There Are No Hackers, Only Spies - Eric O'Neill

I recently finished reading the book Gray Day by Eric O'Neill. Eric was an FBI agent who was sent undercover to expose the worst spy in United States history, Robert Hanssen. Gray Day is a fascinating read, recounting the story of Eric's undercover work, working with Hanssen on a daily basis until the FBI had at long last found the smoking gun and moved in and made the arrest.

Throughout the story, Eric talks about the strains and pressures of a deep cover operation, including how it impacted his young marriage. It's a fascinating story of one of the most important counterespionage operations in FBI history. It's also an incredible story of personal dynamics and the unexpected impacts of such secretive work. You will come away with a keen appreciation for the sacrifices the people involved in these operations make every day.

I had the pleasure of seeing Eric speak this summer at CompTIA's ChannelCon event. I blogged about the event and Eric's talk in my post titled ChannelCon 2019 is a Wrap!

While I thoroughly enjoyed every word in the book, I was really captivated by the last few chapters, where Eric really ties things up with his assertion "There are no hackers, only spies." Eric often refers to Hanssen as America's first cyber spy, because he took advantage of weaknesses in the security of the FBI's computer systems to pass some of the most sensitive secrets we have as a nation to the intelligence apparatus of the Soviet Union.

Among the key lessons that came from the investigation was the tightening of technical security controls to protect the electronic information of the United States. This effort focused not just on protecting the perimeter, though that was a huge part of it. It also focused on controls and alerts to immediately notify the right people if someone who didn't have a need to know was trying to access sensitive information that they shouldn't. Least-privilege access and data leak prevention were born.

The FBI also implemented comprehensive security training, knowing that the best surveillance system is the employees within the agency. But despite all the improvements that were implemented, the government has still fallen victim to breaches. The breach at the Office of Personnel Management in 2014 is probably the worst such breach. This attack leveraged a trusted insider, a spy who didn't even know they were being used as a spy. Through sophisticated social engineering, someone with authorization to access the sensitive information in OPM databases was compromised, and a nation-state actor used those credentials to gain access to secure OPM systems and sit there, undetected, for months and years, harvesting incredibly valuable personnel information that some say could be used to recruit more spies, knowingly or unknowingly.

As Eric wraps up the final few chapters of his book, he brings the entire story into the present. He talks about how the world changed after the collapse of the Soviet Union. While most thought the end of the Cold War made us all safer, perhaps not. Many former spies in many countries around the world found themselves out of work. But they quickly found a new use for their unique skillset...hacking. Eric contends that many of the hacks and breaches we see today bear the hallmark of skilled intelligence operations. Rather than trying to weaken or take over an adversary by traditional military or espionage methods, Eric makes the case that some countries are using sophisticated hacking based on traditional espionage principles to disrupt norms and create confusion with the intent of weakening an adversary. The situation between Russia and Ukraine over the Crimea Peninsula is one such example. Ironically, it's an example that is playing out before our eyes even today.

I encourage you to read Gray Day. It's a fascinating and true story. Perhaps most importantly, it provides an important and, I believe, accurate assessment of the current state of cybersecurity and the threats we face today and into the future. I was very fortunate to receive an autographed copy of Gray Day from Eric. I have it proudly displayed in my home office book collection. As someone with a Political Science degree with a Soviet Studies concentration who became an IT professional with a focus on cybersecurity matters, this book hits all my hot buttons. I hope it hits some of yours as well.