Combating Insider Threats and “Hanssen’s Law” with Visibility

On the first day of my assignment under Robert Hanssen, he told me where to find the spies.  The FBI had assigned me to work with Hanssen in the newly minted Information Assurance Section.  Our overt job would be to examine and improve cybersecurity for the FBI.  Covertly, I was tasked with gaining Hanssen’s trust, verifying that he was the spy in the US intelligence community that we’d hunted for two decades, and finally, catch him.

On day one, sitting at the foot of his large government desk in an office made gloomy by a single desk lamp, the master spy told me what he would frequently refer to as “Hanssen’s Law.”

The spy is always in the worst possible place.

I’ve thought of that moment countless times through the many years since we caught Hanssen and sent him to life imprisonment for the countless US intelligence secrets he sold to Soviet and Russian spymasters.  Hanssen’s basic premise was that spies are constantly targeting the most damaging information in the most damaging places.

“That is where you’ll find the spy,” he told me.

Second, the spy has the knowledge to take that information and sell it where he can make the most money and do the most damage.  Wherever you find the spy is the worst possible place.

Hanssen has proven himself right again and again over the years since he loaded his final drop of secrets under a footbridge in Virginia and walked, surprised into FBI handcuffs.  As we have sent old file cabinets to the dustbins of history and have eschewed paper for data that is infinitely easier to access, change, share and collaborate, spies have had to evolve.  The majority of spying today seeks out that worst possible place deep within servers and archived drives to steal, disrupt, ransom and sometimes destroy our data through cyber-attacks.  But the old ways still hold sway.

In January of this year, Ex-Cia officer Jerry Chun Shing Lee, 53, a naturalized U.S. citizen was arrested at New York’s JFK airport.  FBI agents seized a thumb drive that contained classified secrets.  Lee had worked as a case officer for the CIA from 1994 until 2007 and was returning from Hong Kong to live in Virginia at the time of his arrest.  He was charged with conspiracy to commit espionage for China after an FBI investigation that began in a Honolulu hotel room in 2012.  The FBI had found two small books containing handwritten notes that contained classified information, including true names and phone numbers of assets and covert CIA employees, operational notes from asset meetings, operational meeting locations and locations of covert facilities.

The indictment recently offered by the prosecutor alleges that two Chinese intelligence officers approached Lee in 2010, three years after Lee left the CIA, and offered to pay him for information.  According to Prosecutors, Lee provided documents, made cash deposits and lied to FBI officials about his travel to China.

Lee maintains his innocence, and the FBI has not yet offered a rationale for what tipped them to Lee’s alleged espionage, but there is a potential correlation between the information in Lee’s notebooks and a staggering loss of US informants in China.  Starting in 2010, the Chinese Government mysteriously began systematically dismantling CIA spy operations.  More than a dozen US sources were killed or imprisoned through the end of 2012.  If Lee was behind the identification and removal of sources, as the FBI believes, then the former CIA agent was certainly a spy in the worst possible place.

According to the Ponemon Institute’s 2018 Cost of Insider Threats: Global Organizations the average cost of global insider threats annually is $8.76 million.  Some insider threats are spies. Careless employees, third party vendors and contractors with access, and criminal and disgruntled employees all add to the problem.  The fastest growing insider threat is through credential theft, where an attacker compromises an employee to turn them into a virtual (unknowing) trusted insider.  The group most targeted for credential theft are administrators and privileged users – those with the most damaging information in the most damaging places.  According to the Ponemon report, the average number of credential theft incidents has doubled over the past two years, increasing by 170 percent.

The best way to address the insider threat is through strictly monitoring access to data.  Companies increasingly deploy a global and dispersed workforce that accesses data from offices, home, coffee shops, airplanes and hotels around the globe. Policies and procedures must therefore focus on preventing threats by locking down the endpoint and providing employees tools they need to work remotely as securely as possible.

For organizations looking to combat insider threats and minimize damage,  a system to identify breaches and respond to them rapidly must be put into place. This starts with gaining visibility on your enterprise. To earn that visibility, start with the most important questions. Are you able to see and monitor the arrival and execution of every file? Critical system resources? USB devices? Critical files? Visibility into what’s occurring on your enterprise gives you visibility into potential insider threats.

It took two decades for the FBI to catch Robert Hanssen and just shy of one to corral Jerry Chun Shing Lee.  Any business today that addresses a breach at such a glacial pace will find its doors shut and its assets auctioned off.  Protecting data requires technology that thwarts attackers, whether they are stealing credentials from a warehouse in North Korea, launching Ransomware attacks from Russia or sitting among colleagues in the IT department.

Otherwise, you’ll run afoul of Hanssen’s Law.

Get Eric’s newsletter with free resources, episodic updates, and valuable reminders to Protect Yourself…and Your Organization

Eric's free video lesson and assessment tool

Sign up for Eric's newsletter and get free resources!