In the world of spying in general, and especially when you’re spying on allied nations, Rule No. 1 is “Don’t Get Caught.” Rule No. 2 is “Make Sure the Juice is Worth the Squeeze.” The U.S. broke both rules, several times, in Germany. For what?
Rule No. 1: Don’t Get Caught
Getting caught spying is never a good idea. Want to end a relationship? Have your girlfriend discover you looking through her cell phone. The same applies to nations. Though the adage “everyone spies on everyone” and its antecedent “spying is the world’s second oldest profession” are true, getting caught trumps both, especially when spying on a friendly nation.
In Germany, the U.S. was caught. Several times.
The Snowden revelations showed that not only did the United States (via the NSA) spy on Germany as a whole, vacuuming up all sorts of communications, but that it drilled down to the level of spying on Chancellor Angela Merkel’s personal cell phone. Recently, however, two more examples emerged.
The first involved a mid-level employee of the German intelligence service, arrested on July 2. The employee, identified only as Markus R., became of interest in May after he sent an email to the Russian consulate in Munich offering classified information. He even attached a sample intelligence document to his email, information suggesting another German official was a Russian spy.
German counterintelligence officials set up a trap, replying to Markus R. using a fake Russian email address, suggesting a meeting. Markus R. didn’t bite. Seeking help, the Germans forwarded Markus’ Gmail address to the Americans, asking if they recognized it. No reply from the Americans. Instead, Markus R.’s email address suddenly shut down. The Germans arrested Markus, who rolled over and provided proof he was spying for the U.S.
That other German official, maybe a Russian spy Markus dangled in front of the Russians? That took a curious twist. It turns out that German intelligence had had the guy on its radar since 2010, and had learned the man had taken trips paid for by an “American friend.” Soon after the Germans raided the guy’s home and, perhaps by coincidence, then immediately expelled the head of the CIA resident in Germany.
How Not to Get Caught
Sometimes things just go belly-up and there is not much you could have done. But often times there are things you could have done.
To begin, one must vet one’s agents, the foreign citizen who is paid to spy for you on his own country. Is he a flake? A fake? A glory seeker, an adventurer, a Walter Mitty-type? Has he shopped his information around to other spies? What is his motivation? If you pay him a lot of money, will he do stupid things like suddenly start buying luxury goods on a clerk’s salary? What are his weaknesses– if he talks too much to you when drunk, maybe he’ll do the same with others. If he can be played with women, men, drugs, gambling or whatever, well, the other side(s) knows how to do that too. The answers to these questions can help predict whether or not he can be trusted. After all, by your choosing to work with him, he now knows some of your secrets too.
Next up is assessing his ability to spy for you without doing things that will compromise the action. Does he understand how to communicate securely, how to be discreet, how to acquire documents without alerting his employer? Is he teachable, can he follow instructions on how to do all those things? If you give him secure ways to communicate, does he use them all the time, or does he panic and call over open channels? (Markus R., after his initial email(s), was apparently given a secure communications device by his American handler.)
What about the host nation? How good are they at counter-intelligence? How good are you at counter-counter-intelligence, knowing what they know about your activities? This dictates how much caution and discretion needs to be involved.
Markus R. apparently offered himself directly to the U.S. via an open email, and then went on to try the same with the Russians. In the latter instance, he communicated openly over Gmail, even attaching a sensitive document. Given the furor over the Snowden revelations in Germany, and his own position inside the German intelligence operation, it is impossible that he was unaware of the boneheadedness of such actions. This should have been a full-blown emergency sign inside the CIA.
Finally, don’t make it easy for the other side to catch you. Slamming shut the Gmail account right after the Germans asked the U.S. about it pretty much sealed the deal.
All of this brings us to Rule No. 2.
Rule No. 2: Is the Juice Worth the Squeeze?
In other words, for any given information (the juice), what effort is required to obtain it (the squeeze)? Similarly, what is the potential fallout if the squeeze is exposed? In the German caper, the violation of Rule No. 2 seems near-complete.
Following the Snowden revelations, it was dead solid perfect obvious that anything to do with additional spying inside Germany, never mind spying on Germany, would be sensitive enough to immediately reach the highest levels of both governments. That should have set off a careful evaluation of activity, with a risk analysis of each and every operation ongoing or planned. The question that should have been being asked was “If this gets out, given the likely bilateral fallout, can we justify that by what we learned?” In other words, was the info acquired so valuable to the U.S. that it was worth the firestorm that followed?
It does not appear that risk analysis was done, or if it was done, that anyone paid attention to it. Though full details are of course (for now…) unknown, it appears that Markus R. did not turn over documents critical to U.S. national security. Some reports claim what he revealed mostly dealt with what the German’s were doing about the earlier NSA revelations. According to one news source, Markus “admitted passing to an American contact details concerning a German parliamentary committee’s investigation of alleged U.S. eavesdropping disclosed by Edward Snowden.”
Though some agents are bought off very cheaply by the CIA, that seems less applicable in a first world nation such as Germany. You often do get what you pay for; the U.S. allegedly only paid Markus R. about $34,000.
Further risk was assumed by possibly involving a third country, also an ally. Reports suggest Markus R. traveled to Austria to meet his CIA handler, and that the whole operation was run primarily out of Austria. That can push the disruption of relations across a second border with little if any potential benefit to the United States.
There have been short-term negatives. The German Interior Ministry said it would cancel a contract with Verizon Communications. “The links revealed between foreign intelligence agencies and firms,” the ministry said in a statement, “show that the German government needs a high level of security for its essential networks.” A lot of rhetoric will pass. There is no doubt that American intelligence officers in Germany will come under greater scrutiny, likely reducing their effectiveness. Some points of intel cooperation between the U.S. and Germany may suffer.
But U.S.-German relations are long, deep and complex. The Markus R. incident, like the NSA revelations, will be hard to track in the broader picture. It will be hard to pinpoint specific changes in the relationship, as they will be subtle if not classified, or because they may not even occur.
Perhaps though the bigger lesson here is more domestic than foreign. Obama claims he was not informed of the Markus R. case, as he claimed he was not informed of NSA spying on Merkel’s cell phone. Was CIA action in the Markus case (and the NSA’s earlier actions) sensitive to their implications? Did the CIA act in concert with broader U.S. government goals and aims, or did they act with a lack of concern? The answers to those questions may tell us more about how things are working inside our own government than anything to do with foreign relations.
BONUS: There is a Rule No. 3, but if I told you that I’d have to kill you…
Photo by Astrin under Creative Commons license