So you don’t know what CI means.

Don’t be afraid to admit it. In my experience, the general public does not fully grasp what “counterintelligence” (CI) really means in practice; they assume it has to do with catching spies and that’s about it. (That’s actually counterespionage, an aspect of CI, but let’s not get ahead of ourselves.) Here I’m going to provide the technical definition of CI — i.e. the one the U.S. government formally operates under — and what I believe that means in practice.

The United States government’s current authoritative definition of “counterintelligence,” contained in Executive Order (EO) 12333 as amended in 2008, reads:

Counterintelligence means information gathered and activities conducted to identify, deceive, exploit, disrupt, or protect against espionage, other intelligence activities, sabotage, or assassinations conducted for or on behalf of foreign powers, organizations, or persons, or their agents, or international terrorist organizations or activities.

This definition is noteworthy in several ways. First, counterintelligence exists both as a type of information and as a set of activities. Second, this definition includes the activities of deception, exploitation, and disruption — something the definition in the original 1981 version of EO 12333 did not. Third, counterintelligence is applied not only to foreign powers but to terrorist organizations as well. Fourth, this definition excludes traditional security activities — such as the safeguarding of information, personnel, and facilities — which reflects the reality that counterintelligence and security are distinct fields and activities that in practice complement each other. However, it is important to note that security activities are often conflated with counterintelligence in the minds of many both in and out of government.

Counterintelligence, both as a type of information and as a set of activities, is aimed at achieving two related goals. First is detecting, defending against, and denying adversarial actors — particularly their intelligence apparatuses — access to sensitive information and intelligence, thus preserving the secrecy necessary to effectively conduct sensitive government matters ranging from espionage and covert action to economic negotiations and foreign policy formulation. Second is engaging and confronting adversarial intelligence apparatuses in an effort to assess, monitor, deceive, or otherwise exploit them and their masters. These are the respective goals of the defensive and offensive aspects of counterintelligence, but both fundamentally aim to frustrate the intelligence activities of adversaries. Both types of counterintelligence encompass a variety of active and passive activities and sometimes the key to determining if an action is offensive or defensive is not the action itself, but the intent behind the action.

“Counterintelligence information” is information collected during the intelligence process that relates to a foreign intelligence entity (FIE) — especially information related to such an entity’s knowledge, intentions, capabilities, and tradecraft. This includes the recruitment of human penetrations within an FIE or electronic compromise of an FIE’s communications or networks. Foreign intelligence and security services (FISSes) and foreign terrorist organizations (FTOs) both qualify as FIEs. Collection efforts targeting FISSes and FTOs both qualify as “counterintelligence collection,” although the former is usually termed as such while the latter is now called “counterterrorism collection.”

Defensive counterintelligence activities include efforts taken to prevent penetration of the United States by hostile actors, asset validation (efforts undertaken to establish the bona fides of intelligence assets), and counterespionage (the practice of spy-catching). As the result of a variety of factors, including a perception of the American counterintelligence enterprise as being largely reactive in both fiction and public discourse, the typical American’s conception of counterintelligence overemphasizes the defensive, particularly the idea that counterespionage is the central function of all counterintelligence.

Offensive counterintelligence includes the sort of counterintelligence collection described above, especially the cultivation of penetrations — human or otherwise — within foreign intelligence entities. But offensive CI also includes activities aimed at capitalizing on counterintelligence information to mount operations that disinform, deceive, exploit, manipulate, or otherwise disrupt a given FIE. These are often referred to as “degradation operations.” In the modern political and networked environment, degradation operations may appear to mirror the sort of information operations that the public would associate now with covert action, albeit with a very narrow target audience.

The analysis of information gleaned from both offensive and defensive counterintelligence has great potential as a force multiplier. Counterintelligence analysis does this through its ability to lay bare adversary patterns of — among other things — operation, manipulation, and vulnerability. Such analysis benefits not only counterintelligence efforts, but also foreign intelligence and policy formulation.

And I hope this analysis has benefited you, the reader.

Written by

Open source counterintelligence referent. Views here are personal, not my employer’s. All original content © Alex Orleans, 2014–2021.
