Expert Commentary

Staying Secret in the Age of Social Media

Mark Kelton
Former Deputy Director for Counterintelligence, CIA National Clandestine Service

Intelligence officers must often use a false identity – a legend or cover. How has social media and digital technology changed how they create and preserve these cover identities, and what have counterintelligence units traditionally looked for when trying to identify foreign spies? The Cipher Brief’s Levi Maxey spoke with Mark Kelton, the former deputy director for counterintelligence at the CIA’s National Clandestine Service, about challenges in establishing cover and operational security in the digital age.

TCB: Intelligence officers often enter a foreign country under diplomatic cover while working from their embassy. Could you talk about how you might discover whether they are spies or not?

Kelton: Where it is foreign intelligence services looking at us or us looking at foreign intelligence services, there is a predicate to all of it. So if somebody comes out, you might know something about that person beforehand. They have a background. You can start looking at their background. They come into a position, let’s say, in an embassy – what is the history of that position, who occupied it before? That is something that has traditionally been done.

So if Officer X comes into the embassy, you ask, what did his predecessor do, what do we know about his predecessor, is that a position that is traditionally occupied by an intelligence officer or is it traditionally occupied by a real diplomat? Then you look individually at the person. What do we know about this person’s background and is it consistent?

TCB: Do you investigate this primarily through open-source now?

Kelton: Open-source and clandestine sources – it’s a mix. Anything you can get your hands on. So whether you have clandestine or secret intelligence – either signals intelligence or human intelligence – that gives you a picture of what the foreign intelligence presence might look like in a given place. Even if they don’t give you specifics, they may tell you about numbers or profiles. There are a lot of things you can learn.

In the old days, when a Soviet illegal would come into the United States, or come into the West, almost invariably they had a cover that was built upon someone who died – someone who had actually lived and they just assumed that life. In many cases it would be from Finland, Karelia, or some occupied area of the Soviet Union, or they would find in the United States someone who had passed on in youth, and they would assume that identity.

In the analog era, recordkeeping made it pretty hard to go and dig up information. If you have a baby that died at age 5 in Illinois and that baby’s identity is assumed by, for example, the female in the show The Americans, that person can appear in the U.S. as an American. Researching and discovering the holes in that story was not easy, and it took a lot of physical work and actual interviews. You couldn’t do it from your desktop.

The challenge now for an illegal coming in is that there has to be a background that stands up. If somebody has a Facebook account that suddenly appears, it begs the question: where did that come from? Young people today are out on the internet all the time and most people have a social media presence. If they don’t, then you ask why. If they do, then you look at the nature of that presence – who are they in touch with, what are they doing, is it something they actively keep up, or is it something that sits dormant, why would it sit dormant? All of those questions come to mind.

Essentially, is their online presence something that reflects a person that is actively living a life they present themselves as living? Social media is a living thing, and some of it is private, but a lot of it is public too. You are engaged with people all the time. Intelligence officers don’t traditionally do that. So the challenge is to adapt intelligence activities to the modern social media world.

TCB: Do intelligence services then have to build these online personas far before someone actually uses them for covers?

Kelton: Yes, they do, or else there is an inconsistency there. Why did it start when this person was 21 and ostensibly went to work for the Ministry of Foreign Affairs? Why did it change when that happened? So that leads you to one logical conclusion, which is that the person’s secret work must be consistent with their private life. That is the only way to do it.

But again, the principles are the same. In my first assignment abroad, I was in Czechoslovakia in Eastern Europe, and we knew that the Czechoslovak services have a certain profile of what we, CIA officers, looked like. We worked longer hours, we had better cars, we were out and about around town – whereas legitimate diplomats tended to go home and stay home – we drove around a lot, we would disappear from our desks for parts of the day. All of those things were indicators that they would look at and say we have to put this person into under a question mark. This allowed them to bring more resources to bear, saying we have to take a closer look at this person.

TCB: During an Israeli operation in Dubai, police matched intelligence officers through things like CCTV cameras, financial transactions, and telephone records. The operation ended up on YouTube. Could you talk about the operational security problems digital technology presents for such covert or clandestine activities?

Kelton: With the Israeli operation, the thing that people tend to forget about it is that they left a clue behind – a body. Whether that was the plan or not, the fact of the matter is that it led to an investigation, and the investigation led to everything else. Frequently, it is just one mistake or one error that can roll up an entire operation or lead to a compromise. Now, I don’t know whether the Israelis had calculated that this was possible, and just didn’t care because they felt that the target was worth it, or if there were operational errors. I tend to think the latter.

The issues of cameras, and that sort of thing, are something you have to consider now universally in the intelligence arena. But again, that operation was exceptional in that they left a body behind. Let’s just say that they were just there doing an activity and hadn’t left a body behind, nobody would have been the wiser. Let’s say they had gone into his room and stolen something instead.

So the risk of compromise goes up based on what sort of activity you are undertaking. So if you are undertaking a clandestine intelligence operation, but you are not going to kill somebody – you are just going to go out and do collection – and you can pose or present yourself as just a normal person, those other factors become factors to be considered, but not factors that obviate the ability to mount the operation. So again, it is a question of living a life that is consistent with the activity that you want to do.

TCB: Is there an “on and off” switch to operational security when intelligence officers are abroad versus when they go home?

Kelton: Certainly when you are overseas, you are 24/7 operational – or should be in most environments. There is no off switch. When you go back home, people don’t tend to worry about that as much. Frankly, it is living a life that allows you to do your operational activity. I marvel when people talk about all of these things being insurmountable challenges. They are not, because people are infinitely creative. Discipline as to how you do your activities, does not end with doing those activities.

As an intelligence officer – particularly one operating under a cover identity – you are never not working. Never. So you step through that door, and there is a different world where your life is that work. But that does not mean you don’t have a life when you are living in that world. Intelligence officers have families; they have all of those things. It is just that everything you do takes place within the context of that activity, of that work.

It’s really not work. It’s a calling. That is the only way to describe it, because it is an overwhelming sense of obligation to do things as well as you can possibly do them in service of the end goal. That does not mean that you don’t have a life and can’t live a life, and that life can’t be consistent with what you are trying to do. In fact, it can help you greatly to live a life because you want to look normal. You want to look as normal as you can, because the adversary will scrutinize you. In the long run, living your life helps you do your job better. What you don’t want to be is cloistered. 

The Author is Mark Kelton

Mark Kelton is currently Director of Threat Insider Solutions at Cipher Systems, LLC. Kelton is a retired senior Central Intelligence Agency executive with 34 years of experience in intelligence operations.  He completed his career in 2015 after serving as Deputy Director of the National Clandestine Service for Counterintelligence.  Mr. Kelton's distinguished career includes sixteen years of overseas service, to include four assignments in key CIA field leadership positions.

Learn more about The Cipher's Network here