
The Importance of Policies and Procedures in
Improving Security Awareness

Written by David G. Patterson, CHS-III, MEA, CPP, PSP

Counterintelligence has traditionally been a battle of spies versus counter-spies, where national intelligence agencies have been pitted one against the other in an effort to advance their own nations' policies and expand their strategic influence. While these threats from national intelligence agencies still exist, we are now also faced with non-traditional counterintelligence threats in which individuals are targeting United States interests without being directly controlled by a foreign intelligence agency or terrorist group. This article examines emerging non-traditional counterintelligence threats and makes recommendations on how to best address them. The vision for the future of counterintelligence is one of integrated agencies, where the whole is greater than the sum of its individual parts. Counterintelligence must be agile, able to adjust to changing conditions and developing threats, and able to respond to the full range of intelligence threats facing United States national and homeland security.

Non-Traditional Counterintelligence Threats

The Department of Defense (2011, p.85) defined counterintelligence as: "Information gathered and activities conducted to identify, deceive, exploit, disrupt, or protect against espionage, other intelligence activities, sabotage, or assassinations conducted for or on behalf of foreign powers, organizations or persons or their agents, or international terrorist organizations or activities." Counterintelligence has traditionally been a battle of spies versus counter-spies, where national intelligence agencies have been pitted one against the other in an effort to advance their own nations' policies and expand their strategic influence. Counterintelligence is an important part of both national defense and homeland security, but historically counterintelligence has not been given the same emphasis as other functions within the intelligence community. The Commission on the Intelligence Capabilities of the United States Regarding Weapons of Mass Destruction (2005, p. 485) stated: "counterintelligence efforts remain fractured, myopic, and marginally effective. Our counterintelligence philosophy and practices need dramatic change, starting with centralizing counterintelligence leadership, bringing order to bureaucratic disarray, and taking our counterintelligence fight overseas to adversaries currently safe from scrutiny." This weakness in the nation's counterintelligence capability is one of the major challenges faced in today's national and homeland security environment—a challenge that must be addressed.

The fall of the Berlin Wall, the dissolution of the Warsaw Pact, and the defeat of Soviet Communism did not bring an end to foreign intelligence services targeting the United States for espionage and subversion. The United States still faces a foreign intelligence threat from countries such as the People's Republic of China and Russia. Even long-standing U.S. allies such as France, Israel, and India use espionage to acquire American political, military, and trade secrets. Michelle K. Van Cleave, National Counterintelligence Executive from 2003 to 2006, stated that the majority of the world's governments and 35 separate terrorist organizations target the United States through human intelligence (HUMINT) collection (Van Cleave, 2007). Robert Mueller III, Director of the FBI, emphasized this continuing espionage threat in a statement before the Senate Judiciary Committee, but pointed out that the United States also faces threats from non-traditional collectors (Mueller III, 2011).

Initially, it might be argued that non-traditional adversaries lack the capabilities to penetrate deeply into U.S. Government agencies. They lack the funding, training, resources, and technical capabilities of a national level foreign intelligence service. The intelligence threats from countries such as China or Russia, it may be argued, are more plausible and likely adversaries faced by the United States (Harber, 2009).

However, while espionage and subversion conducted by national level foreign intelligence services pose a continuing threat and certainly should not be discounted, recent history is filled with examples of non-traditional threats.

Bradley E. Manning

In March 2010, Bradley E. Manning, a U.S. Army enlisted intelligence analyst, was arrested and charged with providing classified U.S. diplomatic cables, classified military documents, and videos to persons who then posted this information to the WikiLeaks (http://www.wikileaks.ch/) website. Unlike in traditional espionage, Manning did not appear to have been working as an asset of a foreign intelligence service. In times of war, however, access to the type of information stolen by Manning would certainly aid the enemy. Even if it can be argued that Manning had no specific intent to aid the enemy, it is certain that information released into the public venue would be accessed by enemies of the United States and would therefore be detrimental to the security of the United States.

Nidal Malik Hasan

On November 5, 2009, Nidal Malik Hasan, a U.S. Army commissioned officer, went on a shooting rampage at Fort Hood, TX, where he killed 13 people and wounded 32 others. Although Hasan was in regular e-mail communication with Anwar al Awlaki (a radical Yemeni cleric and suspected terrorist leader), it does not appear that Hasan was acting under specific instructions from al Awlaki when he conducted his attack against U.S. military personnel at Fort Hood. However, in the e-mails exchanged between Hasan and Anwar al Awlaki there were clear indications that Hasan had turned against the United States and was likely planning to take some action to kill Americans. According to Ross and Schwartz (2009), Hasan wrote in e-mails to Anwar al Awlaki, "I can't wait to join you in afterlife." To Lt. Col. Tony Shaffer, a military analyst at the Center for Advanced Defense Studies, this wording indicated that Hasan was offering himself up for death, or that he had already crossed that line in his own mind. Investigation also found that Hasan had donated between $20,000 and $30,000 per year to Islamic charities overseas, and that a "number of Islamic charities have been identified by U.S. authorities as conduits to terror groups" (Ross and Schwartz, 2009).

Countering the Non-Traditional Threat

The actions of individuals like Manning and Hasan are unique in that while they are committing acts of espionage and terrorism, they are not working directly for a foreign intelligence service or identified terrorist organization. The indicators (such as undue affluence) that might allow counterintelligence personnel to detect espionage conducted for a foreign intelligence service simply do not exist with the non-traditional threats. However, other indicators do exist which, if identified, analyzed, and properly responded to, can mitigate or neutralize these non-traditional counterintelligence threats. A centralized system for suspicious activity reporting is essential for effective counterintelligence operations.

In February 2002, Department of Defense Directive (DoDD) 5105.67 established the Counterintelligence Field Activity (CIFA). The purpose of CIFA was to develop and manage counterintelligence programs within the Department of Defense, and to protect "against foreign influence and manipulation, as well as to detect and neutralize espionage against the Department" (DoDD 5105.67, para. 3). The formation of CIFA was a significant step in improving counterintelligence capability within the Department of Defense. The Threat and Local Observation Notice (TALON) reporting system, adopted by CIFA from the U.S. Air Force, provided "the ability to acquire and analyze suspicious activity reports for indications of possible terrorist pre-attack activities (which) is an absolutely critical component of the intelligence support to (the) force protection mission" (Richelson, 2007). In addition to receiving reports from the military, CIFA's reporting system also included the Joint Protection Enterprise Network (JPEN), which allowed for input from law enforcement agencies and other elements within the intelligence community.

The TALON/JPEN reporting system was an effective tool for reporting and tracking non-traditional counterintelligence threats. The Inspector General of the United States Department of Defense (2007, p. 1) stated:

The TALON report is a law enforcement report designed to report anomalies, observations that are suspicious against the steady state context, and immediate indicators of potential threats or antiterrorism concerns. TALONs are raw, non-validated information, may or may not be related to an actual threat, and by their very nature, may be fragmented and incomplete.

This ability to report on anomalies and suspicious activity was a significant tool in identifying non-traditional threats. In almost all cases of threat activity there are indicators that if observed, reported, and analyzed can be acted upon to neutralize or mitigate the identified threat. What may seem to be a small or insignificant incident when viewed alone may turn out to be a key indicator of a terrorist or other criminal threat when analyzed with other similar pieces of information. An example of these criminal acts was provided by the Pierce County, WA Sheriff's Department stating that anti-military protestors at Joint Base Lewis-McChord, WA had disrupted traffic, assaulted police officers, and committed arsons during their protests (Pawloski, 2011). It is important to remember that little things catch big things.

The Inspector General of the United States Department of Defense (2007) found that as part of the TALON/JPEN reporting system CIFA legally collected information about individuals protesting the military. The information was collected for law enforcement and force protection purposes as permitted under Department of Defense regulations. CIFA did not violate the law in collecting information about anti-military demonstrations.

Reviewing a sample of 157 reports discussing actual anti-military events showed 75 reports that identified events where the individuals involved had committed acts of violence or destruction of property, resulting in arrests and court appearances. Thus 48% of the reports identified an actual and specific threat against military personnel or facilities. Although CIFA was found to be acting within the law and the reporting through TALON/JPEN identified specific and actual threats, there was significant negative press concerning the possibility of violation of civil rights and intelligence gathering on U.S. citizens. According to a letter from Acting Deputy Undersecretary of Defense Roger W. Rogalski in response to a request from Vermont Senator Patrick Leahy, a review of the TALON/JPEN database found only 43 names that had been improperly added to the system. These names were all from reports related to anti-military protests and demonstrations (MSNBC, 2006).

Because of concerns regarding the collection of information on U.S. citizens, the TALON/JPEN system was deactivated in June 2006, and CIFA was shut down in August 2008. At the same time that CIFA was shut down, the Department of Defense set up the Defense Counterintelligence and Human Intelligence Center (CI/HUMINT Center) under the direction of the Defense Intelligence Agency. However, the newly established CI/HUMINT Center did not have the law enforcement designation that was held by CIFA (Office of the Assistant Secretary of Defense [Public Affairs], 2008). The lack of a law enforcement designation meant that much of the reporting and analysis that existed with CIFA was not available to the CI/HUMINT Center.

The current counterintelligence reporting system and information-sharing environment need to be enhanced and integrated into all aspects of the national and homeland security environment. Personnel from all levels of law enforcement, homeland security, intelligence, national defense, and private-sector partners must be included in a system that allows for reporting of suspicious activity and threat indicators, that provides for analysis and development of intelligence, and that disseminates this information to end-users in a timely manner.


There are several counterintelligence challenges faced by the United States. These include foreign powers—such as China and Russia—opposing U.S. interests. Non-state actors such as terrorist groups, violent extremists, insurgents, and transnational criminal groups pose a continuing threat to the United States. Global economics, energy demand and consumption, changing technologies, and pandemic disease must be addressed by U.S. national and homeland security strategies (Director of National Intelligence, 2009). Counterintelligence is a function that is essential to all sectors of the nation's infrastructure and a function that should be incorporated into each of the critical infrastructure sectors.

Information sharing has an essential role in both national and homeland security strategies. Greater emphasis on information sharing with the private-sector, and making information more readily available to private-sector end-users must be incorporated into future counterintelligence and security strategies.

A publicly accessible database to screen individuals that pose a threat to homeland security (similar to the National Sex Offender Public Registry - http://www.nsopw.gov/) is necessary to aid the private sector in safeguarding its facilities and assets. This database should include identified homeland security threats, a consolidation of most-wanted lists from law enforcement agencies, and a screening capability to verify U.S. citizenship and lawful presence in the United States (similar to the e-Verify System). Although there are several 'most wanted' lists posted online (e.g. FBI 10 Most Wanted, U.S. Marshals Service 15 Most Wanted, and various state and local law enforcement agency most wanted lists), there is no publicly available consolidated database where names can be searched and criminals and other threats identified.

Security of cyberspace plays a key role in national and homeland security. Emphasis should be placed on the funding and development of cyber-security technologies. Crimes committed by exploiting cyber-vulnerabilities should be vigorously prosecuted. Integrating counterintelligence with cyber-security helps to incorporate the counterintelligence function into each of the critical infrastructure sectors.

Enhanced counterintelligence capability is needed to safeguard U.S. national interests against foreign penetration and insider threat. In addition to its defensive capabilities, counterintelligence must develop its offensive capabilities and expand operations against targets overseas.

The U.S. Intelligence Community should work in conjunction with the private-sector to develop, obtain, and maintain an economic advantage in international business. A competitive intelligence (business intelligence) capability should be developed and maintained within the Intelligence Community and led by counterintelligence personnel.

The vision for the future of counterintelligence is one of integrated agencies, where the whole is greater than the sum of its individual parts. Counterintelligence must be agile, able to adjust to changing conditions and developing threats, and able to respond to the full range of intelligence threats facing United States national and homeland security. Finally, counterintelligence must operate within the rule of law, safeguarding the privacy and civil rights of the American people while targeting threats to the United States (Director of National Intelligence, 2009).


Commission on the Intelligence Capabilities of the United States Regarding Weapons of Mass Destruction. (2005). Unclassified Version of the Report of the Commission on the Intelligence Capabilities of the United States Regarding Weapons of Mass Destruction. March 31, 2005. Retrieved from http://www.gpoaccess.gov/wmd/

Department of Defense. (2011). Joint Publication 1-02, DOD Dictionary of Military and Associated Terms. Washington, DC. Retrieved from http://www.dtic.mil/doctrine/dod_dictionary/

Director of National Intelligence. (2009). National intelligence strategy. August 2009. Retrieved from http://www.dni.gov/reports/2009_NIS.pdf

Harber, J.R. (2009). Unconventional spies: The counterintelligence threat from non-state actors. International Journal of Intelligence and Counterintelligence. 22(2), 221-236. Retrieved from http://dx.doi.org/10.1080/08850600802698200

Inspector General, United States Department of Defense. (2007). The Threat and Local Observation Notice (TALON) Report Program (07-INTEL-09). Retrieved from http://www.fas.org/irp/agency/dod/talon.pdf

MSNBC. (2011, Mar 10). Pentagon admits errors in spying on protesters. Retrieved from http://www.msnbc.msn.com/id/11751418/ns/us_news/t/pentagon-admits-errors-spying-protesters/

Mueller III, R.S. (2011). Statement before the Senate Judiciary Committee. Retrieved from http://www.fbi.gov/news/testimony/oversight-of-the-federal-bureau-of-investigation-1

Office of the Assistant Secretary of Defense (Public Affairs). (2008). DoD activates Defense Counterintelligence and Human Intelligence Center. Retrieved from http://www.defense.gov/releases/release.aspx?releaseid=12106

Pawloski, J. (2011, Jan 25). Ex-worker at JBLM collected activist data. The Olympian Newspaper. Retrieved from http://www.theolympian.com/2011/01/25/1518687/ex-worker-at-jblm-collected-activist.html

Richelson, J. (2007). The Pentagon's counterspies: The Counterintelligence Field Activity (CIFA). In National Security Electronic Briefing Book No. 230. Retrieved from: http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB230/index.htm

Ross, B. & Schwartz, R. (2009, Nov 19). Major Hasan's E-Mail: 'I Can't Wait to Join You' in Afterlife'. ABC News. Retrieved from http://abcnews.go.com/Blotter/major-hasans-mail-wait-join-afterlife/story?id=9130339#.T0puzPVnXqU

Van Cleave, M.K. (2007). Counterintelligence and national strategy. Retrieved from http://www.dtic.mil/cgibin/GetTRDoc?Location=U2&doc=GetTRDoc.pdf&AD=ADA471485

Author Bio

Michael Chesbro, BA, MA, CHS-III, IAC is a crime and intelligence analyst working for the Department of Defense. He is responsible for analyzing and evaluating criminal information and developing law enforcement intelligence products. He served more than 20 years in the United States Army as a radio communications specialist and as a counterintelligence special agent, until his retirement from military service in 2001. Mr. Chesbro is currently pursuing a second master's degree in intelligence studies from the American Military University, to be completed in 2013. He is also a licensed private investigator in Washington State.


Copyright © 2017 American Board for Certification in Homeland Security, CHS®. All Rights Reserved.
2750 East Sunshine St. Springfield, MO 65804   -  1 (877) 219-2519