The DNI Report: What is Missing?

national security, espionage, counterespionage, counterintelligence, c. constantin poindexter

It should come as no surprise in the current polarized political climate that certain threats to U.S. national security are omitted, some overly emphasized and others included but not given a more thorough review. Ironically (or perhaps not so ironically), the threats that are omitted or under-addressed are the very ones exacerbated by current Administration policies. The current DNI report [unclassified version] contains no surprises; however, there are some perils that decidedly lack the attention they deserve. I’ll be brief.

The weaponization of artificial intelligence against the U.S. population poses an existential threat to the nation, one we are not appropriately prepared for. The assessment identifies China’s AI capabilities in surveillance and disinformation, but underestimates the dangers posed by AI-generated disinformation and psychological operations targeting U.S. elections, civil cohesion, and trust in institutions. Synthetic media (deepfakes) at scale are unaddressed and present a very real menace. FIEs that excel in producing these fakes could fabricate major geopolitical incidents and/or falsely incriminate U.S. leaders. This is a “real-world crisis” scenario. Further, in our rush to build up our own AI capability, models trained on U.S. data expose us to having those models turned back against us in warfare, negotiation, or economic manipulation. The DNI offers no significant discussion of how adversaries might use advanced LLMs and multi-modal AI to undermine decision-making at every level of our communities, from individual voters and first responders to senior policymakers.

There is a significant danger of the collapse of U.S. domestic infrastructure due to political paralysis and sabotage. The DNI identifies cyber threats to infrastructure (e.g., water, healthcare); however, the report understates the systemic vulnerability of U.S. infrastructure to non-digital threats such as aged and neglected critical systems (e.g., bridges, power grids, water systems) and insider sabotage by ideologically motivated actors. White supremacist factionists and extremists like Timothy McVeigh come immediately to mind. Political paralysis and corruption that prevent modernization or resiliency efforts are the final ugly nail in the proverbial coffin. The loss of national security expertise as a result of wholesale firings/layoffs, and the sidelining of individuals with decades of tradecraft and professional expertise based on party adherence, is a very real threat. The assessment fails to meaningfully consider how polarization and our legislature’s unwillingness to work together are making the U.S. increasingly incapable of protecting or restoring its critical infrastructure after an attack or natural disaster. Don’t think for a moment that Chinese, Russian, Iranian and North Korean FIEs are failing to perceive these vulnerabilities that they can exploit.

Espionage, subversion and other nefarious covert operations against the U.S. and its interests via foreign investment and big-corporate influence are absent. There is really no excuse to omit identification and discussion of how “big money” has affected national security at every level, as, even to a layperson, it is occurring in plain view. China’s cyber espionage and technology theft are addressed in depth, but why are foreign ownership of and influence in U.S. strategic sectors, including agriculture, pharmaceuticals, real estate near sensitive military sites and AI startups, left alone? The use of shell corporations and fronting arrangements to embed operatives and proxies within sensitive sectors and policy circles is a serious threat as well. Strategic acquisition of distressed U.S. companies post-COVID by entities linked to FIEs is a mechanism and vehicle for subversion, espionage and sabotage. A brief look at our own history since the end of WWII reveals how effective and insidious these methods are, perhaps presenting a greater danger than cyber-attacks because they provide our adversaries deep access, deniability and strategic gain that will serve them well for decades. Fragmented, ‘bull in a china shop’ cancellation of funding, paired with broken inter-agency oversight, is extremely problematic.

Do better.

The Peril of the Pentagon’s Russian Cyber Defense ‘Stand Down’ Order

cyber, cyber operations, cyber threat, espionage, counterespionage, counterintelligence, russia

If it doesn’t frighten you, it should. “The Trump administration has ordered the United States to end offensive cyber operations targeting Russia, . . .” (US News, Mar. 2025) Russia, or more particularly the Russian FIE, poses a grave threat to U.S. national security. Threats posed by this state actor and its state-supported proxies are grave both in terms of capability and intent. Russia has consistently demonstrated its capacity to execute sophisticated cyber operations targeting governments, corporations, critical infrastructure and individuals. The perils are multi-dimensional, including espionage, cyber warfare (or “war in the grey”), information operations, subversion, ransoming and economic disruption. Examples of Russia’s malign and nefarious cyber activity are plentiful; however, recently the U.S. and Ukraine seem to enjoy the brunt of Putin’s ire. Here are some points to consider:

1. State-Sponsored Cyber Warfare

  • Russia’s GRU Unit 74455, a/k/a “Sandworm”, conducts offensive cyber operations, often targeting the critical infrastructure of the U.S., its allies and shared economic interests.
  • The 2017 NotPetya attack caused over $10 billion in global damages, hitting Maersk, FedEx, and other major commercial concerns. This malware was designed to penetrate a particular accounting software package used in Ukraine. While not specifically targeting the U.S., the global fallout of NotPetya getting into the wild is instructive. In financial terms, it was among the greatest events of “collateral damage during war” ever recorded.
  • Russian hackers have targeted Ukraine’s energy sector repeatedly. They have demonstrated a clear ability to take down critical infrastructure. Evidence of Russian FIS penetration of U.S. utilities, likely in search of weaknesses to exploit or to leave ‘back doors’ for future exploitation, has also been detected. Notably, Dragonfly 2.0, a Russian state-sponsored hacking group (also known as Energetic Bear), successfully infiltrated U.S. energy sector systems, including nuclear power plants.

2. Cyber Espionage

  • Groups like APT29 (Cozy Bear) and APT28 (Fancy Bear), linked to the Russian FIE, have hacked into government agencies. They have repeatedly compromised U.S. official networks. The SolarWinds penetration in 2020 is instructive.
  • Ongoing efforts to steal classified or proprietary information from the defense, aerospace, and technology sectors save Russia billions in research and development. From 2020 to 2021, Russian hackers compromised multiple U.S. defense contractors that provide support to the Department of Defense (DoD), U.S. Air Force, and Navy. APT28 (“Fancy Bear”) stole information related to weapon systems, including fighter jet and missile defense technologies, communications and surveillance systems, and naval and space-based defense projects.

3. Election Interference & Disinformation

  • Russia has weaponized social media. Troll farms such as the Internet Research Agency and, more recently, AI-home-cooked content spread disinformation and misinformation to massive audiences.
  • Russian cyber actors hacked the DNC and Clinton campaign, leaking emails via WikiLeaks in efforts to subvert the U.S. political process.
  • Operation “Project Lakhta” was ordered directly by Vladimir Putin. This was a “hacking and disinformation campaign” to damage Clinton’s presidential campaign.
  • The Justice Department seized thirty-two internet domains used in Russian government-directed foreign malign influence campaigns (“Doppelganger”).

4. Ransomware & Financial Cybercrime

  • Russia harbors cybercriminal groups like Conti, REvil, and LockBit, which launch ransomware attacks on U.S. hospitals, businesses, and municipal corporations.
  • Many ransomware gangs operate with tacit Kremlin approval—as long as they don’t target Russian entities. For instance, REvil’s malware is designed to avoid systems using languages from the Commonwealth of Independent States (CIS), which includes Russia. This evidences a deliberate effort to steer clear of Russian entities.

5. Potential for Cyber Escalation

  • Russia has declared NATO and the West as its “main enemy”. The risk of cyber retaliation is real. Russia has the capability to conduct supply chain attacks, disrupt banking systems, and interfere with military communications.
  • In 2020, Russian state-sponsored cyber actors compromised the software company SolarWinds, embedding malicious code into its Orion network management software. This supply chain attack affected approximately 18,000 organizations, including multiple U.S. government agencies and private sector companies. It was a surveillance mechanism that allowed Russia to monitor internal communications and exfiltrate sensitive data from the software’s users.
  • In 2008 Russia deployed specialty malware (“Agent.btz”) which penetrated the U.S. Department of Defense’s classified and unclassified networks. The breach, considered one of the most severe against U.S. military computers, led to the establishment of U.S. Cyber Command to bolster cyber defenses.

Conclusion

The Russian cyber threat is persistent, evolving, and highly strategic. The West has cyber defenses and deterrence strategies in place (such as sanctions and counter-hacking operations); however, the current Administration’s order to terminate much of that effort cripples U.S. national security.

Quick to react to reporting of the DoD’s posturing, the Cybersecurity and Infrastructure Security Agency (CISA) tweeted, “CISA’s mission is to defend against all cyber threats to U.S. Critical Infrastructure, including from Russia. There has been no change in our posture. Any reporting to the contrary is fake and undermines our national security.” Comforting; however, the words of a confidential source within CISA paint a different picture. “A recent memo at the Cybersecurity and Infrastructure Security Agency (Cisa) set out new priorities for the agency, which is part of the Department of Homeland Security and monitors cyber threats against US critical infrastructure. The new directive set out priorities that included China and protecting local systems. It did not mention Russia, . . . analysts at the agency were verbally informed that they were not to follow or report on Russian threats, even though this had previously been a main focus for the agency.” (Guardian, Mar. 2025)

Russia is one of our most aggressive cyber adversaries, as well as being recognized by most nations as a ‘cyber threat pariah’ (most vocally by NATO, the EU and the U.N.). Given the President’s position on Russia, it’s impossible to say that the U.S. continues to harden critical infrastructure, surveil Russian FIE cyber efforts and accomplish effective countermeasures. Russia’s offensive cyber capabilities will remain a major security challenge for the foreseeable future. The question is, are we willing to handicap our efforts to meet our adversaries with robust cyber capability, or will we simply turn our heads away?

The Challenge of Spying on China

spy, spies, espionage, counterespionage, intelligence, counterintelligence, carlyle poindexter, constantin poindexter

The WSJ article on Wednesday (Challenge of Spying on China) is a sad reminder of the United States Intelligence Community’s apparent failure to accomplish any broad covert or clandestine penetration of the People’s Republic of China (PRC) in recent history. The lack of human intelligence (HUMINT) sources with meaningful access and placement deprives us of insight into Chinese decision making and immediate strategic threat intelligence and, perhaps more importantly, gravely impairs U.S. offensive counterintelligence operations.

Moving beyond the obvious difficulties with HUMINT operations within the PRC, reminiscent of the Cold War’s hostile operational environments, the Intelligence Community is overdue for a paradigm shift in human asset recruitment methodology. For the better part of the last century, the United States Intelligence Community relied on a steady flow of “walk-ins”, volunteers from opposing foreign intelligence services or governments who offered their countries’ secrets. Intelligence officers enjoyed a large degree of success based on a fairly global perception that Americans were the “good guys”, representatives of the land of fairness, equality and justice, qualities that stood in stark contrast to the ruthless and despotic republics from whence the walk-ins came. Unfortunately, the mystique has faded, leaving outsiders to wonder if the values that we promote to the world are nothing more than a hypocritical farce. Mass diffusion of the “Big Lie” throwing fair elections into question, an attempted coup d’état by an outgoing president, and military involvement under highly questionable intelligence assessments erode the view once held that the United States is the “shining beacon to the oppressed”.

Chinese citizens enjoy a better standard of living than at any time in China’s history. China can rightfully boast that it is a world power, and its population can justifiably be proud of its progress. Personal financial success and pride in country promote loyalty. That there is no broad internal rejection of onerous mass surveillance, social credit controls and ethnic cleansing, as is the case with the Uyghurs, is a testament to the PRC’s ability to deny facts, deceive its population and prevent the import of non-PRC-approved “truths” about freedom and justice within China. The Chinese cultural tendency to identify with the collective rather than the individual is likewise amplified by the PRC’s massive social control machine, with opposing or antagonistic perspectives effectively blocked by the Great Firewall or simply drowned out of public discourse by the volume of Party-approved propaganda. The PRC’s strategy has created an environment that is more resistant to traditional intelligence recruitment techniques such as economic coercion, ideology exploitation and ego-stroking. Chinese intelligence service recruiters lean on the cultural affinity of ethnically Chinese people living in the United States to turn them into spies, coerce them by alluding to what might become of their families living in China, or deploy the time-tested technique of guanxi to achieve intelligence asset recruitments. United States intelligence officers do not enjoy a parallel or equivalent.

FBI Director Wray stated, “We’ve now reached the point where the FBI is opening a new China-related counterintelligence case about every 10 hours.” The threat is grave and our twentieth-century countermeasures, techniques and tradecraft are not appropriate for what many in the Intelligence Community deem the greatest threat to United States national security. Retooling, reimagining the intelligence recruitment cycle and modernizing the way that we approach the recruitment of sources is imperative.

Iran Cyber Operations Target Utility Infrastructure

cyber, cyber operations, espionage, counterespionage, counterintelligence, cyber defense, CISA, countermeasures, constantin poindexter

Per the U.S. Cybersecurity and Infrastructure Security Agency (CISA), “Since at least November 22, 2023, these IRGC-affiliated cyber actors have continued to compromise default credentials in Unitronics devices. The IRGC-affiliated cyber actors left a defacement image stating, “You have been hacked, down with Israel. Every piece of equipment ‘made in Israel’ is CyberAv3ngers legal target.” The victims span multiple U.S. states. The authoring agencies urge all organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate the risk of compromise from these IRGC-affiliated cyber actors.” (CISA, 12/01/2023)

The penetrations were aimed at critical utilities, in the present case U.S. water and wastewater treatment infrastructure. Per CISA, “Beginning on November 22, 2023, IRGC cyber actors accessed multiple U.S.-based WWS facilities that operate Unitronics Vision Series PLCs with an HMI likely by compromising internet-accessible devices with default passwords. The targeted PLCs displayed the defacement message, “You have been hacked, down with Israel. Every equipment ‘made in Israel’ is Cyberav3ngers legal target.” The Water and Wastewater Systems Sector (Water Sector) underpins the health, safety, economy, and security of the nation. It is vulnerable to both cyber and physical threats.” The warning is instructive. The fallout from a successful compromise of public water systems can be severe. Andrew Farr warns, “The imagination can run wild with worst-case scenarios about what a threat actor could do to a water system, but Arceneaux explains that sophisticated actors could hack a system and manipulate pumps or chemical feeds without the utility even knowing they were in the system. They could also create a water hammer that could lead to cracked pipes or release untreated wastewater back into a source water body. What if that happens [to a water system] in a medium or a big city? Maybe it’s only for a few hours, but it could go on for a few days or weeks, depending on how extensive the damage is.” (Farr, WF&M, 04/11/2022) Darktrace reports the very real consequence of a successful water system compromise. “Earlier this month, cyber-criminals broke into the systems of a water treatment facility in Florida and altered the chemical levels of the water supply.” (Matthew Wainwright, Darktrace) If potable water delivered to consumers contains dangerous contaminants or improper balances of the “good” chemicals blended into the product (fluoride, chlorine, chloramine, etc.), it can cause negative health effects. Gastrointestinal illness, nervous system damage, reproductive system damage, and chronic diseases such as cancer are very real risks associated with the same.
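The two conditions CISA describes, an internet-accessible device and a vendor default password still in place, are exactly what an operator can audit for in an asset inventory before an adversary does. As an added illustration (not part of the original post and not CISA’s or any vendor’s code), the following Python audits a constructed inventory for those exposures and for remote access that bypasses a VPN with MFA; the inventory schema, asset names and addresses are assumptions, and the remediation text paraphrases the kind of mitigation the advisory calls for.

```python
"""Audit an OT asset inventory for the exposures described above: internet-reachable
PLC/HMI management interfaces, vendor default credentials still in use, and remote
access that does not go through a VPN with multi-factor authentication.
The inventory below is constructed for illustration; its schema is an assumption."""
from ipaddress import ip_address

# Constructed sample inventory (assumed field names; addresses are RFC 5737 documentation ranges).
INVENTORY = [
    {"asset_id": "plc-01", "vendor": "Unitronics", "model": "Vision series PLC",
     "mgmt_ip": "203.0.113.10", "internet_reachable": True,
     "default_credentials": True, "remote_access": "direct"},
    {"asset_id": "plc-02", "vendor": "Unitronics", "model": "Vision series PLC",
     "mgmt_ip": "10.20.30.5", "internet_reachable": False,
     "default_credentials": True, "remote_access": "vpn_mfa"},
    {"asset_id": "hmi-03", "vendor": "ExampleVendor", "model": "HMI-X",
     "mgmt_ip": "198.51.100.7", "internet_reachable": True,
     "default_credentials": False, "remote_access": "vpn"},
    {"asset_id": "plc-04", "vendor": "ExampleVendor", "model": "PLC-Y",
     "mgmt_ip": "10.20.30.9", "internet_reachable": False,
     "default_credentials": False, "remote_access": "vpn_mfa"},
]

# Finding code -> remediation (paraphrased; not the advisory's wording).
MITIGATIONS = {
    "DEFAULT_CREDENTIALS": "Replace the vendor default password with a strong, unique one.",
    "INTERNET_EXPOSED": "Remove the management interface from the public internet; place it behind a firewall.",
    "NO_MFA_REMOTE_ACCESS": "Route all remote access through a VPN that enforces multi-factor authentication.",
    "EXPOSURE_FLAG_MISMATCH": "Inventory says not internet-reachable, but the address is publicly routable; verify with an authorized external scan of your own perimeter.",
}


def audit_device(dev):
    """Return severity, finding codes and remediation actions for one inventory record."""
    findings = []
    if dev["default_credentials"]:
        findings.append("DEFAULT_CREDENTIALS")
    addr = ip_address(dev["mgmt_ip"])
    if dev["internet_reachable"]:
        findings.append("INTERNET_EXPOSED")
    elif not addr.is_private:
        # Catches inventory drift: a "not exposed" device that has a public address.
        # (Python treats RFC 5737 documentation ranges as private, so the sample
        # data never trips this branch; a real inventory can.)
        findings.append("EXPOSURE_FLAG_MISMATCH")
    if dev["remote_access"] != "vpn_mfa":
        findings.append("NO_MFA_REMOTE_ACCESS")

    exposed = "INTERNET_EXPOSED" in findings or "EXPOSURE_FLAG_MISMATCH" in findings
    if dev["default_credentials"] and exposed:
        severity = "critical"   # the exact combination the advisory describes
    elif dev["default_credentials"] or exposed:
        severity = "high"
    elif findings:
        severity = "medium"
    else:
        severity = "ok"
    return {"severity": severity, "findings": findings,
            "actions": [MITIGATIONS[code] for code in findings]}


def audit_inventory(inventory):
    """Map asset_id -> audit result for every record."""
    return {dev["asset_id"]: audit_device(dev) for dev in inventory}


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "ok": 3}


def remediation_order(inventory):
    """Asset ids worst-first, so the riskiest devices get fixed first."""
    report = audit_inventory(inventory)
    return sorted(report, key=lambda aid: (SEVERITY_RANK[report[aid]["severity"]], aid))


if __name__ == "__main__":
    report = audit_inventory(INVENTORY)
    for aid in remediation_order(INVENTORY):
        print(aid, report[aid]["severity"], ", ".join(report[aid]["findings"]) or "-")
```

The severity ladder is deliberate: a default password on a device that is also reachable from the internet is the critical case, since no exploit is required, while either condition on its own is still high because one configuration slip away from the same outcome.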

CISA’s cyber defense model of the “brute force” methodology deployed by IRGC operatives may be viewed at MITRE.
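Brute forcing shows up in a gateway’s authentication log as a burst of failures from one source, sometimes followed by a success once a default or guessed password lands. As an added example (not from the original post, CISA or MITRE), the Python below runs a sliding-window detector over constructed log lines; the log format, source addresses and usernames are assumptions, not any product’s real format.

```python
"""Detect password brute forcing against an HMI/PLC remote-access gateway from its
authentication log. The log format and every line below are constructed for this
example; they do not reproduce any real product's log."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log: one authentication event per line, plus one junk line.
SAMPLE_LOG = """\
2023-11-22T03:14:01Z auth FAIL user=admin src=203.0.113.50
2023-11-22T03:14:04Z auth FAIL user=admin src=203.0.113.50
2023-11-22T03:14:07Z auth FAIL user=admin src=203.0.113.50
2023-11-22T03:14:08Z auth FAIL user=operator src=198.51.100.9
2023-11-22T03:14:10Z auth FAIL user=admin src=203.0.113.50
2023-11-22T03:14:13Z auth FAIL user=admin src=203.0.113.50
not a log line at all
2023-11-22T03:14:16Z auth FAIL user=admin src=203.0.113.50
2023-11-22T03:14:19Z auth OK user=admin src=203.0.113.50
2023-11-22T03:20:00Z auth FAIL user=operator src=198.51.100.9
2023-11-22T03:25:00Z auth FAIL user=operator src=198.51.100.9
2023-11-22T03:30:30Z auth OK user=operator src=198.51.100.9
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Sliding-window detector.

    Raises a 'burst' alert the first time a source accumulates `threshold` failures
    inside `window_s` seconds, and a 'success_after_failures' alert when a login
    succeeds from a source that was just bursting (the signature of a guessed
    default password). Sources with a few scattered typos never reach the threshold.
    """
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    already_alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()           # expire failures that fell out of the window
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in already_alerted:
                already_alerted.add(ev["src"])
                alerts.append({"kind": "burst", "src": ev["src"],
                               "user": ev["user"], "count": len(q)})
        else:
            if len(q) >= threshold:
                alerts.append({"kind": "success_after_failures", "src": ev["src"],
                               "user": ev["user"], "failures": len(q)})
            q.clear()             # a success ends the current attempt sequence
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second alert kind is the one worth paging on: a burst alone may be a scanner bouncing off a locked-down device, but a success immediately after a burst means the credential guessing worked and the device now needs its password rotated and its sessions reviewed.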

What is OSINT all about?

OSINT, IMINT, constantin poindexter, carlyle poindexter, masters in intelligence studies, counterintelligence

OSINT is as ancient as the written word. I suppose that there were cuneiform tablets exchanged between Phoenician government functionaries, both public and sensitive, that adversaries coveted. The Greeks were particularly good at intelligence. There is a really good book about it written by Frank Santi Russell. It’s super interesting to see what value a first-generation democracy put on information gathering. What is without question is that OSINT is valuable. Wild Bill Donovan said, “Even a regimented press will, again and again, betray their nation’s best interests to a painstaking observer.”

Like the other INTs, there are some definitions that most practitioners have settled on to describe OSINT. Information collected from the “wherever” is generally not intelligence. It is data or simply information. Intelligence is generally an analyzed and polished product that CONTAINS information. The Department of Defense defines OSINT under §931 of Title Nine: “Open-source intelligence (OSINT) is intelligence that is produced from publicly available information and is collected, exploited, and disseminated in a timely manner to an appropriate audience for the purpose of addressing a specific intelligence requirement.” (50 U.S.C.) The Hassan and Hijazi publication offered this statutory definition verbatim; HOWEVER, they added what I think are some really important distinctions of what composes OSINT (“components”, as Dr. Saar has highlighted), as follows, “. . .

* Open-source data
* Open-source information
* Open-source intelligence
* Validated open-source intelligence”

These components are important not only for context and precedence, adhering to the currently accepted intelligence cycle, etc., but also to offer a framework for practitioners of other INTs to identify where to offer input, and from whence to retrieve reliable and timely data, information and/or intelligence for their own purposes.

OSINT has progressed over time, but not in its essential nature. OSINT has essentially existed since cavemen roamed the earth. Ug of the ooga booga tribe probably eavesdropped on conversation between the huti huchi tribesmen to discover where the best mastodon hunting ground was. Obviously, this oversimplifies something that is actually quite sophisticated now, . . . or is it? We now have the written word and moving images à la the ubiquitous YouTube, but is observation and pondering (analysis) of those observations really an innovation? My position is that OSINT really hasn’t changed at all. The medium for presentation (or mass dissemination) of information, the sophistication of the sensors that we use to collect information, the volume of collection and the high-speed computer-driven analysis of the information have changed, NOT OSINT.

There are clear advantages to the development and deployment of a rigorous OSINT capability. First and foremost is risk. Passive OSINT presents almost no risk, either of the inquiry itself being discovered or of fallout if collection is discovered. Done properly, OSINT projects are discovered only through the betrayal of a practitioner. An intelligence manager must consider the likelihood of discovery and the severity of loss due to discovery. OSINT falls low on the risk index. It’s just smart business.

Another big benefit, but at the same time a serious challenge, is the volume of data or information. The benefit of volume is generally an increased reliability of product. There are plenty of disinformation operations in the world’o’sphere, but in a massive pool of data an enormous effort and resources are required to drown out factual information. Also, a really big pool offers the input of a broad variety of assets or sources. The diversity REALLY helps stabilize analysts’ efforts to draw reliable conclusions. The negative, of course, is how to warehouse and process the huge, HUGE amount of data that an OSINT mission or tasking might produce. This is and will be solved by quantum computing, but the OSINT discipline also benefits from needing less rigorous processing than a technical INT might require. The Norton piece spoke specifically to the “volume” conundrum along with the vetting challenge. “OSINT is challenging because of its volume and because each piece of information must be verified or “vetted,” often in unique ways.” (Norton, 2011, p. 66)

Among the list of advantages, “shareability” is also important. Not only is dissemination of OSINT product helpful and perhaps imperative among members of the Intelligence Community; it can also be superlatively supportive of our allies, the countries with whom we share special liaison or allied service relationships. There is little risk to “sources and methods” with regard to OSINT. The real risk of improper or over-dissemination of OSINT is tipping our hand as to what is important to us AND prejudicing the asset or source, i.e., U.S. Adversary: “You are looking at “x”? Oh! You must have some strategic or tactical interest in “x”! We’d better look into shutting off that faucet, and since it’s important to YOU, then we’d better figure out a countermeasure.” Russian FIS does this, . . . regularly.

There are some other positive qualities of OSINT, e.g., it gives a baseline for understanding the results of more sensitive information collected clandestinely; timeliness, as open sources are often in open competition as to who can “break the story” first; a great enhancement to cultural and ethnic understanding, etc. However, the three main attributes above are, I think, the most valuable and relevant.

I need to give a hat-tip to a crowdsourcing article. The author offers a neat little diagram to identify it, but it is the author’s statement, “Crowdsourced Intelligence is arguably a separate collection discipline from HUMINT or OSINT collection.” (Stottlemyre, 2015), that I feel is prescient. I’m not sure that this fits neatly within the OSINT discipline, most especially if the source is a member of an adversarial government, military or FIS. There are also a lot of wildcards in here, i.e., crowd motivation, crowd identity, or whether it’s really a “crowd” or not. This one merits a deeper look.

Waters, Nick, “Google Maps Is a Better Spy Than James Bond”, Foreign Policy, September 25th, 2018. https://foreignpolicy.com/2018/09/25/google-maps-is-a-better-spy-than-james-bond/#:~:text=In%20the%20words%20of%20William,interests%20to%20a%20painstaking%20observer.%E2%80%9D

Norton, Dr. R.A., “Guide to Open Source Intelligence: A Growing Window into the World”, Journal of Intelligence Studies, vol. 18, no. 2, Winter/Spring 2011

Stottlemyre, Steven A., “HUMINT, OSINT, or Something New? Defining Crowdsourced Intelligence”, International Journal of Intelligence and Counterintelligence, vol. 28, iss. 3, 2015