Why counterintelligence is considered the neglected element of US intelligence and where we can see it at work in modern policy

It’s easy to generate a mental picture of what a counterintelligence operation might look like.  Analysts behind screens recording tapped phone conversations; agents in trench coats intercepting enemy operatives on the streets; perhaps a tracking device placed in someone’s briefcase or an electronic countermeasure launched to disrupt an invading virus.  But mental theatrics aside, what does counterintelligence really look like behind the scenes of the stereotypical spy-movie-esque cover?

This article briefly discusses the definition, uses, and implications of counterintelligence, and expounds upon them through an interview with Dr. Jonathan Binnie.  Dr. Binnie has taught the Counterintelligence course at Patrick Henry College for ten years, and his wealth of insight and 22 years of experience as an FBI Special Agent have informed his analysis of the questions raised below.

To begin, what is the definition of “counterintelligence”?  Executive Order 12333, “United States Intelligence Activities”, provides us with the official US Intelligence Community definition:

Counterintelligence means information gathered and activities conducted to identify, deceive, exploit, disrupt, or protect against espionage, other intelligence activities, sabotage, or assassinations conducted for or on behalf of foreign powers, organizations, or persons, or their agents, or international terrorist organizations or activities.¹

For context, EO 12333 (pronounced “twelve-triple-three”) is widely regarded as “the Bible” governing US intelligence practices.  The definition provided here is referred to in many other executive orders and in several statutes.  Using this framework as a foundation, Dr. Binnie’s commentary builds upon our real-world understanding of counterintelligence.

QUESTION 1: Given this definition, what types of activities or intelligence gathering methods are not encompassed by counterintelligence that people often mistakenly place under its umbrella?

Some sort of controlling Intelligence Community Executive Order has been around since President Ford signed one in 1976. A successor, EO 12333, was signed by President Reagan in 1981 and has been amended three times. In 2008, the definition of counterintelligence was somewhat altered to the one quoted above.  Counterintelligence can use any activity or method to carry out its purpose that is not barred by statute or policy.  But there are tried and true basic methodologies that work and that can also be transferred into the many new technologies we have to deal with.

Nearly everyone confuses counterintelligence with security.  When we started calling our “national foreign intelligence program” the “national security program” things started getting muddled.  Counterintelligence and security need to operate closely but they are different disciplines.  Security is focused on physical “gates, guards, and locks” and the cyber versions.  It is defensive.  There is a defensive side to counterintelligence too but there is a very strong offensive side that doesn’t get much publicity.

QUESTION 2: When we hear about major threats in the news, what sorts of roles should we understand that US counterintelligence is playing in response to them?

From the definition, we know that intelligence activity is something that counterintelligence has an interest in.  Knowledge of any sort of activity conducted by an adversary has value.  However, since intelligence services conduct their activities clandestinely there isn’t the abundance of this knowledge one might think from some media accounts and popular fiction. That’s why the EO (executive order) begins its list of objectives with “identify”. Identifying intelligence service activities, targets, personnel, and techniques       (intelligence techniques are called “tradecraft”) is the beginning.

Identification is where a great deal of resources are spent by the intelligence community.  Once identification is accomplished then counterintelligence can “deceive, exploit, disrupt, or protect against espionage” and other bad things.  These countering activities are done in a strategic fashion rather than one at a time as isolated incidents.

2.1: How does CI help us to deal with our cautious relationship with Russia, and trace hacking and other forms of espionage back to them?

When the Cold War ended Russian espionage did not; it is as robust today as it ever was.  By counterintelligence penetration of Russian intelligence services, we learn what their intelligence services focus on so that their actions can be prevented or otherwise controlled. This is where the EO’s use of “deceive, exploit, disrupt and protect against” comes in.

Obviously, I cannot provide current examples and I’ve been off the front lines for several years but in 2010, the FBI arrested 10 Russian intelligence officers who were operating in the US under non-official cover (NOC, pronounced “knock”).  NOCs are also known as “illegals” in contrast to “legal” intelligence officers who operate out of their nation’s diplomatic establishments under diplomatic cover and have diplomatic immunity.  FBI counterintelligence actually ran these NOCs by intercepting their clandestine communications and then having FBI undercover personnel meet them and provide tasking instructions.  The NOCs were deceived and exploited and then their operations disrupted when they were arrested.  For this to have gone on for so long it meant that Russian intelligence headquarters were also being deceived, exploited, etc. too.

As I recall, their principle reason for being here was to get into positions to influence US policy and also identify (aka “spot”) other US citizens who would be good targets for the Russian service to attempt to recruit to work for it .  The full story of this operation along with photos and videos is on the FBI website under “Ghost Stories.”

Again, while I don’t know specifics since I’ve been retired a good number of years, I do know that counterintelligence attempts to penetrate hacker organizations, whether government or private sector, in order to prevent them from being successful.  As we’ve seen recently, this has not been going particularly well.  Cyber security is critically important but security is not counterintelligence though there is certainly a nexus.

2.2: Does CI give us information about China’s economy, military efforts, and propensity to hack US systems?

Counterintelligence can provide insight into these matters but they are primarily the province of our intelligence services.  The advantage we get here is to know what a nation’s policy makers are truly interested in rather than relying solely on diplomatic statements.

2.3: Does CI have a distinct role in the discovery of Iran’s progress toward more workable nuclear technology and its threats toward us and Israel?

Recently, James Clapper, the Director of National Intelligence (DNI) advised a Congressional committee in open testimony that we have adequate intelligence capabilities to verify Iran’s future compliance with the pending nuclear agreement.  Again, this is first an area for our positive intelligence collection but counterintelligence often becomes part of this.  When counterintelligence recruits an adversarial intelligence officer in order to combat the officer’s service, that individual may be able to provide much needed information in these key subject matters.

2.4: Where does the line get drawn between counterintelligence and counterterrorism efforts, especially regarding groups like ISIS?

According to the EO, international terrorism is a subset of counterintelligence.  It’s simply an adversary of another type.  Right now, the terrorism problem is so enormous and perilous it is addressed separately  in a managerial sense.  Essentially, the same manner of strategies, goals, objectives, and tradecraft are used against terrorist groups.

QUESTION 3: What significant processes exist for prioritizing threats like the above four in the context of an Issue Threat List or Country Threat List format? ²

Because resources are always limited and not all threats are equal, counterintelligence prioritizes threats.  Prioritization can go to specific nations and also to particular issues.  In part, what is taken into account are matters like the intent, capability, and presence of the intelligence service in question.  Also, the level and type of intelligence activity that it is conducted.  Finally, what is being targeted and how aggressively is it being carried out.  What is most threatening moves to the top of the page.

Again, in the case of the FBI, in its website discussion of its national counterintelligence strategy, the issue that is at the top of the page is to “keep weapons of mass destruction, advanced conventional weapons, and related technology from falling into the wrong hands”.  In 2002, I was a member of the small group that wrote this strategy and I remember our discussions on these matters.  After the strategy was approved I was given the job of implementing it nationally.

QUESTION 4: In what way has CI become a neglected element in the US Intelligence Community?

There are several aspects to counterintelligence that have led some intelligence scholars to refer to it as a neglected element of intelligence.  First, you don’t hear much about it until something bad happens.  Even though the spy is arrested, everyone wants to know how could this have happened? Why did it go on for so long? When the FBI arrested Robert Hanssen, one of its own, he had been in a clandestine relationship for over 20-years giving away the crown jewels. What was missed was that he was identified because a brilliant FBI Special Agent by the name of Michael Rochford specifically sought to penetrate the Russian service in a manner that would reveal who they were running in the intelligence community and he succeeded.

Years before the Hanssen case, FBI Director William Webster expressed it this way in Congressional testimony: “When you’re catching spies, you have a bad counterintelligence service.  When you’re not catching spies, you have a bad counterintelligence service.  You can’t have it both ways!”

Second and related to the first, the media and consequently, the public thinks counterintelligence is only about spy catching.  That is certainly what we hear about the most but there is so much more to it.  But the really big coups rarely become public.  One that did is known as the Farewell Dossier.  It involved the French developing a source in the old Soviet KGB who revealed to them and then to us how the KGB was clandestinely collecting science and technology across the West and specifically who among its personnel was doing it.  The French made some arrests and declared the KGB officers in France persona non grata.³  We, however, engaged them in a well-conceived and masterful deception plan by giving them data that sounded good but was bad. But done in a way that it would take a long time to discover and only after a lot of Soviet money was spent. This was part of the plan to bankrupt the Soviet Union. ■

Resources and Further Reading

• More on: the FBI’s “Ghost Stories” Russian spy investigation referenced by Dr. Binnie: https://www.fbi.gov/news/stories/2011/october/russian_103111/russian_103111.
• More on: the Robert Hanssen case and Michael Rochford: http://www.washingtontimes.com/news/2002/dec/8/20021208-104626-5780r/.
• More on: the Farewell Dossier: https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/csi-studies/studies/96unclass/farewell.htm.

1. 12333: http://www.ncsc.gov/publications/policy/docs/EO_12333.pdf.
2. National Security Threat List: http://www.wrc.noaa.gov/wrso/security_guide/nstl.htm.
3. persona non grata: literally meaning “an unwelcome person,” refers to a foreign person whose entering or remaining in a particular country is prohibited by that country’s government.