Intelligence: Getting it Right!
He was an award-winning horticulturalist successfully growing the rarest of orchids. He was an expert fly fisher and a documenter of river systems. He was a poet and publisher, as well as a long time correspondent of T.S. Eliot. He was schooled in the art of New Criticism while attending Yale, and later studied law at Harvard. But more than anything, he was the unrelenting hunter of “moles” within the CIA and, by extension, many governments and agencies of the Western world during the height of the Cold War.
James Angleton was the counter-intelligence chief to no less than six CIA Directors. A complex man, he was the first to raise the flag of suspicion regarding Soviet KGB mole Kim Philby (a senior British intelligence official and member of the infamous Cambridge Spy Ring). Angleton was also the chief interrogator of Yuri Nosenko and Anatoliy Golitsyn – both believed to be KGB officers, and one likely a plant to misinform and misdirect Western intelligence. Sadly for Nosenko, who was not believed by Angleton and his intimates, he spent several years in a solitary CIA interrogation cell. Golitsyn, however, became the source who fuelled Angleton’s single minded obsession with uncovering treachery within. Over two decades, he led the most invasive mole hunt at the CIA and which impacted all Western agencies. Unfortunately, however, it resulted mainly in shattered careers, strained alliances, and organizations beset with internecine warfare.
To this day, the Angleton legacy stands as a tale of caution for those considering the revival of enhanced counter-intelligence in the aftermath of the treacherous activities of Canadian Naval Lieutenant Jeffrey Paul Delisle.
(Also see: http://news.nationalpost.com/2012/10/10/jeffrey-paul-delisle-pleads-guil...)
It is clear that the depth of extremist violence in the decade following the collapse of the Twin Towers on September 11 re-focused our attention on the threat of terrorism. So much so, that it propelled both the general public and those charged with protecting national security or the proprietary information of private companies, to reduce priorities relative to “spying” in favour of anti-terrorism concerns. Critical life threatening cases or the need by the private sector to “harden” corporate assets from the threat of terror, demanded no less. Despite the legitimacy of emphasizing the prevention of terrorism or improving the physical protection of corporate activities abroad, it is now important for us to face a simple truth: spies are indeed among us.
While some now postulate that spies returned to the scene to commit new crimes, the reality is: they never left.
Others believe the shift in the perceptual lens is the result of the growing list of cyber attacks and, more recently, the number of prosecutions of those effectively pursuing the art of human intelligence (HUMINT) – or in the vernacular: “spying”.
The 2010 arrest by U.S. officials of 11 Russian “illegals” who had assumed the identities of dead Americans and were living “normal” middle class lives in the homeland, was a stark reminder that classic espionage was alive and well. Lt. Delisle’s guilty plea makes it “local” or relevant for Canadians and, of course, shocking in terms of how he did it.
So what motivates the continuance of an activity that is often characterized as unseemly, yet has been with us since biblical times? Is it ideology, money, sex, revenge? The short answer is: yes. All of these drivers fit the pathology of spy cases through the ages. However, and in my experience, revenge has been a core motivation, with money or profit in immediate tow. Whether in a “spy versus spy” case snaring agents of the state, or one of corporate spying where intellectual property has been the prize, ego and greed have featured prominently.
Motivation notwithstanding, objectives have remained consistent: to gain political, military, security or intellectual and commercial advantage. However, the prioritization of those objectives, the methods applied and the targets being pursued have transformed to fit 21st century reality.
Classic HUMINT efforts against traditional targets (such as government-held secrets) remain a clear and present danger. However, there has been a sharp convergence of state and non-state interests and activities – all focused on economic or commercial insights and advantage. In other words, the intelligence capabilities of many countries, as well as corporate outliers using contracted means, are aggressively stealing intellectual property to gain market advantage, establish a dominant global position, or deliver assurance of access to strategic industries or resources. Equally troubling is that the “human spy” method is being supplemented by anonymous, cost effective, and increasingly successful Internet-based cyber attacks.
A High Price to Pay
What then is the effect or cost of all this alleged loss of proprietary information, be it government or corporate? It is both incalculable and growing. In the extreme, and as witnessed throughout history, intelligence collection assets have been arrested and executed; years of military, security or economic planning have been lost; and decades of research and development have been wasted. Overall, economic and societal advantages (in the form of products, services, policies or initiatives) have been stolen, countered, copied or thwarted. Reputations of persons and entities have been damaged through the loss of public trust or through shareholder revolt (Ministers of the Crown resigning, corporate executives removed). Given current trends, it is predictable that such outcomes will intensify, particularly due to the potency of this new form of combined espionage threat, which has benefitted from an unfortunate measure of complacency, innocence or neglect.
If true, the response to the challenge must be simple:
- Turn up the security volume by enhanced vetting of those within or aspiring to join the inner circles of knowledge;
- Restrict information system access to only those who truly need to know; and
- Closely watch the suspicious.
Though not an unreasonable response, what happens if you get it wrong? What are the consequences of acting on erroneous information? Who pays the price if, or when, aggrieved parties pursue justifiable recourse or redress?
The 2011 case of three Renault SA executives unjustly dismissed over a corporate espionage caper involving product development secrets for an electric car will likely cost the company significant coin. Similar issues and events have also plagued public policy areas, where persons who were denied a security clearance have sought justification for their dismissal or the limits placed on their ability to increase their scope of responsibility and remuneration. Most of those Canadian public service cases become long, costly affairs with outcomes that tend to leave both sides bitter and exhausted.
In the most practical of ways, the pilfering of knowledge or secret information cannot be so easily arrested. Reducing the risk of loss is a very tricky business in an increasingly complex world. This is the new reality in a world where data flow, social networking, collaborative tools, and open source intelligence (OSINT) exploitation, to name just a few, have been the very key to the success of our open societies and free market prosperity.
Equally, the rights of employees, particularly those governing privacy, as well as employer/employee relations, are increasingly clear. A number of tribunals and court decisions have placed limits on the measures an organization can invoke to stem the negative effects of inappropriate access and misuse of proprietary information and systems.
Information and Threat
Diminishing access to information will have an immediate, and likely painful, negative effect, irrespective of the organization’s mission. In stark terms, profits will be lost, companies will cease to be competitive, governments will be hampered in achieving targeted service rates for citizens – and terrorists will be successful.
It is not impossible to imagine that, in a reduced-information-flow environment, Canada would experience a significant terrorist event – up to and including loss of life – a price too high for most.
Finally, we have now constructed concentric circles of open and closed information ecosystems. Information is reliant on information. Analysts require broad and varied sources of useable data to provide relevant and prescient assessments that inform decision making.
Limiting one system can have extended effects on other sources and processes – sometimes several layers removed. Also of considerable importance to this calculation is the human factor. Those trained minds under the age of 40 will not likely remain engaged, nor will they be meeting expectations on results, if they find their access to both open and closed data and networks being limited for reasons that will seem at best remote, and at worse esoteric or irrelevant.
Getting it Right
So what does an institution or corporation do in a “wilderness of mirrors”? How does that entity navigate the delicate balance between delivering a high level of security for its people and facilities, while ensuring that the lights – that is, the intelligence behind the decisions that create progress or profits – are not turned off? Or, how does the organization ensure that adjustments do not negatively impact labour regulations, staff morale or public confidence?
A measured approach, based on a clear understanding of what is at risk, is a reasonable formula. Fundamental to this is a clear initial assessment: who are the potential threat actors; what assets are likely to be targeted; when are opportunities to compromise at their best or worst; where will organizational assets be subject to compromise; and, why would this threat manifest itself in the first place?
Engaging in global business ventures or pursuing statecraft can be accomplished with measurable levels of security assurance, irrespective of the growing complexity and reach of the threats being faced.
As most experienced organizational leads will attest, no outcome or threat impact can be predicted with absolute certainty. Having said that, threats and risks can be identified, and most can be mitigated with considerable effect. The remaining threats may just be the cost of doing business, be it public or private. However, not knowing what might “bite” an organization is simply not tolerable, from the perspective of public trust and accountability, to corporate governance matters involving shareholders.
Getting it right involves paying attention, understanding the nature of what might ail, as well as being thoughtful in regards to remedies. In other words, ensuring that the actions of management are tailored to organizational circumstances. If the construct is appropriately weighted, effective security will be achieved.
Ray Boisvert is President & CEO of I-Sec Integrated Strategies and is the former Assistant Director, Intelligence at the Canadian Security Intelligence Service (CSIS).
© Frontline Security 2012