If ever there was a security professional whose experience in the industry gives him a unique, unprecedented insight into the political landscape of cybersecurity, it’s decorated FBI veteran Eric O’Neill, who is the new National Security Specialist at Carbon Black.
You’d be forgiven for thinking O’Neill’s fascinating security career, in which he exposed a Soviet Spy and prevented the leak of US state secrets to the Russian government, would make for a compelling movie script – in fact, you’d be absolutely right! O’Neill was the inspiration for the 2007 film Breach which portrays his role in unmasking his then boss Robert Hanssen, who was jailed for 15 consecutive life sentences for espionage.
It would come as no surprise then that I jumped at the opportunity to sit down with O’Neill to discuss his background at the FBI, his new role at Carbon Black and the current political state of play in cybersecurity.
O’Neill joined the FBI back in the mid-1990s as an investigator as part of the Special Surveillance Group, where he was a covert surveillance asset following spies and terrorists for five years.
“My final case was the Robert Hanssen investigation where I was asked to do something very atypical,” he explained. “This was to go undercover directly against Hanssen in an office in headquarters, which was a completely and utterly unique investigation for the FBI, the first time they had done something like this.”
“My unique contribution to that case was identifying the information that led us to his final drop to the Russians which gave us the time and date of his next drop of secrets, and that is how we caught him.”
O’Neill said that whilst this brought him some fame, it was not long after the Hanssen case that he left the FBI to complete his law degree before working for DLA Piper, conducting national security law and government contracts law, eventually going on to form his own company, the investigative and security service The Georgetown Group, in 2008.
“I have followed Carbon Black for quite some time,” he added. “So, last year, when Carbon Black asked me to come on board as a national security strategist I realized it was a perfect fit, a perfect combination of all of the different disciplines in my background.”
Moving the conversation onto the subject of the political issues surrounding cybersecurity, an extremely hot topic across the industry at the moment, O’Neill explained that he perceives there to be a distinct difference between cyber-crime, which is often financially driven, and cyber-espionage, which is now a bigger political concern for national security.
“We are seeing nation states playing on an un-level playing field with countries like China and Russia, among many others, backing cyber-espionage and literally attacking our industry, often targeting companies that do not have the security of, say, the FBI or the CIA protecting it.”
“We need to think of the political ramifications of protecting our technology and our industry, and stemming the information flow to other countries and competitive companies overseas who will use it to gain a better economic flip hold.”
O’Neill suggested that a change in attitudes towards privacy over the last few years has resulted in cybersecurity becoming a far more politically-focused issue, citing the Edward Snowden incident as playing a significant role in this.
“We all live in a reality show, and we’ve forgotten that cameras are rolling. Just imagine how much [information] people put on social media,” he argued.
“People have forgotten that these things aren’t private, it’s not just going to your Grandma and your best friend, and it’s going to anyone in the world who wants to look at it.”
“What he [Snowden] has done has caused pretty much everybody to take a hard look at privacy versus national security and question where the balance is, which is going to be a theme that just continues into the future because it has its origins in the very depth of what a federal government should be doing. Is it more important to have national security or more important to have privacy?”
With regards to the role the government plays in cybersecurity and where things appear to be heading in the next few years, O’Neill raised concerns over the fact that none of the candidates currently battling it out to become the next US president have voiced any solid, noteworthy polices on cybersecurity, an issue he believes to be extremely important.
When asked what he observes to be the reason for such little public discussion on this, O’Neill suggested the candidates are shying away from the topic as it’s something they are not sufficiently clued up on, instead relying on a certain degree of vague “lip service” but failing to say how they actually plan to get to the heart of tackling cybersecurity going forward.
“To date, federal government has made an extraordinarily poor job of this – there have been programs and policies put forward by The White House to try to share information and collaborate,” but there hasn’t been really good polices put in place to deal with threats, he added.
I asked O’Neill if he thinks the government can have a greater impact on regulating and improving cybersecurity on a broader scale and why this is proving to be such a difficult task.
“There are two worlds,” he explained. “The world of government contract and the world of private industry. With the world of government contract, you take the government’s money and you are working on a classified program – you are bound by certain regulations in cybersecurity, there is a whole framework that you must follow and you must have in place.”
“That model has been taken up by some companies as it’s a good framework to use, but the problem with trying to broaden that out to the private sector is then you have very significant government regulation on private industry, which we shy away from in the US.”
O’Neill said it is just not plausible to expect the US government to be able to successfully enforce strict cybersecurity regulations that will be suitable for every corporation in the private industry, because not only do many not have the funds to adhere to them it would also require companies to implement some form of control over every one of its employees, even when they are not in the working environment.
“Most hackers are attacking employees when they are sitting at home using endpoints like their computer or iPhone or tablet. So then the government is going to have to say ‘well, you’re going to have to also deploy cybersecurity protection on all your endpoints as well’. Whilst this would be really good for the Carbon Blacks of the world, I think there would be a huge amount of resistance with companies saying ‘give me the money, federal government, to do this’ but the government doesn’t have the money.”
Instead, O’Neill believes the answer lies in private industries working collaboratively with thought leaders from well-meaning companies to form a strong security community, which the government can then strengthen further by also feeding its own threat intelligence into the system, which companies can learn from.