Counterintelligence: Worse than Security?

As a former Air Force intelligence officer, I'm very interested in counterintelligence. I've written about counterintelligence and the cyber-threat before. I'm reading a book about counterintelligence failures, and the following occurred to me. It is seldom in the self-interest of any single individual, department, or agency to identify homegrown spies. In other words, hardly anyone in the CIA wants to find a Russian spy working at Langley. If you disagree, examine the history of any agency suffering similar breaches. It isn't pretty; the degree to which people deny reality and then seek to cover it up is incredible.

In some ways this make sense. Nothing good comes from identifying a spy, other than (hopefully) a damage assessment of the spy's impact. Overall the national security of the country can be incredibly damaged, never mind the lives lost or harmed by the spy's actions. However, in case after case, the appeal to higher national security interests is frequently buried.

Reading this book, it also occurred to me that security has exactly the same problem. Spies are worse in most respects, and they could be equated to insider threats. However, just as with spies, in security it is seldom in the self-interest of any single individual, department, or agency to identify compromises. Despite the fact that an intruder is the perpetrator, the victim is often blamed for security breaches. The word "security failure" demonstrates that something bad has happened, so it must be the fault of the IT and security groups. (Imagine if a mugging was called a "personal security failure.")

Because of this reality, it seems that the only way to counter these self-interests is to task a central group, organizationally detached from the individual agencies, with identifying security breaches. In CI, this should be the job of the National Counterintelligence Executive (NCIX), but the Office of the Director of National Intelligence appears to have neutered the NCIX. In digital security, a headquarters-level group should independently assess the security of its constituents. These central groups must have the support of top management, or they will be ineffective.

Update: Fixed the "seldom" problem!

Comments

Anonymous said…
I haven't read the Gertz book yet, but your point is dead on. My father was an integral part of the espionage cases of the 80s and 90s and he would often complain that the CIA, State Dept., whoever, would suggest that everybody just go back to what they were doing before as if nothing had happened. I run into the same resistence in the network admin field. For some people, it's almost a reflex.
8:32 AM
Anonymous said…
I think you meant to say "it is seldom in the interest".

It's like self-reporting tip income. Sure, the aggregate social good is greater when income is truthfully reported and the government gets the proper tax revenue, but it is seldom (if ever) in an individual taxpayer's interest to truthfully report cash income.
9:59 AM
Anonymous said…
What I know about counter intelligence I learned from movies so I could be way off base - but if you find the spy can't you try to flip them in to a double agent? So some benefit could come from finding a spy.
8:23 PM
Edouard said…
it's not only applicable to security. in every social group i met, unless forced to, people wouldn't reveal what could be considered as a failure by the peers or/and the hierarchical leaders. this is all a matter of perceived consequences from the individuals and group as an entity. (where consequences may be loss of esteem, be it self or social, financial or judiciary sanction or whatever you may think of)


what we need to change, as security professionals, trainers and managers is just the perception itself. being compromised, is not a failur of our capacity to defend assets. it's a success of the attacker's (and i understand attacker here in the largest sense, be it a human or non human threat agent) one to outsmart, bypass, break or whatever we call it our measures.

calling a compromission a failure, is considering that the whole set of measure we took as nil. which couldn't be more false. we are actively, and successfully thwarting off countless numbers of security threats each day, it proves that we are indeed relatively successful in our mission. but this one attack, yes, we got caught. be it a smart cracker, be it a nice new suppa duppa polymorphic worm, be it an intelligence professional, he played better this time.

now, and this is IMHO where you can see true professionals at work, ok we got screwed, nice one, now we need to neutralize residual threat, assess damage done, and take whatever measures appropriate 1 : to mitigate damage (be it rolling back to backups or a PR campaign) and 2 : ensure we don't get screwed that way next time (tightening ISM or recruit an overly large security guard to look for tailgaters) and ensure the proper retaliatory measures are taken.

does anything here looks like a failure ? i am not talking about the proper case handling, which was intentionally overly general, but only of the perception of the event itself

not IHMO.
4:53 AM
Unknown said…
Interesting observation! I think a lot to do with security can and maybe should be separated into detached groups that don't have such self-interest in ignoring security or breaches. Protection is a cost...discovery is a cost...remediation is a cost... Ugh.

In a way, we can partially blame the victims when they are not following best practices or being incompetent. I mean, it can be somewhat my fault if I decide to walk in a shady neighborhood with my ipod hanging out and texting on my new iphone while also looking vulnerable. Granted, the mugger still is the real target for punishment, but I really should also watch my ass.
5:36 PM
Anonymous said…
speaking of enemies... i have no enemies. hehe
3:54 AM
Anonymous said…
Since there are political ramifications for identifying a breach, this creates a need for counter-espionage technology.
9:09 PM
Anonymous said…
I saw Ron Olieve (SA Ret.) give his talk about the FBI capture of Jonathan Pollard. Catch it if you can. He would disagree with you in no point here. Pollard walked out of DIA with suitcases (not brief cases) of TS/SCI and Code Word material. No one ever asked why someone with his tasking was getting room fulls (no lie) of material about the midEast.
2:46 PM
Anonymous said…
This is an excellent point, but is not the only reason that CI must be both independent and centrally managed. Among other things, developing a complete picture of competing intelligence activities and, more importantly, developing comprehensive programs to thwart or exploit those activities requires central management. Alas, it will never, ever happen that way here, and we will be worse off for it.
9:51 PM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more