There have been various rumbling mentions of this before, but the Yahoo News article recently by Zach Dorfman and Jenna McLaughlin gives lots of juicy details. The CIA had its communications with covert agents in Iran and China intercepted by the Iranians and Chinese and, as a result, many agents were arrested and killed while others only escaped thanks to heroic James Bondian efforts to get them out of the country.

Most critically the article reveals that the Iranian and Chinese counterespionage effort was aided by Google (albeit unintentionally):

U.S. officials believe Iranian intelligence was then able to compromise the covert communications system. At the CIA, there was “shock and awe” about the simplicity of the technique the Iranians used to successfully compromise the system, said one former official.

In fact, the Iranians used Google to identify the website the CIA was using to communicate with agents. Because Google is continuously scraping the internet for information about all the world’s websites, it can function as a tremendous investigative tool — even for counter-espionage purposes. And Google’s search functions allow users to employ advanced operators — like “AND,” “OR,” and other, much more sophisticated ones — that weed out and isolate websites and online data with extreme specificity.

According to the former intelligence official, once the Iranian double agent showed Iranian intelligence the website used to communicate with his or her CIA handlers, they began to scour the internet for websites with similar digital signifiers or components — eventually hitting on the right string of advanced search terms to locate other secret CIA websites. From there, Iranian intelligence tracked who was visiting these sites, and from where, and began to unravel the wider CIA network.

In other words the Iranians were able to use a Google Dork to locate the CIA’s various covert comms websites and then watched to see who from Iran went to them. It is fairly well known that Google and other search engines are an absolute godsend for spies and criminals when it comes to looking for systems to hack – there are endless examples – but hitherto I was not aware of them being used by counter-espionage teams before.

To be honest, now that I’ve read about it, I’m not surprised that it happened. It seems pretty obvious that the CIA got sloppy and reused a system that worked when mostly spying against non-nation-state actors (i.e. Al Qaeda, ISIS etc.) when spying against other nations without grasping that there are differences between the two sorts of adversary.

Former U.S. officials said the internet-based platform, which was first used in war zones in the Middle East, was not built to withstand the sophisticated counterintelligence efforts of a state actor like China or Iran. “It was never meant to be used long term for people to talk to sources,” said one former official. “The issue was that it was working well for too long, with too many people. But it was an elementary system.”

“Everyone was using it far beyond its intention,” said another former official.

The risks posed by the system appeared to have been overlooked in part because it was easy to use, said the former intelligence officials. There is no foolproof way to communicate — especially with expediency and urgency — with sources in hostile environments like Iran and China, noted the former officials. But a sense of confidence in the system kept it in operation far longer than was safe or advisable, said former officials. The CIA’s directorate of science and technology, which is responsible for the secure communications system, “says, ‘our s***’s impregnable,’ but it’s obviously not,” said one former official.

I’m fairly sure I know what the key difference is. Iran and the PRC can go to their ISPs and install monitoring devices and redirection devices that allow them to track the sources of traffic to locations of interest, which is not something a non-state actor can do so easily.

I’m also entirely unsurprised that the CIA’s apparent response to all this was not to hold any of the bureaucrats responsible, even though they seem to have been responsible not just for the initial hole but also for burying reports by a whistleblower who found it and tried to get it fixed. This sort of behavior is, IMHO, absolutely standard in large unaccountable bureaucracies.

One of the central concerns among those familiar with the scope of the breakdown is the institutions responsible for it were never held accountable. Doing a comprehensive investigation isn’t easy, “but you have an absolute obligation to do that, because if you don’t, all you’re doing is rolling the dice with future lives,” said one former senior official.

Even several years after the breach, the concern within the intelligence community is accountability.

“When we continuously allow things like this to happen, and Congress doesn’t do anything, and the institutions don’t do anything, you’re going to have worse issues,” said another former official.

“People will say, ‘I went to the inspector general and it didn’t work; I went elsewhere and it didn’t work.’ People will see it as a game. It will lead to corruption, and it will lead to espionage. When people see that the system is corrupt, it affects everything.”

The problem boils down to the fact that the internet offers a lot of apparent security and anonymity, but actually turns out to be pretty poor at both. It’s particularly bad if you repeatedly do similar things.

Any number of Nigerian and Eastern European freelance wealth distributionists can attest to the fact that anonymity is easy as long as you only do something on the internet once. Creating a throwaway email address, buying a burner phone, setting up a phishing site through a VPN and so on is relatively easy. And if you take care at every step none of it can be tracked back to you. So that makes it fairly easy to set up the first fraud (or if you’re the CIA, handle the first spy).

But the more times you do it the more tracks you leave. You’ll use the same registrar, the same VPN, the same throwaway email address for your follow-on frauds. And that means people can start associating those different details – email address/phone/VPN etc. – with a single entity. And then they can dig down further and find the times when you were sloppy. When the VPN went down and you didn’t notice. When you forgot to click on the anonymity option when buying the domain. And so on. Eventually those various slips combine to tell investigators who you are; often that means they set a trap for you, and then abruptly the tables are turned and you are the one in trouble. (There’s a great interview about BEC and the war on it on Brian Krebs’ site.)
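The linking described in the two paragraphs above (and the “similar digital signifiers or components” pivot in the article excerpt) is mechanical enough to show in code. The following is an added example, not code from the original post or from the article: it takes a handful of constructed registration-style records (domain, registrar, contact e-mail, hosting address and a stand-in “template fingerprint”), and groups every record that shares any one of those values into one cluster with union-find. The same routine serves as a defender’s self-audit: if sites that were supposed to be independent land in one cluster, the attribute that joined them is the slip. Field names, sample values and the `template_hash` notion are assumptions made for the example.

```python
"""
Infrastructure-overlap clustering: link separately created sites that
reuse a registrar, contact e-mail, hosting address or page template.

Added example. The records below are constructed for illustration and
are not taken from the article, the post, or any real registry.
"""
from collections import defaultdict

# Attributes worth pivoting on. A shared value in any one of them joins
# two records into the same cluster. Note that very common values (a
# popular registrar) link almost everything, so an analyst would
# normally drop or down-weight such fields; the caller chooses them.
PIVOT_FIELDS = ("registrar", "registrant_email", "hosting_ip", "template_hash")
STRONG_FIELDS = ("registrant_email", "hosting_ip", "template_hash")

# Constructed sample records. "template_hash" stands in for any
# structural fingerprint of a site (shared script, HTML skeleton, etc.).
SAMPLE_RECORDS = [
    {"domain": "news-digest.example", "registrar": "RegA",
     "registrant_email": "a@mail.example", "hosting_ip": "203.0.113.10",
     "template_hash": "t1"},
    {"domain": "sports-fan.example", "registrar": "RegA",
     "registrant_email": "b@mail.example", "hosting_ip": "203.0.113.11",
     "template_hash": "t1"},
    {"domain": "recipe-box.example", "registrar": "RegB",
     "registrant_email": "b@mail.example", "hosting_ip": "198.51.100.5",
     "template_hash": "t2"},
    {"domain": "unrelated.example", "registrar": "RegC",
     "registrant_email": "c@mail.example", "hosting_ip": "192.0.2.77",
     "template_hash": "t9"},
]


def cluster_by_shared_attributes(records, fields=PIVOT_FIELDS):
    """Return clusters (sorted lists of domains) of records that are
    transitively connected through any shared pivot value."""
    parent = list(range(len(records)))

    def find(i):
        # Path-halving union-find lookup.
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    def union(i, j):
        ri, rj = find(i), find(j)
        if ri != rj:
            parent[rj] = ri

    first_seen = {}  # (field, value) -> index of first record carrying it
    for idx, rec in enumerate(records):
        for field in fields:
            value = rec.get(field)
            if not value:
                continue
            key = (field, value)
            if key in first_seen:
                union(first_seen[key], idx)
            else:
                first_seen[key] = idx

    groups = defaultdict(list)
    for idx, rec in enumerate(records):
        groups[find(idx)].append(rec["domain"])
    clusters = [sorted(g) for g in groups.values()]
    # Largest clusters first, then alphabetical, for stable output.
    return sorted(clusters, key=lambda g: (-len(g), g))


def shared_pivots(records, fields=PIVOT_FIELDS):
    """Return {(field, value): [domains]} for every value that appears in
    more than one record: these are the reused details that link them."""
    owners = defaultdict(set)
    for rec in records:
        for field in fields:
            value = rec.get(field)
            if value:
                owners[(field, value)].add(rec["domain"])
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}


def audit_isolation(records, fields=STRONG_FIELDS):
    """Defender's check: sites meant to be independent should each form a
    singleton cluster on the strong pivots. Returns offending clusters."""
    return [c for c in cluster_by_shared_attributes(records, fields) if len(c) > 1]


if __name__ == "__main__":
    for cluster in cluster_by_shared_attributes(SAMPLE_RECORDS):
        print("cluster:", ", ".join(cluster))
    for (field, value), domains in sorted(shared_pivots(SAMPLE_RECORDS).items()):
        print(f"shared {field}={value}: {', '.join(domains)}")
    print("isolation failures:", audit_isolation(SAMPLE_RECORDS))
```

In the sample data the first two sites share a template fingerprint, and the second and third share a contact address, so all three collapse into one cluster even though no single attribute is common to all of them; that transitive joining is exactly the “dig down further” step. Running the audit on your own supposedly independent infrastructure, before an adversary does, is the practical use.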

This doesn’t just hold for a particular individual. People who don’t know each other but are part of the same organization can end up leaking data that gives away, say, critical locations of that organization – see Strava’s Targeted Exercise goof. Or the Norwegian lady soldiers on Tinder:

The old assumption was that on the internet “no one knew you were a dog”, let alone where you bit the postman. Gradually we have realized that this assumption was not true for large (Western) government agencies or large (Western) internet companies (i.e. Google, Facebook, etc.), but now we need to understand that the techniques are usable by everyone, including random technically clueful individuals and governments of all stripes and sizes.

If you don’t want to be tracked, don’t use the internet and don’t use a computer (and computers include those portable ones called “phones”). The CIA is almost certainly not the only institution which will find out the truth of this the hard way. The only way this will be fixed is if the people at the top of these institutions personally face life-altering negative consequences when things fail.