Does Insurgency Ever Favor the Invader? with Nick Espinosa
About This Episode
Nick Espinosa, Chief Security Fanatic at Security Fanatics, joins the podcast this week to share his perspective on the invader, drawn from his many interviews with Ukrainian government members and others on the ground in Ukraine. He also shares insights on cyber attacks against Ukraine since 2014 and how the landscape continues to shift during the current conflict, including potential cyberattack leakage outside the region.
He also dives into the critical communications elements at play, including the internet access that is enabling those on the ground to communicate. He closes the podcast with four recommendations for companies looking to strengthen their security defenses amidst today’s uncertain cyber landscape. Be sure to follow Nick on Twitter @NickAEsp for continuing updates from those on the ground in Ukraine.
[00:56] He Knows All the Things About the Invader
Rachael: We have Nick Espinosa, the Chief Security Fanatic at Security Fanatics. He knows all the things and he's talked to all the people and I can't wait for him to share the insights of everything he knows.
Before we got on the podcast, you were telling us you've been hustling and talking to a lot of folks particularly in Ukraine. You’ve been really impressed with the folks that you've been able to speak to, including members of Ukraine parliament. I’d love for you to share what you've been working on these last couple of weeks. Then we can dive into the conversation of what you've been discovering.
Nick: We've been pretty much running in emergency mode with the Ukraine situation right now for obvious reasons, just given what we do. But I've had the honor of talking to several members of the Ukrainian government. Two of which decided to sit down or chose to sit down and be interviewed by me for my radio show. I was just deeply grateful for that, but I've spoken to members of parliament.
We Fear the Worst From an Invader
Nick: My last interview was with the secretary for the committee on foreign affairs. She's also the deputy head of the NATO delegation for Ukraine, as well as a member of parliament. I've also spoken to other leaders in the defense ministry and others just back and forth on various messaging. It's been a very tough week, only in the sense that I know that some of the people that I've spoken to are probably no longer with us.
That has been a very difficult thing to grasp. There's a lot of people that were very friendly and receptive to these kinds of things. They've simply stopped communicating and responding. Some have responded back, others have not and obviously we fear the worst.
Eric: Let's hope it's just a comms issue.
Nick: It's been a very tough week.
Eric: They just can't get the signal out or something.
Nick: Yes. What's interesting is one of the things that a lot of people are not realizing is that obviously we're fighting a social media war. The reason why we are able to see all of these images from literally the millions of citizen journalists that are Ukrainians is because they've got a mobile phone.
The ability to record and upload is because, by all intelligence accounts, the Russians have not actually been hitting the internet infrastructure directly in Ukraine. There’s the belief that they actually need to use it themselves for their military and coordination. The double-edged sword being Ukrainians get to use it too.
People Who Are Actively Under Threat From an Invader
Nick: I think that's why we've had such good communication, but we've had plenty of interviews or communications delayed for hours or days. We set up appointments with these people to have interviews. Then they would not show up only to have hours later say, "I had to move to a bomb shelter," or, "we had to move positions."
These are people that are actively under threat. It's taken sometimes all hours of the night or the morning or whenever just to get obviously these various people in front of a camera or just to be recorded. I think it's really important work, but it's heartbreaking.
Eric: When they talk to you, what are you talking about? What's the message that's coming out?
Nick: Because I have a nationally syndicated radio show, as well as a good chunk of followers on LinkedIn, Facebook, and Twitter, part of it is I just want to get the word out. I want them to be able to say what they are seeing on the ground. The first question I ask all of them is, "How are you, are you safe? Are your loved ones safe? What's going on?"
I want to understand essentially what they are seeing, what's the real-time news? As I'm interviewing them, I'm timestamping it. I’m saying, "Okay, it's X time in Kyiv on this date," just so we understand for future reference what they were seeing on the ground. But a lot of them want to talk about and press home what has been a consistent message from Ukraine is that the Ukrainian government, especially in the last week or so, have not actually been asking for troops. They've not been asking for boots on the ground.
No-Fly Zones
Nick: Not that they'd say no to let's say in a Marine division from the United States showing up and helping. But what they're asking for essentially is no-fly zones. They are looking basically to reestablish essentially that. They believe from what I've heard, especially from my last interview from a few days ago, that they can take the Russians on the ground. That the Russians are slow, they're ill-equipped. A lot of them, by all reports, not just in Ukraine, but outside of Ukraine didn't even realize they were going to be part of an invasion. They thought they were going to be part of a training exercise or didn't understand this.
The Ukrainians have been very well equipped and they're motivated. That has been a huge benefit to them. But the constant bombardments have been the problem that they have been seeing. Every interview and member of parliament I've talked to has consistently had that message for me. "Even if I don't interview, please ask the American public to convince your members of Congress to vote for a no-fly zone over Ukraine." Now we just heard that NATO is going to be supplying actual aircraft to Ukraine so that the Ukrainians can fly it to hopefully establish air supremacy over their country.
Eric: They're talking about it right now, MiG-29 which the Ukrainians can theoretically fly, assuming they have roads or airstrips and fuel and everything they need.
Nick: That's the key. Are they going to take off from Poland because apparently these planes will be coming from Poland or through Poland, I should say? Or do they have to establish airfields in and around Ukraine? Now, Western Ukraine is not really under heavy attack.
[07:07] Not Enough for an Invader to Take the Entire Country
Nick: A lot of people don't realize that Ukraine is roughly the size of Texas with the population of California. So while 150,000 to 200,000 Russian troops seems like a massive number, and it is, it's not nearly enough to take the entire country or become an occupying force.
What we are looking at, assuming that Kyiv and other major cities like Kharkiv and some others fall is a continued well-armed insurgency against Russia until it's so untenable for the Russians to stay. So we're going to see what happens.
Eric: My 14-year-old was asking me last night, "How does this end?" There's no great answer for a 14-year-old. I always like to look at things from every angle I can conceive of. Get as much sourcing material as I can to think through the problem. But there's no good answer here. I don't see how it ends well for Russia at a minimum, but probably anybody. It's a horrible situation.
Nick: I was interviewing a man named Dale Buckner. He's the founder and CEO of a private security force called Global Guardian. They actually have assets in Ukraine that are extracting their clients from an active war zone. This guy spent two, three decades in military special operations, intelligence, and all of that.
To hear him talk about it and I think he had some really good points, is to look at the world in any insurgency of a native population against foreign invaders. It never ends well, it gets protracted. Members of Congress right now are being told to expect 10 to 20 years of this if the Russians establish a foothold and are not repelled initially.
Beyond Absolute Bloodshed
Nick: There is no easy answer beyond just absolute bloodshed for decades to come. If that is the case, then at some point somebody has to throw in the towel. It's not looking like it's going to be the Ukrainians. Meaning, Russia's going to have to do that or else NATO has to intervene militarily in some way, shape or form. NATO seems very dead set against that. People are looking to see, is there a way to have Vladimir Putin save face while exiting the rest of Ukraine?
Do we give Crimea, Donbas, those regions as well that claim some Russian heritage or status while essentially leaving the rest of Ukraine intact? While allowing them to join NATO or promise not to join NATO, but heavily arm them with military presence. There are balances to be made, but it doesn't seem right now from everything that I've read and understand that the Russians are going to be slowing down anytime soon here.
Rachael: No. But it's great to have that perspective from the ground. We were talking a little bit about misinformation before and you just don't know what you're seeing on social media. Is it a video from like 15 years ago? To have that perspective and that interview you did with Inna last week was just so powerful. It just sounds so devastating. When you hear it from the first person like that, it just breaks your heart that people have to go through this.
Nick: It took days.
Eric: She was in Ukraine at the time.
Nick: She was in Kyiv. When I got to interview her, it was Monday morning here in the United States, Monday afternoon in Kyiv.
Perspectives
Eric: Monday, the 1st of March.
Nick: Yes. Basically a week ago from today as we were recording this and it was very difficult. We spent a lot of time communicating back and forth over the weekend. We'd set up times. She wouldn't show up and then she'd apologize saying, "I'm so sorry. I had to move." "You have nothing to apologize for, I totally understand. I'm sitting here comfortably in Chicago."
Getting those perspectives is one of the reasons why I'm reaching out to all of these people. I want them to be able to have their voices heard and I think it's just important. It is actual news from the front. It's not a report, to your point, Rachael, a video from 15 years ago that is pro one side or the other. It is just this person on the ground, part of this government and it's just accurate to that point.
Rachael: We'll link to that interview in the show notes, just so folks know because it was really powerful that discussion, for sure.
Nick: It was.
Eric: Nick, I have a question for you. As you were reflecting on the situation a couple of days in, we really did not see a tremendous amount of cyber activity leading up to the event. It just went so quickly. It’s like they almost overran cyber minus some DDoS and some wipers that were detected. Did that surprise you?
Nick: From what we understand and what we know, prior to the invasion. Inna spoke about this as did my last interview with another member of parliament, her name is Solomiia Bobrovska. Both of them had mentioned, well leading up to this, they did see financial institutions hit.
Cyber Attacks Strategically Designed by an Invader
Nick: They did see cyber attacks strategically designed essentially to undermine the confidence that the Ukrainian public had in their government. We're not seeing a total devastation, let's say of the infrastructure. Again, if the Russians need to use the infrastructure of Ukraine to essentially help with their communication, then they're not going to knock it out. But what they have been doing, and they have been doing this actually through the war with boots on the ground, is run a massive disinformation campaign against the Ukrainian people.
One of the most recent things being that President Zelensky basically had secretly fled with his family, I think it was to Poland or another border nation in an attempt to demoralize. So like, "Ukrainian soldiers give up. Your leader has given up." Zelensky has had to put out messages saying, "No, I'm here. I am not moving. I’m in this for the long haul."
I think these things are there and they're prevalent. The reason why we didn't see just an unbelievable knocking out of their infrastructure, which we know thanks to 2014 that the Russians have had the ability to do. I think it's one because they needed the internet. But two, I think the Russians overestimated it. I think by virtue of that, when they walked into Crimea, they were able to hit that nuclear power plant as well, and knock it out in 2014.
Ukraine was a much different place. Since then, they have been arming. They have been improving their military, they have been getting training for special operations and forces and all this stuff. Understanding that on their border, they have somebody that's more than happy to take their land if given a chance and here we are.
[13:53] Improving Our Cyber Defensive Capabilities Against an Invader
Nick: I think that's essentially part of that equation as well. It would stand to reason then that their internet is probably significantly more hardened than it was in 2014. You would hope the world's internet is more hardened than it was in 2014 because we are always improving in our cyber defensive capabilities.
You're always innovating new ways to approach threats. Forcepoint is no different in that vein. You're not selling the same firewall and the same system with the same algorithms you did in 2014. By virtue of that, I think that's part of the answer here. But I think it's a combination of all those things to be perfectly honest.
Eric: I can't speak to Ukraine, but what I will say is we're spending more money on cybersecurity. We're losing more IP, we're losing more money through things like ransomware and the like and espionage. We are losing intellectual property at a greater rate than we were in '14. I don't know if Ukraine has figured out the secret sauce, but it doesn't appear the rest of the world has.
Nick: What the world has is a recognition of cyber threat. It’s a standard complacency that they've always had and that I think gets everybody into trouble. You can look at our own government in the United States. I actually have an article that's in the process of being published on that as well. In 2021, the inspectors general for the eight major federal agencies came back and said, "We are a complete and utter hot mess." The state department can account for something like 60% of all logins to their secret systems.
Cybersecurity 101
Nick: I think it was Homeland Security that wasn't up to date in patching. I think Housing and Urban Development couldn't understand where their assets were. These are cyber security 101. While we have new and innovative products, when you have, let's say, an old guard or an antiquated way of thinking of, "Well, I've been using this brand for the last 10 years. So I just renewed the licensing." Well, odds are, you might be innovated around.
So while the Ukrainians understand that, they've had a concerted effort by virtue of an actual military threat on their border for eight years prior to this. To say, "Yes, we have to step up the game because we might not exist anymore." That is a really good motivation. I think that is one side. The other side is the Russians are looking at the internet that the Ukrainians have.
Say, "Yes, we need to use that one, to run our disinformation campaigns. To attempt to demoralize the country, but also to coordinate our own actions." Obviously, the Russians are coming with their own intelligence, their own radios, their own satellites. But why not use what the enemy has, especially if it's free and open? You can encrypt communication very easily across the internet so it would make sense for them to use it as well.
Rachael: Eric's taking it in.
Eric: No, that's exactly what I'm doing. There's so many facets to this campaign. We're learning so much in the actions, the mistakes and everything. It brings up a great point. If you take the internet down, guess what you don't have access to? The internet. How do you run a disinformation campaign?
A Cost-Benefit Trade-off
Eric: I would argue the Russians are probably one of, if not the best in the world at. How do you run one, if you don't have com links and how do you make a cost-benefit trade-off? That's a question that's running through my mind. Is it better to be able to create disinformation in the Ukrainian people's minds? Will they have access to it? Or do we take the network down and prevent things like electricity. What do we do? How do we do it?
Nick: I would say that when you're looking at warfare, one of the best things that you can do, and this is in the history of warfare. Prior to your attack, attempt to make your enemy as deaf and blind as possible. So if you're looking back at Ukraine in 2014, when they hit the nuclear power plant, they knocked out power to roughly 200,000 individuals or residents of that region. But they also ran a denial of service attack on the communication infrastructure.
So nobody could pick up a phone and actually call the power company or the power plant or whoever they had to call to say, "My power is out." They made them deaf and blind and a lot of intelligence agencies believe that was a dry run for potential attacks. What we're not seeing though is that, we're not seeing that reported here. So the question is, why?
Why wouldn't they do that when they have the capability? Have the Ukrainians hardened themselves that well around that infrastructure that the Russians simply couldn't get in? Or do the Russians actually need this? The answer is, I think the Russians actually need this.
Making the Calculation
Nick: They're making the calculation that their need of the internet, plus their need for disinformation campaign outweighs what the Ukrainians will use it for. I think quite frankly, that was a gross estimation. They underestimated the capability of Ukraine. I think they also underestimated the galvanization that we have seen globally of countries, not even in NATO.
South Korea and Japan are leveling sanctions. Australia, South Africa, it's global. FIFA, the soccer federation, said, "You can't play the world cup anymore." It's death by a thousand cuts to be a pariah here. I think that's a problem, but to the original point, you're looking at the internet as this indispensable entity that allows for communication both ways. As I mentioned earlier, it's a double-edged sword. They recognize that Ukrainians can use it, but I think they need it. I think that's a really good observation by our Intel.
Eric: I'm interested to see what happens. At this point we're seeing on the Northeastern, the Eastern side of the country. They're bombing out the towns and cities. You're going to hit power. They hit the TV tower in Kyiv about a week ago, maybe four or five days ago. So they're starting to hit that infrastructure from a kinetic perspective, whether intentional or not. It does appear there's some intention there. They took over Chernobyl, they took over another nuclear power plant.
Nick: And set it on fire.
Eric: Well, yes. There’s a little bit of that. It'll be interesting to see over time how their calculus changes, how they analyze what we do, what we control as communications, and power water sewers. The critical infrastructure that people count on for their daily lives starts to get challenged. We'll see what happens.
[20:26] Why Ukraine Is Desperate for a No-Fly Zone
Nick: In anything, combat is never the same and it always changes. Meaning, you have shifting boundaries. You have shifting borders in a combat zone as you are approaching or retreating, depending on the situation. When you're looking at this, that's one of the reasons why the Ukrainians are so desperate for a no-fly zone. The Russians appear to be indiscriminately bombing and attempting to soften up targets to allow their troops a much easier time on the ground.
That's why they're so desperate for this. We will see to your point, and did they hit that intentionally? That was the same strike that also hit a Holocaust Memorial. Not that I'm sure the Russians care about that, but the point being is that they seem to be hitting this. I've literally seen the pictures being reported of like a children's hospital was hit, a daycare was hit.
These are not typical targets, obviously for any war. It's abhorrent that this is where children would be. But it doesn't seem like the Russians are being that accurate beyond the point of, if we can soften it up, it's going to be making it easier to go in. Maybe that's a calculation on demoralization as well. We can't understand 100% what's in their minds because we're not running their war for them.
But as we're looking at this, I think to your point, there's going to be calculations that simply have to be made in that. It's going to change the landscape. Maybe next week or two days from now, they decide to knock out Ukraine's internet.
Relentless Cyber Attacks from the Invader
Nick: We're already getting reports that they are looking at cutting off the Russian internet from the rest of the world due to the relentless cyber attacks that we've seen hacker collectives. Anybody else that wants to get in this fight starts a law launching against them.
The estimate right now is on roughly March 11th, they may actually cut themselves off from the internet. ICANN refused to do it. We've seen a lot of spectacular hits against Russian infrastructure, including a hacker collective known as Network Brigade 65. It’s claiming to have knocked out Russian spy satellites, something they probably weren't expecting. Anonymous has hit Russian TV, changing the programming to the Ukrainian national anthems.
Eric: A number of times.
Nick: So all those kinds of things. I think they're realizing just how vast their own infrastructure is, how insecure they are. Now, they're making moves to change that. So the calculus to your point may change.
Eric: Let's switch gears here. I'm glad you went there. That's exactly where I think we should go next. We've seen these different, I think you call them hacker collectives. I was going to call them adversarial groups. We all know what we're talking about, Conti, Anonymous, you name it. You go down the list. They're almost picking sides.
We saw what happened at Conti last week. They had some issues because some people didn't want to join that team. Anonymous has pretty much decided to launch counterattacks against Russia. Did that surprise you? Have you ever thought about it? Maybe that's the first question.
What Would the Invader Decide to Do
Eric: Did you ever think about in a conflict like this, what would the hacker collectives decide to do? How would they pick sides or would they sit it out? What would they do?
Nick: This doesn't surprise me at all. Again, you can call them whatever you want. I'm sure there are ransomware gangs out there that have turned around. Personally, as we are tracking these kinds of things, we've actually seen a decrease in ransomware attacks in the last couple of weeks. Meaning, as the frequency of this war has caught on, we're getting less calls or less alerts.
Eric: It's almost the opposite of what CISA is warning us against right now.
Nick: Well, yes and no. I will say this because think about what a ransomware attack is to an organization. You break in some way, shape, or form. Typically phishing, you establish a presence, you establish that command and control traffic and then you do recon. That's where the sensitive data is, these are the servers I want to hit. Then you go ahead. You copy out what you want and then essentially you lock everything out and you're asking for money.
If you are looking at an attack, basically as a retaliatory situation for a war from an intelligence agency like the Russian FSB, what you're looking at is not taking the time to essentially look through and query all of your data. They want to knock you out, to disrupt, to wipe the data, and to knock out your infrastructure. And they want to brick your firewall, whatever they can do, as fast as they can and move on.
A Huge Target for an Invader
Nick: Because we have such vast infrastructure here in a massive population in the United States, we are a huge target. That's literally the article I'm hoping will get published, I hope my editor is fast tracking that. That's essentially what we are bracing for and I think the US population is wholly unaware of that.
It doesn't surprise me with Anonymous. If you look at the history of what Anonymous is, whatever they consider social justice in that moment is what they go after. They have gone after child pornography rings in the dark web. They've knocked out national infrastructure over free speech rights. I think it was Zimbabwe or Zaire, one of those.
Ferguson, Missouri, if you remember that just horrible unfortunate event. They went after the Ferguson police and protested for Michael Brown, I believe his name was. They have a complete history of saying, "We want to be on this side," which is why there's a love-hate relationship with them. While they commit crime, they're often doing it in the name of what they consider to be human rights or social justice at that moment.
This doesn't surprise me at all. I'll give you a perfect example of this. We were negotiating with one of the ransomware gangs. Literally, I want to say like a week ago, we just agreed on an actual price for this client to pay. They basically ghosted us for about three days. We didn't hear from them, they wouldn't respond. So, are they sitting in Russia? Are they turning their sights against Russia? What's going on here?
Low Ball Price
Nick: They were very quick to take our low ball price. We have to understand that I think there are going to be both sides. There are going to be people that are obviously very much for Russia, whether it's Russia or whoever's allied with them. But I think we are seeing right now a focus of these gangs, of these collectives looking at one thing. That is how we get into Russia. Very similar to when COVID-19 started. We basically saw every criminal element using that as a phishing lure in some way, shape or form. It's a world event.
Eric: There’s a lot to learn here. In some ways, Russia taking themselves off the internet stops their social media problem. It stops their collective problem from outside of Russia, but it creates a whole lot of other problems. If you want to sanction a country, I can't think of anything more serious in 2022. Then taking them off the internet, that just seems crazy. That seems like the ultimate sanction.
Rachael: It's the backbone of everything. Without that, we can't exist.
Eric: We're about to see, I think.
Nick: But here's the caveat to the whole thing. In 2021, they actually did a dry run of this. They said, "We're going to cut ourselves off the internet for eight hours, 24 hours," whatever that timeframe was, "to see if we could sustain our intranet at that point within the country." But here's the thing. The wild card in cutting themselves off to the internet is China. A perfect example is Visa and MasterCard have both come out and said, "We are now no longer going to do business in Russia whatsoever.
[28:00] Playing Both Sides of the Fence
Nick: Your Visa, your MasterCard is useless to you at the moment." So what did Russia do? They went to UnionPay, which is Chinese based. China itself is playing both sides of the fence. In the past, prior to the invasion, President Xi basically said that Russia and China have a friendship that is endless or boundless or something along those lines.
They are now sitting on the fence. They're not saying, "We support Russia." They are not saying, "We support Ukraine." They're saying, "We respect both entities and the sovereignty they're in." So if Russia is cutting themselves off, the lifeline could be similar to the lifeline North Korea has. That the massive economy that China has could float them.
Russia, if you're looking at this historically for the last 10, 20 years, has been shifting assets for the company to non-traditional markets, essentially to harden themselves against the west. China being one of those places where they have very deep ties. And so while they're cutting themselves, let's say off the internet, there may be an exception in their firewalls for Chinese IP addresses.
That's what we're going to see. We're going to see how this shakes out. If they do this and they are literally alone, then to Rachael's point, that is how you survive because now, you are an island unto yourself in the world economically. It's not feasible. If we cut off Russian oil around the globe, then that's a total nail in the coffin as well.
Eric: Well, let's say we don't cut off Russian oil. I think Europe is still getting about 40% of, I think, natural gas from Russia.
So Many Pieces of Data
Nick: Natural gas and petroleum products.
Eric: I think oil's like 25% and natural gas is 40%. It's one of those mixes. There's so many pieces of data going through my head right now.
Nick: The point is it's a lot.
Eric: How do you even receive payment for that if you don't have the internet? Are you somehow going through China? That becomes bizarre to me, the challenges.
Nick: Well, right. This is the case. What do you do with this? Do you seize the oil and turn it around and sell it yourself? There are so many unanswered questions here. I'm sure that there are statisticians that are doing the math on all of these different variables to the economy that we have right now. But when you are looking at it, I can't remember who I interviewed, but they said basically Russia is a gas station masquerading as a country.
Eric: That was pretty funny.
Nick: But that's an incredibly true thing.
Eric: I think that was a John McCain quote from back.
Nick: It could be, but it's accurate. To that point, how many Russian parts do I have in my car? The computer that I'm sitting on, talking to you, how many parts were made in Russia? They're not really doing anything except having natural resources that they can sell to the world. If the world says, "We don't want to buy your resources," that's obviously a huge problem.
Obviously there are other places to get it. The Middle East. We now have a massive petroleum system here since the shale boom of the 2010s. It's not like the world necessarily 100% is relying on Russia.
A Separate Challenge
Nick: But that shifting economy to let's say, move, just getting a direct pipeline from hundreds of miles across your border, to having it shipped from the United States or from the Middle East, obviously becomes a separate challenge.
But it's something that I think a lot of people in the world are willing to say, "You know what? If it takes a few months of me paying five bucks a gallon or seven bucks a gallon at the gas pump," which is dirt cheap globally because we import so much oil. A lot of people are willing to do that. Obviously, there are two sides to this. I like to say that cybersecurity is agnostic to politics, but we're not immune from it. It's something that we, in the cybersecurity community, have to consider and understand.
Eric: Just tying this one off then and we can transition, going back to disinformation. It does seem like Anonymous, at least said, "We believe the Ukrainian story more than the Russian media story." Fair piece?
Nick: I think that's 100% fair. Anybody objectively looking at the situation where the Ukrainians weren't massing troops on the border of Russia. They were just going about their normal lives and trying to keep their democracy established and here we are. I think it's fair to say the vast majority of the world looks at this as a Russian aggression as opposed to an equal footing, I struck first before my opponent struck. Ukraine had no assets that looked like that at all.
Rachael: It's just so overwhelming to think that it could last 10, 20 years and what's left after that as well. Then there's the other piece too of leakage.
Harden Your Defenses Against an Invader
Rachael: What leaks out from there? Should we be concerned about that? You have the Shields Up right from CISA. Everyone's getting this guidance, "You need to start looking at your infrastructure, harden your defenses just in case." But we're not really seeing that yet, but is that potentially to come?
Nick: The short answer is, I'm pretty much banking on it. Not because I'm doom and gloom or Debbie Downer, I swear I'm fun at parties. It’s because Russia recognizes that if they start going after US infrastructure, it's because they're desperate. If they start attacking this and we start identifying Russian intelligence attacks against US government infrastructure, state, local, municipal business, all that stuff, they know that they're going to have a very serious problem on their hands.
Because we will hit back as will everybody else and we've been playing it very coy. We've been turning a blind eye to the Anonymouses of the world as they do this. I think that's an important thing. But it's also important to recognize there have been reports of Russian-based intelligence cyber attacks outside of the conflict zone, outside of Ukraine.
Perfect example. I interviewed, he's Ukrainian, the president of the American Ukrainian Congress Committee of America, Illinois division. He's out of Chicago. He is the president of it and he basically said that he himself was hacked. That his system was infected about 24 hours or so before we actually had our interview. I saw him on, I think it was like CNN or MSNBC. So I watch like every news station literally just as I'm going through my day here, just seeing who's on and what's interesting.
[34:35] The Invader Attacks Ukrainian Based Organizations
Nick: We are seeing attacks against Ukrainian-based organizations globally. The Russians know that while these are the people that have relatives back in the home country, they're going to provide material support. They're going to provide morale, they're going to provide all of these things. So they have been going after Ukrainian organizations. That's literally what he spoke to in my interview last week. We're seeing that already, but we're not seeing it directed at US infrastructure or assets just yet in terms of governments.
Eric: Just so I understand what you're saying, you almost guarantee that we will see attacks on US infrastructure or you're saying you don't think we will.
Nick: There are no guarantees in cyber warfare, but what I'm saying is I would put money on it. If I were a betting man, and this were Las Vegas and I had my 20 bucks or whatever, I would put money on seeing this. The reason why I say that is because as I mentioned, this would be a move of desperation for the Russians because they're not going to launch kinetic warfare against the United States. They would be absolutely crazy to do that.
They know that's short of a total nuclear holocaust around the globe. Their real recourse against hitting the United States, Canada, Germany, UK, is going to be cyber attacks. That’s why if we are looking at them cutting off their internet, the question is, "Okay, how would that happen? How would they launch? Do they have assets in other countries that they will activate like they did with that guy in Canada to hit Yahoo about a decade ago or so?" Will they have those kinds of things?
What's going on with that?
If the Invader Begins to Grow Desperate
Nick: But as we are looking at this, if Russia begins to grow more desperate then we are going to see cyber attacks launched from Russian assets against the United States and her allies. I would put money on that.
Eric: Do you think shutting down the internet, taking the country offline effectively is the protection mechanism they're planning to use so that they can launch attacks without having that type of recourse?
Nick: It's very possible. For example, shutting down the internet means obviously you're cutting routing to essentially the rest of the globe.
Eric: Essentially or something.
Nick: It's one of the things that we recommend to clients, "You've got a next-generation firewall? Run geoblocking. Block every country that you don't have business in or should be looking at your infrastructure." Those are things that we know exist. But there's no reason why they couldn't say, "Okay, we're going to basically gather our resources and launch a major attack. Open up something, hit it, and then lock it back down or they've got assets that are sitting outside of the country, leveraging this."
We all know that botnets exist around the globe. They have been working on various variants of the Mirai virus. Not to get technical for your audience here, but we know that the Russian intelligence uses the Mirai virus or variants thereof rather frequently, as well as other techniques and tactics. They don't necessarily need Russian infrastructure to hit us, although it definitely helps. We'll see what happens.
Eric: You could just reroute the internet research agency to Africa, great bandwidth, no laws, and operate from there. You don't need access to Russia itself, but you can still perform asymmetric warfare.
Protect the Country From an Invader
Nick: That's my point. You can protect the country while hitting. There's a lot of ways that this could happen, but I would expect it. I am expecting it. We are preparing to expect it. Unfortunately, the American public has not been prepped for this. They’ve not been prepped for this at all and that's a terrifying thing.
Eric: I think that's a terrifying thing because we have a lot to lose and not a lot to gain there.
Nick: Way more to lose infrastructure-wise than Russia does. We are much more vast than they are in terms of population, in terms of the internet, we are all tied to this.
Eric: Reliance.
Nick: Look at the younger generations. You take away Wi-Fi from kids and it's like a bomb going off in their world. Imagine if nothing works, you can't call 911. You can't go to a gas station and use a credit card. These things, we don't think about. Water and wastewater go down, traffic lights go down. We are so interconnected here that the prospect of just having them use the cyber nuclear option on us is a very difficult thing. Our government's unprepared. I just literally just talked about that. This is a very deeply concerning thing that we all have to be prepped for.
Eric: I've been in a number of discussions where we've talked about theoreticals. What would we do if we were attacked by a nation state and how would we respond? Universally, we have the most to lose, the least to gain. But everybody goes back to, "Well, we have the best cyber offensive capabilities out there." We still have the most to lose and the least to gain.
Targeting Would Be Difficult
Eric: I've never heard anybody suggest that the targeting would be difficult because an entire nation state may come off the internet. The target basically is obfuscated from offensive capabilities. It's an interesting concept. Actually, I don't know. Maybe somebody's discussed it and they've looked at it, but I would be wondering, how do you handle that? What do you do?
Nick: This is something that has been discussed for the last few years or so only because we've seen other authoritarian regimes attempt to do that as well. Take themselves completely off the internet. I believe Iran tried that a few years back as well. Maybe even China now that I'm thinking about it.
Eric: China changed some protocols, some routing tables. This was probably 8-9 years ago. I know we watched that and it was a mistake. North Korea's off the internet, but they're really not.
Nick: They're a bit of a hybrid, it's just incredibly restrictive. Interestingly enough, we have a copy of Red Star OS here at Security Fanatics, their version. It does some really unusual things as we're putting it behind traffic analyzers, just seeing where it goes every time we play with it. You never know. But the point being is that, as you're looking at this, I think the calculation has been traditionally to your point of a country that's going to cut themselves off from the internet.
It has more to lose than it has to gain. Meaning, the only reason why you would ever want to do that is out of desperation, desperation for survival primarily. So if Russia is looking at essentially their tanking economy, they are looking at a globe that is united against them for the most part.
Supplying More Advanced Weaponry
Nick: Supplying more advanced weaponry than they have to a force on the ground that is using it effectively. This is something that they are taking into consideration and saying, "Well, if the United States, if the Americans, if the Australians, if everybody around the world decides to collectively start hitting us with cyber attacks, that's like burying the coffin at that point." What else do they have? They've been cut off from every major stream, from financial institutions. They got killed for the most part from SWIFT. These are things that are devastating to their economy. For them, it has to be the nuclear option in that case. It's going to get worse for them.
Eric: It may give them an opportunity to say, "The United States cut us off. It wasn't us." Really control that narrative. Sure, I agree with you. I don't see them lasting terribly long in the way the world works today. You're not just going to build, what were they? Ladas back in the day or Volgas, the Russian cars. You're just not going to build a modern day without access to the materials that the geo-connected world needs and nobody wants that anymore.
Nick: Even their budding robotics programs rely very heavily on Western research. They're out there. To that point, think about it. If I drive my car into a tree, I can't blame the tree. If I catch a kid with his hand in the cookie jar, the kid can't blame, "Well, the cookies were there therefore I had to have one." It's this overwhelming, no, we have some self control, we're humans. Here's a situation that simply is the antithesis of that for all intents and purposes.
[42:52] We’re Fighting to the Last Man
Nick: To your point, we're going to see what happens. But as it becomes more perilous for Russia, more so than they, I think ever really imagined what happened, I think they thought they'd walk in like in 2014 flags waving shots, not fired and you'd have a population. Now you've got a president that says, "We're fighting to the last man."
In one of my interviews, I think it was the one on Friday with 42:57. They have over a 100,000 Ukrainians that have conscripted, that have intentionally stood in lines and signed one year contracts to defend the country. They're being armed. I literally just saw a video of a grandma making Molotov cocktails.
Eric: That's a darn good point. I think March 7th today, the Department of Defense just did a briefing. They now believe that about 100% of the Russian forces that were aligned against Ukraine on the 23rd of February are now deployed in the country. Let's call that 190,000 or so people. I believe that was about 70% of the Russian military forces.
They are bringing more forces in, but you think about 100,000 conscripts in the Ukraine. You've got the Ukrainian military, forget how large they were. But it wasn't a small military. I saw today that Ukraine has said there are over 20,000 volunteers from other nations that have signed up to come in. All of a sudden the numbers are really changing. In an offensive war, the defender always has the advantage.
Nick: That's any insurgency. We're not innocent of that here as well. Look at Afghanistan.
Eric: Iraq, Afghanistan, Vietnam, all of them.
Why Insurgency Never Favors the Invader
Nick: Whatever you think about the withdrawal of Afghanistan, the point being is that we were in the country, we were there. We set up a fledgling democracy that collapsed in something like a week because they didn't have the will to fight. That was something that I think was very telling of that situation. Actually, my fourth TED Talk was on that. It's a huge problem that we have.
But you look at the history of any insurgency, it never favors the invader unless you annihilate the entire population. Just bring your own people in, then essentially you're committing genocide. It's not going to look good for the Russians no matter what. This is a losing proposition right out of the gate. They're not rolling over. From everything I've seen and every leader I've talked to in that country, and I've talked to a few, they're not moving.
Eric: The Ukrainians are not moving. They get the world behind them too.
Nick: Yes, they do. We have created an airbase in Western Ukraine, just off the border of Western Ukraine. We are flying roughly 17 to 20 cargo planes a day full of anti-tank, anti-aircraft, just ground weapons, all these kinds of things. They're being funneled right into essentially the defense forces, which could turn into the best and most well equipped insurgency the world has ever seen.
Forget the Mujahideen that we equipped in the '80s against the Soviet Union. That pales in comparison to what the Ukrainians are getting right now, not to mention they're about to get fighter planes. It's an entirely different landscape without us having to fire shots directly.
Rapidly Evolving
Rachael: It's a lot to take in and process. In a week, it could be a very different conversation. We just don't even know how it's going to go.
Nick: We don't. We have no idea.
Eric: That's why I think we keep marking the date and time where we're talking about, because it is so rapidly evolving.
Nick: That's exactly what I'm doing with all my interviews. I'm timestamping everything now, because advice today could be horrible advice tomorrow.
Eric: Three things you'd recommend to mom and dad, what they should do to protect themselves at home right now, if they're worried about their own systems.
Nick: The most basic, it's three or four things. It's very similar to what the CISA said almost verbatim, but make sure everything is up to date. Enable multi factor authentication on absolutely everything in your life because you're that much harder to hit. This goes for home.
Eric: Give us an example. I was talking to a woman this weekend. She looked at me and said, "What is multifactor authentication?"
Nick: When you're logging into that website, your Gmail account or your Office 365 account or Facebook or bank or Amazon, you have a username, you have a password. As soon as you enter those, it should prompt you for another code. You have an authenticator app on your phone like Authy or Google or any one of those, they're free that gives you a code.
Eric: Or at least they text your phone.
Nick: Although we don't recommend using text because of SMS hijacking, authenticator apps tend to be more secure. So that's why I'm leading with that.
Fix Vulnerabilities that an Invader Can Exploit
Nick: By virtue of that, essentially if I steal your username and password, I don't have access to your phone, that's a thing. Also, make sure everything in your life is up to date. We patch primarily to fix vulnerabilities that can be exploited to that point.
The CISA put out a laundry list of essential infrastructure equipment, like FortiGate VPNs, for example. Pulse Secure VPN, Microsoft Exchange and a whole bunch of others that Russian intelligence loves to hit and exploit if they're not patched. This is why Microsoft and Fortinet and et cetera, patch all of these products.
Also, make sure your backups are good. Even if you're a personal person, have a copy. If you've got stuff on your computer at home, make sure it's in the cloud and offline and make sure it works. Make sure you're actually backing up what you think you can and what you're doing. The last thing I would mention too, and there's a whole bunch more advice but if we're being quick is in business for your ICS. Your industrial control systems or at home for your home automation, make sure they work without the internet.
Make sure that Google Nest will actually heat and cool your house the way it should if it can't phone home to Google. That's a problem we've seen when things like Amazon have gotten hit. Or Amazon has gotten down due to an unknown error or something like that and then people can't access their thermostat. Test that stuff in your life. It's such a basic thing. We don't think about it, but those are three or four critical things out of probably a dozen that we should be doing, but I would start there.
A Good or Bad Behavior
Eric: I share passwords on all of our applications and amongst each other. Is that a good or bad behavior?
Nick: That's perfectly fine. Your password is “password”, right?
Eric: I believe we're monkeys this month. Yes, Monkey123.
Nick: Monkey123? All right. Well, mine is March 2022. You're better than me. Guess what last month's was.
Eric: I've seen that problem before. But seriously, don't share passwords across applications or with other people.
Nick: Part of the reason why is obviously the more people that know a password, the more susceptible it is to being hijacked. The other side of that too, is that one of the things we need, especially during a cyber attack, is good logging for the identification side. So that we know exactly, "Was it Rachael that logged in or was it Eric that logged in with that shared username and password that got us hit?" Now, I've got Rachael pointing the finger at Eric and Eric pointing the finger at Rachael. That is a huge problem that we see.
Eric: If you get called by a CEO and he says, or she says, "Nick, give me one thing I need to ask my CISO today in the meeting." What question are you telling them to ask at the corporate level?
Nick: If it's the CEO that's asking the CISO, then the very first thing I would have is a CEO, because again, assuming the CEO is non-technical. They're usually not wearing the nerd hat in the corporation. Do we have a cybersecurity framework in place right now that indemnifies us from risk?
Eric: How do you answer that as an affirmative?
[51:05] Let’s Talk About Risk from an Invader
Nick: A good CISO and this is the question that I use, when I'm coaching or counseling CISOs. Usually, what happens is they'll say, "Okay, Nick. Let's talk about cyber security." I say, "No. We're going to talk about risk. This is meeting number one."
My very first question to any CISO, I don't care if it's a Fortune 100 company or they have three people, is, "Can you tell me in hard and soft dollars, how many computers can be out and for how long, until it's economically untenable for your organization?"
Eric: Have you ever had to say yes?
Nick: No, not yet. If you can't tell me that, how do you know your backups are appropriate? How do you know your infrastructure does what it says it should do? Can production be down for six hours and it's so economically non-viable for the company, but marketing be down for a week and nobody cares?
If you can't tell me of these things, then how do you know what you're doing is correct? A CEO is not going to understand a firewall or remote browser isolation or DNS routing. They understand the vision for the company, the next three to five years, this is where we're going. The CIO is going to build that infrastructure that moves the engine to the economy and the CISO is going to defend the whole thing.
So that CISO better be able to speak to the risk for the next three to five years and what we are doing to ensure that. If you can't, you've got a problem in your job. You cannot answer essentially what a CEO and a CFO need to know as they are moving the ball forward.
The Indemnification of Risk from an Invader
Rachael: What is your perspective on the BISO role, the Business Information Security Officer?
Nick: I think at the end of the day, what we are all looking at is the indemnification of risk. When you have security attached to your name, I don't care if you're the physical security officer that is building the physical perimeters around your data centers, whatever that is. At the end of the day, it all comes down to a quantification of risk, whatever elements of risk are for you.
For example, if it's a CISO, obviously you're looking at that infrastructure. Can my firewalls do what they say they do? Or can my backups do what they say they do? Are they effective, are they working, all those kinds of things. Business on the business side of things. Maybe it's intellectual property, maybe it's whatever they're indemnifying.
Is it hardened to the point where we understand the risk to this and the security around it? I think that's an important message for anybody that has security in their name. That is the message that CISO should be telling their team too. You are essentially the shield for this, this organization. You’re defending them. We have to do our jobs. Complacency is the death now of what we're doing.
Rachael: I'm hearing from you, BISO is an okay job person to have in the organization.
Nick: If the organization is big enough. That goes for anything. I'm looking at a small to midsize business that outsources their IT. Well, okay. You need somebody that's going to operate and run and understand the security side of it, even if you're outsourcing those kinds of things.
The C-Level for Security
Nick: But I have no problem with having multiple roles at roughly the C-level for security if the security of the organization requires it to be that fast. A lot of companies really need to understand essentially what they are protecting in order to really differentiate between one role or the other. If they can't, well, then that's on them.
Eric: But they're really creating that role as a crutch. Really, what you said was the CISO should know what he or she risks and what she or he needs to protect and why. You wouldn't need the ratios BISO if you had that.
Nick: Well, think about this. Why would you remove the ability to understand the risk footprint from anybody that is a security officer in a company?
Eric: I think it's an instrument like the primary function of the job, understanding risk and protecting against it.
Nick: By virtue of that, you have a CISO, a CSO, a BISO, take your pick. The security officer for the zoo because you own a zoo for some reason.
Eric: Whatever you need to protect against risk.
Nick: Whatever the title is, if they are involved in security, they are involved in the risk. They have to have an understanding of their risk footprint. Now, for the security person that's physical. Maybe, it's okay if the building gets blown up or broken into. These are the physical assets that I would be responsible for. Therefore, I understand.
On the data security side, it could be that your data classification or quantification differentiates between standard operating procedures versus intellectual property to be protected versus, let's say, ITAR-compliant data for the government.
Creating a Holistic Cybersecurity Against an Invader
Nick: Now you've got these buckets, but you have a coordination between the physical security, the administrative security and the technical security. It’s essentially what we're talking about, then we've got proper coordination.
Holistically all of those technical controls or safeguards go into creating a holistic cyber security framework. You just happen to be breaking that out beyond one person owning everything and breaking it down into multiple officers. Maybe you're the size that can do that. That's essentially what I'm getting at.
Eric: I think you brought Rachael and me together in almost agreement at the end here. That's how impressive your talents are. You are a true security fanatic.
Nick: This has been fun. Let's do it again.
Rachael: Absolutely. Who's to say what happens in the next however many weeks and as things turned, would love to stay in touch for sure.
Nick: I've been living and breathing and drinking Ukraine for the last week and a half. It's been a very tough week and a half, but it's been a much needed week and a half, not just for Ukraine in my radio show, but for my clients with interest in the area as well. It's just a tough situation all around. I really appreciate the time and allowing me to talk about it and everything else.
Rachael: It's good for people to hear what's going on on the ground because it's just so vital. That's what we love about good journalism and folks like you who are able to amplify messages. That is the only way we're going to know what's going on and of course, how folks can help as well. Thank you, Nick. To all of our listeners, we'll talk to you next week.
About Our Guest
For over 25 years, Nick Espinosa has been on a first name basis with computers. Since the age of 9 he’s been building computers and programming in multiple languages. Landing his first IT job at age 15, Nick founded Windy City Networks, Inc at 19 which was acquired in 2013 by BSSi2. In 2015, Nick created Security Fanatics, a Cybersecurity/Cyberwarfare outfit dedicated to designing custom Cyberdefense strategies for medium to enterprise corporations.
An expert in cybersecurity and network infrastructure, Nick has consulted with clients ranging from the small business owners up to Fortune 100 level companies. Nick has designed, built, and implemented multinational networks, encryption systems, and multi-tiered infrastructures as well as small business environments. He is passionate about emerging technology and enjoys creating, breaking, and fixing test environments.