network so they could communicate with their clients, and it was easier just to scrap the old system and build a new one, but that would have never been covered under insurance policy.

Raghu Nandakumara  27:32  

That's crazy. I mean that that quite literally, is kind of the worst case scenario as an organization is where, literally, your entire infrastructure is worthless because you just can't trust anything that you have there, and you've got to build from scratch. I mean, like, it's something that you never want to have to, want to have to do. But I'm wondering then because there's obviously, like, the whole concept of cyber insurance, and it's like, the question is, like, as an organization, do you have it? Is it like and there's obviously it shouldn't just be part of your general insurance policy. You need to have dedicated specialist cyber insurance that you have the right cover. But do you think that as a result of this, that we're probably going down, or we're actually adopting bad habits? And what I mean by that is that we're looking to mitigate the risks that we have in our environment, right, and putting the investment into that. Instead, we are far more focused on finding a cyber insurance policy that is going to essentially accept or we're going to just transfer the risk of those essentially those vulnerabilities that we haven't that we haven't fixed. Do you think we're trying to solve for the wrong problem?  

Brian Boetig  28:45  

Yes, because insurance is never going to be, is never going to be the fix. Yeah, just exactly when we talk about risk, you can either accept it, you can eliminate it, you can transfer it, and transferring it is not for most businesses that I've dealt with, you know, any, any Fortune 500 company, you can't deal with that. And most, you know, medium-sized companies, you don't want to just transfer that risk, because you're basically saying, I'm willing to give up my company. I hope you'll just pay me out for it at the end of the day. It should be a wakeup call for the investment that needs to be made into regular, routine IT infrastructure, security, and data privacy on a regular basis within an organization. The problem is, the better you are at it, the less likely you are to have an incident. And then without an incident, you have very little to show, “Oh, look what I saved you from.” So it's, uh, it's sort of that double-edged sword, but it just can't in a world that is so interconnected in where every business has some type of, you know, IT responsibility to the mission and the vision of that organization, you have to invest in it. You have to invest in it as much as you would invest in your workforce and workforce development and sending people to different training things for things that are soft skills. Are you sending people to leadership training or sending them out on other things that are not technical skills, not how to write a policy or how to fix an engine? But investing in some of those soft skills is sort of the functional equivalent of investing in IT from a larger perspective, from an organization.

Raghu Nandakumara  30:23  

And I think along these lines, right? I mean, you've spoken about things like the National Cyber Security Strategy in the US, amongst other things. And I know this part of this covers sort of internal, how the US is own, and that are the public and private sector. The controls and defenses get stronger, right? So, how are strategies like that? How do they then make their way into real sort of execution, right? So that we sort of see that step change in the reduction of cyber risk.  

Brian Boetig  30:57  

It’s really at the C-suite level. It has to be top down. What’s funny when I was in the FBI, and back in 2012-13, I ran the National Cyber Investigative Joint Task Force, which was 40 US agencies. Then we ended up bringing a couple foreign agencies, and we collaborated on a variety of different threats, primarily focusing a lot on China, Russia and North Korea, as well as a few other, you know, a few other places. But we used to bring in CEOs all the time, and it was sort of this that time period in cyber was just when we started bringing in the private sector. And prior to that, we used to go out to a company and say, “Hey, just want to let you know Russia's in your network.” And they'd say, “Well, what do you mean?” And say, “Well, I can't tell you more. It's all classified, but just so you know.” And it's kind of set off alarms over there. And then we got into giving, we got into the process of being able to give one-day clearances. We bring people in and give them classified briefings and specifically say, “This is what's going on.” Then we started briefing the C-suite to say, hey, we realized we need our opportunity for insight into what's going on in the world was having the private sector who was the victim of a lot of these intrusions and issues, they would be able to give us back. Should we bring in the C-suite? And again, a little bit more than a decade ago, some of these CEOs had absolutely no idea it was going on in their IT department. At that time period, it was just “Oh yeah. I got Yeah. My IT says I have it.” It was, it was trust, but not trust and verify. It was just “Oh yeah, the IT,” was the answer to everything, was the “IT guy, oh, the IT guy, the IT guy.” But they couldn't tell you who the IT guy was. Even though he was still a senior-level member of the organization, he wasn't brought into the club. So, I've seen that transition over the last dozen years, and where the C-suite is getting far more engaged in cybersecurity. 
Well, one, because they have to, because there is regulated through the SEC and other folks now. So there, I guess that would be an example of a good government intervention or a regulatory fix to a problem, because I remember bringing in, again, a lot of these were Fortune 500 companies, and the CSOs had just really had no idea. And so I think we, I think we have, I think we have some type of, you know, cyber defense, you know, it's like they had no idea. But now you see, there's a whole market of consultants that will go out and just kind of brief C-suites and get people up to speed on, you know, being cyber savvy, I guess, at the C-suite level. But if it's not believed in at the C-suite level, it'll never get taken care of. It'll never get taken care of an organization. You can't push it up because it is not a, it's not a, it is a revenue generator, yeah, but it's a hidden, indirect revenue generator.  

Raghu Nandakumara  33:45  

Yes, yes, absolutely, yeah. And I agree, right? And I think that that shift in sort of now cyber being, to use a term that's overused, a board-level concern, rather than just an IT function concern, I think, has made a significant impact, but I think we are but also, if I think about this from a different way, the security leader, CSO, CSO, whatever their title is, one of the things that they're concerned about is, is that, like security is often a function that doesn't necessarily suffer from a lack of budget, right? But what it does suffer from is, how do I know that the budget that you're using, that with your investment, is resulting in a real reduction in the threat or the risk of attack, right? Because we see all sorts of those graphs, right? You pull up whatever the most recent survey of the cyber landscape, and you see two straight lines, right? One is investment in cyber, right? Nice or like a nice, sort of exponential growth chart, and then cost of cyberattacks, right? Is also a nice growth chart, right? So, when does that change? When do the cyber investments start resulting in the cost of cyber flatlining?  

Brian Boetig  35:07  

I think there is a requirement to really enter into an enterprise risk, you know, strategy management for you has to look at cyber along with every other risk of an organization. And that way, every business manager, so even those that are in whatever the marketing or delivery or supply chain or whatever, whatever the business has to do, you really have to look at it across the enterprise. And that way, when you're ranking risks, you know you will see that IT touches everything. You know, if you're the lead for human resources and you're responsible for everything from recruiting to retirement, so cradle-to-grave HR, there are so many HR functions that are IT and have IT risks in them, but the IT folks can't, the CISO can't own all of that risk. HR has to own that risk. They have to say, “Oh, we're hiring fake remote, North Korean remote employees here, and we thought they were all based, you know, in India.” You know, that's, that's an HR problem. But there is an IT risk to that. Or the Chief Financial Officer, who's, you know, outsourcing and maybe responsible for contracts, and realizing that, you know, we've been duped. So looking at it from an enterprise and letting the CISO say, “Hey, I'm not the owner of this risk. I'm here to be your advisor and help you on all of this risk,” as opposed to making it a singular stovepiped function that this is you're responsible for everything IT. Everything in an organization is IT, whether it's human resources, finances, but looking at from the enterprise risk strategy perspective, I think is the only way to take a lot of those risks that we just call IT risk, because it's really not an IT risk, that's an HR risk, or that's a financial risk, or that's a supply chain risk, which isn't mine as the CISO, just because it has zeros and ones and wires attached to it, that is your risk. I'm here to help you manage that risk, but not putting all of the burden and the onus on the CISO.

Raghu Nandakumara  37:17  

I think that's a great point, because I think, again, I feel that what you're describing here is just an evolution of sort of like the organization's perspective, right? In the same way that sort of that evolution of looking at security being something beyond just an IT issue, we need to look at even cyber risk much more holistically as a core part of enterprise risk and how cyber risk leads into these other things, that nothing is isolated in effect.  

Brian Boetig  37:46  

Yeah, when I used to run the FBI office in Buffalo, New York, and I used to, every Monday morning, I'd have all of my leadership in there. So it was about 40 people in the room, and we would go around and discuss various topics. And it was like, you were in a Saturday Night Live skit, because you go around and the guy who was talking counterterrorism, and then the person would talk criminal and then counterintelligence, and you got the Public Affairs person, and then you'd get to, you know, the Saturday Night Live, the IT guy. And you could almost see everyone put their heads down and start taking notes, like, like this, does you know when he's going to talk about something so technical, and I don't care about it. If our IT didn't work, people didn't get paid because they couldn't put their time in. Yeah, you couldn't fix the cars, because every you know, you had to schedule your car through an app, and the IT guy was the most important guy in the room, and people just didn't recognize that their entire job, their entire function was based on their ability to slap their fingers on a keyboard and do something. Whether it's looking up, you know, intelligence through, you know, on the dark web for our analyst, but you could almost, you know, you would see it. Everyone would then, you know, take that time to, you know, rearrange their seats and everything else, but realizing that his function is one that supports everything else in the organization, really raises the level of importance of what that person does. And the risk of something going down, is it really his? I mean, if the computers go down, yeah, he's the guy. He's going to get yelled at, but the cars aren't going to get fixed, the cases aren't going to get worked and people aren't going to get paid.

Raghu Nandakumara  39:17  

Yeah, yeah, absolutely. And in fact, right, talking about sort of risk and risk management. I actually there's something interesting. You posted it was just a few days ago on your LinkedIn from your time in London. And sort of this was just after the Grenfell Tower tragedy, which is one of the great human tragedies here. And to quote you, or quote your LinkedIn, you said, “driving past Grenfell Tower in London on my way to an event outside, I witnessed a horrifying inferno that tragically claimed many lives, and this devastating event was a result of multiple failures rooted in the assumption that worst case scenarios are mere improbabilities. As risk management professionals in the safety and security industry, our responsibility is to recognize that some degree of mitigation efforts are crucial, even when the probability of disaster seems minuscule.” And I think, and the reason I quote this is because I think this is so important when we apply it to cyber risks and cyberattacks, because I think that the probability of a successful attack is low, but not zero. And the challenge that we have is that we have tried so hard to sort of prevent, prevent, prevent, that we are not properly prepared for when that prevention fails. And when it fails, it fails in a big way, which is why we need to sort of invest far more in mitigation, in how do we contain the impact? Right? Is that your perspective?  

Brian Boetig  40:53  

It is. I'll take you back to the two most shocking incidents in my law enforcement career that just really shocked my conscience, that were unbelievable. It was 1995, the Oklahoma City bombing. I was a police officer in Alabama at the time, but I remember turning on the news and just looking at the building and just not thinking that that was even possible. And then subsequently, you know, 9/11, you know, I was in DC at the time, I saw the first plane hit the tower, it was horrible tragedy. Bad accident there. Then the other one hit. I knew, Okay, that's bad. And then I was a first responder to the Pentagon. But that really just shocked my conscience. That was something that I wasn't thinking of, the possibility of that ever happening. I mean, that is, that is what you talk about, minuscule possibilities. Now I'm sort of prepared for everything you look at in the insurance and healthcare industry. We just had the murder of a CEO, the execution, you know, that was probably not thought of. That was one of those minuscule possibilities of that happening, and it happened, and now it changes behaviors. We used to tell people again, back to my time, briefing CEOs. It was, I tried to make it sort of humorously, almost like an AA meeting, where I'd make them say, “It's okay to be the victim of a cyberattack. It's okay to be the victim of a cyberattack.” Because that was sort of the standard, oh, we've never been, you know, this is, again, the evolution of what was happening in cybercrime and recognition was we never we can't be the victim, because we can't be the victim of any type of attack. So they would say we can't be the victim. And so many companies were, and then I'd walk them in the back room and say, hey, well, we show you where we see that. You know, China is setting up pop points on your network. Oh, my God. So it's okay to be the victim of a cyberattack, it's not okay to not be prepared to mitigate and respond to that. 
So every company has, I mean you, every single company has been the victim of a cyberattack, whether they know it or not, and so it's not, it used to sort of be a stain on your reputation. Now it's okay they've been the victim of a cyberattack, but they were keeping 10 years of data, or they didn't lose customer data, or was properly encrypted. So if you can make it, here I am, I'm, you know, 32-year gun-carrying guy. I can still be the victim of a crime walking down the street. Now, how I respond to that, you know, would dictate, you know, if I, if I fall on the ground and just start, you know, getting the fetal position, start crying, you know, that's sort of the one end. But you know, somebody's got a gun to my face, and I don't have a gun to respond back, then I give my wallet. I give them whatever they want. I leave. I'm alive. I win. I can then recover my credit cards, my driver's license and everything else. So how you respond to that attack? But being a victim used to be a stain on your reputation, or at least people thought so. So just recognizing that you can be, but how you respond to that event will dictate how people look at you.  

Raghu Nandakumara  43:51  

Yeah, I think that's brilliantly put, right, and I think that that's very much sort of, we talk about, sort of like taking a Zero Trust approach to how, like a Zero Trust strategy to inform how you sort of build your cybersecurity defenses. And again, I think that's also rooted in that, right? It's rooted in the fact that the attacker will find a way to get onto your organization's environment, right? So a Zero Trust, adoption of Zero Trust is about, how do we ensure that they can't then move around and access things freely, right? Are we prepared for someone being an intruder, being in our environment and being able to restrict what they can do? And I think also the whole, like, the increasing push for cyber resilience that we see sort of driven, really, from, like, the World Economic Forum downwards, right? Again, very much aligns to that is it's absolutely okay. In fact, you probably will be the victim of a cyberattack, but you absolutely cannot say that you're not prepared to deal with it. I think that's like that statement, Brian, you provided, is super strong. So, appreciate that a lot. And actually, that point before we wrap up, there's, there's one thing I do want to ask you, you mentioned extraterritorial, but you had a slip of the tongue and you mentioned extraterrestrial. So what really is in Area 51?  

Brian Boetig  45:13  

Well, I used to know the sheriff who worked out there. Yeah, it was actually one of the students, one of the classes. It's funny because there was this show that you may remember, called The X-Files, and it'll probably be, it'll probably be regenerated back and forth. The FBI didn't have, they don't have X-Files. There are no X-Files. They do have zero files, which is where you send, it's also sometimes known as the circular file or the trash can. But everything that comes in gets recorded and put down. And there were, I did run into an incident one time where somebody was reporting, they were reporting that they had seen something extraterritorial. So, because they did, we wrote it down, and we put it to a zero file, and then the person would turn around and file a Freedom of Information Act request to see if we had any information on that. And because we put it into the zero file, there was and then that validated his own concern. He said, “Oh, they do have information on that,” but it was just his information. Then he, we would give it back to me and say, Oh, you gotta have more. But because he filed the Freedom of Information request, there was now more because of the request that had gone in. So it was just this circular reporting. And the guy would say, no, they have, yeah, they do have information on this. Well, it's exactly yeah, so it's funny how that just sort of goes around. But in the world of unmanned aerial aircraft now, and what you saw happening or being reported over New Jersey, there is, and, you know, the creation of the Space Force in the US, there's, you know, the opportunity to learn and see a lot more that's going to be happening. You know, we talked about the, I talked a lot about the physical world in cyberspace, but there is a world above the ground and above the buildings that's going to become, as you're looking at Uber and other companies, you know, starting to look at, you know, flying, you know, people around from place to place. 
So it's, it's a whole new world that, again, enters that sphere of what I talked about Oklahoma City and 9/11 sort of that, you know, shocking to the conscience when you when the first time I see, you know somebody, you know, my daughter dropped off from the airport, you know, and in a flying drone that puts around the doorstep over here. I mean, we're not, we're not too far away from stuff like that.  

Raghu Nandakumara  47:16  

Absolutely, well, Brian, it's been a joy to speak to you to hear about your experiences, for giving us the most amusing story we've had on the podcast. But beyond that, just so many really insightful perspectives across sort of cyber insurance, cyber risk mitigation, building resilience, how we think about attackers. Thank you so much for your time.  

Brian Boetig  47:43  

Well, thank you for the opportunity, and thank you for what you do, making sure that other people have the best information that they can to make the best decisions that they can for themselves and their organization. So thank you.  

Raghu Nandakumara  47:53  

Thanks so much, Brian. Thanks for tuning in to this week's episode of The Segment. For even more information and Zero Trust resources, check out our website at illumio.com. You can also connect with us on LinkedIn and Twitter at Illumio, and if you like today's conversation, you can find our other episodes wherever you get your podcasts. I'm your host, Raghu Nandakumara, and we'll be back soon.