The spies of tomorrow will need to love data
The spies of tomorrow will need to love data
MAGAZINE 07 APRIL 16 by GORDON CORERA
You could forgive the chief of MI6 – known as C – a slight shudder as he watched the latest Bond movie, Spectre. Not the scene in which the MI6 HQ is blown up, but the more worrisome plot that his secret service was going to be swallowed by a new data-driven super-agency. The shudder? Because the storyline is worryingly close to today’s reality. The world of spying may be as old as the ages and MI6 may be one of the most storied intelligence services but, make no mistake, it is in an existential battle. And the reason for that is data.
The current C, Alex Younger, 52, talks of an “arms race” when it comes to exploiting technology. The intelligence services that succeed in mastering data will prosper against adversaries. Those that fail to adapt will find themselves irrelevant. To avoid that fate, MI6 is trying to answer two questions: what is secrecy in the digital age? And how do you protect it?
Spying involves stealing secrets. There are various ways of doing that. One is by intercepting communications and breaking codes known as SIGINT (signals intelligence). This is the province of agencies such as GCHQ (the UK government communications) and the NSA (in the US). Human intelligence (HUMINT) involves getting those secrets from people who have access – known as agents (the staff who work for MI6 are officers, not agents).
During the cold war, machines played a marginal role in human intelligence. Their preferred habitat was the alleyways of Berlin and Vienna meeting agents while trying to shake a KGB tail.
But, a quarter of a century ago, the spread of networked computers began to revolutionise the spy business. First, the KGB and then GCHQ and NSA realised other governments kept valuable information on networks connected to the internet. For a while, MI6 looked on nervously as operators at GCHQ began to remotely steal documents that would previously have required a human agent in a foreign ministry snapping hurried photos of material in a safe. It was clear that cyber espionage was transformative. It allowed information to be extracted in huge volumes remotely – massively reducing the risks involved. Where does that leave the old-fashioned spooks?
From an office on the executive floor of the MI6 building in Vauxhall, Younger, a veteran spy, has the job of answering that question. So what’s the strategy? In a nutshell: to master data, to stay secret and to be able to operate anywhere.
Technology offers opportunity and threat. The initial stage of recruiting an agent is “targeting”. Imagine you want to know if a country is secretly working on a nuclear-weapons programme. The best source might be a businessman in the illicit procurement chain. A spy agency needs to find out who has the access to secrets, the motivation to pass them on and how to get close to that individual. All of that is now data driven.
The data may be open source – publicly available information on who works for a company. Social media can play a role in understanding an individual’s interests and connections, building a picture of their lives. Spies say if you want to understand a target you now have to understand the expression of their life online as well as in the physical world – because dissonance between their “real world” and ”online” behaviour can be telling.
Increasingly important is what the government calls “bulk personal data sets”. MI6 told one inquiry that these “are increasingly used to identify the people that we believe that we have an interest in; and also to identify the linkages between those individuals and the UK that we might be able to exploit”. The exact nature of this data is secret, but it could include a foreign state’s employment records, the booking records of a hotel or subscribers to particular magazines. Some of these data sets can contain millions of records including those of innocent people. Spies maintain that both acquisition and then access is tightly controlled – any specific search needs to be compliant with the Human Rights Act in terms of being lawful, necessary and proportionate. The “proportionality” test in interrogating bulk personal data sets means if any query returns too many people then it is less useful and potentially against the rules.
A query might reveal an engineer had money problems. The next step would be an approach. Systems can alert a team when an individual books a hotel. An MI6 officer would wait in the lobby – a crucial method of contact that depends on human skills.
The transfer of material from agent to handler has always been the moment of greatest operational vulnerability. Catching one person handing over an envelope to another person meant both were “bang to rights”. Now, the transfer of information can be done remotely using specially developed communications tech. In 2006, Russian security services made claims about a “spy rock” set up by British spies. The rock was said to contain a short-range transmitter/receiver into which an agent could transfer data by walking past. A case officer could later walk past and upload the information. MI6 has always refused to comment but a senior Downing Street official later said that the Russians “had us bang to rights”. Ten years later, it’s likely communication can be carried out more remotely, minimising the risk of being caught.
“Using data offers us a priceless opportunity to be deliberate and targeted in what we do and thus be better at protecting our agents and this country,” Younger said in his first public speech, at a Whitehall event in March 2015. “That is good news. The bad news is that the same technology in opposition hands allows them to see what we are doing and put our people and agents at risk.” Technology helps spies find their targets, but it can also be used by foreign security services to identify British spies and their sources.
FACEBOOK BLOWS YOUR COVER
Stealing secrets also requires keeping them. And that is getting harder. The first signs of that challenge emerged just over a decade ago with the spread of biometric databases at international borders. Once, a faked passport might have been enough to build a cover story for an MI6 officer travelling to meet an agent. An officer could breeze across a border, conduct the debrief and leave. But if their iris or fingerprints were scanned at an airport then that data would be associated with the false cover. Would they be identified as a spy? The old days of using a simple cover to meet agents abroad were passing.
The next challenge was social media. In the past, a spy would want no details or pictures of themselves in the public domain. But today, what kind of person under 30 doesn’t have a social-media trail and digital profile? That in itself is pretty much enough to mark you out as someone unusually protective of their privacy and, to foreign intelligence services, possibly a spy. A test was run at MI6 a few years ago: how long would it take for an officer’s cover to endure when subjected to a series of Google searches? The answer: about a minute.
Veteran officers say that, at first, many spies were deeply resistant to understanding the new dangers. But then came the lessons. In February 2003, a CIA team was sent to Milan to conduct an “extraordinary rendition” of a suspected radical Islamist: Abu Omar was plucked off the streets and transported to Egypt. Three years later, an Italian prosecutor using link analysis of phones, hotel reservations, car rentals and credit cards had been able to identify about two dozen members of the CIA team and prosecute them in absentia.
What about bulk data? The fear of what could be done by using large data sets against spies was evident in Washington’s neuralgic reaction to the cyber-intrusion into the federal government’s Office of Personnel Management (OPM) when the personal details of 21 million government workers were stolen. The personal details of CIA officers and other spies were not listed. That was precisely the problem – a smart intelligence service could simply correlate who at an embassy was on the OPM database and, by a process of elimination, work out that anyone not on the database was an undercover intelligence officer. In the wake of the breach, British officials were assured that there was no single database in the UK with the same amount of detail.
YOUR DIGITAL EXHAUST IS SHOWING
The moment of meeting an agent has become trickier. In the past a fleeting brush-past on a street or conversation in an alley would leave no trace unless someone had been followed. Now CCTV is everywhere and so is the data – from mobile phones and other digital tools – of where you have been. What is more, it’s stored. The digital exhaust we leave behind has completely altered the ways in which spies can operate.
Countries are moving towards large biometric databases of identifiers which can offer them knowledge about their own population. “When I joined MI6, I was trained to spot people tracking me or telephone tapping or intercepting radio communication,” John Sawers, who joined MI6 in the late 70s before going to the Foreign Office and coming back as chief from 2009 to 2014, said in a speech in January 2015. “Today, those labour-intensive techniques are supported by high-end software: face recognition, footstep recognition, etc.”
Sawers was brought back to MI6 in 2009 as a moderniser. That included integrating technology and the Service’s “Q” team into operations much more closely. A technologist and data analyst would be brought into planning operations from the outset rather than as a last minute add-on and the case officer (who recruited the agent) became more part of a team rather than the “fighter pilot” whom everyone else served. Now the data analyst drives the operations as much as the case officer does.
Working in an age where everything is recorded and leaves a digital footprint requires different tradecraft. In some cases it means you have to, in the words of some in MI6, “go medieval” and stay offline and use old-fashioned methods of communication. Some countries were reported to have bought old typewriters in the wake of the Snowden disclosures and techniques such as secret ink are said to be making a return.
DON’T OVERLOOK OPEN SOURCE
The next stage in technological transformation is coming with the growth of open-source intelligence, big data and predictive analysis. Open-source intelligence was something that spies looked down on a decade ago. Real intelligence was something that had been obtained through low cunning, not a web search.
“Open source was about routine monitoring of foreign newspapers and broadcasts for useful snippets,” says Cameron Colquhoun, who worked as a government intelligence analyst before founding Neon Century, a London-based open-source intelligence company. That changed first with the Green Movement in Iran in 2009 and then with 2011’s Arab Spring which was organised, in part, on social media. “The richness of the data – geolocated, time-stamped and verifiable – meant that open source was not just something analysts could monitor but something you could use to run intelligence investigations.”
One British general estimates that 85 per cent of military intelligence can now be obtained from open sources. Mapping and terrain information are simple to pick up; an understanding of local populations can be drawn using sentiment-analysis tools. So why spend huge amounts of money and take risks to get secrets when much of the information can be found? The rise of Islamic State (IS) made the importance of social media clear: British jihadists were using platforms such as Facebook to lure others in the UK to follow them.
Intelligence analysts still struggle with this world. After all, their work computers are air-gapped from the internet, they have been encouraged not to be on social media and they normally cannot bring personal smartphones into the office. The internet is a prime vector for espionage. Foreign spies could use it to access the systems at Vauxhall Cross. The advantages of cross-referencing information and integrating open and secret data are also huge risks because of the fear of cross-infection. Today’s challenge is to leverage the internet while not letting it into the building.
Today, analytical techniques for open data are often developed by the private sector rather than the state. The most advanced tools are being built by startups interested in sentiment analysis for commercial purposes. Just as an intelligence agency might be interested in working out who is expressing positive and influential views about a gruesome IS video, a consumer brand might be interested in social-media influencers for its product. In the US, Palantir was originally funded by In-Q-Tel, the CIA VC firm, and supports military and security programmes as well as selling its tech to consumer-facing companies.
In the UK, the startup Ripjar is moving into a similar space. “The aggregation of data is paramount to joining the dots and exposing criminal behaviour,” says Tom Griffin, the company’s CEO. “This is similar to the commercial world, where the true value of data is exposed when you combine the business knowledge, analytical thinking and many disparate data sets.” He argues that employing techniques of machine learning and natural-language processing will not negate the need for human analysts but allows them to make sense of vast tides of data such as tweets sent by IS.
THE HUMAN FACTOR
The agencies hope that big data will open the way for better intelligence analysis to avoid “strategic surprise” and provide early warning and horizon scanning. Senior CIA officials talk of their desire to build an “anticipatory intelligence capability”. Sentiment analysis aims to look for early indicators of political and social crisis, unrest such as riots, signs of nascent economic instability or resource shortage. The new Alan Turing Institute, at the British Library, has formed a partnership of industry, government and academics to work on data-led solutions to various challenges, including national security.
But is it possible – given the volume of data and the unpredictability of human behaviour – for agencies to conduct truly insightful predictive analysis? There was an upsurge in data analysis after 9/11 when, for instance, bomb factories in Iraq were identified using patterns of phone usage by insurgents.
In the UK, GCHQ and MI6 work hand in glove. So-called bulk data is used for what is called “target discovery” – finding people based on their data trails – so that more specialised techniques can be deployed. This is much harder than it used to be. In the past, a single GCHQ analyst might be able to track a dozen targets; now it can take a dozen analysts to track a single target who knows what they’re doing. This means human intelligence still plays a part. A spy inside a group such as al-Qaeda can tell you who’s who and where they are even if that person practises good comms security. Targeting individuals might be done by a close integration of human and technical intel: analysts at GCHQ might identify patters in online activity, whereas MI6 officers would try and recruit agents on the ground.
GCHQ and MI6 are moving closer together. GCHQ will sometimes need a human spy to enable an operation: think of the US-Israeli Stuxnet virus targeting Iran’s nuclear programme – it needed an engineer to put a USB stick into a system. There are also pieces of info a human spy can tell you that data can’t reveal. But the balance is shifting – GCHQ is roughly double the size of MI6. Inside MI6, there’s an understanding that they will need a new type of spy and everyone will need digital skills.
It’s becoming ever harder to keep secrets. For spies, this new world means deconstructing everything they do and analysing it for new opportunities and weaknesses, seeking out new sources of data and the latest tools to exploit. Every new trick they use to spy on someone else needs to be tested to ensure it doesn’t offer an opportunity to the other side. Nation states are working hard to exploit the insights that data offers in a new arms race of technology-driven espionage. To the victor the spoils. To the loser – as with the rest of the tech-based world, but with greater consequences – defeat and irrelevance.
Gordon Corera is is the BBC’s security correspondent and author of Intercept: The Secret history of Computers and Spies (W&N)