Get IT Started Podcast

EP 4 – Den Jones speaks with Elvis Chan, FBI

In this episode of Get It Started, Get It Done, the Banyan Security podcast covering the security industry and beyond, our host and Banyan’s Chief Security Officer Den Jones speaks with Elvis Chan, Assistant Special Agent in Charge of FBI San Francisco’s Cyber Branch.

Den and Elvis discuss the importance of the relationship between the FBI and the private sector both through programs including the FBI’s CISO Academy, and through the relationships private sector security professionals can and should form with their local FBI field office. We hope you enjoy Den’s discussion with Elvis Chan.

Intro/outro:

Hello, and welcome to Get It Started, Get It Done, the Banyan Security Podcast, covering the security industry and beyond. In this episode, our host and Banyan’s Chief Security Officer, Den Jones, speaks with Elvis Chan, Assistant Special Agent in Charge of FBI San Francisco’s Cyber Branch.

Intro/outro:

Den and Elvis discuss the importance of the relationship between the FBI and the private sector, both through programs including the FBI’s CISO Academy and through the relationships private sector security professionals can and should form with their local FBI field office. We hope you enjoy Den’s discussion with Elvis Chan.

Den Jones:

Okay. Hey everyone. So welcome to Get It Started. Get It Done. Banyan Security’s newest adventure into podcasting. I’m the host Den Jones. And every episode we bring in some fascinating guests. And I’m delighted for this episode to bring in Elvis Chan, one of my great friends from the FBI. So Hey Elvis, how are you sir?

Elvis Chan:

Staying good. Thanks for having me on Den, it’s going to be a fun conversation today.

Den Jones:

Yeah. I’m looking forward to it. I always like to ask guests, so we met a number of years ago now, but do you remember and can you share the recollection of how we met or anything strange during that initial meeting?

Elvis Chan:

Yeah. I feel like, gosh, when did we meet? Was it maybe 2016 or 2017? Right around then. I used to work at another company and I do a lot of outreach with the private sector, which I know we’re going to talk about a lot. But I was meeting with some security folks, information security folks and folks from your general counsel’s office, just to talk about cyber incident response and what could they expect from the FBI, what could they expect from the US government.

Elvis Chan:

And so then I started talking to you and I recognized that accent right away as being a Scottish accent. And I wanted to confirm, “Hey, are you from Scotland?” And he said, “Yeah.” And I was like, “Well, I spent three months of my life there.” This was pre-bureau. I used to be an engineer in the semiconductor industry.

Elvis Chan:

And in Scotland, there used to be this thing called the Silicon Glen. It was going to be the next version of the Silicon Valley. And so I worked for a company, NEC Electronics. And I know Motorola was out there. I know Intel was out there. And so actually, Silicon Glen was in a town right near Livingston. And you said, “Elvis, that’s where I’m from. I’m from Livingston.”

Elvis Chan:

And I’m like, “Yeah, I would never have known it.” But the reason Livingston was big in our lives is because there was The Home Depot there. And there was other stores, but it was anchored by The Home Depot. And then we started reminiscing about that. Remember Den?

Den Jones:

Yeah. And it is funny. They always had this slogan, “Life is for Livingston.” And Livingston’s one of those new towns. And it’s interesting now because almost all of those companies have since pulled out. Well, in the ’80s and ’90s then, it was huge. I mean, there was so many of those factories.

Den Jones:

And then those all to support things like the mobile market, early computers and things like that. So, I used to work in a company called SHIN-ETSU HANDOTAI. That was my first IT job. And it was a fascinating process. Fascinating process.

Den Jones:

And so you were there for three months and you survived the Scottish weather, the Scottish people and the food, right?

Elvis Chan:

Yeah. I mean, the haggis, someone slipped it into a meat pie. And so I thought I was eating a meat pie. And I said, “There’s something off about this pie. What’s going on with this?” And, “That’s a haggis pie Elvis.” And I’m like, “Oh.” And let me tell you, my body was telling me it did not like that haggis pie I ate, for the next day or so.

Den Jones:

That’s funny. I miss good haggis. But probably maybe the one you got wasn’t the best haggis pie. So, awesome. So great to have you on the show. I’d love to hear, so we get to meet every now and again, there’s so many things going on in the world and so many geopolitical things that has a huge influence on the cyber things as well.

Den Jones:

So I’d love, why don’t you start off by sharing, for those who don’t know who the FBI is, what the charter, the vision, mission, those things. Why don’t you bring FBI to light for us?

Elvis Chan:

Okay. That sounds good. Well, hopefully, the good news is Dick Wolf on CBS, I think he has three or four FBI shows. I think most people are pretty familiar with the FBI. But for those of you who haven’t seen The Silence of the Lambs or any of the other shows, Federal Bureau of Investigation, we are the primary national level law enforcement agency. That’s one of our hats.

Elvis Chan:

The other hat that we wear is that we’re the domestic security intelligence service. That sounds a little scary, but post 9/11, that was really a big deal for us. Our job is to keep the nation safe and we do that by working with all of the other intelligence community agencies within the United States, as well as with state local and tribal law enforcement.

Elvis Chan:

So really the bread and butter of our job is the investigations. So anything that you think can be investigated. Anything, whether it’s interstate boundaries being crossed or overseas boundaries being crossed, probably there’s a federal statute that allows the FBI to investigate it.

Den Jones:

Awesome. Awesome. And, so what inspired you to join? But you said, when you were in Livingston, you were doing a whole different job. So what inspired you to join the FBI?

Elvis Chan:

Yeah. So like I said, I used to be an engineer. And I would say on a scale of 1 to 10, that’s like a seven out of 10. So I majored in chemical engineering. I worked in the semiconductor industry. I used to make computer chips. That’s a really good living. And so, living very comfortably.

Elvis Chan:

But I’d always yearn for something more. I’d always yearn for public service, but being first generation born in the United States, both my folks immigrated here from China, they always wanted something better for me. And so there was a few acceptable jobs for a first generation born American. And engineer, doctor, attorney, accountant, that was the acceptable occupations. And so I picked engineering.

Elvis Chan:

And I really enjoyed that. One of my buddies who I worked with at the company I was at, his game plan was always to join The Bureau. But the way it works is, you need to have at least three years of job experience before you can apply to be an FBI agent. So he did that. So actually, he worked four years with me. We became really close friends.

Elvis Chan:

He said, “Elvis, I am putting in for the FBI.” And I said, “You are crazy.” And he got in and he’s calling me from the FBI academy in Quantico, which you were able to visit with me. Maybe we’ll talk about that later. But he said, “Elvis,” he’s calling me on the phone, he’s like, “you would love this. We’re shooting guns. We’re kicking down doors. I’m learning about the constitution. This is awesome.”

Elvis Chan:

And so it re-lit the fire of wanting to do public service. I talked to my wife about it. And I said, “Hey, if I want to get in, this is my only chance because there’s an age maximum.” You can be a maximum of 36 years old before you are allowed to join The Bureau. You have to be younger than that.

Elvis Chan:

And so I was running up against it. And I guess you could say I had my midlife crisis early. I applied. And a year later, almost 12 months to the day, I was at the FBI academy in Quantico getting sworn in. And since then, it’s just been a crazy ride.

Den Jones:

That’s awesome. And so going through the academy and stuff, and then even into your role now, I’ve met quite a few people in the FBI. And we can talk about the CISO Academy and stuff. As I met people, they’re always like, “Elvis.” “Elvis.” “He’s the guy.” “He’s the guy.”

Den Jones:

So what I think of for me with my reputation, I’ve got a reputation. But I think everybody I spoke to or everyone that spoke about who Elvis was, you have this bigger than life reputation. And I don’t think it’s the name. So what do you put down? What’s one of the biggest things you’d attribute to your success?

Elvis Chan:

So, this comes back to my leadership philosophy. I guess we’re getting meta pretty quickly here. So I know a lot of people talk about having a servant leader philosophy, but I really, really believe in that. So my job at the end of the day, whether I was in private sector or now in the government. Number one, serve my people. “How can I help the people?” And then with that, serve the mission. “What is the mission?”

Elvis Chan:

Back then in the private sector, I had to make so many wafer chips. We had to get so many wafers and the throughput and everything. But really the FBI’s mission, so much cooler. My mission is, “Protect the American people and uphold the constitution.” And that’s a mission that pretty much anyone can get behind. But how do I do that?

Elvis Chan:

And just by serving the people, “Whether I’m a line level employee, what can I do to help out.” “How can I run this investigation better? How can I help the victims of this company that were just hacked?”

Elvis Chan:

So really, that has been my model. How can I do this? And I would say that like you, when I get something started, I get it done. I have really good follow through. So I guess that’s another skill.

Elvis Chan:

But really, having the humility to know that, “I am just a very small cog in a large machine. And just trying my best to lead from where I am standing.”

Elvis Chan:

And whether it’s leading by mastering whatever skill I need to or running whatever investigation or supervising people, it’s really that. It’s like, “How can I lead from the place I’m at?” I’m not looking, “What’s my next rung on the ladder that I want to get up to.” It’s really focusing on, “What do I need to do here? How can I be impactful? How can I help the people?”

Elvis Chan:

And I think that is what has carried me, is, I’ve never had an agenda. I’ve never wanted to be the deputy director of the FBI. I joined this organization because I wanted to make a positive impact. And I think it shows.

Den Jones:

Awesome. Yeah, no, that’s brilliant. And then the partnership between the FBI and the private sector. So I’m aware more and more about that relationship and partnership. But you want to explain a little bit about, what’s the FBI’s goal and mission with that?

Den Jones:

And then how would you think that benefits private sector and how do you think private sector could get more involved?

Elvis Chan:

Yeah, so that’s a great question. I think people have this myth or this conception in their head that the FBI and the US government, we’re like big brother. We see everything, we know everything. And that is completely not true. I think you’ve seen different statistics and surveys that say, within the United States, the vast majority, I think over 85% of all critical infrastructure is controlled by private entities. Either private entities or public entities that are not the US government.

Elvis Chan:

And so our job is to defend the critical infrastructure, the critical sector industries within the United States. But we don’t own most of the property. Who does? The private sector and the public sector. And so we need to be engaged with them to be able to do our job.

Elvis Chan:

We need to be engaged with you Den, to be able to do our jobs, because, at Banyan Security, and you know this better than most, you are a vendor and you get put into these companies. And you can see what’s going on. I don’t know if people know this, but me at the FBI, I can’t see what’s going on at the company. Banyan Security can see a lot better what’s going on at this company.

Elvis Chan:

Now, I will know better maybe what the Russian spies are doing or what cyber criminals are doing, through the course of our investigations. But I’m looking through a straw. And we only have one piece of the puzzle and really industry has the other piece of the puzzle. So when you frame it like that, it totally makes sense for me to be able to get along and for me to develop relationships with all of these different companies.

Elvis Chan:

So, within the FBI, we have figured out who are the strategically important companies that we have to get along with? And pretty much, if you’re on a Fortune 500 Company or a Fortune 1000 Company, then you’ll know that, “I’m probably working at a company that the FBI needs to know and get along with.”

Elvis Chan:

And some people say, “Well Elvis, I don’t work for any of those.” But I’m like, “Aha, but are you a contractor? Are you a supplier for a Fortune 1000 company?” And invariably, if the answer is yes, then we probably need to have a relationship with you.

Den Jones:

Yep. And, you and I, we first met during my days in Adobe. And then I left and went to Cisco. And I call you up straight away and I’m like, “Hey, Elvis, I’ve moved.” And then 18 months later, I joined Banyan as their CSO. And it’s like, “Hey, I’ve moved again.”

Den Jones:

And I’m not the person that really tries to move around companies so often. I mean, I was with Adobe for 19 years. So maybe that was longer than I anticipated. But my recent move here, and as you mentioned, Banyan, we have customers that are big household name customers. And while we might not be the biggest target, they very well will be.

Den Jones:

And I’d hate to think of people coming through Banyan to get to our customers, because that’s not the plan. And then, so if a company wants to learn more about the partnership and wants to get involved, what do they need to do? How do they go find out that?

Elvis Chan:

That’s pretty easy. So, I mean, we hustle. I think you know, I hustle. I’m at a lot of different conferences and events. And so we’re typically there. You can reach out and come shake my hand and talk to me, that’s one way. You can go to fbi.gov.

Elvis Chan:

So we actually, you can do a speaker request form and ask for an FBI agent or analyst to come in and talk to your company about a variety of things, not just cybersecurity. That’s definitely another way.

Elvis Chan:

A third way I would say that’s really important is, we have an organization called InfraGard, which is the FBI’s, it’s a nonprofit organization. It’s a 501(c), but partners with the FBI where you can attend quarterly meetings, get FBI briefings and you can also get FBI reporting on a monthly basis. And so InfraGard, it’s spelled weird, it’s I-N-F-R-A-G-A-R-D.

Elvis Chan:

If you just Google that you can find and you can join to be a member. It’s really easy to be a member, only two requirements. Number one, you have to be a US citizen. And number two, you can’t have a criminal record. So fine upstanding listeners of this podcast will qualify for both of those.

Den Jones:

All five of them. Awesome. Awesome. So let me jump in. So as part of our relationship, then you got me invited to the CISO Academy, so I was privileged and blessed to be there. I didn’t get to go to Quantico though, because it was the first one after COVID so I was in Charlotte, which for me was still a brilliant experience. I got to shoot a Tommy gun. So I remember that, I’ve got pictures of that stuff.

Den Jones:

So, what’s the CISO Academy and what do you think the benefits of people getting involved in that are?

Elvis Chan:

Yeah, so you and I, actually I guess most people, it’s the Chief Information Security Officer Academy. So FBI headquarters, we thought, from a cyber perspective, it’s really important for CISOs to understand where the FBI is coming from. And so, God, you went, I think, to the 9th iteration that we’ve done. And it’s been super popular.

Elvis Chan:

I’ve noticed that in CISO circles, it’s a badge of honor having gone to the CISO Academy, because we typically take between 25 to 30 people per class. And field offices get to nominate CISOs from different companies in their area. And very few get chosen, so you were one of the chosen few, I guess I’m going to be pulling up a Highlander reference right there. “You were the chosen.”

Den Jones:

“Chosen one.”

Elvis Chan:

But really, during the course of that week, we provide classified briefings, we do round table discussions with other US government agencies. And really, I think the fun time is, like I said, me and Den hanging out at the pub. Really just being able to share war stories.

Elvis Chan:

Like, “What happened during this incident response? How did you guys handle that? How could things have been better?”

Elvis Chan:

Just being able to shoot the breeze. But it’s really a nice event that we do. That’s another reason, if you’re not already plugged in with your local FBI field office, you need to be, because if you’re a CISO and this sounds really intriguing to you, getting to hear classified briefings, getting to shoot the breeze with senior level FBI and the US government executives and getting to shoot guns, then hey, you should get plugged into your local FBI office.

Den Jones:

Yep. No, absolutely. And so briefings and things like that, and I sat through and listened to some of those, which for me was just brilliant. And then great for me to take back to my company, at the time it was Cisco. And then share with our CSO there. Really, some of the areas or concerns that you’re able to share.

Den Jones:

So for me, that’s a really valuable opportunity to look at your company and where you’re spending your money and gaining insight.

Den Jones:

Now, so talking about gaining insight, you work on a lot of, I’m going to say they’re very highly public events, incidents for some of the companies around the world and stuff. As you work with companies on breaches, what can you share about the key takeaways and the lessons that you think these companies are learning as they go through the events?

Elvis Chan:

So, I mean, I know I’m preaching to the choir Den, but the one thing I’ve learned is, the companies that have defense in depth, and a resilient culture, those are the companies that can survive a major security breach and then come back stronger than ever. Unfortunately, many of the companies that I deal with, don’t have defense in depth and don’t have that type of resiliency.

Elvis Chan:

But I really think it’s more and more important these days. Let’s just say, so we’ve talked about this before, FBI San Francisco. It’s, no, we’re the lead office investigating the SolarWinds breach. And so, that’s a supply chain issue. And so having defense in depth also means, “Hey, have we audited all of our suppliers? And what does it look like if something bad happens, like if one of those suppliers is compromised in one way.”

Elvis Chan:

And I guess this is going to be a nice segue, specifically from the SolarWinds breach and similar supply chain breaches. What I’ve really learned from it is, we as an industry need to start moving, and some people are already moving, towards zero trust architecture. Really knowing that, just taking it on fact that, “Hey, I think that I’m already compromised, how can I minimize the compromise?”

Elvis Chan:

“How can I have these little islands of trust inside this entire ocean of distrust?” So I guess we can talk about that, but really zero trust architecture is the direction I think we’re moving in.

Den Jones:

And it’s funny for me and one of the reasons I joined Banyan was, I have great confidence in the technology. I know how unaware people are of zero trust and what do you mean by zero trust, and that whole over marketed nonsense and hype, really. And at the end of it, for me, I look at these breaches. So whether it’s a ransomware attack or whether it’s someone used a sloppy username and passwords and they don’t have MFA set up. So some of the basics.

Den Jones:

And I sit there and say, look, this landscape or this thing called zero trust, it’s such an emerging industry in the sense of, the market opportunity right now, certainly for a company like Banyan, because what we are doing is, we are saying, “Hey, we don’t trust the network. We don’t trust this big network. We want an application to really look and feel like its own island.”

Den Jones:

“And in order for you to access the application, you have to have a device that’s got a great posture, we’re continuously authenticating it and you’re directly connecting to the application.”

Den Jones:

And for us, it’s a great thing that the government’s also saying, “Hey, this zero trust thing you want to pay attention to it.”

Den Jones:

Do you think that many companies, especially the ones who go through a big breach, they understand that if they had their third party suppliers access their apps and services via zero trust model, that would maybe have helped them. I mean, are you confident in that?

Elvis Chan:

Yeah. I am confident in that because, so I can’t get into the gory details of all the significant security breaches I’ve investigated, but invariably you’ll see, once they’re in, it’s either a flat network and they could just move laterally. Or, maybe it was a segmented network, but they were able to compromise a network administrator’s credentials and then just use those all over the network.

Den Jones:

All over.

Elvis Chan:

And so having zero trust architect, I mean, it’s still new, zero trust architecture. NIST really only came out with guidance, 800-207, in 2020, which is the framework. So it’s still really new. And we really rely on the private sector, including your company, to help us still flesh this out. We’re still trying to put this framework together.

Elvis Chan:

So hey, the thing is, you’re going to see the gory details more than I on a daily basis. So being able to help inform the government, “Hey, we really think the framework should include this.” Or, “You really need to consider these things.” So public calls for paper, public calls for input. Any NIST related stuff, I mean, it’s good.

Elvis Chan:

And that’s what we need, because at the end of the day, you don’t want the government dictating this stuff to you. You want to be able to collaborate with the government to make what is a reasonable framework so that everyone can get on board with it and everyone can aspire towards something.

Den Jones:

Yeah. And I think, one of the things I’ve noticed over years, various companies and various attacks, that this idea of, “I might have segmented network, but it’s too costly to really segment it down to the nerdiest grittiest little subnet.”

Den Jones:

So in the end, your office network tends to be a flat network. And then the segmentation is data center labs, conference and equipment or other stuff that you care less about. But that flat network ultimately means that the privileged people also are on that flat network with their regular devices, but then they use those same devices to elevate and get into the data centers.

Den Jones:

So the reality is, I wrote a paper on this, which is, how to turn your office network into a guest network. The reality is, if your office network was just like a guest network and you couldn’t see any peer to peer stuff, all you can do is get to the internet and then from the internet you can get to your apps and services, then all of this lateral movement stuff would really, really be hampered.

Den Jones:

I mean, I always said to my old boss, I’m hesitant to use the word eliminate, but I am really confident that we could almost eliminate lateral movement during a compromise. And as I explained how you would go about it, well like, what steps are required?

Den Jones:

Publishing your applications and the zero trust methodology to begin with. And then, you don’t need to access something via your internal network, because they’re published and you can go via the internet. So for me, that was always, always cool.

Den Jones:

Now, one of the things, I think a lot of people are numb to the fact, in the news, that breaches happen now. I think people hear in the news a breach a day almost, and certainly one a month hits the mainstream media. I look at though, a lot of companies are now judged just on how they communicate to their customers and to the public about the breach.

Den Jones:

So what advice would you have for companies when they are breached on how they communicate to their customers?

Elvis Chan:

No, that’s really important. And I think, obviously there are liability issues. And so if you’re a company with some financial wherewithal, you’re going to have your internal general counsel’s office, you’re going to have a third party, external counsel, and they’re going to help you with the messaging.

Elvis Chan:

However, I would say that the more transparent and honest you can be, the better off you will be. If you’re a publicly traded company being honest with your shareholders, being honest with your stakeholders is really important. And what I find to be the case is, that is actually more reassuring, because at the end of the day, every single organization has been hacked or is being hacked or will be hacked.

Elvis Chan:

And so like SolarWinds case in point, guess what, the FBI, Department of Justice, we’re SolarWinds customers and we were breached just like everyone else. I would say, we had defense in depth. We were able to minimize the amount of lateral movement.

Elvis Chan:

But I think trying to be honest, that’s without having, you’re not giving away the keys of the kingdom, but being able to say very quickly, being able to come out and say, “Hey, on this day, at this time, we became aware that there was a security incident. We are cooperating with the FBI in this matter. And when we can, we will share additional information.”

Elvis Chan:

And then doing a 10-K filing and going through that. But I have found that even though people seem numb to it, they still appreciate honesty. I think people can appreciate when a company spokesperson is being authentic as opposed to CYA.

Den Jones:

Yeah. And it’s funny. I would like to coin this term now, Elvis, three Ts. Timely, Transparent and Trusted. And I think if your communication follows those three Ts… So we should patent that somewhere.

Elvis Chan:

Yeah.

Den Jones:

If you follow that, I think it really helps, because you can see someone is talking BS and they’re not being truthful, you can sniff that a mile away. And one thing that was really good for me, actually going back to the CISO Academy, was, there was a conversation that you participated in with an executive from a company that was willing to share.

Den Jones:

And the whole conversation was really about transparency and trust. And not sharing who the company is, but I know who the company is. And I’ll tell you, after, the way they handled it, people have more trust and respect for that company than ever before.

Den Jones:

And for me, it’s brilliant. I mean, it was just absolutely brilliant. The conversation on how people could share, it’s a hard decision. And like you said, you’ve got legal counsel, both your own plus and external. And it’s not easy. I’ve been involved in discussions and tabletops and real life stuff. And when you’re in the moment and you’re in the event, there’s an adrenaline rush.

Den Jones:

But part of the adrenaline rush is also, you’re trying to stay calm and figure out what the best right move is. And that’s why for us, tabletop exercises in our industry are a really good way to get yourself thinking about it.

Den Jones:

So here’s a couple of silly questions. So you’ve got two US patents or whatever the accent is, are you able to share what those are or anything about those?

Elvis Chan:

Yeah. I mean, those are from my previous career as an engineer. So they’re both in the semiconductor field. And one of the patents is to improve the reliability of copper wiring on chips. So just a different way to put barrier metals because you and I both know, copper it can rust, it can oxidize. So you need to coat it with another, a barrier metal, is what we call it. But just a special technique to coating copper wiring, so that it will be more reliable, that was one thing.

Elvis Chan:

Another thing, the other patent was for, so when you’re forming the copper wiring on these computer chips, there’s a lot of just copper contamination all over the chip. And the problem with that is, copper is conductive, so you can accidentally have copper particles in between copper wires and you can short the wiring.

Elvis Chan:

And so we developed a method just to use regular acidic chemicals in a specific combination to clean off all of that copper contamination. So both of my patents were trying to make computer chips more reliable. I’ve probably lost like 90% of your audience. But, I mean, both of these took like three or four years of my life, so I’m still very proud of those accomplishments.

Den Jones:

Yeah. No, I think anyone that’s got patents to their names, they should always be proud because they’re not easy to get. So one of the things in your FBI role, you’ve specialized, and I think you still do, in election cyber stuff as well as counter-terrorism cyber stuff. So is there any sanitized non-classified juicy details you can share on what you’ve learned during those two endeavors?

Elvis Chan:

Yeah. So I’ll talk about election security because that’s the more recent one. So I was very involved. Our field office, FBI San Francisco, was very involved in helping to protect the US elections in 2020. And I think we can all agree or I think many of us can agree that it was a very safe election. That there was no malign foreign influence. There was mostly not voter fraud, despite what you hear on different outlets.

Elvis Chan:

Chris Krebs, the former director for the Cybersecurity and Infrastructure Security Agency said, he believes this is the safest election ever in the United States. And I agree with him. It was as safe as it could possibly be. That doesn’t mean that we didn’t have a few hiccups and maybe people were registered in two or three counties, things like that. Yes, that happens every year.

Elvis Chan:

But completely different from 2016 where we did not. Even though foreign actors were trying to interfere in our elections, the FBI, the US government working in conjunction with the private sector, as well as with election officials from every single state and protectorate, we were really able to do it.

Elvis Chan:

And you’re going to say, “Hey Elvis, what was the juicy stuff?” The juicy stuff was, we talked with all of these entities I mentioned, regularly, at least on a monthly basis. And right before the election, probably on a weekly basis. If they were seeing anything unusual, if we were seeing anything unusual, sharing intelligence with technology companies, with social media companies, so that they could protect their own platforms. That’s where the FBI and the US government can actually help companies.

Elvis Chan:

So we have all of these investigations, we have all of these methods for collecting intelligence. We share them with you and then you do what you want with them to protect your networks.

Elvis Chan:

If we have an investigation on an advanced persistent threat like APT28 and we’re tracking on them and watching where they’re going, hey, we shared indicators out on multiple occasions with many companies where we saw APT28 activities were going on. So the secret sauce is communication. But I guess that’s not that secret.

Elvis Chan:

It seems obvious, but I’m not going to lie, in 2016, there was not that same level of communications between the US government and the private sector. And then on the other side, in terms of cyber terrorism, people are always wondering like, “What is cyber terrorism, Elvis?”

Elvis Chan:

And so our definition it’s, hacking on behalf of, at the behest of, or in sympathy of a terrorist organization like ISIS or Al-Qaeda or Hezbollah, those are mostly classified conversations that we’re having. But what I can tell all of your listeners is that, right now we don’t think that any of these international terrorist groups have the capability of opening up the floodgates and Folsom Dam or knocking out the power grid in Santa Clara County.

Elvis Chan:

It’s not that they don’t want to do it, it’s just that right now we don’t think they have the capability. All of the counterinsurgency, counter-terrorism efforts, that the United States and its partners around the world, have really been focused on keeping ISIS and terrorist organizations like ISIS on the run, so that they don’t have time to build up this capability.

Den Jones:

Awesome. And I was just thinking of this. So as you were saying that they don’t have the capabilities, but there’s certain geopolitical situations in the world right now. And I think the government’s term is, shields up.

Elvis Chan:

Yes.

Den Jones:

So, you want to explain what’s going on and where the shields need to be up?

Elvis Chan:

Yeah. So Jen Easterly, she’s the current director for CISA, she’s the one who coined that term shields up. She’s a Star Trek fan. She’s a Trekkie, I am myself. So I thought that was a brilliant piece of marketing. Hopefully Gene Roddenberry’s heirs won’t be suing us anytime soon for that one.

Elvis Chan:

But where we in the government are saying, if you are in one of the 17 designated critical infrastructure sectors, of which information technology is one of them, then you need to be more mindful. But I don’t want to freak people out. Where we have seen the most, let’s say cyber reconnaissance activities, specifically from the Russian government, is in the energy sector, in the transportation sector, specifically the part of the transportation sector that distributes energy and then the financial sector. That’s where we’ve seen a lot of heavy reconnaissance from the Russian government, as well as the Chinese government.

Elvis Chan:

The Russian government, I think because they want to do harm to us. I think everyone who’s paying attention to the news knows that the US and its allied countries have put a lot of economic sanctions on the Russians. All of the oligarchs, there’ve been a lot of sanctions going on. I keep saying this and I don’t want to be right, but I know I’m going to be right. At some point, the Russian government Vladimir Putin is going to decide that doing cyber retaliation against the United States and NATO partners, is going to be the way to go.

Elvis Chan:

They’re starting to feel the pain, economically speaking, militarily speaking, and one way that they can really attack us and partner countries is through our infrastructure. We are a very internet connected society and being able to do harm to us, I definitely think that is something that I worry about. And that’s why I’m hoping that the companies listening, they do MFA.

Elvis Chan:

“Hey, let’s do some multifactor authentication, let’s do network segmentation, let’s do user access management.” Those are just three. I know they cost some money, but if you can do those three things, you will take care of the vast majority of the potential vulnerabilities within your organization.

Den Jones:

Yeah. No. And it’s funny, you and I have spoken about this, about just doing the basics right. I mean, I think too many times people try and invest. So the term defense in depth is brilliant, but don’t lose sight of getting the basics right. Having MFA across all the key applications you use.

Den Jones:

And for me in Adobe, we wanted to make it available to all applications. Not even the top ones, because I didn’t want to spend time to figure out what one is a top one. Most people talk about, “Protect the crown jewels.” It’s like, “Well, I don’t have time or want to spend the money to figure out what the crown jewels are. Let’s make all of it be crown jewels and then make sure all of it’s behind the MFA.”

Den Jones:

And then understand, if you’ve got a role, like a server admin or an infrastructure admin, then how you operate within your role regardless of the infrastructure you go to, just assume it’s all critical. And then that means that how you behave is the same every single time.

Den Jones:

So makes it easier for people to know what their role and responsibility is. So as we can get to the end here, couple of things. What would you say still keeps you up at night?

Den Jones:

You’ve experienced a lot of things. I can imagine, not much keeps you up at night. But what keeps you up?

Elvis Chan:

So I mean, the good news is, I do sleep pretty regularly. It was a little stressful when the Russians first invaded Ukraine, because very involved with supporting Ukrainian security services, because a lot of the information that they needed was from the tech sector here in San Francisco.

Elvis Chan:

But I would say that there’s really two things that keep me up at night. And one of them we’ve already talked about, is the Russian government. So not for nothing, Russia has more nuclear weapons than United States does. And so, you want countries to be predictable. Like the United States, we’re always telegraphing what we’re going to say or what we’re going to do, because we want to be predictable. We want to stay in a stable regime.

Elvis Chan:

But right now, you can just see from the news that Russia is not doing as well as they thought they should be in Ukraine. And I’m worried because I know firsthand what their cyber capabilities are and I’m just waiting for a coordinated ransomware attack. They’ve got these Conti guys or these REvil guys under their thumb. And I’m sure that there’s a lot of organizations who have been exploited by these companies, but they haven’t pushed the red button yet to activate the ransomware and lock up people’s data.

Elvis Chan:

I’m really worried about that, coordinated ransomware attacks. That’s my immediate short term concern. What keeps me up at night, that’s a longer, more existential threat, is the Chinese government. So I think in the next five years, the Chinese economy is going to pass the American economy in terms of size.

Elvis Chan:

And so I am really worried about what is it going to look like around the globe when you have a country that’s a one party system, that’s under autocratic control, that is getting to set, that’s getting to dictate, what are the rules of engagement.

Elvis Chan:

And you can already see what the Belt and Road Initiative that the Chinese government is doing. You think you’re getting these sweetheart deals or loans and infrastructure, getting highways and ports getting built. But you’ll find that there’s all of these strings attached. That the loans from the Chinese government or that the strings that the Chinese government is wanting to attach so that you can have increased trade with them, not worth it.

Elvis Chan:

I would say the Chinese government’s really looking to just be transactional. “You give me something, I give you something.” Whereas, we have fallen short here in the United States. I’m not going to lie that we haven’t. But we are aspiring. We’re a country with ideals where we want democracy, we’re looking for a liberal democracy where people are treated with dignity.

Elvis Chan:

And yes, we have fallen short, but I think we are looking to be a transformational country when we’re dealing with other countries as opposed to the Chinese government, which is just looking to be transactional. And so it’s trying to make sure that, like right now, I would say maybe with the way the Chinese government is handling COVID, this is what it looks like when an autocracy is handling a bad situation.

Elvis Chan:

Whereas the American situation it’s been messy, but guess what, I mean, I just read the news that we will have regained all of the jobs that we lost in COVID by August of this year barring all of the inflation and everything else. So I think those are the two things that keep me up at night.

Den Jones:

Awesome. And it’d be concerning if China and Russia decided to partner and work together. I think that would keep me up maybe more than everything else combined.

Den Jones:

So as we wrap, Elvis, one thing. If our listeners took one thing away from our conversation with you today, what would you want to be the take away?

Elvis Chan:

So number one is, if you do not already have a relationship with your friendly FBI office, please reach out. You can look on the fbi.gov website, figure out where your closest field office is and send an email. Say, “Hey, I would like to establish a relationship with the FBI.”

Elvis Chan:

And every field office has a private sector engagement coordinator whose main job is to connect with the private sector. And so depending on what industry you are and what you’re interested in, they will have an FBI employee, most likely an agent or analyst, reach out just to establish a relationship, because at the end of the day, I’m not going to lie, when I get a phone call from a CISO it’s usually Friday afternoon and their hair is completely on fire.

Elvis Chan:

Wouldn’t that be nice to have an established relationship and not have to build up this trust relationship in a minute, on a Friday afternoon right?

Den Jones:

Yeah.

Elvis Chan:

Like me and you, we’ve known each other, God, for how many, six years now?

Den Jones:

Yeah, give or take.

Elvis Chan:

So having that trust that we’ve built up, knowing that I’m not going to screw you if you share information with me, that I’m actually going to help you. That I’m actually going to find, look in our holdings and see if I have indicators to share back with you so that you could do threat hunting. So having that relationship built up is the most important thing.

Den Jones:

Awesome. Awesome. Elvis, thank you very much. I know we’re a little over time, but really appreciate it. Great conversation.

Den Jones:

So everyone, so you heard it from Elvis, if you don’t have a relationship with someone awesome like Elvis, then reach out to the FBI. Use the Google Search in business and you can find a lot of information there.

Den Jones:

So as we wrap up this show, thanks again to Elvis. And folks, thanks for watching and listening. And we’d love to hear some feedback. And then we’ve got some amazing guests around the corner. Some of them are actually going to be some Banyan customers and then some of them are other professionals in the industry. We’re not going to reveal too many names just yet though so stay tuned. Thanks everyone.

Intro/outro:

Thanks for listening. To learn more about Banyan Security and find future episodes of the podcast, please visit us at banyansecurity.io. Special thanks to Urban Punks for providing the music for this episode. You can find their track Summer Silk and all their music at urbanpunks.com.
