Over the last few years, multiple media sources have published pieces making allegations that the CIA’s asset-handling methodologies were responsible for the compromise of assets. Assets who had entrusted their security to the Agency and were providing unique and valued intelligence via a means of covert communications or COVCOM designed to protect both their identity from compromise. Covert communications are essential to HUMINT missions for the CIA. But they can also be a nightmare when things aren’t secure.
CIA publicly criticized
Two recent pieces, one from Reuters discusses the alleged compromise of Iranian assets, and the second, from Project Brazen, a Brush Pass piece, discusses the compromise of assets in China and Iran. Both pieces take the Agency to task. Neither piece is laudatory towards the United State’s flagship intelligence agency. Both make the case that poor operational security and processes in the use of communications methodologies allowed for adversaries of the United States, in this case, China and Iran, to dissect, analyze, and ultimately, find and neutralize the CIA’s assets.
The CIA spokesperson, Tammy Kupperman Thorp, told Reuters, “CIA takes its obligations to protect the people that work with us very seriously and we know that many do so bravely at great personal risk. The notion that CIA would not work as hard as possible to safeguard them is false.”
The Reuters piece details the technological cookie-cutter nature of the system in question, based on the publicly available information (also detailed by Reuters) websites were purchased in bulk, layout (themes) were similar, and went well beyond just China and Iran, to include “… at least 20 countries, among them China, Brazil, Russia, Thailand, and Ghana” said analysts at Citizen Lab.
In the world of espionage, asset security is basic table-stakes for every intelligence organization. If one can’t keep their asset secure and their collaboration secret, one tends to not be able to recruit assets downstream. In other words, the two aforementioned pieces describe what one might consider a “self-inflicted” wound. The HUMINT (human intelligence) officer who is ultimately the one responsible for the care and safety of the asset, has to trust that those creating COVCOM systems are not using a conveyor belt, cookie-cutter methodology, and the axiom of “use once and only once” is adhered.
And therein lies the rub. One-off development of such systems doesn’t scale, and the cost, for many intelligence organizations, including those of the United States, would be prohibitive. Yet when viewed through the lens of an asset’s well-being, the cost-benefit analysis adjusts considerably. Ultimately, the HUMINT handler is responsible for ensuring the tools they choose or are directed to use are secure.
In the instance described in these two pieces, the security of a given contact, no matter where they were in the lifecycle of engagement (contact, development, recruited, established, or terminated) carried with it a risk of compromise completely outside of the operational control of the responsible officer – the handler. Now does this mean that the COVCOM systems were ultimately responsible for the alleged compromise, no it doesn’t. There are myriad actions by either the asset or handler that could have also caused the compromise. What we do learn from Reuter’s display of the inner workings is that this system had the potential to provide a counterintelligence or counterespionage entity a leg up in identifying an individual who was in contact with an intelligence entity.
What this means, unfortunately, is that the next intelligence officer to make an entrée to an Iranian, Chinese, or any targeted foreign national with access to information of interest to the policymakers of the United States will be faced with some very difficult questions, especially if the means of communications are to be virtual and utilize the internet.