
Thursday, August 16, 2018

American Amateurism

Botched CIA Communications System Helped Blow Cover of Chinese Agents
The number of informants executed in the debacle is higher than initially thought.

BY ZACH DORFMAN

It was considered one of the CIA’s worst failures in decades: Over a two-year period starting in late 2010, Chinese authorities systematically dismantled the agency’s network of agents across the country, executing dozens of U.S. spies.
But since then, a question has loomed over the entire debacle.
How were the Chinese able to roll up the network?
Now, nearly eight years later, it appears that the agency botched the communication system it used to interact with its sources, according to five current and former intelligence officials. 
The CIA had imported the system from its Middle East operations, where the online environment was considerably less hazardous, and underestimated China’s ability to penetrate it.
“The attitude was that we’ve got this, we’re untouchable,” said one of the officials who, like the others, declined to be named discussing sensitive information. 
The former official described the attitude of those in the agency who worked on China at the time as “invincible.”
Other factors played a role as well, including China’s recruitment of former CIA officer Jerry Chun Shing Lee around the same time. 

Chinese mole: Ex-CIA officer Jerry Chun Shing Lee

Federal prosecutors indicted Lee earlier this year in connection with the affair.
But the penetration of the communication system seems to account for the speed and accuracy with which Chinese authorities moved against the CIA’s China-based assets.
“You could tell the Chinese weren’t guessing. The Ministry of State Security [which handles both foreign intelligence and domestic security] were always pulling in the right people,” one of the officials said.
“When things started going bad, they went bad fast.”
The former officials also said the real number of CIA assets and those in their orbit executed by China during the two-year period was around 30, though some sources spoke of higher figures. 
All the CIA assets detained by Chinese intelligence around this time were eventually killed.
The CIA, FBI, and National Security Agency declined to comment for this story. 
The Chinese Embassy in Washington did not respond to requests for comment.
At first, U.S. intelligence officials were “shellshocked,” said one former official. 
Eventually, rescue operations were mounted, and several sources managed to make their way out of China.
One of the former officials said the last CIA case officer to have meetings with sources in China distributed large sums of cash to the agents who remained behind, hoping the money would help them flee.
When the intelligence breach became known, the CIA formed a special task force along with the FBI to figure out what went wrong. 
During the investigation, the task force identified three potential causes of the failure, the former officials said: A possible agent had provided Chinese authorities with information about the CIA asset network, some of the CIA’s spy work had been sloppy and might have been detected by Chinese authorities, and the communications system had been compromised. 
The investigators concluded that a “confluence and combination of events” had wiped out the spy network, according to one of the former officials.
Eventually, U.S. counterintelligence officials identified Lee, the former CIA officer who had worked extensively in Beijing, as China’s informant. 
Lee was in contact with his handlers at the Ministry of State Security through at least 2011.
Chinese authorities paid Lee hundreds of thousands of dollars for his efforts, according to the documents. 
He was indicted in May of this year on a charge of conspiracy to commit espionage.
But Lee’s betrayal alone could not explain all the damage that occurred in China during 2011 and 2012, the former officials said. 
Information about sources is so highly compartmentalized that Lee would not have known their identities. 
That fact and others reinforced the theory that China had managed to eavesdrop on the communications between agents and their CIA handlers.
When CIA officers begin working with a new source, they often use an interim covert communications system—in case the person turns out to be a double agent.
The communications system used in China during this period was internet-based and accessible from laptop or desktop computers, two of the former officials said.
This interim, or “throwaway,” system, an encrypted digital program, allows for remote communication between an intelligence officer and a source, but it is also separated from the main communications system used with vetted sources, reducing the risk if an asset goes bad.
Although they used some of the same coding, the interim system and the main covert communication platform used in China at this time were supposed to be clearly separated. 
In theory, if the interim system were discovered or turned over to Chinese intelligence, people using the main system would still be protected—and there would be no way to trace the communication back to the CIA. 
But the CIA’s interim system contained a technical error: It connected back architecturally to the CIA’s main covert communications platform. 
When the compromise was suspected, the FBI and NSA both ran “penetration tests” to determine the security of the interim system. 
They found that cyber experts with access to the interim system could also access the broader covert communications system the agency was using to interact with its vetted sources, according to the former officials.
In the words of one of the former officials, the CIA had “fucked up the firewall” between the two systems.
U.S. intelligence officers were also able to identify digital links between the covert communications system and the U.S. government itself, according to one former official—links the Chinese agencies almost certainly found as well. 
These digital links would have made it relatively easy for China to deduce that the covert communications system was being used by the CIA. 
In fact, some of these links pointed back to parts of the CIA’s own website, according to the former official.
The covert communications system used in China was first employed by U.S. security forces in war zones in the Middle East, where the security challenges and tactical objectives are different, the sources said. 
“It migrated to countries with sophisticated counterintelligence operations, like China,” one of the officials said.
The system was not designed to withstand the scrutiny of a place like China, where the CIA faced a highly sophisticated intelligence service and a completely different online environment.
As part of China’s Great Firewall, internet traffic there is watched closely, and unusual patterns are flagged. 
Even in 2010, online anonymity of any kind was proving increasingly difficult.
Once Chinese intelligence obtained access to the interim communications system, penetrating the main system would have been relatively straightforward, according to the former intelligence officials.
The window between the two systems may have only been open for a few months before the gap was closed, but the Chinese broke in during this period of vulnerability.
Precisely how the system was breached remains unclear. 
The Ministry of State Security might have run a double agent who was given the communication platform by his CIA handler. 
Another possibility is that Chinese authorities identified a U.S. agent—through information provided by Lee—and seized that person’s computer. 
Alternatively, authorities might have identified the system through a pattern analysis of suspicious online activities.
China was so determined to crack the system that it had set up a special task force composed of members of the Ministry of State Security and the Chinese military’s signals directorate (roughly equivalent to the NSA), one former official said.
Once one person was identified as a CIA asset, Chinese intelligence could then track the agent’s meetings with handlers and unravel the entire network. (Some CIA assets whose identities became known to the Ministry of State Security were not active users of the communications system, the sources said.)
One of the former officials said the agency had “strong indications” that China shared its findings with Russia, where some CIA assets were using a similar covert communications system. 
Around the time the CIA’s source network in China was being eviscerated, multiple sources in Russia suddenly severed their relationship with their CIA handlers, according to an NBC News report that aired in January—and confirmed by this former official.
The failure of the communications system has reignited a debate within the intelligence community about the merits of older, lower-tech methods for covert interactions with sources, according to the former officials.
There is an inherent paradox to covert communications systems, one of the former officials said: The easier a system is to use, the less secure it is.
The former officials said CIA officers operating in China since the debacle had reverted to older methods of communication, including interacting surreptitiously in person with sources. 
Such methods can be time-consuming and carry their own risks.
The disaster in China has led some officials to conclude that internet-based systems, even ones that employ sophisticated encryption, can never be counted on to shield assets.
“Will a system always stay encrypted, given the advances in technology? You’re supposed to protect people forever,” one of the former officials said.

Saturday, May 20, 2017

Chinese-American Double Loyalty

Killing C.I.A. Informants, China Crippled U.S. Spying Operations
By MARK MAZZETTI, ADAM GOLDMAN, MICHAEL S. SCHMIDT and MATT APUZZO

The Chinese killed or imprisoned 18 to 20 C.I.A. sources from 2010 through 2012.

WASHINGTON — The Chinese government systematically dismantled C.I.A. spying operations in the country starting in 2010, killing or imprisoning more than a dozen sources over two years and crippling intelligence gathering there for years afterward.
American officials described the intelligence breach as one of the worst in decades. 
It set off a scramble in Washington’s intelligence and law enforcement agencies to contain the fallout, but investigators were bitterly divided over the cause. 
Some were convinced that a mole within the C.I.A. had betrayed the United States.
Others believed that the Chinese had hacked the covert system the C.I.A. used to communicate with its foreign sources. 
Years later, that debate remains unresolved.
But there was no disagreement about the damage. 
From the final weeks of 2010 through the end of 2012, according to former American officials, the Chinese killed at least a dozen of the C.I.A.’s sources.
According to three of the officials, one was shot in front of his colleagues in the courtyard of a government building — a message to others who might have been working for the C.I.A.
Still others were put in jail. 
All told, the Chinese killed or imprisoned 18 to 20 of the C.I.A.’s sources in China, according to two former senior American officials, effectively unraveling a network that had taken years to build.
Assessing the fallout from an exposed spy operation can be difficult, but the episode was considered particularly damaging. 
The number of American assets lost in China rivaled those lost in the Soviet Union and Russia during the betrayals of both Aldrich Ames and Robert Hanssen, formerly of the C.I.A. and the F.B.I., who divulged intelligence operations to Moscow for years.
The previously unreported episode shows how successful the Chinese were in disrupting American spying efforts and stealing secrets years before a well-publicized breach in 2015 gave Beijing access to thousands of government personnel records, including intelligence contractors. 
The C.I.A. considers spying in China one of its top priorities, but the country’s extensive security apparatus makes it exceptionally hard for Western spy services to develop sources there.
At a time when the C.I.A. is trying to figure out how some of its most sensitive documents were leaked onto the internet two months ago by WikiLeaks, and the F.B.I. investigates ties between Trump’s campaign and Russia, the unsettled nature of the China investigation demonstrates the difficulty of conducting counterespionage investigations into sophisticated spy services like those in Russia and China.
The C.I.A. and the F.B.I. both declined to comment.
Details about the investigation have been tightly held. 
Ten American officials described the investigation on the condition of anonymity because they did not want to be identified discussing the information.

Investigators still disagree how it happened, but the unsettled nature of the China investigation demonstrates the difficulty of conducting counterespionage investigations into sophisticated spy services.

The first signs of trouble emerged in 2010. 
At the time, the quality of the C.I.A.’s information about the inner workings of the Chinese government was the best it had been for years, the result of recruiting sources deep inside the bureaucracy in Beijing, four former officials said. 
Some were Chinese nationals who the C.I.A. believed had become disillusioned with the Chinese government’s corruption.
But by the end of the year, the flow of information began to dry up. 
By early 2011, senior agency officers realized they had a problem: Assets in China, one of their most precious resources, were disappearing.
The F.B.I. and the C.I.A. opened a joint investigation run by top counterintelligence officials at both agencies. 
Working out of a secret office in Northern Virginia, they began analyzing every operation being run in Beijing. 
One former senior American official said the investigation had been code-named Honey Badger.
As more and more sources vanished, the operation took on increased urgency. 
Nearly every employee at the American Embassy was scrutinized, no matter how high ranking. 
Some investigators believed the Chinese had cracked the encrypted method that the C.I.A. used to communicate with its assets.
Others suspected a traitor in the C.I.A., a theory that agency officials were at first reluctant to embrace — and that some in both agencies still do not believe.
Their debates were punctuated with macabre phone calls — “We lost another one” — and urgent questions from the Obama administration wondering why intelligence about the Chinese had slowed.
The mole hunt eventually zeroed in on a former agency operative who had worked in the C.I.A.’s division overseeing China.
But efforts to gather enough evidence to arrest him failed, and he is now living in another Asian country, current and former officials said.
There was good reason to suspect an insider, some former officials say. 
Around that time, Chinese spies compromised National Security Agency surveillance in Taiwan by infiltrating Taiwanese intelligence, an American partner, according to two former officials. 
And the C.I.A. had discovered Chinese operatives in the agency’s hiring pipeline, according to officials and court documents.
But the C.I.A.’s top spy hunter, Mark Kelton, resisted the mole theory, at least initially, former officials say. 
Mr. Kelton had been close friends with Brian J. Kelley, a C.I.A. officer who in the 1990s was wrongly suspected by the F.B.I. of being a Russian spy. 
The real traitor, it turned out, was Mr. Hanssen. 
Mr. Kelton often mentioned Mr. Kelley’s mistreatment in meetings during the China episode, former colleagues say, and said he would not accuse someone without ironclad evidence.
Those who rejected the mole theory attributed the losses to sloppy American tradecraft at a time when the Chinese were becoming better at monitoring American espionage activities in the country. Some F.B.I. agents became convinced that C.I.A. handlers in Beijing too often traveled the same routes to the same meeting points, which would have helped China’s vast surveillance network identify the spies in its midst.
Some officers met their sources at a restaurant where Chinese agents had planted listening devices, former officials said, and even the waiters worked for Chinese intelligence.
This carelessness, coupled with the possibility that the Chinese had hacked the covert communications channel, would explain many, if not all, of the disappearances and deaths, some former officials said.
Some in the agency, particularly those who had helped build the spy network, resisted this theory and believed they had been caught in the middle of a turf war within the C.I.A.
Still, the Chinese picked off more and more of the agency’s spies, continuing through 2011 and into 2012.
As investigators narrowed the list of suspects with access to the information, they started focusing on a Chinese-American who had left the C.I.A. shortly before the intelligence losses began. 
Investigators believed he had become disgruntled and had begun spying for China. 
The man had access to the identities of C.I.A. informants and fit all the indicators on a matrix used to identify espionage threats.
After leaving the C.I.A., the man decided to remain in Asia with his family and pursue a business opportunity, which some officials suspect that Chinese intelligence agents had arranged.
Officials said the F.B.I. and the C.I.A. lured the man back to the United States around 2012 with a ruse about a possible contract with the agency, an arrangement common among former officers. Agents questioned the man, asking why he had decided to stay in Asia, concerned that he possessed a number of secrets that would be valuable to the Chinese. 
It’s not clear whether agents confronted the man about whether he had spied for China.
The man defended his reasons for living in Asia and did not admit any wrongdoing, an official said. He then returned to Asia.
By 2013, the F.B.I. and the C.I.A. concluded that China’s success in identifying C.I.A. agents had been blunted — it is not clear how — but the damage had been done.
The C.I.A. has tried to rebuild its network of spies in China, officials said, an expensive and time-consuming effort led at one time by the former chief of the East Asia Division. 
The former chief was particularly bitter because he had worked with the suspected mole and recruited some of the spies in China who were ultimately executed.
China has been particularly aggressive in its espionage in recent years, beyond the breach of the Office of Personnel Management records in 2015, American officials said. 
Last year, an F.B.I. employee pleaded guilty to acting as a Chinese agent for years, passing sensitive technology information to Beijing in exchange for cash, lavish hotel rooms during foreign travel and prostitutes.
In March, prosecutors announced the arrest of a longtime State Department employee, Candace Marie Claiborne, accused of lying to investigators about her contacts with Chinese officials. According to the criminal complaint against Ms. Claiborne, who pleaded not guilty, Chinese agents wired cash into her bank account and showered her with gifts that included an iPhone, a laptop and tuition at a Chinese fashion school.
In addition, according to the complaint, she received a fully furnished apartment and a stipend.