"From the CIA to Strategic Cyber" - with Hans Holmer
Andrew Hammond: Hi. And welcome to "SpyCast." I'm your host, Dr. Andrew Hammond, historian curator here at the International Spy Museum in Washington, D.C. "SpyCast's" sole purpose is to educate our listeners about the past, present and future of intelligence and espionage. Every week, through engaging conversations, we explore some aspect of a vast ecosystem that looms beneath the surface of everyday life. We talk to spies, operators, mole hunters, defectors, analysts and authors to explore the stories and secrets, tradecraft and technology of the secret world. We are "SpyCast." Now sit back, relax and enjoy the show.
Andrew Hammond: This week, I speak to Hans Holmer. Hans was born and raised in Denmark before moving to the states for high school, going on to serve in the U.S. Army before joining the CIA. In the agency, he served on every continent except South America and is one of a select few who have been awarded the CIA intelligence star. Hans has been working at the interface of human beings and technology since 1973. He developed the cybersecurity hierarchy, analogous to Maslow's hierarchy of needs, and he currently works in strategic cyber. He also currently lives in Vienna - and no, not the one in Virginia, as is more typical for guests on the show, but the one in Austria. This week we discuss his transition from CIA case officer to one specializing in cyber and technical counterintelligence, the concept of digital dandruff, advice for cyber novices but also for cyber black belts and his remedy for data leaks of your personal information by corporations. Fun fact - he described the cat-and-mouse game of surveillance as the most fun you can have in public while sober.
Andrew Hammond: Well, thanks ever so much for taking the time to speak to me, Hans. There's a whole host of things that I want to speak to you about - your CIA career, counterintelligence and cyber, which I know is something you're interested in. So I think the best place to start maybe, given that we're - there's so much we can dig into is, how did you end up in the world of intelligence and espionage?
Hans Holmer: Good morning or good afternoon, Andrew. I ended up in espionage in part because it always fascinated me. When I was a teenager, I learned that my mother actually had worked in the CIA and...
Andrew Hammond: Wow.
Hans Holmer: Yeah. She got hired as a 20-some-year-old as a secretary in the early '50s, and she later found out that, in her hiring papers, it said that she was good-looking and could type, too. So she got sent to Denmark, married a Dane, had to quit, got rehired when I was a teenager. And eventually, we moved to the U.S. and, after I went to college and in the Army for three years, I applied to the CIA. They were growing at the time and liked people who had lived overseas and spoke foreign languages and were adept at handling themselves. And it had always seemed like fun to me.
Andrew Hammond: So you grew up partly in Europe, then?
Hans Holmer: I grew up entirely in Denmark. And one of the things that, in retrospect, really changed my life was somewhere in sixth grade I told my parents that I did not think that the public school I was in, in Copenhagen, was very good, and could I please go to a good school? I don't know what I was thinking, but they sent me to a private school. And in seventh grade, the owner of the school decided that the kids were going to need to know how to program. So in '74 or so I learned to program, structured programming and Basic, on a standalone computer that didn't even have a hard drive. All the data was stored on cassette tapes, and we coded on that. And I found I really liked solving the problem. I mean, once you figure out how to solve a problem, that's really the interesting bit. Actually writing the code and then debugging the inevitable errors - that isn't so much fun. But figuring out how to get from the beginning to the end, I always enjoy that.
Andrew Hammond: That's really fascinating. So you grow up in Europe, and then you go to the States for college and, from there, you join - you get involved in the world of intelligence?
Hans Holmer: That's right. So my parents got divorced when I was 13. My dad had spent his teenage years in the Danish resistance and then married my mom, obviously. And they had two kids. I was the first one. Then, sometime when I was 14 or 15, there was a knock on the door. It might actually have been earlier. I don't know. And there's this man standing outside holding a bouquet of flowers and a loaf of bread and asking for my mom. And so I called my mom, and it turned out to be the chief of station, who was apparently looking for someone who spoke fluent Danish.
Hans Holmer: And she went back and worked in the office and, later on, wrote the director and said she deserved to have another shot at having a career. And they let her do that. So in '78, we moved to the U.S., and I started high school. As you can probably imagine, showing up as a senior in an American high school after having grown up in northern Europe, I did not fit in. I mean, football players, cheerleaders, the competitiveness, the careerism - I was not a natural American. And people would say, why were you born in Copenhagen? And my answer, of course, would be, well, that's where my mother was.
Andrew Hammond: (Laughter).
Hans Holmer: So it was really weird, and college was very similar. I went to the best cheap college that we could find in Virginia, but I only learned to drive when I had to go to college, which was an hour away. But it was - I was an utter misfit. But it - that didn't bother me, and I had a lot of fun in both cases.
Andrew Hammond: I find that really fascinating because a lot of - I know we can't get into specific places, but a lot of your career would have been spent overseas. Do you think that having that dual upbringing or that dual identity, like, served you well in your career?
Hans Holmer: I think without a doubt it did. One of the things that I run into now is that when I speak German - I'm living in Austria right now - I speak German with a Danish accent. And we - people will go, ah, you're Danish. And I'll go, yes.
Andrew Hammond: (Laughter).
Hans Holmer: And that's a natural advantage not to come across as an American in many lines of the business. One of the advantages of the Danish school system is that you - I came out of there. I was bad at math, but other than that, I had learned Danish, German, English, Norwegian, Swedish, a little bit of French and a lot of Latin words but absolutely none of the grammar. But that's a tremendous advantage. And particularly the three main languages - Danish, English and German - they're so interrelated, even if they're grammatically very different.
Andrew Hammond: See; if you have those types of linguistic skills for a career, say, in the CIA, do you - do people ever get typecast?
Hans Holmer: I think the standing joke is actually the opposite - that if you speak Arabic, you get sent to Sweden. And if you speak Danish, then you're not going to end up in Scandinavia. You're going to - I mean, my first tour was on the subcontinent. I think it also helped when I was in the army. I ended up being a system administrator in Heidelberg. And I believe I have the world record for the most kilometers bicycled drunk between Heidelberg and my apartment in Leimen, which was where Boris Becker was from. And while I was there, he won Wimbledon first time.
Hans Holmer: At one point while I was there, the - we bombed Libya, and they locked down the army and said you could only be in the barracks or at work. And so my solution was to bicycle into work from my apartment. I didn't go to the barracks. And I'd have my civvies in there. And so at the end of the workday, I would switch to my civilian clothes and then bicycle over to my friend Linda's apartment. And then we would go drinking 'cause in Heidelberg, you know, apart from the bad army haircut, nobody could tell that I was in the army. And probably the greatest pleasure was hearing, as I was leaving the army and Heidelberg, that the sergeant major was really surprised to find a soldier leaving whom he had never heard of in spite of having nominally been in charge of me for more than a year. But there's a pattern there of me being non-conformist and, at the same time, getting things done.
Hans Holmer: I remember I was - this is a brave thing to say. I think I was the best system administrator back then. And I would go to work even on my days off to make sure that nobody screwed up because if they did, I would have to come in and fix it. And it was much easier to be ahead of the problem. But also, I should add, at the time, we had two computers - each computer was the size of a refrigerator - and five hard drives. And each of those hard drives was the size of a dishwasher. And in sum, they probably had less capacity than the iPhones that just came out. It was archaic. It let me have my life and have a lot of fun, and I had a lot of friends, including Scots and Welsh. And I basically had one American friend who was in the army, and everyone else was a European of some flavor.
Andrew Hammond: For people that are not up to speed with us, could you just give us the sort of two-sentence version of what a system administrator is?
Hans Holmer: It's someone who makes the computers - yeah, keeps them running, keeps them useful for the users. And these were Honeywells. They used to make computers, and I had a user who would hit the escape key regularly. And in order to get him back online, I had to walk around to all the other users, 20 or 25 people, get them to save the work they were doing and log off so I could reboot the machine that connected all of the computers. It was called a cluster controller, but you could imagine that's not what I called it.
Andrew Hammond: (Laughter).
Hans Holmer: And being very politically savvy and understanding how to deal with people, I eventually glued an upside-down thumb tack on the escape key of this particular user's computer so he would stop doing that. And I think my boss told me that was not the best way to deal with the users.
Andrew Hammond: (Laughter).
Hans Holmer: But it was - you know, whatever. It's 30 years ago, something like that now.
Andrew Hammond: Just on that, is there ever - being typecast, does that ever play out in terms of the skill set that you bring along with you?
Hans Holmer: It actually - it became a thing. Ultimately, the domain where I really made - was able to make a difference was in the area of cyber because I understood technology and had an aptitude for it, and I had an aptitude for tradecraft. And once I fell into the office that did that in the latter half of the '90s, suddenly I was one of a small number of people that could deal with these issues in ways where I could talk to programmers and tell them what was needed. And I could talk to the people in the area divisions who had specific requirements, and I could help them make sure that they managed their operations well in the sense that, when you steal something, it probably has to be translated. You don't want to steal more than you need. So you have to understand where the secrets are. And there's a whole bunch of logistics that go with good cyber. And then, of course, just conventional tradecraft - you know, how you're going to react to this when it goes wrong. That turned out to be, as I said, the area where I could make a difference that few other people could.
Andrew Hammond: Can you tell us a little bit more about the contribution?
Hans Holmer: Let me go back to the start.
Andrew Hammond: Sure.
Hans Holmer: My first tour was in the subcontinent as a case officer, and I was not very good at that. And I returned to Washington after a year and took a job running surveillance teams in training. And I think surveillance on the street is about as much fun as you can have in public and sober. I just really like it. And - 'cause it's constantly moving. You have to outwit the target. You have to manage the team. You might be driving a car, riding a motorcycle. There's a lot of stuff going on. And I still, to this day, think that running surveillance teams is so much fun. That sort of period of my life - it ended with me living overseas, not working inside an embassy and having spent a lot of time thinking about surveillance and how surveillance teams work and how you defeat surveillance when you are the target. And I'd had a lot of fun experiences.
Hans Holmer: In one case, a little later on, we were demonstrating a technique to a foreign service, and part of this involved me being surveilled by a group of people for a week. And so I was supposed to do certain things, morning and afternoon, every day of the week. And I knew I was going to have surveillance, and so I'd go out in the morning, and I would spot these guys. I later found out they were cops, and they did not know that I was a trained intelligence officer. So they treated me like a criminal. And they were so easy to spot. But I had my thing to do. I didn't worry about it. I didn't have to evade them, anything like that. And then in the afternoons, I could never spot them. And it was driving me bonkers, right? And I was considering all these techniques they could be using. This is before mobile phones, when you had a tracking device in your pocket. But it just drove me bonkers. And I was considering all kinds of techniques that they might be using. And it wasn't until the end of the - that week that I found out that they just weren't there in the afternoons. So I was driving myself nuts trying to spot them...
Andrew Hammond: (Laughter).
Hans Holmer: ...'Cause I knew they were easy to spot, and I knew they were supposed to be there. But it never struck me that they wouldn't be there if they were told to do so. So I'd had a lot of fun. And my overseas tour out of the embassy ended when Aldrich Ames got arrested. I saw that in the Herald Tribune. And my insider triggered a non-sched - an unscheduled meeting. So I went out in the evening, and he said, you know, you've probably read about Aldrich Ames. We think he compromised you - 'cause he was working right around the corner from my mom. And how quickly can you get home? So I basically pre-paid three months of rent with taxpayers' money, sold my motorcycle, sold pretty much everything I had that I couldn't put in a suitcase, and then I moved back to the U.S. in a week.
Hans Holmer: A couple of years later, the FBI put out a notice saying that they had - they were done with Aldrich Ames, and they had told him - or he had told them everything that he wanted to know. So I sent an email to counterintelligence asking whether he had compromised me. And they - their answer was, no, he didn't, but Nicholson did - 'cause Nicholson had spied for the Russian - or the Soviets then a couple of years later. I guess you just never know, right? You can't take your operational security for granted.
Hans Holmer: And there was another episode where - in the city where I lived, there was a man blackmailing department stores. He would set a fire and then put a ransom note. These ransom notes were very entertaining. Like, the first one said, put a bag of money in this box of sand that they use to prevent ice in the winters. And they put a bag in the box, and then they watched it and nothing happened. So they went and opened up, and they found that he had built the box and come in through the sewer system, opened the backpack, found it full of newspaper and then disappeared again. So he set another fire. And there are two or three more events like this, and the police were being really beaten up in the press for being incompetent and stuff like that. And Ames gets arrested and I'm - I have better things to think about.
Hans Holmer: And then a week or two after I get back to the U.S., I see in the newspaper that they arrested this blackmailer. And what they had found out was part of his MO was exactly the same MO that my colleagues and I were using. So completely unbeknownst to us, the police were looking for people with our profile because they thought we might be blackmailers. We have no idea, right? We were doing everything right - good tradecraft. But they are - for reasons outside of what we had to deal with, they could have picked us up. And we're just lucky they didn't, which was a major lesson for me.
Hans Holmer: But by then, I had spent a - you know, time overseas as a - as an officer who didn't work in an embassy, and I ended up in the cyber office, being both a technologist and an able tradecraft person. And that - and I enjoyed that. That was a tremendous amount of fun because it was a new domain. And we were inventing new ways to do stuff all the time. And it was - that was a lot of fun.
Andrew Hammond: So you started off as a case officer, and then you transitioned more to teaching tradecraft and being involved in technology and cyber. Is that right?
Hans Holmer: Yes. One of the interesting things was there were a bunch of case officers who basically were the interface to the area divisions. And they told us, you know, you're not doing the job of case officers in the traditional manner, and so you should go for these other job titles which are less focused on recruiting and handling. But of course, the change in the nature of intelligence is going to outpace the bureaucratic system very rapidly. And we were misfits in the technology domain because we weren't engineers, but we also weren't doing things that would get us promoted, which is one of the weird American things that I never really understood. You know, they kept talking - what are you going to do for your career? And I'm going, I don't want a career. I'm here because I want to contribute. And the purpose isn't a career, which is a very Scandinavian approach to the world. But that's how I thought.
Hans Holmer: And that led to a proposition where - again, this is the - by now, the late '90s, and we - we being the U.S. Intelligence Community - wanted to find a way to install a piece of NSA software and some critical infrastructure in the Balkans. And they came to me because I had all - I had the experience living overseas, not being a part of the embassy. I had an aptitude for technology - and asked if I wanted to play in this. And at first, we were really debating, do you take someone who's an expert in this particular technology and teach them how to be a good case officer, or do you take a case officer and teach him how to fake being an expert in this technology? And they're equally difficult and require equal amounts of experience. And we were just going around and round and couldn't really come up with a good way to think of how to do it. And that went on till one of my bosses said, oh, that's easy. What kind of mistakes would you rather have? So I had to learn to become a critical infrastructure engineer, which took about a year.
Andrew Hammond: And just coming on to the cyber and counterintelligence angle, I know that that's something that you're very busy and involved with at the moment. Can you tell us a little bit more about that - counterintelligence and cyber and what's - I know it's a huge topic, but break it down for us.
Hans Holmer: Yeah. Part of what I found really entertaining was towards the end of my career, I worked in technical counterintelligence. And my pet peeve was, what does an - a normal person look like in a digital world? For example, the credit card companies - they have lists of every residence in the U.S. So if you, you know, try to claim a residence on a credit card, they can say, oh, nobody's ever lived there before. So there's an enormous amount of data that goes with a normal person, right? You have neighbors. You've probably existed before, right? You can't, like, take my Social Security number. It has existed since I was 13. And there are lists of Social Security numbers that went out of - have gone out of service, for example. The reason my Social Security number starts when I was 13 was that was when my mother registered my birth as an American even though I was born an American citizen. She didn't do the work.
Hans Holmer: But normal people have a Social Security number right from the start, and it gets registered in a bunch of ways. And when you apply for credit, for example, in college, there's your Social Security number. So - and also what I discovered was there was something like a 70% chance that your gender, your ZIP code and your age are unique, right? So you don't have to know me as Hans. It's enough to know that there is a guy with a date of birth in 1961 who's male and lives in the ZIP code. And there's a 70% chance that I'm the only person that matches those criteria. So there's lots of alternative ways of identifying a unique identity.
Hans Holmer: I was making the argument that you have to be able to match that, or otherwise, there would eventually be trouble. And that was not very popular. And my argument wasn't - it wasn't that you can't work, but you have to work differently. And I ended up giving several speeches about, you know, what does a normal identity look like? Like, when you're traveling to and from work with a mobile phone, the accuracy of a mobile phone in location is not very good. Say it's somewhere around a hundred meters. But even when my phone is not moving, it's still calling home, I used to say, at a minimum six to eight times an hour. So you can tell where someone sleeps, and your accuracy of multiple connections to the cellular network is such that the area gets very small. And you can tell which bedroom someone actually lived in.
Hans Holmer: And I was very affected. There was a guy. I wish I could remember his name. He came up with nonobvious relationship analysis while working for the casinos in Las Vegas. And part of what he would look for is, is there a guest in the casino who has the same address as one of the croupiers, for example? Or do they own the same cars? Do they use the same credit cards? There's all this data that goes with a normal human being that reveals patterns, right? Where you take your phone will reveal where in the headquarters parking lot you like to park.
Hans Holmer: And if you turn off your phone, well, why are you turning off your phone? Nobody turns off their phones, right? It's a tracking device with a speech capability. And I came up with a word that we - we were shedding digital dandruff. That was what I called it. Nobody thought that was very popular or a good politic thing to say. But that was sort of one of the things that really interested me - was what does a normal - oh, the guy who invented nonobvious relationship analysis is Jeff Jonas, a very smart man. And I stole a lot of his ideas and apply them to the business.
Andrew Hammond: Give us just a few ways that we can break that down. What does looking normal in the digital age look like?
Hans Holmer: Well, for an example, T-Mobile has shed my data at least four times, and I assume I was in the last breach as well. And in that data, there is my Social Security number. There is my credit ratings. There is my address, probably my phone number. And they keep this data even though I haven't lived in the U.S. for four years. I don't have any contact with T-Mobile whatsoever. But they have no incentive to get rid of the data 'cause it might be useful.
Hans Holmer: And there is a huge trade in data about people. Take Andrew, for example, right? You've lived in the U.S. for X amount of time. You have a visa of some sort and a work permit. If you had worked for the U.S. government, Office of Personnel Management managed to let the Chinese steal all that data, right? So the Chinese know a shitload about me. For all I know, it actually has my current address. I don't know. But the U.S. is particularly unique in allowing enormous amounts of data about individuals in the pursuit of profit, whereas here in Europe, you have much stricter law about personal data.
Andrew Hammond: I guess, like, partly what you're seeing is it depends on if you're living in the United States or if you're living in Europe. But ultimately, if you're involved in espionage, then you want to hide in plain sight. So if you're the one person that doesn't have a cell phone, you're - or already turn your cell phone off when other people keep theirs on, then you're drawing attention to yourself, and you're no longer hiding in plain sight.
Hans Holmer: Actually, I don't know if you're familiar with Bellingcat.
Andrew Hammond: Uh-huh (ph).
Hans Holmer: Yes. They do an excellent job of exposing these vulnerabilities, fortunately, with the Russian intelligence officers - right? - where there are things - like by Russian law, if your car is registered in a Russian government facility, you cannot get parking fines or speeding fines. So a huge percentage of the Russian military intelligence, the GRU - they register their cars in GRU headquarters, right? But your car registration also has your name. So then you can correlate names with - of cars that are registered there with employees.
Hans Holmer: So there's all these data connections that - Bellingcat has done a really good job of correlating when people turn off their personal phone or they happen to use their personal phone to call their work colleagues. They've done an exceptional job on the assassinations in the U.K. and other places where they can actually see the assassins and the controller. They can see where they trained. They can see where they travelled. They were able to detect an assassination attempt on a Russian political activist.
Hans Holmer: But based on how they had targeted Navalny, they were able to disclose another attack on another politician several years back looking at travel patterns and identities that were being used. And that's basically what I was warning against 10 years ago. And apparently, the Russians did not manage to steal that, or they didn't heed it. And they make other mistakes, like sequential passports. They - you know, if you see two Russian-speaking men who are entering from Poland and they have sequential passports even though they're born, you know, years apart and they're newly issued passports, there are all these markers where you could go, hmm (ph). That's interesting. How did that happen - right? - because the odds of two people traveling together having passports issued sequentially are really slim.
Andrew Hammond: And what are some of the ways that it can be dealt with? What are some of the - human history's always this challenge and response dynamic where - you know, where there's one piece of technology and there's, like, a counter response. Like, what are some of the ways to deal with this?
Hans Holmer: I think you have to avoid presenting your identity as much as possible. I can't get into - I've - I'm pretty sure the agency would not think it funny if I revealed how I did it.
Andrew Hammond: Sure (laughter). Yeah. No, I certainly don't want to get...
Hans Holmer: Yeah.
Andrew Hammond: ...You in trouble. I think one of the things that I find interesting more generally, as you've said, the SpyCast listeners - they shouldn't be relying on the government to protect their information, right?
Hans Holmer: Yeah. But often, it's - I have a very rude analogy, and I haven't been able to come up with a better one. And that is that cybersecurity is just like birth control. We know what techniques you have to use. You just can't get people to do it. And I've spent years trying to come up with a better analogy. But it really is a people problem - right? - because the government cannot possibly protect every computer, and we must all do what's necessary. I'm lucky I'm retired now, so I don't have that much to worry about. I still look for surveillance out of habit. And if I detect them, I'm going to take them for a ride unless I think they're trying to kill me, in which case I'm in the nearest police station.
Hans Holmer: I think we all have to take it seriously and learn how to use anonymized browsers. I have also, I think for years now, been arguing that the way to improve cybersecurity in the U.S. is very simple. Any company that loses personally identifiable information, payment card information, health care information, HIPAA data or access to critical infrastructure has to pay each victim a dollar a day from the beginning of the breach till it's been closed off and they've been notified. And the average breach lasts about 100 days, and we're getting close to now some of the more recent breaches are 100 million people. So imagine 100 million people who get a dollar a day for 100 days. Companies would take that seriously.
Hans Holmer: And it is as easy to protect - for example, I brought up T-Mobile where I haven't had any contact with them with four year - for four years. But they still have my data because there's no cost to doing this. I don't know how many people were reliant on Colonial Pipeline, right? But it's the entire East Coast, so say that's 100 million people. And how long did that go on - three weeks? So 2,100 million - I know this is a number bigger than I can calculate. But if companies knew that was what they had to - what they had at risk, then they might take it seriously.
Andrew Hammond: So it's about the incentives, partly.
Hans Holmer: I think so.
Andrew Hammond: It seems to me that what you're saying is that the information - the gains from the information are privatized, but the losses from the information are collectivized.
Hans Holmer: Are socialized. That's right.
Andrew Hammond: Or socialized.
Hans Holmer: That's exactly it. Yep.
Andrew Hammond: I guess this kind of stuff's been normalized. Or, this data's been leaked; that data's been leaked - it just seems like part of everyday life now. But you're saying that there are concrete steps that these huge companies can take that are going to make it more secure and this type of stuff less normal.
Hans Holmer: Sure. I mean, if you look at the breaches - all this ransomware, none of those are technically interesting. They generally rely on well-known vulnerabilities, right? They're not zero-days. So they could easily have been prevented. I think it's the Verizon Data Breach Investigations Report - the DBIR from six, seven, eight years ago said something like most breaches are found by a third party, could easily have been prevented. The bottom line is that technically, none of these are interesting and could easily be prevented, right?
Hans Holmer: One of the current obvious things that Microsoft, for example, says everybody should do is two-factor authentication. And it should be a little USB plug, not your mobile phone. But a lot of the breaches - a lot of the companies just are not investing in cybersecurity. And they don't want to have the relevant personnel. They don't want to have a monthly report saying, here are all the known vulnerabilities, right?
Hans Holmer: If a company had a monthly report that said, we have so many computers that are not fully patched; we have so many industrial control networks that are not behind a VPN or a firewall - right? - because I would argue that any industrial control system should be considered unfit to be on the internet. They're there all the time, or they go through the corporate network, which also isn't protected. It's been slightly over a decade since the last breach that I've seen that made me go, wow, I - that's really interesting and cool. What you're seeing is just dull.
Andrew Hammond: With this type of stuff, is it possible - like, could a SpyCast listener, like, get all of the sensitive information back and kind of neutralize it or protect it? Or is it - it's kind of, for example, that T-Mobile owned that and they can do whatever the heck they want with it?
Hans Holmer: Sometimes you can force them to get it back. There are some things - Brian Krebs, who has the Krebs on Security - he has some very good, informative articles on how to protect your credit card because there's a lot of credit card fraud. And that is preventable in part by making sure that only you allow someone to check your credit. So some of it, at least the financial stuff, can be prevented. But the - it's the incentive that needs to be changed because the technology isn't that hard, like birth control, sadly.
Andrew Hammond: And, you know, you've been involved in this stuff for such a long time - like you say, learning to program in the '70s. So you've seen the whole narrative arc of all of the stuff. So what I was wondering was, for our listeners who are relatively new to this stuff, give them, like, a few things that - Hans' top tips. This is what you suggest that they do as soon as they listen to this podcast if they're not already doing it.
Andrew Hammond: So the first part is, like, give them a few words of wisdom. And then the second one is, for people that are, you know, more up to date with cyber or that are working in this space, like, as Hans Holmer, the guy who's been programming since the '70s, what kind of wisdom would you share with them? So, you know, let's say Joe's your average man on the street, and Jane is a systems administrator. What wisdom would you give to Joe and Jane?
Hans Holmer: I think one of the keys is still patch your computers. When Microsoft puts out a new patch for your computer, install it. Second, if your computer is no longer getting patched by Microsoft, you need to buy a new computer. Do backups. Figure out which data's important to you. Make sure it's backed up somewhere so, if your computer fails or it gets hacked, you still have the data - right? - because that's - the computer's a tool for managing data, not the other way around.
Hans Holmer: Also, use a password manager. Do not reuse passwords, right? You should have a separate password for everything that you care about. And if you use a password manager, it can take care of it. I have hundreds of passwords, and I know two or three of them. And the vast majority of them are complete gibberish. I remember for the one operation in the Balkans, the password for my communications systems was 25 characters, which was on the advice of one of my colleagues who was far better at this than me. So password hygiene, if you will, is tremendously important.
Hans Holmer: And just doing things - you know, make sure you have a password on your computer. Have separate accounts if multiple people are using the computer. Use browsers that focus on security, which - I like Firefox. They're far more attuned to privacy. Same for the - thing with your phones. They're also computers. If it - if you're no longer getting updates for your phone, then it's no longer secure. Get a new phone. I think those are the baseline things. And if you do that reliably, you will be a lot more secure. And you're still not perfectly secure. There's, you know, places like NSO that will apparently sell software to anybody and can attack the latest phones. But for people who are targets of NSO, apparently, their software lives entirely in the memory of the phone. So if you turn your phone off every morning and turn it back on, then they have to reload the software. So there are things you have to do.
Hans Holmer: For organizations, put somebody in charge of it, right? You should have a person in charge of cybersecurity. That person should be the equal of the chief information officer, the CIO. And there ought to be a monthly report saying, here are all the vulnerable devices that we know of, because it's not about the hackers, right? You can't control what the hackers will do. They're like gravity. Where there is a hole, they will come in. But you can reduce the number of holes that you have in your systems. And you have to be able to tell management, the responsible people, here's what - the risks you're accepting by not investing in new computers or updates or whatever it is.
Andrew Hammond: What about for the people that are more discerning customers, someone that works in cybersecurity or something? What wisdom of your, you know, many decades working in that space, anything that you would offer to them - because you've seen tremendous, like, change during the time you've been interested in this. Like you said at the beginning, there were things that were the size of dishwashers. And now the average cellphone is more powerful than them.
Hans Holmer: One of the things I enjoyed about my job was being in there in between the hackers, the ones who really knew how to code - right? - because they were way better than me. My son is much better than me. It's - think about tradecraft. I think, as an operations officer, we explicitly had to think about, how can this go wrong? And if you ask yourself that - right? - you don't assume that you will never get caught, because a lot of the breaches you read about of intelligence services, they're being arrogant. They're assuming, I'm so smart. Nobody will ever think of this. And the FBI can't catch me. Well, the FBI is very good. So is NSA and CIA. So you should assume that it can go wrong.
Hans Holmer: And you should take elementary measures for thinking about, what should I do? How do I protect myself? And as you saw with Snowden - right? - the amount of data he had access to because he was a system administrator and the apparent lack of auditing of what he was doing - in retrospect, it's quite easy to see the patterns. In prospect, it's a lot harder. You can't predict this. But there has to be some kind of process in place to think about, how can this go wrong? And how do we mediate it? And make sure that when somebody goes wrong, you reduce the impact of that event.
Andrew Hammond: You mentioned even now, like, out of habit, thinking about being surveilled. And if you notice someone on your tail, you take them for a ride unless they're threatening your life. And I'm assuming and hoping that no one's threatened your life. But do you ever - as an old spook in a city that's famous for espionage, Vienna, do you ever catch anyone on your tail these days or have you?
Hans Holmer: So far, I haven't. But also, I mean, I'm carrying my cellphone. You don't need to surveil me. You can see where the cellphone is going and then look for patterns. Do I, you know, turn off my phone suddenly every once in a while? I have friends here who are convinced I'm still working. And I - you know, I tell them, you know, I spent my whole career lying about where I worked. I did stop now - if it wasn't for a particular reason, namely that I am retired. But you had a guest a couple of episodes ago who joked about herself that she kept saying we about the CIA, even though she's retired. And I do that, too. And I think it is a way of life. I enjoyed it tremendously. I'd do it again in a heartbeat. And I'm always looking for vulnerabilities. And just the other day, I was sitting in front of a government building at a cafe with a friend, chatting. And I was noticing what people were doing to lock the door when they were leaving after hours to - because they had to stop and make sure and wait for the clicking sound of the extra door lock. And I still think like that. And I can't help it. And I just - I try not to act on it.
Andrew Hammond: Is there anything that we haven't touched on that you think - is there any ingredients that we should have been checking but I forgot to incorporate?
Hans Holmer: Yeah. It's hard to think of things. There are so many adventures. I volunteered to go to Afghanistan in 2002 after I read "A Bright Shining Lie: John Paul Vann In Vietnam." And one of the really important things is orientation - right? - how you think about a problem. Because in cyber, our orientation is that the U.S. government should protect us the same way they stopped the German and Japanese navies in World War II, because there's this big body of water. There's a limited number of possible ships. And that's no longer relevant, right? There's an infinite number of ways into the U.S. in the cyber domain. There's an infinite number of targets. And there's no way the government could actually do this. And we made the same problem in Afghanistan and Iraq. We thought about this as a war that you would fight in roughly the same way that you would fight the Russians in the Fulda Gap. And there were some generals who thought better of it. But even then, it was considered a military problem, not a much greater problem of, how do you get out of this?
Hans Holmer: And I think that is the thing that I keep returning to - is, am I asking the right questions to get answers that are relevant to the current situation rather than to whatever happened in history? And that's - I think a lot of corporations are vulnerable to that, right? Clearly, if I became the CEO, I must have been really smart, and I've done everything right and know better than anyone else. And there's no chance in hell that I was just lucky. There's no substitute for luck.
Hans Holmer: I think there's a lovely story after World War I, right? The British and the French and the American military says, hey; we won; we're really good, whereas the German military said, that didn't go so well; we have to rethink how we do war. And so they thought about Auftragstaktik and all these other techniques for how to avoid fighting World War I again. And so they had reinvented themselves while then, you know, World War II starts. And there's the German - or, sorry - the British Army with roughly the same generals who had won World War I. And Churchill is going, nope, nope, nope, next. Right? They're struggling for ideas 'cause success breeds being placid.
Hans Holmer: But understanding how technology changes our world and thinking about it and thinking of it as an intelligence officer - right? - asking, how can this go wrong? - 'cause we really did - in many cases, it was my tail that was on the line. So I took that very seriously because I did want to go home, and I wanted to accomplish the mission. But that is an unusual way of thinking 'cause it's not about the money - right? - which - most companies are only rated on what's your profits, and nothing else matters. And the cost of losing my data is insignificant. And after Colonial Pipeline, while they were still not producing, I told a friend of mine that it didn't affect their stock price, and I was right.
Andrew Hammond: Wow.
Hans Holmer: And that's part of it, right? You know that there is no cost to losing my data or losing my access to buying gasoline.
Andrew Hammond: Yeah, you could even extrapolate out from follow the money to just follow the incentives.
Hans Holmer: Yeah. And you, of course, have limited control. But certainly, terrorism was one of those domains where it suddenly changed how the world worked for us because before 9/11, you could predict, you know, what does the Pentagon want to know about the Russian military? And then you give them as much of that as you have. But with terrorism, what does the Pentagon need to know about Group X - you know, whatever it is - some minor group in Yemen or al-Qaida, right? Al-Qaida wasn't a big deal for the U.S. government. There was not a huge hue and cry saying, we need more information about al-Qaida, right? The CIA was basically an outlier in saying al-Qaida is worth following. You know, it wasn't like Congress was asking, what are you doing on al-Qaida today?
Hans Holmer: And that's why collaboration between police services and domestic intelligence services and international services is completely different - 'cause I don't know what a service needs. I don't know what they don't know. But also, the more of data I give away from U.S. collection, the more likely I make it that other countries will see what I'm collecting then figure out who the sources are. So it's much harder to protect sources and methods.
Andrew Hammond: Tell us a little bit more about your experience in Afghanistan if you can. And, you know, yeah, you mentioned - I know we said we weren't going to talk about countries, but since you brought this one up, I wondered if you could give us a little bit more.
Hans Holmer: The thing that struck me - I volunteered in the summertime, and then they wanted people to go for the holiday period. And I told my wife that going early was going to be more fun and it'd be a shorter tour. So I got to do their holiday periods in late 2002, early 2003. They took us back to headquarters, in part because they wanted to have our DNA in case we got blown to bits. And then we're sitting there in a room somewhere in headquarters, in a new headquarters building, being briefed by a guy who's going to the White House every afternoon to brief the president. And he says, you were hired for your ability to improvise. Now go improvise.
Hans Holmer: And I'm sitting there, and I believe my jaw hit the floor. It's just like, that's the plan - I go improvise? And sadly, it was, right? This - I remember walking on the streets somewhere in eastern Afghanistan, and I was the senior U.S. government official. And, you know, I hadn't - I had barely heard of the town that I was in a week before. And hearing that the military were withdrawing people so they could focus on Iraq and just thinking to myself, oh, what a dumb idea that was - and actually, at the end of my tour in Afghanistan, I asked for permission to go back to headquarters in order to tell them how we were not doing it right. And they let me do it, which is amazing. So frequently, the management does the right thing, and they're not afraid of letting people go back.
Hans Holmer: The one other sort of story out of Afghanistan that I remember is - you know, there's a weapons training course, because you're going into a war zone, among other things. And I get to Afghanistan, and the security officer in our office takes me to a small broom closet, pulls out an M-4 rifle and says, do you know how to handle this? I go, yeah. And he just hands it to me. There was no tracking of it. Agency had never trained me beyond the M-4. The army had trained me on the M-16, so I did indeed know how to use it.
Hans Holmer: But that's the kind of organization the CIA is, right? If somebody says they know how to handle that weapon, you trust each other. And I don't know of any other organization that does that. But ultimately, no. No. To steal a quote from David Kilcullen - almost a quote; I've perverted it - no amount of tactics will make up for lack of a strategy. That's Kilcullen's line. And then in cyber, it's no amount of technology will make up for a lack of a strategy. And that strategy has to be based on your orientation. You have to understand the conflict you're in and then choose a strategy that will work in getting the outcomes you seek.
Andrew Hammond: It reminds me a little bit of another saying. You can't out-train a bad diet. The diet has to go hand-in-hand...
Hans Holmer: That's right.
Andrew Hammond: ...With the training.
Hans Holmer: Yeah.
Andrew Hammond: You know, I'm just thinking - the chairman of the Joint Chiefs of Staff was just before Congress, saying that there's no other words for what's happened in Afghanistan than a strategic failure. To go back to what you were saying, thinking like an intelligence officer, you have to think, what could go wrong going into Afghanistan? Where could we go wrong? OK, the border, Pakistan, a bigger system being imposed on a decentralized country, Iraq - where could this go wrong? Well, we're diverting bandwidth, money, material and focus all to somewhere that wasn't involved in 9/11. That could potentially undercut what we're trying to do in Afghanistan. Intelligence officers don't make these decisions, but it doesn't seem like there's been much thinking like an intelligence officer. Would you agree?
Hans Holmer: I think there's been very little thinking. I - General Milley has my greatest sympathy. And I - as late as yesterday, I challenged somebody to tell me what they would do if they were in Milley's position. For years, I used to argue that the worst job in the U.S. government was carrying the nuclear suitcase for the president - right? - because you know what's going on. And that strategic failure is not on the shoulders of the military or the civil servants in the U.S. government. It's on Congress and on the White House. It's on lack of curiosity. It's on a conviction in our own greatness. People are distracted by stuff that isn't relevant to the greater needs of the country, which are living up to the ideals of the American Revolution and the Constitution.
Andrew Hammond: I think we've put the world right, Hans.
Andrew Hammond: Well, thanks so much for a fascinating chat. Hopefully, I'll get to meet you in person one day. Let me know if you're ever back in Washington.
Hans Holmer: Will do. Thank you very much for having me. It was great fun.
Andrew Hammond: Thanks for listening to this episode of "SpyCast." Go to our web page, where you can find links to further resources, detailed show notes and full transcripts. We have over 500 episodes in our back catalog for you to explore. Please follow the show on Twitter at @intlspycast, and share your favorite quotes and insights or start a conversation. If you have any additional feedback, please email us at firstname.lastname@example.org. I'm your host Dr. Andrew Hammond, and you can connect with me on LinkedIn or follow me on Twitter at @spyhistorian.
Andrew Hammond: The show is brought to you from the home of the world's preeminent collection of intelligence and espionage-related artifacts, the International Spy Museum. The "SpyCast" team includes Mike Mincey and Memphis Vaughn III. See you for next week's show.