Insider Portrait: The Robert Hanssen File

Few periods are as influential and significant in the realm of insider risk as the Cold War. The ideological and strategic conflict saw privileged access to confidential information emerge as it’s foundation. As the world would find out following his arrest in 2001, Hanssen played a crucial role in this, becoming one of the most notorious insiders of the period, and inflicting one of the most damaging intelligence disasters in American history. 

With the threat and fears of nuclear confrontation, the Cold War was fought in the secretive avenues of espionage with insiders at the front line. Through holding key positions in counterintelligence, Hanssen was able to provide highly classified information directly compromising American national security to the Soviet GRU and KGB, and the subsequent SVR between 1978 and 2001. In exchange, Hanssen received more than $1.4 million in funds and goods. 

Through using old-school covert operation methods such as dead-drops and remaining anonymous to his clandestine handlers, over three espionage cycles, Hanssen passed information detailing U.S. nuclear strategies, technological developments in military weaponry, the identity of U.S. agents within Soviet ranks, and many other details on the American counterintelligence program against the Soviet Union. Three of the double-agents identified by Hanssen were later executed by the Soviet Union, representing not only an invaluable loss of information and assets, but also proving the extent to which Hanssen was prepared to damage his organisation and others through his actions.

Robert Hanssen

Who was Robert Hanssen?

Whilst famous for his activities as a double agent and insider throughout the Cold War, to many, Hanssen was a respected agent and family man with (eventually) six children. Living in a modest four-bedroom house in Virginia, Hanssen and his family attended Mass every Sunday, with neighbours describing the Hanssen family as quiet and unassuming. In 1976, Hanssen joined the FBI, and following two short-term relocations and transfers, he joined the counterintelligence team in 1978, tasked with compiling a database of Soviet intelligence for the FBI. Shortly thereafter, in 1979, Hanssen began committing his first espionage cycle and offered himself as an anonymous double agent for the Soviets. He would remain in the FBI until his arrest in 2001, with his insider acts going largely undetected until then.

Psychology of the Insider

Personal Predispositions

Whilst to the naked eye there was no reason to suspect Hanssen of any wrongdoing, there were several indicators from Hanssen’s life previous to the FBI that may have raised red flags, called personal predispositions. Personal predispositions can be understood as vulnerabilities that insiders bring to their organisation therefore, posing a potential a risk. These may include medical or psychiatric disorders, personality concerns or social skill problems, history of rule violations, social-network risk and ideological beliefs. 

Surprisingly, ideology does not seem to stand out in Hanssen’s case which is very unlike many other cases of espionage throughout the Cold War period. Instead, what stands out in Hanssen’s case is his narcissistic personality, including a desire to leave a legacy behind. Hanssen reportedly suffered emotional abuse from his father whilst growing up, and later developed a strong desire to demonstrate intellectual superiority to his peers; when arrested, Hanssen simply commented “what took you so long?”

Indeed, psychiatrist Dr. David Charney, who spent over 100 hours with Hanssen following his arrest, believes the betrayal was rooted in his ego and a sense of personal failure which began mounting before Hanssen joined the FBI. Other elements in his private life such as sexual perversions were also indicators of a wider psychological disorder. 

Stressors

Personal predispositions however do not paint the entire picture. Hanssen encountered numerous stressors: negative or positive events that change personal, social or professional responsibilities, and cause behaviours to be adjusted. From this perspective, Hanssen faced both personal and professional stressors. Firstly, Hanssen reportedly found himself struggling to support his rapidly growing family under an inadequate salary provided by the FBI, leading him to seek alternative avenues for income. Before his third espionage cycle, several years after cashing in large sums of money through his activities, Hanssen also accrued large and mounting debts, pushing him to return to commit espionage.

Hanssen was also influenced by a lack of recognition at the workplace. As mentioned prior, Hanssen seeked to leave a legacy, engaging in espionage against the FBI “knowing this would make him immortal”. But why could he not leave a legacy through his ordinary work at the FBI? Hanssen’s great desire for legacy made him believe he was to be a field agent. Hanssen seeked the life of the spy, but was never able to earn it. His former colleague O’Neill, who was instrumental in eventually catching Hanssen, admits: “He was disgruntled with the FBI”, and, “He wanted to be James Bond, and he thought they’d made him a librarian”. The lack of professional prospects, or at least those he aspired to achieve, would not have materialised at the FBI, pushing Hanssen further down the critical pathway towards insider risk. 

Lessons Learned

Whilst exploring Robert Hanssen’s past and stressors may help us understand his motivations, it does not help us to understand how he went undetected for so long, begging the question of what organisational pitfalls did the FBI succumb to?

Hanssen himself did not hold back in criticising the internal countermeasures the FBI had against insider risk at the time of his actions. Hanssen accused the FBI of criminal negligence, exposing the internal security systems as chaotic and amateurish. Failures included ignoring warnings from Hanssen’s colleagues concerning his reliability and attitude due to what is called the “trust trap”, a lack of follow up on the financial disclosures of employees, and inadequate access management measures. Organisational shortcomings such as a lack of standard operating procedures, enforced policies, and problematic organisational responses exacerbate the risk and scope posed by insiders. 

As organisations grapple with evolving threats, the Cold War espionage saga of Robert Hanssen imparts invaluable lessons. It underscores the universality of insider risk, the contrasting focus between internal and external threats, and the paramount importance of thorough countermeasures such as identity and access management.

Indeed, insiders can be found in any organisation, something we will be highlighting throughout this series. Even the most ‘secure’ organisations can find themselves harmed by one of their own. What’s more is that they can go undetected for prolonged periods if insider risk is not on the organisation’s radar. What the FBI suffered from may also be understood as the previously mentioned trust trap; whereby an organisation’s trust of it’s employees increases over time, therefore reducing security and vigilance. This may help explain why Hanssen’s finances were never scrutinised, and why his colleague’s concerns were seemingly brushed aside. 

This links us to the second lesson, and that is that threats originating from the inside can be just as costly and dangerous as those originating from the outside. A common trend we see both in this historic case and today’s context is the focus on external threats. Whilst during the Cold War intelligence agencies were more worried about infiltration originating externally and defeating their rival, their greatest threat originated from within. Similarly, today’s organisations tend to  focus their budgets and attention on external threats such as physical or cyber security. With these measures increasing in robustness, insiders become a lucrative avenue for competitors to access confidential information. 

Access and its management is the area where we can draw our third lesson. With information historically representing the cornerstone to creating strategic advantages, its safeguarding is crucial. Identity and Access Management represents a critical countermeasure to mitigate insider risk. Whilst Hanssen held legitimate access to information, its confidentiality and integrity was not ensured. Furthermore, the FBI itself admits that at the time, “Any clerk in the bureau could come up with stuff on that system”. Information has only become more vulnerable since, but it is now also easier to store safely with technological advancements. Principles such as giving employees the least set of privileges needed to complete their job and denying access by default are straightforward yet effective countermeasures. 

Robert Hanssen’s clandestine activities during the Cold War offer a compelling narrative, detailing some of the intricate dimensions of insider risk. By looking at the psychology, motivations, and organisational shortcomings, we can garner insights to fortify modern organisations against insider threats. In an era where information remains a strategic asset, the legacy of Hanssen serves as a stark reminder of the continuous relevance of proactive insider risk management.

Author: Enrico Henriksson

Insider Risk Intern

enrico@signpostsix.com

Join the conversation

Shopping Bag 0