Imagine you’re spying on America. You make contact with a disgruntled individual who is willing to share one of two pieces of valuable information with you: he can give you a comprehensive map of a sensitive military installation or a single piece of source code for a wind turbine. What do you choose?
If you want the most bang for your buck, you’ll take the source code.
This is not a theoretical scheme. In 2011, the Chinese company Sinovel convinced an employee at AMSC, a U.S.-based company that produces wind turbine designs and engineering services, to steal a single piece of source code so that Sinovel could bring it to market first. As a result, AMSC lost more than $1 billion in shareholder equity and was forced to let go of nearly 700 employees, amounting to over half its workforce.
According to a friend of mine from the FBI who recently retired from his agency, the majority of defectors he interrogated were not targeting intelligence officers or military personnel; they were targeting engineers in an effort to steal precious intellectual property (IP). And the price is steep. According to the United States Trade Representative, Chinese theft of American IP alone is costing our country between $225 billion and $600 billion annually.
This is where Peter Warmka, a former CIA senior intelligence officer, comes into the picture. For over 20 years, Peter specialized in a specific form of clandestine intelligence collection that he refers to as “human hacking.” In his memoir, Confessions of a CIA Spy: The Art of Human Hacking, he shares the detailed methodologies that he and other threat actors use to breach the security of their targets. Following his retirement, he made it his personal mission to educate American corporations, organizations, and academic institutions on how to protect their sensitive information and personal data from hacking attempts through the Counterintelligence Institute.
If you’re an engineer working for a government contractor or research laboratory, you may already be aware that our defense industrial base is routinely targeted by foreign intelligence agencies. But what you may not be aware of is that attacks aren’t just delivered through malware in an email or a phishing attempt through your cellphone. Hacking attempts can occur face-to-face, when you’re least expecting them.
As Peter explained during our interview, “I realized people are over-focused on technology as a solution to preventing these data breaches, regardless of the fact that over 90% of successful data breaches start with some form of social engineering, or what I like to call human hacking.”
My hope is that through the following condensed interview, engineers and other professionals in the defense industry will be better equipped to protect themselves against threats that harm our national security interests. Read on to learn about the unexpected environments in which you may be targeted and the practical tips to protect yourself, directly from a man who made a living out of hacking humans.
Jessica: Tell me a bit about your background, including what inspired you to join the CIA and get involved specifically in HUMINT (human intelligence, or espionage)?
Peter: Before I joined the CIA, I had no interest in working for the federal government. I got my graduate degree in international business management and relocated from Arizona to Miami, where I started working in international banking. My career goal was to expand my work into Latin America, using banking as a springboard for further opportunities. It was during this time that I came across an ad in the Wall Street Journal for a job that had all the right keywords: opportunity to work overseas, candidates who speak foreign languages, business/economics background, and so on. When I applied, I didn’t know it was a job posting for the CIA.
Long story short, I showed up for the interview and changed my career plans. I wound up serving a 23-year career in the CIA and for at least 20 of those years, I worked overseas as an intelligence collector or case officer. My primary role was to spot, assess, develop, and recruit human sources who could provide intelligence against requirements we had received from Langley. Mainly, I utilized insiders to breach the security of foreign organizations.
Jessica: Aside from the objective criteria you mentioned in the CIA’s job posting, what characteristics or personality traits did you have that made you a good candidate for HUMINT work?
Peter: I’m a highly motivated self-starter and an introvert, the latter of which I’m sure is less expected in this line of work. I’m not normally interested in going out for a cocktail hour or socializing, but if I have a task and a target, I can turn parts of my personality on and off very effectively. I can be Mr. Sociable just for that period of time, although I’ll admit I was usually exhausted afterwards since that’s not my natural personality.
I also have empathy and an understanding of psychology. I can put myself in someone else’s shoes and gain their trust relatively quickly. I can hold what seems like a natural conversation while using subtle elicitation techniques to learn about an organization without someone realizing that they’re leaking information. It’s important in this line of work to understand human behavior, motivations, and vulnerability, so that by the time you deliver your pitch, the target is ready to accept it. Of course there are other factors at play and the ever-evolving role of technology, but those are some of the basics.
Jessica: You recently published your memoir titled Confessions of a CIA Spy: The Art of Human Hacking in which you detail your experience as a spy who manipulated people in order to steal secrets. What compelled you to share these methodologies with the public?
Peter: When I retired from the CIA back in 2010, I started seeing a lot of data breaches happening globally, affecting every type of organization. And I noticed a lot of similarities between the methodologies and psychology used by threat actors attempting data breaches and the methods we used as intelligence officers to target individuals. I wrote my memoir and established the Counterintelligence Institute to provide security awareness training and education. I wanted to help organizations understand and protect themselves from threat actors attempting to leverage insiders in their organization.
Just last year in 2022, the cost of an average data breach worldwide was around 4.6 million dollars per organization. For the U.S., it was actually closer to 9.6 million dollars of damage per data breach. I realized people are over-focused on technology as a solution to preventing these data breaches, regardless of the fact that over 90% of successful data breaches start with some form of social engineering, or what I like to call human hacking.
“Human hacking” is a means of manipulating somebody to circumvent the technological controls, procedures, and policies of an organization to conduct a breach. I felt that based on my professional experience I needed to get the word out there so that people would better understand how social engineering or human hacking works. I would say this is a crucial aspect of study as well for the field of cybersecurity. So, that’s what I focus on when working with organizations, which is the human psychology piece of the greater data protection problem.
Jessica: I’ve heard directly from the FBI that in the majority of cases in which defectors were interviewed in the United States in the past few years, when asked what they found more valuable—classified government material or IP/R&D—in almost every case the defector responded that they were after IP/R&D. In many cases, it was to either pad their host country’s economy or gain knowledge of new military applications in development so that their own country’s military could preemptively develop defensive measures.
This would indicate that engineers who work in the defense industry are considered high-value targets. Engineers, even the ones who hold a clearance, are not necessarily equipped to protect themselves from such targeting. With this in mind, what are the most important things you want to say to these engineers in regards to how they should protect themselves? Like, what specifically should they be aware of?
Peter: One of the starting points for a human hacker looking to target an organization or individual is OSINT (open-source intelligence, or unclassified material). They’re collecting as much intel as possible from the internet and social media to design an attack that maximizes success and minimizes compromise.
Peter attends the ASIS Middle East Conference in Saudi Arabia as a keynote speaker (c. 2022)
LinkedIn is the number one resource today for the typical intelligence service or criminal to identify a potential insider contact. From LinkedIn, I can glean where you work, where you studied, your geographic location, your hobbies, volunteer work, associations, and even whether you have a security clearance or not. Basically, LinkedIn is a convenient starting point.
As a human hacker, if I’m looking to target an organization and I know there are two individuals in that organization who have access to the information I want, I’m more likely to target the individual who has more information about themselves out there in the public realm. So, the first thing is being aware of the information you’re sharing publicly that could inadvertently increase your vulnerability.
Jessica: Can you give me some specific examples of what kind of information may make someone more vulnerable to a human hacking attempt?
Peter: I can see from social media if someone hangs out a lot at casinos or bars and if they have a gambling or drinking problem that can be used against them. I can tell from dating sites if someone is a bit of a womanizer with an ego that I can appeal to. Ego, by the way, is a very strong vulnerability. I can view online how someone communicates with others and if they have a touch of arrogance or perhaps they’re dissatisfied with their workplace. If someone implies they’re not happy at work, they’re more likely to be open to taking revenge on their place of employment if an attractive deal is offered. Revenge is a powerful motivator.
Another vulnerability is the indication that someone is irresponsible with or struggling with money. From photos on Instagram, I can tell a lot about someone’s socio-economic standing. On Twitter, I can learn about a target’s political views, religious convictions, and their pet peeves. Basically, anything that helps me build a comprehensive picture of a person helps me learn what makes them tick so that I can develop a plan that targets that person most effectively.
Jessica: In the fictional spy thriller TV show The Americans, there’s a scene in which Russian spies kidnap and blackmail an American defense industry engineer for sensitive R&D in his hotel room at a conference. This scene might as well have been taken from a real-life scenario. Since defense professionals often travel for work conferences and industry events, what are some psychological techniques engineers should be aware of when interacting with strangers at such events?
Peter: Conferences are a great opportunity for spies to target a company since they can clearly see from people’s badges their name and the organization they work for. I can just take a casual walk around the conference floor and then decide who I’m going to talk to. I’m actually going to break this down by conferences in the U.S. versus international conferences, but I’ll start off with some general good practices for defense professionals to protect themselves at conferences, no matter the country.
Peter discusses the evolving threats to enterprise security ahead of the Global Security Exchange (GSX) Conference (c. 2022)
People are generally more open when they’re out traveling and attending these events compared to their regular routines, making conferences fertile ground for targeting individuals. If you’re a speaker, it’s easier to target you because I will know your schedule better and it will be easier for me to approach you after your presentation and casually start making conversation. I can start off by complimenting the speaker on his work and then getting him to open up and talk about a topic he’s clearly very enthusiastic about.
I would ask subtle, indirect questions with the aim of getting the person to talk as much as possible. If the target brings up an interesting piece of information that I want to glean more details on, I might repeat the statement to the target to encourage him to talk more about those details. I might make a statement about a certain technology that I know to be untrue, just so the target will correct me and reveal sensitive information. So, it’s less about asking questions and more about facilitating the target to speak as much as possible based on subtle cues.
My advice is to listen to your gut. If something seems off, if someone seems a little too eager for information from you, turn the tables on that person and start asking him lots of questions about himself. Observe how he responds, if he carefully starts to pull away. Afterwards, find a quiet place to check out his LinkedIn profile and collect other data points online. Anyone can set up a LinkedIn profile in a heartbeat, but it’s harder to fake publications and other connections to companies the hacker might claim they work for. So if all you see when you type in this person’s name is a LinkedIn profile and nothing else, I would be very suspicious.
Don’t ever lend your phone to anybody, even if it’s just so someone can make a quick call. It can take only seconds to take control over someone’s media device. And don’t even bother with those safes inside your hotel room. Someone who works inside the hotel and has access to your room can easily break into and tamper with whatever they want in that safe without you being the wiser.
Jessica: And what about international conferences? What additional factors do defense professionals need to be aware of when traveling overseas?
Peter: When you’re attending a conference overseas, assume from the beginning that you will have no privacy. For starters, you’re most likely going to apply for a visa, which means the Foreign Ministry of that country can flag your arrival for an intelligence service. They will know where you’re staying and can have someone bug your room before arrival. As a good practice, make an excuse to change rooms when you arrive at the hotel, but basically to be on the safe side assume that none of the conversations you have in your hotel room are private.
As for your phone, I would advise avoiding charging it from an outlet if possible and using a portable battery instead. If you use the WiFi, ascertain the hotel’s private network ahead of time, since it’s easy for someone to set up another WiFi that has a name that’s very similar to the hotel’s legitimate, closed network.
In April 2014, the United States Office of Personnel Management (OPM) was the target of a data breach. Millions of records were exposed, including government employees’ records revealing family information, social security numbers, birth dates, and who holds a security clearance. The Chinese government was behind the breach. A short time later in 2017, there was the Equifax breach that exposed financial information, including details of individuals who were suffering from financial stress. All of this information can be used against the right person, at the right time.
Peter speaks at a bank security conference in Miami (June 2022)
We also live in an era of artificial intelligence in which voices can be impersonated. If you’re traveling and your boss calls, but is asking you to take an action that seems strange, get off the phone and verify through another source. It’s important to be aware of the emerging technologies that can be mixed into human hacking attempts.
Jessica: Are there any personality traits or other factors in particular that might make someone more susceptible to manipulation techniques?
Peter: Extroverts might be more susceptible since they are more inclined to talk about themselves. On the other hand, introverts can also be vulnerable if they keep too much to themselves and have low self-esteem. In that case, a human hacker might build up an insecure introvert’s confidence, along with trust. Alternatively, a person with a big ego has a tendency to think they’re smarter than everyone else and can easily be tripped up by someone challenging their knowledge. So, as you can see, there are many factors which can really depend on the context.
With that said, one of the biggest vulnerabilities is financial distress. This always creates an enticing opening to hook the target through the promise of monetary compensation. The concept has been around forever, but it continues to work.
Jessica: Wrapping up, are there any other tactics or schemes that could be used against defense professionals that you want to share?
Peter: Human hackers have been known recently to use something called an executive recruiter scheme. Going back to using LinkedIn as a starting point to find potential targets, another reason it’s a great platform for human hackers is because they can see who’s looking for their next job. So, you might receive an email or phone call from someone who seems like a legitimate recruiter. He shares the job description, compensation for the role, and so on. You go on an interview and it goes well and you’re invested.
But then you find out you didn’t get the role. Maybe the “recruiter” says you were the second choice, you were so close. You’re a bit deflated, but then the recruiter offers a part-time consulting role. You don’t even have to leave your current job. The “client” is simply interested in learning more about your industry. Gradually, the compensation becomes more generous, based on the quality and quantity of the information you supply. Gradually, the hacker requests increasingly sensitive information, including about your company. At this point, you’re comfortable with the so-called client, you’ve developed a good relationship and are well-compensated.
This type of breach is not a typical data breach where you see an intrusion into a network. Rather, the hacker is using an insider who doesn’t even necessarily know that he’s being manipulated. Companies have hemorrhaged sensitive data through these recruiter schemes. And I’ve known schemes like this that didn’t go on for months—they went on for years. It’s not only used by intelligence agencies, but also industrial competitors and criminal groups. And the engineer who’s participating, like I said, may not even be aware; they think they’re providing legitimate consulting services on the side while keeping their day job.
Ultimately, the tricks of the trade are often subtle. With this in mind, companies need to be very clear with their employees about what information is sensitive and should never be shared with outsiders. They should do continuous security trainings to remind people of what is considered sensitive and what to be aware of when interacting with strangers or while traveling.
Defense professionals should be educated on the basics of how to protect themselves from hacking attempts. Sharing and enforcing this knowledge will turn the weakest link in an organization into an effective defensive tool against breaches.
* * *
About Jessica Lauren Walton: Jessica is a communications strategist, video producer, and writer in the U.S. defense industry. She has written articles on a range of security and mental health topics and conducted interviews with military leadership, psychologists, filmmakers, CIA officers, journalists, and more. Jessica recently completed her memoir about her experience as an American woman struggling with mental illness while trying to get into Israeli intelligence.