Schneier on Security

Randle • February 7, 2007 10:37 AM

Half Cover Will Travel
By
Randle Flagg

This opinion article is submitted to be distributed freely and to generate opinions.

When is the government or better yet intelligence agencies going to get serious about cover for its employees? Now I know people might say, before 911 they had not a clue, well I am here to say in my opinion, after 911 they still are not doing enough. That is until someone proves me wrong. The CIA and others have recently told potential applicants not to tell anyone if possible of their intentions of applying as it might make it hard for them to do cover work.

The role of cover as defined is :To protect by contrivance or expedient, to hide from sight or knowledge. Let us take a for instance.

When a Person ( Bob) applies for a job at the National Security Agency or Central Intelligence Agency, Defense Intelligence Agency, Federal Bureau of Investigation or any of the others, that is considered of national security, it is usually done through several ways. First through the agency website. Now if I do not want anyone to know that I am going to apply there, how do I know that my connection is safe. For argument sake, I apply through my home computer, which uses a Internet connection supplied by the wonderfully fast XYZ Inc. Which is a USA owned company. Now I have been surfing, find the agency website and apply. Everything up to the point when I apply is open for my provider, XYZ to see. Unless I use a secure connection or anonymizer, but do we really think the government would let exist such communications without being able to monitor, ya right. For argument sake lets say XYZ is a growing company with billions of dollars, and in need of many people to handle administration to networks , router, switches and customer accounts. I am joe hiring manager and I need 100 service reps to handle customer accounts and phone issues. I need another 100 to handle the telecoms infrastructure and I need another 100 for software programming. XYZ is a consciousness company and is concerned about getting the right people hired and for argument sake they only advertise to hire US citizens. As joe hiring manager I am super busy and rely on my crack Human Resource team to vet all employees. Human Resources, has the best software and does online background checks on theses employees and all 300 pass muster. WOW, Human Resources must be really good and they did a background check, meaning they looked back 5 maybe 10 years on a credit report. Red Flag! Also, they did not call references or run names through FBI as they were too busy thinking of their next move to get Human Resources elevated to a boardroom seat and the FBI does not have the people to handle running names for every corporate company, even though it is only 300 people that XYZ has in their entire company. So now as joe hiring manager I have 300 people composed of Asian, Indian, American, Muslim, and other assorted people who are god loving USA loving patriots and I have nothing to worry about, WRONG.

Whats wrong with this picture? The fact is that XYZ has 80,000 employees not 300, is that no where in this chain can a company total guard against the potential wrong insider or foreign intelligence service. Worse yet, lets figure that of the 80,000 only 10 are bad folks and of that 10 only 5 are supplanted by a foreign country to gather Intel. Yes I said supplanted! Do you think for one second that foreign Intel services have not instructed their students going to college here for 10 years or more to assimilate, become one and then suck us dry. The fact is the FBI has said publicly that just china alone has over 3000 front businesses, never mind the tens of thousands of students. Foreign intelligence tells their people to go to the USA and set up a life, get a house, marry, join the local clubs, establish a credit history and perhaps a SS#. Oh did I mentioned that my crack Human Resources department ran social security numbers and none came back as bad. Why, because the system is broke and the social security administration cannot verify a foreign intelligence agent as they have been here for 10 years and got a number the legal way!

Do you think for one second that foreign intelligence services would rather milk our USA companies for intelligence rather then try to plant spies inside the intelligence agencies themselves as it is way to hard and the failure rate would be cost prohibitive, but I am sure they point a few of them that way for yucks. Now back to our bright, well educated person,Bob who has looked up every grain of sand on his next employer, with his XYZ connection -in this case the intelligence agencies and then applied. That might be a nice piece of info combined with their IP address, account on XYZ , where they live, what restaurants they like to research and eat at ( nice for a bump into meeting),who they email, what school they go to or current job, who they write love letters to - behind their spouses back, what porn they surf, what electronics they buy and might have in their house--( don't think for one minute that foreign Intel services are not capable of engineering a micro camera and or recording devices into your house, TV , stereo, alarm system or whatever if they know you are going to work for any Intel outfit or area of interest. Just because USA Intel does it does not mean they are the only game in town. The point is, Bob's cover is blown before he even starts. What about Bob's neighbors, are they hacking him by WiFi??

Let us go one step further; Bob uses a secure connection to surf and apply, he gets a interview and a letter is sent from the agency which he applied to his address at home or at the 600 unit apartment building he rents at and bang, the postal guy accidentally puts Bobs interview letter/ form that the agency sent into his neighbors box. His neighbor, might be someone he knows, does not know, is a blabber mouth, or just happens to be someone who is a collector of information and sees who it is from and it now ends up on the Internet or makes note of it or does not even give the letter to Bob and reads it himself (Numan) so much for Bob's cover. Lets say Bob has made it through the tests for the job and now has to have a background investigation. This now means that Bob, has to has atleasts 8 people he knows, know he is doing something a little out of the ordinary and the background investigator is going to knock on his neighbors doors who might be foreign Intel or blabber mouths or gossip kings and queens at their local country club. red flag. Even if the investigator tells all these people he works for the local consulting company and is just checking references, he still has to ask the questions on the SF86 and others that totally blow any covertness.

Moving on,now lets say Bob has not had a breach of security though the interview and is hired. He has to have direct deposit to his Bank, Bank of The United States and they only have 1000 employees ya right make that 200,000 and operate in several countries and/or share personal information for marketing purposes with companies that are of suspect origin. red flag! forget that last foe pa! Bob is under cover working for a Intel agency, what shows up in his bank statements??? I bet it has something to do with the government, red flag! What about his health insurance he has through the government, surely company XYZ has it under control. What does it look like when half his premium gets paid by a government entity? red flag! What about the life insurance, long term care, errors and emission insurance; which many Intel folks buy to CYA, but who is CYAing them and the company? So all these red flags, and lets say for argument sake he has not been found out. Wait a minute Bob gets sick and goes to the hospital and presents his health insurance card, the admission person see this and says, oh you work for the government, my friend I know has the same insurance and works for the intelligence agencies. red flag! Or one of Bob's family members has to use health ins or other covered service,if Bob had a family, were they given instructions on how to present themselves or will his wife or if it were Alice, her husband, blab about it the work? red flag.

How about this; one day Bob is mowing his lawn and sees his neighbor,our man Flynn,who starts talking to him and asks, hey Bob, what do you do for a living, ( Bob replies ) oh I work for the DOD, wrong answer. red flag. I work for a consulting company,XYZ, wrong answer, red flag,a lie that now must have to be proven true, you see our man Flynn is in the Intel business and knows already that several of the neighbors are consultants but really work for NSA,CIA etc.. You see Bob, was never given a ( Non Official Cover and story ) to aid him or never told not to tell anyone or trained in rehearsing the company line. In addition to Bobs latest foe par, Bob has been going to many meetings in the government sector, and private sector as a scientist and putting down his real name, agency email address and agency address on all the sign-in sheets, Bad Bob. He also was never given a cover name, because, well the agency did not think he needed it or it is to expensive to think up one with a cover story. Bob is FU&*ed throughout this entire process.

OK, I know you might be saying , your crazy , paranoid, ma sugar, bats in the belfry. Reverting back to the XYZ example, lets forget that it was a USA owned Internet company. How about a French owned telecoms or perhaps a china telecoms or how about Print, Herizon, Xtel ( Not there real names but sound like) get the picture. There are many companies both USA owned and foreign owned that have connections / business in the USA that Bob is F*c*ed before he even wakes up. Any company that thinks it can compartmentalize like a intelligence agency and still say they operate like a public business and can assure you that your privacy is safe, can now get up and leave the room single file. Lets take another example, I am a Intel officer of a foreign company outside the USA but surfing with Google. I plug the following inquiry in:XYZ.gov
Dam that returns Bob's email address and a leads right to a Intel agency along with all the other agencies Bob has been emailing, thus the names of people who might have thought they wanted to work under cover at one time but have been compromised and did not even know it. What if I only want excel spreadsheets,word docs, PDF's! That brings up meetings with all kinds of folks emails and affiliations

How about the other USA Intel domains. What about a search on the Intel agencies name plus Resume. I suspect folks who list there resume online and work history's at the government places mentioned are asking for foreign Intel to make a note so next time they travel on vacation to an overseas location, our man Flynn or one of his brothers will be on your left!