Office of the National Counterintelligence Executive
|This article relies too much on references to primary sources. (July 2007)|
Official Seal of the National Counterintelligence Executive
|Formed||January 5, 2001|
|Preceding Agency||National Counterintelligence Center|
|Jurisdiction||Counterintelligence on behalf of the Federal Government of the United States|
|Agency executive||William Evanina, National Counterintelligence Executive|
|Parent department||Director of National Intelligence|
The Office of the National Counterintelligence Executive (ONCIX) directs national counterintelligence (CI) for theUnited States government and is responsible to the Director of National Intelligence (DNI). The Office was established on January 5, 2001 by a directive from President Bill Clinton which also established the National Counterintelligence Board. It replaced the National Counterintelligence Center, which was created in 1994 in response to the arrest of CIA moleAldrich Ames.
The ONCIX facilitates and enhances US counterintelligence efforts and awareness by enabling the CI community to better identify, assess, prioritize and counter intelligence threats from foreign powers, terrorist groups, and other non-state entities; ensuring the CI community acts efficiently and effectively; and providing for the integration of all US counterintelligence activities. The Office characterizes its mission as: “Exploit and defeat adversarial intelligence activities directed against American interests; Protect the integrity of the US intelligence system; Provide incisive, actionable intelligence to decisionmakers at all levels; Protect vital national assets from adversarial intelligence activities; Neutralize and exploit adversarial intelligence activities targeting the armed forces.”
The National Counterintelligence Executive chairs the National Counterintelligence Policy Board, the principal inter-agency mechanism for developing national CI policies and procedures, and heads the Office of the National Counterintelligence Executive.
On August 7, 2006, Director of National Intelligence John D. Negroponte appointed Joel F. Brenner to serve as National Counterintelligence Executive and Mission Manager for Counterintelligence.
On September 21, 2009, Robert “Bear” Bryant was appointed as the National Counterintelligence Executive.
- Singh, Samir (January 19, 2001). “Clinton Establishes New Federal Counterintelligence Organizations”. American Association for the Advancement of Science. Retrieved 2007-09-08.
- Office of the National Counterintelligence Executive
- OFFICE OF THE DIRECTOR OF NATIONAL INTELLIGENCE
- Meet the Man Who’s Gauging the Damage From Snowden
|This United States government–related article is a stub. You can help Wikipedia by expanding it.|
- This article is a subset article of intelligence cycle security.
Counterintelligence (CI) refers to information gathered and activities conducted to protect against espionage, other intelligence activities, sabotage, or assassinations conducted for or on behalf of foreign powers, organizations or persons or international terrorist activities, but not including personnel, physical, document or communications security programs.
- 1 Categories of counterintelligence
- 2 Counterintelligence, counterterror, and government
- 3 Counterintelligence missions
- 4 Defensive counterintelligence operations
- 5 Theory of offensive counterintelligence
- 6 Types of offensive counterespionage operations
- 7 Running offensive counterespionage operations
- 8 Further reading
- 9 See also
- 10 References
- 11 External links
Categories of counterintelligence
Collective counterintelligence: gaining information about an opponent’s intelligence collection capabilities that might be aimed at an entity.
Defensive counterintelligence: thwarting efforts by hostile intelligence services to penetrate the service.
Offensive counterintelligence: having identified an opponent’s efforts against the system, trying to manipulate these attacks either by “turning” the opponent’s agents into double agents or by feeding them false information they will report home.
Counterintelligence, counterterror, and government
Many governments organize counterintelligence agencies separate and distinct from their intelligence collection services for specialized purposes. In most countries the counterintelligence mission is spread over multiple organizations, though one usually predominates.
The United Kingdom has the separate Security Service, also known as MI5, which does not have direct police powers but works closely with law enforcement calledSpecial Branch that can carry out arrests, do searches with a warrant, etc.
Canada separates the functions of general defensive counterintelligence (contre-ingérence), security intelligence (the intelligence preparation necessary to conduct offensive counterintelligence), law enforcement intelligence, and offensive counterintelligence.
Military organizations have their own counterintelligence forces, capable of conducting protective operations both at home and when deployed abroad. Depending on the country, there can be various mixtures of civilian and military in foreign operations. For example, while offensive counterintelligence is a mission of the US CIA‘sNational Clandestine Service, defensive counterintelligence is a mission of the U.S. Diplomatic Security Service (DSS), Department of State, who work on protective security for personnel and information processed abroad at US Embassies and Consulates.
The term counter-espionage is really specific to countering HUMINT, but, since virtually all offensive counterintelligence involves exploiting human sources, the term “offensive counterintelligence” is used here to avoid some ambiguous phrasing.
In the United States, there is a very careful line drawn between intelligence and law enforcement. In the United Kingdom, there is a distinction between the Security Service (MI5) and the Special Branch of the Metropolitan Police (“Scotland Yard”). Other countries also deal with the proper organization of defenses against FIS, often with separate services with no common authority below the head of government.
France, for example, builds its domestic counterterror in a law enforcement framework. In France, a senior anti-terror magistrate is in charge of defense against terrorism. French magistrates have multiple functions that overlap US and UK functions of investigators, prosecutors, and judges. An anti-terror magistrate may call upon France’s domestic intelligence service Direction de la surveillance du territoire (DST), which may work with the Direction générale de la sécurité extérieure(DGSE), foreign intelligence service.
Spain gives its Interior Ministry, with military support, the leadership in domestic counterterrorism. For international threats, the National Intelligence Center (CNI) has responsibility. CNI, which reports directly to the Prime Minister, is staffed principally by which is subordinated directly to the Prime Minister’s office. After the March 11,2004 Madrid train bombings, the national investigation found problems between the Interior Ministry and CNI, and. as a result, the National Anti-Terrorism Coordination Center was created. Spain’s 3/11 Commission called for this Center to do operational coordination as well as information collection and dissemination.The military has organic counterintelligence to meet specific military needs.
Frank Wisner, a well-known CIA operations executive said of the autobiography of Director of Central Intelligence Allen W. Dulles, that Dulles “disposes of the popular misconception that counterintelligence is essentially a negative and responsive activity, that it moves only or chiefly in reaction to situations thrust upon it and in counter to initiatives mounted by the opposition” Rather, he sees that can be most effective, both in information gathering and protecting friendly intelligence services, when it creatively but vigorously attacks the “structure and personnel of hostile intelligence services.” Today’s counterintelligence missions have broadened from the time when the threat was restricted to the foreign intelligence services (FIS) under the control of nation-states. Threats have broadened to include threats from non-national or trans-national groups, including internal insurgents, organized crime, and transnational based groups (often called “terrorists”, but that is limiting). Still, the FIS term remains the usual way of referring to the threat against which counterintelligence protects.
In modern practice, several missions are associated with counterintelligence from the national to the field level.
- Defensive analysis is the practice of looking for vulnerabilities in one’s own organization, and, with due regard for risk versus benefit, closing the discovered holes.
- Offensive Counterespionage is the set of techniques that, at a minimum, neutralizes discovered FIS personnel and arrests them or, in the case of diplomats, expels them by declaring them persona non grata. Beyond that minimum, it exploits FIS personnel to gain intelligence for one’s own side, or actively manipulates the FIS personnel to damage the hostile FIS organization.
- Counterintelligence Force Protection Source Operations (CFSO) are human source operations, conducted abroad that are intended to fill the existing gap in national level coverage in protecting a field station or force from terrorism and espionage.
Counterintelligence is part of intelligence cycle security, which, in turn, is part of intelligence cycle management. A variety of security disciplines also fall under intelligence security management and complement counterintelligence, including:
The disciplines involved in “positive security”, or measures by which one’s own society collects information on its actual or potential security, complement security. For example, when communications intelligence identifies a particular radio transmitter as one used only by a particular country, detecting that transmitter inside one’s own country suggests the presence of a spy that counterintelligence should target. In particular, counterintelligence has a significant relationship with the collection discipline of HUMINT and at least some relationship with the others. Counterintellingence can both produce information and protect it.
Governments try to protect three things:
- Their personnel
- Their installations
- Their operations
In many governments, the responsibility for protecting these things is split. Historically, CIA assigned responsibility for protecting its personnel and operations to its Office of Security, while it assigned the security of operations to multiple groups within the Directorate of Operations: the counterintelligence staff and the area (or functional) unit, such as Soviet Russia Division. At one point, the counterintelligence unit operated quite autonomously, under the direction of James Jesus Angleton. Later, operational divisions had subordinate counterintelligence branches, as well as a smaller central counterintelligence staff. Aldrich Ames was in the Counterintelligence Branch of Europe Division, where he was responsible for directing the analysis of Soviet intelligence operations. US military services have had a similar and even more complex split.
This kind of division clearly requires close coordination, and this in fact occurs on a daily basis. The interdependence of the US counterintelligence community is also manifest in our relationships with liaison services. We cannot cut off these relationships because of concern about security, but experience has certainly shown that we must calculate the risks involved.
On the other side of the CI coin, counterespionage has one purpose which transcends all others in importance: penetration. The emphasis which the KGB places on penetration is evident in the cases already discussed from the defensive, or security viewpoint. The best security system in the world cannot provide an adequate defense against it because the technique involves people. The only way to be sure that an enemy has been contained is to know his plans in advance and in detail.
“Moreover, only a high-level penetration of the opposition can tell you whether your own service is penetrated. A high-level defector can also do this, but the adversary knows that he defected and within limits can take remedial action. Conducting CE without the aid of penetrations is like fighting in the dark. Conducting CE with penetrations can be like shooting fish in a barrel.”
In the British service, the cases of the Cambridge Five, and the later suspicions about MI5 chief Sir Roger Hollis caused great internal dissension. Clearly, the British were penetrated by Philby, but it has never been determined, in any public forum, if there were other serious penetrations. In the US service, there was also significant disruption over the contradictory accusations about moles from defectors Anatoliy Golitsyn and Yuri Nosenko, and their respective supporters in CIA and the British Security Service (MI5). Golitsyn was generally believed by Angleton. George Kisevalter, the CIA operations officer that was the CIA side of the joint US-UK handling of Oleg Penkovsky, did not believe Angleton’s theory that Nosenko was a KGB plant. Nosenko had exposed John Vassall, a KGB asset principally in the British Admiralty, but there were arguments Vassall was a KGB sacrifice to protect other operations, including Nosenko and a possibly more valuable source on the Royal Navy.
Defensive counterintelligence starts by looking for places in one’s own organization that could easily be exploited by foreign intelligence services (FIS). FIS is an established term of art in the counterintelligence community, and, in today’s world, “foreign” is shorthand for “opposing”. Opposition might indeed be a country, but it could be a transnational group or an internal insurgent group. Operations against a FIS might be against one’s own nation, or another friendly nation. The range of actions that might be done to support a friendly government can include a wide range of functions, certainly including military or counterintelligence activities, but also humanitarian aid and aid to development (i.e., “nation building”).
Terminology here is still emerging, and “transnational group” could include not only terrorist groups but also transnational criminal organization. Transnational criminal organizations include the drug trade, money laundering, extortion targeted against computer or communications systems, smuggling, etc.
“Insurgent” could be a group opposing a recognized government by criminal or military means, as well as conducting clandestine intelligence and covert operations against the government in question, which could be one’s own or a friendly one.
Counterintelligence and counterterrorism analyses provide strategic assessments of foreign intelligence and terrorist groups and prepare tactical options for ongoing operations and investigations. Counterespionage may involve proactive acts against foreign intelligence services, such as double agents, deception, or recruiting foreign intelligence officers. While clandestine HUMINT sources can give the greatest insight into the adversary’s thinking, they may also be most vulnerable to the adversary’s attacks on one’s own organization. Before trusting an enemy agent, remember that such people started out as being trusted by their own countries. They may still be loyal to that country.
Offensive counterintelligence operations
Wisner emphasized his own, and Dulles’, views that the best defense against foreign attacks on, or infiltration of, intelligence services is active measures against those hostile services. This is often called counterespionage: measures taken to detect enemy espionage or physical attacks against friendly intelligence services, prevent damage and information loss, and, where possible, to turn the attempt back against its originator. Counterespionage goes beyond being reactive, and actively tries to subvert hostile intelligence services, by recruiting agents in the foreign service, by discrediting personnel actually loyal to their own service, and taking away resources that would be useful to the hostile service. All of these actions apply to non-national threats as well as to national organizations.
If the hostile action is in one’s own country, or in a friendly one with cooperating police, the hostile agents may be arrested, or, if diplomats, declared persona non grata. From the perspective of one’s own intelligence service, exploiting the situation to the advantage of one’s side is usually preferable to arrest or actions that might result in the death of the threat. The intelligence priority sometimes comes into conflict with the instincts of one’s own law enforcement organizations, especially when the foreign threat combines foreign personnel with citizens of one’s country.
In some circumstances, arrest may be a first step, in which the prisoner is given the choice of cooperating, or facing severe consequence up to and including a death sentence for espionage. Cooperation may consist of telling all one knows about the other service, but, preferably, actively assisting in deceptive actions against the hostile service.
Counterintelligence protection of intelligence services
Defensive counterintelligence specifically for intelligence services involves risk assessment of their culture, sources, methods and resources. Risk management must constantly reflect those assessments, since effective intelligence operations are often risk-taking. Even while taking calculated risks, the services need to mitigate risk with appropriate countermeasures.
FIS are especially able to explore open societies, and, in that environment, have been able to subvert insiders in the intelligence community. Offensive counterespionage is the most powerful tool for finding penetrators and neutralizing them, but it is not the only tool. Understanding what leads individuals to turn on their own side is the focus of Project Slammer. Without undue violations of personal privacy, systems can be developed to spot anomalous behavior, especially in the use of information systems.
“Decision makers require intelligence free from hostile control or manipulation. Since every intelligence discipline is subject to manipulation by our adversaries, validating the reliability of intelligence from all collection platforms is essential. Accordingly, each counterintelligence organization will validate the reliability of sources and methods that relate to the counterintelligence mission in accordance with common standards. For other mission areas, we will examine collection, analysis, dissemination practices, and other intelligence activities and will recommend improvements, best practices, and common standards.
Intelligence is vulnerable not only to external but also to internal threats. Subversion, treason, and leaks expose our vulnerabilities, our governmental and commercial secrets, and our intelligence sources and methods. This insider threat has been a source of extraordinary damage to US national security, as with Aldrich Ames,Robert Hanssen, and Edward Lee Howard, all of whom had access to major clandestine activities. Had an electronic system to detect anomalies in browsing through counterintellence files been in place, Robert Hanssen’s searches for suspicion of activities of his Soviet (and later Russian) paymasters might have surfaced early. Anomalies might simply show that an especially creative analyst has a trained intuition possible connections, and is trying to research them.
Adding these new tools and techniques to [national arsenals], the counterintelligence community will seek to manipulate foreign spies, conduct aggressive investigations, make arrests and, where foreign officials are involved, expel them for engaging in practices inconsistent with their diplomatic status or exploit them as an unwitting channel for deception, or turn them into witting double agents. “Witting” is a term of intelligence art that indicates that one is not only aware of a fact or piece of information but also aware of its connection to intelligence activities.
Victor Suvorov, the pseudonym of a former Soviet military intelligence (i.e., GRU) officer, makes the point that a defecting HUMINT officer is a special threat to walk-in or other volunteer assets of the country that he is leaving. Volunteers who are “warmly welcomed” do not take into consideration the fact that they are despised by hostile intelligence agents.
The Soviet operational officer, having seen a great deal of the ugly face of communism, very frequently feels the utmost repulsion to those who sell themselves to it willingly. And when a GRU or KGB officer decides to break with his criminal organization, something which fortunately happens quite often, the first thing he will do is try to expose the hated volunteer.”
Counterintelligence force protection source operations
Attacks against military, diplomatic and related facilities are a very real threat, as demonstrated by the 1983 attacks against French and US peacekeepers in Beirut, the 1996 attack on the Khobar Towers in Saudi Arabia, 1998 attacks on Colombian bases and on US embassies (and local buildings) in Kenya and Tanzania the 2000 attack on the USS Cole, and many others. The US military force protection measures are the set of actions taken against military personnel and family members, resources, facilities and critical information, and most countries have a similar doctrine for protecting those facilities and conserving the potential of the forces. Force protection is defined to be a defense against deliberate attack, not accidents or natural disasters.
Counterintelligence Force Protection Source Operations (CFSO) are human source operations, normally clandestine in nature, conducted abroad that are intended to fill the existing gap in national level coverage, as well as satisfying the combatant commander’s intelligence requirements. Military police and other patrols that mingle with local people may indeed be valuable HUMINT sources for counterintelligence awareness, but are not themselves likely to be CFSOs. Gleghorn distinguishes between the protection of national intelligence services, and the intelligence needed to provide combatant commands with the information they need for force protection. There are other HUMINT sources, such as military reconnaissance patrols that avoid mixing with foreign personnel, that indeed may provide HUMINT, but not HUMINT especially relevant to counterintelligence. Active countermeasures, whether for force protection, protection of intelligence services, or protection of national security interests, are apt to involve HUMINT disciplines, for the purpose of detecting FIS agents, involving screening and debriefing of non-tasked human sources, also called casual or incidental sources. such as:
- walk-ins and write-ins (individuals who volunteer information)
- unwitting sources (any individual providing useful information to counterintelligence, who in the process of divulging such information may not know they are aiding an investigation)
- defectors and enemy prisoners of war (EPW)
- refugee populations and expatriates
- interviewees (individuals contacted in the course of an investigation)
- official liaison sources.
“Physical security is important, but it does not override the role of force protection intelligence…Although all intelligence disciplines can be used to gather force protection intelligence, HUMINT collected by intelligence and CI agencies plays a key role in providing indications and warning of terrorist and other force protection threats.
Force protection, for forces deployed in host countries, occupation duty, and even at home, may not be supported sufficiently by a national-level counterterrorism organization alone. In a country, colocating FPCI personnel, of all services, with military assistance and advisory units, allows agents to build relationships with host nation law enforcement and intelligence agencies, get to know the local environments, and improve their language skills. FPCI needs a legal domestic capability to deal with domestic terrorism threats.
As an example of terrorist planning cycles, the Khobar Towers attack shows the need for long-term FPCI. “The Hizballah operatives believed to have conducted this attack began intelligence collection and planning activities in 1993. They recognized American military personnel were billeted at Khobar Towers in the fall of 1994, and began surveillance of the facility, and continued to plan, in June 1995. In March 1996, Saudi Arabian border guards arrested a Hizballah member attempting plastic explosive into the country, leading to the arrest of two more Hizballah members. Hizballah leaders recruited replacements for those arrested, and continued planning for the attack.”
Defensive counterintelligence operations
In US doctrine, although not necessarily that of other countries, CI is now seen as primarily a counter to FIS HUMINT. In the 1995 US Army counterintelligence manual, CI had a broader scope against the various intelligence collection disciplines. Some of the overarching CI tasks are described as
- Developing, maintaining, and disseminating multidiscipline threat data and intelligence files on organizations, locations, and individuals of CI interest. This includes insurgent and terrorist infrastructure and individuals who can assist in the CI mission.
- Educating personnel in all fields of security. A component of this is the multidiscipline threat briefing. Briefings can and should be tailored, both in scope and classification level. Briefings could then be used to familiarize supported commands with the nature of the multidiscipline threat posed against the command or activity.
More recent US joint intelligence doctrine restricts its primary scope to counter-HUMINT, which usually includes counter-terror. It is not always clear, under this doctrine, who is responsible for all intelligence collection threats against a military or other resource. The full scope of US military counterintelligence doctrine has been moved to a classified publication, Joint Publication (JP) 2-01.2, Counterintelligence and Human Intelligence Support to Joint Operations.
More specific countermeasures against intelligence collection disciplines are listed below
|Discipline||Offensive CI||Defensive CI|
|HUMINT||Counterreconnaissance, offensive counterespionage||Deception in operations security|
|SIGINT||Recommendations for kinetic and electronic attack||Radio OPSEC, use of secure telephones, SIGSEC, deception|
|IMINT||Recommendations for kinetic and electronic attack||Deception, OPSEC countermeasures, deception (decoys, camouflage)If accessible, use SATRAN reports of satellites overhead to hide or stop activities while being viewed|
Counter-HUMINT deals with both the detection of hostile HUMINT sources within an organization, or the detection of individuals likely to become hostile HUMINT sources, as a mole or double agent. There is an additional category relevant to the broad spectrum of counterintelligence: why one becomes a terrorist.
The acronym MICE:
- Compromise (or coercion)
describes the most common reasons people break trust and disclose classified materials, reveal operations to hostile services, or join terrorist groups. It makes sense, therefore, to monitor trusted personnel for risks in these areas, such as financial stress, extreme political views, potential vulnerabilities for blackmail, and excessive need for approval or intolerance of criticism. With luck, problems in an employee can be caught early, assistance can be provided to correct them, and not only is espionage avoided, but a useful employee retained. See Motives for spying for specific examples.
Sometimes, the preventive and neutralization tasks overlap, as in the case of Earl Edwin Pitts. Pitts had been an FBI agent who had sold secret information to the Soviets, and, after the fall of the USSR, to the Russians. He was caught by an FBI false flag sting, in which FBI agents, posing as Russian FSB agents, came to Pitts with an offer to “reactivate” him. His activities seemed motivated by both Money and Ego over perceived bad treatment when he was an FBI agent. His sentence required him to tell the FBI all he knew of foreign agents. Ironically, he told them of suspicious actions by Robert Hanssen, which were not taken seriously at the time.
Motivations for information and operations discloure
To go beyond slogans, Project Slammer was an effort of the Intelligence Community Staff, under the Director of Central Intelligence, to come up with characteristics of Project Slammer, an Intelligence Community sponsored study of espionage. It “examines espionage by interviewing and psychologically assessing actual espionage subjects. Additionally, persons knowledgeable of subjects are contacted to better understand the subjects’ private lives and how they are perceived by others while conducting espionage.”
|His basic belief structure||– Special, even unique.– Deserving.– His situation is not satisfactory.
– No other (easier) option (than to engage in espionage).
– Doing only what others frequently do.
– Not a bad person.
– His performance in his government job (if presently employed) is separate from espionage; espionage does not (really) discount his contribution in the workplace.
– Security procedures do not (really) apply to him.
– Security programs (e.g., briefings) have no meaning for him, unless they connect with something with which he can personally identify.
|He feels isolated from the consequences of his actions:||– He sees his situation in a context in which he faces continually narrowing options, until espionage seems reasonable. The process that evolves into espionage reduces barriers, making it essentially “Okay” to initiate the crime.– He sees espionage as a “Victimless” crime.– Once he considers espionage, he figures out how he might do it. These are mutually reinforcing, often simultaneous events.
– He finds that it is easy to go around security safeguards (he is able to solve that problem). He belittles the security system, feeling that if the information was really important espionage would be hard to do (the information would really be better protected). This “Ease of accomplishment” further reinforces his resolve.
|Attempts to cope with espionage activity||– He is anxious on initial hostile intelligence service contact (some also feel thrill and excitement).– After a relationship with espionage activity and HOIS develops, the process becomes much more bearable, espionage continues (even flourishes).– In the course of long term activity subjects may reconsider their involvement.
– Some consider breaking their role to become an operative for the government. This occurs when access to classified information is lost or there is a perceived need to prove themselves, or both.
– Others find that espionage activity becomes stressful, they no longer want it. Glamour (if present earlier) subsides. They are reluctant to continue. They may even break contact.
– Sometimes they consider telling authorities what they have done. Those wanting to reverse their role aren’t confessing, they’re negotiating. Those who are “Stressed out” want to confess. Neither wants punishment. Both attempt to minimize or avoid punishment.
According to a press report about Project Slammer and Congressional oversight of counterespionage, one fairly basic function is observing one’s own personnel for behavior that either suggests that they could be targets for foreign HUMINT, or may already have been subverted. News reports indicate that in hindsight, red flags were flying but not noticed. In several major penetrations of US services, such as Aldrich Ames, the Walker ring or Robert Hanssen, the individual showed patterns of spending inconsistent with their salary. Some people with changed spending may have a perfectly good reason, such as an inheritance or even winning the lottery, but such patterns should not be ignored.
Personnel in sensitive positions, who have difficulty getting along with peers, may become risks for being compromised with an approach based on ego. William Kampiles, a low-level worker in the CIA Watch Center, sold, for a small sum, the critical operations manual on the KH-11 reconnaissance satellite. To an interviewer,. Kampiles suggested that if someone had noted his “problem”—constant conflicts with supervisors and co-workers—and brought in outside counseling, he might not have stolen the KH-11 manual.
By 1997, the Project Slammer work was being presented at public meetings of the Security Policy Advisory Board. While a funding cut caused the loss of impetus in the mid-nineties, there are research data used throughout the security community. They emphasize the
“essential and multi-faceted motivational patterns underlying espionage. Future Slammer analyses will focus on newly developing issues in espionage such as the role of money, the new dimensions of loyalty and what seems to be a developing trend toward economic espionage.”
Military and security organizations will provide secure communications, and may monitor less secure systems, such as commercial telephones or general Internet connections, to detect inappropriate information being passed through them. Education on the need to use secure communications, and instruction on using them properly so that they do not become vulnerable to specialized technical interception.
The basic methods of countering IMINT are to know when the opponent will use imaging against one’s own side, and interfering with the taking of images. In some situations, especially in free societies, it must be accepted that public buildings may always be subject to photography or other techniques.
Countermeasures include putting visual shielding over sensitive targets or camouflaging them. When countering such threats as imaging satellites, awareness of the orbits can guide security personnel to stop an activity, or perhaps cover the sensitive parts, when the satellite is overhead. This also applies to imaging on aircraft and UAVs, although the more direct expedient of shooting them down, or attacking their launch and support area, is an option in wartime.
While the concept well precedes the recognition of a discipline of OSINT, the idea of censorship of material directly relevant to national security is a basic OSINT defense. In democratic societies, even in wartime, censorship must be watched carefully lest it violate reasonable freedom of the press, but the balance is set differently in different countries and at different times.
Great Britain is generally considered to have a very free press, but the UK does have the DA-Notice, formerly D-notice system. Many British journalists find that this system is used fairly, although there will always be arguments. In the specific context of counterintelligence, note that Peter Wright, a former senior member of theSecurity Service who left their service without his pension, moved to Australia before publishing his book Spycatcher. While much of the book was reasonable commentary, it did reveal some specific and sensitive techniques, such as Operation RAFTER, a means of detecting the existence and setting of radio receivers.
MASINT is mentioned here for completeness, but the discipline contains so varied a range of technologies that a type-by-type strategy is beyond the current scope. One example, however, can draw on the Operation RAFTER technique revealed in Wright’s book. With the knowledge that Radiofrequency MASINT was being used to pick up an internal frequency in radio receivers, it would be possible to design a shielded receiver that would not radiate the signal that RAFTER monitored.
Theory of offensive counterintelligence
Offensive techniques in current counterintelligence doctrine are principally directed against human sources, so counterespionage can be considered a synonym for offensive counterintelligence. At the heart of exploitation operations is the objective to degrade the effectiveness of an adversary’s intelligence service or a terrorist organization. Offensive counterespionage (and counterterrorism) is done one of two ways, either by manipulating the adversary (FIS or terrorist) in some manner or by disrupting the adversary’s normal operations.
Defensive counterintelligence operations that succeed in breaking up a clandestine network by arresting the persons involved or by exposing their actions demonstrate that disruption is quite measurable and effective against FIS if the right actions are taken. If defensive counterintelligence stops terrorist attacks, it has succeeded.
Offensive counterintelligence seeks to damage the long-term capability of the adversary. If it can lead a national adversary into putting large resources into protecting a nonexistent threat, or if it can lead terrorists to assume that all of their “sleeper” agents in a country have become unreliable and must be replaced (and possibly killed as security risks), there is a greater level of success than can be seen from defensive operations alone, To carry out offensive counterintelligence, however, the service must do more than detect; it must manipulate persons associated with the adversary.
The Canadian Department of National Defence makes some useful logical distinctions in its Directive on its National Counter-Intelligence Unit. The terminology is not the same as used by other services, but the distinctions are useful:
- “Counter-intelligence (contre-ingérence) means activities concerned with identifying and counteracting threats to the security of DND employees, CF members, and DND and CF property and information, that are posed by hostile intelligence services, organizations or individuals, who are or may be engaged in espionage, sabotage, subversion, terrorist activities, organized crime or other criminal activities.” This corresponds to defensive counterintelligence in other services.
- “Security intelligence (renseignement de sécurité) means intelligence on the identity, capabilities and intentions of hostile intelligence services, organizations or individuals, who are or may be engaged in espionage, sabotage, subversion, terrorist activities, organized crime or other criminal activities.” This does not (emphasis added) correspond directly to offensive counterintelligence, but is the intelligence preparation necessary to conduct offensive counterintelligence.
- The duties of the Canadian Forces National Counter-Intelligence Unit include “identifying, investigating and countering threats to the security of the DND and the CF from espionage, sabotage, subversion, terrorist activities, and other criminal activity;identifying, investigating and countering the actual or possible compromise of highly classified or special DND or CF material; conducting CI security investigations, operations and security briefings and debriefings to counter threats to, or to preserve, the security of DND and CF interests.” This mandate is a good statement of a mandate to conduct offensive counterintelligence.
DND further makes the useful clarification, “The security intelligence process should not be confused with the liaison conducted by members of the Canadian Forces National Investigation Service (CFNIS) for the purpose of obtaining criminal intelligence, as the collection of this type of information is within their mandate.”
Manipulating an intelligence professional, himself trained in counterintelligence, is no easy task, unless he is already predisposed toward the opposing side. Any effort that does not start with a sympathetic person will take a long-term commitment, and creative thinking to overcome the defenses of someone who knows he is a counterintelligence target and also knows counterintelligence techniques.
Terrorists on the other hand, although they engage in deception as a function of security appear to be more prone to manipulation or deception by a well-placed adversary than are foreign intelligence services. This is in part due to the fact that many terrorist groups, whose members “often mistrust and fight among each other, disagree, and vary in conviction.”, are not as internally cohesive as foreign intelligence services, potentially leaving them more vulnerable to both deception and manipulation.
A person willing to take on an offensive counterintelligence role, especially when not starting as a professional member of a service, can present in many ways. A person may be attracted by careful nurturing of a sense that someone may want to act against service A, or may be opportunistic: a walk-in or write-in.
Opportunistic acquisition, as of a walk-in, has the disadvantage of being unexpected and therefore unplanned for: the decision to run a double agent should be made only after a great deal of thought, assessment, and evaluation, and if the candidate comes as a volunteer, the service may have to act without sufficient time for reflection. In this situation the necessity of assessing the candidate conflicts also with the preservation of security, particularly if the officer approached is in covert status. Volunteers and walk-ins are tricky customers, and the possibility of provocation is always present. On the other hand, some of our best operations have been made possible by volunteers. The test of the professional skill of an intelligence organization is its ability to handle situations of this type.
When an agent candidate appears, judgments are needed on four essential questions to decide if a potential operation makes sense, if the candidate is the right person for the operation, and if one’s own service can support the operation.
|Has he told you everything?||Enough information can ordinarily be obtained in one or two sessions with the candidate to permit testing by polygraph, investigation of leads, and file checks. These steps must be taken very quickly because it is not possible to un-recruit a man. The two areas of possible concealment which are especially dangerous are prior intelligence ties and side-commo.|
|Does he have stayability?||This term combines two concepts—his ability to maintain access to the counterintelligence target for the foreseeable future, and his psychological stamina under the constant (and sometimes steadily increasing) pressure of the double agent’s role. If he lacks stayability he may still be useful, but the operation must then be planned for short range.|
|Does the adversary trust him?||Indications of adversary trust can be found in the level of the communications system given him, his length of service, the seniority of the adversary case officer, the nature and level of requirements, and the kind and extent of training provided. If the opposition keeps the agent at arm’s length, there is little prospect that doubling him will yield significant returns.|
|Can you control his communications both ways?||Control of communications on your own side can be difficult enough, especially if the agent lives in hostile territory. But control of adversary channels is hard under even the best of circumstances. It requires a great deal of time, technical skill, and—as a rule, manpower.|
Negative answers on one or even two of these questions are not ground for immediate rejection of the possible operation. But they are ground for requiring some unusually high entries on the credit side of the ledger.
The initial assessment comes from friendly debriefing or interview. The interviewing officer may be relaxed and casual, but underneath the surface his attitude is one of deliberate purpose: he is trying to find out enough to make an initial judgment of the man sensing the subject’s motivations, emotional state and mental processes.
For instance, if an agent walks in, says he is a member of another service, and reveals information so sensitive that the other service would surely not give it away just to establish the informant’s bona fides, there are two possibilities:
- either the agent is telling the truth
- he is attempting a provocation.
Sometimes, the manner in which the man conducts himself will suggest which of the two it is. In addition to establishing the individual’s true identity and examining his documents, there is also a need to gain information on the walk-in’s service.
It may be more difficult to determine the reason why the agent presented himself than to establish who he is and what service he represents, because motivation is a complex of mental and emotional drives. The question of the double agent’s motivation is approached by the interviewing officer from two angles:
- the agent’s professed reasons
- the officer’s own inferences from his story and behavior.
If a recruit speaks of a high regard for democratic ideology, but casual conversation about Western history and politics may reveal that the potential double agent really has no understanding of democracy. Ideology may not be the real reason why he is willing to cooperate. While it is possible such an individual created a romanticized fantasy of democracy, it is more likely that he is saying what he thinks the CI officer wants to hear. CI officers should make it comfortable for the agent to mention more base motivations: money or revenge. It can be informative to leave such things as luxury catalogs where the agent can see them, and observe if he reacts with desire, repugnance, or disbelief.
To decide between what the officer thinks the motive is and what the agent says it is not easy, because double agents act out of a wide variety of motivations, sometimes psychopathic ones like a masochistic desire for punishment by both services. Others have financial, religious, political, or vindictive motives. The last are often the best double agents: they get pleasure out of deceiving their comrades by their every act day after day.
Making the judgment about the agent’s psychological and physical suitability is also difficult. Sometimes a psychologist or psychiatrist can be called in under some pretext. Such professionals, or a well-trained CI officer, may recognize signs of sociopathic personality disorder in potential double agents. From the point of view of the double agent operation, here are their key traits:
|They are unusually calm and stable under stress but cannot tolerate routine or boredom||They do not form lasting and adult emotional relationships with other people because their attitude toward others is exploitative|
|They have above-average intelligence. They are good verbalizers—sometimes in two or more languages||They are skeptical and even cynical about the motives and abilities of others but have exaggerated notions about their own competence.|
|Their reliability as agents is largely determined by the extent to which the case officer’s instructions coincide with what they consider their own best interests.||They are ambitious only in a short range sense: they want much and they want it now. They do not have the patience to plod toward a distant reward.|
|They are naturally clandestine and enjoy secrecy and deception for its own sake.|
The candidate must be considered as a person and the operation as a potential. Possibilities which would otherwise be rejected out of hand can be accepted if the counterintelligence service is or will be in a position to obtain and maintain an independent view of both the double agent and the case.
The estimate of the potential value of the operation must take into consideration whether his service has the requisite personnel, facilities, and technical support; whether running the operation will prejudice other activities of his government; whether it will be necessary or desirable, at the outset or later, to share the case with foreign liaison; and whether the case has political implications.
Types of offensive counterespionage operations
A subject of offensive counterintelligence starts with a loyalty to one service. In these examples:
- Service A: Foreign Intelligence Service (FIS) or non-national group
- Service A1: a client, supporting organization, or ally of A
- Service B: One’s own or an allied service
- Service B1: a client, supporting organization, or ally of B
- Service C: A third country’s service, which, in this context, should be assumed to be neutral.
Double agents and defectors start out being loyal to service B, which immediately creates the potential for emotional conflict. False flag operations also have the potential for conflict, as these operations recruit people who believe they are working for service C, but they have not been told the truth: they are actually working for service A or B, depending on the nature of the operation.
Moles start out as loyal to service A, but may or may not be a trained intelligence officer of that service. Indeed, those that are not trained, but volunteer to penetrate a FIS, may either not understand the risk, or are tremendously brave individuals, highly motivated against Country B and willing to risk its retaliation if their limited preparation reveals their true affiliation.
- Starts in A
- Joins B
- Transmits to A or disrupts operations until leaves or disrupted
Note that some intelligence professionals reserve mole to refer to enemy personnel that personally know important things about enemy intelligence operations, technology, or military plans. A person such as a clerk or courier, who photographs many documents but is not really in a position to explore enemy thinking, is more generically an asset. To be clear, all moles are assets, but not all assets are moles.
One of the more difficult methods involves having the would-be-mole “dangled” – that is luring the adversary intelligence service (or terrorist group) to recruit the opposition’s clandestine intelligence officer who is posing as a “walk-in” (someone who voluntarily offers information) – in the hopes that the adversary will unknowingly take the bait.
Another special case is a “deep cover” or “sleeper” mole, who may enter a service, possibly at a young age, but definitely not reporting or doing anything that would attract suspicion, until reaching a senior position. Kim Philby is an example of an agent actively recruited by Britain while he was already committed to Communism.
A special case is a false-flag recruitment of a penetrator:
- Starts in C
- Believes being recruited by A
- Actually is recruited by B and sends false information to C
An individual may want to leave their service at once, perhaps from high-level disgust, or low-level risk of having been discovered in financial irregularities and is just ahead of arrest. Even so, the defector certainly brings knowledge with him, and may be able to bring documents or other materials of value.
- Starts in A
- Leaves and goes to B
Defector in place
Another method is to directly recruit an intelligence officer (or terrorist member) from within the ranks of the adversary service (terrorist group) and having that officer (terrorist) maintain their normal duties while spying on their parent service (organization); this is also referred to as recruiting an “agent” or defector in place.
- Starts in A
- Stays working in A but reporting to B
Before even considering double agent operations, a service has to consider its own resources. Managing that agent will take skill and sophistication, both at the local/case officer and central levels. Complexity goes up astronomically when the service cannot put physical controls on its doubles, as did the Double Cross Systemin World War II.
From beginning to end, a DA operation must be most carefully planned, executed, and above all, reported. The amount of detail and administrative backstopping seems unbearable at times in such matters. But since penetrations are always in short supply, and defectors can tell less and less of what we need to know as time goes on, because of their cut-off dates, double agents will continue to be part of the scene.
Services functioning abroad—and particularly those operating in areas where the police powers are in neutral or hostile hands—need professional subtlety as well. Case officers must know the agent’s area and have a nuanced understanding of his language; this is an extremely unwise situation for using interpreters, since the case officer needs to sense the emotional content of the agent’s communication and match it with the details of the information flowing in both directions. Depending on whether the operation is being run in one’s own country, an allied country, or hostile territory, the case officer needs to know the relevant laws. Even in friendly territory, the case officer needs both liaison with, and knowledge of, the routine law enforcement and security units in the area, so the operation is not blown because an ordinary policeman gets suspicious and brings the agent in for questioning.
The most preferable situation is that the service running the double agent have complete control of communications. When communications were by Morse code, each operator had a unique rhythm of keying, called a “fist”. MASINT techniques of the time recognized individual operators, so it was impossible to substitute a different operator than the agent. The agent also could make deliberate and subtle changes in his keying, to alert his side that he had been turned. While Morse is obsolete, voices are very recognizable and resistant to substitution. Even text communication can have patterns of grammar or word choice, known to the agent and his original service, that can hide a warning of capture.
Full knowledge of [the agent’s] past (and especially of any prior intelligence associations), a solid grasp of his behavior pattern (both as an individual and as a member of a national grouping), and rapport in the relationship with him.
The discovery of an adversary intelligence officer who has succeeded in penetrating one’s own organization offers the penetrated intelligence service the possibility of “turning” this officer in order to use him as a “double agent”. The way a double agent case starts deeply affects the operation throughout its life. Almost all of them begin in one of the three ways following:
- Walk-in or talk-in
- Detected and doubled, usually under duress
- Provocation agent
- Starts in A
- Recruited by B
- Defects and tells B all he knows (defector)
- operates in place (Agent doubled in place) and continues to tell B about A
False flag double agent
- Starts in A
- Assigned to C
- B creates a situation where agent believes he is talking to C, when actually receiving B disinformation
- Starts in A and is actually loyal to A
- Goes to B, says he works for A, but wants to switch sides. Gives B access to his communications channel with A
- Keeps second communications channel, X with A, about which B knows nothing
- Reports operational techniques of B to A via X
- Provides disinformation from A to B via X
- A does an analysis of C and determines what targets would be attractive to B
- A then recruits citizens of C, which A believes will be more loyal to B
- The A recruit, a citizen of C, volunteers to B
- A can then expose B’s penetration of C, hurting B-C relations.
This may be extremely difficult to accomplish, and even if accomplished the real difficulty is maintaining control of this “turned asset”. Controlling an enemy agent who has been turned is a many-faceted and complex exercise that essentially boils down to making certain that the agent’s new-found loyalty remains consistent, which means determining whether the “doubled” agent’s turning is genuine or false. However, this process can be quite convoluted and fraught with uncertainty and suspicion.
Where it concerns terrorist groups, a terrorist who betrays his organization can be thought of and run as a double-agent against the terrorist’s “parent” organization in much the same fashion as an intelligence officer from a foreign intelligence service. Therefore, for sake of ease, wherever double-agents are discussed the methodologies generally apply to activities conducted against terrorist groups as well.
A double agent is a person who engages in clandestine activity for two intelligence or security services (or more in joint operations), who provides information about one or about each to the other, and who wittingly withholds significant information from one on the instructions of the other or is unwittingly manipulated by one so that significant facts are withheld from the adversary. Peddlers, fabricators, and others who work for themselves rather than a service are not double agents because they are not agents. The fact that doubles have an agent relationship with both sides distinguishes them from penetrations, who normally are placed with the target service in a staff or officer capacity.
The unwitting double agent is an extremely rare bird. The manipulative skill required to deceive an agent into thinking that he is serving the adversary when in fact he is damaging its interests is plainly of the highest order.
For predictive purposes the most important clue imbedded in the origins of an operation is the agent’s original or primary affiliation, whether it was formed voluntarily or not, the length of its duration, and its intensity. The effects of years of clandestine association with the adversary are deep and subtle; the Service B case officer working with a double agent of service A is characterized by an ethnicity or religion may find those bonds run deep, even if the agent hates the government of A. The service B officer may care deeply for the double.
Another result of lengthy prior clandestine service is that the agent may be hard to control in most operations the case officer’s superior training and experience give him so decided an edge over the agent that recognition of this superiority makes the agent more tractable. But add to the fact that the experienced double agent may have been in the business longer than his U.S. control his further advantage in having gained a first-hand comparative knowledge of the workings of at least two disparate services, and it is obvious that the case officer’s margin of superiority diminishes, vanishes, or even is reversed.
One facet of the efforts to control a double agent operation is to ensure that the double agent is protected from discovery by the parent intelligence service; this is especially true in circumstances where the double agent is a defector-in-place.
Like all other intelligence operations, double agent cases are run to protect and enhance the national security. They serve this purpose principally by providing current counterintelligence about hostile intelligence and security services and about clandestine subversive activities. The service and officer considering a double agent possibility must weigh net national advantage thoughtfully, never forgetting that a double agent is, in effect, a condoned channel of communication with the enemy.
Doubled in place
A service discovering an adversary agent may offer him employment as a double. His agreement, obtained under open or implied duress, is unlikely, however, to be accompanied by a genuine switch of loyalties. The so-called redoubled agent whose duplicity in doubling for another service has been detected by his original sponsor and who has been persuaded to reverse his affections again also belongs to this dubious class. Many detected and doubled agents degenerate into what are sometimes called “piston agents” or “mailmen,” who change their attitudes with their visas as they shunt from side to side.
Operations based on them are little more than unauthorized liaison with the enemy, and usually time-wasting exercises in futility. A notable exception is the detected and unwillingly doubled agent who is relieved to be found out in his enforced service to the adversary.
There can be active and passive provocation agents. A double agent may serve as a means through which a provocation can be mounted against a person, an organization, an intelligence or security service, or any affiliated group to induce action to its own disadvantage. The provocation might be aimed at identifying members of the other service, at diverting it to less important objectives, at tying up or wasting its assets and facilities, at sowing dissension within its ranks, at inserting false data into its files to mislead it, at building up in it a tainted file for a specific purpose, at forcing it to surface an activity it wanted to keep hidden, or at bringing public discredit on it, making it look like an organization of idiots. The Soviets and some of the Satellite services, the Poles in particular, are extremely adept in the art of conspiratorial provocation. All kinds of mechanisms have been used to mount provocation operations; the double agent is only one of them.
An active one is sent by Service A to Service B to tell B that he works for A but wants to switch sides. Or he may be a talk-in rather than a walk-in. In any event, the significant information that he is withholding, in compliance with A’s orders, is the fact that his offer is being made at A’s instigation. He is also very likely to conceal one channel of communication with A-for example, a second secret writing system. Such “side-commo” enables A to keep in full touch while sending through the divulged communications channel only messages meant for adversary eyes. The provocateur may also conceal his true sponsor, claiming for example (and truthfully) to represent an A1 service (allied with A) whereas his actual control is the A-a fact which the Soviets conceal from the Satellite as carefully as from us.
Passive provocations are variants involving false-flag recruiting.
In Country C, Service A surveys the intelligence terrain through the eyes of Service B (a species of mirror-reading) and selects those citizens whose access to sources and other qualifications make them most attractive to B. Service A officers, posing as service B officers, recruit the citizens of country C. At some point, service A then exposes these individuals, and complains to country C that country B is subverting its citizens.
The stake-out has a far better chance of success in areas like Africa, where intelligence exploitation of local resources is far less intensive than in Europe, where persons with valuable access are likely to have been approached repeatedly by recruiting services during the postwar years.
Multiply turned agent
A triple agent can be a double agent that decides his true loyalty is to his original service, or could always have been loyal to his service but is part of an active provocation of your service. If managing a double agent is hard, agents that turned again (i.e., tripled) or another time after that are far more difficult, but in some rare cases, worthwhile.
Any service B controlling, or believing it controls, a double agent, must constantly evaluate the information that agent is providing on service A. While service A may have been willing to sacrifice meaningful information, or even other human assets, to help an intended penetration agent establish his bona fides, at some point, service A may start providing useless or misleading information as part of the goal of service A. In the World War II Double Cross System, another way the British controllers (i.e., service B in this example) kept the Nazis believing in their agent, was that the British let true information flow, but too late for the Germans to act on it. The double agent might send information indicating that a lucrative target was in range of a German submarine, but, by the time the information reaches the Germans, they confirm the report was true because the ship is now docked in a safe port that would have been a logical destination on the course reported by the agent. While the Double Cross System actively handled the double agent, the information sent to the Germans was part of the overall Operation Bodyguarddeception program of the London Controlling Section. Bodyguard was meant to convince the Germans that the Allies planned their main invasion at one of several places, none of which were Normandy. As long as the Germans found those deceptions credible, which they did, they reinforced the other locations. Even when the large landings came at Normandy, deception operations continued, convincing the Germans that Operation Neptune at Normandy was a feint, so that they held back their strategic reserves. By the time it became apparent that Normandy was indeed the main invasions, the strategic reserves had been under heavy air attack, and the lodgment was sufficiently strong that the reduced reserves could not push it back.
There are other benefits to analyzing the exchange of information between the double agent and his original service, such as learning the priorities of service A through the information requests they are sending to an individual they believe is working for them. If the requests all turn out to be for information that service B could not use against A, and this becomes a pattern, service A may have realized their agent has been turned.
Since maintaining control over double agents is tricky at best, it is not hard to see how problematic this methodology can become. The potential for multiple turnings of agents and perhaps worse, the turning of one’s own intelligence officers (especially those working within counterintelligence itself), poses a serious risk to any intelligence service wishing to employ these techniques. This may be the reason that triple-agent operations appear not to have been undertaken by U.S. counterintelligence in some espionage cases that have come to light in recent years, particularly among those involving high-level penetrations. Although the arrest and prosecution of Aldrich Ames of the CIA and Robert Hanssen of the FBI, both of whom were senior counterintelligence officers in their respective agencies who volunteered to spy for the Russians, hardly qualifies as conclusive evidence that triple-agent operations were not attempted throughout the community writ large, these two cases suggest that neutralization operations may be the preferred method of handling adversary double agent operations vice the more aggressive exploitation of these potential triple-agent sources.
- Starts out working for B
- Volunteers to be a defector-in-place for A
- Discovered by B
- Offers his communications with A to B, so B may gain operational data about A and send disinformation to A
A concern with triple agents, of course, is if they have changed loyalties twice, why not a third or even more times? Consider a variant where the agent remains fundamentally loyal to B
- Starts out working for B
- Volunteers to be a defector-in-place for A. Works out a signal by which he can inform A that B has discovered and is controlling him
- Discovered by B
- Offers his communications with A to B.
- B actually gets disinformation about A’s operational techniques
- A learns what B wants to know, such as potential vulnerabilities of A, which A will then correct
Successes such as the British Double Cross System or the German Operation North Pole show that these types of operations are indeed feasible. Therefore, despite the obviously very risky and extremely complex nature of double agent operations, the potentially quite lucrative intelligence windfall – the disruption or deception of an adversary service – makes them an inseparable component of exploitation operations.
If a double agent wants to come home to Service A, how can he offer a better way to redeem himself than recruiting the Service B case officer that was running his double agent case, essentially redoubling the direction of the operation? If the case officer refuses, that is apt to be the end of the operation. If the attempt fails, of course, the whole operation has to be terminated. A creative agent can tell his case office, even if he had not been tripled, that he had been loyal all along, and the case officer would, at best, be revealed as a fool.
Occasionally a service runs a double agent whom it knows to be under the control of the other service and therefore has little ability to manipulate or even one who it knows has been successfully redoubled. The question why a service sometimes does this is a valid one. One reason for us is humanitarian: when the other service has gained physical control of the agent by apprehending him in a denied area, we often continue the operation even though we know that he has been doubled back because we want to keep him alive if we can>.
Another reason might be a desire to determine how the other service conducts its double agent operations or what it uses for operational build-up or deception material and from what level it is disseminated. There might be other advantages, such as deceiving the opposition as to the service’s own capabilities, skills, intentions, etc. Perhaps the service might want to continue running the known redoubled agent in order to conceal other operations. It might want to tie up the facilities of the opposition. It might use the redoubled agent as an adjunct in a provocation being run against the opposition elsewhere.
Running a known redoubled agent is like playing poker against a professional who has marked the cards but who presumably is unaware that you can read the backs as well as he can.
Running offensive counterespionage operations
Control is the capacity of a case officer of country B to generate, alter, or halt agent behavior by using or indicating his capacity to use physical or psychological means of leverage. And a case officer working overseas does not control a double agent the way a policeman controls an informer. At best, the matter is in shades of gray. The case officer has to consider that the double from country A still has contact with country B.
Before the case officer pushes a button on the agent’s control panel he should know what is likely to happen next. For example, pressure exerted bluntly or blindly, without insight into the agent’s motivation and personality, may cause him to tell the truth to the adversary as a means of escaping from a painful situation.
The target service (A) inevitably exercises some control over the double agent, if only in his performance of the tasks that it assigns to him. B, in fact, has to be careful not to disrupt the double’s relation with his own service, warning service A of a control. Even if the positive side is being run so poorly that the misguided agent is in danger of coming to the attention of local authorities whose intervention would spoil the CI aspect too, the case officer must restrain his natural impulse to button up the adversary’s operation for him. At the very most, he can suggest that the agent complain to the hostile case officer about insecure practices, and then only if the agent’s sophistication and relationship with that case officer make such a complaint seem normal.
Physical control of the double is likely only with agents captured in war. The best possible outside capture is either to have the double live where he can be watched, or at least work in a place where he can be watched. Control of the agent’s communications is very close to physical control. Communications control, at least partial, is essential: the agent himself is controlled to a considerable extent if his communications are controlled. But even when his communications are completely controlled, a welltrained agent doubled against his will can appear to be cooperating but manage at an opportune moment to send a signal to his own service indicating that he is under duress.
With only partial control, if the agent is in communication with the opposition service through a courier, dead drop, or live drop, some control or surveillance has to be established over these meetings or servicings. The double agent who makes trips in and out of the area where he can be physically controlled presents a multiplicity of problems.
Balancing risk and reward in offensive counterespionage
The nature and value of the double agent’s functions depend greatly on his personal ability as well as on his mission for the other service. He can always report on the objectives and conduct of this mission and possibly more broadly on the positive and counterintelligence targets of the other service or on its plans. If he is skillful and well trained, he can do valuable work by exploiting the weaknesses of others: all intelligence officers of any service, despite their training, have some weaknesses.
One’s own side may triple an agent, or turn even more times than that. With each turn, the chances of deception increase, so in such operations, the quality of the agent’s services needs to be checked constantly. If the agent no longer elicits trust, he might be offered exfiltration if in a foreign country. He might be retired and given an advisory position where he handles no secrets, but might be useful as an occasional reference.
A rare agent may actually understand the thinking of the highest levels of government policy. This may not be purely a matter of his assignment; Oleg Penkovsky had social ties to high-ranking generals.
An agent, who has been with his service any appreciable time, will be able to provide a good deal of information on the practices, and possibly resources, of his FIS. Other than for the most important of agents, a service is not apt to invent new communications techniques, either for hard-copy passed by dead drop or courier, or for electronic transmission. Information on capabilities comes indirectly, from the level of technology and manufacturing quality with the country-specific equipment with which he was provided.
Some agencies, however, make a point of providing their agents with “sterile” equipment obtained commercially from third countries. If that is their pattern, it may become obvious only if multiple agents are compared at the national CI level. A sufficiently sophisticated agency may obtain different third-country equipment for different agents, leaving the operational instructions as the only detail that may establish a pattern.
The double agent serves also as a controlled channel through which information can be passed to the other service, either to build up the agent in its estimation or for purposes of deception. In the complex matter of deception we may distinguish here between
- operational deception, that concerning the service’s own capabilities, intentions, and control of the agent, and
- national deception, that concerning the intentions of the controlling government or other components of it.
National deception operations are usually very delicate, frequently involving the highest levels of the government, and therefore require prior coordination and approval at the national headquarters level.
The double agent channel can be used by the controlling service to insert data into the mechanisms of the other service with a number of possible objectives—for example, to detect its activities in some field. The inserted material is designed to induce certain actions on the part of the other service, which are then observed through another operation or group of operations. The material has to be designed very skillfully if it is to deceive the other service and produce the desired reactions. Such a situation might arise if a case officer handling several operations wanted to set up still another and needed to find out in advance what the pertinent operational pattern was.
Running the operation: do’s and dont’s
The following principles apply to the handling of all double agent operations in varying degrees. In composite they form a check-list against which ongoing operations might be periodically reviewed—and given special examination with the appearance of danger signals.
Monitoring, testing and managing the double agent
“Testing is a continuous process.” In accordance with the doctrine in force, use your own, or assistance from psychological specialists, look for changes in motivation. Where appropriate, use a polygraph or newer techniques for detecting emotional stress. Without revealing the penetration, cross-check the information from the agents, including technical analysis of documents and equipment, surveillance, and further research into verifying the agent’s story (i.e., “legend” in tradecraft) While “name traces cannot be run on every person mentioned by the agent, do not be stingy with them on persons who have familial, emotional, or business ties with him” in verifying his legend.
T, but only as a double.” Improve his own security and cover as a double. Do not, however, improve his intelligence collection skills. The hostile service might make use of information that he collects independently, or they may become suspicious if his skill and reporting suddenly improve. If he has been a bad speller in his reports to his service, don’t volunteer to copy edit!
“Require the agent to report and, as security permits, turn over to you everything he gets from the other side: money, gifts, equipment, documents, etc.” This is a delicate balance. If he thinks he doesn’t have to report something to you, he can become confused about who gets what. At the same time, use judgment to keep him motivated. Rather than confiscating payments to him, you might deposit them in a third-country bank account of which he is aware, and that he can access on termination.
“Prepare all briefings carefully.” Teaching him resistance to interrogation may improve his security, but it also may make his service suspicious if his manner, to them, changes.
“Keep analyzing the agent as well as the case.” Labels such as “anti-Communist”, “militant Jihadi”, “morally offended by own side” can oversimplify and interfere with your own understanding of his thinking.
“Review the case file periodically.” Always be thinking if the situation would be improved with improvements in your cover, his cover, or the cover for the operational techniques. Think about how new facts validate or invalidate the old. You may be able to ferret out the real priorities of the opposition with a historical perspective, looking at what they told him to follow up out of his reporting.
“Decide early in the operation how it will be terminated if the need arises.” The last thing you want to do is leave an angry agent in place, in a hostile service. Transfer him to another case officer or allied agency, or arrange his escape to your side.
Managing expectations of the hostile service
“Mirror-read” Constantly think about the operation as if you were in the opposing service. Think about what they are receiving from your agent, their satisfaction with it, and their perception of the agent and his capabilities. Do not assume the other side thinks as your service does, a special risk for the United States. The US tends to rely more on technical collection and OSINT than many other world services; the USSR regarded espionage as the most important collection technique, even when they could have used OSINT to collect the same information.
“Be careful about awakening in the hostile service an appetite which cannot later be satisfied without giving away too much.” Do not give the agent material, attractive to the other service, but that they might realize he could not have obtained on his own. As long as you are monitoring what he collects before sending it to the other side, let him operate in his own way. By letting him do this, you may detect vulnerabilities that have been missed by your own service, but you can stop the material being sent, or create appropriate disinformation.
“Avoid interference.” Let the other service solve—or not solve—agent problems in their usual manner. For example, if the agent is arrested, do not immediately and visibly intervene. In such a situation, the other side may expose additional resources either to support the agent or to provide alternate means of collection. This can always be explained to the agent, with some truth, that you are not giving obvious help to protect his security to his own service.
“Be constantly alert for hostile provocation”. If the agent reports a crisis with his service, do not take it at face value; always look for the plot within a plot, but keep perspective. The opposition are not supermen.
“If the adversary appears to be a Satellite [client] service”, do not forget that the more powerful organization may not be pulling the strings. A local ideological terror group may well be receiving direction from a distant transnational group. Consider the possibility of false-flag agents in such circumstances.
Protecting your own service
“Report the case frequently, quickly, and in detail.” The FIS has a headquarters staff looking globally for penetrations; why should you not take advantage of your central resources? “Only timely and full reporting to your headquarters will permit it to help you effectively.” Keep a full record, including dates, of all adversary assignments given the agent.
“Keep precise records” of any of your own side’s classified material fed to the agent. Both for protecting your service and yourself, keep careful notes about who approved the release.
“Do not plan a deception operation or pass deception material without prior headquarters approval.”
“Do not reveal your service’s assets or CI knowledge to a double.” It is vital that double agents be run within the framework of their own materials—the information which they themselves supply. The more you keep from an experienced double the information he should not have, the more he will be reassured that his own safety is in good hands.
“Do not run the operation in a vacuum.” Be aware of any political implications that it may have, locally or internationally. Ask for advice when you aren’t sure.
“If the operation is joint, weigh, its probable effect upon the liaison relationship.” What should you do if the joint service(s) change their priorities?
- Johnson, William R. Thwarting Enemies at Home and Abroad: How to Be a Counterintelligence Officer (2009)
- Bibi van Ginkel,Towards the intelligent use of intelligence: Quis Custodiet ipsos Custodes? (International Centre for Counter-Terrorism – The Hague, 2014)
- Irregular Warfare
- List of Counterintelligence Organizations
- Smersh (Soviet counter-intelligence, abbreviation of the phrase “Smash Spies”)
- X-2 Counter Espionage Branch
- The Institute of World Politics
- Executive Order 12333. (1981, December 4). United States Intelligence Activities, Section 3.4(a). EO provisions found in 46 FR 59941, 3 CFR, 1981 Comp., p.1
- Lowenthal, M. (2003). Intelligence: From secrets to policy. Washington, DC: CQ Press.
- “Counterintelligence Investigations”. Retrieved 2008-05-08.
- Archick, Kristen (2006-07-24). “European Approaches to Homeland Security and Counterterrorism” (PDF). Congressional Research Service. Retrieved 2007-11-05.
- Dulles, Allen W. (1977). The Craft of Intelligence. Greenwood. ISBN 0-8371-9452-0. Dulles-1977.
- Wisner, Frank G. (1993-09-22). “On “The Craft of Intelligence””. CIA-Wisner-1993. Retrieved 2007-11-03.
- Matschulat, Austin B. (1996-07-02). “Coordination and Cooperation in Counerintelligence”. Retrieved 2007-11-03.
- “Joint Publication 3-07.1: Joint Tactics, Techniques,and Procedures for Foreign Internal Defense (FID)” (PDF). 2004-04-30. Retrieved 2007-11-03.
- “National Counterintelligence Executive (NCIX)” (PDF). 2007.
- Suvorov, Victor (1984). “Chapter 4, Agent Recruiting”. Inside Soviet Military Intelligence. MacMillan Publishing Company.
- US Department of the Army (1995-10-03). “Field Manual 34-60: Counterintelligence”. Retrieved 2007-11-04.
- Gleghorn, Todd E. (September 2003). “Exposing the Seams: the Impetus for Reforming US Counterintelligence” (PDF). Retrieved 2007-11-02.
- US Department of Defense (2007-07-12). “Joint Publication 1-02 Department of Defense Dictionary of Military and Associated Terms” (PDF). Retrieved 2007-10-01.
- Imbus, Michael T (April 2002). “Identifying Threats: Improving Intelligence and Counterintelligence Support to Force Protection” (PDF). USAFCSC-Imbus-2002. Retrieved 2007-11-03.
- Joint Chiefs of Staff (2007-06-22). “Joint Publication 2-0: Intelligence” (PDF). US JP 2-0. Retrieved 2007-11-05.
- Intelligence Community Staff (12 April 1990). “Project Slammer Interim Progress Report”. Retrieved 2007-11-04.
- Stein, Jeff (July 5, 1994). “The Mole’s Manual”. New York Times. Retrieved 2007-11-04.
- Security Policy Advisory Board (12 December 1997). “Security Policy Advisory Board Meeting Minutes”. Retrieved 2007-11-04.
- “Canadian Forces National Counter-Intelligence Unit”. 2003-03-28. Canada-DND-DAOD 8002-2. Retrieved 2007-11-19.
- “Security Intelligence Liaison Program”. 2003-03-28. Canada-DND-DAOD 8002-3. Retrieved 2007-11-19.
- Begoum, F.M. (18 September 1995). “Observations on the Double Agent”. Studies in Intelligence. Retrieved 2007-11-03.
- Brown, Anthony Cave (1975). Bodyguard of Lies: The Extraordinary True Story Behind D-Day.
|Wikimedia Commons has media related to Counter espionage.|