The mere whiff of a breach acts like nerve poison on intelligence agencies. If you lose even a single document, or believe an unauthorised person has had access to it, assumptions must be of worst-case scenarios. Assume that the Russians learn that an outwardly boring Irish insurance broker in the Ukrainian capital Kiev, for example, is actually an undercover officer of Britain’s Secret Intelligence Service. What will they be able to do with that information? Will he be in danger? Will they be able to find what agents he is running? If so, they must be brought out: they risk arrest. Maybe the agents are safe, but the operation cannot continue: in that case everyone involved must be stood down inconspicuously. What about colleagues? Safe houses? Dead-letter boxes? Another question is when the breach occurred. Can one be sure that this was the first instance? How solid is the ‘product’ (the intelligence obtained from the compromised network or individual)? Should it be assessed or analysed differently? Is it possible that the adversary used the breach to feed misleading information and then monitor the results? The answers to these questions may be ‘no’. But an experienced team of counter-intelligence officers must ask them, find the answers, check and double-check. The taint of even a minor breach must be analysed, contained and cleaned.
If a single breach is a serious problem, two make a nightmare—particularly if the missing material comes from different bits of the organisation. Documents which may on their own be quite anodyne can be gravely damaging if they are combined. Revealing an intelligence officer’s cover name may be no big deal. But combined with his previous travel, it could be the clue that gives the adversary details of an operation. Multiple breaches increase the problem exponentially. Each bit of compromised information must be assessed not only on its own, but in relation to every other piece of data. As the numbers mount, the maths becomes formidable. Four bits of information have 24 possible combinations. Seven have 5,040. Ten have more than three million. If Snowden has taken a million documents, the permutations that—in theory—need to be examined exceed the number of atoms in the universe.
Snowdenistas dispute claims of colossal damage. Foreign intelligence services in Russia or elsewhere do not and will not have access to the stolen material, they maintain. But dealing with secrets is a highly technical and complicated business. People build their careers on it. It requires elaborate procedures to store the information, to set and administer levels of access, to monitor who sees it, when, why and how, and particularly to authorise, log and track any copies made. It requires specially built premises, and staff who must be carefully recruited and trained and subjected to regular screening. The whole setup—with its physical, bureaucratic and human elements—involves regular checks, and possibly professional penetration tests, in which expert outsiders are tasked with trying to break the security systems. It is also designed to minimise the effects of any breach—for example by seeding the data with tell-tales (to highlight if it is being misused) or booby-traps (to act as a deterrent to malefactors). All of this takes place in the knowledge that the world’s most sophisticated intelligence agencies regard other countries’ secret data as a top priority.
Snowden’s allies may be admirable journalists. But they do not have the experience or resources to protect the information he has stolen. Their offices cannot be made safe against electronic eavesdropping. They do not know how to make their computers truly secure. The idea that the material is safe because it is encrypted is shockingly naïve: it is child’s play for a sophisticated adversary to place malware on a computer, remotely and invisibly, which logs every key stroke, and records everything that appears on the screen. Such ‘end-point vulnerabilities’ render even the heaviest encryption pointless. They can be delivered via a mobile phone or through an internet connection (or by some other subtle and secret means). Snowden knows this. It is possible that someone with his technical skills could keep the stolen data secure on his own computers, at least for a time and if he does not switch them on. But that becomes ever less likely over time.
Security becomes outright impossible when the material is handled by a team of amateurs. How many people have access? Who has screened them? What are their vulnerabilities—financial and psychological? Does anyone check their bank accounts? Are any of them vulnerable to blackmail? Do they have any training in avoiding ‘social-engineering’ attacks (such as impersonation)? What about the use of force? What happens if someone becomes disillusioned and leaves the team? A shocking example of carelessness came when Greenwald’s partner, David Miranda, was stopped while changing planes at London’s Heathrow Airport in August. His luggage included a number of ‘thumb’ USB drives and electronic devices, carrying some of the Snowden trove (as well as, some reports say, a password, apparently written on a bit of paper). Any public official who carried secret data this way would be fired and then prosecuted. A similarly sackable offence would be sending secret material across international borders by a commercial courier company such as FedEx. The editor of the Guardian, Alan Rusbridger, admits that he did just this, and jokes about it on his Twitter profile.[64] (Mr Rusbridger’s defenders say that the material was heavily encrypted and that both the sender and receiver were third parties; he may feel that this ruse is fail-safe but security professionals would not.)
It is hard to avoid the conclusion that Snowden conducted his activities within the NSA in order to be as damaging as possible. Among the so far unpublished material are (by the NSA’s account) 31,000 files which show what government customers asked the agency to find out about countries such as China, Iran and Russia, and its assessments of how it could respond. These ‘shopping lists’ are among the most closely guarded secrets in any intelligence agency. Once you know what the other side needs to find out, you can infer what they already know.[65]
All this counts as primary damage: to the sources, methods and self-confidence of an intelligence or security agency. But the ripples extend farther. A spy agency’s greatest asset is its reputation. Britain’s MI6, for example, enjoys free publicity from decades of films featuring James Bond. The real-life business of intelligence has little to do with the stunts on screen. But the brand helps attract able people to work as intelligence officers. A reputation for integrity and skill also makes it easier to recruit sources. If you are pondering whether to trust your life to a foreign country’s spies, you will want to have confidence in their ability to keep secrets. It is hard to conceive of a definition of America’s national interest that does not include keeping secret the identity of foreigners who trust the country with their views, secrets—and lives.[66] But the Snowden fan club, like the cheerleaders for WikiLeaks, takes no account of this. The NSA and other agencies cannot assume that, as Snowden so blithely puts it, there is a “zero chance” that adversaries have seen the stolen documents. They have to work on the assumption that they have done, or eventually will do so.
For all these reasons, the Snowden disclosures have had a catastrophic long-term effect on British and American intelligence. As I have explained above, even the threat of a breach is enough to endanger an intelligence operation. But publishing secrets in the media introduces a whole extra level of risk. It is bad enough if the Chinese and Russian intelligence services have knowledge of (or access to) the programmes compromised by Snowden. But when they are actively publicised, even the dimmest and worst informed terrorist, anarchist or criminal gets the message. Capabilities that work when deployed stealthily become useless once everyone knows about them. Once you learn that a computer screen can be read from far away through an open window, you draw the curtains. Once you know that a computer can plant malware on a mobile phone, or vice versa, you start keeping mobile devices in a lead-lined box. To be sure, the agencies will develop new capabilities. But if your navy has been sunk, it is little comfort to be told that you can always build another one. What are you going to do in the meantime?
The pleas of the Snowden-friendly media that they screen the material before publishing it cut little ice. It is nice of them to take advice, in some cases, from government security sources about disclosures that might be particularly damaging, and even to refrain from making them. Many of the more responsible media outlets have partially redacted the documents they have published, at least protecting the names of intelligence officers. But that does not stop Greenwald from offering the same material elsewhere. His petulant remarks after his partner Miranda was stopped at Heathrow Airport did not suggest a responsible attitude to the secrets he guards. ‘I will be far more aggressive in my reporting from now. I am going to publish many more documents. I am going to publish things on England too. I have many documents on England’s spy system. I think they will be sorry for what they did.’[67] Publishing secret documents is a grave responsibility. Surely the justification should be to expose wrongdoing, not to satisfy personal pique?
The damage was foreshadowed by WikiLeaks—a forerunner of the Snowden disclosures. A German politician, Helmut Metzner, had to resign and faced prosecution when he was outed as the anonymous source mentioned in a leaked American diplomatic cable (he denied wrongdoing and charges of espionage were eventually dropped). America’s State Department has spent a great deal of time and money trying to safeguard other individuals whose identities have been wholly or partially exposed in the leaked cables. To be fair, in the versions that WikiLeaks published initially, the names of interlocutors were redacted. But a mixture of carelessness and ignorance meant that the passphrase for the unedited versions of the cables became available. The result is unlikely to have increased foreigners’ willingness to meet and speak frankly with American diplomats about even mundane matters.
When intelligence sources, as opposed to mere diplomatic ones, are put at risk the damage is far greater. The stolen documents include the names of many NSA and GCHQ officers. Some of them will have been posted abroad—and may well have had sensitive contacts with locals. If their names and identities become known, then anyone who has met them, say in China, Iran or Russia, is in danger. Snowden says he will not release such material. So why did he steal it in the first place? In any case, as I have argued above, he cannot be sure that it will not leak out, given the amateurish way in which it is safeguarded. That is a profound worry to existing sources, and a grave deterrent to new ones.[68]
The disclosures of espionage by American allies damage them too. Diplomatic capital is consumed in issuing new assurances and tokens of friendship, as Australia has had to do with Indonesia. Other agreements may be put on hold. Trust is the most valuable commodity in espionage. Stolen secrets are fragile and perishable commodities. The instinctive desire of every intelligence officer and every spy service is to hoard, not to share. That preserves sources and methods, and makes the next secret easier to obtain. Handing hard-won material to a foreign partner is possible only when you believe that the country concerned is at least as trustworthy as you are yourself. The NSA’s failure to keep its secrets has dented America’s reputation as a trustworthy partner.
The quite unnecessary damage caused by Snowden makes it hard to believe that his aim was solely to expose wrongdoing. It looks far more likely that he was trying to cripple the NSA and its allies, and to hurt America’s standing in the world. Taking a huge cache of documents, and in a way that largely defies description, analysis or mitigation, is not the action of a patriotic whistleblower. It is the behaviour of a saboteur. It is a sign of the desperation now reigning in the NSA that some are willing to offer him an amnesty even now, if he will only hand back the missing files. Nobody can be confident that they have not been seen by others. But at least the agency will have a clearer idea of what was taken, and how.
All this damage, of course, suits Russia. The NSA and other American and allied intelligence and security agencies have been a prime target for the Kremlin since even before the Cold War. The successes have been great: recent triumphs include recruiting the heads of Soviet counter-intelligence at the FBI (Robert Hanssen) and the CIA (Aldrich Ames). Signals intelligence in the ‘Five-eyes’ alliance of America, Britain, Canada, Australia and New Zealand has been a particular target. Western countries have shifted their attention since the end of the Cold War. The reverse is not the case. The ten Russian ‘illegals’ arrested in America in June 2010 prompted a lengthy, disabling and so far fruitless search within the NSA for the sources which at least one of them was believed to have recruited there. Was Snowden’s decision to do what seems like deliberate damage to the NSA and America mere recklessness and vindictiveness? Or was there another motive, conscious or unconscious, in the background? No definitive answer to that is available on the evidence presently available. But some historical examples are instructive.