The great spy balloon freakout: from January 28 to February 4, a Chinese-operated high altitude balloon was seen across North America. It entered North America through Alaska, went through Western Canada, and it was shot down on the East Coast. And we’ve had several other strange unidentified objects in U.S. airspace. Russia is also operating these spy balloons that are being shot down over Ukraine with that conflict.
Intelligence experts believe the spy balloon situation demonstrates how China is ramping up their espionage tools and gathering intelligence, which could potentially lead to cyber-attacks aimed at U.S. critical infrastructure.
Senior VP of Security, Michael McNerney, has an extensive background in threat intelligence and spent a lot of his career with these types of threats in mind. McNerney is a part of a ransomware task force, a working group of government and private industry leaders brought together by the White House. He joins our podcast to discuss the potential cyber espionage ahead of us.
Katie Keller:
Threat intelligence: let’s talk a little bit about your background and how you became curious about this topic.
Mike McNerney:
Yeah, happy to go into that. My journey into national security really began after 9/11. I graduated college in June 2001. I ended up joining the military in response to the 9/11 attacks. I ended up spending four years as an active duty Air Force officer. I eventually left active duty, went back to school, then went back into government service as a civilian, first spending some time at the State Department working on issues in the Middle East and Afghanistan. I eventually found my way back to the Pentagon where I worked in the Office of the Secretary of Defense, specifically in the Office of Cyber Policy. And that was really my introduction to cybersecurity as a topic.
I left the Pentagon in about 2013, moved to Silicon Valley and tried my hand at being an entrepreneur. I co-founded a cybersecurity company with two colleagues of mine who were also in the Air Force, and who had spent some time at the NSA. This company was focused on cybersecurity analytics. We eventually sold that to another bigger cybersecurity company, and I spent a couple years there as a product manager running their threat intelligence business before finally ended up here at Resilience. One of the many hats I wear here at Resilience is overseeing our own internal threat intelligence capability.
Katie Keller:
And so you’ve definitely had a hand in all different facets of cyber, with the military and the government, and then in the private sector. And so, I know that when it comes to creating creative solutions for some of these ever-growing and evolving threats, it really does take leaders from each industry to come up with those great solutions.
But until some of these objects are recovered and analyzed, we really won’t see the full picture into what China is looking for or what their spying capabilities truly are in their intelligence gathering. So, let’s talk about how the cybersecurity threat developed after spotting that first Chinese spy balloon earlier this year.
Mike McNerney:
Sure. Thanks Katie. I think you alluded to something here that is important. I do think it’s important for us to give the IC an opportunity to figure out exactly what’s going on here. I know folks are jumping to conclusions. These (IC) folks are professionals, and they’ll get to the bottom of this. They need the time to get there to get this right.
And so to your point, we don’t know exactly what is happening right now. What we do know is that China is a sophisticated nation. They have all facets of intelligence collection. They use human intelligence, they use satellites, they use overhead collection, and open source collection. And of course they also use cybersecurity, which has been one of the primary areas of concern here in the United States is the amount, the volume, and the sophistication of the Chinese cyber capability. So, that’s been a real focus area of the government and of the private sector is trying to deal with that threat. Obviously the threat from overhead collection, potentially from these balloons adds another dimension to that, but it doesn’t obviate the cyber threat, which is still very real and very much out there.
Katie Keller:
And which we’ll talk about, affects every part of our critical infrastructure here in the United States. And I think here it’s really important to know as we talk about what the intelligence community is doing to try to figure all this out, it’ll come to a point when they’re ready to release to the general public what it all means. And obviously we’re just not there yet. So, be patient in that the incredible leaders within the IC are doing the good work. But as I think every citizen can see, the tensions between US China continue to rise. Thinking about these cyber-attacks and what it can do to our critical infrastructure, what kind of potential espionage scenarios in your mind could we expect?
Mike McNerney:
Yeah, another great question, Katie. I think it’s really important to make a little bit of a distinction between cyber espionage and a cyber-attack. And sometimes the lines between the two are quite blurred.
But cyber espionage is happening all the time. Every sophisticated nation is attempting to gather intelligence on its adversaries and its competitors. That certainly is happening here and it’s happening in the case of the Chinese, because they’re interested in our intellectual property. They’re also interested in learning more about our systems and capabilities; really all of the above. That has been going on for years. I would expect that to continue.
One of the main challenges though, is the same kinds of things, and often cases, the same kinds of things you need to do to run an effective espionage campaign also allow you to prep a battle space, if you will, for a follow-on cyber-attack. So, there may not be an enormous amount of intelligence value, for example,in penetrating a utility, but doing so could lay the groundwork for a future attack should we ever get into a hot war with a nation like China. So that’s where the concern really lies.
Katie Keller:
Sure. And so just in all of your experience and all the different entities that you’ve supported, how has the government prepared for those situations, and what lessons can help the private sector be cyber resilient or at least prepared?
Mike McNerney:
This really does need to be a partnership between government and the private sector, and including academia, including civil society, because cybersecurity is really a whole of nation threat. Every individual company and every individual person are a potential victim or target of the cyber espionage campaign. In that way, it’s a little bit different from some of the other domains that we think of when we think of war fighting domains like space, land, sea, or air.
Because cybersecurity is very much private sector owned and operated, a lot of the innovation and development comes from the private sector. The government really can’t just own the space like they can on the high seas, for example. So, it’s really, really important for government and private sector to share insights with each other, to be on the same page regarding protection, and to just really trust each other and communicate effectively.
I think the government has made tremendous strides in leading this. It is the government’s job to lead this effort, even if they can’t own it entirely, as I was mentioning. But I do think that organizations like CISA out of the Department of Homeland Security, have done a lot in the last couple years to bring the private sector in and to really make important strides. The FBI has done great work, the Secret Service, really all across the government. So, that has been a really bright light, I think, in terms of where we see things going.
And then we’re seeing a bunch of private sector organizations really step up to the bat as well. The other thing that you mentioned weโre a part of is the ransomware task force, which was generated purely by the private sector. Private sector actors said, โwe need to get together and do more to combat the cyber threat.โ And government ended up playing a significant part in that as well. And that’s a great example of a partnership that has really been important and effective. So, more of that is needed, but there’s been some great progress so far.
Katie Keller:
And I know just in contracts and acquisition that the government has tapped on the private sector for a lot of help in modernizing things. You talked a little bit about academia, and so with this ransomware task force, could you tell us a little bit more about the ins and outs of that and why it’s important to… have those working groups, and what role you see academia playing in that.
Mike McNerney:
The beginning of the ransomware task force was actually started by an organization called the Institute for Security and Technology. And it’s a relatively new, I’d call it a think tank, relatively new think tank. They identified that this is a big problem. No one really owns the specific solution. Everybody has a part of it. And so let’s start the conversation. Let’s get the relevant players in the room. Let’s identify the challenges and let’s drive to a solution.
And academia and other think tanks play a really, really important role because they can do a lot of the convening. They have a lot of the cutting edge research and they have talent. There are all kinds of people that have been in private sector that go into places like Stanford or to various think tanks and continue to do their research and continue to do their work. So, there’s some really important things that the academic sector really adds to this.
Katie Keller:
And through this working group, are there specifics that you could share today that you found through assessing some of these cyber vulnerabilities? And, like I said, we’ve seen in the past where a cyber-attack on one vulnerability could affect our entire infrastructure. So, anything that you could share as this working group is assessing those vulnerabilities?
Mike McNerney:
Absolutely. I really think it comes down to resilience. The most important things that companies can do to protect themselves are not really a mystery. It starts with basic hygiene, basic security hygiene, things like having a strong username and password, having multifactor authentication, understanding your network, understanding your environment, and having visibility into it. It really starts with these things that are fairly well known. It’s really just a trick of rolling up your sleeves and getting them done.
And from there, it goes into collaboration and communication. What do we know about the threats that we see on the horizon? What are their tactics, techniques, and procedures? How can we harden ourselves against those activities? And then there’s also a role for the government as well to come in and say, “Okay, these are the areas that we can help you. We can provide you with these capabilities. Perhaps we can share this level of threat intelligence with you so that you can prepare.”
And then the final part that we feel strongly about at Resilience is the role of insurance in helping a company be resilient to an attack and also bounce back quickly afterwards.
Katie Keller:
Sure. And I know that the government is also implementing these cyber standards that companies working within this space really need to maintain. And then it also goes down to, like you said, username and password or MFA. As an individual, you need to be cyber resilient as well, and practice good cyber hygiene, which really leads me to my next topic.
We’ve talked about in the past here at ClearanceJobs about how China is really a patient beast. And they’re building a picture, a large picture. And so the balloon with national security concerns โ it has not started there. Looking back at the OPM data breach, TikTok, and all of the different data that is easily collected on a platform like LinkedIn. How do the balloons add to national security concerns over China, and what puzzle are they building? And let’s talk about if cyber vulnerabilities is that missing piece.
Mike McNerney:
Yeah, I think there’s a little bit to unpack there. Espionage has been going on for quite a while. And you mentioned some great examples. That shows why cybersecurity has been a concern of ours for years and will continue to be so.
Going to the balloon itself: it’s unclear, at least publicly what collection capabilities it had. It could be that it had some SIGINT collection capability that bolstered the Chinese intelligence apparatus in their understanding of the United States. We don’t know. That’s certainly possible.
One thing that I would also think about is just the fact that they were able to send an aerial surveillance device to the border and then across the border of the United States โ this is unique. It is unusual. We know that they have satellites going overhead all the time. We know they do cyber espionage. This is the first instance, at least that we’ve publicly been aware, of something like this crossing into the territory of the United States. And so whether or not there’s a collection advantage, I think there’s a statement or psychological change that happens here when you’re able to do that.
Katie Keller:
Mike, I really a appreciate you joining me for the conversation today. Are there any closing thoughts that you want to share with our audience in terms of cyber vulnerabilities or just maintaining good cyber hygiene?
Mike McNerney:
I can’t encourage people enough to continue to pursue careers in cybersecurity, both inside and outside of government. It is a growing field. There are all kinds of jobs at all kinds of great companies and government agencies that need talented people, that are willing to accept that mission. And cybersecurity itself is going to be a continued challenge. I think it’s a fun challenge. I think it’s an exciting challenge, but it’s going to be one that we’re going to need sharp people to meet.
And then let’s not forget that every person, every organization, and every company is a potential target of a threat intelligence or cybersecurity actor. And so we all need to be vigilant. We all need to take our cybersecurity hygiene, as we call it, seriously. Like we said, strong passwords is just the beginning. But it really goes on from there to just understanding our environment, being smart, understanding how not to click on phishing emails, all that kind of stuff. It may seem pedestrian, it may seem silly, but it is really effective and really important for us to take seriously.
