Intelligence officers’ tradecraft is highly guarded for good reason. One of its most important aspects is establishing a cover identity so foreign governments and hostile groups are not aware who is spying on them. The Cipher Brief’s Levi Maxey spoke with Daniel Hoffman, a former CIA station chief, about what it takes to work under a cover, particularly with the advent of digital technology and the surveillance capabilities that come with it.
The Cipher Brief: How do intelligence covers broadly work?
Daniel Hoffman: The key principle is that cover is about looking like someone else. You are pretending to be somebody else, whom you are not. You should know what that person looks like and you have to know how they behave. Then you have to be able to mirror them. If you don’t do that, then you draw scrutiny on yourself.
TCB: What are the key elements to keep in mind when building a cover and how long does it take to do so?
Hoffman: There are two things to keep in mind. One is the anticipated level of scrutiny. This would be off-the-charts high in a place like Russia, for example. Second is the operational task. Based on these two factors, you can build an appropriate cover. The time required to build cover varies, depending on those two factors.
TCB: What are ways that you can backstop a cover? For example, is it simply establishing a made-up company with people answering the phone?
Hoffman: Things like that and some pocket litter or business cards might have been enough many years ago. They still matter, but in today’s world you need the right kind of social media profile. It also depends on what you’re doing and where you are working.
TCB: How do intelligence officers view social media? Is this something that they want no presence on, or do they have a long-established presence that is in line with their cover?
Hoffman: I wouldn’t generalize because I think every intelligence officer is different. My personal view of social media is that it’s a fact of life. You just have to be careful about what you post on social media. But I think the rules that apply for intelligence officers, as far as being discreet and careful about what you are posting on social media, apply as well to other government employees and beyond into the private sector. Social media can be a wonderful force multiplier for free expression but also put you at great risk. It is just a different price you pay whether you are an intelligence officer, serving in the U.S. military, a private businessman, or even a college student. There are risks to using social media and there is a lot of gain as well.
TCB: Do you think there are data analytic tools similar to how social media companies are seeking to identify those susceptible to radicalization, but used for pattern recognition analysis in identifying intelligence officials?
Hoffman: There are some computer programs – cognitive computing – that have been used, for example, to conduct assessment on insider threats. This is based on word analysis of an individual’s script, including emails. There have been some interesting articles written which assessed Snowden’s email activity.
Hostile intelligence services focus on our social media. They have to pick and choose whose social media to focus on, but if they suspect someone of being an intelligence officer or a person of interest worth tracking, then they are going to dissect their social media. I am sure that in Russia and China, for example, they are going to assess that data and determine what it might mean in terms of an individual’s status as an intelligence officer. They could also seek to determine whether a person of interest might be vulnerable to a recruitment pitch.
TCB: What kind of counterintelligence effect then could something like the 2015 Office of Personnel Management breach have?
Hoffman: An intelligence service that is focused on determining the identities of foreign intelligence officers in their country will use a variety of collection and analytic methods. First, they will seek to penetrate the embassy. Cover is about looking like somebody else, and some of the people most adept at seeing who the outliers are – those who might not quite be fitting in with their cover profile – are local embassy hires. Russian intelligence, for example, is particularly focused on local national hires. Hostile intelligence services have also sought to penetrate the State Department’s “sensitive but unclassified” computer system, which could give them information on who is who, and who does what.
As far as the OPM breach, that means we lost 21 million records to the Chinese, who might have shared this treasure trove of information with others. That information – albeit a snapshot in time – is valuable and when it is married up with the theft of medical records, which were also hacked, foreign intelligence services can learn a lot about people’s vulnerabilities. It just gives them a leg up on spotting potential operational targets whom they might want to recruit.
TCB: How can all this information be aggregated and retroactively analyzed if suspicion that someone is an intelligence officer is triggered? How does this impact operational security? For example, an Israeli operation in Dubai was discovered and posted on YouTube.
Hoffman: Governments with the resources will use increasingly sophisticated technology for counterintelligence purposes. It is an adjunct to their other collection, including traditional surveillance. CCTV cameras, for example, are a really effective additional capability of which one should be cognizant.
The commonalities for the operations that have been exposed are tradecraft errors. And those who were involved in those operations probably were not as cognizant as they should have been of the technology that could be deployed against them. That is part of understanding the new battlespace. You should assess the extent to which your enemies have the capability and interest in scrutinizing you.
TCB: After the Dubai operation we saw the cover identities of Mossad officers posted on social media. We have seen the Shadow Brokers publish NSA identities. How does publicly revealing the identities of intelligence officials play into a broader strategy by foreign intelligence services?
Hoffman: When I started serving a long time ago, one of our chief concerns was traitors like Philip Agee, who were publishing the names of CIA officers and putting them at great personal risk as a result. Today our enemies are using the same sort of strategy, but with different tactics – using wildly asymmetric cyberspace for delivery that carries a lot more force compared to Philip Agee’s book. A hostile service does not have to publish something that is necessarily true to do damage. For example, a few years back the Russians tried to smear a State Department diplomat in Moscow with a fake video disseminated online.