
May 10, 2025 • 34 mins

In this gripping episode of Cybersecurity Today, host Jim Love interviews Daniel Berulis, a self-described whistleblower who recently made a significant disclosure to the U.S. Congress. Berulis reveals the shocking details of tenant admin abuse within a governmental cloud environment, which allowed unauthorized data copying and wiping of audit trails. They discuss Daniel's background, the alarming red flags he observed, his attempt to escalate the issue internally, and finally, his decision to report it to higher authorities. The conversation dives deep into the complexities and moral dilemmas faced by a whistleblower, offering viewers an insider look at the challenges in maintaining transparency and security in high-stakes IT environments.

00:00 Introduction to Cybersecurity Today
00:39 Meet Daniel Berulis: Whistleblower Extraordinaire
01:05 Understanding Tenant Admin Abuse
02:12 Daniel's Career and Community Involvement
05:28 The Mysterious Meeting and Initial Red Flags
08:48 Uncovering the Data Breach
11:56 Internal Reactions and Escalation
19:08 Reporting the Incident and Facing Consequences
23:45 The Whistleblower's Journey
32:31 Conclusion and Final Thoughts

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Welcome to Cybersecurity Today.
The email was accompanied by an official looking document that started
talking about tenant admin abuse.
As I read on, I found myself almost unable to believe what
I was reading, what followed.
In that document and subsequently in this interview, was a Tale of Intrigue

(00:23):
that might match any Hollywood movie.
The only difference is this is all too real.
When I finished this interview, as I said at the end of the Friday
show, my hands were shaking.
Welcome to Cybersecurity Today.
Today's show features Daniel Berulis.
A self-described whistleblower and his recent disclosure to the US Congress

(00:48):
uncovered how tenant admin abuse let outsiders copy data from government
sources and then wipe the audit trail.
It's not the type of thing that happens normally in our lives.
Welcome Daniel.
Okay.
Thanks for having me.
Jim.
Just a minor note 'cause I don't wanna leave the audience hanging.
What is tenant abuse and what is exactly that you reported?

(01:10):
Sure.
Absolutely.
There's different layers of ownership within Azure in most cloud environments.
And so at the highest level is what you have is the tenant.
The tenant would be housing all your subscriptions and your various
management groups within Azure.
So essentially tenant is the highest you can go within your company.
You have to go to Microsoft to get higher.

(01:31):
And you were saying it's, that's a higher level of access than
even A CIO would normally have?
That's correct.
By zero trust principles generally.
It's a break glass account only would be at that level.
Not always followed, but best practices would dictate that would
be the way it should be, yes.
Great.
So we'll come back to this.
The situation was.

(01:52):
At least one party having more access than they should ever possibly
have and some things that happened.
And follow us through our conversation.
Before we start I'd like to get to know you a little better, and I
you sent me I guess which was your, documentation that was sent to Congress.
And so I've read a lot about you, but I'd just like to share that with our audience.

(02:12):
Tell us about who you are and how you got to the point in your
career where you are right now.
Sure.
I definitely started it much like others in finding a passion in something.
And mine happened to be infrastructure, this was almost two decades ago now.
And then I developed a love for automation various scripting and different tools.
And that led into cybersecurity.
And one thing led to another, we.

(02:34):
Gotten to the point now in my career where I have a jack all
trades and I've been exposed to many different sector, many different
industries in the private sector.
And recently here I was doing some government consulting and position
notebook, National Labor Relations Board.
And so I took that on and joined the federal government.
You're certified in Azure, Amazon Web Services.
You've done, you've been doing this for a long time.
You also have a really great community story.

(02:57):
You've been quite active in, in both community work.
And one of the things that I'd read about you was that you were
actually working with people who were victims of human trafficking.
So you put a fair amount of your time into your community work as well.
Yep.
Yep.
I have for many years I've been volunteer firefighter did the rape
crisis center counseling do Microsoft tes always had a desire to give back

(03:19):
to my community in a meaningful way.
And joining the federal government was just another way to do that
for me, to be honest with you.
I'm assuming with your credentials and they are significant.
I'm sure you didn't move over to the government for the money.
That's a very valid assumption.
Yes.
But for the sense of purpose and the mission.
Absolutely.
But you've held some pretty pretty good positions here.
You, you had a top secret security clearance at one point, so you

(03:40):
understand when we're gonna be talking about protection of data.
You've been thoroughly trained in that.
I don't think people really realize how much.
Goes into getting a top secret security clearance.
You're obviously told not to use commercial apps on your
phone, but we won't go there.
But what's the process for getting that, for a normal human being?

(04:00):
Sure.
Try to think of somebody that could validate where you lived 10 years ago.
From your life and then in by that time, 15 there's so much that they
dig back into bo both previous, every, employee you've talked to, every boss,
lots of different facets that they dig deep into to figure out exactly
who you are and whether or not you're trustworthy with the government secrets.

(04:20):
Yeah.
And I presume you get the lecture on how to treat things.
You're, they're strict rules.
Can you remember any of that when and hearing that for the first time?
Absolutely.
Yeah, so classified information never leaves.
Where you're viewing it, you don't disseminate that.
I can tell you that there's different protocols.
We generally classify with traffic lights.

(04:42):
For which, red, yellow, and green to indicate who this is shareable to.
And furthermore, the one thing that is drilled into your head is that
government systems are protected.
The data is not to be exposed to people that are unauthorized to view it.
That's like the number one thing that's drilled into
your head time and time again.
Yeah, and there's that principle of least disclosure.

(05:02):
Even if it's not particularly written down, it's you have to ask
yourself, does this person have a need to know this information?
So it's not just rules, there are principles that you have to follow.
Yeah, absolutely.
So we'll take this.
You're a normal guy.
You've taken this job, you like, obviously liked working there.
I can read that even into the comments that you make.
You're having a good time and all of a sudden there was a call that said

(05:25):
you need a bodies and chairs meeting.
Can you describe what thatwas, what that call was like?
Sure.
I was surprised actually.
I. Had we had not gone fully back into office yet.
We were still partially work remote.
So that call was unusual, but also exciting.
At first myself and my coworkers, we were actually pretty excited to meet

(05:45):
DOGE see what they were, if they met their technical chops and if they could
come in and, we could work with them.
I actually got there early.
I remember the next Monday which.
It, the drive pretty rare event for me.
So I got in there with 20 minutes to spare.
I was pretty excited to come that Monday.
So you, you get into work early, you're sitting there in the
conference room, the could, could you see the black limo pull up?

(06:08):
What, how did you know that was Yeah, so I'd actually gone outside.
It was about 15, 20 minutes after start a day.
And so I'd been there for about an hour now.
I went outside with one of my coworkers and we're.
Looking on the outside and see it in the peripherals and obviously the lights
and the make it big, draw attention.
But it was an SUV with police escorts front back and it

(06:30):
pulled into the parking garage.
And I can honestly say that out of ev there wasn't a single other time I've
seen that while working at the, that building or anywhere near the building.
So that was unusual.
We both commented and said, oh, hey, I bet that's them.
So you see this limo pull in, they get up and into the building
and you're having a meeting.
And what was announced to you?

(06:50):
So the announcements weren't I. Through official channels, they
were your boss comes in or your coworker comes in and they close the
door to your office and they tell you, oh, hey, I just that such da.
There wasn't any official email or any kind of like
official memo that was sent out.
But the understanding was that we were going to be expecting them to come
up and just talk to us, understand what our jobs were and any kind

(07:13):
of system access that they needed.
We were told to grantthem without question.
So there was no official presentation and they didn't come in and present to
you in a conference room or anything, like they just, you were just told
they'll be by your desk to ask you what you know, what you're doing right.
And all that sort of pretty standard stuff actually, right?
Yeah, so far it was pretty standard.
The only thing that really raised a red flag off the bat is that I talked

(07:35):
to my CISO later in the afternoon that day, and he confided to me that.
He had been instructed he, sorry, he had suggested a streamline process for
them, which is to log their accounts in ServiceNow and just create a
ticket to log the access that they're gonna be given and the accounts they
created versus our normal SOP of going through the user creation process.

(07:57):
However, he'd been shot down and told instead to not make any log
record of their accounts at all or what permissions are given.
And that was the first major Something's wrong that went off in my head.
And him as well.
Yeah, that's, he both freaked that's a pretty creepy feeling.
In a world where transparency, is supposed to be our big thing and

(08:22):
following the rules that we have for security, for somebody to come in
and say, keep this off the books.
What did you what went on inside your mind when you heard that?
So I definitely, I was alarmed.
That was my big something's wrong here, guys.
Something's fishy.
Something is not aligned with benevolent intention.

(08:43):
So at that point I just started listening for anything else.
Started looking around.
It wasn't until a few days actually, but I started noticing some things that also
didn't add up and added to that overall, that fear, those indicators and those
were what, can you describe that to me?
What was your first clue absolutely.
That things were going wrong?
There was a large spike in outgoing data, and when I say large we're

(09:08):
talking magnitude of three or 400.
It's pretty flat baseline on a metrics as far as data output from this ethernet
adapter, and then just this huge spike.
And there wasn't anything that correlated.
I saw the chart on your disclosure document and you'd included that and it,
if the audience wants to picture it, it's like picture the bottom of a chart with

(09:29):
basically a flat line, almost hugging the edge of the bottom and a spike that
comes up and takes over the whole page.
This is what you saw, any security professional should
be looking at going what gives.
And so that's what you saw.
What did you do about it?
So immediately I'm very much a pragmatist and realist, so I started looking is

(09:49):
there any corresponding inbound data?
Maybe it was some patching of some system, nothing.
So it's, okay.
Are there any other systems that are high utilization during that time?
And I found the database the NextGen database was the only other resource.
And I said, okay, what time is it?
Maybe it was just people moving data copying over, some DBA doing a something.
It was at 3:00 AM to 4:00 AM So as I looked for further answers,

(10:14):
it became more and more evident that it wasn't something benign.
And is that when you started first checking with the development team,
see if there's something there.
You went around and checked to see if Yeah.
If anybody could have done this.
Yeah.
Throughout this process like I mentioned, the biggest thing, my goal was to try
to figure out what exactly you know, had happened that had a logical explanation.

(10:34):
And so I went to both the security team, the network team and the developers
and actually the head of development.
He disseminated down through his whole team just to make sure nobody, no
contractors, no third party, nobody was doing any work during that time window.
And it came back that was the case.
Networking was your next stop.
Yep.
And you checked there.
Yeah.
Yeah.
Nothing happened.

(10:54):
Because we have like packet sniffers, we have egress, that
normally would've picked up and at least told us what the date it was.
But when we went to check those, they were in an off state
so somebody had turned your packet sniffers off the Network
Watcher, and Azure was, wow.
You gotta be, was in an off state.
Yep.
This has gotta start to creep you out.

(11:15):
This is starting to sound like a spy novel.
Or the chasing of a hacker that's very clever.
Spike in data.
Things are turned off.
What were the discussions like?
And I don't want to even
imply that I would get you to give, get anybody else in trouble or say
that somebody had done something.

(11:36):
So let's leave that off the table.
'cause I don't Yeah I can sense, I know you're not that type of guy
but to the degree you can tell me, can you talk to me about what the
discussions were like internally?
And one of the reasons is we've got a big security audience.
They're gonna have these types of discussions when they
see these types of things.
What did you do and what did you discuss with people and what was their reaction?

(11:56):
So I went up my chain of command.
That's what you're trained to do is that you escalate
through your chain of command.
And so I can honestly say without reservation that my
direct chain of command, so be my a CIO of infrastructure the.
A CF security.
And the CIO all took this very seriously.
They, we started enacting and building up our internal threat monitoring

(12:19):
for internal threat actors tooling.
We spent more money on better security auditing and logging,
interfering, logging some of these things that we hadn't necessarily.
Had the budget for because of, what our policy constraints hadn't been.
We found, they made ways to make this work now, which was to,
to their credit, very great.
The problem is that it's just not a retroactive thing, so we didn't
have a lot of tools to go back and say, what, how could we apply

(12:41):
this to this date in the past?
And so another one of the things that I knew from why this looked the
big picture, knew what to look for, is I've done like red blue War games
exercises at clients in the past.
And so I knew what an attacker, mindset would look like, or playbook I should say.
And so I looked at some of these other repos that have been downloaded.

(13:02):
Some of the other tools I knew to look for, and once I found those, it was
clear to me that's exactly what this was.
This was a, an attempt to covertly exfiltrate data.
Just like you'd see in the private sector.
And this is, we're trained for this, but.
This is every security person's nightmare is you've got somebody attacking
you don't know who or from where.

(13:23):
When did you start to notice other things happening?
It was over the course of a few weeks that I you know, because I still had
my normal job duties too, but I was.
Looking at metrics from different review, trying to, I remember
look at one point for budgetary savings at a storage account.
I noticed another anomaly.
So it was during the course, normal events for the next two weeks, a bunch of these

(13:46):
pieces started adding up to that picture.
So you're now looking at this, you're doing your regular, you've got.
You've noticed that internal alerting, monitoring systems turned off,
multi-factor authentication has changed.
And what else did you discover?
Besides those?

(14:07):
There were some conditional access policies that have been altered.
Some really odd logs around that time now that I was able to narrow
it down to a certain time window.
I was able to look for things.
The container being spun up, but we're not using containers
at all, was a big another.
That's problem.
Yeah.
You found a container on the system and again, it's not something you
would, I found of the container being spun up and deleted.

(14:29):
Not like a ah, yep.
So whoever's doing this is being pretty clever there.
They're deleting everything right after they've used it.
They're not leaving anything on the system for you to find.
It looks like a very well scripted execution.
Yeah.
My, my guess is because the time and how many activities were executed in a small
amount of time that this was scripted some way Python thought, something that

(14:52):
was, essentially prepackaged and then run.
Doesn't seem like there's a lot of time for all the different interactions
for a human to make the actual clicks.
Wow.
So they've done this before?
Yeah.
This would, this feels like a hack.
The other thing that you noticed that I noticed from your, from going
through your documents was that.

(15:12):
They turned off the blocking of mobile devices in Yeah, so that anybody can
get into your systems and it was odd.
They disabled like the insecure clients and the iOS, so
there's four settings in Azure.
They didn't just completely eliminate mobile devices, not be able to login
in, but they made it so insecure and I think it was iOS, where
previously they weren't allowed.

(15:33):
Are now allowed to log into mobile devices.
I still was not able to put together what part of the picture that was,
but that was an another anomaly that nobody in the office owned up to.
I couldn't find any record of the activity logs of somebody making that change.
They, to me, it just seemed it just magically happened.
I don't wanna keep coming back to this, but you're talking to people

(15:56):
in your office, they're looking at things going, we didn't do this.
I. Aren't people starting to freak out by this point?
You have to understand there's a culture of fear that permeates,
and these people have been working government jobs for 15, 20 years.
They are very scared of, having to have their heads on the

(16:17):
chopping block and going out to, and that, that was pretty clear.
If you've looked at what happened with CISA and some of the other agencies,
that's exactly what happens if you start.
Looking into this kind of thing.
At first, yeah.
But then when the kind of everybody put together, what happened, what timeframe?
Things got very quiet, particular from some of the.
The people I'd been working with up until that point, even when you

(16:40):
noticed that there was an IP in Russia trying to log into your system.
And would've been successful if not for the conditional access
policies that we had in place is a tertiary backup to geo blocking
that this shouldn't have happened.
And the only way that it, again, I shouldn't speculate though what
I can say is that there was a, there's different levels that one.

(17:02):
Has to trigger before the next gets triggered as far as a
login attempt authentication.
And so they got past the normal, where you see a ton of these in
normal course of day operations because email addresses are public.
You know that you see tons of attempts, but you don't see successful
authentications blocked by the cap.
Especially outta the country, unless the only other time we'd see it is if

(17:24):
an somebody one of the lawyers travels internationally and forgets that they
have their computer and they try to log in, then that kind of alert would flag.
But for it to happen at three, whatever, the timing was so shortly after
these new accounts system, a managed identity account, not just, so there
was the regular account, then there's the system managed identity account.
The regular account is the interactive login is the one that we saw pop up there.

(17:46):
So it wasn't like, it was just a programmatic key that was
generated and stored to securely.
This was like, this was an account's password.
Could you tell what, whose account and password this was?
So the, I can tell you that there were two new user accounts I saw one was.
Jamaica Whitehall, and the other was Chicago White Sox.

(18:09):
Those were the first and last names of the two user accounts that were created.
So I, I don't know the actual those don't seem like real names to me.
But those were at the same time, two accounts that were
created during that timeframe.
But these are.
Your notes say that these logins occurred within 15 minutes of
accounts being created by DOGE.
So these are right, this was the second time they came back in.

(18:32):
So the first time I didn't actually know, I just saw the records of the actual
accounts starting to take activity.
I didn't actually see the creation.
I'm guessing that's because I only had global admin, not tenant
level where they were created.
But I was able to see the actions by what's in Microsoft, what's
called a SID or security identifier.
It's unique to each resource.
And so each resource has a unique resource id.

(18:55):
And that was what was referenced.
So it wasn't necessarily the account at that point as much as just the
SID that I saw in the activity logs.
And that was correlated through that same SID to that alert and the in offender.
So by this point, it's obvious you have to report this to someone.
Yes, absolutely.
And we my CISO who was very proactive about this saw the same thing I did,

(19:19):
looked at my results and said, okay, yeah, we have to report this to US-CERT.
There's a procedure and policy we had follow.
So we started putting that together towards the end of a week.
And everything seemed to be going good.
The right people were gonna come in and take a look, and then
we went home for the weekend.
And the reporting line would be to CISA.
There's a group at CISA you report this to.
Yeah.
There it, it might have a different name now, but it used to be called the US-CERT

(19:41):
team, which was like your SEAL Team
Six for IT incidents within the government.
If something happens, there's a breach, they come in, they help you
contain and they help you, triage.
So they're interagency.
But they are part of CISA, I believe.
Yeah, so you're gonna report to them.
It seems like a fairly thing, something you're trained to do, MITRE is it calls
(20:02):
into the frameworks, all of the stuff.
You put the report together.
I presume everybody worked on this report.
When did you find out that the report wasn't to go anywhere?
Just a few days later, whenever it should have already been submitted.
And I think I was following up on a status.
It was relayed to me.
That it came down that we would, that was no longer in the agency's
(20:24):
best interest to report that.
There was talk of not having our heads on the chopping block.
There was talk of the making it disappear is the right thing.
I was upset, so I went to my CIO.
And wanted some answers there.
And I was surprised, but it went, it came in from higher.

(20:46):
So there, there's, I can't tell you where exactly it came in from, but
I know that he didn't make the call.
And that's about all I know at that point.
But I was very disheartened and a lot of us were just, we're hopeful
that we would at least be able to trigger the right triage in
reporting without being interfered.
However, it turns out that.
It was nothing was gonna happen at all.

(21:08):
We were just to ignore it and, keep our noses down.
Wow.
So you've got people logging into your system, spikes of data
exfiltrated, the traces of that being removed logs affected and.
How?
I have to know, how could anybody explain to you that this wasn't to be reported?

(21:31):
This is, and I'm sorry, I don't mean to be Yeah.
Obtuse about this, but this is pretty black and white at this point.
Yeah.
People have been prosecuted for not reporting information like this.
And to be honest with you, that should have been at the forefront of my mind.
That should have been my motivating factor.
I too, didn't want my coworkers to lose their jobs unnecessarily.

(21:51):
But when you see things in the you know what system jobs are in a database, right?
They run periodically on time.
When you see chunks of time with those missing as well as any other activity
during those hours it's obvious.
Somebody manually deleted.
That wasn't just a system glitch 'cause the jobs just didn't log their
activity for a little while there.

(22:11):
Absolutely.
To not report that is, is fundamentally flawed with everything that we were
trained to do and everything we are trained to do in the government.
So it wasn't just myself, other people are up in arms too.
We just.
We didn't know what recourse, because if they were willing to fire the CIO and just
stick somebody else in there, everybody else under him is the expendable as well.
So we started to come up with alternate solutions as to how to get this

(22:34):
information in front of the right people, even though we're not allowed
to officially use those channels.
I, and and we've been through the fact that, the system was, you also traced
it back, that confidential information was exfiltrated from your systems.
Yes.
And did that get raised in the case?
And I'm just so surprised that someone wouldn't say there's just I'm mystified.

(22:58):
I and I've had a long corporate career.
I've had those times when people say to me, Jim, you're a really honest guy,
but sometimes you can be too honest.
I've had that coaching talk, but this one's pretty cut and dried and yeah,
it's gotta be, it's eating at you.
What?
What did you decide to do?
I just, I have to be really careful because my one goal in this is not throw

(23:19):
anybody else under the bus, so Exactly.
And we don't wanna do that.
So I have to take ownership for some stuff that even
realistically may not actually be.
My, my decision or my choice.
And after we you could just say decisions were made.
Yeah.
We don't have to, don't have talk.
To be fair then who made decisions were made against?
A few of our voices as loud as we could.

(23:40):
Screaming into the void,I think as someone put it.
But we did eventually.
I did find the congressional reportingroute, and I looked up my laws
and statutes and what I'm supposedto do when I do run into this.
Now, the IG was also involved at my agencyand the Office of Special Counsel as well.
The, those are the, there'sstandard routes you have to follow

(24:01):
if, but there is a method, there is a way for you to report it.
So even if you feel like somebody's not taking you seriously, luckily.
Those avenues are what actually proved to be fruitful.
Somebody there listened and said, no, this is not okay.
How did you find those?
Did you just Google it?
How do you find out who to go to?
So actually Google was a big part of it too.

(24:23):
Also there, there's some resources as a Fed that I have.
Back when I was doing my TS/SCI about how to report in the IC.
And so I along that same train of thought, I just started looking up
how to do whistle blowing how to correctly whistle blow with legal
protection and that led me one thing to another to, to where we are today.
Did you talk to a lawyer through this?

(24:44):
Yeah, that's where I ended up eventually and he helped me prepare
the disclosure and everything.
And how do you find a lawyer who deals with this sort of stuff?
There is very few but luckily one of the best it's Andrew Bakaj
who the does wi whistleblower.
A he's does exactly this and only this because he has an
ex whistleblower himself.

(25:05):
And so he is been through it.
He's seen what, what can happen without protection.
He actually helped change the laws around classified disclosures and
how that agency is more, the IG there is more independent now.
He's been a big player in the space for his whole career.
And this is the guy you wanna go to.
So there are a few, there's a handful of 'em out there.
But once you find that the right person, they know exactly the right

(25:27):
route to go and how to, protect yourself while you're disclosing.
So what was your first meeting like with Andrew was his name?
I think I think I remember, I'm later recalling that I felt like I
walked in there with a tinfoil hat on and and I, to, to his credit, he
took me seriously the whole time.
But just hearing it, reading it out loud, just going through what I thought might've

(25:49):
happened was it was jarring even for me.
But luckily, very professional and he listened to me the whole time and took
me very seriously and helped me flesh out some more questions and things
that I needed to figure out before putting that disclosure together.
Yeah.
And yeah, because it, as much as we say, this looks cut and dried,
this is your career's on the line.

(26:09):
Other people's careers are on the line.
There's, yeah, this is serious stuff we're talking about, whether you
know who's legally liable and it's easy to start to doubt yourself.
Did you doubt yourself through this?
Many times.
That's why I tried so hard to come up with alternate.
Viable solutions that could have explained some of this, because

(26:30):
that would be a win for me.
That would be a best case scenario.
I don't jeopardize future job prospects.
I don't have any kinda animosity towards my employer or from my employer.
I get to figure out, oh, this was this.
We get to be for our security.
That's a win-win.
I probably tried a little too hard to just come up with some really crazy
scenarios of how this could have, and I eventually, I just ran out of.

(26:52):
Crazy bills I had to face reality and say, this is what it is, and
put it together just morally.
Now you're, yeah, you're a normal guy.
You probably need a paycheck like everybody else does.
All this sort of stuff.
And you're looking at this did you have to resign?
Did you or did what?

(27:13):
What were you facing?
So that's a bit complicated because, the agency did not
fire me, which was pleasant.
However, the day after the disclosure then DOGE announced that they were
formally coming into the agency and they were gonna staff two people on
the same floor, like basically right outside my office for two days a week.

(27:36):
And a as part of this and I don't know who it was, I again, the FBI can.
But the law enforcement's looking into it.
I received a letter on my door before I even disclosed to Congress,
my door at my house that I've only been there like three months.
Came home from work one day.
Needless to say it wasn't a very conducive environment after that to

(27:57):
go back to to try to work in the same office as the people that I've accused
of at least possibly data exfiltration.
So there was a lot of that.
Aspect to, and I didn't wanna put anybody else's job, or I didn't wanna
put anyone else in an awkward position.
So I did I chose to resign at that point.
Wow.
And that's yeah that's gotta be tough.

(28:19):
Now where does this go from here?
Did you actually appear before anybody or is this just a document
that gets sent to Congress?
No, I've actually spoken to a couple different committees and offices.
And them understand the right questions to ask for to explore us
farther and figure out the truth.
And I still have some ongoing still work that I'm doing in that aspect too,
but hopefully, there'll be at least enough resources now to get to some

(28:44):
semblance of the truth before it's all, at this point, it, none of, a lot
of the data can't be really trusted.
Because as soon as DOGE came in, they removed administrative rights
from everyone else in the company.
Except themselves.
That includes like global admin, includes security admin, user administrator.

(29:06):
So we can even view like access logs or activity logs to see what
their accounts are doing right now.
Before I, resign it brings into question the validity of any kind of, data
that comes out from them directly.
And so the goal now is to get hopefully some third party or
additional logging that comes, or records that come from outside the

(29:26):
agency when we, when they review that.
An objective outside source to, to actually review that.
That would be ideal.
Yeah.
Yeah.
And just for people, 'cause we only have the exposure to this as theater where the
person sits behind the desk and there's people yelling at you and telling you're
no good and all that sort of stuff.
What was the real experience like in meeting with Congress?

(29:50):
They're actually really receptive and a little bit more in involved
than I would've thought at first.
So I thought I would be handed off to someone who just, but
it was very action oriented.
I think a day or two later they wrote a 50 or something person I.
Letter to demand answers to the NLRB about this of over 50 signatures.
They moved very quickly.

(30:10):
I talked to other experts in the industry too, at other agencies, and
they consulted some for data validation.
So they did their due diligence and pretty quickly too.
I was rather impressed at the speed of it all, how serious they took it.
And where does this go from here?
You'll have more curious that, I don't know.
My, my part in this hopefully is over.
I've done, my, but this is over now to the bigger authorities' hands that

(30:34):
hopefully, they can do what action they deem necessary or prudent.
Wow.
So looking back over it, I have to ask you, would you do this again?
I can say I never wanted to do it in the first place.
I was in a position where I saw something and I felt morally like I

(30:56):
had, I, it wasn't given another option.
I didn't want this in the first place.
It's, this has been a harrowing experience.
That being said, would I do it again?
I didn't have a choice in the first place.
It's just who I am.
There, there's an obligation you have when you see something that, that is
this, that could be this drastically wrong that you have to tell someone.

(31:17):
You can't just let it go by.
And so I, I would, but knowing full well what it would cost
me, I still would do it.
I still didn't enjoy any of it.
And I wouldn't wish it on, anybody else.
I bet, just to the degree that you can, if there's someone else listening out
there who's in a similar situation, what advice would you give them?

(31:42):
Absolutely.
I would definitely tell them that build a support system, document everything.
Make sure you're meticulous in your communications and your record
keeping, and then get somebody that can offer you some kind of
protection or guidance to do this.
It makes it, it's, it really is almost impossible to do it alone and you really
do need that support system, and you do need to actually have that mental health

(32:04):
care lined up ahead of time to take care of yourself throughout the whole process.
There's a lot more to it than just submitting a piece of paper I found out.
And so I would suggest to anybody out there that's thinking about it, or in
the same situation or seeing anything that could be unusual anything that's
keeping you up at night, say something, go through the proper channels and
find protection both for yourself and for your legal stakes in this as well.

(32:29):
Oh.
I wish you the best, my friend.
I hope your next job is really easygoing and the most you have to
do is talk about complex passwords.
Yeah.
Yes, I have high hopes, and I appreciate you for having me, Jim.
This is a really important message to, to get out so that people can
know, and I thank you for doing that.
This is absolutely important and I'll just, I'll thank you for this.

(32:52):
I'm Canadian obviously but we have a huge American audience.
It's, the bulk of our audience is American. Americans have a wonderful
phrase and that's the one thing I'd like us to adopt up here in Canada.
You say thank you for your service and I'd like to say that to you Daniel.
Thank you for your service to your country and to your profession.
And that's our show.

(33:13):
I hope you found this as incredible as I did, love to hear from you.
I'm pretty safe across the border, so if anybody out there does want to.
Have a chat or pass on any information.
I've spent 40 years in the industry getting a reputation for being
confidential and being supportive.
You can reach me at editorial@technewsday.ca or find me

(33:34):
on LinkedIn like our listeners do.
And like I said, if you're one of our listeners, we'd love to hear your
comments and opinions on this same deal.
editorial@technewsday.ca, LinkedIn, or if you're watching on YouTube and.
What you say can be public, just drop a note under the video.
And I'm gonna be thinking about this for a while and I'll be back next week with
my cohost, David Shipley, bringing you the best in cybersecurity news.

(33:57):
I'm your host, Jim Love.
Thanks for listening.