A former FBI investigator who helped expose Soviet double agent Robert Hanssen[1] warns that enterprises should give up worrying about hackers, “who are now the good guys”, and be more worried about spies.
Veteran spy hunter turned infosec exec Eric O'Neill said that espionage has evolved and become increasingly digital as hackers have become key in exposing security bugs through bug bounties and the like. The evolution of the threat landscape has happened without corporate security mindsets catching up, he says.
Too many enterprises continue to think that they aren’t important enough to become a target for cyber-espionage from so-called APT groups but this mindset is wrong and needs to change, according to O'Neill, who argues that reconnaissance followed by spear-phishing or other social engineering attacks has become the go-to spying method of the 21st century. Much of this is targeted towards industrial espionage with China and (to a much smaller extent) Russia primarily to blame, he says.
O'Neill, the national security strategist for endpoint security firm Carbon Black, described last year’s China-US “no hack pact” as a “joke”.
“I don’t believe there’s anyone in the US government [who] thought China would stop spying,” O'Neill said.
“Chinese firms don’t invest in research and development. They’re not interested in innovation themselves,” he claimed.
O'Neill claims China is playing the long game with hacks against American health insurer Anthem and the US government’s Office of Personnel Management last year. China has said the attacks were carried out by China-based criminals rather than state-sponsored hackers. But O'Neill insists that both breaches were about long-term intelligence gathering and perhaps ultimately aimed towards cultivating insiders as assets rather than the theft of trade secrets. Real world examples of the latter are not hard to find.
The attack against US retailer Target, which relied on breaching its systems and stealing credit card data after first hacking into its heating and ventilation contractor, is also more a case of espionage than a "conventional" hack, according to O'Neill.
“You need the right mindset and extraordinary efforts to prevent loss,” O'Neill said. “Attackers are spending more time and energy on more sophisticated attacks.”
The bad guys are not playing by the rules. This is a particular problem because security as a whole is too reactive and slow to adapt. “We need to do a better job at protecting ourselves,” O'Neill concluded.
O'Neill served five years in the FBI prior to leaving just before 9/11 (“I’d probably still be at the agency if I hadn’t left beforehand,” he said) to work as a lawyer before moving to a security consultancy. In his new role at Carbon Black, O'Neill will be focusing on raising awareness of cybersecurity within governments, helping to shape policies around national security.
[1] Hanssen was a hacker during a time when the FBI didn’t do computers, according to O'Neill.