The ‘Mosaic’ Method and the Value of CIA Names to U.S. Adversaries

Jonathan M. Fredman
Monday, February 10, 2025, 11:59 AM
It’s a fundamental principle inculcated into CIA officers from day one: individual pieces of information can be combined to provide a picture that discloses sensitive intelligence.
The CIA seal in the lobby of CIA headquarters. (https://tinyurl.com/2p9j92yb; Public Domain, https://creativecommons.org/public-domain/)

Published by The Lawfare Institute in Cooperation With Brookings

On Feb. 5, The New York Times reported:

The C.I.A. sent the White House an unclassified email listing all employees hired by the spy agency over the last two years to comply with an executive order to shrink the federal work force, in a move that former officials say risked the list leaking to adversaries.
The list included first names and the first initial of the last name of the new hires, who are still on probation — and thus easy to dismiss. It included a large crop of young analysts and operatives who were hired specifically to focus on China, and whose identities are usually closely guarded because Chinese hackers are constantly seeking to identify them.
The agency normally would prefer not to put these names in an unclassified system. Some former officials said they worried that the list could be passed on to a team of newly hired young software experts working with Elon Musk and his government efficiency team. If that happened, the names of the employees might be more easily targeted by China, Russia or other foreign intelligence services.
One former agency officer called the reporting of the names in an unclassified email a “counterintelligence disaster.”
Current officials confirmed that the C.I.A. had sent the names of employees to the White House’s Office of Management and Budget, complying with an executive order signed by President Trump. But the officials downplayed security concerns. By sending just the first names and initials of the probationary employees, one U.S. official said, they hoped the information would be protected.
But former officials scoffed at the explanation, saying that the names and initials could be combined with other information — from driver’s license and car registration systems, social media accounts and publicly available data from universities that the agency uses as recruiting grounds — to piece together a more complete list.

One of the most fundamental principles of counterespionage, inculcated into CIA officers from their very first day on the job, is the "mosaic" concept. Individual items of information can be combined with other data to provide a picture that discloses sensitive intelligence.

For example, enrollment data from academic institutions may be combined with flight data from travel providers, attendance lists from non-governmental conferences, lists of published materials, social media inquiries about medical conditions, and commercially available credit information. Carefully sorted and correlated, this information can enable an adversary to identify individuals with access to sensitive information who may be amenable to approach or recruitment, and to craft the most effective means by which to contact them and develop a relationship.

Even partially identifying information, such as first names and last initials—whether accurate or pseudonymous—can be aggregated along with other publicly available information to establish the identity of intelligence officers. Hostile nations can use that data to interfere with U.S. intelligence activities, whether by directly challenging those U.S. personnel, enhancing their own capabilities to deny the United States access to information, or crafting disinformation operations to misdirect U.S. activities. 

Another first principle underscored on day one is that all unclassified systems must be presumed to be penetrated by our adversaries. Neither classified information, nor unclassified information that could be assembled with other data to create a mosaic, may be transmitted by nonsecure means such as unclassified email or regular telephone lines.

It may be counterintuitive to most people, but those of us who have served in the intelligence community operate on the assumption that anything we say on an open telephone line, send over an unclassified email system, or speak in any location apart from a "Secure Compartmented Information Facility" may be intercepted by any number of foreign actors. When we make plane reservations, for example, we expect that the Russian intelligence service has access to them. When we send emails, we understand that the People's Republic of China's espionage agents may read them. 

Yet another first principle is that specific information such as the names of CIA employees, the number of Agency employees, the pace of hiring, and the level of effort devoted to any particular subject area, such as China or counterterrorism, is of great use to our adversaries and in many instances classified in and of itself. We do not share that information in whole or in part except via secure, classified channels to appropriately cleared personnel. As noted on the Agency's own web page:

Neither the number of employees nor the size of the Agency's budget can, at present, be publicly disclosed. A common misconception is that the Agency has an unlimited budget, which is far from true. While classified, the budget and size of CIA are known in detail and examined by the Office of Management and Budget and by the Senate Select Committee on Intelligence, the House Permanent Select Committee on Intelligence, and the Defense Subcommittees of the Appropriations Committees in both houses of Congress. The resources allocated to CIA are subject to the same rigorous examination and approval process that applies to all other government organizations.

For example, the Agency's budget, its personnel complement, and its scope of activities are regularly developed in coordination with the National Security Council, the Office of Management and Budget, the House Permanent Select Committee on Intelligence, and the Senate Select Committee on Intelligence. That information is not provided via unclassified channels, which must be assumed to be available to unauthorized personnel, including foreign espionage agencies.

Beyond the issue of classification, the provision of names to the political echelon violates another critical norm. While it is certainly the President's responsibility to appoint the senior leadership of the intelligence community, with the advice and consent of the Senate where provided by law, and for the National Security Council and Congressional oversight committees to know the identities of key personnel, it is a striking and dangerous departure for any Administration or the Congress to request names of working level employees.

Senior officials are responsible for the management and direction of their agencies, and they are accountable for the proper implementation of their responsibilities. Rank and file employees may be redirected from one priority to another; agencies may reduce or increase their personnel complements from time to time; and funds may be reassigned from one objective to another. The provision of identities of working level personnel is neither necessary nor sufficient for those purposes.

The National Security Act of 1947 requires the Director of National Intelligence, and through her the Directors of the various U.S. intelligence agencies, to protect intelligence sources and methods. If the reporting in the Times is accurate, that obligation has not been honored. The apparent statements from unnamed officials to the effect that by providing first names and last initials only, even over unclassified systems, no damage has been done, reflect either ignorance or indifference. Neither enhances the security of our nation.

 


Jonathan M. Fredman is a Non-Resident Fellow at the Princeton University School of Public and International Affairs. He spent 36 years at the Central Intelligence Agency and the Office of the Director of National Intelligence.