Has the CIA lost their tradecraft mojo? Could the same agency that invented the forerunner to modern devices like the BlackBerry and iPhone lose dozens of spies in multiple countries from 2009 to 2013 through something as simple as a Google search? The terrifying answer is yes.
It would be far easier to understand the devastating losses if it had truly been something you could have found in a movie – some fabulous invention dreamed up by a brilliant criminal mastermind seeking to defeat his James Bond. But it wasn’t.
The catastrophic failure resulted in the loss of agents inside both China and Iran. According to one senior intelligence official, “We’re still dealing with the fallout. Dozens of people around the world were killed because of this.”
The failure was predicted, identified and reported in 2006 by a government contractor named John Reidy.
Reidy highlighted significant vulnerabilities in the covert communications system and determined that “…upwards of 70 percent of our operations had been compromised.” This was in 2006. Instead of fixing the flaws, and protecting CIA assets using the system, the CIA removed Reidy from his contract after he warned about “anomalies in our operations and conflicting intelligence reporting that indicated several of our operations had been compromised.”
According to a heavily redacted appeal to the CIA Inspector General, Reidy told them “Our method of operation made no sense but now it placed our officers in jeopardy. [REDACTED]. It was a recipe for disaster. We had a catastrophic failure on our hands that would ensnare a great many of our resources.”
Reidy had no way of knowing at the time how accurate his assessment was going to be.
Instead of fixing the problems, the CIA apparently buried them in typical intelligence community style. Reidy wrote in his appeal “[Center] insisted that we document the most damaging information in restricted handling channels... While restricted handling provides greater protection for certain cases, it is a widely known practice to ‘hide’ damaging information in these files due to their restricted access and limited number of people who can view the files. This information was intentionally meant to be buried by the individuals who had the most to lose by their blundering.”
It wasn’t just the information that got buried. More than 30 people – it’s unclear exactly how many, in Iran, Lebanon, and China – who had put their lives on the line to commit treason against their home country literally got buried because of these flaws.
Iran was the first country to unwind the CIA’s asset network. They did it through simple deduction. When the existence of a secret underground enrichment facility was announced by the Obama administration in September of 2009, it sealed the fate of the covert communications system and the assets who used it to supply that information.
Working backwards from who knew the secret information, the mole hunt zeroed in and found its targets. Running a double agent back against the CIA, the covert communications system using fake corporate websites was discovered. This was announced on Iranian television with little fanfare. According to an ABC News report at the time, “In Iran, intelligence minister Heidar Moslehi announced in May that more than 30 U.S. and Israeli spies had been discovered and an Iranian television program, which acts as a front for Iran's government, showed images of internet sites used by the U.S. for secret communication with the spies.”
From there a simple Google search uncovered all of the other sites being used by the CIA. Using a string of specific identifiers unique to the newly discovered site, it was child’s play to find the rest.
As Zach Dorfman and Jenna McLaughlin for Yahoo News put it: “U.S. intelligence officials were well aware of Iran’s formidable cyber-espionage capabilities. But they were flabbergasted that Iran managed to extirpate an entire CIA spy network using a technique that one official described as rudimentary — something found in basic how-to books.”
I had the honor of being interviewed as part of a documentary on Iran called “True Iran – The Global Jihad.” I warned back then: “Any nation smart enough to build nuclear weapons is smart enough to conduct offensive cyber operations.” I should have included rudimentary Google searches in that description.
It appears Iran shared its discovery with China during 2011. As a result, dozens more spies were rounded up and killed. In China, an interim covert system was used with newly identified assets, just in case they were unreliable or Chinese double agents. The theory was that if the ‘throwaway’ system was detected, it would not compromise the main system used for trusted assets. In theory that should have worked. But it didn’t.
China rolled up so many agents in such a short time that the CIA formed a special task force with the FBI to find out what went wrong. One of the technical approaches was for the FBI and NSA to conduct penetration tests, a method of examining a network the way an adversary would in order to find vulnerabilities.
The penetration test was successful, much to the horror of the CIA. It was discovered that the interim system connected back by design to the CIA’s main covert communications system. The firewall that was supposed to protect the separate systems and keep them separated had a hole big enough to march the entire Chinese People’s Liberation Army through. The Chinese willingly obliged and destroyed a network that had taken years to develop.
The hubris and misplaced belief that a system designed by the CIA was impregnable contributed to the deaths of many and set back our espionage efforts by years, if not decades.
The lack of accountability, and firing of John Reidy, in order to cover up gross negligence only made the problem worse.
And worst: It all could have been prevented.
The time to do a penetration test is not after you’ve lost over thirty agents. It’s when a trusted and vetted American raises the red flag and tells you there’s a problem. If the CIA had any concerns over how to conduct a proper penetration test, they simply could have Googled it.
Morgan Wright is an expert on cybersecurity strategy, cyberterrorism, identity theft and privacy. He previously worked as a senior advisor in the U.S. State Department Antiterrorism Assistance Program and as senior law enforcement advisor for the 2012 Republican National Convention. Follow him on Twitter @morganwright_us.