Speaking With Analyst and Fantasy Author Myke Cole

September 11, 2017 • Amanda McKeon

Our guest today is Myke Cole. He’s a cyber threat intelligence analyst with a large metropolitan police department, and a member of the United States Coast Guard Reserve, supporting maritime search and rescue and law enforcement around New York City. He is also an award-winning, best-selling author of fantasy fiction, perhaps best known for his “Shadow Ops” series of novels, combining military action with magic and sorcery. And if that weren’t enough, he’s also featured in the CBS reality TV series, “Hunted,” where he’s one of an elite team of fugitive hunters.

Mr. Cole shares his unlikely path to cybersecurity, how his ability to conjure convincing characters in his fantasy novels transfers to understanding the minds of cyber adversaries, and the importance of creativity and taking risks.

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, I’m Dave Bittner from the CyberWire. Thanks for joining us for episode 23 of the Recorded Future podcast. Our guest today is Myke Cole. He’s a cyber threat intelligence analyst with a large metropolitan police department, and a member of the United States Coast Guard Reserve supporting maritime search and rescue and law enforcement around New York City. He’s also an award-winning, best-selling author of fantasy fiction, perhaps best known for his “Shadow Ops” series of novels, combining military action with magic and sorcery. And, if that weren’t enough, he’s also featured in the new CBS reality TV series “Hunted,” where he’s one of an elite team of fugitive hunters.

A quick program note: There is some salty language in this episode, so consider yourself warned. Stay with us.

Myke Cole:

You know, it’s funny. I come to IT and to cyber by a really strange route. I have a master’s degree in museum studies, and I was raised to be an academic and an aesthete. My mom actually raised me to believe that I’m bad at math. And, unfortunately, kids believe what their parents tell them, right? It wasn’t until I wanted to get married that I decided I needed to make money, and this was in the IT boom when Clinton was calling for people to go into the field. And if you had a heartbeat and a brain, you got a job. So, I taught myself HTML 4.0 out of a book, and then, lied on my resume. A friend of mine ran a law firm and I asked, “Can I say I designed your website?” I hadn’t designed his website, but of course, I had the skills to.

And from that, I leveraged myself onto a help desk at the Pentagon. And the effort here was not because I loved IT, it was because I wanted to make money. And the irony of all this is, based on lying on my resume for that first position, I actually got a secret clearance and got myself into the Pentagon. But, hey, at the risk of sounding egotistical, I’m good at stuff —

Dave Bittner:

Yeah.

Myke Cole:

… and by the time the smoke cleared I was the head of electronic messaging at the Department of Education. And then 9/11 hit. And I don’t know if you remember, but everybody wanted to get into the fight. Everybody. You could do it one of two ways. You could try to go through the federal government hiring process, which is horrendously broken and it takes one to two years, sometimes longer, to get hired. Or, briefly, because of the panic after the towers came down, the country kind of went crazy and started letting people — private contractors, really — let’s use the correct term, mercenaries. These are private armies, they do all kinds of jobs they shouldn’t be doing, including war fighting and spying. And so, I got cleared to start leveraging my IT skills to help design operating systems and make adjustments to operating systems. But then, I realized once I was inside the intelligence community, all anybody cares about is the clearance. They don’t care what you can do.

I thought, well, why would I be a computer guy when I could be a spy? So, I took a $27,000-a-year pay cut to move sideways from IT into operations. I went through private boot camp and retrained myself as a targeting officer and interrogator, went downrange to Iraq, learned all that fun stuff. Later on, I think, since I had a boots-on-the-ground, counter-terrorism background and I had the IT skills, the logical nexus of the two was working in cyber intelligence, especially as that field was evolving. And then I felt bad about the fact that I was a mercenary. I felt bad about the fact that I was essentially war profiteering, so I wanted to go federal. So, I did two things. One is, I joined the military. I did it backwards, right? Most people get out of the military and then go into IT contracting. I went backwards.

Dave Bittner:

Right.

Myke Cole:

I’m one of the few people in this field whose salary has steadily declined over time. I ended up working in CTA 5, which is the cyber threat analysis center at the Defense Intelligence Agency, now, as a federal employee. So, that was that trajectory. At the same time, I never left my nerd roots. I grew up, I think like a lot of IT people, playing Dungeons and Dragons, reading comic books, being unable to get a date no matter how hard I tried, and reading fantasy novels. It isn’t only until the last two years that IT has become cool enough that the jocks are getting into it. And I never gave up that dream of being a writer. Never. It was always what I wanted to do, because it was what I grew up on. And, the funny thing is, at the time I was running a major program at The Office of Naval Intelligence, and I just soured on the intelligence mission because, look, I’m not an idiot and I understand that intelligence is a critical part of how countries function.

But, it’s a dirty business and the reality of it is that, at its core, the mission of an intelligence service is to break the laws of other countries and steal their stuff. I didn’t want to be that guy and I was really souring on it. Plus, I think, running counterterrorism missions, and particularly being an interrogator, custodial debriefer, really broke my spine in that regard. Being in a prison environment, seeing what we were doing really made it tough for me ethically to continue in the field, and I was looking for a way out. I told my best friend, Peter V. Brett — who is a pretty famous fantasy novelist, if you’re into fantasy you probably know who he is — I told him, “Look, man, if I ever get a book deal, I’m gonna sell everything and quit everything and I’m gonna move to New York City, and money doesn’t matter and I’m gonna live in a crappy apartment and be a writer.”

I said that, of course, thinking that would never happen, because here I was being groomed for the senior executive service and a corner office at ONI. And, of course, then, the book deal did happen. And I called Pete, and Pete’s like, “All right Myke. You said you were gonna sell everything and move to New York.”

Dave Bittner:

At this point, do you have a family? Are you unattached still, or?

Myke Cole:

No, I told you I could never get a date. And I said, “Yeah, I know I said that, but this is really scary.” And he goes, “Dude, you gotta put your money where your mouth is.” So, I sold everything, I quit everything. I moved to New York City and I wrote full-time for two years. Then, I discovered that I could make a living, but it wasn’t a good one. And it’s one thing to, I think in your youth, go from being a poor college kid to transitioning to an artist. It’s another thing to go from being a GS-14 and having all of those comforts, that security, that kind of financial background it gives you, and then be a full-time writer living in a beat-up apartment in Brooklyn, getting jumped on the street because you live in a bad neighborhood. It was pretty stressful. So, I thought, all right, well, I need to go back to work. And amazingly enough — I thought two years out of the workforce, forget it — but my background appealed and I was very, very fortunate that the police picked me up.

And now, I’m part of a defensive unit, which is probably the only police department in the world that is large enough to have this kind of specialization. All we do is defend the department. If you rob a bank with a computer, we don’t care. We’re only gonna get involved if you attack the department itself. And then … so my life is now stabilized, and I think, all right, this is what’s gonna happen. I’m gonna do cyber threat intel during the day, I’m gonna write at night. This is great. And I get a call out of nowhere from CBS asking me if I want to be on a TV show. So, this is the thing … I didn’t realize this, that they were doing a TV show called “Hunted,” which is a reality show where people hunt fugitives and fugitives try to get away, and if they can for 28 days, they get a quarter of a million dollars.

And in the man-hunting world, there’s really two fields. There’s fugitive recovery, which is law enforcement — you know, guys skip out on their warrants or whatever and you go get ’em and you bring them to justice. And then there’s counterterrorism targeting, which uses almost all the same easy pieces, tactics, techniques, and procedures. But, the ugly reality of it is, usually we’re not bringing them to justice. We’re killing them. We may try to bring them in for interrogation, but generally, you’re pushing a button on somebody. The man-hunting aspect of it is pretty equivalent. I guess, when they made the show they decided that they were going to go out and find sort of 50% fugitive recovery people and 50% counterterrorism targeters. And I guess they started asking around in D.C. for who the people with the reputations are to do that work, and my name came up, completely unbeknownst to me. So, I literally got a call out of nowhere asking me if I wanted to be on a TV show. Can I curse on this show?

Dave Bittner:

Ummmm, sure.

Myke Cole:

So, my first words when I’m on the phone with the CBS producer, you know, “You want to be on a TV show?” were like, “Fuck you.” I completely did not believe that it was real. And of course, by the time I got a plane ticket and they’re flying me out to L.A. to meet the president of CBS I was like, “Oh my god.” So, I literally fell backwards into being on TV. And right now … so now, I have this bizarre triple life where cyber threat intel is a huge piece of my life. I love it, it’s a fascinating part of the field, it’s a fascinating part of law enforcement. It’s intelligence. It’s never been more important than it is now, and you can’t help but look at the news and see. And at the same time, I’m writing, spare seconds, and then at the same time, “Hunted” is wrapped and I’m auditioning for other TV roles which may be coming up in the future.

Dave Bittner:

How do you balance your time between the three? How do you set priorities?

Myke Cole:

This is the thing: I don’t. You asked me before if I had anybody, and the answer is no. Part of the reasoning for that is my life is wildly out of balance. I work from the moment my eyes open in the morning to the moment they close at night. I have no hobbies that do not connect directly to these three pursuits. I think I’m very fortunate in that, and I understand that a lot of people might hear that and go, “Oh my god. That sounds like hell.” But, it isn’t, because the three things that I’m doing are really fascinating and awesome. I don’t know if I like these platitudes, like, “You have to live a life of balance” and “You have to take downtime.” Where does it say that in the manual? I don’t know that that’s necessarily true. I think that life is made up. I think that nothing is inevitable. I think we get to define what it is for ourselves, and I am very, very fortunate to have these really extraordinary avenues in my life, and I’m not prepared to give up on any of them.

Dave Bittner:

Tell me about the analyst side of your life. What’s your day-to-day like when you’re attacking that part of your life?

Myke Cole:

I think that cyber threat intelligence is a weird and multi-varied discipline. On the one hand, there is a kinetic, what I call a kinetic aspect to it, just the straight up intelligence portion of it. People have to understand who the threat actors are, they have to understand where conversations are being held, they have to understand what the community of malevolent actors is, what communities there are. And all of this is nontechnical. What it involves is almost like running a beat. You have to spend a lot of time, frankly, reading and researching, and being in the field. You have to understand what colloquialisms and lingos are being used, you have to understand what forums people are hanging out on, you have to understand what is motivating threat actors to do what they do. And in order to understand those things, there’s no way around it, you have to be hip deep in it. That’s absolutely critical.

But, and I say this all the time, cyber is computers. It is nothing else. It is computers. And the moment a cyber threat intelligence analyst starts prioritizing the intelligence aspect of it above the technology, they’re wrong and they’re gonna suck. This is one of the biggest problems in the field right now, is that people emphasize the word intelligence and forget the word cyber. So, a huge amount of your time has got to be spent keeping up your chops in terms of technology. You need to know Cisco IOS. You need to understand Windows Active Directory. You need to understand how traffic is flowing intimately through the OSI model. You need to be sniffing traffic and looking at, and safely decrypting packets and being able to interpret that information. If your eyes aren’t bleeding because you’re reviewing log files, you’re doing it wrong. So, it’s labor intensive, but it becomes less so as long as you’re constantly maintaining that stuff.

So, I’m very fortunate in my job that I have a cool blend of investigative work which satisfies both of those aspects, and the need to produce intelligence products which satisfies that sort of kinetic piece of it. But also, operational work, and an operational component, a technical component to my investigations, which feeds my tech job. So, it’s really important, I think. I’m fortunate in this position, and I would encourage other cyber threat intel analysts in different positions to make sure that they’re hitting both sides of that coin.

Dave Bittner:

What about the role of automation in technology? Particularly, artificial intelligence and machine learning, which are certainly buzzwords these days, but also, useful technology. It seems to me like they can help take some of the load away from that purely technical side and free up the humans to do that work that requires, for lack of a better word, intuition? Do you agree with that?

Myke Cole:

I do, very strongly. And in fact, I think that anyone in IT is in the business of putting themselves out of a job, and should be if they’re doing it responsibly and well. Anytime anyone who has a fear of automation … amazingly enough, you see a lot of those people in IT, especially in IT services and support, the operations people, help desk people. But, that’s the wrong attitude. Because the reality of it is, at least for the foreseeable future, this kind of high-tech stuff will require human interface to do well. Or simply, you’ll put yourself out of one job and retrain for another because there’s enough of a broad base in technology skills. For example, if you understand theoretically how the OSI model works, if you understand theoretically how data flows, you’re going to be able to pivot from proprietary technology to proprietary technology no matter what becomes obsolete. So, being afraid of automation is, in my opinion, never really acceptable in IT personnel. And the reality of it is, a lot of people will say that big data is bullshit.

The noted futurist, Cory Doctorow — I really encourage your listeners out there to be reading his articles. He’s also, by the way, a science fiction writer and a major heavy hitter in the field. He’s noted for saying that big data is bullshit. But he’s wrong. And I’m saying this about one of my heroes. Big data is not bullshit. Big data is absolutely a way we’re getting things done. And as big data increases, you need automation to crunch that and make meaning fall out of it that humans can then interpret. I don’t know if folks are familiar with STIX/TAXII. STIX/TAXII is a sort of universal protocol used to categorize cyber threats, that I think was invented by the MITRE Corporation, and is currently being pushed by multiple branches of government. It’s a great idea because it allows us to share cyber threats across multiple verticals … stuff that’s happening with IP addresses, but also stuff that’s happening with specific individuals or specific threat groups, and it’s a way to sort of categorize all that information and get it fed out to various feeds on an automated basis.

Well, once you have that, that’s big data, man. That’s a lot of information. And there is no way a security operation center with 20 personnel or less, as many organizations have, can hand-jam all that information. That information has to be ingested into devices so those devices can make smart decisions about what to block, what to allow, what to warn on. And it has to be happening in real time. And there’s no way — a thousand humans couldn’t do that. It must be automated. But it also must be curated and analyzed. And in all cases, automation is going to make mistakes. There is no such thing as perfect automation, and you need that human oversight and that human analysis, both to interact when false positives occur, and to intervene and take action on more sophisticated and complex scenarios where automated logic is insufficient.

A perfect example of that is in law enforcement investigations. You can’t have a computer making a decision about how to preserve a chain of evidence because a computer can’t go to court and testify.

Dave Bittner:

It strikes me that you are an award-winning and best-selling author, and in order to write compelling characters, you have to be able to put yourself in the mindset of the characters that you’re writing. I wonder how that informs your abilities as an analyst, to be able to put yourself in the mindset of your adversaries.

Myke Cole:

I’m really glad you asked that question because it’s something I think that — it’s an issue, actually, I kind of campaign on, especially in law enforcement and intelligence in the military, and it applies to cyber. Look, cyber is an incredibly analytical field, right? We are attempting to interpret and understand machines and think like machines all the time. And that necessarily takes you out of a human mindset. Then, you marry that to the law enforcement and the intelligence field, you know, what we call the people who are our adversaries in every police department, and almost every intelligence agency — we call them bad guys. And that’s an incredibly judgmental position to take. It’s necessary, because you can’t be worrying about your adversary’s relationship with their mother if you’re going to have to do the hard work of prosecuting them, or if you’re in kinetic law enforcement, literally putting cuffs on them and dragging them off. So, I’m not saying that kind of snap judgment isn’t necessary. But, it is a roadblock and it does hold you back, because behind those computers are people and people have human motivations.

Let me give you a corollary in fantasy fiction. One that maybe a lot of your listeners will be familiar with is George R. R. Martin’s famous series “A Song of Ice and Fire,” which has been re-interpreted by HBO into the hit television show “Game of Thrones,” which I’m sure pretty much everybody listening to this podcast has seen. If they haven’t, they’re living under a rock, I guess. So, George R. R. Martin is famous for evoking. George R. R. Martin, if you meet him, is an older, overweight white guy, grew up in Bayonne, New Jersey. I think we can all safely say that he’s not a dwarf, like Tyrion Lannister, and that he’s not a haughty noble queen like Cersei Lannister, right? And yet, he evokes these characters so convincingly that they resonate so realistically with an audience. It’s amazing. It’s like he knows them.

And when people try to dissect how is it that he is able to do that so well as a writer, my answer is, he is empathetic. He is able to step outside his own preconceived notions and judgments of the world and into the shoes of someone who’s utterly unlike them in a sympathetic manner, and that enables him to understand their goals. Now, think about that. Obviously, that has utility in fiction because it enables us to make realistic characters. But, it also has utility in law enforcement and intelligence, because when you can step into the mindset of an adversary and understand their goals intimately, you’ll be able to move one step ahead of them. If you understand that the motivation of a hacker is to do something for the “lulz” or to do something because they’re ideologically sympathetic to ISIS, but not the same as ISIS, that’s a very, very different set of actions.

This is one of the things that always frustrated the heck out of me when I was working CT. I can’t remember the name of the head of FBI CT who famously said to Congress that he looked for leadership skills — whatever that means — in his counter-terrorism agents, because a bombing was a bombing, a murder was a murder. He didn’t think anybody needed to know Arabic or anything about Islam. And I wanted to choke the guy because that’s exactly the opposite of what’s correct, right? The bad guys that we’re judging, they have motivations, and those motivations can serve as predictors for their actions. If you marry a real knowledge of the technology that they’re using, and an understanding of what’s making them tick, and an empathetic and a sympathetic — I say, yes, a sympathetic — understanding of what makes them tick.

I’m not saying you should betray your organization and assist a bad guy. What I’m saying is, you should be able to understand what makes them tick because it will help you stay one step ahead of them. One of the watchwords in fiction, one of the aphorisms you’ll always hear us saying, is that everyone is the hero of their own story.

Dave Bittner:

Just give me an overview — what is the place of threat intelligence from your point of view? How do you dial it in? How do you choose what you want to use, what you want to ignore, and then how do you use that along the spectrum of tools that you use in your day-to-day work?

Myke Cole:

I think that threat intelligence … and this is where you talked before about the risks of automation versus human interaction, right? Threat intelligence, especially cyber threat intelligence, exists across this broad range of verticals, right? It can be anywhere. All of these verticals have different intelligence needs and different threats and concerns. I, defending a police department, have different intelligence requirements than, say, computer crimes, which is focused on fighting computer crime that doesn’t necessarily threaten a police department. A bank would have different requirements. Power utility, government organization, Recorded Future itself — who I’m sure has a security operation center — has to defend itself. And here’s where the human role comes in. We have to be able to know what the intelligence requirements of our organization are, have those requirements be driven by the operational commanders and policymakers in our organization, people in the C-suite, and then interpret that into real technical requirements that we can leverage tools like Recorded Future to produce the technical factors, the technical indicators we can use to defend our networks.

Examples include taking all the IP addresses in your organization and building those as use cases in Recorded Future so that if it pops up on Zone-H — well, I guess it’s not Zone-H anymore — pops up on some dark web forum, you’re going to be alerted. But, that’s something that has to be tailored to your organization and it’s something that you need a human to do. But, notice that I’m mentioning specific technical factors here. In cyber threat intelligence, the focus has to be on the technical. Cyber is computers, and more often than not, when you’re dealing with information assurance of computer network defense, who did it doesn’t really matter. What matters is the technical indicators of compromise that can be leveraged to proactively defend the network. There’s a lot of those out there, and marrying your requirements to that information and using tools like RF to basically turn over every stone on an automated basis is something no human can ever do, and get that information back to you so you can act on it. That’s the sweet spot.

Dave Bittner:

I want to ask you about creativity. Because I think, particularly in a lot of technical fields, and obviously cybersecurity is one of them, I’ll often hear people say, “I’m just not creative. How do you people in the arts, how are you so creative?” And my response typically to them is, “Everyone is creative. Creativity is problem-solving, in my opinion.” I’m wondering, what is your take on that?

Myke Cole:

It’s bullshit, it’s an excuse, and I don’t have a lot of patience for it. For the prog rock band in the ’80s, Boston — you ever heard of them?

Dave Bittner:

Oh, sure.

Myke Cole:

You know they’re all math guys from MIT, right?

Dave Bittner:

Right.

Myke Cole:

My good friend who’s a VP — well, his title isn’t VP, they use some wacky term at Spotify — she’s an engineering manager at Spotify and she is a major, heavy-hitting cellist. She’s the cellist that when the Lumineers are playing Madison Square Garden, they’re gonna call her to come play. It’s no coincidence that, especially in math and in the arts, if you look across all of the verticals into the arts, you’re gonna see tons of engineers and tons of mathematicians in the field.

You’re exactly right, that creativity is kind of … what is that? How do you quantify that? It’s a BS buzzword. It’s like the word “talent.” It’s this thing that we assume exists, and nobody can prove that it exists, right? So, I think that creation and the making of art is really, really scary because the reality of it is, if you go to a job and you’re just kind of fulfilling a role and doing what’s expected of you, yeah, I guess you could do a good job or a bad job. But, you’re not doing something unique that accrues to you and has your name and face on it, and then putting it out in front of an audience to be judged. Right? That’s what you do when you make art. I write a book. You make a painting. You write a song. But, my book has “Myke Cole” on the cover and it’s got a picture of me on the back.

And if it sucks, it’s on me and only me. And believe me, this is the age of Twitter and social media, and people are not nice. When your work sucks, you’re gonna hear about it. Not only are you gonna hear about it, the whole world’s gonna hear about it. And people are not gentle, and that’s terrifying. It’s absolutely terrifying to go out on a limb and put that out there. So, it’s a lot easier for people to say, “Oh, I’m just not creative” than it is to face that risk. When I put on my more sympathetic hat, I get it, man. I’m scared too, I’m scared all the time. I’m scared every time I produce a work of art, but I’m also scared when I take a novel position at work and when I champion a theory or a case, or produce an intelligence product.

I’ll give you a perfect example. I don’t believe there is a Cyber Caliphate. I think that’s a bunch of bullshit. I think the Cyber Caliphate — you can’t see me, but I’m using air quotes — is a set of strategic goals that is put out by ISIS-aligned sympathetic actors that anyone can pick up and use, much in the same way that I don’t believe there is a hacker collective called Anonymous. It’s a set of strategic goals with no corporate infrastructure. These positions that I’m telling you right now are not popular, and when I write to that and speak passionately to that, often to high-ranking people, we’re talking chiefs. And when I was still in the military community and intelligence community, up to the assistant-secretary-of-defense-level consumers of my work. That is creative. It is my name on that product. And I am taking a contrary view because I believe in it.

So, I think that the issue isn’t a lack of creativity. People are not bashing to hear it’s a lack of courage, and I don’t say that to shame you, and I don’t say that to bash you. I say it to push you, and push you in the direction of a more extraordinary life. Life, like art, is best when you risk, and I think that there’s a place for that risk, not just in the arts, but in what we do as cyber threat intelligence people.

Dave Bittner:

Our thanks to Myke Cole for joining us. You can learn more about his work on his website, mykecole.com. He’s also on Twitter @mykecole. He’s also one of the scheduled keynote speakers at Recorded Future’s upcoming RFUN conference, more on that in a moment.

Don’t forget to sign up for Recorded Future’s Cyber Daily email where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

And remember to save the date for RFUN, the sixth annual threat intelligence conference coming up in October in Washington, D.C. Attendees will gain valuable insight into threat intelligence best practices by hearing from industry luminaries, peers, and Recorded Future experts. The details are at recordedfuture.com/rfun. I’m planning on being there, and we’re actually going to do an episode of the CyberWire from the show.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinator Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.