The Spy You Can See: Protecting Yourself in Today’s Rapidly Evolving Digital Landscape

By Carmela Wright. Published in Book Bites, Aug 19, 2021.

The following is adapted from Cyber War…and Peace by Nick Shevelyov.

I was five years old when my parents told me that our apartment had been bugged.

The United States wasn’t a particularly friendly place for Russians when I was born in the 1970s. My parents, both of Russian descent, were born in China, immigrated to the US, met, married, moved to the Pacific Northwest, and eventually gave birth to me. Despite the somewhat hostile environment — or perhaps because of it — they decided they wanted to move back to Russia. There, they hoped to contribute to raising awareness about what life was like in the West in hopes of eroding some of the “iron curtain” that had been drawn up between the East and the West. They also wanted to immerse themselves and their child in the culture of their origin.

My father took a job with the US State Department and we moved to an apartment in Moscow. Although I was only a child, it was quickly clear to me how much our lives had changed. The infrastructure of the Soviet Union was so very different. The architecture was bleak, and the monuments were massive. To this day, I still remember driving from Sheremetyevo Airport in Moscow to our new apartment and being awestruck by the size of the World War II monuments we passed along the way.

Not long after we took up residence in our new apartment, my father learned that our family was being observed by the KGB because they believed us to be spies. After all, we were from America, moving to the Soviet Union at the height of the Cold War, and my father was a retired Marine who worked for the US State Department. Part of this observation meant that we were assigned someone we believed to be a “family friend,” a person we met who would join us on excursions to the park, grocery store, and the like. Decades later, we would discover that our family friend was forced by the KGB to report on our movements and develop a dossier about all the things that were said in conversation during the time we spent together. In addition, our apartment had been bugged. My father discovered this fact relatively quickly, though I can’t be sure just how he figured it out.

Despite my young age, I remember being very aware of the threat to our security — the idea that at any time the KGB could come and take any one of us away, and that we were constantly being listened to. It created a sort of internal alarm within my family, and we developed new habits as a result. If any of us had something important to say, we would give a hand signal to go into the bathroom, where we would run the faucet as we spoke. The faucet served as white noise to prevent the bugs from picking up any sensitive conversations.

While in the Soviet Union, my father published a book titled Information Moscow about the upcoming Olympics, with the goal of attracting Westerners to Russia. In writing this, it was necessary for him to create and utilize an accurate map of Moscow — something the Soviets were none too keen on. One day, not long after publication, a black Lada — the government-issued cars then — arrived at our apartment, and agents took my father away. He was drugged and interrogated about his intentions and who he was working for.

It was then that we all realized the true gravity and absolute precariousness of our situation. We packed up and moved back to the States not long after. We have remained here ever since.

To say that those events in my childhood left an impression on me is an understatement. I saw at a very early age that, at any point in time, someone you love can be taken away from you — that the very sense of your own security and privacy can be fractured and invaded. The experience has, without a doubt, fueled my drive to join the field of technology and contributed to my philosophical view of risk management today.

It also lent to my appetite as a young man for technology and the democratization of data and information. I became fascinated with the idea that we could share information around the world, and that sense of wonder led me to pursue a career in technology.

But in the back of my mind, I also thought about the ways in which information could be misused — used against you, used to do harm — and it steered me toward not just technology, but technology risk management. Or, as we referred to it in the 1990s, IT security. I started off in network engineering and system administration, but I found myself more drawn to the protection, rather than the creation, of those assets.

By the late nineties, my career was focused on information security — breaking into networks (also known as “white hat” operations), hardening them, and protecting the information contained within. I eventually ended up with a security consulting firm that did work for clients, breaking into hardened networks. Eventually, I landed at Deloitte, where I worked for a partner who was also an attorney and who focused on data privacy.

It was my work with him that taught me an important differentiation: Security professionals care about what information you have; they tend to overlook privacy nuances. Privacy professionals, on the other hand, care about how you use that information.

It’s that interplay — that balance of identifying information, protecting it, and figuring out how to use it in an enlightened manner — that has laid the foundation and served as the core of my career.

SPIES LIKE US

The irony is not lost on me — nor should it be on you — that today, no one has to bug our homes. The espionage and monitoring game has evolved to a point where it is no longer necessary to have resources assigned to spy on us.

We’re spying on ourselves.

We bring into our homes voice-activated devices that we think preserve our privacy. We bring in video surveillance cameras that can be hacked, to the point where the actions within our home can be observed. We update our own dossiers every time we log into social media accounts or check in at a location on an app.

We consider this the new age of information, but studies suggest it is also an age of disinformation, given that falsified information may spread up to six times faster than fact-based news reporting.

Today, surveillance capitalism information exchanges trade in human behavior futures at scale, managed by systems with little human intervention to build models and predict and further influence your behavior.

The reality is that the world is changing more rapidly now than at any point in our history, and that rate of change is continuing to accelerate.

We see and feel it every day with the introduction of each new technology service or device that we feel will empower us to do things faster, easier, and more efficiently than the way we did it the month before.

The problem is that we don’t spend a lot of — if any — time thinking about how these things introduce risk. Remember, the very technology that empowers us can also imperil us. As such, we bring these devices and technologies into our homes and our organizations without considering how we’re letting in the Trojan horse.

This happens in business on a regular basis.

Malicious software known as Trojan horses does this every single day, and it can wreak vast amounts of damage on organizations. Some take the form of a program that sits sleeping on your laptop until you visit your online banking site. At that time, it wakes up and grabs your username and password with a keylogger. Others sit on your corporate network, stealing your most sensitive intellectual property.

The very strategies the Greeks used three thousand years ago to conquer the Trojans are being used today to conquer the business that you are in charge of running.

In turn, you must use those very same strategies — along with those utilized at various inflection points in our world history — to protect your businesses.

To learn how to apply timeless techniques to your company’s cybersecurity, Cyber War… and Peace can be found on Amazon.

Nick Shevelyov is a specialist in cybersecurity, information technology, data privacy, and risk management with experience in multiple industries — from an engineering to executive and board advisory level. See his LinkedIn profile for career history.

A guest speaker at a variety of industry events, Nick has an undergraduate degree in economics, an executive MBA, and CISSP, CIPP, and CISM industry certifications.
