In Oslo, Norway, on November 20, a security guard at the U.S. Embassy was arrested on suspicion of espionage. John Christian Elden, the unidentified man’s attorney, said that his client had been in touch with both Russian and Iranian intelligence officers. In the world of espionage, the question “Who watches the watchers?” points to what is often viewed as a vulnerability: these individuals hold a trusted position where they watch for anomalies, security threats, risky behavior, etc., yet should they themselves break trust, who will detect their actions?
It is important to note that the individual appears to be part of the locally hired security team, whose access is largely limited to perimeter security and first contact with visitors and does not include access to the classified areas of the embassy. These employees are often contracted from a local security company, and it is not unusual for one company to have multiple contracts with various nations’ embassies in a given locale. They are not, normally, U.S. government employees; rather, they are employees of the contracting service provider. These contracts would normally be responsive to the embassy’s security officer.
What we know about the alleged espionage
The individual is a male in his twenties. He is being held in isolation during the first week and may be held, according to the Norwegian court, for an initial four weeks while the police conduct their investigation. The Norwegian Security Service (PST) spokesperson, Thomas Blom, noted that the individual was cooperating and talking with officers, and that a “large amount of digital material” had been confiscated. Blom went on to say, “We have just scraped the top and we are working our way through it.”
The individual has been identified as also being a student at UiT, Norway’s Arctic University, where he is studying for a bachelor’s degree in security and preparedness. The university’s director, Jørgen Fossland, stated that to their knowledge there is no linkage between the individual’s charged crime and the university.
Norwegian Broadcasting reports that the accused has admitted to collecting and sharing information with both Russia and Iran. The media outlet explained that if convicted of “attempted gross intelligence activities against state secrets” he would face up to ten years in prison. Furthermore, the reading of the Norwegian detention order indicates that he was responding to tasking from an unidentified handler (nationality not shared).
In addition, the accused has been identified as a co-owner of the security company which was hired to provide local security services and which was approved in November 2023 by Oslo police to provide security services.
Remember the Bundestag insider?
Interest in official buildings and entities is not hyperbole or theory. It was almost three years ago when we learned of the Russian GRU having secured the services of a German citizen to provide information on the Bundestag (lower house of parliament). This individual provided his information in digital format, and it included blueprints and floorplans of the building.
Insider risk realized
What is unfolding in Oslo is a very real case of insider risk realized, with the watcher found to be in contact with intelligence officers of two separate adversary countries.
His ability to provide situational and pattern analysis of the activities at the embassy, to include access to visitor logs and perhaps information about the embassy’s infrastructure and security posture, would be of interest to a hostile foreign intelligence service.
While it is certainly possible for Iran and Russia to be cooperative in an intelligence operation, the comment from PST’s Blom that his contact with Russian intelligence was somewhat limited is a clue that this was not a joint operation targeting the U.S. Embassy. The fact that the individual has admitted that he has provided information to both Iranian and Russian intelligence officers is indicative of an individual who peddled his access. In other words, he saw there was interest from one intelligence entity and decided to sell the information twice (or more) to other entities.