An FBI Operative’s Guide to Cybersecurity, Deepfakes, and Modern Spycraft with Eric O’Neill | [Sidecar Sync Episode 129]
Mallory Mejias, April 13, 2026
Summary:
In this interview edition of Sidecar Sync, Mallory sits down with Eric O’Neill—former FBI counterintelligence operative, attorney, cybersecurity expert, and founder of The Georgetown Group and NeXasure AI—whose career has spanned undercover FBI work, national security law, and advising organizations on how to defend themselves against modern cyber threats. Eric shares stories from the extraordinary operation that led to the capture of Robert Hanssen, the longtime FBI agent who spied for Russia and became one of the most damaging spies in U.S. history, a case that later inspired the film Breach. From there, the conversation turns to how cybercriminals really operate, why associations and other small organizations are often the easiest targets, and how AI is accelerating everything from phishing and ransomware to deepfakes and large-scale deception. Eric also offers practical steps leaders can take right now to protect their teams, data, and trust.
Connect with Eric O’Neill
Website: https://ericoneill.net
Newsletter: https://ericoneill.net/newsletter/
Book: https://ericoneill.net/books/spies_and_lies/
Timestamps:
0:00 - Meet Eric O’Neill
1:58 - Eric’s Spy Hunter Origin Story
10:17 - Why Cybercrime Is a Global Powerhouse
14:34 - There Are No Hackers, Only Spies
16:41 - How AI Supercharges Cyberattacks
21:13 - Why Associations Are Easy Targets
28:46 - The PAID Framework for Cyber Defense
33:46 - Spotting Red Flags Before You Click
38:41 - Human Safeguards Against Deepfakes
43:31 - What Leaders Should Do Right Now
46:36 - Identity Protection in the Age of Cybercrime
49:40 - What’s Next in Cybersecurity
🛠 AI Tools and Resources Mentioned in This Episode:
ChatGPT ➔ https://openai.com/chatgpt
Sora ➔ https://openai.com/sora
More about Your Hosts:
Amith Nagarajan is the Chairman of Blue Cypress 🔗 https://BlueCypress.io, a family of purpose-driven companies and proud practitioners of Conscious Capitalism. The Blue Cypress companies focus on helping associations, non-profits, and other purpose-driven organizations achieve long-term success. Amith is also an active early-stage investor in B2B SaaS companies. He’s had the good fortune of nearly three decades of success as an entrepreneur and enjoys helping others in their journey.
📣 Follow Amith on LinkedIn:
https://linkedin.com/amithnagarajan
Mallory Mejias is passionate about creating opportunities for association professionals to learn, grow, and better serve their members using artificial intelligence. She enjoys blending creativity and innovation to produce fresh, meaningful content for the association space.
📣 Follow Mallory on Linkedin:
https://linkedin.com/mallorymejias
Read the Transcript
🤖 Please note this transcript was generated using (you guessed it) AI, so please excuse any errors 🤖
[00:00:00:14 - 00:00:09:17]
Mallory
Welcome to the Sidecar Sync Podcast, your home for all things innovation, artificial intelligence and associations.
[00:00:09:17 - 00:00:47:17]
Mallory
I'm one of your hosts along with Amith Nagarajan and you all are in for a treat with today's interview edition of the Sidecar Sync. If you think cybersecurity is just an IT problem, well, this episode might just change your mind because according to our guest today, cybercrime isn't just growing. It's already potentially the third largest economy in the world and the people behind it, they're not hackers like you might think. They're trained like spies.
[00:00:48:23 - 00:01:14:17]
Mallory
In this episode, we are joined by Eric O'Neill, former FBI counterintelligence operative, cybersecurity expert, and the man who helped catch one of the most damaging spies in US history. Now he's focused on helping organizations protect themselves in a world where AI is accelerating cyberattacks, deepfakes are eroding trust and, in his words, trust itself is becoming an uncommon commodity.
[00:01:15:20 - 00:01:29:17]
Mallory
In this episode, we talk about how cybercriminals actually operate, why small organizations (hello, associations) are often the easiest targets, and what you can do right now to protect your team, your data, and your members.
[00:01:30:19 - 00:01:38:01]
Mallory
Plus, some of the stories in this episode honestly sound like they came straight out of a movie because in his case, they actually did.
[00:01:39:09 - 00:01:56:14]
Mallory
Everyone, I've had the honor of interviewing many guests on the Sidecar Sync podcast and every now and then there's an episode, an interview that I just keep thinking about days after, weeks after, months after, and this interview is certainly one of those. You all are in for a treat for this conversation with Eric O'Neill. Please enjoy.
[00:01:56:14 - 00:02:09:13]
Mallory
O'Neill, thank you so much for joining us on the Sidecar Sync podcast. You have an incredibly interesting background that I think will be highly relevant for the Sidecar Sync audience. How are you doing today?
[00:02:09:13 - 00:02:23:12]
Speaker 8
Mallory, I am doing spectacular, and it is great to be here on the podcast with you to talk to your audience and hopefully push the envelope a little bit to help everybody stay safe in an often dizzying world of cybercrime.
[00:02:23:12 - 00:02:44:21]
Mallory
I love it. We like to push the envelope here on the podcast, so I'm excited to do that with you over the next 45 minutes or so. Eric, you have had a career that spans FBI counterintelligence, national security law, and now cybersecurity and AI. I'm hoping you can give our listeners a little bit of a sense of your background and how you ended up in this world right now.
[00:02:44:21 - 00:04:13:19]
Speaker 8
Certainly. Well, here's just the Cliff Notes version. My career really started in the FBI. I was an undercover operative responsible for counterintelligence, the science of catching spies, and counterterrorism, which is kind of obvious, stopping terrorists. I went from a career in the FBI with my final case, which was going undercover in the most unique case the FBI I think has ever run, catching the most damaging spy in US history, in FBI headquarters, going undercover as myself. It is as crazy a story as it sounds. It was such a good story because I won, because I caught the guy, that it became the topic for the movie "Breach," which is a Universal movie about me. And also my first book, "Gray Day," which is my story. So if you're real interested in my story after this podcast, read the book first, then go watch the movie and you'll see where Hollywood played a little bit with the truth. I left the FBI pretty much after that case. I finished law school and I became a national security attorney focusing on government affairs, government contracts, and internal investigations of companies, which was something I'm really good at. If everyone asked, "What really are you? The one thing you'd call yourself, what would it be?" And I'd say, "An investigator." From law school and then working in a career as an attorney at one of the biggest firms, I started my own company called the Georgetown Group that does internal investigations and competitive intelligence work.
[00:04:14:20 - 00:04:55:17]
Speaker 8
I became a national, international keynote speaker, mostly speaking about cybersecurity, but I got this great keynote about fulfilling your dreams. It really uses the Hanssen story, the heck catching that spy story in order to do it. I am the author of my first book and then my second book, which just came out, is "Spies, Lies, and Cybercrime," which is like a manual for how to protect yourself against cyber attacks that reads like a spy thriller. From there, I'm launching into my new company, NeXasure, which does cybersecurity advisory and a technology company that has this great tool to protect companies from cyber attacks.
[00:04:55:17 - 00:05:32:17]
Mallory
Wow. What a fantastic career, Eric. I've got to say, one of my guilty indulgences is reality TV at times. I don't even know if I've seen a storyline quite as dramatic in reality TV as you having to catch Robert Hanssen as a young early career professional in the FBI. Can you just give us, take us briefly into that experience. This is not what the episode is about, but when I saw that in your bio, I went down a rabbit hole, I went to Wikipedia, I started reading all these articles of what that was like. Are there any lessons that you learned from that portion of your life that you take with you today?
[00:05:32:17 - 00:06:10:18]
Speaker 8
Certainly. Oh, yes. So just a little bit of a background on the case. Robert Hanssen was a decorated FBI supervisory special agent. So he was sort of the top tier in the agent class. He had been decorated. He had been the top analyst against Russia back when it was the Soviet Union all the way through the Russian Federation. He was brilliant at synthesizing data and hunting spies. That was his job. He was also Russia's top asset in the entire US intelligence community for 22 years. So for 22 of his 25 years in the FBI, he was the top spy for Russia and also the top spy hunter for the US,
[00:06:11:20 - 00:07:18:03]
Speaker 8
which means that he was hunting himself. Best place in the world if you're going to be a spy. And it wasn't until the very end of his career right before he was going to retire that a former KGB intelligence officer sold him out, had some information that he had no clue pointed toward Robert Hanssen or even where in the intelligence community this mole was, could be the FBI, NSA, CIA. We didn't even know we'd been hunting this person for 22 years on the other side as well. But Hanssen, when that information got sold by the former KGB, it pointed right to him and hearts fell on the FBI because this guy was within the entire circle of trust. And he had exploited computer systems at the FBI that were never built to defend from a trusted insider. So what does the FBI do? They create the best mousetrap. Hanssen had to be brought back from where he was at the State Department as a liaison at that point into FBI headquarters, giving him his dream job so he wouldn't retire and believe that he was given a job that was necessary based on his skills. They put him in charge of building cybersecurity for the FBI,
[00:07:19:03 - 00:08:30:20]
Speaker 8
which is pretty brave, right? That you take our first big national cyber spy and put him in charge of building cybersecurity for the premier investigative agency on Earth. But they had to sell something that he would believe was true. Right. They had to fool him and give him access to data because the goal was to catch him making another drop to the Russians so we could have a slam dunk case against him. And then they looked around the FBI for apparently the only person who knew how to catch a spy and turn on a computer. And that happened to be this guy. So very young and untrained to do this. They threw me in the office with him and hoped I won. And I did. I managed to do it despite everything being stacked against me. And to get back to your original question, Mallory, one thing that I learned is that if you only do good enough, you'll never get anywhere. So for the beginning of the case, for a good part of the case, undercover, I was desperately just trying not to lose. And I realized after some point that just trying not to get made, just trying not to let this guy know that this is an investigation, that this isn't a real job, which was an immense amount of work,
[00:08:31:24 - 00:08:59:17]
Speaker 8
wasn't ever going to get me to winning. To win, I had to take risk. I had to actively pursue the case. I had to push back on Hanssen. And once I started doing that tactically, I started to win. And that is how I won that case. Because had I not started pushing back on Hanssen, actively pursuing the case and taking some risk, I would have never learned where that information was that led us to catching him red-handed in that final drop to the Russians.
[00:09:01:05 - 00:09:15:21]
Mallory
Wow. I'm so glad we briefly talked about this on the pod. In my other life, Eric, I'm also an actor and I can 100 percent see why someone hearing or reading that story thought, ah, this would this would be great for the big screen. It's almost unbelievable. And I can't believe that that was your life.
[00:09:15:21 - 00:09:40:17]
Speaker 8
Well, you know, it's interesting you say actor, a very good friend of mine is Ryan Phillippe, who played me in the movie Breach. He and I are the same age. You know, we really bonded on set and we've continued our friendship what is like 20 years now since Breach came out almost. And we just did an interview that we did together, just the two of us. We YouTube did. And you can see it if you subscribe to my newsletter.
[00:09:41:17 - 00:10:17:02]
Speaker 8
And the question was, could a Hollywood actor become a spy hunter and could a spy hunter become a Hollywood actor with the idea that so much of what we both do in our disciplines is improvisation. When you're working undercover, there's no script. You need to figure it out as you go. And when you're an actor, if you really want to be true to the role, it can't just be reading lines. It has to be interpreting lines, improvising. Right. And, you know, it was a great discussion. And it turns out, I think he probably could have done my role a little easier than I could have done his role by the end of it.
[00:10:17:02 - 00:10:50:08]
Mallory
I'd say you never know. And funny enough, when I was little, I always used to say when I grow up, I want to be an actor, I want to be a spy. So I very much see how they're intertwined, the improvising, the living in another space that's maybe not completely your own. OK, well, that is fascinating, Eric. Thank you for sharing that piece of your background. I want to jump into, of course, cybersecurity and cybercrime. You've said that cybercrime is now the third largest economy in the world. Can you help put that in perspective for us? And what does that mean for everyday organizations?
[00:10:50:08 - 00:12:21:09]
Speaker 8
Certainly. So by many different metrics, of course, it's hard to put an exact number. Dark Web cybercrime. So that is cybercrime that is flowing through the dark web, which is a system of anonymous servers that exists all over the earth in a lot of places that have no cybercrime law, actual private islands, partitions of servers for legitimate companies that are stolen and the companies have no idea and are connected to the dark web. And it is impossible for law enforcement to shut down. In order to shut it down, you'd have to kill the Internet. Nobody wants that. Dark Web cybercrimes, these are cybercrime syndicates, gangs and attackers who are using the dark web to hide their identity and receive funding through cryptocurrency, have been launching attacks at an exponentially growing rate. The current amount of cybercrime flowing through the dark web surpasses 12 trillion dollars a year. That's a lot of money. That's a lot of your and my and everybody else's money going into the pockets of cybercrime. And what happens is the more money they make, the more it encourages others to join the ranks of cybercriminals, because look, you make a ton of money. There's very little chance you're going to get arrested and it's tax free. Right. You're not telling anybody in an agency that you're making this money. So it is the new biggest growing crime on earth. And part of the reason for it is that they get away with it and we become susceptible to it.
[00:12:22:10 - 00:13:45:14]
Speaker 8
What cybercriminals are doing in order to grow this amount of cybercrime is they are learning from spies. So always gets back to spies. The top tier adversaries in terms of cyberattacks in the world are espionage units. Yeah. And we're talking about China, Russia, North Korea, Iran. Those are the main culprits against the U.S. But you know what? The U.S. is really good at it. So is Israel and Saudi and so many other countries, everybody spying on everybody using cyberattacks. But cybercriminals are hiring intelligence officers from those four threat countries who look the other way as long as they attack the West and they're informing them to make them so good at the cyberattacks. And that's why the majority of cyberattacks now are using traditional espionage techniques like deceit, impersonation, confidence schemes, right? Not a computer attacking a computer, but a person who is highly skilled using their computer, the anonymity of the Internet and traditional espionage to attack you and me, a person, fooling us into handing over our data where there is sometimes not even a line of code to get in. And it is sophisticated. It is nefarious and it is incredibly successful. And when I say it is the third largest economy on Earth,
[00:13:46:14 - 00:14:04:13]
Speaker 8
if you just call the cost of cybercrime about 12 trillion dollars a year and you consider that a GDP of the dark web, that means that it is larger than the GDPs of Germany and Japan put together, who would be the third and fourth largest economies by country on Earth.
[00:14:05:13 - 00:14:34:11]
Speaker 8
Technically, the state of California is the third largest economy. Well, actually fourth, because that would also be under the dark web. But by country, it would go the US, China and then the dark web. And that is very significant and growing in a number of years by its rate of growth, it will surpass 20 trillion dollars, which means as China goes down and the dark web goes up, it could be the second largest economy on Earth. And we have not been able to arrest it.
[00:14:34:11 - 00:14:46:07]
Mallory
Hmm. You were kind of hinting at this just now with your answer with the phrasing around espionage techniques. But there's a core idea in your book that there are no hackers, only spies. Can you clarify what you mean by that?
[00:14:46:07 - 00:16:03:06]
Speaker 8
Certainly. I don't like the idea of using hacker as a pejorative. Why? I was an old hacker in the 80s. Right. And most hackers I know are people who are trying to break security in order to make it stronger. Right. They're working for companies. Most of the old hackers I knew back in the day are now working for cybersecurity companies or started their own cybersecurity companies. And the idea of the hacker, the second you hear that word, you think of a kid in a basement, black hoodie typing away to keys, lone wolf, right, hits one key and says, I'm in like it's magic. And the idea behind there are no hackers, there are only spies. This is to take you out of that mindset, to understand that hacking is nothing more than the necessary evolution of espionage. As we took all that data that used to be in paper and we put it in computer systems, spies had to evolve. And like I said earlier, criminals have evolved by copying spies. So what you see is not some kid in a basement, the hacker, you see very sophisticated large groups of individuals who are collecting and training and recruiting in order to attack a person, a company, a government agency to put the maximum amount of pressure on that individual company or agency to get them to pay.
[00:16:04:06 - 00:16:40:12]
Speaker 8
And they're using those traditional espionage techniques, which is why you see for so many organizations attacks by ransomware at the worst time it could possibly happen, using very unique ways to attack, including AI attacks, which are growing at a huge rate right now because they're using reconnaissance, which is an espionage tactic, learning everything they can about the target, finding the weak point, exploiting the weak point, and then systematically spreading their presence within the network until they have a critical mass of networks and they bring it all down at once, burn it to the ground and say pay us or this all disappears.
[00:16:41:20 - 00:16:59:00]
Mallory
Well, you hinted at AI. And as I told you, Eric, much of our topics on the podcast revolve around artificial intelligence. We try to focus on the upside as much as we can, but of course have to talk about the downside as well. So how have you seen artificial intelligence change the game for cyber criminals?
[00:16:59:00 - 00:19:57:11]
Speaker 8
Certainly. Well, I'm fascinated by AI and I spend a lot of time talking about and with my AI agents through my newsletter. Right. So my readers can learn about it too. It's a big topic in my book as well. And yeah, most of what I talk about in AI is the negative side of AI. I mean, AI is changing the world. It's changing how we learn. It's changing how we access the world. I think that within a year you won't use your typical Google Web browser. You will have your personal AI agent that will do that all for you. It's going to cut down on a lot of the work we need to do. You'll just ask it a question. It'll give you the answer. Now, maybe that reduces the amount of knowledge we have in investigating things. But there's always an upside and a downside. On the other hand, criminals also have AI. They're using it and their AI has no guardrails. They steal it from the major companies. They create their own and those AI will do any depraved thing they ask. Whatever they want. It will build malicious code for them. It will draft the perfect spear phishing email. It will even launch entire campaigns by doing reconnaissance on behalf of the criminal of a company and figuring out the best way to attack. That includes AI that never sleeps and continually scans a network looking for a flaw, vulnerability, an unpatched server, something like that. And then it alerts their little criminal friend because it just wants to be real helpful. Hey, I found a way you can get in. Here are 10 ways that you could do it. Right. AI is making cybercrime much easier and deepfakes are changing the way we trust. In my book, I say that trust is now an uncommon commodity. Trust indeed has become the most important currency. I used to say data is the currency of our life. Now it's trust. Because if we don't have trust and we can't trust what we see or read or hear, which is what AI is doing, deepfakes are doing, then what do we have?
We can't trust anything, any transaction on the Internet. And this is where deepfakes are thriving and growing. I've also said that by the end of this year, it's 2026. The book published at the very end of 2025. So I think my predictions already come true. 90 percent of what we see online will be synthetic, which means that in one way, shape or form, it will be edited, changed or solely created by AI. And we're already seeing problems there with AI slop on every social media company you use. So if you're going through Instagram or TikTok or, you know, Facebook Reels, you're seeing tons of things being made by AI, so much so that ChatGPT just stopped using Sora because I think they were tired of seeing, you know, countless videos of cats waking people up, firing rockets at their neighbor, like chasing dogs. Right. And things like that. It wasn't what they thought people would use AI for, right? But they forgot what people on the Internet want to do. Silly things.
[00:19:58:13 - 00:20:13:22]
Speaker 8
But we're going to see a lot of it. And I think that coming up in our midterm and then our 2028 election, we're going to see immense amount of mischief because it already happened the last cycle. And now the progression from the last cycle to today is extraordinary.
[00:20:14:24 - 00:20:42:02]
Speaker 8
So what do criminals use it primarily for? Creating. Just like we do. They can create content that fools you. They also are using deepfakes in video. So they are using deepfakes that look like someone you know or someone that you report to in the chain of command to tell you to do something that you shouldn't do. They are also using voice. Voice is really easy because they can change voice real time by typing it. A video, it takes a little bit more time. It's more difficult.
[00:20:43:03 - 00:21:04:24]
Speaker 8
But they can use voice to tell you all sorts of things. And you see everything from this CFO calling someone in a company and saying send a wire. I need it done right now. I'm going to wait on the line until you do it to parents getting called by their daughter saying, I've been kidnapped. Help me, help me. And then this new voice comes on that says, I've kidnapped your daughter and we need ten thousand dollars or you'll never see her again.
[00:21:06:00 - 00:21:11:18]
Speaker 8
Creating pressure, creating urgency. That's always the goal. And then stealing your money.
[00:21:13:22 - 00:22:41:04]
Mallory
Now that we're nice and afraid, Eric, we are going to talk about some, you know, some practical solutions or our best attempts at solutions in this episode. But I do want to go back to one thing you said, which is trust is and will become an uncommon commodity. And I think that's especially relevant for our association listeners who have really built their organizations based on this idea of trust, having their members come to them for their education, for their professional credentialing, for in-person events. Anytime they need information about their industry or their professions, the association is who they go to. So I think this is an opportunity for associations to double down on that trust. But it's also a threat because if 90 percent of everything we see is synthetic, right, how do we maintain that trust in the age of A.I.? So I think that's something really interesting that we'll keep exploring on our podcast. But I do want to ask you now that we're nice and scared, I think we've all been fairly aware of the threat of A.I. and cybersecurity, especially in recent years. But our audience many times is going to be, you know, association leaders or leaders at nonprofits. And many of these organizations have small I.T. teams, maybe one, two, three people if they have that. And they're managing some pretty sensitive member data, again, around professional credentialing and things like that. When you look at smaller organizations after everything that we've just discussed, which sounds almost impossible to fight even with A.I., right? What worries you the most? And what do you tell small organizations in terms of how they can bolster themselves?
[00:22:41:04 - 00:24:47:03]
Speaker 8
Right. So small organizations make two huge mistakes time and again. And I'm saying this from experience. I run a company that focuses on SMB and mid-level associations. We decided to focus on the companies that need us the most as opposed to trying to go compete with the big dogs in enterprise and created an A.I. cybersecurity technology that is scaled and cost affordable. Right. Just for those organizations. So here are the two biggest mistakes we see. One, saying it can't happen to me or I'm too small or I'm not important enough. No one wants to attack me. Criminals in particular don't care who you are or how much money you make or what you do. They only care if you're vulnerable. And there is so much cybercrime out there. There is so much of it that it's just a matter of statistics that you will be attacked if you're vulnerable. They're just looking for vulnerability. They love going after charities, associations, NGOs, because they know that statistically they do not have good cybersecurity. And because criminals are lazy and only get paid if they win, they just want to win. You know, so they will go after anyone that they perceive as being an easy target. The other problem that we see with associations and small businesses in general is that they don't have funding and they don't use budgets strategically. Then the best thing that you can do right away, especially if you have an I.T. team that does not have a CISO. Right. And now if you don't have a CISO, a chief information security officer, you do not have someone who understands the complexity and the demands of cybersecurity and how to position a small budget to give you the best impact to protect yourself. So you need to go external and get a vulnerability assessment. They should be cheap.
If someone is charging a lot for a vulnerability assessment, they're not very good business people because usually you use the vulnerability assessment to show the company, here are your weaknesses and we want to make them stronger. And then they hire you to come help with that.
[00:24:48:08 - 00:25:23:03]
Speaker 8
And so you need to do the vulnerability assessment because your team can't do it. That has to be an external. And then what you want to do is rent a CISO, not hire one. And you can get a fractional CISO just like you could get a fractional CFO or a fractional general counsel that happens who comes into the company, understands your complexity from the inside out and then helps you position and build that cybersecurity and support your I.T. team at a very low cost. Those are the number one and two things you can do. The biggest problem we see often with small organizations and associations is they've turned off two-factor authentication.
[00:25:24:04 - 00:25:43:21]
Speaker 8
So one of the number one things you can do to protect yourself is not rely on a password. But for expediency, particularly if you're working in cross jurisdictions or using a lot of VPNs across the office to office from, say, the U.S. to wherever you are in the world, Uganda, Palestine,
[00:25:45:05 - 00:25:45:12]
Speaker 8
Ghana,
[00:25:46:22 - 00:25:47:22]
Speaker 8
West Bank, wherever,
[00:25:49:03 - 00:26:24:20]
Speaker 8
you need to make sure that you haven't turned it off. And when we do these vulnerability assessments, we often see that organizations have turned it off just because people complain that it's too complicated for me. You know, it's slowing me down and the I.T. people want to be helpful. So they shut it down or employees are able to shut it down because they're there. They have access to that, which they shouldn't. So that's the number one thing that any I.T. team can do. Turn that on everywhere. It will protect you from a lot of the low level cyber attacks that are just out there in the ether trying to find a victim.
[00:26:24:20 - 00:26:47:20]
Mallory
Wow. I definitely thought you were going to just give two kind of high level things. One, you think that you're not vulnerable or you think that you're, you know, too small of a fish. I love that you gave a very practical solution there, which is don't turn off 2FA even though it is annoying or frustrating. I feel like that's just a really low hanging fruit. And if that can offer a degree of protection, everybody should go out and make sure that that's turned on right now.
[00:26:47:20 - 00:27:20:23]
Speaker 8
And in your personal life, because and remember, in your personal life, don't just turn it on with your bank accounts, right? Which is obvious. Turn it on with all your email accounts. What attackers will do is try to get into your personal email and then use that against you. Here's an example. The director of the FBI just got his personal Gmail account attacked by Iran to embarrass him. And his pictures from his personal account were published all over the place online. You don't want that to happen to you. Two-factor authentication can help protect you from that happening.
[00:27:20:23 - 00:27:24:06]
Speaker 5
Are you ready to become the AI leader your association needs?
[00:27:25:19 - 00:27:51:21]
Speaker 5
Sidecar's Association Artificial Intelligence Professional Certification, or AAIP, is your fast track to mastering AI skills built specifically for the association world. Whether you're just getting started or you're already experimenting with AI, getting your AAIP will give you the practical tools, real-world examples, and hands-on training to boost productivity, enhance member value, and confidently guide your organization into the future.
[00:27:51:21 - 00:27:56:22]
Speaker 6
And right now, listeners of this podcast get an exclusive discount.
[00:27:58:01 - 00:28:10:15]
Speaker 6
Visit sidecar.ai.ai.p and use code AIPOD50 today for $50 off your year-long pro-level subscription. That's AIPOD50.
[00:28:12:05 - 00:28:17:09]
Speaker 6
Become the AI savvy leader your association deserves with Sidecar's AAIP certification.
[00:28:17:09 - 00:28:43:14]
Mallory
Our mission at Sidecar is to educate one million people in the association community around the world on artificial intelligence. And the good news is you can help. If you're enjoying this podcast, please take on the challenge to share it with one friend or colleague each time you listen. This will help us spread the word and hopefully bring one million association leaders and volunteers into the age of AI.
[00:28:43:14 - 00:28:58:02]
Mallory
You also in your book talk about a framework called PAID: prepare, assess, investigate and decide. Can you walk us through what something like that would look like for a smaller organization?
[00:28:58:02 - 00:29:52:06]
Speaker 8
Certainly. So with the book, what I wanted to do is teach everybody the science of counterintelligence, how to hunt spies. Right. And if you can hunt a spy, you can hunt a cyber criminal and you can hunt a cyber threat. So the beginning of the book, a couple of acronyms, the beginning of the book is called DICE. And it is all the ways that attackers are coming against us. So deception, impersonation, infiltration, confidence schemes, exploitation and destruction. And there are a few chapters for each of those ways that attackers attack. And it kind of reads like if you want to be a cyber criminal, here's how you do it with stories. So you see the attack. It's kind of like think of it in self-defense. I taught martial arts for many years. Someone's throwing a punch at you. You see that punch before it hits you in the face. Right. Seeing it isn't enough, though. You got to know what to do. PAID is how you block the punch. So PAID stands for prepare, assess,
[00:29:53:06 - 00:30:50:07]
Speaker 8
investigate and decide. Really easy to remember because we all want to get paid. And this is counterintelligence, sort of the way that I learned it at FBI Academy in Quantico. And then throughout a career in the FBI hunting spies in national security law and in cybersecurity, I developed this simple methodology. Prepare means you prepare ahead of the attack. You don't wait for the pressure situation when everything's burning around you to start examining your cybersecurity. When everything's chill, you go and get your vulnerability assessment. You see where your big holes are and you patch the most important ones. And then you have a process and a plan to fix the smaller ones into the future when you have budget. If you don't have a big budget, you need to triage that way. Doing nothing means you're going to get hit by a large scale ransomware attack and probably be shutting down. But doing something gives you a good chance to defend, to see the attack and win. So you're preparing ahead of the attack.
[00:30:51:16 - 00:31:18:04]
Speaker 8
But that's not enough, right? There's no easy button for cybersecurity. If someone says install this and you'll be 100 percent safe, they are cheating you and it might actually be bad guys. So you have to assess. Assess is your radar. It's always going. You're always looking. Your team is looking. You're using the tools. You're using the training and you're looking for those things that don't seem right, that are out of place, that are too good to be true. For example,
[00:31:19:05 - 00:33:46:19]
Speaker 8
if it's the holidays, right? And this is when cybercriminals love to insert themselves into social media and you're scrolling through and you've been stopping every once in a while on that perfect gift for your loved one. Right. And then you find it as you're scrolling, an ad for that perfect gift. And there it is. And it's 70 percent off only for the next five hours. Buy it now. Click here and you click through and then you enter your credit card number and all of that information into the Web site that it brings up. You probably have just given all your information to a cybercriminal. They're known for feeding cyberattacks and fake A.I. created advertisements around the holidays. Assessing means it's 70 percent off. This seems too good to be true. So what do I do? The third part of PAID. You investigate. Instead of clicking through the link, you close your app, you go directly to the Web site of the company and you see if that 70 percent off is there. I guarantee it's not going to be there because what you did is you went to a dummy Web site and you clicked on a malicious link and now they own you. So what you want to do is when you're assessing, look for those things that don't feel right. And what I say is develop a cop instinct. By reading the first part of the book, you've developed that instinct. You're going to see all the examples of how this stuff plays out. And then when it happens, you'll feel that tickle in your stomach. That's like stop. Anytime there's urgency in some request, stop and take a breath and start investigating. And if you investigate nine times out of 10, you're going to catch the attack because you took a breath. You didn't let them push you into that urgency. So you're prepared. You're always assessing. You investigate when that red flag goes up. The last thing you have to do is decide, decide to act. The number one thing that can take a small emergency into a major crisis is freezing.
That could be, you know, just walking down the street and someone approaches you and you get scared and you freeze. Right. It's the same thing in cybersecurity. If you do nothing, then the bad guys will win. You have to know what to do and you have to take decisive action. In the beginning, that means like taking a little bit of your budget and examining your cybersecurity. But as things go through, as you feel that sense that something's wrong, you have to act. And that is the only way that you'll make yourself safe from cyber attacks. So prepare, assess, investigate and decide.
[00:33:47:20 - 00:33:49:17]
Mallory
Get paid, everybody. Very important.
[00:33:49:17 - 00:33:50:08]
Speaker 8
Get paid, right.
[00:33:51:13 - 00:34:26:07]
Mallory
Something that we've said on the pod a lot, and that I do agree with, but now as we're speaking, I'm just thinking of a different angle on it, is that the only thing that can fight bad AI is good AI because it's so advanced. And I believe that. However, in this conversation and on the podcast before, we've spoken about how oftentimes the vulnerability is the human. It's the human turning off the 2FA. It's the human not double checking when there's an urgent message coming in or falling for a deepfake or something like that. So how do you balance, Eric, that component, the human with the technology in terms of fighting cyber criminals?
[00:34:26:07 - 00:35:30:19]
Speaker 8
That's right. So it often is the human. And because cybersecurity has gotten so good at identifying attacks that are, that are computer to computer, right. And what we're deploying now with cybersecurity is AI based. Humans just can't do the analytics fast enough. It's too expensive to have a bunch of humans sitting in a security operations center, constantly looking through logs. AI can do that very quickly. So really, at the end of the day, if you want to be a little funny with it, it is AI versus AI. It's literally the movie Tron from the 80s, the good one, you know, with his vision of programs, fighting programs for your data in cyberspace. And if you really want to think of them as fighting with light cycles and and and light discs, go for it. It's cool because that is what's happening. A good AI cybersecurity is fighting bad AI cyber crime. And in the world of AI, you're right, because cyber criminals know that the technology is so good. What they are trying to do is go after people. So in organizations, here's a great attack that happens all the time.
[00:35:32:04 - 00:38:01:22]
Speaker 8
They know that there's a lot of people that are processing invoices all the time from vendors, from partners, in projects, you know, from the government, whatever. And so what they do is they insert themselves in the chain and they'll learn a lot about you. They'll go through social media to see, for example, what big event did they last do? What vendors are liking it or saying, yeah, I was there. This was great. We love supporting the company. And then they will do work to understand the vendor, use AI to create the perfect invoice from that vendor. Right. Which which you're you know, your pay person will recognize. Then they find out who has the authority to pay invoices in the company, usually through social media again. And they will reach out to that person with an invoice that doesn't have that has a link on it, but also says, if you don't recognize this, please call us and a phone number. So now this phone scam attacks are growing. And when your finance person gets the invoice, that looks right. But thinks, I thought we paid this already or do we pay this vendor? I'm not sure. They'll call in a really polite person who's an expert in social engineering or maybe an AI just type, just saying whatever the person types will talk that person into paying it. And that has led to a lot of different either fraud attacks where you've just paid an invoice that as you've lost the money, it's gone. Right. Or there's one case that I talked about in the book where an organization gets a call, you know, calls the vendor and the vendor talks the finance person into downloading an app. And he says, we have to get this new really fast way to pay. You download an app. It's seamless. We, you know, we do a lot of work with you. We'd like you to explore using this in the future. And she downloads it and then thinks, I don't feel comfortable and says, I'm not going to pay this way. I'm just going to send you a check. And he's like, OK, that's fine. 
But the act of downloading it installed a remote access Trojan on their system that allowed the adversary, the criminal, to get in later by himself. And it led to a large scale ransomware attack. So you have to be very careful. Technology will do you will do a lot of it, but you also have to train your people to spot these kind of attacks. And that's why that's why the idea of understanding these kind of attacks and knowing how to respond to them and and and pushing back when you think something's wrong, getting someone else to come in and look right before paying. If you if if it just doesn't seem right.
[00:38:03:00 - 00:38:34:02]
Speaker 8
The executive saying, it's OK if you call me back after we talked just to check if I really sent you that email, I really called you. I really did that Zoom conference with you asking you to pay money to something. You know, so people don't feel like I can't call the CEO, right? Well, you'd rather do that than twenty five million dollars leave the company because they used A.I. to create a video of the CEO asking a finance person on the Zoom and telling him to send a lot of money somewhere. That happens, too.
[00:38:35:09 - 00:38:41:15]
Speaker 8
So absolutely, you need to you need to invest in a little bit in that time and in training and technology in order to prevent these attacks.
[00:38:41:15 - 00:39:40:17]
Mallory
And that is really something we get at in every episode of this podcast. We, you know, we're big advocates of A.I. education for association professionals. But I think the same goes for really anything that we don't have a full understanding or grasp of. I think cybersecurity is a key topic to have education on for your staff. Everybody listening. Something that my co-host, Amith, has talked about on this Sidecar Sync podcast before is the idea of almost going analog to fight some of these attacks. So something that he's mentioned that is done with the leadership team is at in-person quarterly meetings, whenever that may be, coming up with some sort of passphrase word that changes every so often that's not stored on a computer, that's not ever written anywhere digitally. And that if there is any sort of request to transfer money or pay an invoice, that that passphrase can be used. What do you think about that? And do you have any similar ideas with ways that us humans can fight good old A.I.?
[00:39:40:17 - 00:40:46:02]
Speaker 8
That is a great idea. In my book, I call it a sign of life because that's what we called it when I was doing counterterrorism, the idea that before I would deploy undercover, I would leave an envelope with a specific word phrase in it. Right. So if I was ever kidnapped by a terrorist group and they were trying to ransom me back, they would open the envelope. The envelope would be sealed. No one would know it. And unless I was able to give the code phrase, they would know there was no sign of life. I was I was gone and they were just trying to ransom my body. So the idea isn't as extreme in cybersecurity, but that sign of life can be incredibly helpful. Let's go back to that example I gave of the family who gets called by their daughter. Right. I know it sounds crazy, but in my family, we have a sign of life. It's it's a silly poem. It's the first line. No, I'm not going to tell everybody, but it's you know, all the kids know. My wife knows. I know. Right. That if if this happens, you're going to work it into the conversation. Right. You know, mom, I've been kidnapped and quickly that line of the poem. OK, I know it's real and not a deep fake.
[00:40:47:06 - 00:41:16:18]
Speaker 8
If you don't have that, you can always do something that's on ad hoc, on the fly, improv. Right. If you're if you're hearing from the CEO and he's telling you to do something, you know, by your training, you're not supposed to do like send a wire because this project has to get funded and it doesn't happen in the next hour. We're going to lose the opportunity. So I'm going to stay right here and wait. Right. And either a stick, pay video or a call. You can say, sure. But remember last week when we had coffee. Where did we have coffee?
[00:41:17:22 - 00:41:24:07]
Speaker 8
Right. Something like that on the fly really quick. The A.I. is not going to be the A.I. criminal is not going to be able to answer that.
[00:41:25:21 - 00:41:27:06]
Speaker 8
When you're on screen,
[00:41:28:15 - 00:41:41:06]
Speaker 8
you can say here's you can say you can do the professional version of an A.I. test or you can do the funny version, you know, depending on your crowd. The professional version is ask the A.I. ask everybody on screen to pick up a pen.
[00:41:42:12 - 00:41:47:04]
Speaker 8
Right. I mean, if they preprogrammed the video, it can't do that. Right.
[00:41:48:05 - 00:43:32:01]
Speaker 8
I've seen somebody say put three fingers in front of your face. Right. Or the funny thing like everybody go like this. Right. And A.I. doesn't do that yet. Now I know the bad guys have probably read my book and maybe this is going to happen. But you know, there are tests that you can do and and to make sure now associations. Here's something cool that associations are particularly able to do. Bring people together. They really are great at bringing people together. And when people are physically together in a room, this is why I love keynotes at big conferences. I always say the fact that you are all together in a room means you know that nobody here is a deepfake, that everybody is a real person, that you are working and collaborating with real people. This is important, especially for companies, because, for example, we just learned that Amazon had dozens of people, fake employees, seeded into the company by North Korea who created entire A.I. resumes and profiles, making it look like they were the perfect applicant and then used servers that they rented in U.S. states to submit the applications from so that the IP tracking showed that it came from Arizona, it came from wherever and then got hired. And and they got hired as robber barons. They were making a salary, which was filling the coffers up over in North Korea, but they were also stealing intellectual property and and all the work product they were doing because none of them knew how to do any of this stuff was all being done by A.I. So you really want to be careful in your hiring, especially in the world of remote work, to make sure that the person you're hiring actually is a real person and not an A.I. bot that's being puppeted by a cybercriminal.
[00:43:32:01 - 00:43:47:00]
Mallory
Hmm. Aside from 2FA, is there anything that a listener to this podcast could do in the next week, maybe in the next couple of months that you think would really strengthen their security against cybercriminals?
[00:43:48:02 - 00:44:00:16]
Speaker 8
Certainly. So 2FA is one of the most important things you can do and make sure you have it turned on everywhere. The other thing that you do want to do is you want to invest in your on your computer in some sort of A.I. security software. Right.
[00:44:01:18 - 00:45:08:19]
Speaker 8
So you don't want to just trust Windows Defender is going to catch everything. If you have a Mac and I'm in the Mac ecosystem, you I still have cybersecurity, even though you know the Mac and we're completely safe. It's not. There are actually there's malware designed for every operating system out there. So you want to invest in some sort of cybersecurity. And the next thing that you need to do, we all need to do, and it's real unfortunate, is we have to have identity theft monitoring. Now, most of us get it for free because some organization who we entrusted our data to, our identities, our user our user names, passwords, social security numbers, birth dates, addresses, has lost it and it's for sale in the dark web. And because that's happened, usually what courts say is you have to give all those people whose identities you've lost two years of identity theft monitoring. And there are many companies out there that do it. If you don't have one of those, then you should go out and buy it. It's very important because that gives you the early warning system that your social security number, your birth date, your name, your address is being used by someone to open up a credit card, take out a mortgage, get a car loan.
[00:45:09:19 - 00:45:17:18]
Speaker 8
And if you're not if you're not looking, then those organizations, those financial institutions are going to come after you personally, not the cyber criminal.
[00:45:18:18 - 00:45:45:04]
Speaker 8
And you could be on the hook for that. So you need to see it quickly so you can immediately reach out and say, I didn't I didn't submit this loan application. This is fraud and get it taken care of. You don't know that unless you get an early warning. Now you can if you want to do the cheap version of this, every year you can request your credit history from a credit report from the three big credit companies out there. Equifax, TransUnion and the third one I'm forgetting.
[00:45:45:04 - 00:45:45:18]
Mallory
Experian.
[00:45:45:18 - 00:45:47:08]
Speaker 8
Yeah, Experian. Exactly.
[00:45:48:08 - 00:46:36:17]
Speaker 8
And you could space that over you get one one, you know, divide the year by three and get one three times a year from one from each of them. And and you can review and see if anything's popped up. But I think that that credit monitoring, that identity monitoring is really crucial right now. I you know, I've invested in it. My my family has invested in it. And that gives you that early warning, especially if you're kids, kids have remember kids have pristine credit. They're a big target for cyber criminals. If they can learn your children's, your, like, three-year-old's Social Security number and they know that parents aren't sitting there checking the credit history for their kids. Your child might turn 18 and wants to get his first credit card or take out his first loan for a car or something and find out that he is a million dollars in debt.
[00:46:36:17 - 00:47:00:06]
Mallory
I feel like the cybersecurity landscape that we're currently seeing is something that would have even been hard to dream up five years ago in terms of what kinds of threats we're seeing at every different angle. What do you think the cybersecurity landscape will look like in maybe two to three years? What do you think? Or maybe that's too far in the age of A.I. But in the future in the near future, what do you think we need to keep an eye on?
[00:47:01:07 - 00:49:25:16]
Speaker 8
Well, I'm also a futurist. So my job is to look down the road at what's going to happen. And here's here's something really interesting, fascinating and a little bit scary that is on the horizon. It's peeking over the horizon. Quantum computing. So quantum computers, which anybody who tells you what it's going to do to change society, is just guessing. It is going to be such an enormous change in the speed and processing power of computers. It is going to make our current fastest computers on Earth look like that Casio digital calculator watch you had in the 80s. That's how much of a difference it's going to be. And Google just predicted that we're going to we're going to reach our first scaled quantum computer by 2029. I mean, that's right around the corner. So this is going to do a number of things. It is going to change how fast and efficient A.I. is. A.I. is going to go from all the cool things it can do now to unbelievable things that we can't even predict right now. Now, on the good side of the ledger, that means that A.I. Quantum quantum computer A.I. is going to solve medical problems that have confounded us forever. It's going to extend our life. It's going to create financial booms across the Earth. It's going to solve problems in energy like solar efficiency and and how to use fusion reactors and efficiency. So it's going to make a big positive change. It's also going to change espionage. As soon as the first quantum computer comes online, every single bit of data that's been stolen over decades that's using our current encryption standards or military and RSA encryption standards is gone. It's open and full in the clear. So all the government agencies and all the businesses who were the victims of what we call store now decrypt later attacks where countries like China have really invested in this.
They steal massive amounts of data from companies knowing that as soon as they get their quantum computer online, they can crack that encryption in a millisecond and open it all up and steal all that tech. That's going to happen. So whoever gets that quantum computer first wins the espionage war. And that's kind of scary, too, because right now, quantum encryption security is somewhat theoretical until the first quantum computer is out. We don't really know if it's going to work.
[00:49:26:16 - 00:49:41:05]
Speaker 8
So right now, it's Europe and the US versus China and Russia racing in the biggest arms race on Earth right now to see who can get this scaled quantum computer first. And I'm hoping it's us.
[00:49:41:05 - 00:50:05:17]
Mallory
I'm hoping it's us, too. That was fascinating. We've had maybe a few episodes on quantum computing. I definitely think it's something we'll have many more episodes on in the coming years. But thank you for sharing that. So, Eric, this episode has been so interesting to listen to. I know our listeners are going to have walked away with some practical solutions, interesting stories, a good movie to watch. Where can people keep up with you, find you? Give us all the links and we'll drop those in the show notes.
[00:50:05:17 - 00:51:22:23]
Speaker 8
Certainly. So the best place to start is my website. It's www.ericoneill.net. I think I just bought .com too from someone who's been holding out for years. So they both go the same way. But ericoneill.net. And if you click the top banner on my website, the banner says start here with silly little fire emojis next to it because they're cool. Then it'll take you to a place where you can drop your email address and subscribe to my newsletter. It also gives you some goodies if you do it. And the newsletter only comes out once a week. I don't use your data for anything. I don't sell it. I don't, you know, I keep it secure. Use any email you want. It doesn't have to be your business email. You can be your phone email. And that newsletter, the once a week newsletter on Tuesday, talks about all the things we've talked about here, Mallory, everything in the world of spies, lies, and cybercrime. And I do it through storytelling. And what it does is it allows me to extend my book Spies, Lies, and Cybercrime into the future because, you know, editors, they made me stop writing at one point and they published it. And it's locked. But the newsletter allows me to continue. It's also where you can ask me questions, join the community. And it's a very large community of people who are really interested in making the world safe from cyberattacks, learning from each other and
[00:51:22:23 - 00:51:28:01]
(Music Playing)
[00:51:38:19 - 00:51:55:18]
Mallory
Thanks for tuning into the Sidecar Sync podcast. If you want to dive deeper into anything mentioned in this episode, please check out the links in our show notes. And if you're looking for more in-depth AI education for you, your entire team, or your members, head to sidecar.ai.
[00:51:55:18 - 00:51:58:24]
(Music Playing)