Thursday, 31 October 2013

Counter-Espionage 101

Hello once again,

The following post contains some basic information about Counter-Espionage and Counter-Intelligence operations. I will try to cover a few basics and hopefully this will be useful to players whose characters have experience within this arena. Tradecraft will be covered in detail in a later post.

First of all, a little bit of background using the UK Security Service (MI5) as an example...

Current Focus of Intelligence Resources (Post-Cold War)

UK Security Service (MI5) Resources in Main Intelligence Areas (%)

Main Intelligence Area

- of which International
- of which Irish & Other Domestic
Serious Crime
Emerging Threats
(Sources: MI5, The Security Service (London, HMSO, 1996) and
This pattern of funding shows the shift in focus of Western intelligence agencies in the post-Cold War era: from preventing Soviet-era spying to terrorism and organised/serious crime in more recent times. As the Cold War wound down and the Troubles in Northern Ireland came to a conclusion, the available funding dropped. After 9/11 and 7/7 overall intelligence funding generally increased to a level higher than during the Cold War. This reflects the cost of an increased reliance on high technology (for Signals Intelligence, or SIGINT, collection) as well as the difficulty of securing inroads into terrorist and criminal organisations.

Modern Human Intelligence (HUMINT) C-I work still concentrates on the same Main Intelligence Areas as shown above but “non-state actors” are now a primary target for these activities. Counter-Intelligence officers may be expected to carry out the same operations as before but against organised criminal groups and terrorist organisations rather than enemy intelligence agencies.

Counter-Intelligence operations are carried out with the intent of preventing opposition forces from carrying out subversive activity, acts of sabotage, irregular warfare or intelligence gathering within the agency's home nation. Wikipedia's list of national counter-intelligence agencies is comprehensive and shows who is responsible for what and where.

C-I work is often subject to political and economic restrictions. It is not possible to watch everyone constantly, and the balance between security and openness swings from one side to the other. Even the East German Stasi, which ran the most well-resourced and thorough counter-intelligence network in history, could not cover every base. More recently the Snowden revelations about the NSA, shocking as they were to many, show that even the best-resourced agency can closely watch only a very small percentage of the global population.

C-I activities that take place within the home nation must be legally authorised to take place. Clearly, this is not always the case and laws are broken and bent both with official knowledge and without. Individuals working for the NSA have been caught out looking up SIGINT on current and previous romantic partners (so called LOVEINT). This is clearly not something that senior officers condone but in certain instances it is not unknown for rules to be circumvented if they impede ongoing activities.

Agencies must report on ongoing operations to their oversight bodies (e.g. the House Permanent Select Committee on Intelligence in the United States or the Intelligence and Security Committee of Parliament in the UK). There are many instances where intelligence agencies have revealed operations to these bodies only after the fact, usually with the explanation that reporting in advance would have compromised the speed or secrecy of the operation. This is tolerated so long as the operations are reported within a reasonable period afterwards.

Defensive and Offensive Counter-Intelligence

C-I work has two different focuses: protecting classified intelligence (Defensive) and detecting, identifying and neutralising opposition intelligence gathering (Offensive).

Defensive operations primarily involve ensuring that appropriate security measures are in place and that they are used consistently. Ensuring the use of secure communications, protecting secure locations and deception are the hallmarks of Defensive C-I.

Offensive C-I is arguably more involved, as rather than relying on passive measures the C-I agency must actively pursue the enemy to reduce or remove threats. Offensive SIGINT C-I may involve locating and identifying agents through Direction Finding (DF) or interception of their communications. Ana Montes, the DIA analyst arrested in 2001 for spying on behalf of Cuba, received her instructions as encrypted number groups broadcast by a Cuban numbers station on shortwave; the shortwave radio and the decrypted messages recovered from her laptop were central to the case against her.

Offensive HUMINT Counter-Intelligence techniques focus on identifying enemy agents and their motivations, with the end goal of either turning them to one's own cause or removing them as a threat. This can be done by declaring them persona non grata and forcing a return to their country of origin (normally the case with Official Cover agents, e.g. embassy staff) or arresting them for what is essentially criminal activity (recruited assets or Non-Official Cover agents, NOCs). In more extreme cases, rendition or assassination are options that may be considered.

Defensive Counter Intelligence Techniques

Signals Intelligence (SIGINT) Defensive C-I is primarily concerned with maintaining Communications Security (COMSEC). This revolves around making sure that communications involving restricted material are kept secure from physical or electronic interception: maintenance of communications hardware and software, cryptography, and Emissions Security (EMSEC), e.g. making sure that hardware does not radiate information that can be picked up by TEMPEST equipment. The Wikileaks and Snowden cases indicate that the weakest part of SIGINT C-I work is usually the human element (see HUMINT below).

Imagery Intelligence (IMINT) Defensive C-I involves camouflaging military or secure civilian installations so that they appear to be something else. It may also involve using mocked-up vehicles to suggest a military build-up and draw attention away from genuine operations.

Human Intelligence (HUMINT) Defensive C-I is the act of monitoring your own agents for signs of subversion allowing preventative measures to be employed. If the agent’s motivation for turning can be established then these motivations can be nullified and allow for false information to be passed on to the enemy.

Offensive Counter Intelligence Techniques

Offensive HUMINT CI involves identifying and subverting enemy agents allowing the C-I operative to funnel back false information to the enemy. This work also includes surveillance, wire-tapping, infiltration of subversive organisations, psychological operations and turning opposition agents into double agents. Less scrupulous C-I activities include interrogation and torture, using agent provocateurs, breaking and entering and planting evidence.

One of the techniques used to identify enemy recruits within one's own organisation is known as the "canary trap". Each suspected leaker is given what appears to be the same intelligence package, but each copy contains a detail or wording unique to that recipient. When the leak surfaces, the unique detail in the leaked copy identifies which recipient breached security. The trap only works if the copies are distributed and recorded carefully, and it can be defeated by a leaker who paraphrases the material or by two recipients who compare their copies.
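The following is an added example, not part of the original post, showing the mechanics of a canary trap in code. The briefing text, the interchangeable phrasings and the recipient names are all constructed for illustration. Each variation point in the document has several equivalent wordings; the choice made at each point encodes one digit of the recipient's number, so the wording of a leaked copy can be read back to its recipient. The decoder also handles the failure mode mentioned above: if a leaker has paraphrased a variation point away, or a copy has been tampered with so that two wordings appear, that digit is left open and the decoder returns every recipient still consistent with the text rather than naming the wrong one.

```python
"""Canary trap: give each suspect a uniquely worded copy of the same
document, then read the wording of a leaked copy back to its recipient.
Added example with constructed text; not from the original post."""
import itertools
import re

# Constructed sample briefing. Each {n} is a variation point whose wording is
# chosen from VARIANTS[n]; the choice at each point is one digit of the
# recipient's identifier written in mixed radix.
BASE_TEXT = (
    "The asset will be {0} on Friday. Movement is arranged by the {1} desk. "
    "The package is to be delivered {2}."
)
VARIANTS = (
    ("exfiltrated", "extracted", "withdrawn"),
    ("logistics", "travel", "transport"),
    ("in person", "by hand", "personally"),
)


def capacity():
    """Number of distinct copies the variation points can produce (3*3*3 here)."""
    total = 1
    for options in VARIANTS:
        total *= len(options)
    return total


def encode(recipient_index):
    """Build the copy for recipient_index: one mixed-radix digit per variation point."""
    if not 0 <= recipient_index < capacity():
        raise ValueError("recipient index out of range for this document")
    choices = []
    remaining = recipient_index
    for options in VARIANTS:
        choices.append(options[remaining % len(options)])
        remaining //= len(options)
    return BASE_TEXT.format(*choices)


def decode(leaked_text):
    """Return every recipient index consistent with the leaked wording.

    A variation point whose wording is recognised pins one digit. A point that
    was paraphrased away (no option present) or tampered with (several options
    present) leaves that digit open, so the result widens to a list of
    candidates instead of silently naming the wrong recipient.
    """
    text = leaked_text.lower()
    digit_choices = []
    for options in VARIANTS:
        present = [
            i for i, phrase in enumerate(options)
            if re.search(r"\b" + re.escape(phrase) + r"\b", text)
        ]
        digit_choices.append(present if len(present) == 1 else list(range(len(options))))
    candidates = []
    for digits in itertools.product(*digit_choices):
        index, weight = 0, 1
        for digit, options in zip(digits, VARIANTS):
            index += digit * weight
            weight *= len(options)
        candidates.append(index)
    return sorted(candidates)


def distribute(recipients):
    """Hand out one unique copy per recipient; returns {name: text}."""
    if len(recipients) > capacity():
        raise ValueError("more recipients than distinguishable copies")
    return {name: encode(i) for i, name in enumerate(recipients)}


def identify(leaked_text, recipients):
    """Map a leaked copy back to the recipient names it could have come from."""
    return [recipients[i] for i in decode(leaked_text) if i < len(recipients)]


if __name__ == "__main__":
    # Constructed suspect list; six suspects, twenty-seven distinguishable copies.
    suspects = ["Alpha", "Bravo", "Charlie", "Delta", "Echo", "Foxtrot"]
    copies = distribute(suspects)
    leaked = copies["Foxtrot"]
    print(identify(leaked, suspects))                      # ['Foxtrot']
    paraphrased = leaked.replace("in person", "face to face")
    print(decode(paraphrased))                             # [5, 14, 23]
    print(identify(paraphrased, suspects))                 # ['Foxtrot']
```

Three variation points with three wordings each give 27 distinguishable copies; adding a point multiplies the capacity. The example keeps recipient numbers small relative to that capacity, which is why a single paraphrased point still narrows the paraphrased leak to one suspect. Nothing here defends against collusion: two recipients who diff their copies will find the variation points immediately, which is why real traps spread the unique details thinly and vary them in ways that are hard to spot by comparison.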

The old adage of “the best defence is a good offence” is also applicable when looking at Offensive C-I operations. By infiltrating your own agents within the enemy organisation you can find out what they know about your own operations. Some of the highest value recruits in espionage history have been agents within the enemy’s own C-I infrastructure.

Falsely planting evidence that you have penetrated this structure is another way to damage the enemy's ability to function efficiently. The CIA Chief of Counter-Intelligence from 1954 to 1975, James Jesus Angleton, was obsessed with the idea of a mole within the CIA, and his single-minded hunt for this infiltrator sowed mistrust and confusion within the organisation for many years.

Criminal Counter Espionage

The David Cronenberg film "Eastern Promises" shows the method by which criminal groups carry out their own unique counter-espionage activities. Vory v Zakone ("Thieves in Law") are tattooed with their prison history, including the terms they have served and where they served them. In the film it is mentioned that the main character has twin cross tattoos, which show he served a term at Kresty ("Crosses") Prison in St. Petersburg.

Giving an agent a "passport" of tattoos is not something intelligence agencies (or their recruits) are willing to do, and so criminal groups like the Russian Bratvas, the Japanese Yakuza and Neo-Nazi gangs often use this to keep infiltrators out. Very few spies would be willing to have a swastika tattooed on their neck, which significantly reduces the risk of investigators gaining access to the group.

Criminal gangs which require recruits to be "blooded" are also difficult to break into. The expectation that gang recruits actually commit criminal acts is a difficult sell to intelligence agencies. It might be easy for an agency to authorise an agent to take part in a theft or an act of non-lethal sabotage, but murder would be an impossible hurdle to cross (with the small possible exception of targeting a known criminal or enemy of the state). Criminal gangs in the US have been known to use this technique in the knowledge that infiltrators will not be able to carry out the request and remain untarnished.

As a result of these criminal counter-espionage techniques, agent handlers will try to recruit targets within the enemy organisation using the MICE technique (see below) to identify potential operatives. This is particularly the case with ethnically homogenous groups which may otherwise prove extremely difficult to infiltrate. Informers and recruited agents alike may be given more leeway than a direct employee of the agency with a promise of immunity for acts committed during the course of investigations.

Agent Motivation and Viability

HUMINT agent handlers are known as Case Officers (COs) and their role is a combination of psychologist, actor, confessor, interrogator, and Human Resources manager. They must identify assets that can be turned to the CO's benefit and use the acronym "MICE" as a simplistic way to describe agent motivation -

(M)oney - the target simply works for financial gain. 
(I)deology - the target identifies with different objectives than those of the group they are supposedly loyal to.
(C)oercion - the target is forced into working for the enemy by threats to themselves or those around them.
(E)go - the target believes themselves to be superior to those around them and chooses to work for the enemy to prove how much smarter they are.

Historically most agents recruited from within US agencies have been lured initially by either Ego or Money. Once hooked, the agent may become a victim of Coercion: if you have given the enemy information in exchange for money they can turn a trickle into a stream by threatening to inform on you to your home agency. This technique can backfire, as a threatened agent may decide to own up to their actions and become a triple agent, feeding disinformation to their handler.

In the UK, the most famous group of double agents, the Cambridge Five, were motivated primarily by Ego and Ideology. Sharing distrust and hatred of right-wing fascism, the group decided that their best way to fight encroaching fascism within and without the UK and Europe would be to approach the Russians. Ego was certainly a part of it as well. These elite intellectuals saw themselves as above those around them and the Soviets pandered to this ably.

Both the SVR, Russia's external intelligence agency, and Mossad, the Israeli intelligence service, are well known for using attractive women to bait targets in "Honey Trap" operations. Once the target has taken the bait they may use Coercion, either threatening to reveal the relationship to damage the standing of the recruit or pretending to hold the "loved one" until the agent cooperates. Coercion can involve more direct threats to a person's wellbeing or other loved ones or the revelation of information about the individual’s personal life which may be embarrassing. Until fairly recently this was often the reason why homosexuals were considered security risks (see Security Vetting below).

Agent viability is based on the answers to a few simple questions -
  • What information has the recruit volunteered about themselves and what have they withheld?
  • Can the recruit remain stable under a high degree of stress?
  • What intelligence value can be gained by recruiting this agent?
  • Are they currently trusted by their own group?
  • Can the CO maintain strict control over all communications with the recruit?
The perfect agent is honest and up-front with the CO about the reasons they are turning against their employers, is currently trusted by their own group, has the strength of mind to deal with stress, has continued access to high-value intelligence and is willing to send or receive information only under the strictest circumstances as established by their CO.

Few agents are perfect and in certain situations negative or imperfect answers to these questions would not prevent the agent's recruitment. A good example would be a potential recruit with low current trust amongst their peers or a reduced ability to cope with stress. If they had access to extremely high value intelligence they might be offered the option of extraction. Their value as an agent in place would be low, but the payoff of immediate access to high value data before the opposition remove their access would easily outweigh this.

Once the recruit's viability has been established the CO will contact them, usually through a "cut-out", offering financial support, basic training in tradecraft, extraction options (where appropriate) etc.

It should be noted that counter-intelligence officers do not normally infiltrate groups themselves. The idea of handing over a trained professional with knowledge of one's own tactics and capabilities to an enemy is too high a risk. More detailed information on Case Officers and agent handling will be covered in the Tradecraft post.

Security Vetting

Baseline/Positive/Negative Vetting
Baseline, Negative and Positive Vetting are the processes whereby agencies establish the security bona fides of recruits and of anyone who will have access to classified material, up to TOP SECRET (TS) and compartmented or special-access ("codeword") information. The names and classification levels used below are the Australian Government ones (the UK equivalents are BPSS, SC and DV; the US uses Confidential, Secret and Top Secret clearances with separate SCI or SAP read-ins), but the principle is the same everywhere: the higher the access, the deeper the check.

Baseline Vetting (BV) is required for any role which requires access to PROTECTED information and involves a very basic 5-year background check, psychological interview, providing certified copies of birth certificate, passport etc. Applicants may be expected to provide relationship information, whether they have used recreational drugs etc.

Negative Vetting (NV) involves a higher degree of detail and is required for access to PROTECTED, CONFIDENTIAL and SECRET information. Applicants may be required to provide personal information going back up to 10 years along with a psychological interview and certified documentation (birth certificate, passport, driving licence etc.). You may also be required to provide at least 10 years of evidence that you are who you say you are, as well as 3 years of banking records. Any foreign nationals you have had contact with will also be noted. With NV the information is taken at face value, i.e. the check looks for adverse information but otherwise assumes that the applicant is telling the truth.

Positive Vetting (PV) is the more detailed level and can take anything from 2 to 12 months (average is 10 months) to complete. Clearing PV allows access to PROTECTED, CONFIDENTIAL, SECRET, TOP SECRET and TS/SAP. During this period the recruit will not be allowed alone within the agency building, even during bathroom breaks. PV requires the same level of detail as NV but in addition may include interviews with friends and family, school records and previous employment records. Nothing is left to chance and all provided information is verified.

The main difference between Negative and Positive Vetting is that in Positive Vetting nothing you provide is accepted until it has been independently verified.