Category: Intelligence

Technology Proliferation, Influence Ops May Be as Disruptive as COVID-19


The COVID-19 pandemic has been globally disruptive in nearly every facet of life. But other things may prove as disruptive in the future, said leaders of the military intelligence community.

One advancement that may be as disruptive as COVID-19 is the revolution in information technology that’s available to everybody — not just the U.S. and its allies, Navy Vice Adm. Robert Sharp, director of the National Geospatial-Intelligence Agency, said during an online forum today with the Armed Forces Communications and Electronics Association and the Intelligence and National Security Alliance.

“It’s this revolution in remotely-sensed and geo-located data, which is available to everyone,” he said. “It’s available to us, but it’s also available to our competitors. [Also] the revolution in smart machines and artificial intelligence — once again, [it’s a] great opportunity for us, but it’s not only our opportunity. That’s the competition space.”

Another area of concern is something Sharp called “GEOINT assurance.” With the growth of open-source geospatial intelligence coming from multiple sources, it becomes less certain that the information can be trusted, he said.

“How do you have confidence in the ones and zeros that you’re using for making decisions based off of?” he asked.

Army Gen. Paul Nakasone, director of the National Security Agency and commander of U.S. Cyber Command, cited influence operations as the next possible great disruptor. Influence operations, he said, have a very low barrier to entry, enabling just about anybody to engage in them.

“We’ve seen it now in our democratic processes,” Nakasone said. “I think we’re going to see it in our diplomatic processes, we’re going to see it in warfare, and we’re going to see it in sowing civil distrust in different countries.”

Influence operations, he said, are all enabled by the proliferation of inexpensive technology that allows anybody with an agenda to get online.

“The great technology that’s enabling so much of what we’re doing is also that dual-edged sword that malicious cyber actors and others are being able to use to create doubt, or to be able to question authority, or to be able to … to spread messages that are far from true,” he said. “I think influence operations, just in general, will be for us one of the things that we’ll be dealing with not just every two or four years, but this is the competitive space that we’re going to be in as intelligence agencies and as our nation.”

Blogs to Follow:

Defense.gov (September 2020) Technology Proliferation, Influence Ops May Be as Disruptive as COVID-19

Former CIA Officer Arrested and Charged with Espionage


Alexander Yuk Ching Ma, 67, a former Central Intelligence Agency (CIA) officer, was arrested on Aug. 14, 2020, on a charge that he conspired with a relative of his who also was a former CIA officer to communicate classified information up to the Top Secret level to intelligence officials of the People’s Republic of China (PRC). 

The Criminal Complaint containing the charge was unsealed on Friday.

Assistant Attorney General for National Security John C. Demers, U.S. Attorney for the District of Hawaii Kenji M. Price, Assistant Director of the FBI’s Counterintelligence Division Alan E. Kohler Jr., and Special Agent in Charge of the FBI’s Honolulu Field Office Eli S. Miranda made the announcement.

“The trail of Chinese espionage is long and, sadly, strewn with former American intelligence officers who betrayed their colleagues, their country and its liberal democratic values to support an authoritarian communist regime,” said Assistant Attorney General for National Security John C. Demers.  “This betrayal is never worth it.  Whether immediately, or many years after they thought they got away with it, we will find these traitors and we will bring them to justice.  To the Chinese intelligence services, these individuals are expendable.  To us, they are sad but urgent reminders of the need to stay vigilant.”

“The charges announced today are a sobering reminder to our communities in Hawaii of the constant threat posed by those who seek to jeopardize our nation’s security through acts of espionage,” said U.S. Attorney Price. “Of particular concern are the criminal acts of those who served in our nation’s intelligence community, but then choose to betray their former colleagues and the nation at large by divulging classified national defense information to China. My office will continue to tenaciously pursue espionage cases.”

“This serious act of espionage is another example in a long string of illicit activities that the People’s Republic of China is conducting within and against the United States,” said Alan E. Kohler Jr., Assistant Director of the FBI’s Counterintelligence Division.  “This case demonstrates that no matter the length or difficulty of the investigation, the men and women of the FBI will work tirelessly to protect our national security from the threat posed by Chinese intelligence services.  Let it be known that anyone who violates a position of trust to betray the United States will face justice, no matter how many years it takes to bring their crimes to light.”

“These cases are very complicated and take years if not decades to bring to a conclusion,” said Eli Miranda, Special Agent in Charge of the FBI’s Honolulu Division.  “I could not be more proud of the work done by the men and women of the FBI’s Honolulu Division in pursuing this case. Their dedication is a reminder that the FBI will never waver when it comes to ensuring the safety and security of our nation.”

Ma is a naturalized U.S. citizen born in Hong Kong.

According to court documents, Ma began working for the CIA in 1982, maintained a Top Secret clearance, and signed numerous non-disclosure agreements in which he acknowledged his responsibility and ongoing duty to protect U.S. government secrets during his tenure at CIA.  Ma left the CIA in 1989 and lived and worked in Shanghai, China before arriving in Hawaii in 2001.

According to court documents, Ma and his relative (identified as co-conspirator #1) conspired with each other and multiple PRC intelligence officials to communicate classified national defense information over the course of a decade. 

The scheme began with three days of meetings in Hong Kong in March 2001 during which the two former CIA officers provided information to the foreign intelligence service about the CIA’s personnel, operations, and methods of concealing communications. 

Part of the meeting was captured on videotape, including a portion where Ma can be seen receiving and counting $50,000 in cash for the secrets they provided.

The court documents further allege that after Ma moved to Hawaii, he sought employment with the FBI in order to once again gain access to classified U.S. government information which he could in turn provide to his PRC handlers.

In 2004, the FBI’s Honolulu Field Office hired Ma as a contract linguist tasked with reviewing and translating Chinese language documents. 

Over the following six years, Ma regularly copied, photographed and stole documents that displayed U.S. classification markings such as “SECRET.” 

Ma took some of the stolen documents and images with him on his frequent trips to China with the intent to provide them to his handlers.  Ma often returned from China with thousands of dollars in cash and expensive gifts, such as a new set of golf clubs.

According to court documents, in spring 2019, over the course of two in-person meetings, Ma confirmed his espionage activities to an FBI undercover employee Ma believed was a representative of the PRC intelligence service, and accepted $2,000 in cash from the FBI undercover as a “small token” of appreciation for Ma’s assistance to China.  Ma also offered to once again work for the PRC intelligence service.

On August 12, 2020, during a meeting with an FBI undercover employee before his arrest, Ma again accepted money for his past espionage activities, expressed his willingness to continue to help the Chinese government, and stated that he wanted “the motherland” to succeed.

Ma will make his initial appearance before a federal judge tomorrow in the U.S. District Court for the District of Hawaii.  He is charged with conspiracy to communicate national defense information to aid a foreign government and faces a maximum penalty of life imprisonment if convicted. 

The maximum sentence is prescribed by Congress and is provided here for informational purposes.  In the event Ma is convicted, a federal district court judge will determine any sentence after taking into account the advisory Sentencing Guidelines and other statutory factors.

The investigation was conducted by the FBI’s Honolulu and Los Angeles Field Offices. Assistant U.S. Attorney Ken Sorenson and Trial Attorneys Scott Claffee and Steve Marzen of the National Security Division’s Counterintelligence and Export Control Section are prosecuting the case.

Blogs to Follow:

Justice.gov (August 2020) Former CIA Officer Arrested and Charged with Espionage

CISA Releases Guide for America’s Election Administrators


Federal authorities say one of the gravest threats to the November election is a well-timed ransomware attack that could paralyze voting operations. The threat isn’t just from foreign governments, but any fortune-seeking criminal.

As a result, the Cybersecurity and Infrastructure Security Agency (CISA) released the Guide to Vulnerability Reporting for America’s Election Administrators. The guide walks election officials through the steps of establishing a vulnerability disclosure program. 

Vulnerability disclosures can be an effective way for organizations to benefit from cybersecurity expertise without having it resident in their organization.

CISA released two new assessments and infographics on Election Infrastructure Cyber Risk and Mail-in Voting in 2020 Infrastructure Risk.

Each method of voting carries risk that you, as election officials, manage.

These assessments and infographics are voluntary resources intended to help the Federal Government and election officials understand and manage risks to election infrastructure and operations.

“Election officials have spent years beefing up security to their systems and closing these vulnerability gaps to keep our elections safe and secure,” said CISA Director Christopher Krebs. “Cybersecurity researchers can be great and responsible partners in this effort and we are creating this guide as a way to help state and local election officials understand the support they can offer and how to work with them in our collective, whole of nation effort to protect our elections.”  

The guide aims to help election officials understand the role that the cybersecurity research community can play in helping officials keep systems secure so that the American public’s voice can be clearly heard.

The guide includes a number of best practices for improving and addressing vulnerabilities within election systems, and offers a step-by-step guide for election administrators who seek to establish a successful vulnerability disclosure program.  

An electoral process that is both secure and resilient is a vital national interest and one of CISA’s highest priorities.

CISA is committed to working collaboratively with those on the front lines of elections—state and local governments, election officials, federal partners, and vendors—to manage risks to the Nation’s election infrastructure. CISA will remain transparent and agile in its vigorous efforts to secure America’s election infrastructure from new and evolving threats.

While ultimate responsibility for administering the Nation’s elections rests with state and local governments, CISA offers a variety of free services to help states ensure both the physical security and cybersecurity of their elections infrastructure.

Additionally, election infrastructure’s critical infrastructure designation enables CISA to provide services on a prioritized basis at the request of state and local elections officials.

Blogs to Follow:

CISA.gov (August 2020) CISA RELEASES GUIDE TO VULNERABILITY REPORTING FOR AMERICA’S ELECTION ADMINISTRATORS; ELECTION INFRASTRUCTURE SECURITY

UK Condemns Russian Intelligence Services over Vaccine Cyber Attacks


The Foreign Secretary has called out Russia’s unacceptable cyber attacks against COVID-19 vaccine developers.

On Thursday, the UK called for an end to irresponsible cyber-attacks by the Russian Intelligence Services, who have been collecting information on vaccine development and research into the COVID-19 virus.

This follows a joint advisory today (16 July) by the UK’s National Cyber Security Centre (NCSC), the US and Canada on how to protect against these attacks.

The Foreign Secretary, Dominic Raab, said, “It is completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic. While others pursue their selfish interests with reckless behavior, the UK and its allies are getting on with the hard work of finding a vaccine and protecting global health.”

“The UK will continue to counter those conducting such cyber-attacks, and work with our allies to hold perpetrators to account,” Raab said.

The UK shared some details:

  • The actors responsible are known and tracked in open source as APT29, Cozy Bear and The Dukes.
  • NCSC are almost certain (95%+) that APT29 are part of the Russian Intelligence Services. APT29 has targeted medical research and development organizations. NCSC assess it is highly likely (80 – 90%) that this activity was to collect information on COVID-19 vaccine research or research into the COVID-19 virus itself.
  • Find further details on the framework used by the UK government for all source intelligence assessments, including the probability yardstick.
  • NCSC advice on how to protect against this threat is available.

The UK released the report “APT29 targets COVID-19 vaccine development,” which details recent Tactics, Techniques and Procedures (TTPs) of the group commonly known as ‘APT29’, also known as ‘the Dukes’ or ‘Cozy Bear’.

The report provides indicators of compromise as well as detection and mitigation advice.

The United Kingdom’s National Cyber Security Centre (NCSC) and Canada’s Communications Security Establishment (CSE) assess that APT29 (also known as ‘the Dukes’ or ‘Cozy Bear’) is a cyber espionage group, almost certainly part of the Russian intelligence services. The United States’ National Security Agency (NSA) agrees with this attribution and the details provided in this report.

The United States’ Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA) endorses the technical detail and mitigation advice provided in this advisory.

The group uses a variety of tools and techniques to predominantly target governmental, diplomatic, think-tank, healthcare and energy targets for intelligence gain.

Throughout 2020, APT29 has targeted various organizations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines.

APT29 is using custom malware known as ‘WellMess’ and ‘WellMail’ to target a number of organizations globally. This includes those organizations involved with COVID-19 vaccine development. WellMess and WellMail have not previously been publicly associated with APT29.

Blogs to Follow:

NCSC.gov.uk; Gov.UK (July 2020) Advisory: APT29 targets COVID-19 vaccine development; UK condemns Russian Intelligence Services over vaccine cyber attacks

Berkeley County woman admits to willful retention of top secret national defense documents and international parental kidnapping


Elizabeth Jo Shirley, of Hedgesville, West Virginia, has admitted to unlawfully retaining a document containing national defense information and committing international parental kidnapping, Assistant Attorney General John C. Demers and U.S. Attorney William J. Powell for the Northern District of West Virginia announced.

Shirley, 46, pled guilty to one count of “Willful Retention of National Defense Information” and one count of “International Parental Kidnapping.” 

Shirley admitted to unlawfully retaining a National Security Agency (NSA) document containing information classified at the TOP SECRET/SECRET COMPARTMENTED INFORMATION (“TS/SCI”) level relating to the national defense that outlines intelligence information regarding a foreign government’s military and political issues. 

Shirley also admitted to removing her child, of whom she was the non-custodial parent, to Mexico with the intent to obstruct the lawful exercise of the custodial father’s parental rights.

“When Shirley took classified information from her work with the Intelligence Community and later fled to Mexico, she violated the confidence placed in her by the American people,” said Assistant Attorney General for National Security John C. Demers. “She doubled down on this betrayal when she sought to offer classified information to the Russian government.  We are grateful for our law enforcement partners’ timely work to locate and arrest the defendant in Mexico.  Given Shirley’s troubling conduct after fleeing the United States, the damage to national security could have been far greater had law enforcement not acted swiftly.  Shirley will now be held accountable for betraying the trust of the American people.”

“High level security clearance requires a commensurate level of trust.  Shirley breached that trust and attempted to put our country at risk.  National security is one of our highest priorities and always will be.  Shirley will now face the consequences of her actions,” said William J. Powell.

“Federal government employees and contractors with high level security clearances pledge to protect classified information from foreign adversaries. It’s an essential responsibility in guarding our country’s national security,” said FBI Pittsburgh Special Agent in Charge Michael Christman. “Ms. Shirley had a duty to safeguard classified information. Instead, she chose to break the law and trust placed in her and made plans to pass national defense information to Russian officials, which could have put our citizens at risk. The FBI does not take these violations lightly and will work to hold wrongdoers accountable to keep our country safe.”

Shirley served on active duty with the United States Air Force, and in August 1994, the Air Force granted Shirley her first TS/SCI security clearance. 

After leaving active duty, Shirley served in the United States Air Force Reserves and later in the United States Navy Reserves. 

While serving in the Air Force, she worked on assignments with the NSA. 

From May 2001 to August 2012, Shirley held various positions with the United States Navy’s Office of Naval Intelligence, the Department of Defense, the Department of Energy, the National Cyber Investigative Joint Task Force, and at least five different cleared defense contractors. 

In connection with these positions, Shirley held TOP SECRET/SCI security clearances at various times.

In July 2019, Shirley took her six-year-old daughter to Mexico with the intent to make contact with representatives of the Government of Russia to request resettlement in a country that would not extradite her to the United States. 

Shirley took with her to Mexico national defense information, which she had unlawfully retained. 

While in Mexico, Shirley prepared a written message to Russian Government officials, referencing “an urgent need” to have “items shipped from the USA related to [her] life’s work before they are seized and destroyed.”

On Aug. 13, 2019, the United States Marshals Service and Mexican law enforcement located Shirley and her daughter at a hotel in Mexico City.  Mexican authorities arrested Shirley pursuant to an arrest warrant the West Virginia State Police (WVSP) had obtained on a charge of concealment of a minor from a custodian.

The Federal Bureau of Investigation (FBI) subsequently executed search warrants on a number of Shirley’s electronic devices, including devices she took to Mexico in July 2019 and devices the FBI seized from her Martinsburg storage unit in August 2019.

Pursuant to the search of the storage unit, the FBI located the NSA document underlying the Willful Retention of National Defense Information offense. 

In addition, pursuant to searches of the electronic devices, the FBI found an Office of Naval Intelligence PowerPoint presentation containing information classified at the SECRET level and messages Shirley had drafted to Russian Government officials while in Mexico, the latter of which the Central Intelligence Agency has determined to include information classified at the SECRET level.

Shirley faces up to ten years of incarceration and a fine of up to $250,000 for the national security charge and up to three years of incarceration and a fine of up to $250,000 for the kidnapping charge.

Under the Federal Sentencing Guidelines, the actual sentence imposed will be based upon the seriousness of the offenses and the prior criminal history, if any, of the defendant.

Assistant U.S. Attorneys Jarod J. Douglas and Lara K. Omps-Botteicher and Trial Attorney Evan N. Turgeon with the Department of Justice’s Counterintelligence and Export Control Section, National Security Division, are prosecuting the case on behalf of the government. 

The FBI and WVSP investigated.  The Webster County Prosecuting Attorney’s Office cooperated in the investigation and prosecution of the case.

U.S. Magistrate Judge Robert W. Trumble presided.

Blogs to Follow:

Justice.gov (July 2020) Berkeley County woman admits to willful retention of top secret national defense documents and international parental kidnapping