Saturday, 2 November 2013

We Know *Tradecraft* So You Don't Have To...

"In the city always a reflection, in the woods always a sound."
"What about the desert?"
"You don't want to go in the desert."
- Spartan, 2003

Hello once more!

It is time for the promised Tradecraft post and there's a lot to cover! The highest degree of Tradecraft during the Cold War was known as the Moscow Rules, so named because they allowed an agent to operate within the extreme conditions of the heart of the Soviet Empire (conversely, Russian agents referred to the "Washington Rules").

Agent Handling

Identification of Potential Recruits
The Counter-Espionage 101 post covers the basics of identifying and assessing potential recruits.

Agent Value
Agent value is assessed by looking at the amount, quality, reliability and utility of the data they are providing. It is also context dependent. Having every bit of data about the amount of diesel fuel used by the 3rd Tank Division isn't necessarily useful in peacetime but just before the ground war kicks off it is helpful to know how far that Division can move before it must stop for resupply.

Short Term vs. Long Term
Agents may change between short and long term during their tenure, depending on external pressures, access to documentation, internal suspicions etc. Any of these may switch an agent from one type to the other. Long Term agents are obviously preferred as continued access is always better than a quick glance. High stress, or Counter-Intelligence operatives closing in on the agent, may lead to a request to extract the agent.

Agent Extraction
In real life, agent extraction is quite rare. Sending a team of heavily armed Navy SEALs in a Los Angeles-class sub to Arkhangelsk to meet an agent on a starlit shoreline is certainly likely to be action packed but is politically and financially not so bright. Agents can self-extract by crossing a border to a friendly nation, could be smuggled out by a small team or individual or, in more extreme cases (and where subtlety is no longer required), even by using a Fulton STARS system.

Most importantly, extraction must at least be attempted so that future agents will have heard that you tried. Recruitment is a lot easier if you can show the agent that you have a suitable retirement plan that doesn't involve two in the back of the head and a shallow grave in the woods outside town.

After Extraction
Once an agent is extracted they will be debriefed. This is a long and time consuming process as every interaction, every little bit of knowledge, is noted and cross checked. Whilst the agent may have provided technical specifications on a new nuclear warhead design, trivial things like knowing that his boss always takes a specific route to work or that two of his colleagues are having an affair give the agency additional opportunities to recruit new agents or exploit this knowledge.

The now ex-agent will be given a new official identity (similar to Witness Protection programs), a lump sum of money and a small stipend, and otherwise will be left out to pasture. A lot of agents cannot cope with the boredom and find themselves wasting away. Alcoholism or drug dependency are disturbingly common for those who have undergone such stressful events. Others may write memoirs, go on lecture tours and find a new life away from the game. It may even be possible to lure them back if one knew where to look and how best to exploit their inactivity.

Agent Role

Agent Provocateur
An agent whose job is to act as an attractor to possible enemy agents, thus preventing their recruitment by the opposition.

Defector
Someone who wishes to be extracted immediately. One of the most famous defectors was Stalin's daughter, who defected to the US in India in 1967. Defectors may bring information or (as in the case of Svetlana Stalin) political benefits that considerably outweigh any actual intelligence they bring.

Double/Triple Agent
An agent whose actual loyalty appears to belong to one agency but in fact belongs to an alternate agency. A double agent appears to work for Group A but in fact works for Group B. A triple agent professes to work for Group B against Group A but in fact does work for Group A providing a conduit for false information against Group B.

Sleeper Agent
An agent that is trained and then left in place with the expectation that they will find employment with an opposition intelligence source. On receipt of a specific signal the agent is reactivated and begins to work for their agency.

Walk In
An agent that turns up and offers their services without being sought out.

Black Bag Operations

Originally an FBI term, these are jobs that involve breaking into denied locations with the intention of stealing, copying or planting evidence. These jobs require skills normally associated with thieves such as safecracking and lockpicking. During World War II, the Special Operations Executive went to the Police to find out who could teach them how to break into places of interest. The police recommended several expert burglars and safecrackers who then proceeded to impart their knowledge to the agents.

Without going into too much detail, the burglars must ascertain the following -
  • The number and habits of occupants (i.e. meal times and times of arrival and departure).
  • Covert lines of approach and retreat (avoiding lawns and grass borders, gravel, flower-beds, dust, dirt and mud).
  • Identify if pets are present.
  • Type and number of windows and doors.
  • Type of locks and whether key can be gained via insider (maid, workman, gardener, janitor, clerk, receptionist etc).
  • Location for external observation by lookout.
Once these questions have been answered the operation can take place. Generally two or three people are best, with two inside and one outside as lookout. One person designated the leader has the job of searching the location; the secondary is responsible for ensuring objects are returned to their original positions, holding lights, lock-picks etc. Windows can be broken so long as it is done with a single blow. One crack will wake the occupants, two will cause them to investigate. Windows are to be taped with duct tape top to bottom and side to side and then struck once in a top corner. The glass will crack and break but, because of the tape, will not shatter loudly.

The lookout must be in a location that is not obvious (bus stops are ideal assuming public transport runs in the area at the appropriate time). The lookout's job is to watch for police or occupants returning home (an occupant can be identified if they begin to check their pockets for keys as they approach). The signal should be simple but prearranged. One option is setting off the alarm on the parked getaway car. This will provide the two inside with sufficient warning and also act as a distraction to the approaching occupant.

Internally the two burglars should communicate without speaking as much as is possible. Light should also be kept to a minimum, using either red filters for torches or night vision equipment. Gloves should always be worn and care must be taken to avoid leaving other trace information. A delaying action should be taken in each room just in case. This may involve locking a door, placing furniture in front of it etc. This allows the burglars to escape in case they are caught unawares. If the location of the fuse box can be identified, turning all the house lights off here will also give the agents sufficient time to react should an occupant return. The burglars should start in one specific location and move around the room in a single direction.

Once the job is complete agents should leave one at a time, the secondary moving first and meeting up with the lookout. The vehicle can be started and if they are not interrupted then the leader will make their way to the vehicle, enter and make off. Alternatively, agents can split up and make their own way to a rendezvous point. This second method allows them to shake any surveillance tails.

Codes, Cryptography and Steganography

I will be covering codes and cryptography at a later date as it is a huge topic. Currently, there is much discussion as to whether RSA public key crypto has been broken by the NSA. Let's assume the worst and that it has been. In this case the best solution is the One Time Pad (OTP). An OTP is a substitution cypher that uses entirely random letters and is therefore unbreakable by frequency analysis. The only ways to recover information encoded with an OTP are to obtain a physical copy of the pad or to exploit letters within the pad that are not actually random.
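As an added illustration (not from the original post) of why the pad must be genuinely random and used exactly once: a letter-based OTP in Python, followed by what an analyst sees when the same pad sheet is reused for two messages, which is one way the pad letters stop being "actually random". The pad and the messages are constructed for the example.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase  # classic pads work on the 26 letters only


def generate_pad(length):
    """Draw pad letters from the OS CSPRNG. A pad made from a book, a poem
    or a hand-typed 'random' sequence is not random, and that is the
    weakness the post mentions."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _letters_only(text):
    # Strip spaces and punctuation and upper-case, as an agent would
    # before looking up pad letters.
    return "".join(c for c in text.upper() if c in ALPHABET)


def otp_encrypt(plaintext, pad):
    msg = _letters_only(plaintext)
    if len(pad) < len(msg):
        # Never stretch or recycle a pad: one pad letter per message letter.
        raise ValueError("pad shorter than message")
    return "".join(ALPHABET[(ALPHABET.index(m) + ALPHABET.index(k)) % 26]
                   for m, k in zip(msg, pad))


def otp_decrypt(ciphertext, pad):
    return "".join(ALPHABET[(ALPHABET.index(c) - ALPHABET.index(k)) % 26]
                   for c, k in zip(ciphertext, pad))


def letter_difference(a, b):
    """Letter-by-letter (a - b) mod 26 over two equal-length strings."""
    return "".join(ALPHABET[(ALPHABET.index(x) - ALPHABET.index(y)) % 26]
                   for x, y in zip(a, b))


def pad_reuse_leak(c1, c2):
    """What a cryptanalyst computes when two ciphertexts were made with the
    same pad sheet: C1 - C2 = (P1 + K) - (P2 + K) = P1 - P2. The pad cancels
    out entirely, so the analyst is now attacking plaintext against
    plaintext, with frequency analysis and probable words back in play."""
    return letter_difference(c1, c2)


if __name__ == "__main__":
    pad = "XMCKL"                     # constructed five-letter pad sheet
    c1 = otp_encrypt("hello", pad)    # -> EQNVZ
    c2 = otp_encrypt("world", pad)    # same sheet again: the mistake
    print(c1, c2)
    assert otp_decrypt(c1, pad) == "HELLO"
    # The leak equals the difference of the two plaintexts, pad-free.
    assert pad_reuse_leak(c1, c2) == letter_difference("HELLO", "WORLD")
    print("reuse leaks P1 - P2 =", pad_reuse_leak(c1, c2))   # LQUAL
```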

Steganography -
Steganography or "hidden writing" refers to data that has been concealed from view. The data may be clear or encrypted but its concealment adds to the difficulty of interception and discovery.
Examples -
  • Melting a wax tablet, writing a message on the backing then pouring wax back over the tablet.
  • Shaving a messenger's head, tattooing a message on the bare skin and then allowing the hair to be re-grown before sending them on their way. Useless in instances where speed is of the essence. Also a tad permanent for the messenger.
  • Concealing files within a JPEG.
  • Microdot transmission.

Cut Outs

When dealing with agents a Case Officer may avoid direct contact after the initial meeting where instructions are given. The CO will normally take a step back and run the agent through a "cut-out". A cut-out is not always an intermediary person, it can be computer software or a physical dead drop. What it represents is putting a layer of deniability between the CO and their agent. See the example of tradecraft at the end of this article for a good example of cut-outs.

Dead Drops

Also known as a dead-letter box, a dead drop is a concealed location where information or objects can be left, allowing covert communication between a CO and his agent(s). A dead drop can be a physical location or it can be a digital creation. It is named a dead drop as there is no meeting between the transmitter and receiver of the information. The transmitter leaves the material in the drop, then leaves a signal in a prearranged location for the receiver, who then goes to retrieve the contents of the drop. (Spy talk - Putting information or an object into a dead drop is "Loading" it - when full it is referred to as "Loaded").

COs will often have multiple dead drops prepared. This may be because they have more than one agent, they may switch between locations to confuse C-I operatives, they may find that one has been compromised by other factors and need a backup.

Physical Dead Drops
A physical dead drop is a location that can be accessed by an agent or their handler either out of sight of watchers or in such a way that it is not clear that an exchange has taken place. The physical dead drop may take many forms - magnetic container, bolts, spikes or coins - or may be as simple as a brick that can be removed and replaced easily out of sight. The options are endless.
PROS - May pass along devices or tools in addition to data. If chosen well, both the agent and CO can use the drop without being spotted by a surveillance team (Spy Talk - Also known as "Watchers") by using a location off the street or where surveillance is difficult (a sauna for example).
CONS - There is no chance to verify that a dead drop is being maintained by the real CO or agent. If one of them is compromised, a clever C-I officer can coerce the agent into using the signal that the drop has been used and then catch the other person in the act.

Electronic Dead Drops -
Back in 2006 the Russian FSB complained publicly to the UK about SIS use of electronic remote dead drops disguised as rocks. The CO and agent approached the rock, which contained a small flash drive and a wireless transceiver. Data could be sent remotely via a key chain USB stick from a pocket as the agent walked by, and retrieved in much the same way. It doesn't even need to be as complex as a custom rock. Any wireless transceiver can perform this function when programmed to do so; assuming you are able to gain access to the device, even the free wifi in a Starbucks becomes a possibility.
PROS - Allows remote access to a drop without visual clues.
CONS - Wireless sniffing may detect the device, cannot transfer physical content, discovered devices may help identify the opposition (if device uses anything other than "off the shelf" kit for example).

Virtual Dead Drops -
There are web-based solutions that allow COs and agents to communicate and transmit and receive information, including file-sharing dead-drops akin to torrent sites. The US military (via DARPA) is currently investigating military torrent file-sharing as part of its battlefield communication project.
One method of passing on information that requires no actual transfer of information is setting up a shared email account. The agent and CO share an account together and use two factor authentication to sign in. Once in, the agent and CO can write draft messages that are not sent (and thus cannot be intercepted) but that can be retrieved simply by logging in and reading the draft. It can then be deleted immediately afterwards. This method unfortunately doesn't work if you're wanting to avoid GCHQ or NSA attention as they have direct access via the servers (the drafts are auto-saved server side), but combined with the OTP method it is almost undetectable and unbreakable by any other agency.
PROS - Undetectable by most intelligence agencies.
CONS - Can only be used for information already in electronic format, cannot be used with physical objects, server-side access to the email mailbox reduces the security of this method.

Legend

Another name for a cover story or fake identification used to get an intelligence officer out of trouble. There are different levels of cover legend, from one improvised on the spot with no documentation to ones that have years of records and are nearly impossible to prove as being fake. The latter sort of legend is what Positive Vetting (see the Espionage 101 post previously) is designed to detect. I will break these legends down into eight categories for simplification, but the degree of complexity in real life can cover virtually any combination of the following.

Improvised - think Han Solo's "Reactor Leak" moment - all fast talk. Approximate Cost $0.
Basic - Non-official identification only (library card, University ID). This is the sort that teenagers might have to allow them to get hold of alcohol. Approximate Cost $50.
Improved - High Quality Fake ID (Security Access cards, Police Badge). Approximate Cost $500.
Professional - Fake Driving Licence, Fake Passport, Fake Birth Certificate. Approximate Cost $5,000.
Bronze Service - High Quality Fake Driving Licence, High Quality Fake Passport, High Quality Driving Licence, High Quality Fake Birth Certificate. Approximate Cost $25,000.
Silver Service - Real Driving Licence, Real Passport with stamps, Real Birth Certificate. Approximate Cost $50,000.
Gold Service - <5 years of Records, Driving Licence, Passport with Stamps, Birth Certificate, Employment History. Approximate Cost $100,000.
Platinum Service - Plastic surgery to change appearance, 5+ years of Records, Driving Licence, Biometric Passport with Stamps, Birth Certificate, Employment History, Retroactive Social Media presence. Approximate Cost $250,000.
Game Mechanics - Identification purchased with money in game costs no Cover points but the GM reserves the right to have had the forger arrested and give up your Legend to the police without you knowing. Those are the breaks when using cash not Cover points my friends.
Spy Talk - In the early days of the 20th century spies referred to a legend as "Shoes" and would visit a "Cobbler" to provide them with a new set.

Live Transfers

There are various methods of passing information between CO and agent. These are referred to officially as Clandestine Transfers (Spy Talk - "Brush Pass" or "Car Toss").

Brush Pass
As its name suggests, the brush pass involves two individuals closing to either bump into or brush past one another in a public area (the busier the better). Done at speed and with practice it is often difficult to tell whether there has even been an exchange between the two. As with most other sleight of hand tricks, misdirection and distraction are beneficial. Arranging for a third party to cause a commotion just prior to an exchange will distract the watchers and allow a slower, more careful but also more certain transfer.
PROS - Allows physical transfer between two parties, allows verification of both transmitter and receiver of content (with a dead drop, anyone could be accessing it and leaving the "loaded" signal), can be cancelled if watchers are too good or if either individual indicates they are "working under duress" (Spy Talk - "Wave Off").
CONS - Performed poorly an agent could drop the content in plain sight of the watchers, if the pass is spotted the watchers now have eyes on both the CO and agent.

Car Toss
The Car Toss is a combination Live Transfer and Dead Drop. An individual can bend over to tie their shoes, momentarily drop out of sight of watchers and, using a magnetic container, attach the content to a specific car. That car can either belong to or be followed by the other agent and when it reaches its destination the device can be retrieved. A second variant of the car toss is simply passing the information through an open window of a passing vehicle. This has the benefit of being possible even whilst being observed by watchers. With practice the agent can combine the action of throwing the device with checking a watch, lighting a cigarette or some other common motion. The vehicle can continue on its way and the agent driving can verify if they are being followed as well.
PROS - as per the brush pass above with the added benefit of allowing one party to be able to make off in a vehicle, potentially drawing off surveillance from the other agent.
CONS - As per the brush pass above. The vehicle adds additional complexity, particularly with throwing through an open window. A missed throw and the car, its occupants and the agent have all been caught.

An Example of Tradecraft

CO (A)lpha wishes to leave a message for Agent (B)ravo. He is being watched by C-I (C)harlie and C-I (D)elta. A is already under suspicion as a CO but needs to get a message to B securely. C and D do not know who A is running. A leaves a chalk mark on the telegraph pole outside B's apartment to indicate that a specific drop is loaded, but to throw C and D off the scent, rather than going directly to the drop location he uses a brush pass with CO (E)cho, who is not on C and D's radar. A makes his way to a nice little bistro and sips a cup of coffee whilst his watchers waste their time. E loads the drop and B retrieves it.
C and D get chewed out by their boss...

So What Are These Moscow Rules Exactly?

Many sources on the internet claim to have the official Moscow Rules - I choose to accept those from the International Spy Museum.
  1. Assume nothing.
  2. Never go against your gut.
  3. Everyone is potentially under opposition control.
  4. Don't look back; you are never completely alone.
  5. Go with the flow and blend in.
  6. Vary your pattern but stay within your cover.
  7. Lull the enemy into complacency.
  8. Don't harass the opposition.
  9. Make sure you pick the time and place for action.
  10. Keep your options open.

A recent series of tweets from a 20-year NSA veteran added several additional rules that are also appropriate. In the spirit of KISS (Keep It Simple, Stupid) I recommend sticking to the ten above. There are only ten, they are simple and that's the sort of thing real spies would want.