by Eric O'Neill
Diligence is the key to security. When it comes to your personal space, diligence can provide the seconds you need to avoid an attack, save your wallet from a pickpocket, or keep you from bumping into someone who is too busy texting to look around. Diligence helps you spot trouble in your surroundings before it can reach you, makes you aware of escape routes, and provides you with a catalog of facts and observations necessary to later deconstruct an emergency. FBI ghosts frequently drive at high speeds through traffic and rarely get into accidents. We move safely through dangerous alleys in bad parts of town and pass through rooms without anyone taking notice. The FBI trains a hyperawareness of surroundings into the ghosts. We are diligent to the point of being human early-alert systems. Look around you every once in a while. You might spot a spy.
The NSA could have done a better job of heeding that old Russian proverb made famous by President Ronald Reagan. In 2013 a contractor and former CIA employee walked out of the NSA with thumb drives loaded with (according to the NSA) an estimated 1.7 million classified files. Edward Snowden has personally admitted to stealing hundreds of thousands of highly classified files detailing US intelligence-collection programs by the NSA. (The actual number is likely somewhere in the middle.)
According to the director of national intelligence, Snowden’s information leak has compromised critical foreign intelligence collection sources and may be one of the most damaging in US history. To add insult to injury, after stealing the documents, Snowden fled to Hong Kong and then for all intents and purposes defected to Russia, where he has since remained under the watchful eye of Russian intelligence in exchange for asylum. Operationally, the US intelligence community must now assume that all information stolen by Snowden has been collected by the Chinese and Russians—and not just the information that has been published. Many of us in the intelligence community would enjoy personally escorting Snowden to stand trial for theft of US government property and espionage. Some of us would enjoy a one-on-one cage fight.
Snowden has argued that he acted because of an ideological stance that the NSA’s collection practices went above and beyond what was required to protect the interests of US citizens. As a trusted insider, Snowden had the capability to both collect information with his own access and to use social engineering (or trickery) to convince others to provide him their access. He likely knew that providing the stolen information to the Guardian and the Washington Post would enable maximum exposure of the NSA’s activities in order to damage the ability of the NSA to continue those practices into the future. Let’s apply Hanssen’s law. Snowden had a high level of access to critical information in the center of the National Security Agency. He had the knowledge to extract that information without immediately setting off alarm bells and a plan to distribute it as widely as possible. Snowden was a spy in the worst possible place.
While Hanjuan Jin’s theft from Motorola and Snowden’s NSA leaks are perfect examples of the severe damage a trusted insider can inflict, an old campfire story may explain it best. After a long, trying evening, a babysitter has finally gotten the children to sleep upstairs in their rooms. She settles into the comfortable living-room sofa, pillow on her lap and remote in hand, to watch TV for the next hour until the parents return and she can go home. Before she can touch the Power button with her thumb, her cell phone rings on the coffee table in front of her. She doesn’t recognize the number, but answers anyway.
“Hello?” she asks in a hesitant voice.
Breathing on the other end. Then a man’s voice: “Do you know if the kids are all right?”
The caller continues to call and ask after the children in a breathy voice until the babysitter calls the police, who promise to trace the call.
No sooner has she hung up than he calls again. “Do you know if the kids are all right?”
This time she draws out the call, trying to keep the caller on the line so the police can trace it. As soon as they do, they call the babysitter and tell her to run: “The call is coming from inside the house.”
That old campfire tale first came to mind while I sat across from Hanssen in Room 9930. If the children were FBI secrets, then I was the babysitter. The spy was already inside the house.
January 18, 2001—Thursday
I spent Thursday morning attempting to define “information assurance” while Hanssen cloistered himself in his office. When I’d dared to listen at his door, I heard the unmistakable sounds of a movie. I’d slave over my keyboard while the boss hung around until he could make a few edits to my memo and then replace my name with his own. Middle management at the FBI was no different from anywhere else.
Whether Hanssen was trying to test me or had just assigned normal grunt work, I couldn’t say, but my real boss—the covert one—wanted me in Hanssen’s good graces. Kate had also asked me to steal his keys. I idly tapped at my keyboard to see what the FBI’s databases had to say on the matter of information assurance while most of my brain wondered how I’d get Hanssen’s keys. On the few occasions he ceased clicking his pen, one hand would jiggle the keys in his right pants pocket. The man was a fidgeter.
The secure databases my desktop computer could access through the sluggish intranet scarcely mentioned information assurance. This shouldn’t have surprised me, but a chill that had nothing to do with the nonstop air-conditioning that Hanssen blasted into our SCIF forced me to my feet. I think better on my feet, and best when moving. Five steps from my desk to the door. Another three to the opposite side of the room from Hanssen’s office, where a separate Internet computer station waited. Eight steps in reverse to reach the closed door behind which I could hear the cinematic blades of The Mask of Zorro beat against each other. I was a fidgeter too. Another thing I had in common with the spy.
I’d start at the beginning. I uncapped a red dry-erase marker and wrote “Information Security” in big letters on the massive whiteboard between my desk and the door to Hanssen’s office, just under the black words spelling out “Information Assurance Section.” The antiseptic smell of the red ink lingered. I stared at the phrase to pull it forward into my mind.
Assurance is not the same as security. We assure that information will be available, authentic, and confidential. We secure that same information by defending it from attack. Eventually, the term “cybersecurity” would come to encompass both of these poles. But at the time, most technology experts talked about information assurance and information security (INFOSEC) as mutually exclusive practices.
I picked up a green pen and finished the full title of our small office in Room 9930. Information Assurance/Security Team. All that Hanssen had told me about the flaws in the ACS and Hanssen’s law flooded forward in my mind until I imagined the answer swimming just behind my eyes. Our task was protecting information from outside attack and assuring that the FBI could trust and manage confidential information stored in ancient databases. Hanssen had told me that ACS works only as long as someone isn’t a spy. We needed to protect information from attackers inside the FBI as well.
As I considered Hanssen’s words, the room blurred and I stumbled back to my seat. Had we just put possibly the most damaging spy in US history in charge of cybersecurity for the FBI?
I yanked my keyboard into my lap and logged onto the Automated Case System. A black 3270 terminal emulation window popped onto my desktop. Nothing happened when I shook my mouse. “You’ve got to be kidding me,” I said.
The FBI had dropped a thick ACS manual on my desk that I hadn’t bothered to open before now. The highly technical manual required dozens of actions just to upload a single document. No wonder most agents preferred to work with paper.
I eventually figured out how to type my own name and address into the system. ACS returned no records. I wasn’t under investigation. Was Hanssen?
Before I could hit the H key, his door opened. Not for the first time I wondered if Hanssen had a camera on me. He had an uncanny ability to surprise me at the most inopportune moments.
“What are you looking at there?” Hanssen strode past my desk and came to stand behind me so he could see my screen. He leaned forward over the back of my chair and put his hands on my shoulders.
I froze. The tensed muscles under my white dress shirt must have felt like stones in Hanssen’s hands. I wished I hadn’t left my suit jacket on the chair opposite my desk. An additional layer of cloth would help ward off the spikes of adrenaline that turned my stomach. The knot of Hanssen’s tie pressed into my hair as he moved closer to the screen. My torts class spun into my mind. Assault: an imminent harmful or offensive contact. Battery: an unconsented-to touching. The FBI employee manual might call what was happening sexual harassment, but I couldn’t exactly go to HR.
“You searched yourself,” he said.
“Boss…” I scooted forward in my seat at the same time I pushed the chair back.
Hanssen chuckled but took his hands off my shoulders.
“I’ve been testing security in ACS,” Hanssen said, scooping up my ACS manual as he passed my desk. “I still have my old access from the State Department that gives me full clearance through a full-text search. The account they gave us here doesn’t have full access.” He dropped the manual into my trash can. “An oversight I am certain they will correct.”
I glanced from my boss to the trash can and tried not to roll the tension out of my shoulders. Hanssen followed my eyes.
“ACS is a joke. We are going to propose something better.”
“Maybe add a mouse?”
That cracked a small smile. “ACS is flawed and the FBI hasn’t a clue. I’ve been typing in names and addresses and searching through cases with my full access and then performing the same searches with my limited account. Want to know what I found?”
I fought past the question that dominated my thoughts—why had Hanssen come behind my desk?—and focused on my boss’s words. Anything Hanssen thought about ACS would help Kate and her team.
Hanssen rolled his eyes and continued before I could stammer a response. “If you search with the limited account, you get the same records, but with the data replaced by x’s.” He stood excitedly and picked up a dry-erase pen. Then he wrote a series of numbers on the board:
65A-WF-123456
“A typical file number for a suspected spy,” Hanssen explained.
I had seen hundreds of these file numbers over the years and knew that the 65A stood for an espionage case, the WF for Washington Field, and the number a sequence that identified the specific case. So what Hanssen had written would translate to Case 123456, an espionage investigation out of the Washington Field Office. There was a similarly numbered case assigned to Hanssen: 65A-WF-220648. I hoped that the FBI hadn’t screwed up and added it to ACS.
“If you search with full access, you see the entire number, plus the name and address and other information of the person suspected of espionage.” Hanssen used his palm to strike everything after the 65A; then he replaced it with x’s. “This is what you see if you don’t have access.”
65A-XX-XXXXXX
“So you don’t know anything about the record,” I said. “But if you type in a name and you get a 65 case file back, you know the file is related to the person—”
“And the person is under investigation for espionage.” Hanssen slammed the pen into the tray beneath the whiteboard. “All the Russians have to do is recruit someone at the FBI with ACS access, feed him a name, and have the mole conduct full-text searches.” He jammed a finger against the 65A, smearing it across the whiteboard. “All that comes back is a 65A and a bucketload of x’s, but that is enough.” He picked up the eraser. “Our mole now knows that the person he searched is compromised.”
How many times had Hanssen searched his own name? “And I suppose he sells that information back to the Russians?”
“Exactly.” Hanssen hefted the eraser and struck out my addition. “If information security is the best definition you can come up with, the future of the FBI is doomed.”
I sucked down my exasperation. “It’s not my definition of information assurance. I’m working through the problem.”
Hanssen tossed the eraser on my desk. “Try harder.” He looked at his watch. “I’m meeting my wife for the Right to Life March and won’t be back for a few hours. Think you can manage things while I’m gone?”
I swallowed my laughter when I saw he wasn’t joking. What did we have to manage? “You can count on me.”
“I doubt that.” He scooped up his coat and settled it on his shoulders. “But you are what I have to work with.”
CHAPTER 8
DILIGENCE IS THE MOTHER OF GOOD LUCK
Thursday, January 18
After Hanssen left the office and the door closed behind him, I counted to a hundred and then walked around to look back at my desk from Hanssen’s perspective. Two additional desks presented the illusion that the FBI would assign more staff to Hanssen’s tiny section. I had chosen my desk over the other two because it sat in a camera blind spot. The thought of analysts watching my every move throughout the day had given me the shivers: I was used to being on the opposite end of the camera. After Hanssen’s hands-on-my-shoulder trick, I regretted that decision.
Ghosts are trained to live in the shadows, to not get familiar with our targets. A ghost lives a covert professional life, relying on telephoto lenses, disguises, quick-change outfits, and the ability to disappear into a crowd. We think fast on our feet, are always ready with multiple excuses and explanations, and only show our golden FBI shield when all other options have been extinguished. Breaking cover equals failure.
I had to remind myself that I was still undercover now. Even though Hanssen knew my true name, I still had a role to play. Still, working undercover as Eric O’Neill lacked all the gravitas of my former alias: Werewolf. As a ghost, I hadn’t associated with many agents after my time with Donner’s squad; I’d stayed buried where they couldn’t learn my name. This is because names are power, and because every now and then an agent went rogue, like Earl Pitts had, and the FBI needed unknown operatives to tail the traitors.
Code names are typically two syllables because at the FBI, the greatest investigative agency in the world, we have issues with field radio transmission. Remember your childhood games with walkie-talkies? Super-expensive FBI field radios weren’t much better in the year 2000. Only one person could transmit at a time, so you needed to count one second before transmitting and one second after you finished in order to make sure everything you sent made it to the other radios. This delay in transmission and reception birthed radio codes to simplify the whole process, along with the practice of saying “over” when you finished speaking. We say “10–7” instead of “I’m taking a break” and “10–8” when we come back into the surveillance. We use two-syllable names, like Werewolf, to identify ourselves. This way if someone reaches out on the radio and either cuts themselves off early or gets “stepped on” by someone else keying in, the “were” or the “wolf” would still come through.
So why Werewolf? Code names are given, not chosen. Early in our training, my academy class had stumbled into the Boardroom and instantly fallen in love. There are many secrets for the intrepid explorer to discover in the FBI Academy at Quantico: a library, a screening room, a store, a weight room, a martial-arts dojo and boxing floor, a computer lab, a forensics lab, a devilish obstacle course called the Yellow Brick Road, and Hogan’s Alley, a movie-set town the FBI commissioned Hollywood to build in order to train agents. But none of those places had beer.
The Boardroom was the FBI Academy’s bar. It had a military break-room feel, with American flags hung on the wall, and it dished up bland pizza, spicy wings, and beers from half a dozen taps. Patches from the many national and international police students who attended the FBI National Academy police training school ringed the walls. Like something out of a science-fiction movie, the FBI Academy students wore identical blue polo shirts and tan Royal Robbins tactical pants. Fourteen wooden boards that looked pulled from a fence hung on the wall, and each had a different letter carved in the center and painted in gold: THE BOARDROOM.
When my new squad stumbled into the Boardroom, we found a second home. After we had sampled all the beers on tap, someone looked out the tall windows and mentioned that the weak fluorescent lights couldn’t dim the majesty of the full moon. Before I could stop myself, I climbed up on a table, threw back my head, and howled. I’d carry the name Werewolf for the next five years.
Code names also protect ghosts from intercepted radio transmissions or eavesdropping. And just as we mask ourselves, we hide the names of our targets. Hanssen became Gray Day. Investigators never used his true name when referring to the case in order to protect from prying ears, or those who might hear the name by accident. Even in the halls of the FBI, diligence meant holding your trust close to the vest.
Hanssen posed an enormous problem to the FBI. We couldn’t rely solely on surveillance to catch him. He had evaded dedicated spy hunters who had flipped countless stones throughout the intelligence community to examine what crawled out. He knew the FBI’s blind spots and had only needed five minutes and a whiteboard to demonstrate the ACS’s flaws. In the big-game-hunter world of espionage, Hanssen was a lion.