EP 34 – How to Catch a Malicious Insider w/ Eric O’Neill

[00:00:00.000] – David Puner
You’re listening to the Trust Issues podcast. I’m David Puner, a Senior Editorial Manager at CyberArk, the global leader in identity security.

[00:00:09.240] – David Puner
In early 2001, the FBI arrested one of its own, Agent Robert Hanssen, just after he’d made a dead drop of classified documents to his Russian handlers in a park in Vienna, Virginia. It marked the end of over 20 years of on-and-off spying for Hanssen, who’s widely considered to be the most damaging spy in US history.

[00:00:44.700] – David Puner
Later that year, Hanssen pleaded guilty to 15 counts of espionage and conspiracy in exchange for the government not seeking the death penalty. He’d spend the rest of his life in a supermax prison where he died this past June. Our guest today, Eric O’Neill figures prominently in Hanssen’s capture.

[00:01:05.310] – David Puner
As a 27-year-old undercover surveillance operative at the FBI in 2000, O’Neill was tapped to go undercover as himself within the FBI itself to work alongside Hanssen while trying to catch him. To create a situation conducive to getting close to Hanssen, O’Neill reported into Hanssen while building the FBI’s cybersecurity.

[00:01:30.380] – David Puner
You can read the whole story in O’Neill’s book, Gray Day: My Undercover Mission to Expose America’s First Cyber Spy, and you can watch The Breach, a movie in which the character, Eric O’Neill, is played by Ryan Phillippe. Our conversation today dives into this story with threads that connect to today’s threat landscape and the canny similarity between spies and cybercriminals, and how identity figures into all of it.

[00:01:57.890] – David Puner
These days, we hear a lot about malicious insider threats. Robert Hanssen foreshadowed them all. Here’s my conversation with former FBI counterintelligence operative, and current national security strategist, Eric O’Neill.

[00:02:15.520] – David Puner
Welcome to Eric O’Neill, former FBI counterintelligence operative, and current national security strategist. We’re really excited to have you on the podcast.

[00:02:25.410] – Eric O’Neill
David, it’s great to be on the podcast. I love talking about spies and cybersecurity and all the things we’re going to get into.

[00:02:30.330] – David Puner
You were a 27-year-old FBI undercover surveillance operator, also referred to as a Ghost. When your boss showed up at your house at 8:00 AM on a Sunday, unannounced, which seems like never a good thing to have happened, what couldn’t wait until Monday morning? How would this fun Sunday pop by ultimately alter the trajectory of your life?

[00:02:55.170] – Eric O’Neill
Well, David, it was one of the strangest moments in my life, and you put it a perfect way. That Sunday morning, early, unannounced visit by Gene McClelland, who was the supervisor for all of the Ghosts in the Washington region, all of the SSG undercover operatives who worked out of Washington Field Office. Supervisors don’t show up at your house.

[00:03:19.740] – Eric O’Neill
So him showing up unannounced, calling me and then saying, “You don’t have to come downtown. I’m parked outside.” To put it mildly, scared me. I was worried that some information had gotten mistaken or Russians, who I was doing a lot of work against, are pretty well known for compromising information, especially if they’re able to peel back your cover, and then they can do the spy version of what we see now with swatting, where you create some fake story or some fake crime, and then the FBI shows up to arrest you just to figure out what’s going on.

[00:03:57.980] – Eric O’Neill
So I’m worried that I was in trouble. I didn’t think that this was a happy visit. Coming out, I was worried. I looked at Gene, and he’s grinning at me because he knew that this was this situation I’d have. But after I got in the car with him, all of that went away. It became a very sobering conversation. It was about this guy named Robert Hanssen, who I hadn’t worked, which was good.

[00:04:21.530] – Eric O’Neill
Hanssen didn’t know me. I didn’t know Hanssen, which was important to the investigation. He told me that the FBI wanted me to go undercover to catch Robert Hanssen, a very senior supervisory special agent, an almost 25-year veteran of the FBI that they suspected of espionage. That’s all he told me.

[00:04:41.270] – Eric O’Neill
Not that Hanssen was the most damaging spy in US history, not that he was the mole that we had been after for over two decades, just that this was a guy who was suspected of espionage and they wanted me to go undercover and catch him. That actually made me upset because I said, “Why would you come to my house on a Sunday morning, wake me up, scare the hell out of me and my wife, just to ask me to go undercover to do what I do every single day, 24/7?

[00:05:07.630] – Eric O’Neill
We’ve worked when the bad guys worked, we slept when they slept. He said something that changed everything for me. He said, “We don’t want you to go undercover and ghost him. We want you to go undercover in a brand new section we’ve built in the FBI to catch him, called the Information Assurance Section.” We want you to work face to face with him. Now, that was unique. That was unexpected.

[00:05:32.990] – David Puner
This Information Assurance Division, this was created essentially for you to go undercover within the FBI. What thought was given to Information Assurance and what you were going to do? I should say this is what? This is the beginning of 2001, end of 2000?

[00:05:52.050] – Eric O’Neill
This was December 2000. The FBI received a tiny little folder of information from a former KGB. Now, the KGB had been disbanded decades before. Intelligence officer who had stolen some information about the Robert Hanssen investigation, about the mole. Now, the guy they knew as Ramon Garcia or B, they didn’t even know that he was in the FBI or his name or anything about him.

[00:06:17.900] – Eric O’Neill
But when the KGB was disbanded, what these guys did was what they were trained to do. They stole information and sold it to the highest bidder or saved it for a rainy day. This individual saved it for a rainy day, sold it to a joint CIA-FBI task force who opened the information and found three things: letters, a cassette tape, and a trash bag.

[00:06:40.740] – Eric O’Neill
Now, the trash bag was one of the bags that Hanssen had used early in his career to wrap his drop that he would put under a bridge in Foxstone Park in Vienna. So his clandestine drops and then an intelligence officer would come out of the Russian embassy, go on this long surveillance detection run and then when he thought he was black or clean or didn’t have surveillance, people like me on him, he would go pick up the drop.

[00:07:03.450] – Eric O’Neill
Now, like I said, the Soviets then, or the Russians, didn’t know who the spy was, so they kept every scrap of information they could. We could run prints, so we had partial prints. We listened to the cassette tape. It was the only time that Hanssen… It was his biggest mistake. He called the Russian consulate asking, “Where is my money?” He’d left a drop, he couldn’t find the money. They pointed him to it. But of course, they recorded his voice.

[00:07:28.910] – Eric O’Neill
Once again, they were trying to figure out who he was, the same time we were. Of course, we were able to identify his voice, and we had very good circumstantial evidence that Robert Hanssen, senior supervisory special agent in the FBI, one of the main career guys and also the top analyst against Russia for over two decades, was the most damaging spy in FBI history and quite possibly world history, and had been under our nose, including working on the task force to catch himself.

[00:08:02.580] – David Puner
Surprise, he didn’t find himself, right?

[00:08:06.030] – Eric O’Neill
Yeah, he made sure that we never got close, that we only knew as Gray Suit. That was the code name for this mole for two decades. Whenever we got close, he would push the task force on these wild goose chases. We had this slim information that pointed to Hanssen. Here’s the problem with Hanssen, he was a computer genius. He was a hacker.

[00:08:25.720] – Eric O’Neill
He knew how to program, he knew how to write code, he knew how to write malware. He had actually hacked the FBI and got caught. He wrote a script that was essentially what we call now a key logger, so that he could capture passcodes. When he was caught, he said, “Oh, I was doing it just because I wanted to install a printer, or I was doing it because I was trying to show that our cybersecurity isn’t very strong.”

[00:08:48.060] – Eric O’Neill
Back then, we called it Information Security. The FBI was very concerned that he had access to information in ways that we couldn’t track or audit. The other problem was he had been banished to the State Department for his somewhat cumbersome demeanor and was just supposed to ride out his retirement.

[00:09:08.300] – Eric O’Neill
So in order to get him to come back to headquarters and submit to a job that we thought was going to last far longer than this investigation did. They wanted him to accept a job that was going to allow him to go past his retirement. We thought this was going to take two years. I caught him in three months. They had to give him his dream job and something that they could sell to his ego.

[00:09:32.540] – Eric O’Neill
That was, you’re the computer guy. You’ve been spending your career complaining and beating a drama about how bad the FBI is at cybersecurity. We’re going to put you in charge of building cybersecurity for the FBI. His ego couldn’t let him say no. They promoted him to executive service. They gave him more money.

[00:09:51.120] – Eric O’Neill
They gave him all the things that he thought he needed, except a windowed office, which he complained about the entire investigation. They put him in charge of a really important section. But then what do you do? Someone has to go in there with him that’s read into the case, that knows how to catch a spy, but also actually knows how to turn on a computer.

[00:10:13.080] – Eric O’Neill
The IT guys didn’t know how to catch a spy, and nobody wanted to read them into this level of an investigation. The FBI agents, while they were still handwriting their memos, what did they know about how to identify whether someone was breaching a computer system or what he was doing within our data set in the FBI. So they looked deeper.

[00:10:36.700] – Eric O’Neill
They looked into the SSG, where I was. I had gained some notoriety for myself. I say notoriety because I put together a database of information that tracked targets over time with the idea that if you look at everything the Russians have done in the past, they tend to set out their signal sites and drop sites years and years in the future. If you just correlate the past, you can predict the future. Very simple, as I said.

[00:11:02.750] – David Puner
But most of this was happening just on paper at this point.

[00:11:06.410] – Eric O’Neill
It was happening on paper. I wrote a program that did it for us really fast, and it worked. They thought, here’s a spy hunter who knows how to turn a computer on. That’s the guy. Apparently, I found out later this big fight in the FBI over we can’t have this SSG guy. These unknown ghosts work the biggest case we’ve ever run. This has to be one of our decorated trained agents. These decorated trained agents who know how to do that face-to-face undercover work are not going to be able to sell working in cybersecurity for the FBI, the Information Assurance section. They rolled the dice and they went with me.

[00:11:43.570] – David Puner
So you show up there on day one, you are on Robert Hanssen’s team of essentially two, Robert Hanssen and you. What becomes your process and how long does it take for him to actually buy that you are who you are? I don’t even know how best to say that, but I got to think that there’s a lot of suspicion along the way.

[00:12:05.840] – Eric O’Neill
So if you’re a spy… If you’re a spy hunter… If you’re any operator in Special Ops, suspicion is a good thing. It means that you’re checking your six, you’re searching the corners, you’re doing all the things to protect yourself. You keep your eyes up, you’re not sleeping at the job. Paranoia is bad.

[00:12:22.890] – Eric O’Neill
One of my biggest jobs was to keep him suspicious, but never paranoid. Look, at the very end of his career, after being made fun of for his whole career, he’s given his dream job, and he’s given someone to manage. They had taken away all his management responsibilities because he was not a very good manager, and that’s one of his problems in promotion in the FBI.

[00:12:44.200] – Eric O’Neill
They’ve said, “We’re even going to delay your retirement and pay you more.” Of course you’re going to be suspicious. You have to be. His only point of attack was me. My number one job was don’t screw it up. Make him feel like this is real. We actually had do the job of building cybersecurity. To be honest, David, we were pretty good at it.

[00:13:06.240] – Eric O’Neill
The thing about Hanssen, even though he was the most notorious, most damaging spy in US history, we also had a lot of very good ideas about how to build cybersecurity. He’d breached the FBI for decades, so he knew all of the cracks and flaws and how to repair them. His entire career at the FBI had been a study of how to break the security, how to break counterintelligence.

[00:13:30.460] – Eric O’Neill
He was the number one person to explain how we were going to correct it. But I had to get him to talk. You can’t beat him. You can’t win in an undercover investigation unless your target is going to talk to you and people don’t give up information unless there’s trust. But after I bundled a while, he stopped me and he said, “Look, if you want to be a top counterintelligence agent in the FBI, Eric, you’ve got to know one thing.” I was like, “What’s that?”

[00:14:03.180] – Eric O’Neill
He said, “I call it Hanssen’s Law.” Now, everything was very important to him, and he was a big narcissist, so of course he called it Hanssen’s Law. But I don’t blame him for it. It’s actually an incredibly elegant law. I joke around when I’m nervous, so I say, “I didn’t study that at the FBI Academy at Quantico. Boss, what is that?”

[00:14:20.130] – Eric O’Neill
He said, “Hanssen’s Law is simply this. The spy is in the worst possible place. Now, I looked at him when he said that, and I kept a poker face, and I had to keep a very good poker face in this entire case, because here we are in the middle of the FBI’s data set. I didn’t know he was the spy, but I knew he was suspected of espionage, and he’s there with access and I’m there to stop him, and we are in the worst possible place.

[00:14:51.770] – Eric O’Neill
Is he challenging me? Is he laughing at me? Is he just trying to throw me off? Or is he just trying to be a mentor? I didn’t know, but I kept a very straight face and I looked at him. I said, “What do you mean by that?” He said this, “Hanssen’s Law, the spy is in the worst possible place. The spy is that person who has access to the most damaging information and the knowledge and the wherewithal to sell it to those who are going to pay the most for it.”

[00:15:19.360] – Eric O’Neill
That, Eric, is what we are here to defend against. I knew that my job was not just to get him to trust me, not just to not screw up and make him feel like this was real, but to catch that spy in the worst possible place. That was Robert Hanssen.

[00:15:38.200] – David Puner
It’s really fascinating. I want to get a little bit more into the process in a minute or two, but I do think it’s interesting, again, to note that this was essentially working on the FBI’s cybersecurity program. What was the actual state of the FBI’s cybersecurity at the time? Did you and Hanssen make any notable contributions to the cyber defenses over what turned out to be six weeks that you worked together?

[00:16:03.470] – Eric O’Neill
I liked to call, and I called Robert Hanssen in my book, Gray Day, the modern architect of the FBI, because the state of the FBI’s cyber security was pretty bad. That is why Hanssen was able to get away with everything that he got away with for so long. It turns out that the FBI was not auditing access the way they should.

[00:16:22.930] – Eric O’Neill
Hanssen was able to go into the automated case system again and again and again and mine information, check himself, see if there was an active investigation open against him or his addresses or any of his associates to clean himself and steal information. He once bragged that if you go into the ACS— one flaw of the ACS, is if you go in the ACS and you type someone’s name in, like a Russian name, a spy that say, the Russian intelligence services interested in, and a record is returned that’s all stared out, that means there’s an open investigation.

[00:17:00.550] – Eric O’Neill
You don’t see the name, but you know. There you’ve just stolen critical intelligence that’s very valuable to a foreign intelligence service. There were problems, not only in how we protected information, but how we built and shared information.

[00:17:14.280] – Eric O’Neill
There were critical problems in the pathways between agencies. Hanssen was adept at getting on task forces and stealing from other agencies. That way, a lot of the intelligence didn’t come from the FBI. So when the Russians were trying to figure out who he was, they thought he might be in the CIA or the NSA. Our spies weren’t coming back and saying we believe he’s in the FBI.

[00:17:36.120] – Eric O’Neill
There were a lot of ways that he was able to use this very beginning of FBI cybersecurity and all of the flaws to exploit those flaws and steal information in a way that he was not tracked or discovered, which is exactly what modern spies do today. He was our first cyber spy. Not only that, he’s the guy at the crest of a wave of modern espionage, which is now almost all cyber intelligence.

[00:18:04.650] – Eric O’Neill
To catch him was hard. Now, we did do some good work. He knew the flaws. He had ideas of how to map data. We were working very hard to create a system where FBI agents could have their desktop computers that had access to our Intranet, which was, by the way, this horrible green screen, monochrome keyboard-based mess that we were trying to at least be able to create a frontend where you could use a mouse and the Internet on the same computer.

[00:18:31.700] – Eric O’Neill
Everything was separate. In fact, back then, in 2000, 2001, you would have the separate Internet computer that didn’t have access to anything and agents and personnel. We were using our Gmail or Yahoo or Hotmail accounts to send emails around because the FBI didn’t even have an email address for people. We were behind every corporation, and it drove me nuts because I was a law student. I was using Westlaw and Lexis with these amazing databases, and I’m like, “We don’t even have that at the FBI. This is pathetic.”

[00:19:03.820] – David Puner
Didn’t you have to use a separate computer for email?

[00:19:06.160] – Eric O’Neill
I did. I had to go use our Internet computer. Our office was a pit area where it was just me and it was only going to be me, but there were desks for three other people to make him feel like he was going to get a big squad. Then he had his separate office. To use the Internet, he would have to come out and use that separate computer in my office.

[00:19:26.310] – David Puner
You’re working for your boss at this point now, and he required you to call him either boss or sir. At what point do you know the extent of what he’s done or might do? How can the FBI still give him access to all of this when he’s such a potentially huge insider threat?

[00:19:43.440] – Eric O’Neill
Well, part of it was that it had to look real. You have to understand that the information we had was pretty circumstantial. Even after I did an early search and I found letters that he wrote to the Russians, which made us very certain that this was the spy we were after, I was told by Kate Alleman, who was the FBI agent, who one of her jobs—there were many—but one of her tasks was to make sure I had the resources I needed not to screw up and my marching orders and to debrief me every night, she told me, “This isn’t just a spy we’re after. This is the spy. This is Gray Suit. We believe this is Gray Suit.”

[00:20:23.190] – Eric O’Neill
Robert Hanssen, codenamed Gray Day, was actually Gray Suit, the legendary mole that we had been after forever. I’m in the middle of that case, and I think that was after I asked, “Hey, I think I need to get off this case. It’s really messing up my law school grades and my relationship with my wife.” She’s like, “You don’t understand how big this is. There’s no getting off.”

[00:20:43.330] – Eric O’Neill
We had to get him to make a final drop. We had to. He had to make a drop so that we could catch him red-handed and put all of the pressure on him. Not just to get the arrest and make the conviction stick, but to get him to explain everything he had done so we can fix it.

[00:20:59.130] – Eric O’Neill
That’s why I call him the modern architect of the FBI, because by winning this case with slamdunk evidence, a smoking gun that no attorney, not even Hanssen’s attorney, Plato Cacheris, which was known as the top attorney for representing moles in the intelligence community, could argue against it, so that he would say everything he’d done. Part of the plea deal was that he had to explain what he had done and how he’d done it so the FBI could fix it, and they did. The FBI is much more secure than they were before Robert Hanssen.

[00:21:32.580] – David Puner
The plea deal that you mentioned, he did plead guilty in order to avoid the death penalty, but wound up with at least one life sentence and supermax?

[00:21:42.240] – Eric O’Neill
Yes. He pled guilty to multiple counts, including espionage. His execution was stayed as long as he cooperated. As part of his plea deal, he maintained his pension for his family so that they wouldn’t be destitute, and they were allowed to keep their home and cars, which the FBI could have seized. It was a good deal for his family. He, of course, avoided the death penalty as long as he continued to talk, and he did for years. He was banished to supermax prison for the rest of his life.

[00:22:15.910] – David Puner
One of the big players in all of this is his handheld PDA devices, PalmPilot. People of a certain age probably remember those. Those were really the bomb back in the day. I couldn’t get rid of mine fast enough, but Robert Hanssen really loves his. It was a big factor that led to his downfall. Today, vulnerable IoT devices are of greatest risk to data loss, and that’s according to the Ponemon Institute on Insider Threat Research. How can organizations effectively balance workforce device flexibility with security to mitigate these risks?

[00:22:52.620] – Eric O’Neill
First of all, let me explain how much Hanssen loved his PalmPilot. He loved his PalmPilot the way your teenager loves their phone. This thing was always on him, never was separated from him, except for when he sat down. Then it would go in a bag right next to his desk. Like clockwork, he would grab it and pull it out when he stood up and put it right back in his left back pocket. Always in the same place, always protected, always where he knew it was, a very good routine to protect information.

[00:23:22.050] – Eric O’Neill
The PalmPilot was important to Hanssen because he not only used it to organize his whole day, it’s how he organized the spy aspect of himself. On the PalmPilot were a synchronized way that he managed his different signal sites and drop dates and all of that information. He also saved letters on it that he wrote to the Russians. Now, we only learned that later after I stole it from him.

[00:23:49.700] – Eric O’Neill
My biggest contribution to the case, after not screwing up, was identifying that this PalmPilot probably had the information we were looking for. I’d gone through his office, we’d done multiple searches, we looked everywhere, and I said, “This is the only thing we haven’t looked at. He keeps it on him all the time, and he talks about it like it’s his seventh child. We got to get it away from him.”

[00:24:11.940] – Eric O’Neill
We put together this whole social engineering of getting him down to go shoot with Rich Garcia, Section Chief, and Adec, a assistant director. He couldn’t say no. We got him really flustered when they came in and asked, and he goes down to shoot, and I steal the PalmPilot from his bag, run down three flights of stairs, get it copied, and get it back moments before he walks in the door. I think I had seconds to get it in his bag and run to my desk. Then made a great movie, made a great chapter of my book.

[00:24:45.770] – David Puner
Great scene.

[00:24:46.520] – Eric O’Neill
I thought I got the wrong pocket. I thought I was about to die. Turns out I got it right. He had written encryption himself on the PalmPilot, when we were able to decrypt it, we learned everything we needed to be ahead of him for a spinal drop to the Russians, and that’s how you catch a spy.

[00:25:08.110] – Eric O’Neill
Looking at a device like that—obviously, this is the reverse; this is law enforcement stealing the device in order to catch the bad guy—but bad guys use these devices more than ever before in order to compromise us. Because if you look at just what happened during the pandemic, when we all went from an office environment to working from home and we still haven’t returned and we never will, now, the normal work, what we used to call future work, now normal work state is hybrid.

[00:25:38.630] – Eric O’Neill
We work sometimes at home, we work sometimes in the office, we work from the road. We’re very flexible now in how we work. That is a nightmare for IT because you can’t control the large number of different devices that employees or people are going to connect to your data from, or where they’re connecting.

[00:25:58.500] – Eric O’Neill
Every time someone connects from a different internet point, like working in Starbucks or working on a plane or working at some temporary office somewhere when they’re traveling, that’s another point of attack for cyber criminals or cyber spies. I don’t see a distinction between the two anymore.

[00:26:17.100] – Eric O’Neill
How do we protect devices? Well, you got to not worry as much about the devices as worry about the identity, the credentials, of the person who is trying to ashore into the data. That’s the only way. That is the future. Everything in cybersecurity now must be built around identity and less about devices.

[00:26:39.410] – Eric O’Neill
Now, devices are always going to be very important. If you have a holistic company that’s really smart about cybersecurity, then you’re going to ensure that people are only using devices to access critical data that IT has assured. So then you really want to leverage endpoint detection and response, EDR, and now XDR, which looks at Endpoint Plus network, to make sure that the device that is connecting to, say, the e-mail account or to the shared drive is something that you know.

[00:27:15.600] – Eric O’Neill
But people are still going to have to get in on different ways. There, we’re looking at not only the device, but also the identity and using a lot of different heuristics to understand whether that person actually is who they say they are or if they’re a spy.

[00:27:32.400] – David Puner
That scene with the bag, just incredible. That had happened to me. My heart would still be beating, and that’s what? Over 20 years ago? You think you got the right pocket, or was at that point, he just had a lot on his mind?

[00:27:44.960] – Eric O’Neill
I thought I got the wrong pocket. But I must have had the right one because you don’t survive as a spy for 22 years without being the most meticulous OCD person in the world. By the way, I didn’t just grab the PalmPilot, I grabbed a floppy disk and a memory card, which were all in different pockets. If I had gotten any of it wrong, then I might not be speaking to you today because he had nothing to lose at that point. It was great.

[00:28:11.510] – David Puner
That goes to show the gravity of what situation he was in that you actually thought that he might try to kill you had he realized that the PalmPilot had been moved.

[00:28:22.780] – Eric O’Neill
Yeah, we’re in a soundproof room, why not? He’s about to go away for life and he’s looking at the death penalty. He knew it. Betrayal was ironically a huge deal for him. Why not take me out on his way? He’d gotten other people killed. It wasn’t anything new for him.

[00:28:37.560] – David Puner
Russian operatives have been working with the US and then he gave them up to Russia. Is that right? Among other things?

[00:28:43.380] – Eric O’Neill
Yes. During the midyear between 1984 and 1985, the United States lost every single Russian asset in the Soviet Union. Robert Hanssen and Aldrich Ames, who was a CIA spy, share credit for that.

[00:29:01.720] – David Puner
You get an idea then what a serious deal this was, among other things. As far as actually coming out with great, great wealth himself, he didn’t exactly enrich himself for lifetimes to come.

[00:29:14.770] – Eric O’Neill
No, he didn’t. He took just enough money that he could take in cash and spend without getting caught. And in fact, in one letter back to the Russians, when they gave him, I think, 100,000 or a big chunk of cash, he freaked out and he said, “What am I supposed to do with this? I can’t spend this. Never give me more than,” I think, “10 or 20 at a time.” They must have just been like, “You’re giving us the secrets to the US nuclear arsenal. We’ll give you a billion dollars. Hey, you only want 10,000 for it? Sure, buddy. It’s a great deal for us.”

[00:29:53.590] – David Puner
Maybe that’s part of the reason why he was able to keep doing it for so many years.

[00:29:56.970] – Eric O’Neill
It is one of them, yes.

[00:29:58.070] – David Puner
Taking it back then to credential theft and identity compromise, this story at least, today’s landscape, how is being attacked by something like a spear-phishing e-mail pertinent to Hanssen and the spy game?

[00:30:11.100] – Eric O’Neill
A spear-phishing e-mail is the purest form of espionage, and let me explain this. Spies, espionage tactics to steal information, they’ve been around for centuries. As long as there have been people in society, there have always been spies. This goes back to the Bible, the earliest books in the you find spies. Moses sent people out to spy.

[00:30:33.120] – Eric O’Neill
These tactics—the way that I’ve outlined them, I’ve put them into buckets—are deception, impersonation; I’m going to impersonate somebody that you trust, confidence schemes; I get you to believe in something you shouldn’t, infiltration; getting into your data, stealing your data, and then, of course, destruction, because now we’re seeing that modern spies are not just stealing data and criminals as well, they’re destroying it. Ransomware attacks are very well known for this.

[00:30:59.540] – Eric O’Neill
Modern cyber spies and cyber criminal goals are really… They’re deploying the same tactics if you think of it. A spear-phishing e-mail is a way to fool a person into doing something they know is wrong. In fact, most of the time they’ve been specifically trained not to click on these things, but they click anyway.

[00:31:17.530] – Eric O’Neill
Statistically, 25% of people, so 1 in 4 people will click on a spear-phishing e-mail attack. If you send it to four people in your company, one of them is going to click on it. No matter how much training you give them, no matter how much of the spear-phishing, red teaming, and yelling or whatever, they’re going to click. 25% of all attacks come from these things, so they are absolutely deadly.

[00:31:42.140] – Eric O’Neill
If we go back to my buckets of espionage tactics, a spear-phishing e-mail uses reconnaissance. The best ones mean that they’re surveilling the person, they’re learning about the person, they’re crafting something that is going to resonate with the person, look like something they should trust. They’re using impersonation, which is why business e-mail compromise is the number one cybercrime in the world today. It has devastating reach in terms of cost.

[00:32:11.110] – Eric O’Neill
That’s where you are impersonating, say, the CEO or the CFO and saying, “We’ve got this vendor, we need to pay right away. Immediately send a wire of a million dollars to this account right here, and I need this to happen right now or we’re going to lose this business.” You’d think that people would stop and think, but when your CEO tells you to do something, you do it, right?

[00:32:33.480] – Eric O’Neill
It’s cost massive amounts of money. In just 2022, it was $2.7 billion worth of that crime, so a big deal. Then, of course, confidence schemes. What spear-phishing e-mails do is get you to trust them. They’re useless if you don’t get them to trust. Some of them are really simple. If you remember the massive campaign of spear-phishing that happened during the lockdown during COVID. If you remember, everyone was getting flooded with Amazon, UPS, FedEx, “Track your package,” “Your package has been lost,” “A package is on the way,” “Thank you for your payment of $1,072. Click here if you disagree.”

[00:33:20.310] – Eric O’Neill
Because we were ordering so much online, people were just trusting like, “Oh, yeah, I have a package coming from UPS.” Then they get to the really complicated ones where I saw this case where the cyber attackers, the cybercrime syndicate using the Dark Web to launch attacks just like espionage operations, went through LinkedIn for an event.

[00:33:43.030] – Eric O’Neill
Now, I’m a public speaker, so this one really resonated with me. In a lot of events, especially when you do virtual public speaking, sometimes what the venue will do is send out a gift, a hard gift, because you didn’t get your backpack or your mug and whatever. What these really clever attackers did is they went on LinkedIn and they found a virtual event, a huge attended virtual event, and they found everybody who clicked like when the event said, “Thank you for coming to our event. It was so wonderful to have you here, especially virtual. We know it’s hard, blah, blah, blah.”

[00:34:14.640] – Eric O’Neill
They sent an e-mail to all those people, because you can find the e-mail through social media saying, “Once again, I want to follow up on our thanks. It was great you came to the event, but we want to give you a physical gift because this was virtual, but we know you still want the physical gift. Click here and choose whether you want your Yeti mug, your Minecraft stored, your North Face backpack,” and everybody clicked through.

[00:34:40.720] – Eric O’Neill
Of course, then malware is installed because they clicked through to a website that’s scanning their computer to find the flaw and what needs to be downloaded. This led to this massive ransomware attack. Spear-phishing can be incredibly clever as well, especially when these cybercrime syndicates take the time to learn about an organization before creating that perfect e-mail that’s going to fool people.

[00:35:05.660] – David Puner
Then now you infuse generative AI into the mix, it’s going to be even crazier.

[00:35:10.360] – Eric O’Neill
Well, generative AI is fascinating in terms of cybersecurity. One, AI and machine learning is used in cybersecurity to think faster, to analyze faster than people can. We have it working for us too. But the attackers, I mean, they’re always innovating as well, and they’re now using AI for a couple of things in terms of spear-phishing, now you can craft an e-mail—English is mostly not their first language—that’s perfect grammar.

[00:35:41.480] – Eric O’Neill
You can even use generative AI to analyze, say, e-mails or traffic that you’ve stolen from an individual at a company like a CEO or a CFO, and ask it to write in that person’s voice based on the body of information data that you’ve mined. AI also allows attackers to scale. Instead of hiring a lot of programmers, they only need a few and they can use AI to get the code almost all the way.

[00:36:08.310] – Eric O’Neill
It’s not perfect yet, and then you have your in-house programmers perfect brand-new malware. Generative AI, I mean, it’s going to change everything, but it certainly is doing a lot of work in changing not only how we protect using cybersecurity, but how attacks are leveraged.

[00:36:26.170] – David Puner
To think that we were seeing the seeds of this back in the day when you were trying to catch Robert Hanssen, you can really see those ties. Of course, physical security, of course, won’t keep legitimate employees from walking through the front doors with their badges. Robert Hanssen illustrated this all too well.

[00:36:45.350] – David Puner
By the time he was arrested in 2001, he’d sold thousands of classified documents that was working as the head of, as we’ve already discussed, Information Assurance, aka, Cybersecurity at the FBI. Since walls, locked doors, and other physical barriers don’t work, and when an organization’s most precious asset is its data, how can it keep it secure?

[00:37:07.080] – Eric O’Neill
Yeah, well, where is an organization now? Because in the last few years, many of them shut down their buildings. I work with a company that doesn’t even have a building right now. Everybody works from home. I’ve worked with a lot of different companies, and I’m on the boards of different ones, but one of these companies where I serve on the board doesn’t even have an office anymore.

[00:37:28.660] – Eric O’Neill
It doesn’t make a lot of sense to have a lot of physical protections, especially when we perfected in the SSG and as a ghost, being able to backdoor just about anyone you want. I can get in anywhere physically, that’s easy. What you do there, right?

[00:37:45.890] – Eric O’Neill
Even if not a trust insider, but someone was able to breach physical, the idea is to have data stored and managed in a way that it’s useless to them. What are they going to do? It shouldn’t matter where you are, or what you’re accessing from. What should matter is protocols and protections in data that lives in the cloud that identifies that you are who you say you are, so we’re talking about trust and assurance.

[00:38:12.840] – Eric O’Neill
The Holy Grail of cybersecurity is I can access my data or my company’s data from anywhere on any device through any cloud and have perfect security. Now, that’s the Holy Grail. That’s very difficult, but we’re getting there. The way you do it is by combining all these things that are going to reach this counterintelligence and cyber security.

[00:38:40.480] – Eric O’Neill
We’re always spy hunting. We’re always looking for the bad instead of just assuming the good, right? We have to combine all the critical systems that track, manage, and ensure data. That’s why I talk about endpoint, that’s why we talk about identity. But we also have to talk about network and cloud and how all four of those things work together to tell a story about data. That gives you, in the terms of spy hunting, context. You have to understand what’s happening around you. If you can do that, you can be a spy hunter and catch those spies.

[00:39:17.810] – David Puner
It’s also interesting to consider the psychology behind insider threats. Why do people go rogue? What were Robert Hanssen’s key motivations? How do they compare to those of other insider threat actors?

[00:39:30.640] – Eric O’Neill
Insider threats are absolutely fascinating. David, as you point out, the psychology is something that has been well studied and agonized over because we always want to understand why someone would betray a trust that’s so valuable.

[00:39:46.810] – Eric O’Neill
We think about it just in the context of a marriage or a friendship, which can be devastating. In the context of business, particularly when the trust insider can now steal, not just a couple of pieces of paper, but gigabytes and terabytes of data, and data is the lifeblood of every company. One thing I’d say all the time in Keynotes is data is the currency of our lives. Everything is data now. Our bank accounts, the pictures of our kids, our investments for the future. That trust is there. We want to understand why they would betray.

[00:40:19.060] – Eric O’Neill
It has to be someone who would be willing to betray. You’re looking at a psychology that is a narcissist or borderline narcissist and also slightly psychotic. That doesn’t mean that someone is going to go out and become an ax murderer or shoot up something. It means that they are able to turn off or point away from all those social pressures to be a good person, to just be able to resolve it and not crack under that pressure.

[00:40:51.810] – Eric O’Neill
That was Hanssen. He was able to do that. He was able to compartmentalize his mind. He could be that upstanding, churchgoing father and grandfather. Then a couple of times a year, he was the most damaging spy in US history, who ruthless gave up information that he knew would get people killed. He knew would completely undermine the fabric of defense against foreign intelligence services in the United States, and he just didn’t care, and he let it go. I think he was tortured a little bit by it, but he was able to keep quiet and not confess.

[00:41:25.810] – Eric O’Neill
When someone decides to spy, to be a trust insider, there’s really three key ingredients if you want to recruit them. There’s the age-old money. You bribe them. You need money. I’ve looked at you. You got three mortgages on your house. Your wife’s threatening to leave you. But if you just plug this thumb drive into your computer and let this thing run, here’s $10,000. So bribery, we understand.

[00:41:51.640] – Eric O’Neill
Then blackmail. Oh, I learned something about you. You did something real naughty, and I got pictures, and they’re going to your grandma and your wife and your teenage daughter if you don’t do this. Plug that thumb drive in, run this script, go to this website and hit execute. By the way, I’ll still give you $10,000. We’ll sweeten the deal. So blackmail really works.

[00:42:16.050] – Eric O’Neill
The hardest to catch though is ideology. People will attack because of ideology. Now, that doesn’t just mean I’m more sympathetic to China or Cuba or Russia or North Korea, although I don’t know why you’d be sympathetic to North Korea. It can also mean, I’m really disgruntled. I’m really pissed off. Ideologically, I don’t believe my corporation is a good citizen of the world. Their ESG score is too low. They do all these horrible things in the environment. I’m going to harm them. So they become a trust insider. Of course, it helps a little too if they can make a buck off of it.

[00:42:55.710] – Eric O’Neill
Trust insiders is something we really have to worry about, particularly at a time when the societies of our businesses are fragmented. You have entire business units who have never met each other in person. You don’t have that same feeling of trust and communality that you might have if you all work together in an office and saw each other day to day and hung out by the water cooler and talked about the episode of the last show you just watched. It’s a lot easier to betray people who you’ve only met once or twice at a retreat in two years.

[00:43:30.120] – Eric O’Neill
As we become more disaggregated as a workforce, we’re opening the door to more trust insiders who don’t feel any loyalty not just to their business, but to their peers.

[00:43:44.100] – David Puner
Then based on all this, how should security teams prioritize defense in depth?

[00:43:49.630] – Eric O’Neill
We need to look at a person, their identity, and that includes data about how they access data, when they access data, what data they access, what data they should be accessing, and are they accessing things they shouldn’t at a time they usually don’t. We have to understand the context of the person as well.

[00:44:09.930] – Eric O’Neill
I work from Washington, DC. Suddenly, I’m trying to reach in using a VPN from New York City. Is there a reason that I’m in New York? Was I supposed to travel up there? You can block that access and quickly reach out to the person and say, “Hey, you’re from somewhere different at a time you normally don’t. It’s like 2:00 in the morning. You’re normally asleep. Is this you?” It’s a little bit of an inconvenience, but you may have just stopped a ransomware attack.

[00:44:43.580] – Eric O’Neill
Data has to work for us, not work against us. The way to do that is to understand everything about not just the data, but who is accessing the data, and whether they’re doing it when they normally do. That, by the way, is exactly how you catch a trust insider. Whether they’re a physical mole within the building or whether they are somebody stealing, going through the corporate records, it’s also how you catch a virtual trust insider.

[00:45:10.140] – Eric O’Neill
If you read Gray Day, a virtual trust insider is what I call someone whose credentials, their identity, is stolen by an outside attacker using, say, a spear phishing attack, where now they own your credentials or just buying the credentials off the Dark Web. All our usernames and passwords are for sale there anyway for multiple years of breaches.

[00:45:30.550] – Eric O’Neill
If you buy them and you don’t have all those extra layers of security, like the most basic one, two-factor authentication, which, believe it or not, many organizations still haven’t turned on, which is terrifying in the world of cybersecurity, you’re dead in the water. By deploying good technology, we can protect against the mistakes that humans will make.

[00:45:57.640] – David Puner
When Robert Hanssen is finally apprehended, he says, “What took you so long?” I found that to be an interesting omission from the movie, Breach. Do you have any backstory why that didn’t make it in there?

[00:46:10.850] – Eric O’Neill
The film was pretty close to… It was years after, but it was pretty close to the investigation. Of course, it depended on how many people we could access. When you read Gray Day, which I published in 2019, that was almost two decades after the events of the Hanssen case. I had a lot more information that I could say in Gray Day than was in the movie that came out a few years after the arrest. Hanssen actually put his hands up and he said, “The guns are not necessary.” Then he said, “What took you so long?”

[00:46:48.390] – Eric O’Neill
It just didn’t make it in the movie. I’m sure that Billy Ray, who’s the director, would love to go back and do another cut and throw all sorts of things that were in Gray Day in the movie. But the movie is still an amazing portrayal of how you catch a spy. But just what took you so long? What should have been the most devastating moment of Hanssen’s life, where he finds that he has no chance. He’s just been arrested red-handed, loading a drop for the Russians. He knows that he’s looking at a firing squad potentially for the crimes he’s committed. And instead of being morose or apologetic, he says, “What took you so long?” That is a textbook narcissist.

[00:47:32.520] – David Puner
It’s incredible. Hanssen did die this past June while serving out his life at a supermax prison. Did you get a chance to speak with him at all at any point after his arrest or incarceration?

[00:47:44.350] – Eric O’Neill
I had a roller coaster of emotions when I heard that Hanssen had died. He is probably one of the most instrumental figures in my life. It was a springboard for a lot of the thought leadership and cybersecurity that I found myself in, but also my career as a public speaker and the movie Breach and so many other good things came out of such a rotten case that I had to survive. He was also a brilliant guy who, in an alternate reality maybe, had not turned to espionage, but had actually done the good work to make the FBI better and more secure. Unfortunately, he went the way of the devils, not the angels.

[00:48:29.810] – Eric O’Neill
I never got a chance to meet with him. I tried multiple times over the years. In the beginning, when he was in a penitentiary in Pennsylvania and was undergoing enormous scrutiny and interrogation over what he had done, I asked, and the FBI debated it, but then said that we’re afraid that if he finds out you were the one who betrayed him, that he would clam up and not talk anymore and lawyer up. Actually, the exact quote they used is, “He will rattle the bars of his cage.”

[00:49:01.530] – Eric O’Neill
And then later I asked, and he had been moved to supermax, and I just couldn’t find a way in. Talk to the Bureau of Prisons, they said, “Go talk to the FBI.” Talk to the FBI. They said, “Talk to the Bureau of Prisons.” I went back to the FBI. They’re like, “Well, maybe if you talk to the family,” and I wasn’t willing to do that. I kept trying to find someone who could get me in. I was trying earnestly in the last year after the pandemic and potentially visitation could happen again. Then it sadly became too late. I will never have that closure that I wanted.

[00:49:34.280] – David Puner
What was the big, lingering question that you wanted to ask him for closure or the conversation you wanted to have?

[00:49:40.860] – Eric O’Neill
There are a number of things. The two biggest things I wanted to ask him was, “Why did you do it?” It’s the most common question I get asked, the one that I feel I have the best answer for, but one he has steadfastly refused to answer through his entire incarceration and interrogation. I’m pretty sure I know why, but I wanted just to have that discussion with him.

[00:50:04.850] – Eric O’Neill
The other question I wanted to ask him is about our relationship together in room 9930 and whether indeed he was recruiting me. Because in his final drop to the Russians, he left my information, my name and all my information and address and phone number and whatever, suggesting to them that I would be a perfect person to recruit, that I could take over for him now that he was done, that he’d made his final drop.

[00:50:35.250] – David Puner
He didn’t check that one with you first?

[00:50:37.710] – Eric O’Neill
No, but I felt, I truly felt that, and so did the squad of agents behind the scenes, that he was recruiting me. And in fact, at one point, one of the supervisory special agents met with me and said, “We believe he’s recruiting you and we want you to let this happen.” Then, of course, I might have ended up a double agent, and we wouldn’t be talking here today because they never let me leave the FBI. But yes, it was somewhat flattering, I suppose, and a little scary that I had gained his trust to such an extent that he was coming close to telling me everything he had done and helping me be the next Russian spy.

[00:51:23.840] – David Puner
Incredible. As a national security strategist, what are you doing these days?

[00:51:28.670] – Eric O’Neill
I’m an author, a speaker, and I’m still a spy hunter. I continue to call myself that because now I hunt cyber spies. That’s what I do as national security strategist. I help inform cybersecurity and help bring counterintelligence to cybersecurity. I was the first person to say there are no hackers, there are only spies, and that hacking is nothing more than the necessary evolution of espionage.

[00:51:52.980] – Eric O’Neill
The idea being that we have to stop thinking about some lone cyber criminal, some lone wolf attacker in a basement, and start thinking of cybercrime syndicates who are launching attacks from the Dark Web where they can’t be stopped, and they’re modeling the best intelligence agencies. In fact, what we’re seeing now is cybercrime syndicates are so successful in generating such an immense amount of money that they are hiring former intelligence officers from the top spy agencies in Russia and China and whatnot, and some of them are moonlighting to help them launch better attacks.

[00:52:34.260] – Eric O’Neill
Right now, the Dark Web is the third largest economy on Earth in terms of GDP. It still goes US and then China, and it used to go Germany and then Japan. Now it goes to the Dark Web. And in a few years, the Dark Web in terms of GDP, gross domestic product, will be bigger than Germany and Japan. If we don’t work more on the cybersecurity, if we don’t turn cybersecurity professionals into spy hunters, then we’re going to continue to lose trillions of dollars a year to cyber criminals who are lining their pockets.

[00:53:06.560] – David Puner
Eric O’Neill, thank you so much for coming on to Trust Issues. Can’t wait to have you back. Can you come back tomorrow?

[00:53:12.460] – Eric O’Neill
Maybe we’ll give it a little bit of time, David. But I’d love to come back. This was a pleasure.

[00:53:26.680] – David Puner
Thanks for listening to Trust Issues. If you like this episode, please check out our back catalog for more conversations with cyber defenders and protectors. And don’t miss new episodes. Make sure you’re following us wherever you get your podcasts. Let’s see. Drop us a line if you feel so inclined, questions, comments, suggestions, which come to think of it are kind of like comments. Our email address is [email protected]. See you next time.