Spycraft Rebooted: How Technology is Changing Espionage (Kindle Single), page 1
OTHER TITLES BY EDWARD LUCAS
The New Cold War: How the Kremlin Menaces both Russia and the West
Deception: Spies, Lies and How Russia Dupes the West
Cyberphobia: Identity, Trust, Security and the Internet
The Snowden Operation: Inside the West’s Greatest Intelligence Disaster
Text copyright © 2018 by Edward Lucas
All rights reserved.
No part of this work may be reproduced, or stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without express written permission of the publisher.
Published by Amazon Publishing, Seattle
www.apub.com
Amazon, the Amazon logo, and Amazon Publishing are trademarks of Amazon.com, Inc., or its affiliates.
eISBN: 9781503957459
Cover design by RBDA Studio
To C.D.S. and colleagues
CONTENTS
Introduction
Chapter One: Signals and Noises
Chapter Two: The Looking-glass World
Chapter Three: Danger on the Line
Chapter Four: Painting by Numbers
Chapter Five: A Safe Way Out of Moscow
Chapter Six: The Snail’s Trail
Conclusion
ABOUT THE AUTHOR
ENDNOTES
Introduction
The piano player in the canteen barely attracted attention from the masters of revolutionary Petrograd.1 If they bothered to speak to him at all, they would notice nothing unusual in his destitute appearance and accentless Russian. They would toss a few coins towards him, eat their meals and resume their work of hunting down spies and counter-revolutionaries. As civil war raged across Russia, the capital city was rife with informers, and run by a paranoid and ruthlessly violent clique of fanatics. It was the most dangerous place in the world to be a Western spy.
Yet had the Cheka—the Bolshevik secret police—only known, their ultimate foe was sitting among them. Sir Paul Dukes, the greatest intelligence officer in the history of Britain’s MI6, ran a stunningly successful network of agents, wholly undetected in the years after the 1917 revolution. Dukes not only slipped into Russia unnoticed but for many months passed the Communist regime’s most closely guarded secrets to spymasters in London. He did this not while living in the sewers, or skulking in an attic, but hiding boldly in plain sight, as the pianist in the Cheka’s canteen: an excellent place for observation, and one which conveniently rendered him above suspicion or scrutiny.
That required audacity, ingenuity, meticulous attention to detail, and nerves, all of which he had in abundance. But his bosses did not worry about creating a watertight false identity that would enable him to cross the border without arousing suspicion. Nor did they provide him with gadgets and disguises. “C”, as Sir Mansfield Cumming, the first head of the Secret Intelligence Service, was known, told him simply:
As to the means whereby you gain access to the country, under what cover you will live there, and how you will send out reports, we shall leave it to you . . . to make suggestions.i
Modern Russia is a far less frenetic and fearful environment. Yet replicating his achievements nowadays would be harder. The reason—the subject of this book—is technology. The combination of ubiquitous data, limitless storage and formidable processing power make the inconspicuousness which lies at the heart of traditional spycraft risky as never before.
Documents prove our identity. But from the invention of printing until the creation of computerised databases, checking their authenticity was hard. In prisoner-of-war camps, inmates planning their escape would even create identity documents, laboriously, with pen and ink, using whatever paper was available. Even an imperfect forgery had a good chance of passing muster. Imperfections could be the result of careless printing. A suspect document could be checked against a central register, but that was a time-consuming manual process, involving sending telegrams and checking serial numbers. Comparing photographs is even harder: a few people have flukish abilities to remember large numbers of faces, but their talents are too scarce to be used for routine checks.
Dukes therefore needed only a few props, easily purloined or faked, to switch identities smoothly and convincingly. He would clean himself up, put on the right uniform and convincingly impersonate a soldier, party official or secret policeman.
His exploits are still on the curriculum at British and other spy schools. Modern spies study his people skills, survival instincts and grit. But modern technology would make copying his fieldwork insanely risky.
This book highlights the effects of pervasive collection, storage and processing of information about individuals. The result, especially in countries where the authorities have no qualms about breaching individual privacy, is a surveillance system in which spycatchers have a decisive advantage over their targets.
It is still possible to produce a fake identity document which will pass visual examination. That may allow an intelligence officer to check into a hotel, to hire a car or even to board a plane under an alias. But making sure that the forgery will fool computerised scrutiny, such as passport control, is much harder. Where was the document issued? Has it been reported stolen? Is the person to whom it was issued actually dead? All those questions are easier to answer thanks to electronic databases.
ID documents used to have only a photograph. Now they contain other biometric data, such as fingerprints and retina scans. These create huge problems for forgers. You may be able to change the photo in a passport, but can you also change the data on the chip it contains? Cameras and other devices can capture all physical features—not only faces, fingerprints and retinas, but also gait, posture and expressions. Computers can check those details against hundreds of millions of records. A single picture can be enough to identify someone definitively; once stored on a database it is available anywhere, forever.
A formidable array of other checks can also be brought to bear on international travellers. Every twist and turn of modern life leaves a trail of electronic interactions. We leave these digital traces not only with our active communications—phone calls, text messages, emails and social-media posts, but also with our payments and movements. Faking this digital snail’s trail is hard; its absence is deeply suspicious.
As a result, a retired British intelligence officer says ruefully, “Checks that used to take two weeks now take two minutes.” So a latter-day Paul Dukes faces a dilemma. If you cross the border pretending to be someone else, you risk being caught, with unprecedentedly catastrophic consequences (of which more later). If you cross as yourself, then the watchers can look at most of your life history to see who you really are. The slightest sign that your identity is fake, or that you work for an intelligence service, means constant scrutiny for every minute of your time in Russia, China, Iran or whichever other authoritarian society you are trying to spy on. Everything you do is compromised; anybody you meet is in danger.
Few outsiders realise the scale of the revolution technology has brought to the spy world.ii Drawing on dozens of off-the-record interviews with current and former intelligence officers from many countries, this book explains how the changing world of spycraft hampers our own efforts in clandestine and covert operations.2 Conversely, they make us more vulnerable to attack from hostile foreign powers such as China and Russia. It concludes by considering what defensive and offensive measures our democratic, law-governed societies should take in response.
* * *
1 Founded in 1703 by Peter the Great, St Petersburg was renamed Petrograd after the outbreak of the First World War because of anti-German sentiment. The Bolsheviks renamed it Leningrad in 1924, after the revolutionary leader’s death. It reverted to St Petersburg after the Soviet Union collapsed in 1991.
2 A clandestine operation is one where the means and the outcome should remain secret, such as obtaining confidential material from an adversary. In a covert operation, the means should remain secret, but the outcome will become known. Assassination, sabotage and disinformation attacks are all examples of covert work.
Chapter One: Signals and Noises
Espionage involves stealing secrets and getting other people to break promises. It also necessarily means breaking rules, and doing so without getting caught. Get it wrong, and you pay with your career, and the people who trusted you face jail, torture or execution. As the best way not to be caught is never to be noticed, inconspicuousness is the intelligence officer’s watchword. Nobody should see you eyeing up (“spotting”, in espionage parlance) potential sources. Nobody should notice you recruiting them, messaging them, receiving information from them or rewarding them. Nobody should remember you or be able to describe you. Nobody should know (or be able to deduce) anything about you that could link you to your mission, your colleagues, your other sources or your employer. Your actions must be offstage, either in remote, secluded locations, or concealed as random behaviour. You hide your signal in the noise of modern life.
The paradox of modern espionage is that in a world dependent on computers and networks, it has never been easier to be anonymous in the electronic ether, or “cyberspace”. The internet—the central nervous system of modern life—gives huge scope to spies engaged in stealing information from computers and networks, or “hacking”. For mili
For electronic espionage, therefore, the blessings of technology easily outnumber the curses. But in human intelligence, it is the other way round. Secret activity, as explained above, depends on hiding a signal within background noise. That can fail if the adversary identifies your activity, either as an anomaly or as a suspicious pattern. In the era of manual examination, that was costly, laborious and slow. Computers do the same work automatically and instantly. They turn analogue data, such as sights and sounds, into digital data: 1s and 0s. They transmit that information anywhere in the world almost instantaneously, store it at a trivial cost and process it at lightning speed. These capabilities far outstrip the human brain. Cameras and microphones can see and hear better than our ears and eyes. The electronic brain can spot patterns and anomalies better than a human one can. And it never forgets anything.
Computers are also immune to human trickery. Evolution has made us friendly and trusting. We are hard-wired to reciprocate when people do us favours. We like to show off. Exploiting these traits of human nature is at the heart of successful spycraft. “Can you help me?” is one of the most powerful questions in espionage. So is asking a seemingly trivial favour with, “I suppose this would be completely out of the question.” Most people dislike giving a categorical “no” to a polite request. But it can start the target down the slippery slope of cooperation, which ends in recruitment. We can use social tricks to avoid scrutiny too. If you are caught in a building where you have no business, the best tactic is to pretend you are lost and ask for help in finding the exit. You may have to abort your mission, but you are unlikely to be caught.3
In the past, we could rely on our human propensity to trust strangers. A convincing-looking passport, driving licence or other paper document is generally taken at face value. A human glance can check that the picture looks roughly like its holder; an experienced eye may detect a crude forgery. But in the pre-digital age, scrutiny could not go much further.
This was a boon to people planning intelligence operations. As a government agency, a spy service could issue a passport, with any personal details it chose. Visa stamps could easily be added to match the cover story. A retired spymaster recalls having “seven or eight” passports when his career started in the 1960s. The holder of the passport would have to remember the details it contained, such as the date of birth. If the cover story was important or liable to inspection, then a lot more effort would be needed. But for the adversary, making such checks was a slow, hard business. A suspicious spycatcher would have to go to the country concerned and search birth registers to see if someone of that name had actually been born on the day concerned. Even then, the verification was not reliable. Intelligence services are quite capable of using the birth certificates of dead people, or of those with profound mental or physical disabilities who live their lives out of public view. As a Chinese or Russian counter-intelligence officer, you can prove that someone called Edward Lucas was indeed born on 3 May 1962. But is the Edward Lucas who is visiting your country really Edward Lucas?
The only other easy backup was the telephone directory. Edward Lucas’s address (perhaps given on a visa form or hotel registration) can be checked to see if it matches a listed phone number. If it doesn’t, or if that phone number is answered by an Edward Lucas, then the person currently visiting Moscow or Beijing may warrant more probing. But you cannot be certain. Even in the days when landlines were common, not everyone had them. The subscriber might be a friend or housemate. Or the number might be unlisted. And even conducting these checks was cumbersome and risky.
Digital technology changes that. The combination of a camera and a computer can photograph your face, convert the picture into binary numbers and then check a vast database in the blink of an eye. The spycatcher can then tell instantly that the face belonging to the person now claiming to be Edward Lucas in Moscow crossed the border in four other countries in the past five years, each time under a different name and passport. These checks are not failsafe. But as a later chapter will explain, in the risk-averse world of espionage, the increased possibility of being caught marks a daunting change in the operational environment.
* * *
3 To illustrate this, consider this true story from the early 1980s, at a company then known as Westland Helicopters, a British arms manufacturer. Bored night-shift workers had built a small boat in the corner of a workshop, using pilfered lightweight alloys. When the boat was complete, they had to work out how to get it out of the factory. In the dead of night, they began manhandling the craft over a fence in a remote corner of the premises. But a security alarm went off, and the workers found themselves surrounded by guards demanding an explanation. The ringleader of the group, in a flash of inspiration, said that he and his mates had merely been trying to bring the boat over the fence in order to paint it. The guards crossly ordered them to take it away. Technology would not be so easily fooled. Had Westland had CCTV surveillance of its perimeter fence and workshops, every stage in the project would have been easily exposed. The boat would probably never have been built.
Chapter Two: The Looking-glass World
Mia Ash was a beautiful and flirtatious photographer, with a convincing professional profile and a lively presence on social-media and business-networking sites such as LinkedIn, Facebook, Blogger and WhatsApp. The people she befriended—mostly middle-aged men—were flattered and happy to exchange messages with the 30-year-old London-based woman, who listed her relationship status coyly as “it’s complicated”. Which it was: Mia Ash did not exist. She was the creation of an Iranian espionage project nicknamed Cobalt Gypsy, which aimed to plant malicious software, known as PupyRAT, on the computer networks of companies and governments of interest to the Islamic Republic’s spymasters. Her biography was fabricated—mostly copied from other people. Her photo was stolen too.
The fictitious Ms Ash came to light thanks to some detective work by the cyber-security company SecureWorks (a subsidiary of Dell Technologies).iii One of Ms Ash’s friends (a business executive known only as Victim A) downloaded and opened an attachment she had sent to him by email. The file, seemingly an innocuous spreadsheet for a photography survey she was conducting, contained malicious code which would have given outsiders control over any network on which it was allowed to run.
Luckily, Victim A’s company (whose identity has not been published) had software installed which detected and blocked the rogue program before it could do any damage. It alerted SecureWorks, whose investigators then asked Victim A about the source of the file. That led the search to Ms Ash’s electronic presence, which rapidly proved to be fake. Investigators were also able to see revealing patterns in her network of friends. Having befriended prominent photographers to establish credibility, she then targeted middle-ranking male executives in businesses and organisations in the Middle East and the United States.
The episode illustrates one of the profound changes technology has brought to the world of espionage. Victim A did not need to be particularly interesting as an intelligence source. He did not need to know any secrets. The only thing that mattered was that he had access to his company’s computer network. Once PupyRAT was installed there, he could be discarded and forgotten. The Iranian hackers could then move on to the next stage of their operation—perhaps stealing commercially sensitive information from databases—or to new and more important recruitment targets.
Selection of sources is the most important part of any intelligence service’s work. You can be the most persuasive of recruiters, the most solicitous of case officers, the most brilliant of analysts, the most diligent defender of secrecy, the most exemplary manager and the most formidable representative of your service in the rest of officialdom—but if you have the wrong sources of information, your efforts are in vain.
