“Hey Thorne. Don’t get caught, my wife likes it here.” That was the Deputy Chief of Station’s regular advice to all case officers prior to their agent meetings. The message was clear: identify threats to the operation, mitigate those risks, and fully understand the consequences for failure – arrest, detention, interrogation for the case officer and certain imprisonment; possible torture or death – for the source.
The removal of the DCOS and his wife following an operational failure by his subordinate was more than an inconvenience. It reduced the collection capabilities of the station and increased reputational risk for the larger organization. Few people, (informants and sources in espionage parlance and customers in the business vernacular), are likely to collaborate with an organization that cannot protect their most sensitive information. The components of classical espionage – obtaining privileged information, overcoming multiple levels of security, and protecting the source of the information – have useful lessons that extend to the rest of government, industry, and more specifically, the realm of cybersecurity. Cybersecurity and espionage share fundamental and unique characteristics – the protection of valuable information, identifying risks, communicating those risks to stake holders, and mitigating the risks to accomplish the mission.
Risk is an elastic term that takes on different meanings to different constituencies; military, intelligence, law enforcement, and business professionals each have their own risk vernacular. Even within the intelligence community, risk takes on different shades and hues: from the case officer who relies on humans for plans and intentions, the technical officer who places his or her confidence in the rigor and formulas of scientific systems, to the analyst who values all collection – but none too much. Risk criteria and risk parlance change within the IC based on what can be lost – human lives, complex and expensive systems, or the trust of policymakers.
The wars in Afghanistan, Iraq, and unnamed conflict zones has brought together professionals with diverse expertise in military operations, intelligence, and law enforcement towards a common goal. The participation in joint operations and combined task forces around the world has forged a common language through common experience. That same level of collaboration and cooperation found in the war zones can be applied to challenges of cybersecurity. Borrowing terminology from high threat occupations can establish a common lexicon of risk that is applicable to the private and public sector in this ever-evolving area of operation.
The world of human intelligence operations has a rich vocabulary of operational tradecraft – terms that describe the methods and techniques used to mitigate risk. Some of these terms have a cyber security corollary and provide a point of reflection for the daunting and complex task of information security in the cyber era. Here are a few to consider:
Collect: Survey your risk factors and know your risk status.
- HUMINT: What is my surveillance status? Who is collecting on me and how? What additional resources can I employ to defeat a more capable and better resourced adversary?
- Cybersecurity: What are the known threats to my information architecture – my technical network and the people that use it (such as an insider threat). What is security status of my network? Are my defenses up to date? What is the security status of the people I have employed to manage my network? You won’t find vulnerabilities if you don’t look for them. There are millions of phishing attempts and only one firewall.
Consequences: What are the consequences of failure?
- HUMINT: Arrest of a human source will result in loss of near-term information and have negative strategic consequences for future collection.
- Cybersecurity: Loss of intellectual property, revenue and reputation as well as negative impact to stock price and shareholders.
Mitigation: What actions can be taken to reduce risk?
- HUMINT: One could add resources to counter surveillance – longer detection routes and introduction of technical countermeasures, for example.
- Cybersecurity: One must ask: what additional resources do I need to monitor my network and information environment? Are they current? Am I defending against the most common threat? What about the correct threat?
Continuity: In the event of compromise, how do I continue the mission?
- HUMINT: Redundant and complementary informants will allow continued intelligence collection. Human sources can complement technical collection and technical collection can enhance human reporting.
- Cybersecurity: Multiple and redundant information systems allow business to continue in the event of a breach. What are the means of business communication and collaboration? How will a disruption to the network by power outage, natural disaster, or calamity affect business operations?
Communications: Do my team members, up and down the chain of command, understand the risks?
- HUMINT: Do operational managers understand the risks to the operation, station management, headquarters, policymakers, and the Ambassador?
- Cybersecurity: Do the members of the executive team understand where their information is located and the threats to that information? Do they understand and implement the necessary measures to protect their information?
Cybersecurity is fluid and dynamic – the lexicon to explain it needs to adapt as well.