Permanent Record (47)
I didn’t and they weren’t.
In sum, during my time in the field, the field was rapidly changing. The agency was increasingly adamant that COs enter the new millennium, and technical field officers like myself were tasked with helping them do that in addition to all of our other duties. We put them online, and they put up with us.
Geneva was regarded as ground zero for this transition because it contained the world’s richest environment of sophisticated targets, from the global headquarters of the United Nations to the home offices of numerous specialized UN agencies and international nongovernmental organizations. There was the International Atomic Energy Agency, which promotes nuclear technology and safety standards worldwide, including those that relate to nuclear weaponry; the International Telecommunication Union, which—through its influence over technical standards for everything from the radio spectrum to satellite orbits—determines what can be communicated and how; and the World Trade Organization, which—through its regulation of the trade of goods, services, and intellectual property among participating nations—determines what can be sold and how. Finally, there was Geneva’s role as the capital of private finance, which allowed great fortunes to be stashed and spent without much public scrutiny regardless of whether those fortunes were ill-gotten or well earned.
The notoriously slow and meticulous methods of traditional spycraft certainly had their successes in manipulating these systems for America’s benefit, but ultimately too few to satisfy the ever-increasing appetite of the American policy makers who read the IC’s reports, especially as the Swiss banking sector—along with the rest of the world—went digital. With the world’s deepest secrets now stored on computers, which were more often than not connected to the open Internet, it was only logical that America’s intelligence agencies would want to use those very same connections to steal them.
Before the advent of the Internet, if an agency wanted to gain access to a target’s computer it had to recruit an asset who had physical access to it. This was obviously a dangerous proposition: the asset might be caught in the act of downloading the secrets, or of implanting the exploitative hardware and software that would radio the secrets to their handlers. The global spread of digital technology simplified this process enormously. This new world of “digital network intelligence” or “computer network operations” meant that physical access was almost never required, which reduced the level of human risk and permanently realigned the HUMINT/SIGINT balance. An agent now could just send the target a message, such as an email, with attachments or links that unleashed malware that would allow the agency to surveil not just the target’s computer but its entire network. Given this innovation, the CIA’s HUMINT would be dedicated to the identification of targets of interest, and SIGINT would take care of the rest. Instead of a CO cultivating a target into an asset—through cash-on-the-barrel bribery, or coercion and blackmail if the bribery failed—a few clever computer hacks would provide a similar benefit. What’s more, with this method the target would remain unwitting, in what would inevitably be a cleaner process.
That, at least, was the hope. But as intelligence increasingly became “cyberintelligence” (a term used to distinguish it from the old phone-and-fax forms of off-line SIGINT), old concerns also had to be updated to the new medium of the Internet. For example: how to research a target while remaining anonymous online.
This issue would typically emerge when a CO would search the name of a person from a country like Iran or China in the agency’s databases and come up empty-handed. For casual searches of prospective targets like these, No Results was actually a fairly common outcome: the CIA’s databases were mostly filled with people already of interest to the agency, or citizens of friendly countries whose records were more easily available. When faced with No Results, a CO would have to do the same thing you do when you want to look someone up: they’d turn to the public Internet. This was risky.
Normally when you go online, your request for any website travels from your computer more or less directly to the server that hosts your final destination—the website you’re trying to visit. At every stop along the way, however, your request cheerfully announces exactly where on the Internet it came from, and exactly where on the Internet it’s going, thanks to identifiers called source and destination headers, which you can think of as the address information on a postcard. Because of these headers, your Internet browsing can easily be identified as yours by, among others, webmasters, network administrators, and foreign intelligence services.
It may be hard to believe, but the agency at the time had no good answer for what a case officer should do in this situation, beyond weakly recommending that they ask CIA headquarters to take over the search on their behalf. Formally, the way this ridiculous procedure was supposed to work was that someone back in McLean would go online from a specific computer terminal and use what was called a “nonattributable research system.” This was set up to proxy—that is, fake the origin of—a query before sending it to Google. If anyone tried to look into who had run that particular search, all they would find would be an anodyne business located somewhere in America—one of the myriad fake executive-headhunter or personnel-services companies the CIA used as cover.
I can’t say that anyone ever definitively explained to me why the agency liked to use “job search” businesses as a front; presumably they were the only companies that might plausibly look up a nuclear engineer in Pakistan one day and a retired Polish general the next. I can say with absolute certainty, however, that the process was ineffective, onerous, and expensive. To create just one of these covers, the agency had to invent the purpose and name of a company, secure a credible physical address somewhere in America, register a credible URL, put up a credible website, and then rent servers in the company’s name. Furthermore, the agency had to create an encrypted connection from those servers that allowed it to communicate with the CIA network without anyone noticing the connection. Here’s the kicker: After all of that effort and money was expended just to let us anonymously Google a name, whatever front business was being used as a proxy would immediately be burned—by which I mean its connection to the CIA would be revealed to our adversaries—the moment some analyst decided to take a break from their research to log in to their personal Facebook account on that same computer. Since few of the people at headquarters were undercover, that Facebook account would often openly declare, “I work at the CIA,” or just as tellingly, “I work at the State Department, but in McLean.”