Eric O’Neill has a story or two. As an FBI investigator, O’Neill developed a reputation for capturing some of the most sinister cybercriminals in the world. Most notably, he was instrumental in taking down notorious cyber spy Robert Hanssen, accused of selling secrets to Russia for more than $1 million. The case was later turned into a Hollywood movie, “Breach,” starring Ryan Phillippe as O’Neill.
Today, O’Neill is a successful attorney, security consultant and professional public speaker—and will be a keynote speaker at CompTIA ChannelCon 2019, held Aug. 5-7 in Las Vegas, where he will talk his career, spies and cybersecurity. In preparation for the event, we caught up with O’Neill to ask him about the current state of cybersecurity, how solution providers should be protecting their customers—and what it’s like to be the basis for a Hollywood movie.
What is the No. 1 cybersecurity threat facing our nation today, and why?
Foreign cyber-attacks and espionage pose the largest threat to U.S. security. Over the past two decades, Russia, China, North Korea, and Iran have all made massive investments in cyberespionage and the ability to launch disruptive and destructive cyberattacks against the critical infrastructure of rival nations. A recent February 2018 report by the Council of Economic Advisers to the Whitehouse pegged the cost of cyberattacks to the US Economy between $57 and $109 billion in 2016. Each year the losses grow. The United States has made great leaps forward in our offensive and defensive cyber capacity, but foreign investment in attack capability continues to outpace the United States.
Is cybersecurity protection technology keeping up with the threats?
Not all cybersecurity is equal. The best cybersecurity is innovative and balances defense and response with robust threat hunting. As a young FBI operative, I went undercover to help catch Robert Phillip Hanssen, a 25-year veteran of the FBI who had been selling secrets to the Russians for decades. He was the worst mole in U.S. history—and the first to take advantage of holes in the country’s cybersecurity infrastructure. Hanssen and I spent a lot of time together during the case, and he often pontificated about what he called Hanssen’s Law: “the spy is in the worst possible place.” That is, spies will seek out the secrets that will do the most damage in order to sell them for the most money. The cloak and dagger espionage of the past and today’s modern cyber espionage share the common goal of proving Hanssen’s Law correct. The only difference is in the methods of obtaining that information.
Hanssen taught me that counterintelligence is not won by defending against threats, but by actively hunting the spies wherever they hide. Decades of security work and investigations have proven my former mentor and target correct. If we don’t hunt the threats, they will hunt us. Our traditional, defensive approaches to cybersecurity that rely on protecting a perimeter are outdated, expensive, and fail against modern cyberattacks. We need a different playbook. Just as spies once took lessons from hackers, cyber professionals must become expert spy hunters.
Do you think that businesses take cybersecurity serious enough? Why/why not?
I think businesses are starting to wake up to the enormous cyber threat but are still slow to dive into robust security. It’s an unfortunate industry rule that security is often the first area to undergo cuts and the last to receive significant investment. The extraordinary costs of addressing, responding to and surviving a breach are exponentially more than the costs to protect against breaches through security investment. Cybersecurity is one of the most critical value investments a company can make.
The cyber threat is also growing. Today, there are no hackers, there are only spies. The hackers of yore have gone off to join cyber security companies and found startups. Spies have stepped into the space left behind: intelligence service experts trained to use traditional spy craft to recruit individuals at targeted organizations and steal their access to information. These spies are sophisticated, devious, and well-funded—and they’re behind all the major security breaches we’ve experienced this century.
Are small businesses at the same risk as large enterprises, or more/less risk?
Attackers don’t care about the size of a target. They only care whether you are vulnerable. Criminals and spies don’t get paid unless they win. They will therefore always seek the easiest path to victory.
What’s your advice to solution providers audience trying to secure their customers’ data and networks?
Over the years since my time locked in Room 9930 at FBI headquarters with the worst spy in the FBI’s history, I’ve spent a great deal of time reflecting on the lessons Hanssen taught me about espionage’s cyber revolution. In the years since, I’ve updated Hanssen’s Law to fit our modern espionage problems. In my book “Gray Day” (as a nod to my old boss) I call it O’Neill’s Law:
Hacking is the necessary evolution of espionage
There are no hackers, there are only spies.
We must hunt the threat before the threat hunts us.
Because the spy is always in the worst possible place.
BONUS: What was it like having Ryan Phillippe play you onscreen?
I was very fortunate to have Ryan portray my first face to the world. He’s remained a friend over the years since we spent time shooting "Breach" in Toronto and Washington, D.C. Since then I’ve carved my own path forward as a professional speaker and author, but it’s still good to have friends in high places.
Catch Eric O’Neill at CompTIA ChannelCon at Bellagio Hotel in Las Vegas, along with Shaquille O’Neal, and more than 1,500 IT industry experts. It’s your best opportunity to hear about all the latest innovations and solutions, as well as network with the channel’s leading solution providers and vendor executives. Learn more!