At the CIA, a fix to communications system that left trail of dead agents remains elusive
More than five years after a major failure was identified in a system used to communicate with CIA agents on the ground around the world, the agency has yet to fully fix the problem, according to sources directly familiar with the matter.
Between around 2009 and 2013, the CIA’s online method of communicating with its human sources on the ground all over the world was tragically compromised — leading to the exfiltration, imprisonment or death of dozens of people spying for the agency, according to a November investigation by Yahoo News.
The failure started when Iranian officials used a double agent to trace back a series of websites the CIA was using to communicate with its sources. Iran then located, detained and in some instances executed CIA sources it identified using this system. The problem then spread to China, where roughly 30 CIA sources were eventually executed. Once Iran and China were able to locate users of these covert CIA platforms in their own countries, sources told Yahoo News, they were very likely able to discover a large number of CIA sources using similar systems worldwide.
But the fallout from that disaster, including internal battles at the CIA and struggles to replace and fix a complex web of interlocking technical systems, continues to rage on to this day, according to five former intelligence community sources familiar with the matter.
The CIA declined to comment for this piece.
Because of the scope of the problem, fixing it was also a staggering task. It’s not just “a single flawed system that needed to be fixed,” according to one former CIA official. “It was a universe of systems.”
The issues with internet-based covert communications systems cannot be fully solved piecemeal and will require an immense allocation of resources. “A patch won’t solve the problem,” said one of the former officials. “We’re not talking about billions of dollars, we’re talking about hundreds of billions of dollars to fix” these systems.
A second former official was more charitable, arguing that while the problem is not entirely solved, “there’s been major improvement” in the communications system. But, the source added, “it doesn’t serve everyone equally.”
As a result, many who are directly responsible for working with sources on the ground within the CIA’s Directorate of Operations are furious, said a former official who was more critical about the agency’s progress.
The fiascos in Iran and China continue to be sticking points between the Directorate of Operations and the CIA’s Directorate of Science and Technology (DS&T) — the technical scientists. “There is a disconnect between the two directorates,” said one former CIA official. “I’m not sure that will be fixed anytime soon.”
The CIA’s website says that the agency is wholly in charge of “providing secure communications for CIA assets.” But the agency acquires its cutting-edge tech through multiple channels, including through contracts with defense companies. It also invests money in startups through In-Q-Tel, the CIA’s nonprofit venture capital wing.
The agency does some in-house research and development within DS&T, which houses many of the CIA’s tech experts, who often work directly with external defense contractors developing technology to fit agency needs.
Former intelligence officials described longstanding tensions between the two directorates, as well as dysfunction within DS&T itself. DS&T’s budget has grown tremendously, said one former official, and the division was known for “wasting a lot money over the years.”
A deeper issue was the lack of congruence between the covert communications platforms and the actual stated needs of CIA officers in the field, said former officials. DS&T employees, who seemed intent on “empire building,” had a “take it or leave it’ attitude,” said one former senior official.
However, introducing technology into sensitive operations is always risky, particularly in countries like Iran where the United States doesn’t have a dedicated diplomatic presence. Internet-based covert communications provide sources the opportunity to hide in plain sight, using innocuous seeming websites — but the systems are inherently less secure and prone to exposure, especially in placed where the internet is heavily surveilled.
Even under the best of circumstances, said one former senior official, internet-based communications systems create counterintelligence challenges. CIA agents using the system were supposed to conduct “electronic surveillance detection routes” — that is, to bounce around on various sites on the internet before accessing the system, in order to cover their tracks — but often failed to do so, creating potentially suspicious patterns of internet usage, said this person.
Entire careers in the CIA’s Office of Technical Service — the part of DS&T directly responsible for developing covert communications systems — were built on these internet-based systems, said a former senior official. Raising concerns about them was “like calling someone’s baby ugly,” said this person.
Distrust also built up over DS&T’s perceived lack of truthfulness about its own capabilities, or that of its contracting partners. DS&T has a “nasty habit” of overpromising and underdelivering, said the same former official. “In official traffic they say, ‘Yes, we can do that.” But over direct message, they’d say, ‘We can’t.’”
In the case of the initial covert communications failure in Iran, contractors were deeply involved in the mission, including locating and targeting specific sources on the ground that the CIA might recruit. John Reidy, a contractor with Virginia defense company SAIC, was one such employee. In 2008, he blew the whistle on concerns that a massive technical failure might occur.
His complaints were not heeded for several years.
The reliance on major defense contractors within the Pentagon and the intelligence community is a controversial one. The Congressional Research Service examined the issue in 2015 following former NSA contractor Edward Snowden’s leak of a large cache of internal classified documents on global surveillance. Among other concerns, CRS cited the risk that the government may not have “sufficient capacity to monitor contractor employees who perform critical functions” and may “run the risk of ceding control over their mission and operations to contractors.”
Problems with complex technical systems are nothing new in the national security community. But typically when those problem occur in unclassified Pentagon contracts, they are publicized, like with a $5 billion intelligence fusion network acquired by the U.S. Army that at one point was deemed “not survivable” or “effective.”
But when problems occur with classified contracts, the issues tend to stay under the radar.
“They keep paying shitty defense contractors” to work on covert communications and other projects, said one of the sources.
The problem is also potentially larger than just the CIA, said one former senior intelligence official. In the past, the Defense Clandestine Service, the Defense Intelligence Agency’s covert human-intelligence gathering arm, has employed CIA-developed internet-based covert communications platforms, as has the United Kingdom’s Secret Intelligence Service during joint operations conducted with the agency, said this person.
At the CIA, it’s unclear whether the exposure of the failure will lead to any major changes. However, CIA Director Gina Haspel spent decades undercover in the Directorate of Operations and has spoken about the near sacred place human sources hold for her and the agency.
“Within the intelligence community, CIA is the keeper of the human intelligence mission. Technical forms of collection are vital, but a good human source is unique and can deliver decisive intelligence on our adversaries’ secrets — even their intent,” she said during a speech at the University of Louisville in Kentucky in September.
One longstanding proposal has been to put the Office of Technical Service under the direct authority of the Directorate of Operations — a move resisted by DS&T, said a former senior official. The same former official also decried shortfalls among the agency’s technical staff. “We used to recruit tech officers from a variety of fields,” said this person. “And the agency would produce its own COVCOM [covert communications] systems in-house. We’d test it there. In denied areas, we had special systems.”
These systems were not internet-based, said this person, and functioned more like “electronic dead-drops.”
Now, said this person, tech officers “only know about computers.” The ease of using these online systems lulled people into false confidence about their security, said former officials.
Additionally, it’s possible congressional investigators could again take up the mantle to oversee the ongoing procurement process and the effectiveness of the technology in use overseas to communicate with sources.
But with the investigation into Russian electoral interference dominating the agenda of the oversight committees, they’re unlikely to pursue the matter aggressively, said one former senior intelligence official.
“Heads should roll because of this,” said this person. “Agents were killed. But to protect people’s careers and egos, we buried counterintelligence problems.”
Read more from Yahoo News:
Trump asks why Mueller hasn’t interviewed ‘hundreds’ of campaign staffers
George Conway: Republican Party has become a ‘personality cult’ under Trump
Trump administration defends asylum crackdown after judge’s ruling
An American killing: Why did the U.S. Park Police fatally shoot Bijan Ghaisar?
Cory Booker: I will ‘take some time over the coming months’ to consider 2020 bid