Harnessing the Winds of Technological Change: U.S. Counterintelligence Operations in the Age of AI

By: Anthony Phan


In November 2022, suspected Chinese government-linked hackers used infected USB drives to deliver malware to public and private organizations in the United States as part of a yearlong espionage campaign. Five months later, Iranian state-linked hackers targeted U.S. critical infrastructure, and that of other countries, deploying a “previously unseen customized dropper malware.” The following month, malware infrastructure for Russia’s “most sophisticated cyber espionage tool”—Snake—was identified, in more than fifty countries worldwide, by the National Security Agency (NSA) and several partner agencies. In August 2023, suspected North Korean hackers launched spear phishing email attacks against a joint U.S.-South Korean military exercise on countering nuclear threats from Pyongyang. These events make one truth evident: cyber espionage poses a serious threat to national security. In an era of rapid technological growth, especially related to artificial intelligence (AI), the time to address the threat is now.

            This article provides a general overview of the risks emerging technologies present to national security when adversaries exploit those tools for malicious ends. From a counterintelligence (CI) perspective, this article examines whether U.S. laws and regulations are keeping pace with technology and how the intelligence enterprise can adapt to changes in cyberspace. This article also discusses the ways in which technologies impact CI operations and what the ability to meet the demands of a malleable threat environment means for America’s future spies. To stay competitive globally, the United States must bolster its cyber capabilities with modern policy and legislation, like the Intelligence Authorization Act for Fiscal Year 2025 (FY25 IAA). Such an endeavor, though challenging, is achievable through a reasoned, well-informed approach—one that mitigates technology’s potential for harm by equipping CI professionals with preemptive measures. At the core of any framework should be the ingenuity and foresight that have characterized American espionage since its inception.


“From the American Revolution to the Cyber Revolution”

            American espionage originated during the Revolutionary War. During the war, the British recruited colonists to become operatives, building networks of informants to infiltrate the Continental Army and the Continental Congress. The Loyalists also infiltrated “an overseas diplomatic mission negotiating with America’s future allies.” Outnumbered, Patriot forces rallied behind founding father John Jay, who was appointed to lead the Committee for Detecting and Defeating Conspiracies. The Committee worked toward “inquiring into, detecting and defeating all conspiracies which may be formed . . . against the liberties of America.” This effort gave rise to American counterintelligence, which proved instrumental to the developing nation’s victory.

            Today, the United States faces a similarly grave danger from multiple threat vectors in a non-physical domain: cyber. The Center for Strategic and International Studies (CSIS), through its survey of Chinese espionage in the United States since 2000, found 224 reported instances—46% of which involved cyber espionage. Hacking, according to CSIS, is Beijing’s “preferred mode of espionage.” The survey revealed 104 instances of reported Chinese cyber espionage within the preceding ten years. Based on open-source material, these findings underscore the immeasurable damage that the People’s Republic of China (PRC) has caused to U.S. national security. In recent years, the PRC has stolen personal information on a massive scale and has influenced or coerced their victims for political aims across government, information technology (IT), social media, and academia. Although CSIS claims that the instances in total “far outnumber those by any other country,” countries like Russia, Iran, and North Korea remain cyber threats to the United States.

            The Office of the Director of National Intelligence’s (ODNI) 2024 Annual Threat Assessment (ATA) acknowledges not only China’s active threat to American cybersecurity, but also that of other state actors. According to the ATA, Russia has demonstrated its capacity to target critical infrastructure, such as underwater cables and industrial control systems, and to use generative AI to influence U.S. elections. Iran’s “opportunistic approach” to cyber attacks makes it a major threat to network and data security. Like Moscow, Tehran conducts malign influence operations to “undermine U.S. political processes and amplify discord.” In 2020, Iranian cyber actors threatened U.S. voters by email and spread election disinformation. North Korea, on the other hand, is known for committing cybercrimes like “cryptocurrency heists,” laundering and cashing out its stolen earnings.

            Despite the four state actors’ dominance, the ATA reports that cyber threats also include non-state actors, particularly transnational criminal organizations (TCOs). TCOs present a unique challenge for the U.S. Intelligence Community (IC) because of the decentralized and specialized nature of cybercriminal activity. Cybercriminals who use ransomware can extort funds, disrupt critical services, and expose sensitive data. Furthermore, the interconnectedness and accessibility of online infrastructure means more efficient attacks and lower barriers to entry for criminals.

The National Counterintelligence and Security Center (NCSC) delivers strategic guidance on combatting cyber activity from both state and non-state actors. The National Counterintelligence Strategy outlines three objectives: (1) foster strong partnerships across all levels of government, the private sector, academia and with foreign partners; (2) improve cross-disciplinary collaboration and coordination with federal partners; and (3) cooperate with allies and partners to “conduct integrated, scalable, prioritized, proactive CI activities.” Notably, the NCSC strategy stresses a need to leverage appropriate authorities. It is important to analyze the relevant legal authorities and determine whether the law is up to the task.


“To Promote the National Security”

            Section 3(3) of the National Security Act of 1947 (the Act) defines counterintelligence as information and activities that obstruct espionage, including sabotage and assassinations, by foreign governments, organizations, persons, or international terrorists. Section 2.3(b) of Executive Order (EO) No. 12333 authorizes IC elements to collect, retain, or disseminate information that constitutes counterintelligence, including “corporations or other commercial organizations.” With its focus on U.S. persons, Section 2.3(b) is pertinent to impeding cyber espionage because many Americans using products or services from U.S.-based companies fall prey to malicious foreign actors, often by means of spyware. Spyware lets users remotely surveil and control a target device and collect data therefrom without the owner’s knowledge or consent. Enabling a user to target any device from anywhere in the world, this technology in the wrong hands can cause severe damage to national security.

Section 1102A of the Act, as amended, sets forth “[m]easures to mitigate counterintelligence threats from proliferation and use of foreign commercial spyware.” Subsection (c) grants the Director of National Intelligence (DNI) sole authority to prohibit an IC element from acquiring, or entering into an agreement with a company that has acquired, foreign commercial spyware (the 2024 ATA reports that “at least 74 countries contracted with private companies to obtain commercial spyware” between 2011 and 2023). Given spyware’s clear and direct threat to national security, subsection (c) is crucial. Nevertheless, reserving this responsibility for the DNI alone could inadvertently give foreign commercial spyware firms more time to “craft and deploy highly targeted lures” if the DNI is unavailable to prohibit an acquisition or an agreement involving spyware, the possible misuse of which the DNI might deem to pose an excessive risk.

Section 1.4(e) of EO 12333 authorizes the IC, consistent with applicable federal law and under the DNI’s leadership, to procure “technical systems and devices relating to authorized functions and missions.” Seeing the urgency of spyware’s growing threat, as is evident in EO 14093, subsection (c) of Section 1102A may more efficiently serve the national security interests by granting the DNI authority to delegate discretionary authority, if necessary, to another senior-level official—for instance, the Principal Deputy Director. EO 14093 forbids federal agencies from using spyware that poses significant CI or security risks to the U.S. Government or significant risks of improper foreign use. Yet, the order allows agency use of spyware for “testing, research, analysis, cybersecurity, or the development of countermeasures” against CI or security risks. This exception reinforces the authorities at the IC’s disposal. It further reflects the purposes of two provisions within the Act, which the IC could apply to spyware and other technologies.

            Sections 1112 and 1113 are such provisions. Section 1112 of the Act requires the Directors of the Central Intelligence Agency (CIA) and the NSA, in coordination with the DNI, to submit to the congressional intelligence committees an annual report through 2026 on “foreign commercial providers” and “cyber vulnerabilities” that the IC has procured through the providers. The IC may either research and develop these vulnerabilities or operationalize them to impair target devices, networks, or systems, by the definition in Section 1112(d)(2). Beyond procurement details, Section 1112(b) stipulates that the Directors present first, an assessment of the IC’s ability to manipulate the vulnerability; and second, an assessment of foreign commercial providers that pose a significant national security threat, among additional stipulations. Furthermore, Section 1113 requires the DNI, in coordination with various agency and department heads, to submit a report every four years on the IC’s technology strategy to the same committees.

            Both provisions ideally increase transparency, thereby ensuring oversight and accountability and streamlining CI methodologies. Several ways to achieve those goals are notification requirements, periodic updates, and suggested deadlines for submission. The congressionally mandated reports may not directly affect operations but, if done diligently, may strengthen strategic posture, community-wide integration, and overall workforce readiness through better awareness of programmatic issues or inefficiencies. Also beneficial to professionals are the provisions on emerging technologies under Title V of FY25 IAA, specifically Sections 512 and 514. Section 512 recognizes “foreign ransomware organizations” as “hostile foreign cyber actors” that adherents of the provision should treat as such. This recognition facilitates enemy targeting by CI operatives because it offers an appropriate designation. Section 514 requires the DNI to regard ransomware threats as a “national intelligence priority component” to the National Intelligence Priorities Framework. The DNI must then report on the threats’ implications. These requirements compel the IC and, by design, the CI community to align risk management with mission performance in response to ransomware. Other technologies that the Senate Select Committee on Intelligence mentions in its Comments and Direction, but does not expand upon, however, are social media, cryptocurrency, and encrypted communications. While the bill makes clear the IC’s authorities to address some of the United States’ more pressing issues, it could benefit from additional requirements to prevent foreign manipulation of otherwise innocuous tools.

            The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001, which contains provisions on electronic surveillance, does not appear to accommodate more modern developments like malware or spyware. Section 214 of the USA PATRIOT Act concerns pen register and trap and trace authority, though current information and communication technology (ICT) involves email, text messaging, and social media. Section 217 elucidates interception of computer communications, defining a computer trespasser (i.e., a hacker) as “a person who accesses a protected computer without authorization and thus has no reasonable expectation of privacy.” This insertion clarifies whom CI agents may surveil. The Intelligence Reform and Terrorism Prevention Act of 2004 likewise lacks modernized provisions to rival emerging technologies and therefore warrants amendments. Nevertheless, Section 1052 pertains to open-source intelligence (OSINT), deeming the collection method “a valuable source that must be integrated into the intelligence cycle.” OSINT enables CI agents to gather evidence on foreign intelligence entities (FIEs) through publicly or commercially available information, employing generative AI to “quickly summariz[e] large amounts of text.”

CI governance, undeniably, has been making strides, but there are still opportunities for improvement. While Section 1102A of the amended National Security Act, enacted less than two years ago, does address spyware, the concept originated in 1995. This lag in legislation is not the only instance. For example, none of the authorities mention quantum computing, which conceptually has been around since the 1980s and which FIEs could exploit for “illegal or otherwise illicit technology transfer” by performing “mathematical computations impossible for traditional computers,” according to the Federal Bureau of Investigation (FBI). Possible quantum computing legislation might include provisions for quantum encryption and decryption or applications to cloud computing for greater processing speeds. The ATA warns that AI and machine learning (ML) models could yield “unintended consequences,” from deepfakes and misinformation to AI-generated computer viruses. Yet the authorities, except for the FY25 IAA, are silent on AI/ML, both of which emerged in the 1950s.

Cyberattacks occur partly because “systems have flaws.” To protect the United States from foreign adversaries, the IC must secure its own systems. A key step toward system—and national—security is confronting spyware. Through a project called Mythical Beasts and Where to Find Them, the Atlantic Council’s Digital Forensics Research Lab (DFRLab) offers a set of policy recommendations to navigate the global spyware market. The first recommendation is to mandate “Know Your Vendor” (KYV) requirements, which the U.S. Federal Acquisition Regulatory Council could set. KYV requirements would have spyware vendors disclose supplier and investor relationships. Doing so could produce more transparency in a market of “shifting vendor identities and supply chains,” according to DFRLab. One outcome would be better information about foreign commercial providers. Though confronting spyware is a key step toward greater security, spyware is but one piece in the puzzle of cyber espionage. The IC can prepare for new and emerging threats by communicating with regulatory partners and members of Congress.

As John Jay and his fellow Committee members were armed with new legal authorities, so too should today’s CI personnel have updated authorities to match the dynamic threat landscape. One might argue that attempting to enumerate every technology as it emerges is impractical. However, the key to thwarting ICT abuse lies not just in listing the technologies, but perhaps in categorizing their functions and capabilities, giving personnel the means to respond accordingly. This task would demand a deep understanding of the relevant fields, gained through dialogue among the public sector, the private sector, and academia. Stakeholders should practice information sharing across sectors and disciplines to encourage synergy.


“Foundations for Safeguarding Our Future”

To endure in cyberspace, the IC must stay vigilant and agile, not by trying to predict future inventions or innovations, but by anticipating disruptive technologies’ potential for harm. Such vigilance and agility equate to conscientious policies, laws, rules, and regulations that govern efficient operations without sacrificing effectiveness. One groundbreaking law, notwithstanding its late passage, is Section 1102A. Future legislation should maintain the momentum of its predecessors but account for 1102A’s deficiencies, considering timeliness and relevance. Of course, activities involving AI or different tools should abide by common principles and ethics. “[J]ust as our adversaries and the threats we face continue to evolve,” said former NCSC Director William R. Evanina, “counter-intelligence and security professionals—as custodians of our nation’s secrets—must evolve as well.” With an arsenal of modernized CI governance, professionals can expect an evolution to hinder the United States’ most formidable foes.

