“CIA Case Officer, Cyber Entrepreneur, Burning Man Volunteer” – with Mike Susong (Part 2 of 2)
Andrew Hammond: Hi, and welcome to "SpyCast." I'm your host, Dr. Andrew Hammond, historian and curator here at the International Spy Museum in Washington, D.C. "SpyCast's" sole purpose is to educate our listeners about the past, present and future of intelligence and espionage. Every week, through engaging conversations, we explore some aspect of a vast ecosystem that looms beneath the surface of everyday life. We talk to spies, operators, mole hunters, defectors, analysts and authors to explore the stories and secrets, tradecraft and technology of the secret world. We are "SpyCast." Now sit back, relax and enjoy the show.
Andrew Hammond: This week is the second of a two-parter looking at the life and times of Mike Susong. In the first part, we looked at Mike's time working for Uncle Sam, specifically his time with the Central Intelligence Agency. This week, we'll look at Mike's time working intelligence, but in the private sphere. Among other things we discuss - Mike setting up competitive intelligence programs for Fujitsu and Ernst & Young; his co-founding of a cyber threat intelligence company, iSIGHT, and its role as a pioneer in that field; using intelligence to support business decision-making as opposed to national security decision-making; and last but not least, what drew Mike to the annual gathering of avant-garde free spirits in the Nevada desert called Burning Man. And as Mike says, don't Google it from your work computer.
Mike Susong: After the government service, I went into a - still is - but at that time, kind of an emerging field of intelligence in the private sector - competitive intelligence. And I worked with two corporations to build competitive intelligence programs for them. And again, as I said earlier, I want to emphasize that's the ethical application of certain aspects of the intelligence cycle to support a business decision. So this was more on the analysis piece - some on collection. And certainly, when you start to speak of collection within a private sector environment, you have to have clear, bright lines about what is and is not, you know, acceptable.
Mike Susong: The dilemma is, if I can get on a soapbox just for a moment, is the rules and the latitude you're given in support, in pursuit of national security policy - cover, deception, international laws that are not observed - obviously are completely off the table when you work for a corporation. And so you're applying, really, the analytical process - red-teaming, mirroring, looking at a problem from your business competitor's point of view and applying that to your client. So that was the transition - competitive intelligence - which was arguably the first step of intelligence into the private sector community. That was what was first really accepted. You looked at corporations that had long R&D cycles or high-value intellectual property. And they were the first ones to really appreciate intelligence as a function within a corporation. So you think of pharmaceutical companies or high-tech companies - were one of the early adopters.
Andrew Hammond: And you set up your own business or you go to work for a corporation or...
Mike Susong: Well, initially, I went to work for two corporations and work - set up their competitive intelligence programs. And then, to your point, had the opportunity in the mid-2000s - 2007 - with a colleague to start a private company.
Andrew Hammond: The two companies that you were involved in developing their threat intelligence - what were they again?
Mike Susong: Oh, it was Fujitsu Limited in Tokyo and then Ernst & Young.
Andrew Hammond: Ernst & Young.
Mike Susong: So a consultancy and then a high-tech...
Andrew Hammond: Wow.
Mike Susong: ...Corporation.
Andrew Hammond: And tell us a bit more about the company that you were involved in setting up.
Mike Susong: Certainly. Quite proud of that.
Andrew Hammond: iSIGHT?
Mike Susong: iSIGHT Partners. That's correct. Started in '07. We were clever enough to target the financial market as our clients right when there was the financial crash (laughter). So we had an opportunity to adjust and learn the broader market more quickly. But we formed iSIGHT Partners, which is a cyber threat intelligence company in, I would suggest - it was that evolution of intelligence within the corporate world when we formed iSIGHT. See, you hear the expression now quite commonly within cyber - CTI, cyber threat intelligence - but I would argue that iSIGHT was the first one. We applied intelligence principles...
Andrew Hammond: Wow.
Mike Susong: ...To the problems, whether it was malware, reverse engineering, whether it was the underground, the deep and dark web - and operating in forums with cybercriminals to identify either tools, techniques and procedures that they were using against organizations.
Andrew Hammond: Wow. The "SpyCast" episode that was on the Microsoft Threat Intelligence Center - they were real interesting. I spent a bit talking about recruiting (laughter) assets. It was a year to get them to commit to it but - it's (laughter) certainly much less significant than founding iSIGHT, but I'm proud of getting Microsoft to commit to doing the podcast. But I think that threat - cyber threat intelligence and threat intelligence are really, really fascinating.
Mike Susong: To your credit, the Microsoft program is a very good program, and so that was a good podcast. I'll encourage the listeners to listen to it.
Andrew Hammond: (Laughter) I'm flattered that you listen to it.
Mike Susong: Of course I do.
Andrew Hammond: And tell us a bit more about that. Was that one of those things where afterwards, you look back and you think to yourself, wow, I guess I was involved in the development of this whole new thing, threat intelligence? Or was it more at the beginning, here's threat intelligence; we need to apply this to corporations? Was it something that you started with or was it something that you ended up with?
Mike Susong: I guess one of the points of being an entrepreneur is you kind of have to have an unwavering belief in your idea. That's both a detriment and a benefit because in the back of your mind, you keep wanting to say - especially with my background - is, I don't want to be applying something that I truly believe in my heart - the intelligence process - either to a market or to a time that it's just not ready for. So in the end, you know, it all worked out well. And the marketplace - certainly cyber threat intelligence, as the Microsoft Center demonstrates - it is certainly - the time has come.
Mike Susong: I'll take - if you'll give me just a moment to digress, is when I mentioned about the competitive intelligence being formed, then really the next step was geopolitical risk. So you had companies that formed right after 9/11. The world transformed itself. And corporations, suddenly, who had not really concerned themselves with all those variables - of protests, threat actors, typhoons affecting supply chain - because again, at this time, the world was flattening. You know, supply chains were being distributed globally. So then there was that second phase of private sector intelligence, and that was the geopolitical piece. And then, as we're talking now, the cyber threat intelligence piece is cyber became more prominent within the way corporations wanted and had to do business. So also, it opened up the attack vector, to use the phrase, of companies into the cyberspace. So it was inevitable. When - to your question, when you're founding a company, you don't know if you're early or late.
Andrew Hammond: OK. That's quite interesting. So you're saying that when the Cold War ends, and with processes of globalization and supply chains and markets expanding, then, all of a sudden, maybe, for example, in the '50s and '60s, you didn't have to worry about geopolitical risk as much. But if you have a factory in country X or you're sourcing material from country Y, then, all of a sudden, geopolitical risk has more implications for the company and for the bottom line. So therefore, it becomes more important. Is that right?
Mike Susong: It's absolutely critical. And I think we're living through the, you know, supply chain disruptions of COVID, which is a testament to the fact that almost every supply chain is global, whether it's arbitrage on currency or the availability of a workforce in another country. You may be making farm equipment in the Midwest, or that may be where your headquarter is, but your supply chain, your biggest customers, your workforce is global. And so those companies, then and today, begin to realize, oh, well, I need to know what's going on. Is country X about to be, you know, nationalized? Or is there a workforce that we use in a country that's maybe an ethnic minority, and the country is - has had a change of government and they're turning their attention against that ethnic group? And suddenly, I lose a workforce. And I don't want to sound as cavalier that the company only cares that they lose a workforce. But it would have, you know, a direct impact on them in a country where - maybe somebody in the back office in the Midwest wouldn't even know where it was on the map.
Andrew Hammond: Wow. That's fascinating. So we've got geopolitical risk, but at the same time, cyber and the internet - this is all developing at the same time. So not only are - is your factory or your - or the place where you get raw products from - that's not just a factor. But now the battle lines are redrawn because, rather than someone having to cross the world, break into a corporate headquarters in the Midwest and steal information out of a safe, now you can sit in the luxury of a computer bank somewhere in another country. And you can get access to the same information. So the battle lines have been redrawn, really, for you.
Andrew Hammond: I just wondered if you had any thoughts on that because that - is that what's happened, then? Now it's not just about geopolitical risk, but it's also about - the battle lines have come to your front door, have come into your corporation because you're connected up to the internet.
Mike Susong: It absolutely has. You know, I'll hearken to one of my favorite Bond films. In "Skyfall," that's what made that villain so believable - is the tool was cyber and the manipulation of the network to nefarious means. But nonetheless, any corporation has that exposure now, you know, whether we have a discussion about ransomware or just securing data within one country that may have privacy concerns about that information flowing to another country. It's completely fundamental to the way businesses operate now, and so cyber is front and center.
Mike Susong: And to your point, how that information is secured or how it's stolen is virtual. And, you know, we could have a whole conversation about the extrajurisdictional (ph) pursuit of someone. In some places, it's not a crime. Or in some places - or it may be a crime, and that country is actually supportive of the U.S. or another country pursuing it. And there's been occasion I've bought gasoline for police cars to drive to the town where we think the cyber actor was operating. So it's not that they don't want to support it. But it's either they have bigger problems, or it's just not within their capacity to have a robust counter-cyber force.
Andrew Hammond: Wow. And can you give us an example of some of this that would maybe just make it more tangible for our listeners?
Mike Susong: One thing I would say about ransomware, since we touched on that just a moment ago, is - and a lot of the questions are - is, why suddenly ransomware? And just I'll make two points on there. You can look at ransomware as, really, a kidnapping and ransom event, but it's just using cyber. To your - to the earlier point that you made, that's what it is. It's a ransom event. It just happens to be you pay in cryptocurrency, and they - instead of releasing the individual, they're releasing your data back to you.
Mike Susong: So that's the way you should frame that problem. And that's the way corporations should look at that problem. Just like you would have an armored vehicle and maybe a security driver for your principal if they're traveling in a high-risk area, you should be doing the equivalent to secure your - the critical nodes of your network. And if you're not, you've exposed yourself.
Mike Susong: The other piece of that is I believe the reason ransomware is so prevalent now is - I refer to the speed of monetization. The speed of monetization for a ransomware event is days, rarely more than weeks, whereas previously, if you looked at e-criminals, they would breach a network. If they were able to maybe steal credit card numbers, then you start the whole process of it, whether, if you do it old school, you clone the credit cards or you clone the ATM cards and then you - $200 at a time, you withdraw money out of an ATM machine. And then that money gets passed off to the e-criminal. And the mule who stands at the ATM machine gets a percentage - or even if it was still an intellectual property, maybe something that could be sold in a secondary market or, worst case, to a competitor.
Mike Susong: All those things still took time, and there were various players, and there were chances of being compromised or interdicted by law enforcement. Speed to monetization with ransomware is - I lock down your network and encrypt access to it, and you're dead in the water until you pay the ransom. And then when you pay the ransom and the cybercurrency is transferred, I'm in the money. So I think that's one of the high motivations for the e-criminals to pursue this method.
Andrew Hammond: We'll be right back after this.
Andrew Hammond: Tell us a little bit more about iSIGHT. What would be an example of what it would do? So say I'm a company. And I come along, and I reach out to you. What services are you providing? How do you go about providing them?
Mike Susong: Good question. We were able to work - kind of work across the spectrum of the cyberthreat. If you look at - it was probably brought up during your Microsoft visit. If you look at vulnerabilities in the parlance, it's zero days. A zero-day would be a software flaw that's not been reported across the network. So if I, as the criminal, know about that flaw - even though I'm a conscientious corporation, I don't know there's a hole in my network. So the zero-day is very valuable. So we would either pursue zero days by doing software analysis and finding that hole. Or we would be working in the electronic underground, where obviously that's the coin of the realm for the criminal, to find a zero-day. So if we could find a zero-day in the underground, do our own analysis to make sure that it did, in fact, function as advertised and then make the IT security industry aware of that vulnerability, it could be patched. So that would be one thing. So a second piece would be - is attribution. Let's say the network was, in fact, breached by e-criminals. We would work with either a breach responder - now Mandiant is our partner for iSIGHT - who would actually go in and do a diagnostic of the network to see what had happened. When that happens, you can look at - it's like fingerprints, you know? Or certain criminals use certain techniques. You then start to see those signatures. And let's say - I don't want to get too geeky here. But say the criminals go into a network, and they tend to always try to find a place in the HR server because nobody ever looks there. And then they use that as kind of their springboard within the rest of the network. If we see those early indicators, we can much more quickly help the enterprise find out what happened. Maybe that particular group always likes intellectual property, whereas another group likes to steal credit cards, whereas another group is actually just surveying the network for maybe an exploit later. It helps the corporation get back on track much sooner.
Andrew Hammond: And how did you come up with this idea, you know, as an entrepreneur? Did you have the skill set to do this yourself? Or did you have the idea and think, I need to get people that can rummage around on the dark web or look for zero days and so forth? Is that something that you'd done? Or was it, this is something that needs to happen, and I've got the idea and now we need to get people that can apply this?
Mike Susong: Yeah, it was the latter. I certainly don't have any corner on wisdom. I consider myself smart enough in - across the broad spectrum of the skills that we need. But no, it was - end of the day, it was 380 people that - all those skills, different skills, were what made the corporation successful. As I joke, you know, you have the guys in the dark room who you feed on Mountain Dew and bean dip. And they can reverse engineer anything. And they can see exactly how something was coded or why it was built a certain way. And those skills are invaluable. At the same time, I would add, is - and again, in respect to all my colleagues who have high technical skills, you then have to articulate that risk in business terms.
Andrew Hammond: Yeah.
Mike Susong: And I think that's where iSIGHT Partners was successful and where any intelligence capability within the corporate world has to really make sure they can do that is, why does a business leader need to know that? What can they do about it? I joke that if you come from the government, you come from a moneyless society. There's certainly money there, but you don't have to meet shareholder intent quarter to quarter. And so you have to make sure you phrase what you bring from intelligence to your business client in those terms.
Andrew Hammond: One of the things that you often hear about with ransomware and other cyberattacks, you always hear of, with links to government X or with links to government Y or intelligence service Z. For our listeners, help them understand the threat landscape out there. Is it, like, 95% of all of the stuff is basically just a once or twice-removed arm of the Chinese government or some other government or are there, like, big actors out there playing the game for themselves? So as the - I don't know if anyone's thought of this before, but I think it's quite a neat idea is there are, like, five families, you know, mafia-style network of cybercriminals. Are there - help us understand that. Is it mainly nation-states that are doing this? Or is it rogue companies? Or are there organized criminal elements out there playing the game for themselves?
Mike Susong: It's all of the above, but I'll go into detail. If I categorize cyber threat actors in categories, I would say nation-states - and we'll go into a bit more detail - e-criminals - and, again, we'll characterize what those groups look like - hacktivists - if you want to think of Anonymous and some other groups that are motivated by political activities - and then a category that's kind of neither fish nor fowl. It may be groups that are acting in support of a nation-state, but they're also probably - fund themselves through e-criminal activity. So you kind of have this landscape of those groups.
Mike Susong: Nation-state actors - if you want to characterize their efforts, usually you would refer to it as low and slow. They're pursuing their national strategies, and so they don't need to go in and proverbially break the glass of the jewel case and steal the diamonds to monetize them. In one way, they're the most insidious threat because they'll be harder to detect. They're playing the long game. As I mentioned earlier, maybe their objective is just to go in and surveil the network, know how it operates and then know what vulnerabilities are. And then they remove themselves, and there's little or no indication of that. So that's pervasive, whether it's infrastructure, dams, the electric power grid, financial institution or whether it's targeting a particular American or other company that has intellectual property that that nation-state wants to maybe make a technological leap of. So that would be how I would be - characterize those groups.
Mike Susong: Correction - the e-criminals we kind of spoke to, I would say that early on, a lot of the talent - and it's still arguable today - came out of the former Soviet Union system that had high value in STEM skills, hard science skills. Certainly, when they went through the tumultuous time in the '90s, and people, legitimate citizens with legitimate hard science skills, weren't able to feed their families or buy a pair of shoes, and then they had the opportunity to apply their skills to write malware. You know, I'm certainly not defending the actors. But when you think of the talent that now has evolved in that area, you can see why it happened. And to your question, I think I would call it organizing crime. It's probably not owned by identifiable criminal groups, per se, but they certainly use the tools. They certainly then will employ a hacktivist team or a group to pursue criminal activities on their part.
Andrew Hammond: Wow. It's a really fascinating space. And do you think that for, say, corporations out there or for Joe or Gen Q public, what are the things that they need to worry about? Is it the nation-state actors? Is it the e-criminals? Is it the hacktivists or all of the above, to some extent?
Mike Susong: It's the e-criminal, from my point of view, and we used to call it cyber hygiene. It's just good awareness of what your password is, where you keep it, who you give information to, whether it's through a text or go old school over the phone, as well as just being aware of clicking on a link. You know, it's almost always the simplest things that are the problems, but a link in a document or in a text that may be the malware or the pathway in for the criminal. So again, it's God and apple pie. It's just doing what you should do every single day.
Andrew Hammond: Wow. That's really, really interesting. And tell us a little bit more about some of the other things that you've been involved in - so iSIGHT, and I believe that that company was sold on to FireEye, right?
Mike Susong: That's correct. Afterwards, that's when I then shifted gears again. It hurts that I can't keep a job, but - to the geopolitical space. And that's where I joined - what was then iJET is now part of GardaWorld, Crisis24. And we do the geopolitical analysis for about 1,200 clients around the world.
Andrew Hammond: And are those clients mainly corporations or governments or individuals or all of the above?
Mike Susong: All of the above, primarily corporations, although we have a significant number of NGOs, as you can imagine. They're doing great work, and they work in areas that more than likely are more risky. You know, as we look on the news, unfortunately, with the - with individuals who were kidnapped in Haiti yesterday. So we work with NGOs, as well, and they have the same concerns. Is it safe for us to travel down this road? Should we be concerned about operating in this country? What's their attitude towards our mission? And the corporations obviously have bigger-picture issues about - if they're in the extraction business, are we operating in the right part of this country? And, as you can imagine, in some parts of the world where it's tumultuous, are we affiliated with the right group that - you know, warlord that has control over this area, you know? And are we still operating within the good principles of international corporate rules?
Andrew Hammond: Wow. And, you know, you're probably better placed than anybody to answer this question. Does all of these - do all of these technological changes not mean the death of traditional espionage, but - help us understand some of the ways that they may impact it. So human intelligence operations - I'm thinking of - about, in some places, constant surveillance, facial recognition. There's all these really sophisticated ways that you can keep track on people or even the types of people that can maybe join the intelligence agencies because there's hardly anyone from Gen Z out there that doesn't have an image somewhere on the internet with their real name attached to it. So there's all of these technological changes. But as someone that used to be a spec yourself but is now heavily involved in tech, help us understand some of the things that you have maybe thought about over the years, like thinking back on being a case officer and some of the things that are happening now.
Mike Susong: It's a challenge that certainly the intelligence community of every service is dealing with today. And we alluded to it earlier before. It's been a benefit and a curse. Certainly your digital profile has to be far more carefully curated. And to your point, I don't want to sound - about speaking of a younger generation, but it is true that there is more of a - I would call it digital exhaust. I mean, every time you've - you affiliated with a network as you walk down the street, that's a record of you having been there at that point in time and how long that is kept.
Mike Susong: So to your point, it has enabled some technological advances so that the danger and the risk and the countersurveillance of meeting on that street corner has been removed. You can have the virtual meeting. I don't think we've resorted to having Zoom calls with our assets. But at the same time, it is a challenge to, how do you pass through - across borders with facial recognition or imagery of your other activities available? So it's a real challenge. But I will say that the - still, the principles behind good tradecraft still allow us to operate globally. And it was - and with every operation, you have to adjust.
Andrew Hammond: Just changing tack a little bit. Tell us about Burning Man.
Mike Susong: OK.
Andrew Hammond: I find that quite interesting (laughter).
Mike Susong: That's quite a shift. To those of you who are familiar with Burning Man, it's an annual art event in the desert in Nevada - 70,000 participants. I would caution our listeners not to Google Burning Man on the work computer because it's a very avant-garde, free-spirited event.
Andrew Hammond: (Laughter).
Mike Susong: I had the opportunity to be what's referred to as a Black Rock Ranger. Black Rock is the portion of the Nevada desert where Burning Man is held. The Black Rock Rangers are not security personnel, but we're there to help the participants be safe, whether it's, you know, barking your shins on your tent stake as you're setting it up or something more serious. But I would - one thing that drew me to that - maybe, Dr. Hammond, back to your earlier point about me looking for new opportunities - is Burning Man's a social experiment where 70,000 people show up in the desert. It's - you bring everything you must bring with you - water, food, everything. And when they leave, they leave without a trace. To the credit of the event, it - the ground is swept clean. But the opportunity to see some of the creative artistic talent that is there is really amazing. So it was - again, it was another opportunity to take part in a social experiment that's been going on for decades, but to be as an observer. Maybe that's my case officer skills - it was to be an observer. The motto was safety third.
Mike Susong: People are going to have a good time. They were all adults. They should take care of themselves. If it really got bad, then the Black Rock Rangers would try to help them out of a bad spot (laughter).
Andrew Hammond: I've often thought to myself that it would be - I think it would be a good thing for the IC to have some kind of Burning Man event because it's like you're shaking off the mundanity and the conformity of everyday life. And, like you say, people are thinking avant-garde or thinking outside the box. And, sure, maybe for every success there's nine dead ends. But at least they're thinking and experimenting. You could - do you think you can make an argument that that's where the IC needs to go a little bit more?
Mike Susong: I definitely think the IC needs to go to Burning Man.
Andrew Hammond: OK.
Mike Susong: No, but it's a great experience. And to your point, is - there's a lot of talent. And you see a lot of creative things. And although some might think this is a bacchanal, it's actually very well organized, and people are - people have a great time. I don't want to argue otherwise. Fact is, there'll be 1,200 aircraft land and depart Burning Man, and immediately, that's when the glitterata (ph) arrives for just a few days. But it's quite an event, and I think it'll reoccur next year in the desert.
Andrew Hammond: How many times have you been a Black Rock Ranger?
Mike Susong: Well, it's - you have to have attended Burning Man four times.
Andrew Hammond: OK.
Mike Susong: So more recently, the last - you know, we didn't have Burning Man last year because it was virtual. So...
Andrew Hammond: So you've attended as a participant?
Mike Susong: Yes, yes.
Andrew Hammond: Oh, wow. OK.
Mike Susong: So they have a vetting - actually, they have, again, a very organized training process. Again, this all seems counterintuitive to having a discussion about Burning Man, but it's enjoyable.
Andrew Hammond: (Laughter) Well, again, I think that one of the things that's interesting about that to me is that, to me, that speaks to something about you. I know you're being humble and stuff, but, yeah, not everybody that has had the experiences you have had would be willing to go to the desert and mix it up with a bunch of kind of avant-garde, kind of free spirits.
Mike Susong: They certainly are. But, without drawing too hard of a comparison, if you think of a case officer, he or she has to interact with whomever that other asset is, regardless of their cultural background or their philosophies or their points of view. So maybe the Farm trained me to be a good Black Rock Ranger.
Andrew Hammond: Does some of this, you think, go back to - you said that you're really interested in cultures and people and the way that people exchange meaning and so forth. Do you think that Burning Man's a good example of that, as well as the world of espionage?
Mike Susong: I think it really is because, as I said, you'll find a spectrum of people from all over the world come to Burning Man and participate. And it's a big community, so...
Andrew Hammond: I think I've covered most of the ground that I wanted to speak about today. I feel like we could come back and maybe explore some more stuff in a future podcast. But for this one, do you think that there's anything that - are there any important ingredients that I should have been incorporating into the dish that I've left out?
Mike Susong: No, I think you've - thank you very much for the opportunity. I think you did a great job of covering my misspent youth and the opportunity to speak with you today. I think the next phase, if you will, is the role of open source intelligence and AI in that space. And that's where I probably spend my focus today, is how that's going to evolve - once again, both on the government side, IC side, as well as the private sector.
Andrew Hammond: Well, thanks. Thanks ever so much. It's been a pleasure to speak to you and to hear more about your story. Thanks so much for sharing it with me.
Mike Susong: Thank you for today. And I encourage everyone to both listen to "SpyCast," as well as come and visit the International Spy Museum.
Andrew Hammond: Thank you.
Andrew Hammond: Thanks for listening to this episode of "SpyCast." Go to our webpage, where you can find links to further resources, detailed show notes and full transcripts. We have over 500 episodes in our back catalog for you to explore. Please follow the show on Twitter @INTLSpyCast and share your favorite quotes and insights or start a conversation. If you have any additional feedback, please email us at firstname.lastname@example.org. I'm your host, Dr. Andrew Hammond, and you can connect with me on LinkedIn or follow me on Twitter @spyhistorian.
Andrew Hammond: This show is brought to you from the home of the world's preeminent collection of intelligence- and espionage-related artifacts, the International Spy Museum. The "SpyCast" team includes Mike Mincey and Memphis Vaughn III. See you for next week's show.