Spies Now Conduct Espionage From Their Couches

“There are no hackers; there are only spies,” cybersecurity expert Eric O’Neill told attendees at the Tuesday Working Lunch. “Hacking is nothing more than the necessary evolution of espionage. As we took our information out of file cabinets and we put it into databases, and then because we wanted to communicate quickly we hooked those databases up to the internet … we exposed ourselves to a new way of espionage.”

O’Neill knows a bit about espionage. In 2001, when he was working as an FBI covert field operative or “ghost,” the agency involved him in a sting to catch Robert Hanssen, veteran FBI agent and decades-long spy for the Russians.

The FBI created a new department at headquarters, appointed Hanssen as its head and placed O’Neill as his assistant. O’Neill was able to lift Hanssen’s Palm Pilot from his briefcase in his office, deliver it to FBI analysts on another floor, who quickly extracted information about Hanssen’s upcoming clandestine information drop to Russian agents, and place the device back into Hanssen’s briefcase.

O’Neill’s undercover surveillance of Hanssen eventually helped lead to Hanssen’s conviction and lifetime prison sentence. The 2007 movie “Breach,” starring Ryan Phillippe and Chris Cooper, was based on Hanssen’s story.

O’Neill now operates The Georgetown Group, an investigative and security consultancy in Washington, D.C., and is national security strategist for Carbon Black, a provider of zero-gap endpoint security protection software in Waltham, Massachusetts.

O’Neill asked the attendees, “What is the No. 1 way we communicate today in business?” It’s still via email, he said. And therein lies the ongoing problem.

O’Neill told attendees that agents of the GRU (Soviet Main Intelligence Center) who once tried to recruit government workers in D.C. bars to become spies have now become “cyberattackers — trained in cyberespionage, sending phishing emails, trying to get people to click on links. It’s the new way espionage works,” O’Neill said.

“Why do [Russian spies] now need to spend a huge amount of time recruiting you when they can send you an email and virtually recruit you? Steal your credentials. Become you within your company’s network and do what I want. Make you into the bad guy, and you never even knew it,” O’Neill said.

In 2014, a North Korean group called the “Guardians of Peace” attacked and locked up Sony’s computer systems, possibly to retaliate against the corporation for producing “The Interview,” a movie about the fictitious assassination of North Korea’s leader, O’Neill said. The hackers stole sensitive emails and planted “cyberbombs” that, once detonated, would erase data on computers, he said.

O’Neill also discussed how Russian cyberspies last year attacked the personal email account of John Podesta, Hillary Clinton’s former presidential campaign chairman. One Sunday morning last year, Podesta received an email that read, “Your account might have been compromised. … We’ve stopped the attempt, but change your password. Click this link.” He was suspicious, so he sent the email to his chief of staff, who sent it to the campaign’s head of high-tech security. The security director mistakenly told Podesta in an email that the original suspicious email request was legitimate but that he should go directly to a Gmail website and change his password there. (The IT manager later said he meant to write “illegitimate,” O’Neill said.) Podesta read only the first part of the IT manager’s email and clicked on the link, thus exposing his emails to the world, O’Neill said.

O’Neill gave three ways organizations can combat cyberattacks:

  1. Technology: Installing good cybersecurity that focuses on the endpoints (technology such as phones, laptops, servers and thumb drives) to leverage “zero trust” — “which is like having the best club in Hollywood, and no one is going to get past that big bouncer. … Only those programs, those executables you want to launch are allowed onto your system.”
  2. People: “You have to have people who understand the technology. … If you don’t, it’s all a waste of time.”
  3. Process: “Training people. It’s learning not to click on links! Don’t be a John Podesta.” Also, avoiding “CEO attacks,” in which a fraudster, in the guise of a top executive, will try to convince an employee to wire money.