On the very first day that former FBI agent Eric O’Neill was assigned to go undercover to investigate the most notorious cyber spy in U.S. history, the target of that investigation looked at O’Neill and said something remarkable.
“So, O’Neill, have you ever heard of something called Hanssen’s law?” the man asked. O’Neill responded that he did not recall studying such a law at the FBI Academy in Quantico.
The man sitting across the table looked back at O’Neill and began to explain Hanssen’s law. “The spy,” he said, “is always in the worst possible place.”
O’Neill could neither believe what he was hearing nor where the conversation was taking place. He was sitting across from Robert Philip Hanssen, one of the most damaging FBI cyber insiders in history, and they were talking as colleagues in the information assurance division within FBI headquarters. O’Neill maintained his poker face and asked Hanssen what he meant.
“That spy is that person with the access to information and the wherewithal to use that information to sell it to those who will do the most damage with it. And that, Eric,” Hanssen said to O’Neill, “is what we in the FBI, as counterintelligence agents, are tasked to do. Find that spy. Hunt them wherever they are.”
Speaking at the 2021 Public Sector Innovation Summit sponsored by VMware, O’Neill — now National Security Strategist at VMware and author of Gray Day: My Undercover Mission to Expose America’s First Cyber Spy — acknowledged that Hanssen’s words were very prescient.
The FBI’s most sobering discovery had to do with Hanssen’s use of the Bureau’s own IT infrastructure. To their dismay, the FBI found that Hanssen had used his authorized access to the Bureau’s Automated Case Support (ACS) system and his knowledge of computers to monitor the FBI investigation that was trying to find him.
At the heart of the ACS system, which first came online in 1995, is the Electronic Case File (ECF). The ECF contains all of the Bureau’s internal communications relating to ongoing investigations and programs. Subsequent investigation of Hanssen’s use of the ECF system showed that he routinely searched the system using search terms directly related to the investigation that was aimed at uncovering his identity.
Hanssen compromised thousands of pages of classified documents detailing the most sensitive intelligence collection programs in the U.S. intelligence community. Among the most damaging disclosures were the details of a tunnel that had been dug beneath the Soviet embassy in Washington and outfitted with high-tech listening devices that were monitored by the FBI and the National Security Agency.
It was the exchange with Hanssen and the lessons learned from the investigation that would begin the evolution of O’Neill’s own thinking about cybersecurity and insider threats, which he now shares with government agencies and companies on behalf of VMware.
“As I thought about whether the spy is always in the worst possible place, I realized that the spy is always in the worst possible place for anyone who is breached,” O’Neill said.
Cyberspies are changing the world, according to O’Neill. “There are no hackers, there are only spies,” he said. “The true cyberattackers, cyberspies, and cybercriminals are well-resourced, are very knowledgeable and they’re using sophisticated computer equipment…to get at the data that is the currency of our lives. And as the world gets smaller, cyberattacks are simply growing.”
Pandemic 3.0 – Reopening Our World
O’Neill refers to the massive shift in how people work — from pre-pandemic to pandemic-era remote work and now the post-pandemic reopening — as Pandemic 3.0. Cyberspace has become more hostile, said O’Neill. Destructive attacks have increased 118%, he said.
“Cyberattacks have quadrupled during the pandemic and foreign spies have been targeting everything, in particular COVID-19 research in the healthcare sector,” O’Neill said.
These trends pose a significant challenge for the Pandemic 3.0 world, in which we must find a way for employees to work from any place, on any device, and through any cloud. “Zero trust and endpoint [detection] is critical for remote work,” O’Neill said. “Zero trust is the only way to ensure that everyone accessing your data is authorized.”
The pandemic also forced a massive expansion in cloud investments, but when you move to a public cloud “you’re moving to a tough neighborhood,” according to O’Neill. “You may be able to secure your own resources, but you have no control over who’s sharing that environment with you. So you have to prioritize securing cloud workloads at every point in the security lifecycle,” he said. “That means security that extends across workloads, containers, and Kubernetes.”