
Fortune Favors the Prepared

Semper Paratus, Semper Gumby


Counterintelligence


Cold War Architecture · Part 6 of 11 · Patreon members only

Counterintelligence: The Defensive Game


BLUF

Every collection capability described in this series has a mirror image: an adversary running the same systems, against you. Counterintelligence — CI — is the discipline that identifies, neutralizes, and exploits that adversary effort. It is simultaneously the most operationally important and least publicly understood corner of the intelligence world. The United States has been penetrated at the highest levels of every major agency it has built: the CIA had Aldrich Ames for nine years; the FBI had Robert Hanssen for twenty-two; the NSA had its own failures that remain partly classified; and the military services have produced a steady stream of espionage cases that rarely receive sustained public attention. This article explains what counterintelligence actually is, how it is organized in the US system, what the major penetration cases revealed about structural vulnerabilities, and why the lessons from those cases are directly applicable to anyone building a serious security posture — organizational or personal.

What Counterintelligence Is — and Is Not

Counterintelligence is formally defined in Executive Order 12333, as amended, as “information gathered and activities conducted to identify, deceive, exploit, disrupt, or protect against espionage, other intelligence activities, sabotage, or assassinations conducted for or on behalf of foreign powers, organizations, or persons, or their agents” (the full text of the definition goes on to cover international terrorist organizations and activities as well). That definition covers three distinct operational functions that practitioners distinguish carefully.

Defensive CI is the function most people associate with the term: identifying and stopping foreign intelligence services from penetrating your own organization. This includes personnel security programs, polygraph examinations, access controls, insider threat monitoring, and the investigation of suspected espionage cases. Defensive CI is fundamentally reactive — it responds to a threat that already exists or is suspected.

Offensive CI — sometimes called “CI operations” — goes further. Rather than simply stopping an adversary’s intelligence officer, offensive CI attempts to identify, assess, recruit, or manipulate that officer to work for your side. A foreign intelligence officer who has been identified, approached, and turned becomes a source on his own service’s collection priorities, methods, and personnel. This is among the highest-value intelligence an agency can acquire, and it is also among the most operationally complex to handle safely.

CI analysis synthesizes reporting from both defensive and offensive operations to produce strategic assessments: which foreign services are most active against which US targets, what collection methods they are using, where previous penetrations may have occurred, and what the indicators of future operations might look like. CI analysis is what connects individual cases to the broader threat picture.

The Fundamental Paradox

Counterintelligence operates under a structural tension that never fully resolves. Effective CI requires suspicion — the willingness to treat colleagues, sources, and liaison partners as potential adversary assets until they are proven otherwise. Taken too far, that suspicion becomes paralytic, destroying the trust that operational work requires and producing false positives that damage innocent careers. James Jesus Angleton, the CIA’s chief of counterintelligence from 1954 to 1974, pursued the Soviet mole hunt with such intensity that he effectively crippled the agency’s Soviet operations division for years. The mole he was hunting — if he existed at all — may never have been conclusively identified. The damage Angleton caused in the hunt was real and documented.

How US Counterintelligence Is Organized

Unlike the collection mission — which is divided relatively cleanly among the CIA (HUMINT), NSA (SIGINT), and the NRO and NGA (overhead IMINT and GEOINT) — the counterintelligence mission is fragmented across multiple agencies with overlapping jurisdiction and a history of institutional friction.

The FBI is the lead CI agency for domestic operations. Its National Security Branch, and within it the Counterintelligence Division, is responsible for investigating foreign intelligence activities on US soil, running double-agent operations against foreign services operating in the United States, and protecting US persons and organizations from foreign intelligence threats. The FBI’s CI jurisdiction is domestic; it does not run operations overseas.

The CIA’s Counterintelligence Center (CIC), now part of the Directorate of Operations, is responsible for CI operations overseas and for protecting CIA personnel, sources, and methods from foreign penetration. The CIA’s CI function also includes managing the liaison relationships with foreign intelligence services — relationships that are themselves potential vectors for penetration.

The Defense Counterintelligence and Security Agency (DCSA), formerly the Defense Security Service (DSS) and, since 2019, also the home of the federal background-investigation mission inherited from OPM, manages personnel security and insider threat programs across the defense industrial base. The military services each maintain their own CI organizations — the Army’s Counterintelligence Command, the Air Force Office of Special Investigations (AFOSI), the Naval Criminal Investigative Service (NCIS) — that handle CI investigations within their respective services.

The National Counterintelligence and Security Center (NCSC), established under the Office of the Director of National Intelligence, is supposed to coordinate all of these efforts across the IC. Whether it succeeds at that coordination is, charitably, a work in progress.

Organization                             | Primary CI Jurisdiction                       | Lead Threat Focus
FBI / National Security Branch           | Domestic (US soil)                            | Foreign intelligence services operating in US; insider threats
CIA / Counterintelligence Center         | Overseas; CIA personnel and sources           | Foreign penetration of CIA; hostile liaison services
DCSA                                     | Defense industrial base; cleared contractors  | Insider threats; technology theft; foreign ownership
Military Service CI (AFOSI, NCIS, etc.)  | Within respective military service            | Service member espionage; foreign contact reporting
NCSC (ODNI)                              | IC-wide coordination                          | Strategic CI assessment; threat reporting; awareness programs

The Major Cases: What Penetration Actually Looks Like

The history of US counterintelligence is substantially a history of failure — of foreign services running long-term penetrations of US intelligence agencies that went undetected for years or decades. Each major case produced a post-mortem identifying systemic vulnerabilities. Most of those vulnerabilities were structural, not individual, and several appeared in multiple agencies across multiple decades.

Aldrich Ames — CIA, 1985–1994

Aldrich Ames was a career CIA case officer who began spying for the Soviet KGB in April 1985. Over the next nine years he compromised virtually every Soviet and Eastern European asset the CIA was running, resulting in the execution of at least ten CIA sources and the imprisonment of others. The damage to US intelligence collection against the Soviet Union during the final years of the Cold War was catastrophic and is still not fully quantifiable.

The failure to detect Ames was not primarily an analytical failure — there were clear indicators as early as 1986 that a penetration had occurred. Sources were being rolled up at a rate that defied coincidence. The failure was institutional: the CIA’s CI staff was too small, its analytical tools too limited, and its organizational culture too resistant to the conclusion that a case officer was the source. Ames spent freely, drove an expensive car, and bought a $540,000 house in cash on a government salary. No one formally investigated his finances for years. When investigators finally ran a financial analysis in 1993, the case broke quickly.

Robert Hanssen — FBI, 1979–2001

Robert Hanssen was an FBI special agent who sold intelligence to Soviet — and later Russian — intelligence services for twenty-two years across three separate espionage periods. He revealed to Moscow the identities of Soviet officials who had been recruited by US intelligence (at least three of whom were subsequently executed), disclosed the existence of a classified tunnel the NSA had built under the Soviet Embassy in Washington, and betrayed the existence of a classified continuity-of-government program — directly relevant to this series — along with nuclear war planning and defensive measures.

Hanssen was an FBI counterintelligence officer. He understood exactly how he would be investigated and structured his communications with his handlers to minimize the evidence trail. He never met his handlers in person. He communicated through dead drops. He refused to provide his true name. He was caught not by an FBI investigation of its own ranks but through a KGB file on him, purchased from a former Russian intelligence officer in 2000, that contained a tape recording of his voice and a plastic bag bearing his fingerprints. By then he had been operating, with gaps, for more than two decades.

Jonathan Pollard — Navy, 1984–1985

Jonathan Pollard was a civilian intelligence analyst for the US Navy who passed classified material to Israel, a close US ally that is not a Five Eyes partner, over an eighteen-month period. The damage assessment, portions of which remain classified, indicated he had provided an extraordinary volume of material: satellite imagery, signals intelligence collection methods, the identities of US intelligence sources in the Arab world, and NSA reports on Soviet weapons systems. Pollard’s case is significant not just for its damage but for what it revealed about CI gaps in allied intelligence relationships: the assumption that close allies do not conduct collection against each other is operationally naive. Every intelligence service collects against every target it deems valuable, including allies.

Ana Montes — DIA, 1985–2001

Ana Montes was a senior Defense Intelligence Agency analyst specializing in Cuba who had been working for Cuban intelligence since before she joined the DIA. For sixteen years she passed classified assessments, intelligence methods, and the identities of four US intelligence assets in Cuba — at least one of whom was executed — while producing DIA analytical products that shaped US Cuba policy. She was arrested in September 2001, ten days after the 9/11 attacks, based on an investigation that had begun the previous year. Montes’s case illustrates a CI problem distinct from the Ames and Hanssen cases: she was not a walk-in who volunteered to a foreign service for money. She was ideologically motivated, recruited before she had access, and then placed inside the target agency. The CI defense against that threat model is significantly harder than detecting financial anomalies in a mid-career officer.

The Common Thread

Each of the major cases shares a structural feature: the penetration survived far longer than it should have because no one was actively looking. Ames’s finances were anomalous for years before anyone ran a formal analysis. Hanssen’s security file contained unresolved derogatory information that was never aggressively pursued. Montes was flagged by a colleague’s suspicion in 1996 — five years before her arrest. In each case the CI apparatus was reactive rather than proactive, and the organizational culture discouraged the aggressive internal scrutiny that effective CI requires.

How Foreign Services Actually Recruit

Understanding what CI is defending against requires understanding how foreign intelligence services actually develop and recruit sources. The Hollywood model — the midnight approach by a shadowy figure with a briefcase of cash — describes a small fraction of actual recruitment operations. The real process is slower, more methodical, and considerably more difficult to detect.

Recruitment is conventionally analyzed through what intelligence professionals call the MICE framework — Money, Ideology, Compromise (sometimes rendered as Coercion), and Ego. Each element represents a different motivational pathway that a foreign service can exploit, and a single recruitment often works more than one of them at once.

Money was the dominant motivation in the Ames case — he was in debt after his divorce and his second wife’s spending, and calculated that his access was worth selling. Financial stress, lifestyle inflation, and debt are among the most reliable indicators of recruitment vulnerability, which is why security programs track financial anomalies. Ames passed two polygraphs while actively spying. Financial analysis caught him.

Ideology drove Montes and, in a different form, Pollard. True believers are among the most damaging penetrations because their motivation is not correctable by financial improvement and they may not show behavioral indicators that security programs are designed to detect. Ideological recruitment often happens before the target has access — the foreign service is patient enough to wait.

Compromise — coercion based on real or fabricated damaging information — has been less common in US cases but is a documented recruitment method in adversary services, particularly against targets with exploitable personal vulnerabilities.

Ego is underestimated in the public picture. The sense that one’s expertise is undervalued, that one’s assessments are being ignored, that the organization does not deserve one’s loyalty — this is a recruitment pathway that foreign services actively cultivate through flattery, apparent professional respect, and the carefully constructed impression that the adversary service would appreciate what the target’s own organization does not. Several recruitment operations against cleared US personnel have begun with nothing more sinister than a professional conference and a foreign intelligence officer who was an unusually good listener.

The Current Threat Picture

The CI threat has not diminished since the Cold War ended. It has diversified. The Soviet KGB’s successor services — the FSB (domestic) and SVR (foreign) — continue to run aggressive human intelligence operations against US government and defense industry targets, with an operational tempo that has increased noticeably since 2014. Chinese intelligence services, primarily the Ministry of State Security (MSS) and the intelligence and cyber arms of the People’s Liberation Army, run the largest and most systematic foreign intelligence collection operation currently directed against the United States, with a particular focus on technology transfer, defense programs, and long-term penetration of government and academic institutions.

The Chinese approach differs structurally from the Soviet model. Rather than recruiting a single high-access agent like Ames or Hanssen, Chinese intelligence services have been documented running what CI professionals call “thousand grains of sand” operations — collecting from large numbers of lower-access sources simultaneously, each providing a small piece of a mosaic that becomes strategically significant in aggregate. This approach is harder to detect because no single collection event is significant enough to trigger investigation, and harder to prosecute because each individual source may be providing material that appears marginally classified or commercially sensitive rather than obviously damaging.

Cyber intrusion has transformed the CI threat in a way that the 1947 architecture was not built to handle. A foreign intelligence service that penetrates a cleared contractor’s network does not need a human source inside the agency — it can collect the product of that source’s work directly. The OPM breach of 2014–2015, attributed to Chinese state actors, exfiltrated the personnel records of approximately 21.5 million current and former federal employees, including the detailed security clearance investigation files of four million cleared individuals. The CI damage from that single operation — identifying every cleared US government employee, their foreign contacts, their financial history, and their personal vulnerabilities — will take decades to fully assess.

Double Agent Operations: Turning the Threat

The offensive side of CI — running double agents against foreign intelligence services — is among the most operationally complex activities the IC undertakes, and among the most valuable when it succeeds. A well-run double agent operation provides continuous insight into a foreign service’s collection priorities, methods, and personnel; allows the US side to feed false or misleading information to the adversary; and may ultimately enable the identification and neutralization of the adversary’s entire US operation.

The FBI’s Double Agent Program has been running since the Cold War, typically with the FBI providing the controlled source and the CIA providing foreign intelligence context. The program’s results are largely classified, but documented successes include operations that identified KGB officers operating under diplomatic cover in the US, mapped Soviet collection priorities during critical periods of the Cold War, and allowed the US side to control what Moscow believed about specific US capabilities and programs.

The risk in double agent operations is significant. A poorly controlled double may actually be a triple — working for the foreign service while appearing to work for you, feeding you what the adversary wants you to believe while reporting your actual CI methods back to his real handlers. Angleton’s obsessive mole hunt at the CIA was partly driven by his belief — shared by his KGB defector source Anatoli Golitsyn — that several prominent CIA defectors from Soviet intelligence were themselves controlled provocations designed to mislead US CI efforts. Whether Angleton was right, partly right, or entirely wrong about specific cases remains disputed among historians and former practitioners.

What This Means for the Prepared

Counterintelligence is not a subject that applies only to cleared government employees and intelligence professionals. The principles that govern effective CI at the national level apply directly to organizational and personal security at every level.

The insider threat is the hardest threat to defend against. Every major penetration case in this article involved someone with authorized access. External attackers — foreign intelligence officers trying to collect from the outside — face access barriers that insiders have already cleared. The CI lesson is that security programs which focus primarily on external threats while treating internal access as inherently safe are structurally incomplete. Anomaly monitoring, financial review, behavioral indicators, and a culture that normalizes reporting concerns are not bureaucratic overhead — they are the primary defense against the threat that has historically caused the most damage.

Access is the target. Foreign intelligence services do not recruit people randomly. They identify individuals with access to material they want and develop them over time. The implication: access to sensitive information, systems, or facilities creates a recruitment profile whether the individual recognizes it or not. Understanding that you are a potential target — because of what you know, who you work for, or what systems you can reach — is the precondition for taking appropriate protective measures.

MICE is a pre-screening tool, not just a history lesson. The motivational pathways that produced Ames, Hanssen, Montes, and Pollard — financial stress, ideological grievance, perceived disrespect, personal compromise — are identifiable in advance. Personal security hygiene includes honest self-assessment of financial vulnerabilities, awareness of foreign contacts and their potential intelligence affiliations, and recognition that flattery from unexpected sources in high-access contexts is a recruitment vector, not a compliment.

The digital attack surface dwarfs the human one. The OPM breach produced more CI damage than most human penetrations of the previous thirty years combined. Network security, access controls, and endpoint monitoring are not IT concerns that sit outside the CI mission — they are the primary terrain on which the current generation of foreign intelligence collection is occurring.

Operational Implication

Every organization with sensitive operations, proprietary information, or critical infrastructure dependencies is a CI target. The question is not whether a foreign intelligence service has an interest in your organization’s information — it is whether you have built the defensive CI architecture to detect collection attempts and the culture to report them. The federal government built that architecture over seventy years, was penetrated at the highest levels anyway, and is still working to close the gaps. Private organizations that treat insider threat and foreign intelligence collection as abstract federal concerns rather than operational realities are not wrong that their threat picture differs from the NSA’s. They are wrong that the difference means they are not targets.

Continue the Series

Part 7: The Post-9/11 Rebuild — DNI, Fusion Centers, and Information Sharing. How the worst domestic intelligence failure since Pearl Harbor forced the most significant restructuring of the US intelligence community since 1947.

Part 5: Founding the Watchers: CIA, NSA, NRO and the 1947 Architecture — the collection organizations that counterintelligence is built to protect.

Part 4: The UKUSA Agreement: How Five Eyes Actually Works — the alliance architecture that creates additional CI complexity through shared access and liaison relationships.

See Also

  • Founding the Watchers: CIA, NSA, NRO and the 1947 Architecture (Part 5)
  • The UKUSA Agreement: How Five Eyes Actually Works (Part 4)
  • OPSEC: Don’t Become the Target
  • Human Intelligence (HUMINT)
  • Communications Intelligence (COMINT)
  • Communications Security (COMSEC)
  • How We Watch: The FFTP Intelligence Collection and Production System

Bibliography & Further Reading

  1. Executive Order 12333, “United States Intelligence Activities” (as amended). dni.gov
  2. National Counterintelligence and Security Center. “Foreign Economic Espionage in Cyberspace,” 2018. dni.gov
  3. Senate Select Committee on Intelligence. “An Assessment of the Aldrich H. Ames Espionage Case and Its Implications for U.S. Intelligence,” November 1, 1994. intelligence.senate.gov
  4. Department of Justice. “Robert Philip Hanssen Espionage Case.” Press release and supporting materials, February 2001. justice.gov
  5. Office of the Inspector General, Department of Defense. “Review of the Actions Taken to Deter, Detect, and Investigate the Espionage Activities of Ana Belen Montes,” August 2005. Partially declassified.
  6. Office of Personnel Management. “OPM Cybersecurity Incidents.” opm.gov
  7. Wise, David. Spy: The Inside Story of How the FBI’s Robert Hanssen Betrayed America. Random House, 2002.
  8. Earley, Pete. Confessions of a Spy: The Real Story of Aldrich Ames. Putnam, 1997.
  9. Waller, Douglas. Disciples: The World War II Missions of the CIA Directors Who Fought for Wild Bill Donovan. Simon & Schuster, 2015.
  10. Angleton, James Jesus. Oral history interviews, declassified. Available through the CIA Historical Collections. cia.gov
  11. Stein, Jeff. “How China Stole the Keys to the US Personnel Kingdom.” Newsweek, March 2015. (On the OPM breach.)
  12. National Counterintelligence and Security Center. “Know the Risk, Raise Your Shield: Awareness Materials.” dni.gov

The Fiction Counterpart

The Continuity Chronicles

The counterintelligence architecture, the penetration cases, and the offensive CI operations described in this article are the operational foundation for The Continuity Chronicles techno-thriller series by Nick Meacher. The insider threat dynamics, the double agent tradecraft, and the structural vulnerabilities of the US intelligence community that drive the novels’ plots are grounded in the documented history described here.

  • Book 1: The Meadow Protocol
  • Book 2: The Brush
  • Book 3: Unassigned Authority
  • Book 4: In development

Explore the series at FFTP: thecontinuitychronicles.net

©2026 Fortune Favors the Prepared | Built using WordPress and Responsive Blogily theme by Superb