Spying on a master spy

Espionage expert Eric O'Neill suits up to tell his story at the 28th Annual ACFE Global Fraud Conference

The FBI had tasked Eric O’Neill to investigate Robert Hanssen, a 25-year FBI veteran and suspected spy for the Russians, but he’d have to do it face to face as Hanssen’s office assistant. O’Neill’s courageous work helped bring Hanssen down and end the greatest security breach in U.S. history.

Robert Hanssen’s life apparently had more airtight compartments than a Tupperware party. An FBI agent and computer systems expert for decades, he was a dedicated husband, father and grandfather. He was a devout Catholic and a member of the international church group, Opus Dei. He’d attend Mass every day at 6:30.

And yet in 1979, only three years after joining the FBI, he approached the Soviet GRU (Main Intelligence Agency) to offer his services spying on the U.S. He later spied for the KGB and its successor, the SVR.¹

In 2001, the FBI had their eye on Hanssen but needed a smoking gun to nail him on spying charges. Enter Eric O’Neill, an FBI undercover field operative, or “ghost.” The FBI had, in effect, created a sting by establishing a new department at FBI headquarters, appointing Hanssen as its head and giving him O’Neill as his assistant. However, O’Neill’s actual job wasn’t clerical; he was to be a spy to the spy. But there was nothing undercover to it. O’Neill would be surveilling Hanssen as he worked with him. He’d have to convincingly lie to a master deceiver every business day.

“He barely spoke to me at first!” O’Neill says during a Fraud Magazine interview. “And he insisted I call him ‘boss’ or ‘sir.’ I tried to find common ground by talking about the Redskins, and he told me that, ‘Football is a gladiator sport. Anyone who plays it is as stupid as the people who watch it.’ It took time to gain his trust and slowly create a mentor/mentee relationship.”

But O’Neill eventually did gain Hanssen’s trust. And his Palm Pilot. “When we decrypted the Palm, we discovered not only his drop date [to the Russians], but where he would make the drop to the Russians. It was the lone smoking gun that let us win the case,” O’Neill says.

Hanssen was arrested on Feb. 18, 2001, at Foxstone Park, near his home in Vienna, Virginia, where he’d made his last drop. He was charged with selling U.S. secrets to the Soviet Union and then the Russian Federation for more than $1.4 million in cash and diamonds in 22 years.

A criminal affidavit at Hanssen’s arrest alleged that on more than 20 separate occasions Hanssen clandestinely left packages for the Russians at drop sites in the Washington area. He also provided more than two-dozen computer diskettes containing additional disclosures of information. Hanssen gave the Russians more than 6,000 pages of valuable documentary materials, according to the affidavit.

He pleaded guilty to 15 counts of espionage and was sentenced to 15 life terms without the possibility of parole. The U.S. Department of Justice has described his spying as “possibly the worst intelligence disaster in U.S. history.”

A year after O’Neill had left the FBI, he was talking with his brother who said that O’Neill’s experiences with Hanssen would make a great story. O’Neill gained permission from the FBI to pitch a book deal, which ultimately fell through, he says. However, they were able to make a pitch to Hollywood filmmakers.

The treatment eventually found its way to director Billy Ray, who wrote a screenplay with Adam Mazer and William Rotko. The result was the 2007 movie, “Breach,” starring Ryan Phillippe as O’Neill, Chris Cooper as Hanssen and Laura Linney as “Kate Burroughs,” O’Neill’s handler. O’Neill was an onsite advisor for the film.

He now runs The Georgetown Group, of Washington, D.C., an investigative and security consultancy, where he specializes in counterintelligence operations, investigations into economic espionage, cybersecurity, internal investigations, catching the trusted insider and security risk assessment consulting. He’s also the national security strategist for Carbon Black, a provider of zero-gap endpoint security protection software that helps organizations replace ineffective antivirus, lock down endpoints and critical systems, and arm incident response teams with tools to hunt down threats.

O’Neill will be a keynote speaker at the 28th Annual ACFE Global Fraud Conference, June 18-23 in Nashville.

O’Neill says he’ll be addressing recent changes in fraud and cyberespionage through the eyes of sophisticated attackers. “I will use elements of the Hanssen investigation as a framework and also to tell an entertaining story,” he says. “The audience will understand why I say that there are no hackers; there are only spies.”

FM: You have a degree in political science and psychology, yet the investigatory life appealed to you. How did that happen? Why the FBI?
       EO: I originally planned to attend the U.S. Naval Academy after pursuing a degree in aerospace engineering. After a year, I changed my plans and decided to pursue a legal career. I thought that psychology and political science would provide a foundation for the law I wanted to practice. Before law school, I decided to get some real-world experience. The FBI was one of many agencies I applied to and the first to offer me a spot at the FBI Academy in Quantico, Virginia.

FM: Can you describe your FBI position?
       EO: I was an investigative specialist or investigator, AKA a “ghost.” It is a little-known distinction from a special agent. Ghosts are highly trained undercover operatives that rarely come out of cover. Similar to agents, ghosts are congressionally appointed law enforcement personnel that conduct highly sensitive and classified investigations into foreign nationals and domestic individuals here in the United States. Ghosts specialize in counterintelligence and counterterrorism operations and primarily operate in a surveillance capacity.

FM: Do you know why the FBI chose you to take on this important and possibly dangerous assignment of observing Hanssen?
       EO: I believe the FBI chose me because I had all the elements that would interest Hanssen. I have a deep understanding of computer systems and had developed software that analyzed and tracked targets. I am Roman Catholic and was attending law school at the time at George Washington University. Hanssen only spoke comfortably about a few things: computer systems and cybersecurity, his faith and catching Russians. I could engage him in conversation on all three topics. My law studies endeared me to him because his son was also attending law school. You seek these connections for undercover work. Law school also gave me a cover story: I needed to come off the streets and work a desk job so I could get to law school on time.

FM: I just saw the movie “Breach” again. Can you talk about your duties as a consultant on the film? What facts did the producers have to leave out? Was it mostly accurate?
       EO: The central core and theme of the movie was very accurate — the conversations and actions between Hanssen and myself and how we pursued the investigation. Dramatic elements were added around that core story to heighten the tension. As an on-set consultant and part of the writing team, I had to understand that “Breach” is a Hollywood movie, not a documentary. The scenes I most miss from the initial shoots were those between Eric and Juliana, my wife. The most Hollywood of the scenes is the shooting scene in the woods near the end of the movie. Hanssen never shot at me in real life.

FM: In the movie, the FBI reassigns you — played by Ryan Phillippe — to be Robert Hanssen’s assistant at the FBI headquarters to “keep an eye on him” because the FBI has branded him a supposed “sexual deviant.” How did this assignment differ from your ghost work? Why didn’t the FBI give you a legend when you began to work for Hanssen?
       EO: I was the first investigative specialist in the history of the program to come out of deep cover to perform a face-to-face elicitation operation at the FBI HQ. Elicitation is the art of drawing information out of another person that is necessary to the investigation without the other person being aware that you are investigating them. Having never been formally trained in elicitation, I had to learn on the job.

The FBI didn’t give me a legend when I went undercover in HQ because my cover would have been blown the first time someone recognized me. The FBI was also concerned about Hanssen’s ability to manipulate computer systems. He may have been able to search our databases to determine whether my identity had been masked.

FM: Why do you think the FBI didn’t at first give you the real reason why it wanted you to spy on Hanssen? How did you eventually find out that you were sent to gather evidence on Hanssen’s espionage activity?
       EO: The movie flips this fact. In real life I was told that I would be investigating Hanssen for suspected espionage. The sexual issues were a shock to me. In “Breach,” Billy Ray, the director, decided to flip this revelation for the audience so that at the mid-point of the movie I learn I am tracking the most damaging spy in history. It’s a bigger punch.

FM: Did Hanssen communicate to you that he could catch any kind of deception from you?
       EO: Frequently. He called himself a human lie detector and would go to great lengths to tell me stories about all the people that tried to lie to him and failed. Rather disconcerting for a person lying to him daily.

FM: How were you — a young man in the investigatory field — able to deceive a master detector of deception?
       EO: It turns out I have a knack for undercover work. I was able to not only lie to Hanssen but believe my own lie so honestly that there were no tells for him to spot. I earned his trust and respect. This led to major successes in the case. And yes, at one level, I felt guilty for breaking even the master spy’s trust.

FM: As depicted in the movie, did you come to respect Hanssen before the FBI briefed you on his spy activities?
       EO: Yes, even after I knew he was a spy. I respected his genius, not only as a master spy who avoided a massive dragnet for over two decades, but for the solutions to the cybersecurity problems he proposed.

FM: Can you describe how you were able to copy the contents of Hanssen’s Palm Pilot? How did you separate him from his Pilot? What was on the Pilot that helped the case?
       EO: This is a story I will be telling in detail during my keynote.

FM: You worked closely with Hanssen for a while. You must have speculated on his motives beyond simple greed. How could he betray his country especially given his squeaky-clean, devout-Catholic exterior life? 
       EO: I believe he compartmentalized the separate sides of his life. One side was a James Bond-esque master spy who was ruthless and immoral. The other side an upstanding churchgoer, family man, husband, father and grandfather. He could switch roles at will. However, I believe the evil he committed as a spy tortured him as a man. He was not a happy person.

FM: Your adjoining office with Hanssen’s office was basically a soundproof vault only accessible with a security keypad. Did you ever feel that your life would be in danger if Hanssen discovered that you were spying on him?
       EO: I was fairly certain that he would shoot me after I couldn’t recall which pocket of his bag to replace the Palm Pilot after I stole it and we copied it. Turns out I have a guardian angel — I guessed correctly.

FM: Why do you think he made that last drop to his Russian contact, especially when he suspected that the FBI might be on to him? Do you think he wanted to get caught?
       EO: He suspected the FBI might be on to him, but he had no hard proof of this. He was a prideful person who had gotten away with his crimes so long, I’m not certain he could admit to himself that we were closing in. I was also able to convince him of the importance of the office we shared and the work we performed overtly for the FBI. If I hadn’t managed to keep him involved in our work, he probably would have gone to ground.

FM: Through the years, what was some of the most damaging information that Hanssen passed to the Russians? How were lives affected?
       EO: He is directly responsible for three deaths of our assets overseas. He passed their names knowing that the Soviets would assassinate them. He provided nuclear secrets, undercover operations, identities and ways and means. He destroyed the FBI’s ability to effectively pursue counterintelligence in the United States. When we can’t protect information, or trust it, secrets get lost, buildings fall and people die.

FM: What did you learn from your experiences with Hanssen that now benefit you in fraud examinations and other investigations? What advice would you give our Certified Fraud Examiners from what you learned during the Hanssen investigation? Any other advice for them as they fight fraud daily in the trenches?
       EO: The most important lesson is to be active in our role as investigators. It is easy to wait for an event and then react to it. But our goal is to actively monitor, investigate and pursue before the fraud so that we can spot trouble before the catastrophe. During the Hanssen case I learned that I would have no success in the investigation until I stopped reacting to Hanssen — just trying to preserve the integrity of the investigation — and started actively pursuing the case. This meant I had to challenge him, engage in deep discussion with him, spend time out of the office with him — and ultimately become his protégé.

FM: Nations have spied on each other for decades. But what’s different today in governmental infiltration than it was even 15 years ago? I realize you can’t reveal too much, but can you hint at some innovative ways that agencies and private entities can now detect how countries have breached governmental systems? 
       EO: I have long said that hacking is nothing more than the necessary evolution of espionage. Indeed, there are no more hackers. There are only spies. Spies are exploiting computer systems by attacking people. Spearphishing has become the No. 1 way that cyber penetrations begin. Social engineering is used more frequently than any other attack. This is traditional tradecraft — recruiting people whether they are aware of the recruitment or not — to engage in extraordinary cyber penetrations. Until we stop thinking of hackers as petty criminals and start thinking like spy hunters, we won’t make headway in the cyber war.

FM: The year 2016 was a breach-filled year. Russia, of course, was accused of “hacking the vote,” Yahoo announced new user account breaches, ransomware variants were ubiquitous, a botnet began a massive denial of service attack against a major domain name system provider, and on and on. During your current investigations, what have you and your teams found to be common denominators and ways that organizations can protect themselves?
       EO: The three critical steps to good cybersecurity are: 1) invest in technology that makes sense for your organization, 2) ensure that your IT personnel understand that technology and 3) train your entire organization to practice good cyber hygiene — don’t click on links!

FM: The general public seems to be more blasé about data breaches and cyberattacks. Are we just getting numb to the onslaught? 
       EO: We were put on notice during the Sony attack two years ago that email is the No. 1 vector for cyber penetrations. During Sony, we first saw the horrendous result of entire accounts being pasted to the media and sites like Wikileaks for everyone to review. This put us all on notice, but you are correct that no one seems to care — when we all should. The chairman for a major Democratic campaign practiced poor cyber hygiene and had his entire account — tens of thousands of emails from 2008 until 2016 — posted online. This if nothing else should get people motivated to make changes. I fear that change won’t come until a cyberattack occurs that we treat the same way we might a kinetic attack. When our power doesn’t run or our flights are grounded, then the United States will wake up to the threat.

FM: In 1988, Dr. Joseph T. Wells, CFE, CPA, began the ACFE with the mantra that fraud deterrence and prevention will save organizations money and reputations. How do you emphasize prevention with your clients?
       EO: An active role is critical to prevent and spot issues before they snowball. More to come in my keynote!

Read a full account of Eric O’Neill’s thrilling story (including the heart-pounding Palm Pilot handoff) in the wrap-up article of the 28th Annual ACFE Global Fraud Conference in the upcoming September/October issue of Fraud Magazine.

Dick Carozza, CFE, is editor-in-chief of Fraud Magazine. His email address is: dcarozza@ACFE.com.

¹ Source: “Spy: The Inside Story of How the FBI’s Robert Hanssen Betrayed America,” by David Wise, 2002, Random House.