== Counterintelligence missions ==
[[Frank Wisner]], a well-known CIA operations executive, said of the autobiography of Director of Central Intelligence [[Allen W. Dulles]],<ref name=Dulles>{{cite book | last = Dulles | title = The Craft of Intelligence | author-link = Allen W. Dulles | first = Allen W. | publisher = Greenwood | year = 1977 | isbn = 0-8371-9452-0 | id = Dulles-1977 }}</ref> that Dulles "disposes of the popular misconception that counterintelligence is essentially a negative and responsive activity, that it moves only or chiefly in reaction to situations thrust upon it and in counter to initiatives mounted by the opposition." Rather, he sees that it can be most effective, both in information gathering and protecting friendly intelligence services, when it creatively but vigorously attacks the "structure and personnel of hostile intelligence services."<ref name=Wisner>{{cite web | title = On "The Craft of Intelligence" | last = Wisner | first = Frank G. | date = 1993-09-22 | id = CIA-Wisner-1993 | url = https://www.cia.gov/library/center-for-the-study-of-intelligence/kent-csi/docs/v08i1a07p_0004.htm | access-date = 2007-11-03 | archive-url = https://web.archive.org/web/20071115004339/https://www.cia.gov/library/center-for-the-study-of-intelligence/kent-csi/docs/v08i1a07p_0004.htm | archive-date = 2007-11-15 | url-status = dead }}</ref>

Today's counterintelligence missions have broadened from the time when the threat was restricted to the foreign intelligence services (FIS) under the control of nation-states. Threats have broadened to include threats from non-national or trans-national groups, including internal insurgents, organized crime, and transnational based groups (often called "terrorists", but that is limiting). Still, the FIS term remains the usual way of referring to the threat against which counterintelligence protects.

In modern practice, several missions are associated with counterintelligence from the national to the field level.
* Defensive analysis is the practice of looking for vulnerabilities in one's own organization, and, with due regard for risk versus benefit, closing the discovered holes.
* Offensive counterespionage is the set of techniques that at least neutralizes discovered FIS personnel and arrests them or, in the case of diplomats, expels them by declaring them [[persona non grata]]. Beyond that minimum, it exploits FIS personnel to gain intelligence for one's own side, or actively manipulates the FIS personnel to damage the hostile FIS organization.
* Counterintelligence force protection source operations (CFSO) are human source operations, conducted abroad, that are intended to fill the existing gap in national-level coverage in protecting a field station or force from terrorism and espionage.

Counterintelligence is part of [[intelligence cycle security]], which, in turn, is part of [[intelligence cycle management]]. A variety of security disciplines also fall under intelligence security management and complement counterintelligence, including:
* [[Physical security]]
* [[Intelligence cycle security#Personnel security|Personnel security]]
* [[Communications security]] (COMSEC)
* [[Information security|Information system security]] (INFOSEC)
* [[Classified information|security classification]]
* [[Operations security]] (OPSEC)

The disciplines involved in "positive security," measures by which one's own society collects information on its actual or potential security, complement security. For example, when communications intelligence identifies a particular radio transmitter as one used only by a particular country, detecting that transmitter inside one's own country suggests the presence of a spy that counterintelligence should target. In particular, counterintelligence has a significant relationship with the collection discipline of [[HUMINT]] and at least some relationship with the others. Counterintelligence can both produce information and protect it.
All US departments and agencies with intelligence functions are responsible for their own security abroad, except those that fall under [[Chief of Mission]] authority.<ref name=Matschulat>{{cite web |url=https://www.cia.gov/library/center-for-the-study-of-intelligence/kent-csi/docs/v13i2a05p_0001.htm |first=Austin B. |last=Matschulat |title=Coordination and Cooperation in Counterintelligence |date=1996-07-02 |access-date=2007-11-03 |url-status=dead |archive-url=https://web.archive.org/web/20071010091345/https://www.cia.gov/library/center-for-the-study-of-intelligence/kent-csi/docs/v13i2a05p_0001.htm |archive-date=2007-10-10 }}</ref>

Governments try to protect three things:
* Their personnel
* Their installations
* Their operations

In many governments, the responsibility for protecting these things is split. Historically, the CIA assigned responsibility for protecting its personnel and operations to its Office of Security, while it assigned the security of operations to multiple groups within the Directorate of Operations: the counterintelligence staff and the area (or functional) unit, such as Soviet Russia Division. At one point, the counterintelligence unit operated quite autonomously, under the direction of [[James Jesus Angleton]]. Later, operational divisions had subordinate counterintelligence branches, as well as a smaller central counterintelligence staff. [[Aldrich Ames]] was in the Counterintelligence Branch of Europe Division, where he was responsible for directing the analysis of Soviet intelligence operations. US military services have had a similar and even more complex split.

This kind of division clearly requires close coordination, and this in fact occurs on a daily basis. The interdependence of the US counterintelligence community is also manifest in its relationships with liaison services.
The counterintelligence community cannot cut off these relationships because of concern about security, but experience has shown that it must calculate the risks involved.<ref name = Matschulat/>

On the other side of the CI coin, counterespionage has one purpose that transcends all others in importance: penetration. The emphasis which the KGB places on penetration is evident in the cases already discussed from the defensive or security viewpoint. The best security system in the world cannot provide an adequate defense against it because the technique involves people. The only way to be sure that an enemy has been contained is to know his plans in advance and in detail.

{{blockquote|Moreover, only a high-level penetration of the opposition can tell you whether your own service is penetrated. A high-level defector can also do this, but the adversary knows that he defected and within limits can take remedial action. Conducting CE without the aid of penetrations is like fighting in the dark. Conducting CE with penetrations can be like [[shooting fish in a barrel]].<ref name=Matschulat />}}

In the British service, the cases of the [[Cambridge Five]], and the later suspicions about MI5 chief Sir [[Roger Hollis]] caused great internal dissension. Clearly, the British were penetrated by Philby, but it has never been determined, in any public forum, if there were other serious penetrations.

In the US service, there was also significant disruption over the contradictory accusations about moles from defectors [[Anatoliy Golitsyn]] and [[Yuri Nosenko]], and their [[James Jesus Angleton#Golitsyn and Nosenko|respective supporters in CIA and the British Security Service (MI5)]]. Golitsyn was generally believed by Angleton. [[George Kisevalter]], the CIA operations officer that was the CIA side of the joint US-UK handling of [[Oleg Penkovsky]], did not believe Angleton's theory that Nosenko was a [[KGB]] plant.
Nosenko had exposed [[John Vassall]], a [[KGB]] asset principally in the British Admiralty, but there were arguments Vassall was a KGB sacrifice to protect other operations, including Nosenko and a possibly more valuable source on the Royal Navy.

=== Defensive counterintelligence ===
Defensive counterintelligence starts by looking for places in one's own organization that could easily be exploited by foreign intelligence services (FIS). FIS is an established term of art in the counterintelligence community, and, in today's world, "foreign" is shorthand for "opposing." Opposition might indeed be a country, but it could be a transnational group or an internal insurgent group. Operations against a FIS might be against one's own nation, or another friendly nation. The range of actions that might be done to support a friendly government can include a wide range of functions, certainly including military or counterintelligence activities, but also humanitarian aid and aid to development ("nation building").<ref name=JP3-07.1>{{cite web | url = https://fas.org/irp/doddir/dod/jp3_07_1.pdf | title = Joint Publication 3-07.1: Joint Tactics, Techniques, and Procedures for Foreign Internal Defense (FID) | date = 2004-04-30 | access-date = 2007-11-03 }}</ref>

Terminology here is still emerging, and "transnational group" could include not only terrorist groups but also transnational criminal organizations. Transnational criminal organizations include the drug trade, money laundering, extortion targeted against computer or communications systems, smuggling, etc.

"Insurgent" could be a group opposing a recognized government by criminal or military means, as well as conducting clandestine intelligence and covert operations against the government in question, which could be one's own or a friendly one.
Counterintelligence and counterterrorism analyses provide strategic assessments of foreign intelligence and terrorist groups and prepare tactical options for ongoing operations and investigations. Counterespionage may involve proactive acts against foreign intelligence services, such as [[double agent]]s, [[deception]], or recruiting foreign intelligence officers. While clandestine [[HUMINT]] sources can give the greatest insight into the adversary's thinking, they may also be most vulnerable to the adversary's attacks on one's own organization. Before trusting an enemy agent, remember that such people started out as being trusted by their own countries and may still be loyal to that country.

=== Offensive counterintelligence operations ===
Wisner emphasized his own, and Dulles', views that the best defense against foreign attacks on, or infiltration of, intelligence services is active measures against those hostile services.<ref name=Wisner /> This is often called '''counterespionage''': measures taken to detect enemy espionage or physical attacks against friendly intelligence services, prevent damage and information loss, and, where possible, to turn the attempt back against its originator. Counterespionage goes beyond being reactive and actively tries to subvert hostile intelligence services, by recruiting agents in the foreign service, by discrediting personnel actually loyal to their own service, and taking away resources that would be useful to the hostile service. All of these actions apply to non-national threats as well as to national organizations.

If the hostile action is in one's own country or in a friendly one with co-operating police, the hostile agents may be arrested, or, if diplomats, declared [[persona non grata]]. From the perspective of one's own intelligence service, exploiting the situation to the advantage of one's side is usually preferable to arrest or actions that might result in the death of the threat.
The intelligence priority sometimes comes into conflict with the instincts of one's own law enforcement organizations, especially when the foreign threat combines foreign personnel with citizens of one's country.

In some circumstances, arrest may be a first step in which the prisoner is given the choice of co-operating or facing severe consequences up to and including a death sentence for espionage. Co-operation may consist of telling all one knows about the other service but preferably actively assisting in deceptive actions against the hostile service.

=== Counterintelligence protection of intelligence services ===
Defensive counterintelligence specifically for intelligence services involves risk assessment of their culture, sources, methods and resources. Risk management must constantly reflect those assessments, since effective intelligence operations are often risk-taking. Even while taking calculated risks, the services need to mitigate risk with appropriate countermeasures.

FIS are especially able to explore open societies and, in that environment, have been able to subvert insiders in the intelligence community. Offensive counterespionage is the most powerful tool for finding penetrators and neutralizing them, but it is not the only tool. Understanding what leads individuals to turn on their own side is the focus of Project Slammer. Without undue violations of personal privacy, systems can be developed to spot anomalous behavior, especially in the use of information systems.

Decision makers require intelligence free from hostile control or manipulation. Since every intelligence discipline is subject to manipulation by our adversaries, validating the reliability of intelligence from all collection platforms is essential. Accordingly, each counterintelligence organization will validate the reliability of sources and methods that relate to the counterintelligence mission in accordance with common standards.
For other mission areas, the USIC will examine collection, analysis, dissemination practices, and other intelligence activities and will recommend improvements, best practices, and common standards.<ref name=NCIX>{{Cite web | url = https://fas.org/irp/ops/ci/cistrategy2007.pdf | title = National Counterintelligence Executive (NCIX) | year = 2007 }}</ref>

Intelligence is vulnerable not only to external but also to internal threats. Subversion, treason, and leaks expose vulnerabilities, governmental and commercial secrets, and intelligence sources and methods. The insider threat has been a source of extraordinary damage to US national security, as with [[Counterintelligence failures#Aldrich Ames|Aldrich Ames]], [[Counterintelligence failures#Robert Hanssen|Robert Hanssen]], and [[Counterintelligence failures#Edward Lee Howard|Edward Lee Howard]], all of whom had access to major clandestine activities. Had an electronic system to detect anomalies in browsing through counterintelligence files been in place, [[Counterintelligence failures#Robert Hanssen|Robert Hanssen]]'s searches for suspicion of activities of his Soviet (and later Russian) paymasters might have surfaced early. Anomalies might simply show that an especially creative analyst has a [[Intelligence analysis#Trained intuition|trained intuition]] of possible connections and is trying to research them.

Adding the new tools and techniques to [national arsenals], the counterintelligence community will seek to manipulate foreign spies, conduct aggressive investigations, make arrests and, where foreign officials are involved, expel them for engaging in practices inconsistent with their diplomatic status or exploit them as an unwitting channel for deception, or turn them into witting double agents.<ref name=NCIX /> "Witting" is a term of intelligence art that indicates that one is not only aware of a fact or piece of information but also aware of its connection to intelligence activities.
[[Victor Suvorov]], the pseudonym of a former Soviet military intelligence ([[Glavnoye Razvedyvatel'noye Upravleniye|GRU]]) officer, makes the point that a defecting HUMINT officer is a special threat to walk-in or other volunteer assets of the country that he is leaving. Volunteers who are "warmly welcomed" do not take into consideration the fact that they are despised by hostile intelligence agents.

{{blockquote|The Soviet operational officer, having seen a great deal of the ugly face of communism, very frequently feels the utmost repulsion to those who sell themselves to it willingly. And when a GRU or KGB officer decides to break with his criminal organization, something which fortunately happens quite often, the first thing he will do is try to expose the hated volunteer.<ref name=Suvorov-IM-04>{{Cite book | first = Victor | last = Suvorov | title = Inside Soviet Military Intelligence | url = http://militera.lib.ru/research/suvorov8/16.html | publisher = MacMillan Publishing Company | year = 1984 | chapter = Chapter 4, Agent Recruiting }}</ref>}}

=== Counterintelligence force protection source operations ===
Attacks against military, diplomatic, and related facilities are a very real threat, as demonstrated by the 1983 attacks against French and US peacekeepers in Beirut, the 1996 attack on the Khobar Towers in Saudi Arabia, 1998 attacks on Colombian bases and on U.S. embassies (and local buildings) in Kenya and Tanzania, the 2000 attack on the ''USS Cole'', and many others. The U.S. military force protection measures are the set of actions taken to protect military personnel and family members, resources, facilities and critical information, and most countries have a similar doctrine for protecting those facilities and conserving the potential of the forces. Force protection is defined to be a defense against deliberate attack, not accidents or natural disasters.
Counterintelligence Force Protection Source Operations (CFSO) are human source operations, normally clandestine in nature, conducted abroad that are intended to fill the existing gap in national level coverage, as well as satisfying the combatant commander's intelligence requirements.<ref name=FM34-60>{{cite web | author = US Department of the Army | title = Field Manual 34-60: Counterintelligence | date = 1995-10-03 | url = https://fas.org/irp/doddir/army/fm34-60/ | access-date = 2007-11-04 }}</ref> Military police and other patrols that mingle with local people may indeed be valuable HUMINT sources for counterintelligence awareness, but are not themselves likely to be CFSOs. Gleghorn distinguishes between the protection of national intelligence services, and the intelligence needed to provide combatant commands with the information they need for force protection. There are other HUMINT sources, such as military reconnaissance patrols that avoid mixing with foreign personnel, that indeed may provide HUMINT, but not HUMINT especially relevant to counterintelligence.<ref name=Gleghorn>{{cite web | last = Gleghorn | first = Todd E. | title = Exposing the Seams: the Impetus for Reforming US Counterintelligence |date=September 2003 | url = http://www.nps.edu/academics/sigs/nsa/publicationsandresearch/studenttheses/theses/gleghorn03.pdf | access-date = 2007-11-02 }}</ref>

Active countermeasures, whether for force protection, protection of intelligence services, or protection of national security interests, are apt to involve [[HUMINT#Basic HUMINT operations|HUMINT disciplines]], for the purpose of detecting FIS agents, involving screening and debriefing of non-tasked human sources, also called casual or incidental sources, such as:
* walk-ins and write-ins (individuals who volunteer information)
* unwitting sources (any individual providing useful information to counterintelligence, who in the process of divulging such information may not know they are aiding an investigation)
* defectors and enemy prisoners of war (EPW)
* refugee populations and expatriates
* interviewees (individuals contacted in the course of an investigation)
* official liaison sources.

{{blockquote|Physical security is important, but it does not override the role of force protection intelligence... Although all intelligence disciplines can be used to gather force protection intelligence, HUMINT collected by intelligence and CI agencies plays a key role in providing indications and warning of terrorist and other force protection threats.<ref>{{cite web |last=US Department of Defense |author-link=United States Department of Defense |title=Joint Publication 1-02 Department of Defense Dictionary of Military and Associated Terms |date=2007-07-12 |url=http://www.dtic.mil/doctrine/jel/new_pubs/jp1_02.pdf |access-date=2007-10-01 |url-status=dead |archive-url=https://web.archive.org/web/20081123014953/http://www.dtic.mil/doctrine/jel/new_pubs/jp1_02.pdf |archive-date=2008-11-23 }}</ref>}}

Force protection, for forces deployed in host countries, occupation duty, and even at home, may not be supported sufficiently by a national-level counterterrorism organization alone. In a country, colocating FPCI personnel, of all services, with military assistance and advisory units, allows agents to build relationships with host nation law enforcement and intelligence agencies, get to know the local environments, and improve their language skills. FPCI needs a legal domestic capability to deal with domestic terrorism threats.

As an example of terrorist planning cycles, the [[Khobar Towers]] attack shows the need for long-term FPCI.
"The Hizballah operatives believed to have conducted this attack began intelligence collection and planning activities in 1993. They recognized American military personnel were billeted at Khobar Towers in the fall of 1994 and began surveillance of the facility, and continued to plan, in June 1995. In March 1996, Saudi Arabian border guards arrested a Hizballah member attempting plastic explosive into the country, leading to the arrest of two more Hizballah members. Hizballah leaders recruited replacements for those arrested, and continued planning for the attack."<ref>{{Cite web | last = Imbus | first = Michael T | title = Identifying Threats: Improving Intelligence and Counterintelligence Support to Force Protection | date = April 2002 | id = USAFCSC-Imbus-2002 | url = http://www.au.af.mil/au/awc/awcgate/acsc/02-059.pdf | archive-url = https://web.archive.org/web/20040302065734/http://www.au.af.mil/au/awc/awcgate/acsc/02-059.pdf | url-status = dead | archive-date = March 2, 2004 | access-date = 2007-11-03 }}</ref>