intelligence - C. Constantin Poindexter Salcedo

June 23, 2026June 23, 2026

The Gabbard–Butler Matter as Counterintelligence Disaster, a Controller in the Blind Spot

Tulsi Gabbard, ODNI, DNI, espionage, counterespionage, intelligence, counterintelligence, CIA, NSA, C. Constantin Poindexter

There is nothing pretty at all about this Tulsi Gabbard insanity. The documented relationship between former Director of National Intelligence Tulsi Gabbard and Chris Butler, founder of the Science of Identity Foundation (SIF), constitutes a counterintelligence failure of f* first order. Drawing on the Washington Post investigation by Jon Swaine (2026) and the broader scholarly and governmental literature on high-control groups, I assess that the preponderance of indicators points to a ranking member of the Intelligence Community who was, at minimum, subject to sustained, concealed, and operationally structured external direction by a fringe cult of personality. I situate the issue within the established framework of undue influence and the agent-of-influence problem, and I argue, with some comparison to six historical cases (the Unification Church, the Church of Scientology, Aum Shinrikyo, the Rajneeshpuram commune, the Peoples Temple, and NXIVM), that the United States possesses ample precedent for treating charismatic-leader organizations as national security threats rather than as private spiritual matters. The distinguishing and aggravating feature of the present case is the controller’s tradecraft of concealment, which mirrors the operational security of a hostile clandestine service and may well have defeated, for more than a decade, the vetting mechanisms that should have DQ’d this crazy lady.

My thesis stated plainly

A counterintelligence operator does not require proof of espionage to break the glass. The discipline is preventive and structural. It concerns itself with vulnerabilities, channels, and concealment long before it concerns itself with the transfer of any specific secret. By that standard, the facts now in the public record describe a disaster. A person who rose to the statutory apex of the United States Intelligence Community, with derivative access to the most sensitive compartmented information the government produces, appears to have operated for much of her political career under the directive influence of an unaccountable external oddball, through a channel deliberately engineered to evade discovery, while publicly denying the relationship that the now publicly aired documentary record describes (Swaine 2026). That sentence, if its components hold, is a textbook description of the precondition for compromise. I am not stating that Tulsi Gabbard was a foreign agent. I don’t subscribe to bullshit conspiracy theories and I am not C.I.-spooky enough to see an enemy behind every corner, however, the architecture of her influence relationship is indistinguishable, in its mechanics and its concealment, from the architecture a hostile service would build. This architecture was permitted to reach the top of the I.C. either undetected or, detected and ignored. I am not going to address Gabbard’s bullshit support of dictators and despots, as that is outside of my purpose here, however, my thoughts about what Swaine has reported may leave you wondering about her positions on Syria, Russia and other U.S. adversaries.

The evidentiary record

The factual spine of my assessment is the year-long investigation by Washington Post reporter Jon Swaine, who obtained more than twenty-five thousand pages of emails, memos, and related messages, including hundreds of confidential memos spanning the years 2011 to 2017, most of them coinciding with Gabbard’s first two congressional terms (Swaine 2026). The material was furnished by Rebecca Saltzburg, a former SIF member who had worked on digital strategy for several of Gabbard’s congressional campaigns. According to the reporting, the memos issued from email addresses on the Nine Isles domain, identified as reserved for the office of Chris Butler, and contained directives on legislation Gabbard should introduce, policy positions she should adopt, and the manner in which she should conduct herself on television (Swaine 2026).

Two features of the record deserve emphasis at the outset. The parallelism between directive and action. The Post documented instances in which a memo preceded a corresponding public act within days, a 2014 memo pressing for legislation to penalize countries whose citizens had joined the Islamic State was followed by a Gabbard statement the next day and a bill within the week (Swaine 2026). Second, attribution methodology. Because the memos were authored anonymously, Swaine resorted to stylometric analysis (the statistical study of authorial fingerprints in word choice and usage) comparing the memos against Butler’s archive of recorded lectures as well as the writing of two other candidate authors. Nonstandard usages such as “duplistic” and “judgmentalism” recurred across the memos and Butler’s lectures, and a first-person reference to a Hawaiian adolescence fit Butler rather than his deputy Sunil Khemaney, who had claimed authorship (Swaine 2026). Stylometry as a forensic instrument is not novel. It is the same family of methods that Mosteller and Wallace (1964) used to resolve the disputed authorship of The Federalist. Its probative weight here is considerable precisely because the controller took pains to remain anonymous.

For the integrity of the assessment, there are some limits to put on the record. The documents cover 2011 to 2017 and therefore cannot establish whether the directive relationship continued into Gabbard’s later terms or into her tenure as Director of National Intelligence (Swaine 2026). The provenance is a single defector with a possible motive, and Gabbard’s office has characterized the reporting as flowing from a failed extortion attempt and as an instance of anti-Hindu bigotry (Swaine 2026). I treat these caveats seriously a bit later. They constrain the claim. They do not dissolve it.

The analytical framework: influence, control, and the agent of influence

Counterintelligence distinguishes among three phenomena that the non-CI folk tend to collapse: ordinary influence, coercive control, and espionage. Political actors are influenced by mentors, donors, and constituencies as a matter of course, which is unremarkable. Espionage, the witting transfer of protected information to an adversary, is a discrete crime for which the public record here offers no evidence. The category that matters for this case is the middle one, and it has a specific name in the literature of hostile intelligence, “the agent of influence”, an individual who advances another principal’s objectives within a target government, whether wittingly or not, often through a relationship the target population does not perceive (Andrew and Mitrokhin 1999).

The agent-of-influence problem is dangerous in proportion to two variables: the access of the individual and the concealment of the channel. The personnel security system encodes precisely this logic. The National Security Adjudicative Guidelines promulgated under Security Executive Agent Directive 4 treat foreign and external influence (Guideline B), personal conduct involving concealment (Guideline E), and susceptibility to manipulation, coercion, or duress as core disqualifying conditions for access to classified information (ODNI 2017). A relationship that an applicant conceals, and especially one she has publicly denied, is doubly disqualifying: it establishes both the undue-influence vulnerability and the demonstrated willingness to deceive about it.

The clinical literature on high-control groups supplies the mechanism by which such a relationship can produce a level of direction far exceeding ordinary mentorship. Lifton’s (1961) study of thought reform identified milieu control, the demand for purity, the cult of confession, and the doctrine of “sacred science” as instruments of totalist control; Singer (1995) catalogued the systematic conditions under which adult autonomy is overridden within such groups; and Hassan (1988) formalized the analysis as the BITE model, the coordinated control of Behavior, Information, Thought, and Emotion. The salient point for counterintelligence is that a person conditioned within such a system from childhood does not present the profile the vetting system is designed to detect. There is no recruitment event, no foreign handler meeting, no financial inducement to find. The control predates adult life. This is the deepest reason the present case is not merely serious but novel. I’ll return to it a bit later.

The Unification Church: cult as influence vehicle with an intelligence nexus

The closest precedent in American constitutional history for treating a charismatic-leader organization as a counterintelligence matter is the investigation of the Unification Church conducted by the Subcommittee on International Organizations of the House Committee on International Relations, chaired by Representative Donald Fraser. The Fraser Committee found that the Moon organization and its many religious and secular fronts constituted “essentially one international organization” over which Sun Myung Moon exercised substantial control in pursuit of political objectives (U.S. House 1978). It further found active cooperation between the Korean Central Intelligence Agency and Moon-related entities, that some church members worked as volunteers in congressional offices, and that the apparatus operated as an instrument of a foreign government’s influence campaign on American politics (U.S. House 1978; Boettcher 1980).

The structural analogy to SIF is exact at the level that matters: a single charismatic principal exercising centralized control over a transnational network of nominally independent entities, deploying that network toward political ends, and placing adherents inside the offices of elected officials. The Japanese variant of the same organization later achieved the same penetration of the Liberal Democratic Party, again by placing followers as legislative secretaries and by delivering bloc votes (Nippon.com 2026). The Fraser precedent establishes the principle I am invoking: when a cult of personality reaches into the staffing and policy of a government, the United States Congress has already determined, on the record, that the appropriate frame is counterintelligence, not comparative religion. The defensive rhetoric is also precedent-setting. Moon’s deputy Bo Hi Pak met the subcommittee’s questions by denouncing the chairman as “an instrument of the Devil” rather than by answering them (U.S. House 1978). The contemporary invocation of bigotry to foreclose inquiry into SIF occupies the same rhetorical position.

The Church of Scientology: tradecraft and the vetting failure

If the Unification Church supplies the template for influence, the Church of Scientology’s Operation Snow White supplies the template for tradecraft and for the failure of government to detect it. Between 1973 and 1977, the Church’s Guardian’s Office mounted what federal prosecutors and the sentencing court described as the single largest infiltration of the United States government by a private entity, placing operatives with forged credentials inside the Internal Revenue Service, the Department of Justice, the Drug Enforcement Administration, the Coast Guard intelligence service, and a United States Attorney’s office, among more than one hundred agencies (Urban 2011). Eleven senior officials, including Mary Sue Hubbard, were convicted of conspiracy, burglary of government offices, and theft of government property (Urban 2011).

There are two direct lessons here. The first is the insulation of the principal. L. Ron Hubbard was named an unindicted co-conspirator because the prosecution concluded that all direct communication ran through his wife rather than through him, leaving insufficient evidence to convict the man at the center (Urban 2011). The Guardian’s Office had, in other words, engineered deniability for its leader as a structural feature. The second lesson concerns the failure mode of vetting. Operatives bearing false identification sat inside sensitive federal offices for years before discovery. Snow White demonstrates that a closed, disciplined group will develop and deploy clandestine tradecraft comparable to a state intelligence service, and that the credentialing and personnel systems of the United States government are not intrinsically resistant to it. The relevance to a controller who refused to commit his directives to any medium attributable to himself, and who routed them through anonymized intermediaries, requires no elaboration.

Aum Shinrikyo: penetration of the security services and the radar-screen problem

The case of Aum Shinrikyo is instructive at the upper bound of the threat model and, more pointedly, on the question of detection. The 1995 staff study of the Senate Permanent Subcommittee on Investigations found that the cult had recruited scientists and technical experts to pursue chemical, biological, and nuclear weapons, had deployed sarin and VX, and, decisively for my argument, had “successfully infiltrated various levels of the Japanese government and industry including elements of its law enforcement and military” (U.S. Senate 1995). Members within the Japan Defense Forces passed the group advance warning of a planned police raid (U.S. Senate 1995). This is cult penetration of the cleared security establishment, documented by a committee of the United States Senate.

The study’s conclusion on detection is the sentence every counterintelligence operator should keep in mind. Despite the cult’s overt and far-flung activities, “not a single U.S. enforcement or intelligence agency perceived them as dangerous, much less a threat to national security,” prior to the Tokyo subway attack. In the words of one officer, “they simply were not on anybody’s radar screen” (U.S. Senate 1995). The institutional pathology Aum exposed was a fixation on official state proliferation that rendered a non-state, ideologically motivated actor effectively invisible to the apparatus. The Gabbard–Butler matter exposes the analogous blind spot, i.e., a vetting system oriented toward foreign handlers and financial inducements is structurally weak. It is poorly equipped to perceive a domestic cult of personality as a control threat, even when that cult exhibits the operational characteristics of one.

Rajneeshpuram and the Peoples Temple: the manipulation of democratic processes and the violence end-state

Two other cases bracket the behavioral repertoire of high-control groups in their relation to the state. The first is the Rajneeshpuram commune, whose leadership in 1984 deliberately contaminated salad bars at ten restaurants in The Dalles, Oregon, with Salmonella Typhimurium, sickening at least seven hundred fifty-one people, in a trial run intended to incapacitate the voting population and swing a county election (Török et al. 1997; Carus 2001). It remains the largest bioterrorist attack in United States history, and its target was the integrity of an American election. The relevance to the present case is the SIF apparatus’s documented operation of a network of inauthentic social media accounts, bearing false names and misappropriated avatar images, to defend and amplify Gabbard during her congressional years (Swaine 2026). The manipulation of democratic processes is squarely within the repertoire of such groups, and the inauthentic-account operation should be read in that light rather than as an isolated public relations excess.

The Peoples Temple case marks the terminal point of unchecked charismatic control over a population. In 1978, the Temple’s response to congressional oversight was the murder of Representative Leo Ryan on a Guyanese airstrip, followed by the deaths of more than nine hundred members (U.S. House 1979; Reiterman and Jacobs 1982). I am not citing Jonestown to suggest violence is imminent in the present matter. I am doing so in order to fix the outer boundary of what total psychological control of a population by a charismatic leader has produced in living American memory, a lesson that the federal government paid with the life of a sitting member of Congress. Underestimating such a group is an invitation to disaster.

NXIVM: the modern coercive-control and political-cultivation template

The most recent adjudicated precedent is NXIVM, whose leader Keith Raniere was convicted in 2019 in the Eastern District of New York on racketeering, sex trafficking, and related counts (U.S. DOJ 2019). NXIVM is the contemporary demonstration of three mechanisms relevant here. It combined coercive control with the systematic collection of “collateral,” compromising material held over members to ensure compliance, which is to say it manufactured the very blackmail vulnerability that counterintelligence fears. It deployed substantial private wealth and data operations toward the cultivation of political figures, including efforts directed at political circles abroad. And it demonstrated that a coercive-control organization will direct its capabilities toward access and influence as a matter of design. NXIVM establishes, in a federal record of conviction rather than mere allegation, that the threat model I am describing is not historical exotica but a live and recent feature of the American landscape.

Butler’s “tradecraft”: the concealment that converts influence into a counterintelligence problem

Everything above is prologue to the feature that, in my assessment, elevates the Gabbard–Butler matter from a troubling association to a counterintelligence nightmare, the controller’s tradecraft of concealment. Ordinary spiritual mentorship is conducted openly. What the record describes is the opposite, a sustained effort to exercise direction while defeating attribution.

Look at these elements in combination. Butler, by the account of the defector who produced the documents, does not use a computer. He delivered his directives verbally to secretaries who transcribed them, and the resulting memos were authored anonymously. The anonymity was described as intentional, designed to mask his identity if the documents ever surfaced (Swaine 2026). This is not the behavior of a teacher. It is the behavior of a principal practicing source protection. The use of human intermediaries to avoid committing direction to any attributable medium is a countersurveillance red alert, the functional equivalent of the cut-out in classical tradecraft. It succeeded to the point that a deputy could later step forward to claim authorship and thereby absorb attribution on the controller’s behalf (Swaine 2026). That the claim was defeated only by stylometric analysis demonstrates how close the concealment came to working.

Consider the management of disclosure as a deliberate question. The record includes an internal discussion in March 2015 about whether Gabbard should publicly admit she was Butler’s disciple (Swaine 2026). The relationship was CLEARLY understood, by the apparatus itself, as something to be managed and selectively concealed. This is corroborated by Gabbard’s own public conduct, which oscillated between private acknowledgment and public denial. In 2015 she acknowledged Butler as her guru at an ISKCON anniversary event and described him as her “beloved grandfather” and “spiritual master” (Science of Identity Foundation, in Wikipedia 2026; Sanneh 2017), yet in 2019, when asked directly whether Butler had been her political mentor, she answered, “No, no, not at all” (Bhasha Times 2026). When the New York magazine journalist Kerry Howley submitted questions about Butler, SIF, and related matters, Gabbard’s reply declined even to mention them (Civil Beat 2019). Concealment that is selective, deliberate, and sustained across years is not the signature of an innocent association. It is the signature of a relationship the parties knew would draw a shitstorm in the daylight.

The counterintelligence significance is structural. Butler’s intentions are irrelevant. A controlling node that is hidden is an unmonitored channel into the principal. An unmonitored channel into a cleared person is an attack surface available to any third party that discovers it. No one has to suspect that Butler is a foreign agent in order to recognize the peril. If a hostile service were to identify that a single organization could shape the conduct of a top U.S. I.C. official, the rational operational play would be to penetrate or pressure that organization. That would be my move, and there is precedent reaching all the way back to the Greeks of antiquity. The concealed controller is a vulnerability but more tragically, a force multiplier for any adversary sophisticated enough to notice him (and there was ample circumstantial evidence to do so). This is the precise logic the Fraser Committee applied to the KCIA’s exploitation of the Moon organization (U.S. House 1978), and it applies here with equal force.

Is there a Counterargument?

Intellectual honesty requires that the strongest objections be stated and answered. The first objection is religious, i.e., that a Hindu public figure’s deference to a guru is ordinary within a guru-shishya tradition of hundreds of millions of adherents. To pathologize it is bigotry (Shukla 2021). I am FINE with the premise and reject its bullshit application. The objection would be decisive if SIF were a mainstream Vaishnava lineage and if the relationship were open. It is neither. SIF is a breakaway personality cult that numerous former members describe as demanding absolute fealty and treating its founder as akin to a deity (Sanneh 2017; Swaine 2026), and the relationship at issue was concealed and publicly denied. As the Hindu American Foundation’s own propaganda puts it, a guru in the mainstream tradition “is a guide, not a master, and certainly not a controller” (Shukla 2021). This is specifically the distinction I am drawing here. The bigotry objection protects open spiritual practice. It does not protect a concealed directive channel. Conflating the two is itself a category error that the controller’s defenders have incentive to encourage.

The second objection is evidentiary, that the documents derive from a single defector with a financial motive, and that Gabbard’s office attributes the matter to a failed extortion attempt (Swaine 2026). The source’s motive is a legitimate. I am giving Gabbard the discount, but three factors raise the record WAY above bare single-source allegation. The volume is extraordinary, more than twenty-five thousand pages. The internal corroboration is strong in the documented sequence of directives followed by public acts. The independent stylometric attribution, defeating an affirmative false claim of authorship by the deputy, is the kind of forensic confirmation that fabrication does not readily survive (Swaine 2026; Mosteller and Wallace 1964). A disgruntled volunteer can lie. She can’t easily manufacture a decade of timestamped parallelism and a consistent authorial fingerprint matched to a separate lecture archive.

A third objection may be the most important and the most honest, that influence is not espionage, and that the documentary window closes in 2017, before Gabbard held national security office (Swaine 2026). Ok, fine. I have been careful not to allege a classified breach. My thesis here does not require one. The counterintelligence disaster is the demonstrated existence of a concealed, directive, deniable channel of external control over a person who subsequently received the highest access in the government, coupled with a vetting apparatus that failed to surface or act on a relationship documented across more than two dozen of her congressional decisions. The 2017 evidentiary boundary is itself part of the indictment, not a mitigation, because the proper governmental response to an unresolved control relationship is to establish whether it continued, and the public record gives no indication that this was ever done before her confirmation.

My Parting Thoughts

My call? With the caveats stated, the Gabbard–Butler matter satisfies the criteria for a counterintelligence disaster. The indicators are not ambiguous in their structure even where they remain contested in their details, i.e., a charismatic controller exercising directive influence over a principal’s legislation and public conduct; a channel built for deniability and protected by recognizable countersurveillance practice; a pattern of deliberate, selective concealment culminating in flat public denial; and a personnel security system that allowed the entire arrangement to reach the summit of the I.C. undetected or at the very least unappreciated. Both scenarios are equally galling because the sneakiness, denials and obfuscation should have been a glass-breaking moment.

The historical cases I have collected here establish that none of this is unprecedented in its parts. The Unification Church shows the cult as a foreign-exploited influence vehicle. Scientology shows the tradecraft and the vetting failure. Aum shows the penetration of cleared services and the radar-screen blindness. Rajneeshpuram shows a willingness to subvert democratic processes. The Peoples Temple shows the price already paid in a congressman’s life, and NXIVM shows the coercive-control and political-cultivation template alive in the present. What is unprecedented is the convergence of these elements in a single individual who held the office of Director of National Intelligence.

The appropriate response is an immediate retrospective damage assessment of the relevant tenure, an audit of the vetting file to determine whether this relationship was surfaced and overridden or simply missed, an inquiry into whether the directive relationship persisted past 2017, and an assessment of whether the controlling organization was itself ever a target of foreign penetration: these are the minimum measures the matter demands. A counterintelligence mechanism that declines to ask these questions because the controller wears the costume of a religion will have learned nothing from the cases above, each of which was, in its time, dismissed as somebody else’s eccentricity, . . . until it was not.

~ C. Constantin Poindexter, MA in Intelligence, Graduate Certificate in Counterintelligence, JD, CISA/NCISS OSINT certification, DoD/DoS BFFOC Certification

Bibliography

Andrew, Christopher, and Vasili Mitrokhin. 1999. The Sword and the Shield: The Mitrokhin Archive and the Secret History of the KGB. New York: Basic Books.
Bhasha Times. 2026. “Documents Reveal How Guru Shaped Tulsi Gabbard’s Political Career.” June. https://www.bhashatimes.com/en/world/documents-reveal-guru-influence-tulsi-gabbard.
Boettcher, Robert, with Gordon L. Freedman. 1980. Gifts of Deceit: Sun Myung Moon, Tongsun Park, and the Korean Scandal. New York: Holt, Rinehart and Winston.
Carus, W. Seth. 2001. Bioterrorism and Biocrimes: The Illicit Use of Biological Agents Since 1900. Washington, DC: Center for Counterproliferation Research, National Defense University.
Honolulu Civil Beat. 2019. “NY Magazine Looks at Gabbard’s Science of Identity Foundation Background.” June. https://civilbeat.org/beat/ny-magazine-looks-at-gabbards-science-of-identity-foundation-background/.
Hassan, Steven. 1988. Combating Cult Mind Control. Rochester, VT: Park Street Press.
Lifton, Robert Jay. 1961. Thought Reform and the Psychology of Totalism: A Study of “Brainwashing” in China. New York: Norton.
Lifton, Robert Jay. 1999. Destroying the World to Save It: Aum Shinrikyo, Apocalyptic Violence, and the New Global Terrorism. New York: Metropolitan Books.
Mosteller, Frederick, and David L. Wallace. 1964. Inference and Disputed Authorship: The Federalist. Reading, MA: Addison-Wesley.
Nippon.com. 2026. “An Unholy Alliance: How the Unification Church Penetrated Japan’s Ruling Liberal Democratic Party.” January. https://www.nippon.com/en/japan-topics/c12101/.
Office of the Director of National Intelligence (ODNI). 2017. Security Executive Agent Directive 4: National Security Adjudicative Guidelines. Washington, DC: ODNI.
Reiterman, Tim, and John Jacobs. 1982. Raven: The Untold Story of the Rev. Jim Jones and His People. New York: Dutton.
Sanneh, Kelefa. 2017. “What Does Tulsi Gabbard Believe?” The New Yorker, November 6.
Shukla, Aseem. 2021. “When the New Yorker Otherized Tulsi Gabbard’s Faith.” Hindu American Foundation. https://www.hinduamerican.org/blog/when-the-new-yorker-otherized-tulsi-gabbards-faith/.
Singer, Margaret Thaler. 1995. Cults in Our Midst: The Hidden Menace in Our Everyday Lives. San Francisco: Jossey-Bass.
Swaine, Jon. 2026. “Tulsi Gabbard, Her Guru and the Mysterious Messages That Helped Shape Her Political Career.” The Washington Post, June 21. https://www.washingtonpost.com/investigations/2026/06/21/tulsi-gabbard-her-guru-mysterious-messages-that-helped-shape-her-political-career/.
Török, Thomas J., Robert V. Tauxe, Robert P. Wise, John R. Livengood, Robert Sokolow, Steven Mauvais, Kristin A. Birkness, Michael R. Skeels, John M. Horan, and Laurence R. Foster. 1997. “A Large Community Outbreak of Salmonellosis Caused by Intentional Contamination of Restaurant Salad Bars.” JAMA 278 (5): 389–395.
Urban, Hugh B. 2011. The Church of Scientology: A History of a New Religion. Princeton, NJ: Princeton University Press.
U.S. Department of Justice (U.S. DOJ). 2019. “NXIVM Leader Keith Raniere Convicted of Racketeering and Other Crimes.” Press release, Eastern District of New York, June 19.
U.S. House of Representatives. 1978. Investigation of Korean-American Relations: Report of the Subcommittee on International Organizations of the Committee on International Relations. 95th Cong., 2nd sess. Washington, DC: Government Printing Office.
U.S. House of Representatives. 1979. The Assassination of Representative Leo J. Ryan and the Jonestown, Guyana Tragedy: Report of a Staff Investigative Group to the Committee on Foreign Affairs. 96th Cong., 1st sess. Washington, DC: Government Printing Office.
U.S. Senate. 1995. Global Proliferation of Weapons of Mass Destruction: A Case Study on the Aum Shinrikyo. Staff Statement, Permanent Subcommittee on Investigations, Committee on Governmental Affairs. October 31. Washington, DC: Government Printing Office.
Wikipedia. 2026. “Science of Identity Foundation.” Accessed June. https://en.wikipedia.org/wiki/Science_of_Identity_Foundation.

Share this post:

June 10, 2026June 10, 2026

Double Agent Warning Signs: A Counterintelligence Guide

Reading the Dangle: A Practitioner’s Field Guide to the Controlled Source and the Reform of Asset Validation. An essay in the voice of a former C.I. guy.

The hardest thing in human intelligence is not recruiting a source. It is knowing whether the source you have recruited belongs to you. Alexander Orleans’s recent open-source reconstruction of the GTPROLOGUE case (the KGB’s 1987 dispatch of staff officer Aleksandr “Sasha” Zhomov against the CIA’s Moscow Station) is the best publicly released anatomy in years of how a hostile service builds, in Churchill’s phrase, a bodyguard of lies around a single operational truth (Orleans 2025). Zhomov was run for roughly three years before the CIA concluded he had been controlled from the first contact. What makes the case instructive is not that the CIA was fooled. That happens to the very best services. It is that the case threw up nearly every classic warning flag. The flags were seen, debated, and the case survived (Orleans 2025; Bearden and Risen 2003).

I am have compiled here a working catalogue of those flags and others drawn from a bit wider literature, each anchored to a real case, followed by the improvements that the counterintelligence mechanism should institutionalize. I have tried to stay as close to actual tradecraft as the open record allows. None of this requires classified access to understand. The painful truth is that the indicators are well known and have been since at least F. M. Begoum’s foundational 1962 Studies in Intelligence treatment of the double agent (Begoum 1962). We keep relearning them, unfortunately.

The Indicators

Production disproportionate to access. The most durable tell is a source who sits on a mountain of secrets but hands you gravel. Zhomov was a First Department staff officer supervising surveillance of the Moscow chief of station, yet he claimed only “peripheral or infrequent access” to the very material his posting should have made routine (Orleans 2025; Grimes and Vertefeuille 2012). The Soviets had a structural reason for this: strict doctrine forbade releasing genuine high-grade feed, and officers feared a Stalin-style reckoning for over-disclosure, so their dangles were trained to plead thin access (Diamond 2008; Earley 1997). When a source’s reporting is consistently and conveniently below the ceiling his placement implies, ask who benefits from the rationing.

The source controls the communications plan and the tempo. Control is the running service’s capacity to start, alter, or stop the agent’s behavior (Begoum 1962). Zhomov arrived with a fully formed, impersonal commo plan, i.e., letter drops through Downing’s unlocked car, contact at Zhomov’s discretion, no extended face-to-face meetings, that placed every lever in KGB hands and even constrained the physical movements of his CIA handlers (Orleans 2025; Bearden and Risen 2003). Compare the gold standard of the opposite arrangement: the British XX Committee in the Second World War, which physically and communicationally owned every German agent in the United Kingdom and therefore could feed Berlin with confidence (Masterman 1972). When the agent dictates the architecture of contact, you are not running him. He is running you.

Motivation that is thin, generic, or unbackstopped. Espionage against one’s own service is a profound psychological act. A credible asset or source can convincingly narrate why he crossed that line, and the story holds up under collateral. Zhomov offered the boilerplate of a souring system and a failing marriage (and the independent debriefing of defector Sergey Papushin flatly contradicted it) describing Zhomov as happily married and devoted to his daughter (Orleans 2025; Grimes and Vertefeuille 2012). A motive that cannot survive a second source is not a motive; it is a legend.

The “too good to be true” arrival. Hostile services read your collection gaps and fill them on cue. Zhomov surfaced precisely when CIA was desperate to explain the catastrophic 1985–86 asset losses, with exactly the access to “explain” them (Orleans 2025). “Too good” and “true” are not mutually exclusive. Genuine walk-ins do occur at the worst possible moment, however, topicality this perfect should raise the burden of proof, not lower it (Johnson 2009). The Cuban debacle is the cautionary monument here. When Major Florentino Aspillaga Lombard defected in Vienna in June 1987, he revealed that essentially every Cuban national CIA believed it had recruited since the early 1960s had been a double agent run by Havana, which had deliberately marketed its officers as Latino amateurs to operate under the radar (Latell 2012). Decades of “successes” were a single, patient deception.

No genuine urgency about exfiltration. A man who says he wants out, and that he is hoarding his best material for his debriefing on safe ground should eventually ask, “When do I leave?” Zhomov never requested a timeline. When he was finally offered an exfiltration route in 1990, he repudiated it as too risky and melted back into his surveillance team (Orleans 2025; Bearden and Risen 2003). The professed defector who never wants to defect is bullshitting, not packing a bug-out bag.

Self-validating bona fides and feed that never truly wounds the parent service. A controlled source builds credibility with material that looks costly but is not. Zhomov handed over an accurate roster of the 1985–86 losses, damaging on its face but wrapped it inside the false “badass infallible SCD” narrative that the losses were due to brilliant Soviet tradecraft rather than a mole (Orleans 2025). The feed validated the channel while protecting the secret the channel existed to protect, Aldrich Ames. Scrutinize whether your source’s “crown jewels” actually cost his service anything, or whether each disclosure quietly advances his service’s interests. To put it into risk language, if it doesn’t represent a peril to the parent service, it’s worthless.

Opposition tradecraft errors inconsistent with claimed competence. Zhomov’s reporting foretold a wave of KGB dangles. The CIA then watched the KGB run them so sloppily that two were blatantly exposed as provocations. Moscow Station rationalized the lapse as endemic Soviet carelessness, never noticing that careless tradecraft was logically irreconcilable with the omniscient SCD Zhomov was boasting (Orleans 2025). A service cannot be simultaneously infallible and sloppy. When the picture that your asset paints contradicts the behavior you observe, believe your eyes.

The denied-area home-field advantage. The environment is itself an indicator because it shapes which other indicators you can even test. The entire Zhomov case unfolded inside Moscow, where the KGB controlled the street, precluded long debriefings, and could refuse any meeting on the unanswerable grounds that he could not evade his own surveillance teams (Orleans 2025). Paul Redmond’s candid summary of denied-area validation, i.e., few or no collateral sources, heavy reliance on the value of the take and on how the case began, etc., describes a problem the opposition deliberately engineers (Redmond 2010). A case born and raised entirely on the adversary’s turf has had its validation options strangled at birth.

Resistance to operational testing, and its scary f* inverse. Zhomov met hard vetting questions with answers his own counterintelligence officers found vague or improbable, and deflected with the promise to tell all after extraction (Orleans 2025; Grimes and Vertefeuille 2012). Reluctance to be tested, i.e., evasion of the polygraph, of provocative taskings, of the “shopping list” designed to catch him out, is itself prescient and instructive. This indicator carries a warning that the GTPROLOGUE case does not supply, and which the profession must internalize. Paranoia burns real sources too. The protracted, brutal handling of Soviet defector Yuri Nosenko as a presumed provocation, and the suspicion that nearly cost CIA the genuinely priceless GRU general Dmitri Polyakov, are the equal-and-opposite pathology of the credulity that protected Zhomov (Bagley 2007; Wise 1992). Validation is calibrated doubt, not a reflex in either direction.

“The hunger,” and the incentives that feed it. Orleans names the quiet culprit, the case officer’s appetite for a spectacular coup, the institutional reluctance to push a glittering source hard enough to lose him (Orleans 2025). Redmond was blunter, attributing post-Angleton validation failures partly to officers who would not believe their own cases could be fabricated, “particularly when promotions were involved” (Redmond 2010). The Cuban catastrophe metastasized in exactly this soil, an organizational will to believe in recruitments that flattered the recruiters (Latell 2012). The most expensive flag is the one we choose not to see because seeing it costs us a career achievement.

What the Counterintelligence Function Should Implement

The indicators are necessary but not sufficient; an agency that merely lists them will still be deceived, because Zhomov’s case proves the flags can be flying and the operation still survive. The reforms below are about forcing the indicators to bite.

Institutionalize continuous revalidation. CIA’s response to the burnings of the 1980s was the Agent Validation System, developed beginning in 1987 and formally introduced to the Directorate of Operations in 1991 (Mahle 2004; Olson 2019). The principle is sound and should be doctrine across the community: bona fides established once are not established forever. An asset must be re-graded on a recurring schedule against all six classical validation methods, i.e., corroboration by other sources, specific taskings and operational testing, collection on the asset, polygraph, penetration of his parent service, and surveillance of him. Nothing can be assumed about what has happened to a source since he last proved himself (Orleans 2025; Olson 2019).

Separate the validator from the handler. The officer who recruited a source and the officer who certifies him should not be the same person, and ideally not the same chain of command. The hunger is a conflict of interest; structure must neutralize it by giving an independent counterintelligence cell standing authority to challenge any case, with protection for the analyst who dissents. The GTPROLOGUE record shows the system was half-working. Gerber and Redmond stayed skeptical and the counterintelligence staff kept raising concerns, but those concerns were repeatedly subordinated to the desire not to “make him mad” (Orleans 2025). Dissent that can be overruled by the case’s owners is ugly wall art.

Treat “controlled” as a standing hypothesis to be disproven. Richard Heuer’s discipline of Analysis of Competing Hypotheses belongs at the center of validation. Enumerate the hypotheses (bona fide, fabricator, controlled), and weigh each datum by its diagnostic value, how well it discriminates between them rather than by how well it fits the answer you want (Heuer 1999). Most of Zhomov’s “bona fides” were consistent with both a genuine volunteer and a dangle. They had near-zero diagnostic value, yet they were treated as confirmation. An asset who survives a deliberate effort to prove him hostile is worth far more than one who was merely never seriously doubted.

Privilege penetration of the opposition as the only decisive validator. This is the lesson written in blood across all these cases. Zhomov was unmasked by a defector, Papushin (Orleans 2025). The Cuban deception was unmasked by a defector, Aspillaga (Latell 2012). Ames himself was ultimately run to ground with the help of sources inside Russian FIS. A source’s own production literally never resolves his bona fides. The inside of the adversary’s service does. This is precisely why Olson ranks “Be Offensive” first among his Ten Commandments of Counterintelligence. The recruitment of penetrations and the aggressive running of double agents is not a luxury but the engine of validation itself (Olson 2019).

Design incentives against ‘the hunger’. This is, of course, the quality over quantity argument. If promotion rewards recruitment volume, officers will recruit, defend, and inflate. The corrective countermeasure is a damage-assessment culture in which surfacing a fabricator or a controlled case is treated as a professional success rather than an “F”, and in which money paid to a source is understood as an operational investment, not a sunk cost that must be justified (Orleans 2025).

My parting thoughts

Zhomov was, as Orleans concedes, solid work. Each element, from setting to feed to commo plan, was engineered to seize and hold the initiative (Orleans 2025). The case also confirms, however, a maxim as old as Begoum. Production alone never establishes bona fides, and no single metric should ever excuse a source from continued scrutiny, least of all a potential penetration, who is the most dangerous thing of all if he turns out to belong to the other side (Begoum 1962; Orleans 2025). The discipline is not paranoia, which destroyed Nosenko’s years and nearly Polyakov’s life; nor is it the hunger, which delivered Havana a quarter-century of phantom victories. It is the willingness to keep testing a source you want desperately to believe in, and to take seriously the colleague at the table who will not stop asking the uncomfortable question.

Everything happens once for the first time, including a staff officer dangled by a service that “would never” dangle a staff officer. The counterintelligence officer who forgets that sentence is somewhere, already being run.

~ C. Constantin Poindexter, MA in Intelligence, Graduate Certificate in Counterintelligence, JD, CISA/NCISS OSINT certification, DoD/DoS BFFOC Certification

Bibliography

Bagley, Tennent H. 2007. Spy Wars: Moles, Mysteries, and Deadly Games. New Haven, CT: Yale University Press.
Bearden, Milt, and James Risen. 2003. The Main Enemy: The Inside Story of the CIA’s Final Showdown with the KGB. New York: Random House.
Begoum, F. M. 1962. “Observations on the Double Agent.” Studies in Intelligence 6, no. 1: 57–72.
Diamond, John. 2008. The CIA and the Culture of Failure: U.S. Intelligence from the End of the Cold War to the Invasion of Iraq. Stanford, CA: Stanford Security Studies.
Earley, Pete. 1997. Confessions of a Spy: The Real Story of Aldrich Ames. New York: G. P. Putnam’s Sons.
Grimes, Sandra, and Jeanne Vertefeuille. 2012. Circle of Treason: A CIA Account of Traitor Aldrich Ames and the Men He Betrayed. Annapolis, MD: Naval Institute Press.
Heuer, Richards J., Jr. 1999. Psychology of Intelligence Analysis. Washington, DC: Center for the Study of Intelligence, Central Intelligence Agency.
Johnson, William R. 2009. Thwarting Enemies at Home and Abroad: How to Be a Counterintelligence Officer. Washington, DC: Georgetown University Press.
Latell, Brian. 2012. Castro’s Secrets: Cuban Intelligence, the CIA, and the Assassination of John F. Kennedy. New York: Palgrave Macmillan.
Mahle, Melissa Boyle. 2004. Denial and Deception: An Insider’s View of the CIA. New York: Nation Books.
Masterman, J. C. 1972. The Double-Cross System in the War of 1939 to 1945. New Haven, CT: Yale University Press.
Olson, James M. 2019. To Catch a Spy: The Art of Counterintelligence. Washington, DC: Georgetown University Press.
Orleans, Alexander. 2025. “Beautiful in Another Context: A Counterintelligence Assessment of GTPROLOGUE.” Studies in Intelligence 69, no. 2 (Extracts, June).
Redmond, Paul J. 2010. “The Challenges of Counterintelligence.” In The Oxford Handbook of National Security Intelligence, edited by Loch K. Johnson, 537–54. New York: Oxford University Press.
Wise, David. 1992. Molehunt: The Secret Search for Traitors That Shattered the CIA. New York: Random House.

Share this post:

May 30, 2026May 30, 2026

Deliberate Disarmament: How the United States is Systematically Dismantling its Disinformation Defenses

disinformation, information warfare, grey zone, influence operations, Russian FIS, psyops, intelligence, counterintelligence, DIA, CIA, NSA;

In the contemporary geopolitical landscape, the battle against disinformation has emerged as a critical front in maintaining national security and democratic integrity. It is hybrid warfare, plain and simple, . . . offensive operations in the “grey zone” the theorists like to call it. The United States has been systematically and purposefully disarming itself in this information warfare through a series of policy decisions and institutional changes that constitute nothing less than a strategic surrender. By examining the dismantling of counter-disinformation agencies, reduction of international alliances, constraints on broadcasting capabilities, prioritization of tech deregulation, and the purging of experienced intelligence personnel, my thoughts here demonstrate how these actions collectively represent a deliberate retreat rather than a mere series of isolated administrative changes. I am also going to share here my opinion on the implications of this unilateral disarmament for U.S. national security interests and the broader information ecosystem, concluding with a stark assessment of America’s vulnerability in an era of escalating information warfare.

The information environment has become a critical domain of modern warfare, where adversaries can achieve strategic objectives without firing a single shot. Russia’s 2026 budget allocation of $1.77 billion for propaganda efforts, supplemented by covert troll farms, front organizations, and cyber operations, demonstrates the seriousness with which state actors approach information warfare (Geraghty, 2026). Against this backdrop of escalating adversarial investment, the United States has paradoxically moved in the opposite direction, systematically dismantling its counter-disinformation infrastructure and capabilities in what can only be described as a deliberate act of strategic self-immolation.

My blog essay here examines how the United States has unilaterally disarmed itself in the information war through a series of deliberate policy choices that extend beyond mere administrative inefficiency to constitute a comprehensive strategic withdrawal. The evidence suggests this represents a fundamental recalibration of America’s approach to information warfare with profound and deeply troubling implications for national security. By examining the various dimensions of this disarmament, from institutional dismantling to personnel purges, we can better understand the emerging vulnerabilities in America’s information defenses and the strategic vacuum being created for adversaries to exploit.

The Systematic Dismantling of Counter-Disinformation Infrastructure

The most striking example of America’s unilateral disarmament in the information war is the systematic dismantling of its counter-disinformation infrastructure. The Trump administration has implemented policies that effectively prohibit federal agencies from combating misinformation or disinformation not tied to criminal activity, barring efforts that had previously been central to America’s information defense strategy (Nurick, 2026). This policy shift represents a fundamental reorientation of federal priorities away from proactive counter-disinformation work toward a reactive posture that only addresses disinformation when it rises to the level of criminal activity, a threshold that most sophisticated influence operations never cross.

The impact of this policy shift has been particularly devastating for agencies that had developed specialized expertise in tracking and countering foreign influence operations. The Global Engagement Center (GEC) at the State Department, which had been at the forefront of exposing Russian, Chinese, and Iranian disinformation campaigns, has seen its mandate severely constrained. Similarly, the Cybersecurity & Infrastructure Security Agency’s “Mis-, Dis-, and Malinformation Resource Library” has been effectively sidelined as part of a broader effort to scrub references to “misinformation” and “disinformation” from technical documents and official communications (Nurick, 2026). This linguistic cleansing reflects a deeper ideological opposition to the very concept of counter-disinformation as a legitimate government function.

Perhaps most alarmingly, the Trump administration has moved to politicize the research funding process that underpins America’s ability to understand and counter disinformation. A recent proposal would give political appointees at federal science agencies the role of approving all scientific research awards, replacing the traditional merit-based system determined by apolitical expert scientists (Lofgren, 2026). As Ranking Member Zoe Lofgren has warned, this move “would destroy what remains of merit-based review, dealing a crippling blow to science” and specifically targets research on topics deemed “politically inconvenient” (Lofgren, 2026). This politicization of research funding effectively ensures that studies of foreign disinformation campaigns and their effects will be starved of resources, leaving America blind to the very threats it should be countering.

The Purging of Expertise and Institutional Knowledge

The deliberate disarmament of America’s counter-disinformation capabilities extends beyond institutional structures to include the systematic purging of experienced personnel from key agencies. The Trump administration has targeted career intelligence analysts and counter-disinformation specialists for removal, replacing them with political loyalists lacking the specialized expertise necessary to understand and counter sophisticated influence operations. This personnel purging represents perhaps the most damaging aspect of America’s unilateral disarmament, as it destroys institutional knowledge that cannot be quickly rebuilt.

The impact of these personnel losses is particularly acute in the counterintelligence domain, where understanding adversary tactics and intentions requires years of specialized experience and the development of deep analytic tradecraft. The departure of these experts has left critical gaps in America’s ability to detect and counter foreign influence operations, creating vulnerabilities that adversaries have been quick to exploit. Even more troubling, the administration has attempted to require all current and future federal employees to sign loyalty oaths that effectively prioritize political alignment over professional expertise (PBS NewsHour, 2026). This approach ensures that the remaining counter-disinformation capabilities will be staffed by personnel selected for their political reliability rather than their analytic acumen.

The personnel purges have also disrupted the continuity of counter-disinformation efforts and severed critical professional networks. Many of the departed officials had developed deep expertise in specific adversary approaches and maintained professional relationships with their counterparts in other countries. Their departure has not only eliminated this expertise from government service but has also disrupted these critical networks and relationships, further isolating the U.S. from the broader counter-disinformation community. This isolation is particularly damaging given the transnational nature of modern influence operations, which require coordinated multinational responses to be effectively countered.

The Strategic Withdrawal from International Information Partnerships

The U.S. retreat from counter-disinformation extends beyond domestic institutions to include the weakening of international alliances and partnerships that had proven effective in combating foreign influence operations. The Trump administration’s “America First” approach has systematically undermined the collaborative frameworks that had been developed to share information about disinformation campaigns and coordinate responses across borders. This withdrawal from international partnerships represents a strategic miscalculation that leaves both the United States and its allies more vulnerable to foreign influence operations.

The impact of this withdrawal is already visible in the declining effectiveness of multinational initiatives like the EU vs Disinfo program and NATO’s strategic communications center, which had worked closely with U.S. agencies to expose Russian and Chinese influence operations. Without U.S. leadership and intelligence support, these partnerships have struggled to maintain their effectiveness against increasingly sophisticated adversaries. This is particularly damaging for smaller nations that lack the resources to develop their own counter-disinformation capabilities and have relied on U.S. support to counter foreign influence operations.

The strategic withdrawal from international partnerships is particularly concerning given the evolving nature of modern influence operations. As Russia, China, and other state actors have developed more sophisticated approaches to information warfare, they have increasingly targeted not just the United States but its allies and partners as well. By withdrawing from these partnerships, the United States has not only isolated itself but has also left its allies more vulnerable to influence operations that ultimately serve to undermine the broader Western alliance system. This strategic withdrawal represents a failure to recognize that information warfare is fundamentally a transnational threat that requires coordinated multinational responses.

The Constraining of Broadcasting and Public Diplomacy Capabilities

The constraints on Voice of America (VOA) and other international broadcasters represent a particularly damaging form of unilateral disarmament. These services had developed sophisticated approaches to reaching audiences in closed societies, often at great risk to their local partners and journalists. By providing independent news and information to audiences that otherwise lack access to unbiased reporting, these broadcasters served as a critical counterweight to state-sponsored propaganda and an important tool of public diplomacy.

The Trump administration has systematically undermined these broadcasting capabilities through budget cuts, leadership changes, and policy directives that have effectively neutered their ability to fulfill their missions. The administration has instructed managers to “reduce performance, . . . to the minimum presence and function required by law,” effectively gutting these organizations’ ability to conduct meaningful public diplomacy (Nurick, 2026). This approach stands in stark contrast to the investments being made by adversaries like Russia, which has expanded its RT network (a known Russian FIS propaganda channel forced to register as a foreign agent) from a traditional broadcaster to an entity with sophisticated cyber capabilities that conducts information operations and covert influence activities worldwide.

The constraining of U.S. broadcasting capabilities is particularly damaging in the context of modern authoritarianism, which increasingly relies on controlling information environments to maintain power. By limiting the ability of U.S. broadcasters to reach these audiences, the United States has effectively abandoned one of its most effective tools for supporting democratic aspirations and countering state propaganda. This retreat is particularly ironic given that these same broadcasters had been instrumental in countering Soviet propaganda during the Cold War—a historical precedent that suggests their current value should be recognized rather than diminished.

The Prioritization of Tech Deregulation Over Information Security

Another dimension of America’s unilateral disarmament in the information war is the prioritization of tech deregulation over information security. While private technology platforms have become the primary battleground for influence operations, the U.S. has moved toward reducing oversight rather than strengthening it. This approach reflects a fundamental misunderstanding of the role that technology platforms play in modern information warfare and the responsibility that both government and industry share for protecting the information ecosystem.

The Trump administration has consistently opposed regulation of technology platforms, even as evidence mounts that these platforms are being exploited by foreign actors to conduct influence operations. This deregulatory approach stands in stark contrast to the recognition by previous administrations that technology platforms play a critical role in both the dissemination of accurate information and the propagation of disinformation. By prioritizing deregulation over information security, the United States has effectively surrendered one of its most potent tools for countering foreign influence operations.

The impact of this deregulatory focus is particularly concerning given the evolving tactics of foreign influence operations. As state actors have developed more sophisticated approaches to information warfare, they have increasingly exploited the vulnerabilities of technology platforms to conduct influence operations at scale. Without adequate oversight and cooperation between government and technology companies, these platforms remain vulnerable to manipulation by foreign actors. The U.S. approach of prioritizing deregulation over information security effectively ensures that these vulnerabilities will remain unaddressed, creating significant opportunities for adversaries to exploit.

The Strategic Implications of Unilateral Disarmament

The cumulative effect of these various dimensions of unilateral disarmament is a significant reduction in America’s ability to compete in the information environment. This retreat has several deeply troubling strategic implications that extend beyond immediate tactical considerations to fundamental questions about America’s ability to protect its interests in an era of information warfare.

Unilateral disarmament creates asymmetries that adversaries can exploit with increasing effectiveness. While Russia, China, and other state actors continue to invest heavily in influence operations—with Russia alone allocating $1.77 billion to propaganda efforts in its 2026 budget—the United States has reduced its capabilities to counter these activities (Geraghty, 2026). This imbalance allows adversaries to shape narratives and influence public opinion with minimal resistance, creating strategic opportunities that they are already exploiting to advance their interests at America’s expense.

The U.S. withdrawal undermines the credibility of its commitments to allies and partners. The inability or unwillingness to maintain counter-disinformation capabilities raises questions about America’s reliability as a security partner, particularly for nations facing intense information warfare campaigns from adversaries. This credibility gap has already begun to reshape alliance dynamics, with some partners questioning whether they can count on U.S. support in the face of foreign influence operations. These doubts have broader implications for alliance cohesion and the ability of the United States to lead collective responses to shared security challenges.

Unilateral disarmament erodes America’s ability to protect its own democratic institutions from foreign influence. As foreign disinformation campaigns aim to “manipulate and weaken adversaries” through tactics designed to “discredit, divide, disarm, and demoralize them,” the United States becomes increasingly vulnerable to these influence operations (Geraghty, 2026). The January 6th Capitol attack and subsequent events have demonstrated how effectively foreign influence operations can exploit existing divisions within American society, a vulnerability that will only grow as counter-disinformation capabilities continue to be dismantled.

The Ideological Dimensions of the Disarmament Strategy

Perhaps most troubling about America’s unilateral disarmament in the information war is the ideological dimension that underlies these policy choices. The systematic dismantling of counter-disinformation capabilities appears to be driven not by pragmatic considerations of effectiveness or efficiency but by a fundamental ideological opposition to the very concept of government involvement in countering disinformation. This ideological opposition manifests in policies that prioritize political loyalty over expertise, deregulation over security, and isolation over cooperation.

The ideological dimensions of this disarmament strategy are particularly evident in the Trump administration’s approach to research funding and scientific expertise. By seeking to place political appointees in control of research funding decisions, the administration has demonstrated a preference for politically convenient narratives over evidence-based analysis (Lofgren, 2026). This approach extends to the very language used to discuss information warfare, with terms like “misinformation” and “disinformation” being systematically scrubbed from official documents and communications (Nurick, 2026). This linguistic cleansing reflects a deeper ideological opposition to acknowledging the existence and threat of foreign influence operations.

The ideological dimensions of the disarmament strategy are also evident in the administration’s approach to international partnerships and alliances. The systematic withdrawal from multinational counter-disinformation initiatives reflects not just a pragmatic assessment of costs and benefits but a deeper ideological opposition to collective approaches to security challenges. This “America First” approach assumes that the United States can effectively address information warfare threats on its own, despite abundant evidence to the contrary. This ideological isolationism leaves America more vulnerable to influence operations while simultaneously undermining the collective security architecture that had been developed to counter these threats.

The Path to Strategic Vulnerability

The evidence that I have presented in this piece demonstrates that the United States has been systematically and purposefully disarming itself in the war on disinformation. Through the dismantling of counter-disinformation agencies, cutting of international alliances, constraints on broadcasting capabilities, prioritization of tech deregulation, banning of funding for independent researchers, and purging of experienced intelligence personnel, the U.S. has created significant vulnerabilities in its information defenses.

This unilateral disarmament is particularly concerning given the escalating investments by adversaries in influence operations. As Russia’s 2026 budget allocation of $1.77 billion for propaganda efforts demonstrates, state actors are increasingly viewing the information environment as a critical domain of warfare (Geraghty, 2026). The U.S. retreat from this domain represents not just a strategic miscalculation but a deliberate surrender with profound implications for national security and the future of democratic governance.

Reversing this unilateral disarmament will require more than simply restoring previous programs and initiatives. It will require a fundamental reorientation of America’s approach to information warfare. This must include rebuilding counter-disinformation capabilities, restoring international partnerships, redeveloping expertise in countering foreign influence operations, and most importantly, rejecting the ideological opposition to government involvement in countering disinformation. Until such efforts are undertaken, the United States will remain at a significant disadvantage in the information environment, unable to effectively counter the sophisticated influence operations being conducted by its adversaries.

The stakes in this information war could not be higher. As foreign actors continue to exploit America’s self-inflicted vulnerabilities, the very foundations of democratic governance are at risk. The unilateral disarmament of America’s counter-disinformation capabilities represents not just a strategic retreat but a betrayal of the government’s fundamental responsibility to protect the nation from foreign threats, both conventional and informational, and both foreign and domestic. So pronounced is the betrayal that experienced elements in the U.S. Intelligence Community, addressing the malign information operations of Russian FIS as an example, have stated clearly, “We couldn’t do a worse job if Putin himself was sitting in the White House and giving orders.” Without a course correction, the United States will continue to cede the information environment to its adversaries, with consequences that will reverberate for generations to come.

~ C. Constantin Poindexter, MA in Intelligence, Graduate Certificate in Counterintelligence, JD, CISA/NCISS OSINT certification, DoD/DoS BFFOC Certification

Bibliography

Geraghty, Jim. 2026. “In the disinformation war, the U.S. unilaterally disarmed.” The Washington Post, May 26.
Lofgren, Zoe. 2026. “Ranking Member Lofgren Slams Trump Administration for Plan to Politicize Research Funding Process, Undermine Expert Review.” House Committee on Science, Space, and Technology Democrats, May 29.
Nurick, Jacob K. 2026. “The Trump administration’s goals, outlined in Project 2025, were to weaken federal…” Facebook post, April 15.
PBS NewsHour. 2026. “The Trump administration wants all current and future federal…” Facebook post, March 22.
Myers, Steven Lee. 2026. “Trump Officials Try to Fight Foreign Disinformation They Once…” The New York Times, April 1.

Share this post:

May 24, 2026May 24, 2026

Narrative Engineering for Deception in the Age of A.I.? Yes, but with some Caveats

Henry W. Prunckun’s Narrative Engineering for Deception (NED) framework offers a disciplined architecture for thinking about operational deception. His recent piece, Engineering Plausibility in Deception Operations, published in the International Journal of Intelligence and CounterIntelligence, is just another in a long list of robust scholarship on intelligence and counterintelligence matters, many volumes of which I had the pleasure of reading and citing during my Master’s Degree in Intelligence studies years past. By treating plausibility as a behavioral threshold rather than an epistemic state, and audit resilience as expected time to falsification, Prunckun reframes the deception planner’s work as a problem of structural engineering rather than improvisational craft. The seven levers he identifies, namely point of view, coherence, persona, pacing, texture, cognitive alignment, and exit strategy, provide a vocabulary that is parsimonious AND operationally tractable. The framework deserves the respect it has begun to receive in professional literature.

The framework was calibrated for an operational environment that is already disappearing. Verification in the twentieth and early twenty-first centuries was human-paced, institutionally siloed, and bounded by the labor cost of cross-domain correlation. Each of those constraints has now collapsed under the combined weight of machine learning, aggregated commercial datasets, and what the United States Intelligence Community now formally designates Ubiquitous Technical Surveillance (Office of the Director of National Intelligence 2024). The thesis of this essay is therefore qualified rather than dismissive: NED remains a coherent and useful design discipline, but several of its central levers invert under machine audit, and the framework requires recalibration toward operational ephemerality rather than durable cover.

The Pre-A.I. Verification Environment that NED Presupposes

NED’s levers presume a particular kind of adversary. The adversary is intelligent, motivated, and possibly skilled, but is also resource-constrained. The adversary tires. The adversary works within bureaucratic procedures that batch information rather than fuse it. The adversary’s analysts each see a portion of the picture, and the seams between their views are exploitable. Prunckun’s pacing lever, for instance, exists precisely because human auditors trade thoroughness for speed under workload pressure. His texture lever exists because mundane detail saturates limited human attention. His cognitive alignment lever depends on biases (anchoring, fluency, confirmation, closure) that are characteristically human (Kahneman 2011).

These presumptions described real adversaries for most of the twentieth century. The operational histories Prunckun draws on, Argo and Operation Copperhead, succeeded against human pattern recognition operating without machine support. Tony Méndez exploited the bureaucratic fluency of customs officers reviewing paperwork at human speed (Méndez and Baglio 2012). M.E. Clifton James exploited the visual heuristic that famous generals look like themselves (Crowdy 2008). Both operations would have run differently, and arguably failed, against modern fused intelligence.

How Machine Audit Screws with the Levers

The transition from human to machine-assisted verification does not merely accelerate audit. It changes its kind. Five of Prunckun’s seven levers face structural inversion.
Texture inverts most sharply. Prunckun treats mundane detail as camouflage, on the premise that ordinary noise occupies the auditor’s attention without rewarding scrutiny. Under machine audit, metadata is more legible to algorithms than to humans. Aggregated commercial datasets, including those acquired in bulk by foreign services, permit rapid correlation of timestamps, registries, travel records, financial transactions, and social graphs (Sherman 2025). What was once camouflage becomes signal density. The receipts, routine emails, and habitual patterns that grounded a cover identity in the human era now feed anomaly detection systems that thrive on exactly such structured exhaust. The Federal Bureau of Investigation’s recent Office of Inspector General review found UTS to constitute, in plain language, an existential threat to operational security across U.S. federal law enforcement (Department of Justice Office of the Inspector General 2025).

Coherence faces a parallel inversion. Prunckun’s lever assumes coherence is tested within a domain by an analyst with limited cross-domain access. Machine systems test coherence across domains simultaneously. A timeline that is internally consistent across an identity’s documentary record may nonetheless contradict ambient cellular geolocation, satellite imagery cadence, or financial network rails the planner did not know were being correlated. Former Central Intelligence Agency Deputy Director for Science and Technology Dawn Meyerriecks publicly acknowledged in 2018 that in roughly thirty countries, CIA officers were no longer followed by local services because surveillance density made physical followers redundant (Dorfman 2020). The point generalizes: the auditor’s view has become panoramic in ways no individual analyst could previously achieve.

Persona degrades under stylometric, biometric, and behavioral pattern analysis. Prunckun lists idiolect as a persona strength, reasoning that distinctive speech patterns reinforce credibility under contact. Machine learning systems now cluster on idiolect as a fingerprint (Constâncio et al. 2023). Facial recognition, gait analysis, voice print identification, and writing pattern matching collectively render alias work, in former intelligence officials’ assessment, likely impossible across hard target environments such as China, Russia and perhaps Iran within the next operational generation (Dorfman 2020). The persona that survives casual human interrogation may yet fail silently against a database query the target never visibly executed.

Pacing loses its purchase. The lever depends on the gap between heuristic and deep verification, the seam through which an operation completes its objective before slow checks catch up. Machine systems do not batch, do not tire, and do not have a casual inspection mode. The seam narrows toward zero for anything machine auditable. Verification that previously took days now runs in seconds, and runs continuously rather than on prompt.

Cognitive alignment, the lever Prunckun treats as cross-cutting, breaks hardest against algorithmic auditors. Anchoring, fluency, confirmation, availability, and closure are human cognitive shortcuts. A trained classifier does not weight early evidence more heavily simply because it arrived first, does not find fluent narratives more credible, and does not seek closure in ways that suppress further inquiry (Constâncio et al. 2023). The bias terrain on which Prunckun’s framework operates is, at the machine layer, largely flat.

The Levers that Survive, and Why

Two levers retain force under machine audit, though with shifted emphasis.
Point of view survives because what an auditing system checks is determined by what an operation triggers it to check. A well-constructed narrative that does not enter high-resolution surveillance regimes, or that does not trip the thresholds that escalate routine screening to a targeted investigation, may still slip through. Footprint minimization is the modern expression of the point of view lever. The planner shapes not the auditor’s interpretation of signals but the auditor’s decision to collect them.

Exit strategy survives, and arguably becomes more important. Where machine audit makes durable cover increasingly infeasible, the disposability of an operation becomes a planning variable rather than a contingency. The National Security Commission on Artificial Intelligence warned explicitly that adversary adoption of AI tools makes the U.S. Intelligence Community more vulnerable to deception, source exposure, and counterintelligence pressure, and the Commission’s framing implicitly favors operations designed to complete and dissolve before correlation catches them (National Security Commission on Artificial Intelligence 2021).

The Two Audience Dilemma

A critical refinement is required. Even in an environment of machine audit, the ultimate target of most deception operations remains a human decision maker. Machine systems flag anomalies; humans decide whether to escalate, act, or stand down. The behavioral threshold that NED targets is still crossed inside a human head, and the cognitive biases that align with the lever framework still operate at that level.

So, modern deception is a two-audience problem. The first audience is the machine filter, which is governed by data, correlation, and statistical anomaly. The second audience is the human decision maker downstream, who is governed by attention, narrative, and the cognitive shortcuts NED was designed to exploit. The framework retains substantial force at the second audience and substantially less at the first.

This insight reframes the planning problem. The operation must clear the machine filter not by being credible to it but by being uninteresting to it, that is, by minimizing the data footprint the filter has to correlate. Once past the filter, the operation may then engage human cognition through the classical levers of persona, texture, and pacing. Phase compression becomes structural rather than optional. The operation must complete its work in the window between machine flagging and human investigation.

Generative A.I. and the Offense Defense Balance

The picture is not uniformly bleak for the deception planner. Generative artificial intelligence cuts in both directions. Mandiant has documented threat actors using generative models to produce backstop content for inauthentic personas, including profile imagery, plausible filler text, and language-localized communications that previously required substantial human labor (Mandiant 2024). The Federal Reserve and the World Economic Forum have separately documented the rise of agentic AI fraud systems that create synthetic identities, interact with verification systems in real time, and adjust behavior based on outcomes (Federal Reserve 2024; World Economic Forum 2025). The Office of the Director of National Intelligence has noted, in an unclassified discussion of foreign intelligence service activity, that adversary services now reportedly generate inauthentic communications and synthetic digital identities at operational scale (Goldman 2026).

What this means for NED is that the framework’s underlying logic, treating narrative elements as engineerable parameters under verification pressure, becomes more rather than less relevant. The arms race is not planner versus machine but planner with machine versus auditor with machine. Defense holds the structural advantage of aggregation, where one anomaly is enough, but offense retains the advantage of needing only a short operational window. Whether the balance favors offense or defense in any given operation is now a function of phase compression, footprint discipline, and exit modularity, all of which Prunckun’s framework already names, though without developing them to the depth current conditions require.

A Recalibrated NED

What survives the transition, then, is the framework’s grammar rather than its operational parameters. The constructs of plausibility as behavioral threshold and audit resilience as time to falsification remain valid and arguably become sharper under machine audit, where falsification windows are measurable in hours rather than months. The seven levers remain a useful vocabulary for design discussion, though several require inversion in their operational settings. The phase model retains explanatory power, though its emphasis shifts decisively toward the withdrawal phase.

The honest version of post-A.I. NED might be like the following. Assume verification windows in hours or days, not months. Build for phase compression. Minimize footprint to the bone, accepting thinner cover in exchange for fewer correlation points. Design the exit before the entry. Treat texture not as camouflage but as a controlled liability whose volume must be calibrated against the data exhaust it generates. Assume that idiolect, gait, and metadata signatures are identifying even when the underlying identity claim is uncontested. Treat the human decision maker as a distinct audience from the machine filter, and design lever settings appropriate to each.

Prunckun has given the field a vocabulary it badly needed. Aside from just loving this guy and appreciating the depth and breadth of his knowledge in our subject matter, the discipline of treating deception as engineering rather than as intuitive craft will outlast the particular operational environment in and for which he is currently articulating the framework. What changes is the calibration. The durable, texture-rich, persona-deep cover that worked against human auditors in the bureaucratic era is increasingly infeasible against A.I.-assisted verification in a world of ubiquitous data exhaust. What replaces it is something closer to operational ephemerality, . . . thin, fast, disposable narratives engineered to complete their behavioral work before correlation completes its analytic work. NED in the age of A.I. is not obsolete. It is, however, a different framework than the one initially described, and the gap between the framework as written and the framework as required is the territory in which the next generation of operational deception is going to be contested.

~ C. Constantin Poindexter, MA in Intelligence, Graduate Certificate in Counterintelligence, JD, CISA/NCISS OSINT certification, DoD/DoS BFFOC Certification

Bibliography

Constâncio, Alex Sebastião, Denise Fukumi Tsunoda, Helena de Fátima Nunes Silva, Jocelaine Martins da Silveira, and Deborah Ribeiro Carvalho. 2023. “Deception Detection with Machine Learning: A Systematic Review and Statistical Analysis.” PLOS ONE 18 (2): e0281323.
Crowdy, Terry. 2008. Deceiving Hitler: Double Cross and Deception in World War II. Oxford: Osprey Publishing.
Department of Justice, Office of the Inspector General. 2025. Audit of the Federal Bureau of Investigation’s Efforts to Mitigate the Effects of Ubiquitous Technical Surveillance. Washington, DC: U.S. Department of Justice.
Dorfman, Zach. 2020. “Shattered: Inside the Secret Battle to Save America’s Undercover Spies in the Digital Age.” Yahoo News, December 30, 2020.
Federal Reserve. 2024. Generative Artificial Intelligence Increases Synthetic Identity Fraud Threats. Federal Reserve Financial Services Synthetic Identity Fraud Mitigation Toolkit.
Goldman, Adam. 2026. “AI and the Reconfiguration of the Counterintelligence Battlefield.” International Journal of Intelligence and CounterIntelligence. Advance online publication.
Kahneman, Daniel. 2011. Thinking, Fast and Slow. New York: Farrar, Straus and Giroux.
Mandiant. 2024. Threat Actors are Interested in Generative AI, but Use Remains Limited. Google Cloud Threat Intelligence Report. Mountain View, CA: Mandiant.
Méndez, Antonio J., and Matt Baglio. 2012. Argo: How the CIA and Hollywood Pulled Off the Most Audacious Rescue in History. New York: Viking.
National Security Commission on Artificial Intelligence. 2021. Final Report. Washington, DC: NSCAI.
Office of the Director of National Intelligence. 2024. Unifying Intelligence Strategy for Counterintelligence. Washington, DC: National Counterintelligence and Security Center.
Prunckun, Henry W. 2025. “Engineering Plausibility in Deception Operations.” Journal of Intelligence and Counterintelligence Studies. Advance online publication.
Sherman, Justin. 2025. “Ubiquitous Technical Surveillance Demands Broader Data Protections.” Lawfare, July 25, 2025.
World Economic Forum. 2025. The Global Risks Report 2026: Identity Fraud in the Age of AI. Geneva: World Economic Forum.

Share this post:

March 26, 2026March 26, 2026

Operation Merlin: A D&D Failure by Strategic Compromise

Operation Merlin, denial and deception, d and d, intelligence, counterintelligence, espionage, counterespionage, HUMIN, C. Constantin Poindexter, CIA, NSA, DIA

Operation Merlin: A Denial and Deception Case Study in Covert Sabotage and the Anatomy of a Strategic Blunder of Enormous Proportions

Operation Merlin was a clandestine CIA program designed to undermine Iran’s nuclear weapons development program by inserting deliberately sabotaged warhead component blueprints through a recruited human asset. Executed from approximately 1998 through the early 2000s, the operation was an ambitious attempt at deception against a state-level nuclear proliferator. I am going to share my thoughts here about Operation Merlin through the lens of Denial and Deception (D&D) doctrine, evaluate its design, execution, and compromise against accepted deception planning frameworks. Drawing on trial exhibits from United States v. Sterling (2015), investigative reports, and foundational D&D literature, my opinion is that Operation Merlin, while possessing a sound deception concept, suffered from catastrophic failures in channel selection, feedback architecture, operational security, and post-compromise institutional decision-making that collectively rendered it not merely ineffective but potentially counterproductive to the national security interests it was designed to serve.

I. Introduction: Deception as Counterproliferation

The use of deception as a counterproliferation tool occupies an uncomfortable space in American intelligence history. Unlike tactical battlefield deception or strategic wartime misdirection, i.e., domains in which the United States and its allies developed sophisticated doctrinal frameworks during the Second World War, deception operations targeting foreign weapons programs operate in a gray zone where the consequences of failure are measured not in lost engagements but in accelerated existential threats. Operation Merlin sits at the center of this tension: an operation whose architects understood the strategic imperative but whose execution betrayed a fundamental misapprehension of the doctrinal requirements for successful material deception against a sophisticated state adversary.

To offer a robust eveluation of Merlin, we need to move beyond the narrative of its public exposure (the prosecution of CIA case officer Jeffrey Sterling, the journalism of James Risen, the spectacle of a federal trial in which CIA operatives testified behind seven-foot partitions) and instead subject the operation to the same analytical framework that professional deception planners apply to their own work. This essay applies the six-element D&D planning framework derived from Barton Whaley’s foundational taxonomy in Stratagem: Deception and Surprise in War (Whaley, 2007), Richards Heuer’s cognitive analytical model from Psychology of Intelligence Analysis (Heuer, 1999), and the operational principles codified in Joint Publication 3-13.4, Military Deception (Joint Chiefs of Staff, 2012), supplemented by the historical precedent of the XX Committee’s Double Cross System as the benchmark for successful material deception at scale.

II. Strategic Context and the Deception Concept

By the late 1990s, the U.S. Intelligence Community assessed with growing confidence that Iran was pursuing nuclear weapons capability, though the evidentiary basis for this assessment remained contested internally. The 2001 National Intelligence Estimate, the first to formally conclude that Iran was working toward a nuclear weapon, was later characterized by Paul Pillar, then the CIA’s National Intelligence Officer for the Near East and South Asia, as resting on “a matter of inference” rather than direct evidence (Porter, 2014). Nevertheless, the policy imperative to disrupt Iran’s nuclear trajectory was acute, and the menu of available options was constrained by the absence of a viable military target set and the diplomatic limitations of the post-JCPOA environment that would not materialize for another fifteen years.

Into this gap stepped the CIA’s Directorate of Operations with a proposal rooted in material deception: recruit a Russian nuclear scientist with legitimate technical credentials, provide him with doctored blueprints for a nuclear warhead firing set, and direct him to deliver these blueprints to Iranian officials under the legend of a mercenary walk-in seeking financial compensation for proliferation-grade technical intelligence (Risen, 2006).

Within Whaley’s taxonomy, this concept falls squarely under the category of “mimicking”, creating a false artifact that imitates a real one closely enough to be accepted as authentic by the target (Whaley, 2007). The doctored blueprints were not fabrications from whole cloth; they were based on genuine Russian weapons designs, modified to contain dozens of hidden engineering flaws that would cause any device constructed from them to fail. The deception’s success depended on the flaws being sufficiently subtle to evade detection by Iranian scientists while being sufficiently fundamental to render the resulting weapon inoperable.

The concept was sound. Material deception (the introduction of fabricated or corrupted physical artifacts into an adversary’s intelligence or procurement stream ) has a long and occasionally successful history, from Operation Mincemeat’s fictitious invasion plans in 1943 to the CIA’s Cold War-era contamination of Soviet technical collection channels. The critical question was never whether the concept could work in principle, but whether the CIA possessed the operational infrastructure, tradecraft discipline, and institutional patience to execute it against a counterintelligence-aware adversary like Iran.

III. Operational Design and Execution

The operation’s centerpiece was a human asset — a Russian nuclear engineer recruited by the CIA and referred to at trial under the cryptonym “Merlin” (United States Department of Justice [USDOJ], 2015). Merlin possessed genuine scientific credentials, making him a plausible vector for the delivery of proliferation-grade material. His CIA handler from November 1998 through May 2000 was case officer Jeffrey Alexander Sterling, who managed the asset relationship and coordinated the operational logistics of the delivery (USDOJ, 2015).

The delivery was designed to exploit a known vulnerability in Iran’s procurement architecture: its reliance on intermediaries and walk-in sources for weapons-relevant technical intelligence. Merlin was directed to approach Iran’s mission to the International Atomic Energy Agency (IAEA) in Vienna, Austria, and provide an incomplete set of the doctored blueprints. The incompleteness was deliberate. It created an incentive structure requiring the Iranians to re-contact Merlin for the remaining schematics, thereby confirming acceptance of the bait and potentially opening a sustained intelligence collection channel into Iran’s nuclear procurement apparatus (Risen, 2006).

Former National Security Adviser Condoleezza Rice testified at Sterling’s trial that the program was “one of the only levers we had to try to disrupt Iran’s nuclear program” and characterized it as among the government’s “most closely held secrets” (Barakat, 2015). Rice further stated that she personally intervened with the New York Times to suppress publication of a story about the operation, arguing that exposure could result in catastrophic loss of life (Gerstein, 2015).

The execution in February 2000 deviated significantly from the operational plan. Merlin’s testimony at trial revealed that he had difficulty locating the Iranian mission in Vienna. When he found it, no one answered the door. He ultimately placed the envelope containing the blueprints in a mailbox and covered it with a newspaper (Solomon, 2015). Additionally, Merlin deviated from his handlers’ instructions regarding the contact mechanism: rather than providing an American mailing address as directed, he substituted an email address, reasoning that an American postal address would appear suspicious to Iranian counterintelligence and could be traced back to him (Solomon, 2015).

These deviations carry BIG implications when evaluated against D&D doctrine. An asset who autonomously modifies operational parameters based on his own risk calculus (however rational that calculus may be) introduces uncontrolled variables into the deception architecture. More critically, Merlin’s technical competence, which made him a credible channel, simultaneously made him capable of evaluating the material he was tasked to deliver. According to Risen’s account, Merlin recognized the deliberate flaws in the schematics and transmitted his belief along with the delivery which signaled to the Iranians that the blueprints were intelligence service-manufactured, allowing Iranian scientists to identify and discard the sabotaged elements while extracting legitimate technical data (Risen, 2006). Merlin denied these characterizations under oath, testifying that Risen’s depiction of him as reluctant was “completely untrue” (Solomon, 2015). The divergence itself is analytically significant: if Risen’s source was not Merlin, then whoever provided those details possessed the kind of intimate operational knowledge consistent with a case officer’s access.

IV. D&D Doctrinal Evaluation

A. Desired Perception

The foundational requirement of any deception operation is a clearly defined desired perception, i.e., the specific belief the operation is designed to induce in the target’s mind (Joint Chiefs of Staff, 2012). Operation Merlin’s desired perception was straightforward: that the blueprints were genuine proliferation material obtained through an illicit procurement channel (a disgruntled or mercenary Russian scientist selling weapons knowledge for financial gain).

This perception was plausible on its face. Russian nuclear scientists in the post-Soviet period were documented to be underpaid, underemployed, and in some cases actively solicited by proliferating states. The desired perception exploited a real phenomenon, which is doctrinally correct. The most effective deceptions are those anchored in patterns the target already recognizes and expects (Heuer, 1999). Assessment: Adequate.

B. The Deception Story

The constructed narrative, a Russian scientist approaching Iran’s IAEA mission as a walk-in, offering warhead-grade schematics for money, was coherent as a standalone legend. Walk-in approaches by foreign nationals offering technical intelligence were not unprecedented in proliferation networks.

However, there is no indication in the trial record that the CIA subjected this story to rigorous adversarial analysis “red-teaming” we call it. The planners missed specifically examining how Iran’s Ministry of Intelligence and Security (VEVAK) would process and evaluate a cold-approach walk-in offering firing set blueprints. VEVAK had extensive institutional experience identifying Western intelligence provocations, and a walk-in of this nature. An unsolicited player offering the single most sensitive category of weapons data, with no prior relationship or established bona fides would have triggered significant counterintelligence scrutiny. The absence of documented red-team analysis suggests the deception story was evaluated for internal plausibility rather than adversarial resilience. Assessment: Deficient.

C. Channel Selection

D&D doctrine, codified in lessons from the London Controlling Section’s World War II operations and subsequent CIA and DoD guidance, instructs that the credibility of the delivery channel is the single most critical variable in material deception. The channel must be one that the adversary already trusts or is predisposed to trust, typically because the source has previously provided verified intelligence, is embedded in a network the adversary already exploits, or mimics an approach pattern the adversary has successfully used before (Holt, 2004).

From Iranian FIS’s perspective Merlin possessed none of these attributes . He was an unknown entity conducting a cold approach. His operational execution was amateurish, i.e., unable to locate the mission, leaving material in an unattended mailbox, etc.. From an Iranian counterintelligence officer’s perspective, applying the analytical principles Heuer articulated, the approach contained no prior cognitive anchor that would predispose acceptance (Heuer, 1999). The channel was cold, unvetted from the target’s vantage point, and operationally clumsy.

Taking a lesson from history, the Double Cross System is instructive. The XX Committee’s deception channels, turned German agents who fed disinformation to the Abwehr, were effective precisely because they were channels the adversary had already accepted and validated through prior intelligence exchanges. Double Cross built credibility over months and years of carefully calibrated true-false reporting mixtures before introducing critical strategic deceptions like FORTITUDE. Operation Merlin attempted to deliver the equivalent of FORTITUDE-grade material through a channel with zero established credibility. Assessment: Critically Deficient.

D. Feedback Architecture

The operation’s feedback mechanism was its most elegant design element: the deliberate incompleteness of the blueprints created a natural trigger requiring Iran to re-contact Merlin for the remaining schematics, thereby confirming acceptance.

The problem was singular and fatal: Iran never responded. This silence created an analytical void that the operation had no means to resolve. The CIA could not determine whether Iran had detected the deception and discarded it, had accepted the material but chose to develop it independently, had never routed the material to a competent analyst, or whether VEVAK had flagged the approach as a provocation and filed it as a counterintelligence reference.

Well-designed deception operations maintain redundant feedback mechanisms precisely to prevent this kind of interpretive paralysis. The Double Cross System’s feedback architecture, continuous monitoring of German assessments through ULTRA decrypts of Abwehr and OKW communications, allowed deception planners to observe in near-real-time whether their false intelligence was being accepted, rejected, or partially integrated, and to adjust their deception stories accordingly (Howard, 1995). Operation Merlin had a single feedback point, and when that point went silent, the operation was effectively blind. No secondary collection mechanism (SIGINT, HUMINT from other sources inside Iran’s nuclear apparatus, or technical surveillance of Iranian procurement activity) was established to provide independent confirmation of the operation’s effect. Assessment: Critically Deficient.

E. Adaptability

Nothing in the trial record indicates that the CIA developed contingency plans for the various failure modes the operation might encounter — Iranian detection, asset compromise, the asset’s autonomous deviation from instructions, or operational exposure through internal security breaches. The reassignment of Sterling in May 2000 without documented succession planning or compartmentation review further suggests that continuity of operations planning was inadequate (USDOJ, 2015). He was the only player with intimate knowledge of the asset. When Sterling subsequently entered an adversarial posture with the agency, there was no adaptive mechanism to contain the resulting vulnerability. Assessment: Critically Deficient.

F. Operational Security

This is where Operation Merlin became a catastrophic F.U. The universe of individuals with knowledge of the operation expanded and expanded. The President, the National Security Adviser, senior CIA leadership, multiple case officers, the Russian asset and his wife, and after Sterling raised concerns through ostensibly proper channels, staffers on the Senate Select Committee on Intelligence knew it all. Each additional read-in was a point of compromise.

The most fundamental security failure was personnel-related. Sterling possessed direct, intimate knowledge of the operation, the asset’s identity, the tradecraft, and the operational dynamics. He was reassigned and then, within three months, became an Agency “adversary”. Counterintelligence doctrine requires enhanced monitoring of personnel with access to sensitive compartmented information who demonstrate indicators of potential unreliability. That would ABSOLUTELY include legal disputes with the employing I.C. agency. There is no indication that any such monitoring was implemented (Gerstein, 2015; Solomon, 2015). Assessment: Catastrophically Deficient.

V. The Vectors of Compromise

Operation Merlin was compromised through three distinct vectors, each representing a failure at a different level of the D&D security architecture.

The asset’s autonomous judgment constituted the first vector. Merlin’s technical competence, the very attribute that made him a credible channel, enabled him to evaluate and potentially undermine the material he was tasked to deliver. This is a structural paradox inherent in using technically sophisticated assets for material deception: the more credible the channel, the more capable it is of detecting and subverting the deception it carries.

The case officer’s grievance constituted the second vector. The prosecution established through communications metadata that Sterling and Risen were in contact during the periods preceding and following the publication of State of War, i.e., phone calls to Risen’s residence, emails containing articles related to Sterling’s former operational portfolio, and continued contact from December 2003 through November 2005 (USDOJ, 2015). Sterling’s defense argued that Senate Intelligence Committee staffers were a more plausible source and that the government’s evidence proved only communication, not the transmission of classified content (Wheeler, 2015). The jury found the circumstantial evidence sufficient, convicting Sterling on nine felony counts on January 26, 2015, and Judge Leonie Brinkema sentenced him to forty-two months (USDOJ, 2015).

The government’s self-compromise constituted the third and most strategically damaging vector. In prosecuting Sterling under the Espionage Act, the government introduced CIA operational cables, internal planning documents, and testimony from twenty-three CIA officers into the public record of a federal courtroom (Solomon, 2015). The trial revealed the operational concept, the asset’s role, the delivery methodology, the nature of the sabotaged blueprints, and the strategic rationale in far greater specificity than Risen’s book had disclosed. Bloomberg News reported from Vienna that the IAEA would “probably review intelligence they received about Iran as a result of the revelations,” with a former British envoy to the IAEA warning that the disclosures suggested “a possibility that hostile intelligence agencies could decide to plant a ‘smoking gun’ in Iran for the IAEA to find” (Solomon, 2015). Prosecutor James Trump acknowledged at sentencing that the exposure “ended the use of the nuclear-plans ruse against other countries” (Gerstein, 2015).

This third vector represents the most consequential D&D failure. In attempting to punish a compromise that had exposed a single operation, the government’s prosecution compromised an entire deception methodology. Any state with access to the public trial record — which now constitutes the most comprehensive open-source documentation of a CIA material deception program targeting a foreign nuclear capability — could retroactively audit its own procurement channels for similar operations and inoculate itself against future attempts. This is SPECIFICALLY why I refer to this as a strategic rather than tactical or operational disaster.

The Anti-Double Cross

Evaluated in its totality against the D&D planning framework, Operation Merlin represents something approaching the inverse of the Double Cross System. Where Double Cross maintained dozens of simultaneous channels with established credibility, Merlin relied on a single cold channel with no prior validation. Where Double Cross monitored adversary acceptance in near-real-time through ULTRA, Merlin had a single feedback mechanism that produced silence. Where Double Cross adapted its deception narratives continuously based on observed adversary reactions, Merlin had no adaptive capability. Where Double Cross maintained ruthless operational security — including the execution of compromised agents — Merlin allowed a disaffected case officer with comprehensive operational knowledge to depart the agency in an adversarial posture without enhanced counterintelligence monitoring.

The strategic concept underlying Operation Merlin (using sabotaged technical intelligence to misdirect a proliferating state’s weapons development) was theoretically sound. In a different operational context, I believe that it was completely viable. The failure was not conceptual but executional: a series of compounding deficiencies in channel selection, feedback architecture, adaptability, and operational security that transformed an ambitious deception operation into what may ultimately have been a net intelligence gain for the very adversary it was designed to deceive.

For the counterintelligence professional, Operation Merlin’s most enduring lesson may be its final chapter. The institutional impulse to punish unauthorized disclosure, when pursued through the adversarial transparency of a federal prosecution, can inflict damage orders of magnitude greater than the original compromise. The prosecution of Jeffrey Sterling did not restore the secrecy of Operation Merlin. It annihilated it. With it went the viability of an entire category of covert action against nuclear proliferators for the foreseeable future.

Regardless of which and what was worse, the results ware and are BAAADD. The op. is now a template. Any state with a competent intelligence service and access to the trial record (which is to say, absolutely everyone) can now retroactively audit its own procurement channels for operations matching this kind of pattern. The Agency has also created a counterintelligence inoculation of the adversary set. Every proliferating state now possesses a known reference case for how the U.S. I.C. constructs material deception against nuclear programs. Add to that the diplomatic blowback with the IAEA and lingering Iran-theatre analytical poisoning, and this becomes even uglier.

~ C. Constantin Poindexter, MA in Intelligence, Graduate Certificate in Counterintelligence, JD, CISA/NCISS OSINT certification, DoD/DoS BFFOC Certification

Bibliography

Barakat, M. (2015, January 16). CIA asset ‘Merlin’ testifies about mission at CIA leak trial. Associated Press.
Gerstein, J. (2015, May 11). Former CIA officer sentenced to 3-1/2 years for leaking Iran details. Politico.
Heuer, R. J. (1999). Psychology of intelligence analysis. Center for the Study of Intelligence, Central Intelligence Agency.
Holt, T. (2004). The deceivers: Allied military deception in the Second World War. Scribner.
Howard, M. (1995). Strategic deception in the Second World War: British intelligence operations against the German High Command. W. W. Norton.
Joint Chiefs of Staff. (2012). Joint Publication 3-13.4: Military deception. U.S. Department of Defense.
Porter, G. (2014). Manufactured crisis: The untold story of the Iran nuclear scare. Just World Books.
Risen, J. (2006). State of war: The secret history of the NSA and the Bush administration. Free Press.
Solomon, N. (2015, February 27). CIA evidence from whistleblower trial could tilt Iran nuclear talks. Guernica.
United States Department of Justice. (2015, May 11). Former CIA officer sentenced to 42 months in prison for leaking classified information and obstruction of justice [Press release].
United States of America v. Jeffrey Alexander Sterling, No. 1:11-cr-00005 (E.D. Va. 2015). Selected case files. Federation of American Scientists, Project on Government Secrecy.
Whaley, B. (2007). Stratagem: Deception and surprise in war. Artech House.
Wheeler, M. (2015, February 21). What was the CIA really doing with Merlin by 2003? EmptyWheel.

Share this post:

March 19, 2026March 19, 2026

Partizan Crap Characterizes the 2026 I.C. Threat Assessment

national threat assessment, intelligence community, CIA, NSA, DIA, espionage, counterespionage, intelligence, counterintelligence, C. Constantin Poindexter

Unvarnished No More: The 2026 Annual Threat Assessment and the Politicization of American Intelligence, a Critical Analysis of Departures from Intelligence Community Analytical Traditions

On March 18, 2026, Director of National Intelligence Tulsi Gabbard presented the 2026 Annual Threat Assessment (ATA) to the Senate Select Committee on Intelligence, fulfilling the Intelligence Community’s statutory obligation under Section 617 of the FY21 Intelligence Authorization Act. The document’s own introduction pledges to deliver “nuanced, independent, and unvarnished intelligence” to policymakers (Office of the Director of National Intelligence [ODNI], 2026, p. 2). Yet a careful comparison of the 2026 ATA with its predecessors reveals systematic omissions, rhetorical softening, and political editorializing that collectively undermine the document’s claim to analytical independence. I argue that the 2026 ATA departs from Intelligence Community analytical traditions in ways that align with the administration’s political preferences, particularly regarding Russia, domestic extremism, and climate, and that these departures represent a failure of the DNI’s duty to provide unvarnished intelligence to Congress and the American people.

The significance of this argument cannot be overstated. The ATA exists precisely because democratic governance requires that elected officials receive honest assessments of threats, unfiltered by political convenience. Intelligence Community Directive 203, issued in 2007, codified the community’s formal tradecraft standards, mandating objectivity, transparency regarding sources and assumptions, and independence from political considerations (Just Security, 2025). The Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) further requires that the DNI ensure intelligence products are “timely, objective, independent of political considerations, based upon all sources of available intelligence, and employ the standards of proper analytic tradecraft” (Pub. L. No. 108-458, § 1019). When an ATA is shaped to avoid contradicting the sitting president’s preferred narratives, it ceases to function as intelligence and instead becomes an instrument of political communication.

The Softening of Russia as a Strategic Threat

The 2024 ATA, produced under DNI Avril Haines, described Russia’s aggression in Ukraine as underscoring that Moscow “remains a threat to the rules-based international order” (ODNI, 2024, p. 5). The 2026 ATA, by contrast, introduces conciliatory language throughout its Russia analysis that reads less like threat assessment and more like diplomatic aspiration. It states that “Russia’s aspirations for multipolarity could allow for selective collaboration with the U.S. if Moscow’s threat perceptions regarding Washington were to diminish” and suggests that “a durable settlement to the war in Ukraine could open the door for a thaw in U.S.–Russia relations and an improved bilateral geostrategic and commercial relationship” (ODNI, 2026, pp. 27–28). This framing mirrors the administration’s diplomatic posture toward Moscow rather than the IC’s traditional threat-focused analytical lens.

The document further characterizes the concept of adversary alignment among China, Russia, Iran, and North Korea as overstated, calling it “limited and primarily bilateral” and asserting that the notion “overstates the depth of cooperation that is currently occurring” (ODNI, 2026, p. 20). This downgrading arrives despite the IC’s own acknowledgment in the same document that North Korea deployed over 11,000 troops to support Russian combat operations in Ukraine (ODNI, 2026, p. 24). The analytical minimization of adversary cooperation is consistent with President Trump’s longstanding reluctance to characterize Russia as an adversary, a posture that dates to his public siding with Vladimir Putin over U.S. intelligence findings at the 2018 Helsinki summit (Foreign Policy Research Institute [FPRI], 2019) as well as the point of view expressed by Gabbard publicly even predating her position within the I.C.

The Disappearance of Foreign Election Interference

Perhaps the most conspicuous omission in the 2026 ATA is the near-total absence of any discussion of foreign interference in U.S. elections. As Defense One reported, this marks the first time in nearly a decade that foreign threats to U.S. elections have been omitted from the annual threat assessment (Defense One, 2026). The 2024 ATA explicitly warned that China, Russia, and Iran would attempt to interfere in U.S. elections using generative AI and other means (ODNI, 2024). The 2025 DHS Homeland Threat Assessment similarly identified the 2024 election cycle as “an attractive target for many adversaries” and warned that nation-state-aligned actors would “continue to target democratic processes” (DHS, 2024, p. 4). The ODNI itself published a separate report titled “Foreign Threats to US Elections After Voting Ends in 2024” (ODNI, 2024b). That this entire threat category has vanished from the 2026 ATA is analytically inexplicable absent political motivation.

When Senator Mark Warner, the panel’s top Democrat, pressed Gabbard on this omission at the March 18 hearing, asking whether there was “no foreign threat to our elections in the midterms this year,” Gabbard’s response was evasive, stating only that the IC “has been and continues to remain focused on any collection and intelligence that show a potential foreign threat” (Defense One, 2026). This non-answer is consistent with DNI Gabbard’s broader pattern of minimizing Russian interference in American democracy. In July 2025, Gabbard declassified documents she claimed exposed a “treasonous conspiracy” by Obama-era officials regarding the 2016 Russian interference findings—allegations that multiple investigations, including the Republican-led Senate Intelligence Committee’s own probe, had already examined and found unsubstantiated (CNN, 2025; Lawfare, 2025). As the Council on Foreign Relations assessed, Gabbard’s actions have “deprived her of any pretension to analytical judgment independent of the president” (Betts, 2025).

The Erasure of Domestic Violent Extremism

The 2026 ATA’s terrorism section is focused almost exclusively on Islamist terrorism. Domestic violent extremism (DVE)—a category that encompasses racially or ethnically motivated extremism, anti-government militias, and other ideologically motivated domestic threats—receives no dedicated treatment. This stands in stark contrast to years of IC and DHS assessments that identified DVE as among the most persistent threats to the homeland. The DHS’s 2024 Homeland Threat Assessment warned that domestic violent extremists “driven by various anti-government, racial, or gender-related motivations” had conducted multiple attacks and that law enforcement had disrupted additional plots (DHS, 2024). The FBI reported over 1,700 domestic terrorism investigations underway as of late 2024 (House Homeland Security Committee, 2025). The Government Accountability Office released a comprehensive report in 2025 documenting the federal government’s ongoing domestic terrorism strategies and the persistent nature of the threat (GAO, 2025).

The omission of DVE from the 2026 ATA aligns with the Trump administration’s broader effort to reframe the terrorism discourse around Islamist ideology while downplaying threats from domestic actors whose motivations often overlap with right-wing political movements. The 2026 ATA’s extended discussion of the Muslim Brotherhood and its characterization of Islamist ideology as a “fundamental threat to freedom and foundational principles that underpin Western Civilization” (ODNI, 2026, p. 8) represents an analytical emphasis not seen in prior ATAs, which treated the terrorism landscape as ideologically diverse. This selective emphasis serves the administration’s political narrative while leaving Congress and the public without the IC’s assessment of a threat category that the FBI’s own data indicates remains active and lethal. It also unironically gives cover to a not insignificant group of Trump supporters, certainly purposeful by design.

The Removal of Climate Change as a Security Threat

The 2024 ATA treated climate change as a significant threat multiplier, stating that “the accelerating effects of climate change are placing more of the world’s population, particularly in low- and middle-income countries, at greater risk from extreme weather, food and water insecurity, and humanitarian disasters, fueling migration flows and increasing the risks of future pandemics” (ODNI, 2024, p. 5). Climate change appeared throughout that document as a driver of instability across multiple regions, including in assessments of Iran’s water scarcity challenges. The 2026 ATA eliminates climate change entirely as a named threat category. The term does not appear once. A single passing reference to “extreme weather events” in the migration section (ODNI, 2026, p. 7) is the only remnant of what had been a substantial analytical thread across multiple prior assessments.

This excision is not analytically defensible. The physical phenomena that made climate change a security concern in 2024 have not abated in 2026; if anything, the scientific consensus has strengthened. The removal reflects the Trump administration’s hostility toward climate science as a policy matter—a political preference that has no legitimate bearing on an intelligence community’s assessment of how environmental change affects geopolitical stability, food security, migration patterns, and conflict risk. The DNI’s role is to present the IC’s best assessment of reality, not to curate that reality to avoid topics the White House considers ideologically inconvenient.

Political Editorializing in an Intelligence Product

The 2026 ATA’s Foreword contains language that would have been unthinkable in prior assessments. It credits “President Trump sealing the U.S.–Mexico border” for enforcement successes and notes that “fentanyl seizures by weight have decreased 56 percent at the U.S.–Mexico border since President Trump took office” (ODNI, 2026, pp. 4–5). Annual threat assessments have traditionally employed dry, institutional prose that avoids attributing policy outcomes to individual political leaders by name. The function of an ATA is to assess threats, not to validate a president’s policy record. This departure transforms portions of what should be an analytical document into something resembling a political communication.

The editorializing extends beyond border policy. The Foreword adopts the administration’s rhetorical framework wholesale, stating that “we should be cautious about thinking that every problem in the world directly threatens us” (ODNI, 2026, p. 4)—a statement that, while perhaps reasonable in isolation, mirrors the administration’s America First foreign policy framing rather than reflecting IC analytical tradition. As scholars at the Foreign Policy Research Institute have warned, when political appointees shape intelligence products to serve the president’s messaging priorities, the core mission of the intelligence community—to provide independent analysis that may contradict leadership preferences—is fundamentally compromised (FPRI, 2019). The AEI documented how Gabbard fired the acting chair of the National Intelligence Council and his deputy after they produced assessments that contradicted administration positions, then physically relocated the NIC to her office to prevent what she characterized as “politicization” (American Enterprise Institute, 2025).

My Thoughts

From my view, the cumulative effect of these five departures, i.e., the softening of Russia’s threat profile, the erasure of foreign election interference, the omission of domestic violent extremism, the elimination of climate change as a security concern, and the introduction of political editorializing, is an Annual Threat Assessment that fails its statutory and institutional purpose. Each omission or distortion aligns with known political preferences of the Trump administration, and each contradicts the IC’s own recent analytical record. The IRTPA requires the DNI to ensure that intelligence is “independent of political considerations.” Intelligence Community Directive 203 mandates “objectivity, transparency regarding sources and assumptions, and independence from political considerations” (Just Security, 2025). The 2026 ATA, by its own internal evidence, fails both standards.

The consequences of this failure extend beyond the document itself. When intelligence products become vehicles for political messaging, policymakers lose the independent analytical baseline they need to make informed decisions. Congressional oversight is undermined when the IC’s primary public-facing threat assessment omits entire threat categories for political reasons. And public trust in the intelligence community, already strained by decades of controversy, erodes further when citizens can compare successive ATAs and observe that threats appear and disappear not because the world has changed but because the White House has changed. As Richard Betts of the Council on Foreign Relations observed, intelligence’s prime value often lies in telling leaders facts or implications they do not want to hear (Betts, 2025). A DNI who cannot or will not fulfill that function has, in the most consequential sense, abdicated the office’s reason for existing. The inconvenient truth is that the DNI’s acts and omissions are willful, a fact on perfect display during the Congressional hearing today (March 18th), during which Gabbard said, “Senator, the only person who can determine what is and is not an imminent threat is the president.” The Intelligence Community’s primary task is to provide warning intelligence, which is the very definition of the reporting of an “imminent threat”.

~ C. Constantin Poindexter, MA in Intelligence, Graduate Certificate in Counterintelligence, JD, CISA/NCISS OSINT certification, DoD/DoS BFFOC Certification

References

American Enterprise Institute. (2025, May 21). The politicization of intelligence. AEI. https://www.aei.org/articles/the-politicization-of-intelligence/
Betts, R. K. (2025, August 21). The intelligence community’s politicization: Dueling to discredit. Council on Foreign Relations. https://www.cfr.org/articles/intelligence-communitys-politicization-dueling-discredit
Defense One. (2026, March 18). Annual threat assessment omits election security. https://www.defenseone.com/policy/2026/03/annual-threat-assessment-election-security/412217/
Department of Homeland Security. (2024). 2025 Homeland Threat Assessment. https://www.dhs.gov/sites/default/files/2024-10/24_1002_ia_homeland-threat-assessment-2025.pdf
Foreign Policy Research Institute. (2019, August 12). A nadir is reached in the politicization of U.S. intelligence. https://www.fpri.org/article/2019/08/a-nadir-is-reached-in-the-politicization-of-u-s-intelligence/
Government Accountability Office. (2025). Domestic terrorism: Additional actions needed to implement the national strategy (GAO-25-107030). https://www.gao.gov/assets/gao-25-107030.pdf
House Homeland Security Committee. (2025, December 19). Threat snapshot: House Homeland unveils updated “Terror Threat Snapshot” assessment. https://homeland.house.gov/2025/12/19/threat-snapshot/
Intelligence Reform and Terrorism Prevention Act of 2004, Pub. L. No. 108-458, 118 Stat. 3638.
Just Security. (2025, June 20). When intelligence stops bounding uncertainty: The dangerous tilt toward politicization under Trump. https://www.justsecurity.org/114297/trump-administration-politicized-intelligence/
Lawfare. (2025, August 6). From Russian interference to revisionist innuendo: What the Gabbard files actually say. https://www.lawfaremedia.org/article/from-russian-interference-to-revisionist-innuendo–what-the-gabbard-files-actually-say
NBC News. (2024, December 11). Would Tulsi Gabbard bring a pro-Russian bias to intelligence reporting? https://www.nbcnews.com/politics/national-security/will-tulsi-gabbard-bring-russian-bias-intelligence-reporting-rcna180248
Office of the Director of National Intelligence. (2024). 2024 Annual Threat Assessment of the U.S. Intelligence Community. https://www.dni.gov/files/ODNI/documents/assessments/ATA-2024-Unclassified-Report.pdf
Office of the Director of National Intelligence. (2026). 2026 Annual Threat Assessment of the U.S. Intelligence Community. https://www.dni.gov/files/ODNI/documents/assessments/ATA-2026-Unclassified-Report.pdf
PBS NewsHour. (2025, July 24). Gabbard pushes report on Obama and Russia probe. https://www.pbs.org/newshour/show/gabbard-pushes-report-on-obama-and-russia-probe-as-trump-faces-pressure-over-epstein
Wittes, B. (2025, July 22). The situation: The lies of Tulsi Gabbard. Lawfare. https://www.lawfaremedia.org/article/the-situation–the-lies-of-tulsi-gabbard

Share this post:

March 3, 2026March 3, 2026

Silent Surveillance: The Threat of Tire Pressure Monitors

tire pressure monitoring system surveillance, intelligence, counterintelligence, counterespionage, C. Constantin Poindexter, CIA, NSA, DIA

Sneaking a covert GPS tracker into (or under) a motor vehicle is no longer spy-chic. Surveillants and counterintelligence players see a discreet new option.

In the contemporary era of information operations, the adversary’s toolkit has expanded beyond surveillance and HUMINT to include the exploitation of ubiquitous, low-power wireless signals. As a counterintelligence operator or surveillance professional, maintaining operational security requires a granular understanding of how standard automotive telemetry can be weaponized for tracking and profiling. While traditionally viewed as a mere safety mechanism, the Tire Pressure Monitoring System (TPMS) presents a sophisticated, low-cost vector for persistent surveillance. Here are my thoughts, technical architecture of TPMS vulnerabilities, the operational utility of its data streams, and the strategic implications for intelligence collection and target analysis, the new “AUTO-INT”.

Technical Architecture and Signal Vulnerabilities

The TPMS functions as a distributed sensing network within a vehicle, designed to ensure safety and optimize fuel efficiency by alerting drivers to under-inflated tires. In the United States, Federal Motor Vehicle Safety Standard (FMVSS) No. 138 mandates the use of direct TPMS in all light vehicles manufactured after September 2007 (Kobayashi, 2019). Technically, these systems consist of pressure sensors located within each wheel assembly, which periodically transmit radio frequency (RF) data to a central receiver module.

The critical vulnerability for intelligence collection lies in the transmission protocol and data integrity. Unlike modern communication standards, TPMS signals are transmitted in clear text without any form of encryption or authentication (Kobayashi, 2019). This lack of cryptographic protection renders the signals easily interceptable by any third party in proximity. Furthermore, these sensors broadcast a unique, static identifier for each tire that remains constant throughout the sensor’s operational life (Kobayashi, 2019). This static ID allows for the long-term tracking of a specific vehicle, as the identifier persists regardless of the sensor’s physical location or the vehicle’s operational status.

The range and reliability of interception capabilities further amplify the threat. Research indicates that TPMS signals can be intercepted at distances exceeding 40 meters from the vehicle (Kobayashi, 2019). Recent advancements in receiver technology have demonstrated that data capture is possible from distances of up to 50 meters and even when the receiver is located inside a building without direct line-of-sight to the vehicle (Vijayan, 2026). This capability allows for the passive collection of telemetry from vehicles parked in secured compounds, residential garages, or office parking lots, providing a persistent tracking vector that does not require the subject to be actively driving.

Operational Utility for Tracking and Behavioral Profiling

The operational value of TPMS extends beyond simple geolocation. It provides a rich dataset for behavioral profiling and movement analysis. A seminal study conducted by researchers at the University of Cantabria and distributed by Dark Reading demonstrated the feasibility of tracking a fleet of vehicles using a network of low-cost spectrum receivers (Vijayan, 2026). The research team captured over six million TPMS transmissions from approximately 20,000 vehicles over 10 weeks, successfully matching signals from different tires to the same vehicle to reconstruct movement patterns.

This data allows for the reconstruction of detailed movement profiles. By analyzing the timing, frequency, and intensity of transmissions, an operator can infer the subject’s driving patterns, such as commute routes, rest periods, and travel velocity. The researchers noted that TPMS transmissions can be systematically used to infer sensitive information, including the presence, type, or weight of the driver (Vijayan, 2026). Variations in tire pressure readings can correlate with changes in vehicle load, providing clues about whether a passenger is present or if cargo has been loaded or unloaded. In a counterintelligence context, this could reveal the presence of a handler, a meeting partner, or the movement of sensitive materials.

Implications for Operational Security and Countermeasures

For the counterintelligence operator, the existence of silent tracking via TPMS has profound implications for Operational Security (OPSEC). Traditional methods of tracking, such as visual tailing or license plate recognition, can be compromised if the target is aware of the surveillance. TPMS offers a covert alternative that operates passively and without direct interaction with the subject. An adversary could deploy a stationary receiver node in a strategic location, such as a choke point on a target’s daily commute, and aggregate data over time to build a comprehensive movement dossier without alerting the subject to the surveillance.

Furthermore, the ubiquity of TPMS makes this a scalable surveillance technique. The researchers utilized receivers priced at approximately $100 each, making it a cost-effective tool for intelligence collection compared to more sophisticated tracking hardware (Vijayan, 2026). The technology is not dependent on the subject’s connectivity to the internet or the activation of location services on a smartphone; it relies solely on the vehicle’s own safety systems.

My Take

The Tire Pressure Monitoring System represents a significant component of the modern surveillance landscape. Its inherent vulnerabilities (i.e., unencrypted, authenticated, and ubiquitous) make it an effective tool for tracking and profiling targets. For the counterintelligence operator or a surveillant, recognizing the capabilities of TPMS is crucial for assessing the security of one’s own movements and anticipating the methods adversaries may employ to monitor them. As vehicle systems become increasingly interconnected and digitized, the utility of standard automotive features for intelligence gathering will only continue to grow. We are going to need a much broader understanding of the “Internet of Vehicles” within the context of national and agency operational security.

~ C. Constantin Poindexter, MA in Intelligence, Graduate Certificate in Counterintelligence, JD, CISA/NCISS OSINT certification, DoD/DoS BFFOC Certification

Bibliography

Kobayashi, M. (2019). Understanding TPMS: A Guide to Tire Pressure Monitoring Systems. SAE International.
Vijayan, J. (2026, March 3). Vehicle Tire Pressure Sensors Enable Silent Tracking. Dark Reading. https://www.darkreading.com/ics-ot-security/tire-pressure-sensors-silent-tracking
Khan, H. (2020). Wireless Sensor Networks: Principles and Applications. CRC Press.
Alippi, C., & Camplani, R. (2019). Wireless Sensor Networks: Performance Analysis and Applications. Academic Press.
Stankovic, J. A. (2016). “Wireless Sensor Networks for Industrial Applications.” Proceedings of the IEEE, 104(5), 1013-1022.
IEEE. (2021). IEEE Standard for Low-Rate Wireless Networks for Industrial, Scientific, and Medical (ISM) Applications. IEEE 802.15.4-2021.
Brown, T. (2022). Cybersecurity for the Internet of Things: Protecting Critical Infrastructure. Wiley.

Share this post:

March 3, 2026March 3, 2026

The Takaichi “Prompt Exploit” as Novel Tradecraft: A Counterintelligence Operator’s View of AI Enabled Influence Operations

disinformation, information operations, espionage, counterespionage, intelligence, counterintelligence, psyops, C. Constantin Poindexter, CIA, DIA, NSA

AI Enabled Smear Operations and Counterintelligence Detection: Lessons from the Attempted ChatGPT Exploit Targeting Sanae Takaichi

The attempted exploitation of ChatGPT to support a covert smear campaign against Japanese Prime Minister Sanae Takaichi is not a novelty story about AI gone wrong. It is a clear operational vignette of how modern state-linked actors or FIS attempt to compress the intelligence cycle and accelerate influence effects with generative tools. OpenAI’s February 25, 2026 threat reporting describes a now banned ChatGPT account linked to an individual associated with Chinese law enforcement who attempted in mid October 2025 to leverage the model to plan and execute a covert influence operation aimed at discrediting Takaichi, followed by later requests to edit “cyber special operations” status reports after the model refused the original operational ask (OpenAI, 2026). Public reporting based on that disclosure adds that the actor’s plan included coordinated negative commentary, impersonation techniques, and wedge framing designed to mobilize resentment around U.S. tariffs and immigration narratives (Jiji Press, 2026; Reuters, 2026; Axios, 2026). From a counterintelligence perspective, this is a case study in how an adversary treats a commercial large language model as a low-friction staff officer: ideation, drafting, message discipline, and iterative refinement, all without needing to recruit a human asset or expose internal tradecraft through overt tasking channels.

What makes the episode analytically valuable is the specificity of the improper tasking. Reporting indicates that the actor asked ChatGPT to draft a multi part plan to discredit Takaichi, to generate and help post and spread negative comments attacking her stances including immigration, to polish narratives and recurring status reports describing ongoing cyber special operations, and to inflame wedge grievances by amplifying anger over U.S. tariffs on Japan (Jiji Press, 2026; Axios, 2026; OpenAI, 2026). These requests form a recognizable information operations workflow: design the campaign, manufacture content, distribute content, or at least create distribution-ready material, and assess and iterate based on reporting. In classical counterintelligence terms, the operator sought to maximize plausible deniability, minimize cost, and raise tempo, substituting generative capacity for time-consuming human copywriting while reducing the number of personnel who must be read into the narrative engineering function (CISA, 2022; ODNI FMIC, 2024).

The most important counterintelligence observation is that the exploit is not primarily technical. It is procedural and behavioral. Operators do not need to jailbreak a model to gain advantage. They can ask for adjacent assistance such as language polishing, translation, formatting, summarization of internal memos, and audience-tailored variations. OpenAI’s reporting explicitly notes the actor returned after an initial refusal and asked for edits to operational status reports, which is precisely how professional services are laundered in many influence pipelines: when direct enablement is blocked, pivot to editorial support and documentation hygiene (OpenAI, 2026). This aligns with U.S. government’s framing of foreign malign influence as subversive, undeclared, coercive, or criminal activity that uses multiple pathways and intermediaries, often blending overt platforms with covert personas and synthetic content (ODNI FMIC, 2024; DOJ, n.d.). The model is not the operation. It becomes a friction reducer within the operation.

Seen through the lens of the intelligence cycle, the actor’s approach collapses collection, analysis, production, and dissemination into a tight loop. The multi-part plan request is campaign design, meaning objective, target audience, narrative lines, channels, and timing. The post-and-spread request is dissemination planning and, at minimum, the production of ready-to-publish material. The status report editing request is assessment: codifying observed effects, identifying what resonated, and deciding next moves (OpenAI, 2026; Axios, 2026). When an influence apparatus scales, this loop becomes industrialized: many accounts, multi-platform content seeding, and iterative narrative tuning. Reporting around the OpenAI threat case underscores that these efforts can be large-scale, resource-intensive, and sustained, consistent with a bureaucracy rather than hobbyist trolling (Reuters, 2026; CyberScoop, 2026). As Ben Nimmo has emphasized, the intent is to apply pressure everywhere, all at once, which is characteristic of FIS or state-linked coercive information operations rather than organic political discourse (Axios, 2026).

The operational targeting of Takaichi is also instructive for counterintelligence because it sits at the intersection of influence operations and transnational repression. While this case focuses on a smear campaign against a Japanese political figure, OpenAI’s broader description of the actor’s uploaded materials suggests a wider ecosystem aimed at suppressing dissent and silencing critics, including tactics such as forged documentation and intimidation narratives (OpenAI, 2026; CyberScoop, 2026). The FBI defines transnational repression to include online disinformation campaigns, harassment, intimidation, and abuse of legal processes, exactly the kinds of tools that can be amplified or routinized by AI-assisted content generation (FBI, n.d.). In counterintelligence risk terms, that convergence matters. When an adversary blends influence effects, shaping attitudes, with coercive effects, punishing or deterring speech, the target set expands from voters to voices, and the operational threshold for harm drops.

The wedge grievance element, stoking resentment over U.S. tariffs, illustrates classic influence tradecraft. Hijack a real grievance, inflate it, and attach it to the target as a blame object. This is not persuasion via factual argument. It is agitation via emotional mobilization. CISA guidance on foreign influence operations describes how adversaries exploit mis, dis, and malinformation narratives to bias policy and undermine social cohesion, often by inflaming divisive issues (CISA, 2022). The tariff frame is particularly useful because it can be pitched simultaneously as anti-U.S., blaming Washington, and anti-target, blaming Takaichi’s posture for provoking friction, with variants tailored to different audiences. In counterintelligence vocabulary, this is narrative multi-casting: the same kernel is repackaged into mutually reinforcing storylines for disparate communities.

The cross platform distribution pattern referenced in public reporting, activity on X and other sites, with relatively low engagement but persistent output, resembles the known Chinese influence pattern commonly labeled Spamouflage or Dragonbridge: high volume, mixed quality, low authentic engagement, but sustained presence and periodic tactical evolution (Reuters, 2026; NATO StratCom COE, 2023; Graphika, 2025). Low engagement does not mean low intent or low risk. It can indicate poor tradecraft, early-stage testing, or a campaign optimized for secondary effects such as search pollution, narrative seeding for later pickup, or creating “evidence” of public sentiment that can be cited elsewhere. Counterintelligence professionals should treat low engagement content as potential scaffolding. The objective may be to build a lattice of posts, screenshots, and proof artifacts that can later be laundered into higher credibility channels.

From the defender’s side, the case clarifies what model refusal can and cannot do. OpenAI reports that ChatGPT refused overtly malicious prompts, yet the actor appears to have proceeded using other tools and later used ChatGPT for editing (OpenAI, 2026). This reveals a strategic limitation. Safety filters reduce direct enablement. They do not eliminate the underlying operational capability of a state apparatus that can shift to domestic models, human copywriters, or alternative platforms. Effective mitigation requires a layered approach: model-side safeguards, platform-side enforcement, and inter-organizational intelligence sharing that treats AI as one component in a broader influence toolkit (OpenAI, 2026; CISA, 2024). The IC’s Foreign Malign Influence Center has emphasized that foreign malign influence is multi-actor and multi-pathway by design, which implies countermeasures must also be multi-pathway. Detection in one node rarely collapses the whole network (ODNI FMIC, 2024).

For counterintelligence operators, three takeaways are operationally salient. First, generative AI is best understood as an accelerant of existing influence doctrine rather than a replacement. It speeds up drafting, localization, and A B testing of narratives while enabling bureaucratic reporting to be produced faster and with greater stylistic consistency (OpenAI, 2026; CISA, 2022). Second, the human factor remains the decisive vulnerability. The actor’s interaction with ChatGPT created an evidentiary trail that allowed defenders to correlate intent, post-and-spread negative commentary with observed online activity. This is a reminder that operational security failures frequently occur in routine administrative behavior (OpenAI, 2026; CyberScoop, 2026). Third, influence and repression are increasingly convergent lines of effort. When disinformation is used not only to persuade but to intimidate, deplatform, or socially punish, the problem set expands to include civil liberties impacts, diaspora targeting, and sovereignty challenges (FBI, n.d.; DOJ, 2023).

In countermeasures terms, the Takaichi case underscores the value of structured analytic techniques in attribution and mitigation. Analysts should separate narrative content, behavioral signals such as posting cadence and account creation patterns, infrastructure signals such as hosting and coordinated link sharing, and procedural artifacts such as templated emails, repeated phrasing, and report formats. OpenAI’s account-level disruption, combined with open-source correlation to online hashtags and posts referenced in operational materials, is a template for fusion analysis that pairs platform telemetry with OSINT validation (OpenAI, 2026). NATO-aligned research similarly emphasizes that state-sponsored or FIS information operations exploit differences across platforms and jurisdictions. Defenders should expect rapid lateral movement when friction increases on any single platform (NATO StratCom COE, 2023).

The attempted exploit is best characterized as an “AI-enabled influence operation reconnaissance and production cycle, with the model treated as a drafting cell embedded in a broader state-linked apparatus”. The key question is not whether a model can be tasked with dissemination directly. It is whether it can generate dissemination-ready content, standardize narrative discipline, and reduce the time and training required to run a coordinated smear campaign. In this case, it could at least partially, until refusal controls forced the actor to route around and repurpose the model for editing and reporting (OpenAI, 2026; Jiji Press, 2026). For counterintelligence professionals, that reality demands a posture shift.. We must defend not only against disinformation artifacts but against the process improvements that AI grants adversaries. Faster cycles, lower labor costs, and more plausible linguistic camouflage are the new norm. The Takaichi operation appears to have underperformed in engagement, yet it is a forward indicator of how state-backed influence operational tradecraft is adapting to generative systems. They are persistent, multi-platform and procedurally agile (Reuters, 2026; Graphika, 2025).

~ C. Constantin Poindexter, MA in Intelligence, Graduate Certificate in Counterintelligence, JD, CISA/NCISS OSINT certification, DoD/DoS BFFOC Certification

Bibliography

Axios. (2026, February 25). Reporting on OpenAI’s disclosure of a China linked attempt to use ChatGPT to plan and refine a smear campaign targeting Japan’s Prime Minister Sanae Takaichi.
Cybersecurity and Infrastructure Security Agency. (2022). Preparing for and mitigating foreign influence operations (CISA Insight).
Cybersecurity and Infrastructure Security Agency. (2024, April 17). Guidance for securing election infrastructure against tactics of foreign malign influence (Joint guidance release with FBI and ODNI).
CyberScoop. (2026, February 25). Reporting on OpenAI’s threat report and Chinese law enforcement linked “cyber special operations” materials uploaded for editing.
Federal Bureau of Investigation. (n.d.). Transnational repression (Overview page describing tactics including online disinformation campaigns, harassment, and intimidation).
Graphika. (2025). Chinese state influence (Selected insights from Graphika ATLAS reporting, November 2024 to January 2025).
Jiji Press. (2026, February 27). Reporting summarized by Nippon.com on OpenAI’s claim that a Chinese law enforcement official asked ChatGPT to draft a plan to discredit Takaichi and to post and spread negative comments.
NATO Strategic Communications Centre of Excellence. (2023). Dragons roar and bears howl: Convergence in Sino Russian information operations in NATO countries.
OpenAI. (2026, February 25). Disrupting malicious uses of AI (Threat report describing disruption of accounts, including an influence operation attempt targeting Sanae Takaichi).
Reuters. (2026, February 25). Reporting on OpenAI’s threat report detailing misuse of ChatGPT for scams and influence operations, including a smear campaign targeting Japan’s prime minister.
Reuters. (2026, February 26). Reporting on a Foundation for Defense of Democracies analysis of China linked influence operations targeting Japan’s elections and Prime Minister Sanae Takaichi, consistent with Spamouflage and Dragonbridge patterns.
U.S. Department of Justice. (2023, April 17; updated 2025, February 6). Press release describing charges tied to transnational repression schemes and the use of fake online personas to harass dissidents and disseminate state narratives.
U.S. Office of the Director of National Intelligence, Foreign Malign Influence Center. (2024). FMI Primer (Public release defining foreign malign influence and its pathways).

Share this post:

February 26, 2026February 27, 2026

A U.S. Attack on Iran, a Catastrophic Unforced Error

war, warfighter, Iran, U.S., intelligence, counterintelligence, espionage, counterespionage, C. Constantin Poindexter, CIA, NSA

Public and Congressional Support: The Decisive Constraint That Can Turn U.S. Military Dominance Over Iran Into Strategic Defeat

The United States retains overwhelming advantages in the material and operational prerequisites of high-end conventional warfare. In any prospective conflict with Iran, Washington can assume advantages in air and naval superiority, intelligence and surveillance coverage, precision strike capacity, suppression of enemy air defenses, long-distance logistics, and advanced cyber and electronic warfare. Yet those advantages do not automatically translate into strategic success. The decisive variable is not whether the United States can destroy targets faster than an adversary can replace them, but whether the United States can sustain the political mandate to keep fighting after the initial shock of combat wears off, the costs become visible, and the enemy adapts.

This is the core vulnerability of a discretionary war with Iran. Public support and congressional support are not merely background noise or messaging challenges. They are strategic enablers. When they are absent or brittle, they shape rules of engagement, constrain time horizons, narrow acceptable costs, and fracture coalition cohesion. In that environment, even tactically brilliant operations can fail to achieve the most important objectives because political will collapses sooner than the enemy’s capacity to resist. Vo Nguyen Giap articulated this logic explicitly. A belligerent can leave enemy forces partly intact if it can destroy the enemy’s will to remain in the war. (PBS, n.d.) That insight was operationalized against the United States in Vietnam, echoed in Afghanistan, and remains relevant to any prospective United States-Iran war.

The Strategic Center of Gravity: Legitimacy and Endurance

Clausewitz argued that war is a continuation of politics by other means. In American practice, the political character of war is inseparable from constitutional structure and democratic consent. A war that begins without clear congressional authorization, or that proceeds amid broad public skepticism, can win battles while steadily losing its domestic foundation. The War Powers Resolution codifies Congress’s position that the President introduces U.S. forces into hostilities only pursuant to a declaration of war, specific statutory authorization, or a national emergency created by an attack on the United States or its forces. (50 U.S.C. § 1541, 1973) In a discretionary strike campaign that grows into sustained hostilities, the gap between executive action and legislative consent becomes a recurring legitimacy crisis rather than a one-time procedural dispute.

Recent reporting underscores that this institutional fault line is not theoretical. Reuters reported that the U.S. Senate rejected a bid to curb presidential Iran war powers, reflecting a live and lively, contested debate over authority and oversight in potential Iran hostilities. (Reuters, 2025) That debate matters operationally because contested legitimacy does not remain in Washington. It affects allied basing decisions, overflight permissions, intelligence sharing, escalation thresholds, and the credibility of U.S. signals to both adversaries and partners. A campaign that looks unilateral, politically improvised, or domestically unpopular becomes harder to sustain and easier for Iran and its proxy network to frame as illegitimate aggression.

Material Superiority Versus Political Fragility

From my perspective (military/intelligence), the United States can plausibly execute many of the classic prerequisites you listed. But those capabilities do not eliminate the central political question: what is the concrete objective, and how long will the American public accept the costs required to achieve it?

Public sentiment data indicates a serious constraint. A University of Maryland Critical Issues Poll found only 21 percent favor the United States initiating an attack on Iran, with 49 percent opposed and 30 percent unsure. (University of Maryland Critical Issues Poll, 2026) A YouGov report covering an Economist YouGov poll likewise found Americans more likely to oppose than to support using military force to attack Iran, with 49 percent opposing and 27 percent supporting, and with significant partisan and independent resistance. (YouGov, 2026) Meanwhile, an AP NORC poll found that while many Americans view Iran as an enemy and express concern about Iran’s nuclear program, they have low trust in presidential judgment on the use of military force, with only about three in ten expressing high trust and more than half expressing little or no trust. (Associated Press NORC, 2026)

The former being said, all of this has strategic implications. They suggest that domestic consent is not merely divided. It is structurally thin, with a large, uncertain middle and a relatively small affirmative mandate for initiating war. Low confidence in the decision maker’s judgment means that early setbacks or civilian casualties can rapidly convert uncertainty into opposition. Further, thin consent invites legislative confrontation, and legislative confrontation invites operational constraints. This is exactly the kind of environment in which an adversary designs a strategy of political attrition rather than symmetrical military competition.

Vietnam: Giap’s Theory of Victory Was Political

The claim that “North Vietnam did not win the Vietnam War” can be true in a narrow kinetic sense. The United States inflicted vast battlefield losses and dominated many tactical engagements. Yet North Vietnam and the Viet Cong were able to outlast the United States by targeting the political will that sustained American participation. Giap described the objective as breaking “the American will to remain in the war,” using operations intended to force de-escalation and reshape the political calculus in Washington. (PBS, n.d.) The point is not that one event alone decided the outcome. The point is that the adversary’s theory of victory treated American domestic endurance as the center of gravity. Once that center weakened, America’s material advantages could not convert into a stable political settlement on acceptable terms.

For an Iran scenario, the parallel is not an exact replay of Vietnam’s terrain or insurgency structure. The parallel is “strategic method”. Iran does not need to win a conventional air-sea contest. It needs to ensure that the United States does not achieve its most important objectives at a politically acceptable cost. If Iran can force Washington into a cycle of escalation and retaliation, or can trigger regional proxy pressure that steadily raises the price of engagement, then the war becomes a contest of domestic patience more than a contest of platforms.

Afghanistan and the Logic of “Time”

The Afghanistan experience reinforces the same strategic logic through a different mode of war. A saying widely attributed to Taliban fighters captures the asymmetry of time horizons: “You have the watches, we have the time.” (Maclean’s, 2017) The exact provenance of the phrase is less important than its strategic meaning. The U.S. Administration is about fall into the same bullshit trap. Democracies fight under time constraints produced by elections, news cycles, budget politics, and public casualty sensitivity. Insurgent and revolutionary actors often fight under generational horizons, with lower sensitivity to near term losses and a stronger tolerance for prolonged hardship.

Iran’s leadership and its proxy network have repeatedly demonstrated a long-horizon approach to regional strategy. In a conflict, Iran can employ calibrated escalation through proxies, maritime harassment, missile and drone pressure, and political warfare aimed at eroding coalition cohesion (a “coalition” of states that have already publicly objected to U.S. warplanning). The objective is not necessarily to defeat U.S. forces in the field. It is to make the conflict feel indefinite, morally ambiguous, and strategically distracting, which are precisely the conditions that drain public support in the United States.

“Shock and Awe” Does Not Solve the Political Problem

Advocates of rapid strike campaigns often argue that overwhelming early force can preempt political attrition by ending the conflict quickly. History offers caution. Initial public support (pretty clearly NOT the case today) can be high at the onset of a war, but it can erode sharply as the war’s duration and costs expand, particularly if the rationale becomes contested. The Iraq example is instructive: Gallup reported 72 percent support for the war against Iraq in late March 2003. (Gallup, 2003) Yet Gallup later documented substantial erosion in perceived worth and support over time as realities on the ground diverged from initial expectations. (Gallup, 2006) The Brookings analysis of early Iraq war opinion similarly underscores the rally effect and its limits. (Kull, Ramsay, and Lewis, 2003)

For Iran, the political risk is heightened because current polling suggests the United States would begin without anything like the 2003 level of public backing. (University of Maryland Critical Issues Poll, 2026) (YouGov, 2026) (Associated Press NORC, 2026) Without a broad initial mandate, the usual pattern reverses: instead of rallying, creating a cushion against early shocks, early shocks can collapse a narrow coalition of support. Moreover, Iran is structurally capable of generating early shocks through proxy responses and regional disruption, meaning that the political challenge may begin immediately, not after months or years.

Congress as a Strategic Actor, Not a Background Variable

In a system where Congress controls funding and has constitutional war powers, the legislative branch becomes a de facto strategic actor. When Congress is divided, when authorization is ambiguous, or when the public is skeptical, Congress can constrain the war through funding restrictions, reporting requirements, and political signaling that affects allied behavior. Reuters reporting on war powers debates around Iran illustrates that these conflicts are not hypothetical. (Reuters, 2025) Even the sycophants are likely to run out of patience for another endless foray, largely due to constituent pressure rather than disloyalty to their cult.

This really matters. Strategic clarity requires durable political consensus. If objectives are unclear or expand, congressional opposition becomes more likely and more intense. Further, Iran can exploit visible domestic division through information operations, propaganda, and calibrated escalation intended to polarize U.S. politics. In that sense, a weak domestic mandate is not merely a constraint on U.S. freedom of action. It becomes a targetable vulnerability. The North Vietnamese knew it. The Afghans knew it, and the more sober members of the Department of Defense know it.

A Missing Ingredient: Defined, Credible Political Objectives

Even if the United States can strike nuclear facilities, degrade air defenses, and disrupt command networks, the strategic question remains what “winning” means and what settlement conditions are realistically attainable. If the objective is limited, such as delaying nuclear capabilities, the question becomes whether limited objectives justify the costs and risks of regional escalation. If the objective expands to regime change, the problem becomes far harder because military destruction does not automatically produce political legitimacy, stable governance, or a non-hostile successor regime. Here, the user’s final criterion is decisive. Post-conflict planning, a wicked difficult peril that we have botched over and over again, will repeat itself. History shows that military victory without a stabilization strategy yields strategic failure, and the public tends to punish wars that feel open-ended, morally muddled, or poorly planned.

In the Iran case, this risk is amplified because a strike campaign can trigger proxy retaliation in multiple theaters, raise energy and shipping risks, and produce unpredictable political reverberations, all of which can be framed domestically as an optional war of choice rather than a necessary act of self-defense. When a war’s necessity is contested, public support becomes the decisive front.

Dominance in Combat Power Does Not Guarantee Strategic Success

The United States may indeed be dominant across many of the operational categories that matter for battlefield performance. Yet wars are not won solely by platform superiority. They are won by aligning military means with politically sustainable ends. Current public opinion suggests a narrow and fragile mandate for initiating an attack on Iran, combined with low confidence in executive judgment about the use of force. (University of Maryland Critical Issues Poll, 2026) (YouGov, 2026) (Associated Press NORC, 2026) In that environment, congressional contention over authorization and war powers becomes a predictable friction point, not an occasional procedural dispute. (50 U.S.C. § 1541, 1973) (Reuters, 2025) Iran and its proxy network do not need to defeat the United States conventionally to succeed strategically. They need to prolong, complicate, and regionalize the conflict until the United States loses the will and domestic legitimacy to continue, echoing Giap’s theory of victory in Vietnam and the time horizon logic captured by the Afghanistan aphorism. (PBS, n.d.) (Maclean’s, 2017)

A United States attack on Iran will NOT end well. We’ll have tactical dominance paired with a complete strategic disaster. Without sustained public and congressional support, the United States will fail to achieve its most important objectives (if the Administration can even articulate them) at an acceptable cost. The venture will not end with a clear victory, but with political exhaustion and a forced search for exit ramps. That is not my political critique. It is a strategic assessment rooted in how democratic states actually choose war and wage war. My call? Don’t f. do it. Exaggerations about “days from completing a nuclear weapon” coupled with no clear objective or endgame is a movie that we’ve seen before.

~ C. Constantin Poindexter, MA in Intelligence, Graduate Certificate in Counterintelligence, JD, CISA/NCISS OSINT certification, DoD/DoS BFFOC Certification

Bibliography

Associated Press NORC Center for Public Affairs Research. 2026. “Most Americans see Iran as enemy but doubt Trump on military force: poll.” Associated Press.
50 U.S.C. § 1541. 1973. War Powers Resolution, “Purpose and policy.” Legal Information Institute, Cornell Law School.
Gallup. 2003. “Seventy Two Percent of Americans Support War Against Iraq.” Gallup News Service, March 24, 2003.
Gallup. 2006. “Three Years of War Have Eroded Public Support.” Gallup News Service, March 17, 2006.
Kull, Steven, Clay Ramsay, and Evan Lewis. 2003. “Rally Round the Flag: Opinion in the United States before and after the Iraq War.” Brookings Institution.
Maclean’s. 2017. “Fighting in Afghanistan: ‘You have the watches. We have the time’.” September 2, 2017.
PBS. n.d. “Peoples Century: Guerrilla Wars: Vo Nguyen Giap Transcript.” Public Broadcasting Service.
Reuters. 2025. “US Senate rejects bid to curb Trump’s Iran war powers.” June 27, 2025.
University of Maryland Critical Issues Poll. 2026. “Do Americans Favor Attacking Iran Under the Current Circumstances? The Latest Critical Issues Poll Findings.”
YouGov. 2026. “Few Americans support U.S. military action against Iran, but a majority think it’s likely.” Economist YouGov poll, February 20 to 23, 2026.

Share this post:

February 25, 2026February 25, 2026

AI as a Force Multiplier in Recent Intrusion Operations

AI, artificial intelligence, intelligence, counterintelligence, espionage, counterespionage, hacker, cyber, cyber security, C. Constantin Poindexter

AI as a Force Multiplier in Cyber Intrusions: Counterintelligence Lessons from the Amazon Threat Intelligence FortiGate Campaign, AI-Assisted Attack Planning, and Scalable Post-Exploitation Tradecraft

From a counterintelligence professional’s perspective, I read Amazon Threat Intelligence’s February 2026 report less as a novelty story about “hackers using AI” and more as a warning about a structural change in operational economics. The important point is not that a threat actor used a large language model. It is that a presumably low-to-medium skill, financially motivated Russian-speaking actor was able to scale intrusion activity across more than 600 FortiGate devices in over 55 countries in roughly five weeks by integrating commercial AI services into every phase of the attack workflow (Moses, 2026). In counterintelligence terms, this is a capability amplification event. AI did not make the actor sophisticated. It made the actor productive (Moses, 2026).

That distinction matters. Amazon’s analysis is unusually valuable because it documents both sides of the phenomenon. On one hand, the actor used AI to generate attack plans, write tooling, sequence actions, and coordinate operations at a tempo that would traditionally imply a larger team. On the other hand, the same actor repeatedly failed when facing hardened environments, patched systems, or nonstandard conditions. Amazon explicitly notes that the actor could not reliably compile custom exploits, debug failures, or creatively pivot beyond straightforward automated paths (Moses, 2026). This is exactly what a counterintelligence officer should expect from a force multiplier: improved throughput without equivalent gains in judgment, tradecraft, or adaptability.

The Amazon case is especially useful because it separates hype from mechanism. The campaign did not depend on exotic zero-days. Amazon states that no FortiGate vulnerability exploitation was observed in the campaign it analyzed; instead, the actor exploited exposed management interfaces, weak credentials, and single-factor authentication, then used AI to execute these known methods at scale (Moses, 2026). That is a profound lesson for defenders. AI is not changing the laws of intrusion. It is compressing the time and labor required to exploit organizations that still fail at fundamentals.

From a counterintelligence perspective, this changes how we should think about indications and warnings. Historically, broad multi-country infrastructure access, custom scripts in multiple languages, and organized post-exploitation playbooks would often suggest a resourced team such as an FIS, state-supported private operator, or at least a mature criminal crew. Amazon’s report shows that this inference is no longer reliable. The actor’s infrastructure contained numerous scripts and dashboards with hallmarks of AI generation, and Amazon concluded that a single actor or very small group likely produced a toolkit whose volume would previously imply a development team (Moses, 2026). In intelligence analysis, this is a warning against legacy heuristics. Scale is no longer a clean proxy for organizational size or skill.

Amazon’s “AI as a force multiplier” section is the core of the matter. The actor used at least two distinct commercial LLM providers in complementary ways. One served as the primary tool developer and operational assistant, while another was used as a supplementary planner when the actor needed help pivoting inside a compromised network (Moses, 2026). In one observed instance, the actor reportedly submitted a victim’s internal topology, hostnames, credentials, and identified services to obtain a step-by-step compromise plan (Moses, 2026). For counterintelligence professionals, this is not just a cyber issue. It is a tradecraft issue. The actor is externalizing planning and decision-support functions to commercial platforms, effectively outsourcing parts of the “staff work” that junior operators or analysts would otherwise perform.

This pattern aligns with broader reporting from major providers and threat intelligence teams. Google Threat Intelligence Group’s February 2026 AI Threat Tracker documents growing adversary integration of AI across reconnaissance, phishing enablement, malware/tooling development, and post-compromise support, while also emphasizing that it has not yet observed “breakthrough capabilities” that fundamentally change the threat landscape (Google Threat Intelligence Group, 2026). That is highly consistent with the Amazon case: AI is improving speed, coverage, and consistency more than it is producing genuine operational innovation (Google Threat Intelligence Group, 2026; Moses, 2026). Microsoft’s Digital Defense Report 2025 similarly describes adversaries using generative AI for scaling social engineering, reconnaissance, code generation, exploit development support, and automation of exfiltration-to-lateral movement pipelines (Microsoft, 2025). The convergence across independent sources is notable. Different organizations are observing the same pattern from different vantage points.

Anthropic’s 2025 report on “vibe hacking” extends this trend in a particularly important direction. Anthropic described a disrupted criminal operation in which an actor used an AI coding agent not only as a technical consultant but as an active operator embedded into the attack lifecycle, supporting reconnaissance, credential harvesting, penetration, and extortion-related tasks (Anthropic, 2025). Whether one agrees with every framing choice in vendor reports, the operational implication is clear: AI-enabled actors are increasingly turning language models and coding agents into workflow engines. They are not merely asking for snippets of code. They are building repeatable campaign infrastructure around AI-assisted execution (Anthropic, 2025; Moses, 2026).

For counterintelligence practitioners, the strategic concern is not limited to criminal ransomware precursors. The same force-multiplier logic applies to espionage, access development, insider targeting, and influence preparation. Google’s reporting notes that government-backed actors are using AI for technical research, target development, and rapid phishing lure generation, including reconnaissance activities that support subsequent operations (Google Threat Intelligence Group, 2026). The FBI has also publicly warned that AI increases the speed, scale, and realism of phishing and social engineering, including voice and video cloning (FBI San Francisco, 2024). In the CI domain, this means hostile services and proxies can expand target coverage, improve linguistic quality, and accelerate social graph exploitation with lower manpower. AI narrows the gap between intent and execution.

There is also an analytical security issue that deserves more attention: data exposure to AI platforms during live operations. Amazon’s report indicates that the actor submitted internal victim topology, credentials, and service data into a commercial AI workflow (Moses, 2026). From a counterintelligence standpoint, this is a double-edged phenomenon. It may increase adversary effectiveness, but it also creates potential collection and disruption opportunities, depending on provider visibility, legal authorities, and industry cooperation. More importantly, it means that operationally sensitive network intelligence is now moving through third-party AI services as part of adversary tradecraft. That should influence how we think about public-private partnerships, lawful reporting channels, and rapid deconfliction.

The Fortinet context reinforces a second CI principle, i.e, adversary success often begins with governance failure, not advanced tradecraft. Fortinet’s January 2026 PSIRT analysis documented abuse of FortiCloud SSO and repeatedly emphasized best practices such as restricting administrative access, disabling vulnerable SSO paths, and monitoring for malicious admin creation and anomalous logins (Windsor, 2026). NIST’s National Vulnerability Database entry for CVE-2026-24858 further confirms the seriousness of the authentication bypass exposure affecting multiple Fortinet product lines when FortiCloud SSO was enabled (NIST NVD, 2026). Even if the Amazon campaign did not depend on that specific exploit path, the environment is the same: internet-exposed edge infrastructure, identity weaknesses, and uneven patching create permissive terrain that AI-enabled actors can mine at scale (Moses, 2026; Windsor, 2026; NIST NVD, 2026).

The practical implication is that counterintelligence and cybersecurity must converge more tightly on defensive prioritization. In many organizations, CI is still treated as a narrow insider-threat or foreign-intelligence problem, while cyber defense handles perimeter hygiene and incident response. That separation is increasingly artificial. AI-augmented threat actors blur the boundaries between criminal and state-adjacent tradecraft, between opportunistic access and strategic exploitation, and between cyber intrusion and intelligence preparation of the environment. Europol’s 2025 organized crime threat assessment reporting, as reflected in major coverage, likewise points to AI lowering costs and increasing the scale and sophistication of criminal operations, including cyber-enabled activity and proxy behavior that can intersect with geopolitical interests (Reuters, 2025). The ecosystem is converging.

In my view, the correct response is not panic over “autonomous AI hackers.” Amazon’s report itself argues against that caricature. The actor remained brittle, shallow, and dependent on weak targets (Moses, 2026). The right response is disciplined adaptation in three areas.

Organizations must treat identity and edge administration as counterintelligence terrain, not merely IT hygiene. Exposed management interfaces, weak credentials, and single-factor authentication are now high-confidence enablers of AI-scaled intrusion campaigns (Moses, 2026). MFA, restricted administration paths, credential rotation, and segmentation are not basic controls anymore; they are anti-scaling controls.

Defenders need telemetry designed for workflow detection rather than malware signatures. Amazon explicitly notes the campaign’s use of legitimate open-source tools and recommends behavioral detection over IOC dependence (Moses, 2026). That aligns with the broader AI-enabled threat model. When AI helps actors orchestrate legitimate tools more efficiently, the artifact footprint looks cleaner while the behavioral pattern becomes more machine-like and more repeatable.

Intelligence organizations and enterprises should expand analytic models for adversary assessment. When a low-skill actor can produce high-volume tooling and broad campaign coverage, we must stop equating output polish with strategic sophistication. The key discriminators will be resilience under friction, adaptation under failure, target discipline, and operational security. In the Amazon case, the actor’s poor OPSEC and inability to improvise revealed the underlying limitations despite impressive scale (Moses, 2026). Those are precisely the indicators that counterintelligence tradecraft has always prioritized.

My take, the AI force multiplier threat is real, but its significance is often misunderstood. It really resembles a “brute force” attack reminiscent of the first generation hackers but on steroids. AI is the “steroid”. So, the immediate danger is not superintelligence. It is operational leverage. AI gives mediocre actors the ability to behave like nation-state FIS against poorly defended targets. It accelerates reconnaissance, scripting, planning, and social engineering. It reduces labor costs and time-to-action. It increases campaign breadth. And it does all of this without solving the deeper human problems of judgment, creativity, and tradecraft. For counterintelligence professionals, that means the threat landscape is becoming more crowded, faster-moving, and harder to triage. The strategic answer remains the same as ever: protect critical access, harden identity, improve detection, and refine analytic tradecraft. What has changed is the speed at which failure to do so will be exploited (Moses, 2026; Google Threat Intelligence Group, 2026; Microsoft, 2025; Anthropic, 2025; FBI San Francisco, 2024).

~ C. Constantin Poindexter, MA in Intelligence, Graduate Certificate in Counterintelligence, JD, CISA/NCISS OSINT certification, DoD/DoS BFFOC Certification

Bibliography

Anthropic. (2025, August). Vibe hacking: How cybercriminals are using AI coding agents to scale data extortion operations. Anthropic.
Bleiberg, J. (2026, February 25). Hackers used AI to breach 600 firewalls in weeks, Amazon says. Insurance Journal.
FBI San Francisco. (2024, May 8). FBI warns of increasing threat of cyber criminals utilizing artificial intelligence. Federal Bureau of Investigation.
Google Threat Intelligence Group. (2026, February 12). GTIG AI Threat Tracker: Distillation, experimentation, and (continued) integration of AI for adversarial use. Google Cloud Blog.
Microsoft. (2025). Microsoft Digital Defense Report 2025: Safeguarding trust in the AI era. Microsoft.
Moses, C. (2026, February 20). AI-augmented threat actor accesses FortiGate devices at scale. AWS Security Blog.
National Institute of Standards and Technology, National Vulnerability Database. (2026). CVE-2026-24858 detail. NVD.
Reuters. (2025, March 18). Europol warns of AI-driven crime threats. Reuters.
Windsor, C. (2026, January 22). Analysis of Single Sign-On Abuse on FortiOS. Fortinet PSIRT Blog.

Share this post: