Hiding in Plain Sight: Maintaining A Spy’s Cover in the Internet Era


Tradecraft. A term popularized in the novels of John le Carré, but practiced by spies throughout history. Tradecraft includes a number of methodologies, ranging from chalk-marked dead drops and honey traps to wiretapping, losing a tail, and safe houses. Spies have to master their craft if they are to be effective in the job while evading ever-suspicious counterintelligence units.

One of the most fundamental needs for a spy is their legend, or a well-prepared but made-up or assumed identity, also known as a cover. Legends allow intelligence officers unique access into companies, ministries, and groups of interest where they can recruit agents, manipulate unwitting insiders, or observe, report, and take direct action themselves.

However, tradecraft in the digital age is changing, and maintaining a legend may be more challenging than in the past – though not impossible. How do virtual recordkeeping, modern surveillance technology, and having vast amounts of a person’s background accessible on open-source platforms such as social media affect an intelligence officer’s ability to operate overseas?

Broadly speaking, intelligence officers operate under three forms of cover – diplomatic, official, and nonofficial. Diplomatic cover – under which an intelligence officer takes on the face of a diplomat – is likely the most common, as it grants diplomatic immunity as an insurance policy if discovered. Official covers are disclosed to the host governments and those operating under them openly cooperate and liaise directly with intelligence services in allied countries, creating a backchannel for sensitive interactions. Nonofficial cover, also known as deep cover, includes assuming a made-up identity such as a business person, student, or photographer. Those under nonofficial cover operate without the knowledge of the host government. If caught, they could face severe repercussions.

From a counterintelligence standpoint, a host country, such as the United States, might immediately evaluate new foreign embassy staff members to determine whether they are intelligence officers or genuine diplomats. Mark Kelton, the former deputy director for counterintelligence in the CIA’s National Clandestine Service, notes that “if officer X comes into an embassy, you ask: what did his predecessor do, what do we know about his predecessor, is that a position that is traditionally occupied by an intelligence officer or is it traditionally occupied by a real diplomat? Then you look individually at the person. What do we know about this person’s background and is it consistent?”

Diplomatic positions such as a “passport control manager” or “cultural attaché” may very well be filled with intelligence officers. Even those operating under diplomatic cover, though, can be historically parsed from actual diplomats. When Kelton worked out of the U.S. Embassy in the former Czechoslovakia, he says there was a noticeable profile of what a CIA officer looked like. “We worked longer hours, we had better cars, we were out and about around town – whereas legitimate diplomats tended to go home and stay home,” says Kelton. “All of those things were indicators that they would look at and say we have to put this person under a question mark.”

During the Cold War, Soviet spies seeking to enter the West would often assume a cover that was built upon someone who had died at a young age. Back in the days of paper recordkeeping, following up on such a background cover required extensive physical research and interviews. The complexity of maintaining a cover often depended on the scrutiny an intelligence officer thought it would receive. In the old days, spies operating under cover could simply create a fake business entity or association with a particular organization, and someone who wanted to follow up on them would call and validate their identity. Perhaps the intelligence official expected someone would drive by the listed street address or walk in and make an inquiry.

Technological advances have since allowed extensive recordkeeping of people’s lives through social media, as well as identity verification at borders with biometrics. Counterintelligence teams could be scraping LinkedIn all the time, and if an intelligence officer said they had worked at a job for two years, but their LinkedIn profile just showed up the week before, that would create a red flag. Counterintelligence units can also scan social media, pull images down, and apply facial recognition software correlated with biometrics collected at border crossings.

At the same time, the complete absence of a detailed social media presence can be a red flag, causing counterintelligence investigators to scrutinize individuals further. “Young people today are out on the internet all the time and most people have a social media presence,” said Kelton. “If they don’t, then you ask why and look at the nature of that presence – who are they in touch with, what are they doing, is it something they actively keep up, or is it something that sits dormant, why would it sit dormant? All of those questions come to mind.”

Traditional models of joining an intelligence agency and then creating a cover background for a new intelligence officer are fraught with potential vulnerabilities. An intelligence officer’s presence on social media must be consistent with their cover and cannot be subject to historical revision. This means those operating under cover have to be thinking about this as a long-term strategy, whereas in the past this process was maybe seen as more short-term. Once recruits join an intelligence service, they will likely have to seamlessly blend their previous social media presence into their new role. Intelligence agencies may already be building social media profiles for future officers to assume when they join in a decade.

While many intelligence officers could simply sync their legends to their online presence – essentially acting normal by hiding in plain sight – failures in other areas of tradecraft could spark suspicion, and retroactive analysis can now be relatively comprehensive. Take, for example, the 2010 Israeli assassination of the high-ranking Hamas member Mahmoud Al-Mabhouh in Dubai, whose body was discovered in his hotel room. The discovery prompted an investigation that was able to identify the Mossad officers through hundreds of hours of surveillance footage cross-referenced with airport and hotel registries, phone records, and other sources of information. The entire operation was posted in a video on YouTube for the world to see, and their covers were blown.

“Frequently, it is just one mistake or one error that can roll up an entire operation or lead to a compromise,” says Kelton. “The issues of cameras, and that sort of thing, are something you have to consider now universally in the intelligence arena.”

Another example of poor tradecraft exposing networks of intelligence officers can be found following the CIA’s reported 2003 operation to abduct an Egyptian cleric known as Abu Omar in Milan and take him to Egypt for interrogation. Warrants for the arrest of 22 individuals thought to be CIA officers were issued in 2005 after tracking their extensive cellphone records that allowed Italian police to determine their movements and link them together. “The commonalities for the operations that have been exposed are tradecraft errors and those who were involved in those operations probably were not as cognizant as they should have been of the technology that could be deployed against them,” says Daniel Hoffman, a former CIA chief of station. “That is part of understanding the new battlespace.”

While mistakes – or even just border-crossings – can draw attention and trigger retroactive analysis of an intelligence officer’s background, advances in data analytic tools could also reveal them in the background noise. Similar to how social media companies are designing algorithms for finding those susceptible to radicalization, systems can be designed to recognize patterns of an intelligence officer’s digital footprint by comparing them with the patterns of spies already known.

“Hostile intelligence services focus on our social media,” says Hoffman. “They have to pick and choose whose social media on which to focus, but if they suspect someone of being an intelligence officer or a person of interest worth tracking, then they are going to dissect their social media.”

Not only does this create a problem for intelligence officers operating overseas, but it also creates a counterintelligence problem for the United States. By observing someone’s online presence, foreign intelligence services can “also seek to determine whether a person of interest might be vulnerable to a recruitment pitch,” said Hoffman.

Another problem intelligence officers now encounter is the audience size social media can garner should their identities be discovered and published. Revealing the identities of intelligence officers has always been a strategic opportunity for foreign governments and others. For example, Philip Agee, a former CIA officer, published the names of CIA case officers in his book and the magazine CounterSpy, potentially leading to the assassinations of some of those revealed. This prompted Congress to pass the 1982 U.S. Intelligence Identities Protection Act making it illegal to expose the identities of covert agents.

“Today our enemies are using the same sort of strategy, but with different tactics – using wildly asymmetric cyberspace for delivery that carries a lot more force compared to Philip Agee’s book,” said Hoffman.

In the age of social media, published identities of those working for intelligence – such as those found in the leaks by the Shadow Brokers or in the lists of names released by an ISIS-affiliated hacking group – reach much broader audiences. The goals of releasing this personal information, a practice sometimes referred to as doxing, include making it difficult for intelligence officials to do their jobs, undermining recruitment and workforce confidence, broadcasting that the U.S. conducts operations it often criticizes other countries for, or, most damaging, inspiring violence against intelligence officers.

Ultimately, an intelligence officer’s online presence, much like that in the physical world, must reflect a person who is historically and actively living the life they present themselves as living. While the underlying principles of tradecraft might remain the same, this requires a change in mindset – where it was common to keep a low profile, it now might be required to have a prominent and public online persona like so many others. “You want to look as normal as you can, because the adversary will scrutinize you,” said Kelton. “What you don’t want to be is cloistered.”

“The challenge,” he says, “is to adapt intelligence activities to the modern social media world.”

Levi Maxey is a cyber and technology analyst at The Cipher Brief. Follow him on Twitter @lemax13.