Despite the use of increasingly advanced technical means, the deception, duplicity, and betrayal of espionage are a human problem that requires a human solution. 

By John Irvin, NOIR Team

In all, around 3.6 million individuals were impacted by two breaches of Office of Personnel Management (OPM) electronic databases, one announced in June 2015 and the second just a month later.  In the two attacks, hackers made off with the sort of information that could be used not only to identify individuals holding US government security clearances, but also perhaps to reveal private, exploitable vulnerabilities.

To a hostile foreign intelligence service (think Russia’s SVR or Iran’s MOIS), vulnerabilities are the all-too-human problems – financial, health, family, or whatever – that would make a person more inclined to accept an offer to betray his or her country and reveal classified information.  The attacks were subsequently attributed to hackers likely working on behalf of the Chinese government.[1]

On the private side, hackers recently broke into and stole the client list of the adultery-oriented website Ashley Madison.  Perhaps not surprisingly, when the list was made public it was found to include hundreds of government employees.[2]  So far that hacking doesn’t appear to be linked to any foreign government or intelligence service.  It does demonstrate, however, that a government employee’s online activities outside of work may also be subject to unexpected compromise.  For those holding security clearances, it’s something more than just embarrassing.

In the meantime, an August 2014 report by the internet research company Gartner estimated that global information security spending would increase by 8.2 percent in 2015 to reach a total of $76.9 billion.[3]  Hardly a day passes without a newspaper or online article announcing a new organization or project created to address the seemingly unstoppable threat from foreign government or private hackers.

No less an authority on data theft than NSA-leaker Edward Snowden made a point of claiming in a May 2014 interview, “It’s no secret that the US tends to get more and better intelligence out of computers nowadays than they do out of people.”[4]  The obvious conclusion would be that what works for the US also works for other countries, private organizations, and skilled individuals.

If Snowden is right, that the way to get “more and better intelligence” (i.e., secrets) is by hacking into computers rather than the traditional, lengthy and often dangerous practice of recruiting human beings, so-called “insider spies,” what does that say about the future of espionage?

While seemingly unlimited, in reality US intelligence resources are finite.  Where should they focus their collection and counterintelligence efforts?  Who needs George Smiley when you can get “more and better intelligence” from an army of hackers?  Who needs a gun-toting, martini-drinking James Bond when a slight, bespectacled, unnoteworthy IT contractor can walk away with 1.7 million classified documents?

In short, is old-fashioned espionage passé?  Are we witnessing the twilight of the insider spy and his or her clandestine agent handler?

The sheer magnitude of the information lost in recent computer hacking attacks, the overwhelming volume of media reports on cyber security issues, and the huge sums of money being spent by governments and private industry to protect their electronic databases could certainly lead one to that conclusion.

That conclusion, however, would be wrong.  Despite the inclination of the technically-minded to remove the messy human element from the espionage equation, psychology suggests otherwise.  Cyber-attacks on secure systems are a very real danger that has already resulted in significant damage to national security.[5]  Every reasonable effort should be made to counter this threat.

Nevertheless, to assume that computers will somehow replace humans as the most important target for intelligence collection is not so much a revelation as simply a reflection of the quirky way humans think.  One issue is the availability heuristic.  This is a cognitive bias that relies on immediate examples that come to mind when evaluating a specific topic, concept, method or decision, and operates on the notion that if something can be recalled, it must be important, or at least more important than alternative solutions which are not as readily recalled.[6]

The availability heuristic is also the reason why we think the world is going to hell in a handbasket after watching the evening news.  If the only news you hear is bad news (and good news tends not to make headlines or broadcasts), you’ll assume that’s all there is.  If the only espionage you hear about is cyber, you’ll assume that’s all there is as well.  Amidst all the clamor and activity, the insider spy is still sitting there, silent and unseen.

Another problem is a human knack for confusing the means with the motivation.  Snowden’s comment that “…the US tends to get more and better intelligence out of computers nowadays than they do out of people” is akin to the famous, but ultimately false, quote attributed to career bank robber Willie Sutton.  When asked why he robbed banks, Sutton was reported to have replied, “Because that’s where the money is.”[7]  Why do hackers attack secure databases today?  How can data thieves abscond with so much information from computers?  Because that’s where the secrets are.

Still, there’s a problem with this logic that becomes clear when Snowden’s comment is backdated to the year Alvin Toffler first warned us that technology advances at a rate faster than our human ability to adapt to it.[8]  Speaking in 1970, a Snowden equivalent would have stated, “It’s no secret that the US tends to get more and better intelligence out of filing cabinets nowadays than they do out of people.”  In other words, what we’re witnessing isn’t a paradigm shift in the practice of espionage so much as another example of our recurring failure to fully assess the consequences of adopting new technologies.

We will, after considerable time and effort and with inevitable failures, fix the problem of cyber espionage.  It’s a technical problem that will eventually find a technical solution.  When that happens some parties will still be predictably shocked that all the expense and effort does not bring about an end to espionage.  That’s because, despite the use of increasingly advanced technical means, the deception, duplicity, and betrayal of espionage are a human problem that requires a human solution.  Snowden was wrong – espionage is about people, not computers.  It always has been.

Perhaps a more useful insight comes from Willie Sutton himself, who attempted to correct the record by writing in his own biography, “Why did I rob banks?  Because I enjoyed it.  I loved it.  I was more alive when I was inside a bank, robbing it, than at any other time in my life.  I enjoyed everything about it so much that one or two weeks later I’d be out looking for the next job.  But to me the money was the chips, that’s all.”  In all likelihood the same might be said of the hacker or data thief working independently or on behalf of a government or some organization.  Espionage is a profoundly human activity.

The problem with focusing almost exclusively on cyber espionage is that it takes away resources from the continuing, if less high-profile (for the moment) problem of insider espionage.  For a fraction of the money being spent on cyber solutions, a National Office for Intelligence Reconciliation (NOIR) could be established based on the theories developed by Dr. David Charney regarding the True Psychology of the Insider Spy.[9]  Technology has continually changed throughout history.  The one constant is the human mind, the way we think, which is ultimately the source of all acts of espionage.  We should not lose sight of that.

In the meantime, insider spies are currently sitting in cubicles or walking the hallways of government or the many private contracting firms supporting federal agencies.  In a bureaucracy as vast as the US government, it is naive or delusional to suggest they aren’t there.  They are no doubt somewhat comforted by the focus on cyber espionage, since it shifts focus away from them.  The better informed among them know that despite the best tradecraft on their part or that of their handlers, they live a precarious existence.  Most insider spies are ultimately exposed by another insider spy working for the opposition.

So when, during a staff meeting or at lunch with colleagues, the conversation turns to cyber espionage, it’s understandable that a slight, knowing grin, unnoticed or disregarded by bosses and co-workers, emerges on the Janus face of the insider spy.  In the swirling, conspiratorial mind that lies hidden beneath an innocent veneer, he or she relaxes somewhat, enjoying the fact that the heat is off, at least for now.

Notes

[1] http://www.nationaljournal.com/tech/2015/07/09/OPM-Announces-More-Than-21-Million-Affected-Second-Data-Breach?mrefid=related

[2] http://bigstory.ap.org/article/065953e72e9649e0bc6efb69b06295ed/evidence-infidelities-spreads-online-wake-hack

[3] http://www.gartner.com/technology/why_gartner.jsp

[4] http://time.com/121231/edward-snowden-interview/

[5] Computer Spies Breach Fighter-Jet Project, WSJ, April 21, 2009; Pentagon Official Says Flash Drive Used in Classified Cyberattack, AoL News, August 25, 2010.

[6] Esgate, Anthony; Groome, David. An Introduction to Applied Cognitive Psychology. Psychology Press (2005).

[7] Sutton W, Linn E. Where the Money Was: The Memoirs of a Bank Robber. Viking Press (1976).

[8] Toffler A. Future Shock. Random House (1970).

[9] https://noir4usa.org/noir-papers/noir-white-paper/

1 Comment

  1. The growth of the cyber arena as a venue for espionage has increased, not decreased, the threat of the insider. Yes, it is true that lapses in computer security and the continued use of poor operating systems are a major cause of weakness in the USG’s information infrastructure, and allow attacks from outside. But now the most serious threat may be the “CYBER-INSIDER,” a person such as Snowden who is recruited by a foreign and hostile intelligence service, and uses their inside access to information systems to steal information. What the growth of information systems has done is to simply magnify the damage that an insider can do.
