
U.S. Counterintelligence in the 21st Century: Confronting the Russia–China Threat Nexus

OPINION — Geopolitical rivalry with China and Russia is intensifying, and counterintelligence (CI) is becoming even more central to U.S. national security. The intelligence services of both countries run aggressive, multidomain campaigns against U.S. institutions, technologies, and alliances. Russia, emboldened by its confrontation with the West since the 2014 annexation of Crimea, and China, empowered by new legal authorities and technology, are combining Cold War tradecraft with 21st-century tools. The United States must internalize the enduring lessons of past espionage failures and quickly build a forward-leaning, whole-of-nation CI strategy to prevail in this competition.

I. Cold War Legacies: Still Relevant Lessons

From 1945 to 1991, the West fought a constant intelligence war with the Soviet Union. The Cold War turned into a crucible of counterintelligence, producing legendary cases that still shape operational doctrines today.


Early on, the Cambridge Five, a ring of ideologically motivated British moles, showed that continuous behavioral monitoring matters more than a one-time background check or an elite pedigree. George Blake, who betrayed Operation Gold (the Anglo-American tunnel under East Berlin that tapped Soviet communications), underscored the risk of insider access even in the most sensitive technical operations.

In the 1980s, and above all in 1985, dubbed the “Year of the Spy,” the U.S. reeled from a wave of betrayals: John Walker was found to have passed cryptographic key material to Moscow for 18 years, and Jonathan Pollard was arrested for handing vast amounts of classified material, including SIGINT, to Israel, prompting fears of secondary compromise.

More damaging still were the espionage careers of Aldrich Ames and Robert Hanssen, who between them sold out American HUMINT networks and operations to the Soviet Union and then Russia for nearly two decades. Their betrayals cost lives, nullified surveillance capabilities, and exposed deep flaws in internal CI systems.

Each of these betrayals taught us lessons. Taken together, they form a playbook that the U.S. and our foreign partners should always keep in mind.

These enduring axioms emerged from that period:

  1. Assume hostile services are targeting every part of the U.S. government, and plan for depth and redundancy so that recovery from a compromise is fast.
  2. Technical weaknesses can be exploited, but insiders are more insidious; an insider-threat program is essential.
  3. CI and counter-threat offices across the U.S. Intelligence Community (USIC) and its cleared contractors need the tools and legal authorities to do their work.
  4. Detecting threats requires tools that monitor system access and usage for anomalies.
  5. System-access, financial, and behavioral data must be integrated for real-time anomaly detection. Each stream alone is a weak signal; Ames's unexplained affluence, for example, was noticed long before it was correlated with his access to the cases that were being lost.
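As an added example (not code from the original article or from any agency program), the following Python sketch shows what integrating the three data streams in axiom 5 looks like in practice: constructed access, financial and travel records for three hypothetical analysts are scored together, and a user is referred to CI only when indicators from at least two independent sources corroborate each other. The thresholds, weights and referral rule are assumptions for illustration.

```python
"""Added example: integrating access, financial and behavioral data for insider-threat triage.

All records below are constructed for illustration; the thresholds, weights
and referral rule are assumptions, not values from any agency program.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed system-access events: (user, ISO timestamp, compartment, records retrieved)
ACCESS_EVENTS = [
    ("analyst_a", "2024-03-04T10:12:00", "ASSETS-EUR", 12),
    ("analyst_a", "2024-03-05T14:30:00", "ASSETS-EUR", 9),
    ("analyst_b", "2024-03-04T09:40:00", "SIGINT-RU", 15),
    ("analyst_b", "2024-03-06T11:05:00", "SIGINT-RU", 11),
    ("analyst_c", "2024-03-04T22:47:00", "ASSETS-EUR", 240),
    ("analyst_c", "2024-03-07T23:15:00", "SIGINT-RU", 310),
    ("analyst_c", "2024-03-08T13:00:00", "TECH-ASIA", 14),
]

# Constructed need-to-know: compartments each user is formally read into
NEED_TO_KNOW = {
    "analyst_a": {"ASSETS-EUR"},
    "analyst_b": {"SIGINT-RU"},
    "analyst_c": {"TECH-ASIA"},
}

# Constructed financial-disclosure data for the same period
FINANCIALS = {
    "analyst_a": {"salary": 110_000, "cash_deposits": 2_500},
    "analyst_b": {"salary": 105_000, "cash_deposits": 1_200},
    "analyst_c": {"salary": 98_000, "cash_deposits": 48_000},
}

# Constructed behavioral data: unreported foreign trips in the period
UNREPORTED_TRAVEL = {"analyst_c": 2}

WORK_HOURS = range(7, 19)  # assumed normal hours, 07:00-18:59 local
BULK_FACTOR = 5            # a pull above 5x the peer median counts as bulk
CASH_RATIO = 0.20          # cash deposits above 20% of salary = unexplained affluence

# Assumed indicator weights and the data source each one comes from
WEIGHTS = {"after_hours": 1, "outside_ntk": 3, "bulk_pull": 3, "cash": 4, "travel": 2}
SOURCE = {"after_hours": "access", "outside_ntk": "access", "bulk_pull": "access",
          "cash": "financial", "travel": "behavioral"}


def score_users(events, need_to_know, financials, travel):
    """Return {user: {"score", "sources", "indicators"}} combining all three data streams."""
    per_user = defaultdict(list)
    for user, ts, comp, n in events:
        per_user[user].append((datetime.fromisoformat(ts), comp, n))
    # Peer baseline from the whole population, so a heavy user cannot set their own norm
    baseline = median(n for _, _, _, n in events)

    results = {}
    for user in set(per_user) | set(financials) | set(travel):
        found = []  # (indicator kind, human-readable detail)
        for when, comp, n in per_user.get(user, []):
            if when.hour not in WORK_HOURS:
                found.append(("after_hours", f"{when:%Y-%m-%d %H:%M} access to {comp}"))
            if comp not in need_to_know.get(user, set()):
                found.append(("outside_ntk", f"{comp} is outside need-to-know"))
            if n > BULK_FACTOR * baseline:
                found.append(("bulk_pull", f"{n} records from {comp} (peer median {baseline})"))
        fin = financials.get(user)
        if fin and fin["cash_deposits"] > CASH_RATIO * fin["salary"]:
            found.append(("cash", f"cash deposits {fin['cash_deposits']} against salary {fin['salary']}"))
        trips = travel.get(user, 0)
        if trips:
            found.append(("travel", f"{trips} unreported foreign trips"))
        results[user] = {
            "score": sum(WEIGHTS[kind] for kind, _ in found),
            "sources": sorted({SOURCE[kind] for kind, _ in found}),
            "indicators": [f"{kind}: {detail}" for kind, detail in found],
        }
    return results


def referrals(results, threshold=8, min_sources=2):
    """Users worth a CI referral: a high combined score AND corroboration from
    at least two independent data sources. A single-source hit, however loud,
    is left for an explanation via the user's security officer."""
    return sorted(user for user, r in results.items()
                  if r["score"] >= threshold and len(r["sources"]) >= min_sources)


if __name__ == "__main__":
    scored = score_users(ACCESS_EVENTS, NEED_TO_KNOW, FINANCIALS, UNREPORTED_TRAVEL)
    for user in referrals(scored):
        print(f"{user}: score {scored[user]['score']}, sources {scored[user]['sources']}")
        for line in scored[user]["indicators"]:
            print("   ", line)
```

Run as a script to print the referral and its indicators. If the financial and travel data are withheld, analyst_c's bulk after-hours pulls still score above the threshold, but as a single-source hit they are not referred on their own; that gap between "anomaly in one system" and "corroborated lead" is the point of the axiom.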

The U.S. government and its closest partners agree on these points. The good news is that much of this has also been adopted across private industry, where IP theft is a real threat. But there are gaps.

To understand the threats, let’s look at today’s CI landscape, focusing on China and Russia.


II. China's Legalized Intelligence and Strategic Patience

The People's Republic of China (PRC) is a bona fide intelligence superpower. It uses state authority, a supportive legal system, and a worldwide economic presence to collect at scale. The 2023 revision of the Counter-Espionage Law broadened the definition of espionage beyond state secrets to cover any documents, data, materials, or items deemed related to national security, exposing routine international contacts to legal jeopardy and giving security organs wider powers to raid foreign companies, non-governmental organizations, and academic collaborations in China.

China's Ministry of State Security (MSS) spearheads expansive HUMINT and cyber-enabled collection campaigns. Cases like the U.S. conviction of MSS officer Yanjun Xu for attempting to steal GE Aviation engine designs and the U.S. indictment of Linwei Ding, a former Google engineer, for theft of AI supercomputing trade secrets illustrate the country's focus on long-term technological advantage through espionage.

Beijing also runs state talent-recruitment programs that target foreign and diaspora scientists and mid-level engineers working on technologies that serve its technical espionage goals, leveraging family pressure on the diaspora, national pride, or professional incentives. The approach is working: the FBI has reported a 1,300% increase in China-related economic espionage cases over roughly a decade.

In cyberspace, China prefers stealth and persistence. The Volt Typhoon intrusion set burrowed into U.S. power, water, and telecommunications infrastructure using “living-off-the-land” techniques, built-in administrative tools rather than malware, which evaded detection for years. These footholds are pre-positioned for activation in a crisis, allowing Beijing to threaten domestic infrastructure while complicating attribution.
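The following Python detector is an added example, not from the original article or from any advisory: it runs over a handful of constructed Windows process-creation events and flags a host only when several distinct living-off-the-land techniques of the kind the public joint advisories on Volt Typhoon describe (netsh portproxy tunnels, ntdsutil dumps of the Active Directory database, wmic remote execution, built-in recon commands) appear on it within a short window. The event data, rule weights and window length are assumptions.

```python
"""Added example: flagging living-off-the-land (LOTL) activity in process-creation logs.

The command patterns follow techniques described in the public joint advisories
on Volt Typhoon; the events, weights and window below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (technique name, pattern over the command line, assumed weight). Each of these
# is a legitimate admin tool on its own; the detection keys on several distinct
# techniques appearing on the same host within the window.
LOTL_RULES = [
    ("portproxy_tunnel", re.compile(r"netsh\s+interface\s+portproxy\s+add", re.I), 3),
    ("ntds_dump", re.compile(r"ntdsutil\b.*\b(ifm|ntds)\b", re.I), 4),
    ("wmic_remote_exec", re.compile(r"\bwmic\b.*\bprocess\s+call\s+create\b", re.I), 2),
    ("builtin_recon", re.compile(r"\b(net\s+(group|localgroup|user)|netstat|ipconfig|arp)\b", re.I), 1),
]

# Constructed process-creation events: (ISO timestamp, host, user, command line)
SAMPLE_EVENTS = [
    ("2024-01-10T02:14:00", "dc01", "svc_backup",
     r'ntdsutil "ac i ntds" ifm "create full C:\Windows\Temp\pro" q q'),
    ("2024-01-10T02:40:00", "dc01", "svc_backup",
     "netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 "
     "connectport=8443 connectaddress=10.0.0.5"),
    ("2024-01-11T03:05:00", "dc01", "svc_backup", "cmd.exe /c netstat -ano"),
    ("2024-01-10T09:00:00", "ws17", "jdoe", "ipconfig /all"),
    ("2024-01-12T04:00:00", "fs02", "admin", 'wmic /node:fs02 process call create "cmd.exe /c whoami"'),
]


def rule_hits(cmdline):
    """Names of the LOTL rules a single command line matches (in rule order)."""
    return [name for name, pat, _ in LOTL_RULES if pat.search(cmdline)]


def detect(events, window_hours=48, min_distinct=2):
    """Return {host: summary} for hosts showing at least `min_distinct` different
    LOTL techniques inside any `window_hours` window. One technique alone, however
    suspicious, never trips this rule; that is a deliberate design choice."""
    hits = defaultdict(list)
    for ts, host, user, cmd in events:
        for name, pat, weight in LOTL_RULES:
            if pat.search(cmd):
                hits[host].append((datetime.fromisoformat(ts), name, weight, user, cmd))

    window = timedelta(hours=window_hours)
    flagged = {}
    for host, host_hits in hits.items():
        host_hits.sort()  # chronological; the window slides from each hit
        for start, *_ in host_hits:
            in_window = [h for h in host_hits if start <= h[0] <= start + window]
            techniques = {h[1] for h in in_window}
            if len(techniques) >= min_distinct:
                flagged[host] = {
                    "first_seen": start.isoformat(),
                    "techniques": sorted(techniques),
                    "score": sum(h[2] for h in in_window),
                    "users": sorted({h[3] for h in in_window}),
                }
                break
    return flagged


if __name__ == "__main__":
    for host, summary in detect(SAMPLE_EVENTS).items():
        print(host, summary)
```

Any one of these commands is routine for an administrator, which is exactly why alerting on a single command fails against this tradecraft; the correlation across techniques and time is what separates the domain controller in the sample from the workstation that merely ran ipconfig. Loosening `min_distinct` to 1 shows the cost: every host with any matching command is flagged.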

And in space, China’s development of rendezvous-capable satellites such as Shijian-21, which demonstrated the ability to dock with and maneuver other spacecraft, suggests a capability to disable or capture high-value U.S. assets in geostationary orbit.

III. Russia's Post-Expulsion Reinvention

Russia has suffered setbacks and trails China in similar endeavors but is catching up quickly. Its intelligence services, particularly the GRU and SVR, were hit hard when more than 300 operatives were expelled from Europe in 2022, which undoubtedly disrupted collection. Yet, stripped of traditional diplomatic cover, Moscow adapted quickly. GRU Unit 29155, responsible for special operations, shifted to freelance saboteurs recruited online to conduct arson, infrastructure disruption, and other technical and psychological warfare intended to stretch European security services and sap morale.

Cyber operations remain Russia's strategic centerpiece. The SolarWinds breach in 2020, attributed to the SVR, reached into government and private networks through a trojanized update of the SolarWinds Orion platform; roughly 18,000 customers received the tainted update, and the operators selected about a hundred of them, including nine U.S. federal agencies, for hands-on follow-on access, achieving months of dwell time inside internal systems. That access allowed them to collect data and potentially leave behind sabotage tooling.

This reflects Moscow’s doctrine of “information confrontation,” which combines the lines of espionage and influence operations. This is something the PRC does as well.

HUMINT feeding technical and kinetic operations was on display in April 2024, when two German-Russian dual nationals were arrested in Bavaria for surveilling U.S. military facilities and planning arson and bomb attacks on infrastructure supporting Ukraine. The case underlines the risk of kinetic escalation via HUMINT collection.

In space, Russia is pursuing destructive kinetic capabilities, as its November 2021 Nudol direct-ascent anti-satellite (ASAT) test showed: it destroyed the defunct Kosmos 1408 satellite, generated more than 1,500 pieces of trackable debris, and forced the ISS crew to shelter. Such moves highlight Russia's aim to degrade U.S. space resilience in a crisis. The PRC is developing similar platforms for wartime use.


IV. Common Tactics

Though distinct in structure and strategy, Russia and China now show clear convergence in how they conduct espionage and prepare to win a war against the democracies of Europe, the U.S. and its Five Eyes partners, and allies in Asia. Using the HUMINT and SIGINT capabilities described above, they are already running operations to deny our ability to defend ourselves, such as:

Proxy Operations: Both use third-party actors, freelancers, academic cut-outs, and contractors to avoid attribution while maintaining the ability to penetrate their main enemy.

Supply-Chain Compromise: Targeting widely deployed software and network edge products (e.g., the JetBrains TeamCity build server exploited by the SVR, and Ivanti Connect Secure VPN appliances exploited by China-linked actors) creates scalable, stealthy entry points that perimeter defenses miss.

Space Denial: Direct-ascent and co-orbital systems demonstrate that space systems are contested CI terrain.

V. A 21st-Century CI Response: Recommendations for U.S. Resilience

The United States must evolve its CI strategy from ad hoc protection to sustained, cross-domain campaigns to confront these threats.

How can it go about that?

HUMINT resilience:

Enhanced Vetting: Continuous evaluation should include psycholinguistic analytics, financial anomaly detection, and travel surveillance.

Offensive CI Cells: Expand the use of controlled dangles, double-agent operations, and deception feeds.

Diaspora Engagement: Work with community leaders to detect coercion, such as China’s “Fox Hunt” campaigns, and support voluntary reporting.

Cyber counterintelligence:

Zero-Trust Architecture: All IC systems should have identity-centric defenses with analytics on user behavior.

Public-Private Partnership: CI teams must implement proactive cyber deception and integrate with industry threat-sharing platforms.

Space domain protection, redundancy and reconstitution:

Proliferated Constellations: Create launch-on-demand capabilities and numerous satellite constellations so that critical functions have redundant providers and decoys.

On-Orbit Deception: Install automated maneuvering scripts, laser-reflective coatings, and electromagnetic masking on satellites.

CI–SDA Integration: Co-locate CI analysts and counter-space operators to facilitate real-time attribution of orbital threats.

Integration of institutions:

CI Liaisons in CISA: Integrate CI officers into cyber defense teams to turn anomalies in the digital world into leads for human intelligence.

Supply Chain Security Board: Coordinate with DHS, the National Counterintelligence and Security Center (NCSC), DoD, and the Department of Commerce to map dependencies on adversary-controlled technology and drive policies toward self-sustaining domestic supply.

Allied Reciprocity Agreements: To speed up cueing, share raw threat data with important partners (like Five Eyes) rather than complete intelligence.

Modernization of the workforce and use of technology:

AI Copilots: Use LLMs for anomaly scanning across classified and open-source holdings (in safe, air-gapped environments), treating their output as leads for an analyst to verify rather than as findings in themselves.

Language Depth: Provide IC case officers and federal agents with retention bonuses for Mandarin and Russian language immersion training.

Red Teaming: Evaluate agency preparedness and response mechanisms by simulating ASAT and day-after sabotage scenarios.

In summary, the Russia-China intelligence threat is a sustained, open-ended struggle for global influence rather than a short-term obstacle. Despite the new tools available, the fundamental dynamics still rest on human vulnerability. Even with today's fiber networks, cloud platforms, and orbital systems, espionage still runs on coercion, ideology, and greed.

The U.S. needs a resilient, integrated, and proactive CI architecture built for the threats of today and those to come.

Combining Cold War lessons with contemporary analytics, extending CI into the private sector, and carefully and selectively training a new generation of professionals can build a defense as precise as the threat it faces.

Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.
