Counterintelligence Investigation Goldmines

Here is the entire post that James Rosen of Fox News published that led to the investigation and prosecution of Stephen Kim. I won’t comment on whether Rosen had a “right” to publish (1A, yes); or whether he should have published (fuck no); or whether Kim should have been allowed to tell him classified information (yeah nah). Since the cases have concluded, there’s no point in discussing that.

Let’s talk about counterintelligence investigations (or, counterespionage in this case) and what the problems are when intelligence services don’t worship at the altar of Our Lady of Source Protection.

The Fox News Post

NK’s Post UN Sanctions Plans, Revealed
June 11, 2009
By James Rosen, Fox News State Department Correspondent

He actually worked inside a State Department building when he was recruiting sources and writing these posts. Seriously.

U.S. intelligence officials have warned President Obama and other senior American officials that North Korea intends to respond to the passage of a U.N. Security Council resolution this week — condemning the communist country for its recent nuclear and ballistic missile tests — with another nuclear test, FOX News has learned.

US intelligence services have learned (or surmised) some future actions North Korea is planning. There will be a nuclear test. This could be from satellite images, an assessment made about “likely responses,” or any number of other sources. Doesn’t tell us enough to investigate.

What’s more, Pyongyang’s next nuclear detonation is but one of four planned actions the Central Intelligence Agency has learned, through sources inside North Korea, that the regime of Kim Jong-Il intends to take — but not announce — once the Security Council resolution is officially passed, likely on Friday.

Ah! The CIA (who dominate on HUMINT, i.e. recruiting people as sources) have learned that there will be four actions. They have learned this from sources inside North Korea (given the HUMINT angle, that suggests an agent rather than e.g. a cyber op.) The CIA also learned that Kim Jong-Il will execute these four actions, but not announce them. So the source has access to high level strategic planning, including the thinking of Kim Jong-Il. This suggests they have an asset in the highest ranks of the country’s leadership.

The other three actions include the reprocessing of all of the North’s spent plutonium fuel rods into weapons-grade plutonium; a major escalation in the North’s uranium-enrichment program; and the launching of another Taepodong-2 intercontinental ballistic missile from the Yunsong military complex on the west coast of North Korea. The North last launched a Taepodong-2 on April 5; it conducted its second nuclear test in the last three years on Memorial Day.

Here is a specific list of the other three actions: reprocessing all the plutonium; a major escalation in the uranium enrichment program; and launching an ICBM from a specific military base.

From this, we know the HUMINT source has good access to detailed strategic information. For investigators, this is pretty good info: it narrows the range of potential suspects quite well. There are probably only a small number of people within North Korea who had access to this specific set of info.

The intelligence community only learned of North Korea’s plans this week, prompting CIA to alert senior officials. Asked who would be briefed on this kind of data, a source told FOX News: “The top people: POTUS, DNI.” “POTUS” is an acronym for the president of the United States; “DNI” refers to the director of the Office of National Intelligence.

A timeline! For an investigator this is really useful — they now know when the information was handed over to the CIA: after June 4th. Now the list of suspects can be examined in more detail, finding those who were in a position to pass the information to the Americans during that time frame.

It couldn’t get much better for a counterespionage investigation: a specific set of detailed strategic actions, including Dear Leader’s thinking, and a timeframe to look at for suspicious activity. This is a wonderfully solid foundation on which to build the investigation.

FOX News is withholding some details about the sources and methods by which American intelligence agencies learned of the North’s plans so as to avoid compromising sensitive overseas operations in a country — North Korea — U.S. spymasters regard as one of the world’s most difficult to penetrate.

Hahahahahahaha. Oh that’s rich. Acting as if the previous paragraphs did not just paint a fluorescent arrow pointing almost directly to the source. This last paragraph is an absolute joke, given the highly detailed information provided above:

  1. CIA, “the HUMINT guys”, have obtained information (probably from a human asset)
  2. Four actions planned for the future: nuke test; enrich all the plutonium; major escalation in uranium enrichment; launch an ICBM from Yunsong
  3. Kim Jong Il intends to carry out these actions, but not to announce them publicly, which is the sort of insight that an email intercept might not capture
  4. The information was passed to the Americans between June 3rd and June 11th.

For a counterespionage officer this level of detailed information is vital to locating and eliminating a penetration. There is usually significantly less data to work with when conducting counterintelligence investigations. The Rosen article provides basically a roadmap to the source’s house.

Sources Burned. Abort! Abort!

Did the North Koreans track down and eliminate the CIA’s source? I don’t know. Very possibly, although it is also possible they picked the wrong guy or that they never narrowed the scope sufficiently to take action.

Did the CIA lose access to the source? Almost certainly. Even if the North Koreans were unable to figure out exactly who the source was, the source would have to go silent to ensure their own safety. They would feel burned, and be extremely unlikely to ever contact the CIA again.

If the source was a cyber operation, or a technological acquisition (such as an audio bug) then it was probably compromised and not used again to ensure security.

Is that bad?

For the source, unquestionably so. North Korea is not known for their “softly softly” approach to handling suspected spies / traitors. But there is a much bigger problem — source protection is a promise by an agency to an agent that they will be able to protect them. If the agents do not believe that promise, they will not accept the risk of spying for that agency.

The Rosen article demonstrates to potential future sources for the CIA (and DIA, etc) that the American Intelligence Community is unable to protect them. This is a very visible “we break our promises, you’re going to be left on the hook” statement. It is a serious disincentive to future sources to ever work with the Americans. The main damage of this short blog post was not just that it exposed, and possibly killed, an extremely valuable asset within North Korea, but that it provides a strong reason for future sources to never ever work with the American IC.