Tuesday, July 29, 2008

Counterintelligence: Worse than Security?

As a former Air Force intelligence officer, I'm very interested in counterintelligence. I've written about counterintelligence and the cyber-threat before. I'm reading a book about counterintelligence failures, and the following occurred to me. It is seldom in the self-interest of any single individual, department, or agency to identify homegrown spies. In other words, hardly anyone in the CIA wants to find a Russian spy working at Langley. If you disagree, examine the history of any agency suffering similar breaches. It isn't pretty; the degree to which people deny reality and then seek to cover it up is incredible.

In some ways this make sense. Nothing good comes from identifying a spy, other than (hopefully) a damage assessment of the spy's impact. Overall the national security of the country can be incredibly damaged, never mind the lives lost or harmed by the spy's actions. However, in case after case, the appeal to higher national security interests is frequently buried.

Reading this book, it also occurred to me that security has exactly the same problem. Spies are worse in most respects, and they could be equated to insider threats. However, just as with spies, in security it is seldom in the self-interest of any single individual, department, or agency to identify compromises. Despite the fact that an intruder is the perpetrator, the victim is often blamed for security breaches. The word "security failure" demonstrates that something bad has happened, so it must be the fault of the IT and security groups. (Imagine if a mugging was called a "personal security failure.")

Because of this reality, it seems that the only way to counter these self-interests is to task a central group, organizationally detached from the individual agencies, with identifying security breaches. In CI, this should be the job of the National Counterintelligence Executive (NCIX), but the Office of the Director of National Intelligence appears to have neutered the NCIX. In digital security, a headquarters-level group should independently assess the security of its constituents. These central groups must have the support of top management, or they will be ineffective.

Update: Fixed the "seldom" problem!

9 comments:

Anonymous said...

I haven't read the Gertz book yet, but your point is dead on. My father was an integral part of the espionage cases of the 80s and 90s and he would often complain that the CIA, State Dept., whoever, would suggest that everybody just go back to what they were doing before as if nothing had happened. I run into the same resistence in the network admin field. For some people, it's almost a reflex.

chris said...

I think you meant to say "it is seldom in the interest".

It's like self-reporting tip income. Sure, the aggregate social good is greater when income is truthfully reported and the government gets the proper tax revenue, but it is seldom (if ever) in an individual taxpayer's interest to truthfully report cash income.

Anonymous said...

What I know about counter intelligence I learned from movies so I could be way off base - but if you find the spy can't you try to flip them in to a double agent? So some benefit could come from finding a spy.

Edouard said...

it's not only applicable to security. in every social group i met, unless forced to, people wouldn't reveal what could be considered as a failure by the peers or/and the hierarchical leaders. this is all a matter of perceived consequences from the individuals and group as an entity. (where consequences may be loss of esteem, be it self or social, financial or judiciary sanction or whatever you may think of)


what we need to change, as security professionals, trainers and managers is just the perception itself. being compromised, is not a failur of our capacity to defend assets. it's a success of the attacker's (and i understand attacker here in the largest sense, be it a human or non human threat agent) one to outsmart, bypass, break or whatever we call it our measures.

calling a compromission a failure, is considering that the whole set of measure we took as nil. which couldn't be more false. we are actively, and successfully thwarting off countless numbers of security threats each day, it proves that we are indeed relatively successful in our mission. but this one attack, yes, we got caught. be it a smart cracker, be it a nice new suppa duppa polymorphic worm, be it an intelligence professional, he played better this time.

now, and this is IMHO where you can see true professionals at work, ok we got screwed, nice one, now we need to neutralize residual threat, assess damage done, and take whatever measures appropriate 1 : to mitigate damage (be it rolling back to backups or a PR campaign) and 2 : ensure we don't get screwed that way next time (tightening ISM or recruit an overly large security guard to look for tailgaters) and ensure the proper retaliatory measures are taken.

does anything here looks like a failure ? i am not talking about the proper case handling, which was intentionally overly general, but only of the perception of the event itself

not IHMO.

LonerVamp said...

Interesting observation! I think a lot to do with security can and maybe should be separated into detached groups that don't have such self-interest in ignoring security or breaches. Protection is a cost...discovery is a cost...remediation is a cost... Ugh.

In a way, we can partially blame the victims when they are not following best practices or being incompetent. I mean, it can be somewhat my fault if I decide to walk in a shady neighborhood with my ipod hanging out and texting on my new iphone while also looking vulnerable. Granted, the mugger still is the real target for punishment, but I really should also watch my ass.

Mobisop said...

speaking of enemies... i have no enemies. hehe

Rob Lewis said...

Since there are political ramifications for identifying a breach, this creates a need for counter-espionage technology.

Anonymous said...

I saw Ron Olieve (SA Ret.) give his talk about the FBI capture of Jonathan Pollard. Catch it if you can. He would disagree with you in no point here. Pollard walked out of DIA with suitcases (not brief cases) of TS/SCI and Code Word material. No one ever asked why someone with his tasking was getting room fulls (no lie) of material about the midEast.

Anonymous said...

This is an excellent point, but is not the only reason that CI must be both independent and centrally managed. Among other things, developing a complete picture of competing intelligence activities and, more importantly, developing comprehensive programs to thwart or exploit those activities requires central management. Alas, it will never, ever happen that way here, and we will be worse off for it.