"When you come to a fork in the road, take it." (Yogi Berra)

    Counterintelligence activities occur not only between governments but between industries and other entities as well, but the term is most commonly reserved for describing activities which protect against foreign espionage, sabotage, and enemy infiltration.  In other words, what is protected is the intelligence cycle itself.  Both Executive Order 12333 and the DoD dictionary of military terms define counterintelligence (also called CI) as "information gathered and activities conducted to protect against espionage, other intelligence activities, sabotage, or assassinations conducted by or on behalf of foreign governments or elements thereof, foreign organizations, or foreign persons, or international terrorist activities."  In practice, counterintelligence is much broader than this and should definitely not be confused with counterespionage, which refers specifically to infiltration by HUMINT.  Threats to the integrity of the intelligence cycle come in an amazing variety of forms.  By definition, CI involves investigation, operations, collections, and analysis.  It can be thought of as an "intelligence community within an intelligence community," if you will.  Much of the practice of CI consists of efforts to protect secrets, to prevent an intelligence mechanism from being manipulated, and to exploit the intelligence activities of other entities or organizations.  Given the breadth and depth of this field, only the basics can be covered here.

    A distinction is usually made between defensive counterintelligence and offensive counterintelligence.  Defensive counterintelligence refers to looking within one's own organization for weaknesses that could be exploited by an adversary.  In the U.S., that function is mostly assigned to the Diplomatic Security Service (DSS) of the Department of State.  Offensive counterintelligence refers to degrading the effectiveness of an adversary's intelligence operation, and that function is typically carried out by the CIA.  In some circles, the concepts of counterespionage and offensive counterintelligence are synonymous.  Decisions to carry out (or run) an offensive counterintelligence operation must take into consideration the risk/reward ratio.  Nearly constant monitoring and/or testing is also usually necessary to measure psychological changes in motivation.  In other words, agents as well as operations are closely scrutinized in counterintelligence operations.  Reporting must also be frequent, quick, and detailed.

    Counterintelligence operations can be various degrees of passive or active, depending somewhat upon the level of secrecy involved.  Passive or defensive counterintelligence is synonymous with security, and involves locating, screening, and identifying people, limiting their access to classified material, and instituting accounting systems to trace losses.  Active counterintelligence can be considered a type of countermeasure, and involves specific protections using specific tactics such as neutralizing an enemy or deceiving them.  In cases where a potential security breach is identified, counterintelligence would normally try to keep the communication channel unaltered (but monitored) to stay one step ahead of the adversary, and to capitalize on potential vulnerabilities that may be exploited later on.  On the downside, counterintelligence produces some of the most confusing information and disinformation in the world, and several nations and/or entities play the game well, but even the best players screw it up at times.  Deception operations are the trickiest.  Historically, the U.S. has been pretty good at it (misinformation leaks to the press seem to be an American pattern), but other nations and/or entities have gotten pretty advanced at it, and it's interesting to see how lies and conspiracies build upon one another at times.  In comparative perspective, many nations in the world tend to mix their counterintelligence operations with domestic counterterrorism more than the U.S. does, so the levels of public misinformation are usually much higher in such nations.

    In some quarters, effective counterintelligence begins (and ends) with the notion of security classification levels; i.e., unclassified, confidential, secret, top secret, etc., of the kind one applies for via SF-86 and the like.  Recent years have seen the development of higher, "compartmentalized" levels, and developments like these have contributed to debates, of course, over whether there's too much fuss over security levels.  Above top secret includes designations like TS/SCI, where SCI stands for Special Compartmented Intelligence, and each compartment is further indicated by a codeword; e.g., KEYHOLE for satellite information, or UMBRA for communications intelligence.  This codeword is sometimes called a "ticket" and serves as a topical access barrier for those who do not have similar tickets.  There are other designations that modify other classification levels; e.g., NOFORN for No Foreign Nationals, WNINTEL for Warning Notice, Intelligence Sources and Methods, and LIMDIS for Limited Dissemination.  ORCON, or Originator Control, also prohibits sharing information with agencies outside the intelligence community if that outside agency is not the originator of that information.  ORCON has become a big issue in the post-9/11 environment, where there is a strong need for inter-agency sharing.  At the lower levels, a big issue involves whether or not there should be an additional security level between unclassified and confidential.  The United Kingdom has one called "restricted," but the United States doesn't really have a truly "restricted" level, instead relying upon fairly weak mechanisms like "For Official Use Only" or "Not for Attribution" or the "Sensitive" label.  The assignment of security levels to people is (or should be) part of CI's role in personnel security, which encompasses much broader issues, but just as important is premises security, which typically involves sweeping premises for bugs and controlling access to certain storage areas.  Counterintelligence might also find itself involved in audits of secure facilities, but audits should not be seen as the security mechanisms themselves.

    A basic principle of secrecy is that just having a certain clearance level doesn't entitle somebody to have access.  There is the all-important "need to know" requirement that overrides a security level, and just having a certain level of clearance doesn't automatically entitle someone to see every piece of data at that clearance level.  Counterintelligence usually comes in when it is suspected that secrecy is broken - or you've got a leak - and what you need to do is figure out a way to take advantage of that.  At some point, you're probably going to be launching a counterespionage operation, but for starters, you need to put your leak under surveillance.  You might have a mole, a defector, a double agent, or what is called a "dangle," someone who pretends to spy for one side but is really loyal to another.  Expect double-crosses from these kinds of people, and in fact, it's probably not a good idea to rely too much on double agents.  Heavy dependence on HUMINT in CI runs the risk of increasing your vulnerability to being deceived.  What you need to do is find out how they transmit their information to the enemy.  Once you find out that channel, you can then use it to send and/or receive information to your liking.
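The clearance, compartment, caveat and need-to-know rules laid out in the two paragraphs above, modelled as a single access check.  This is an added illustration, not part of the original page: the levels, codewords (KEYHOLE, UMBRA) and markings (NOFORN, ORCON) are the page's; the agency names, topic string and requesters are constructed.

```python
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}  # low to high


@dataclass(frozen=True)
class Document:
    level: str
    compartments: frozenset = frozenset()  # SCI codewords ("tickets"), e.g. UMBRA
    caveats: frozenset = frozenset()       # dissemination markings: NOFORN, ORCON
    originator: str = ""                   # producing agency, used by ORCON
    topic: str = ""                        # subject a need-to-know grant must name


@dataclass(frozen=True)
class Person:
    clearance: str
    tickets: frozenset = frozenset()       # compartments this person is read into
    agency: str = ""
    in_ic: bool = True                     # member of the intelligence community
    us_person: bool = True
    need_to_know: frozenset = frozenset()  # topics explicitly granted


def access_decision(p: Person, d: Document) -> tuple:
    """Return (allowed, reason). Every rule must pass; the first failure is reported."""
    if LEVELS[p.clearance] < LEVELS[d.level]:
        return False, "clearance %s is below %s" % (p.clearance, d.level)
    missing = d.compartments - p.tickets
    if missing:  # a codeword is a topical barrier regardless of level
        return False, "missing ticket(s): " + ", ".join(sorted(missing))
    if "NOFORN" in d.caveats and not p.us_person:
        return False, "NOFORN: not releasable to foreign nationals"
    if "ORCON" in d.caveats and not p.in_ic and p.agency != d.originator:
        return False, "ORCON: originator %s controls release outside the IC" % d.originator
    if d.topic not in p.need_to_know:  # clearance alone never grants access
        return False, "no need to know for topic %r" % d.topic
    return True, "granted"


# Constructed sample: one TS/SCI UMBRA report marked NOFORN and ORCON, and five requesters.
REPORT = Document("TOP SECRET", frozenset({"UMBRA"}), frozenset({"NOFORN", "ORCON"}),
                  originator="AgencyA", topic="comint-summary")
REQUESTERS = {
    "analyst": Person("TOP SECRET", frozenset({"UMBRA", "KEYHOLE"}), "AgencyA",
                      need_to_know=frozenset({"comint-summary"})),
    "imagery_only": Person("TOP SECRET", frozenset({"KEYHOLE"}), "AgencyA",
                           need_to_know=frozenset({"comint-summary"})),
    "no_ntk": Person("TOP SECRET", frozenset({"UMBRA"}), "AgencyA"),
    "liaison": Person("TOP SECRET", frozenset({"UMBRA"}), "PartnerSvc", in_ic=False,
                      us_person=False, need_to_know=frozenset({"comint-summary"})),
    "outside_dept": Person("TOP SECRET", frozenset({"UMBRA"}), "DeptX", in_ic=False,
                           need_to_know=frozenset({"comint-summary"})),
}


def demo() -> dict:
    """Map each constructed requester to its (allowed, reason) for REPORT."""
    return {name: access_decision(p, REPORT) for name, p in REQUESTERS.items()}
```

Only the analyst is granted access; each of the other four fails a different rule, which is the point of treating the ticket, the caveats and need-to-know as separate barriers rather than as consequences of the clearance level.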

    What is called multidisciplinary counterintelligence involves giving serious consideration to supplementing HUMINT with TECHINT, via some kind of technology-based means, such as COMSEC.  Chances are you'll be dealing with encryption or ciphers anyway, and breaking these will give you some insight into the enemy's capabilities.  Knowing the enemy's technological capabilities (even if it's just communications chatter) will assist you in developing technical countermeasures.  However, getting back to the importance of keeping those leaky channels open, what you want to do is use those channels for deception or disinformation.  If the enemy is spying on you, keep those channels open, and use them to feed the enemy a bunch of lies, but not blatant lies; lies that are just close enough to the truth to throw them off.  Now, this is all an elaborate game of deception and counterdeception, as the enemy is probably going to try to figure out how much of what you're feeding them is truth and how much is falsehood.  Above all, don't send such a mix of true and false signals that neither you nor the enemy can tell the difference anymore.  What goes and comes through as true is called "feedback," if you are able to separate out the falsehoods by "back-channel" collaboration.  This game works best if you are able to send the enemy deceptive or manufactured information that they think is true anyway.  Also, the more elaborate, long-term, and strategic the deception, the more important is the good intelligence feedback you'll get from it.

    Typically, subversive threats which occur domestically can have a foreign connection.  It is not wise to always assume this, but prudent to be aware of the possibility.  More typical and substantial threats are likely to come directly from foreign intelligence services, which include major adversaries, like China, Cuba, Iran and Russia, along with major allies, like Japan, France, England, Canada, Mexico, Germany, South Korea, and Israel.  As an example of an adversary threat, the Cuban Intelligence Service (CuIS) is notable because it extensively uses both "illegals" and "legals," defined, respectively, as trained intelligence officers sent abroad with false identities who maintain no overt contact with their government, and trained intelligence officers under official or diplomatic cover.  It is "hostile" precisely because both types of operatives use heavily coded means of communication, often infiltrate military security, and influence U.S. citizens or officials to lobby for easing sanctions against Cuba.  In the mid-1990s, the U.S. successfully broke up a ring of Cuban spies in Miami using the Foreign Agents Registration Act, which serves several purposes.  Originally drafted in 1938 to levy criminal penalties against Nazi propagandists, the Act has evolved into much more than that, most notably the requirement that agents of foreign lobbyists register and file letters of intent.  Another significant piece of legislation is the much older Logan Act, which forbids U.S. citizens from negotiating with foreign governments.

    Regarding threats from allies, friends do not normally spy on one another in military or political matters, but when it comes to economic and technological competition, friends are competitors, not allies.  The most frequent target of such competitive spying is the dual-use technology on the Militarily Critical Technology List (a classified document).  Dual-use technology has both military and civilian applications, but the list is intended to enumerate items critical to maintaining superior U.S. military capabilities.     

    Counterintelligence threats come not only from nation-states (although most of the aggressive and persistent threats do), but from private sector players like businessmen, scientists, academics, and students.  Intelligence collection is also done by foreign corporations acting independently of their governments as well as by foreign intelligence services.  These players may or may not know they are assisting a foreign government; they are commonly duped into it, chasing a desire for profit or acclaim, or acting out of misplaced loyalties.  The range of motivation is diverse, and it is the job of CI to sort out the various motivations.  In addition, globalization and computerization have made it much easier to steal sensitive technology and trade secrets under the guise of international conferences and posting research work online.  In fact, it is quite often the case that secrets no longer stay secrets at trade shows, conferences, symposia, visits, and open houses.  The growing openness of the scientific and educational communities has facilitated the flow of secrets across borders as a "brain drain" escalates within and between countries.  Cyberespionage crossing international borders has also increased.

    Export control usually refers to licensing procedures and other economic restrictions on the so-called "merchant of death" industry, where the government prohibits the export of certain munitions (there is another classified document called the Munitions List) as well as dual-use technology that can be used to kill people.  Nuclear technology is the most frequent item of concern here, and the suppliers themselves (see Nuclear Suppliers Group) have put regime controls in place.  The U.S. and a few other developed countries have been somewhat successful at controlling exports of technology with military applications.  Despite some disputes between allies, the Coordinating Committee for Multilateral Export Controls (CoCom) was a remarkably effective method of economic warfare during the Cold War.  CoCom was abolished in 1994 and replaced by the Wassenaar Agreement (WA) in 1996, in which a much larger group of countries is involved and concern for the economic welfare of affected states is institutionalized.  Exports are often restrained rather than banned by the WA.  So-called "pariah states" are identified by consensus in the WA.  In fact, membership in the WA is open to anyone who engages in "responsible" export policies with respect to a WA-maintained list of pariah states.  According to one of the WA's High Level Meeting statements, a pariah state is one which has "suspected ties to terrorism, attempts to develop WMD, and has possible designs on territorial expansion or other forms of behavior that raise questions about their commitment to regional and global stability."

    One of the problems with export control is the so-called "deemed export" exemption in the Export Administration Regulations (EAR).  This treats the release of technology to a foreign national inside the United States as if it were an export to the country in which the foreign national holds citizenship, and deems it an export violation if a regulatory violation occurs.  It typically takes the form of technical data or technical assistance under the auspices of a visual inspection in a secure U.S. facility, or it may take the form of oral exchanges of information between scientists or visiting dignitaries.  Naturalized U.S. citizens and foreign nationals holding valid permanent resident status in the United States (green card holders) are not subject to the deemed export rule.  The problem is that few cases are ever prosecuted under export law because of the difficulty in observing deemed exports.  With no observable movement of goods, the transfer is virtually impossible to detect, let alone prosecute.  Clearly, there is a need for better laws in this regard.

  1. Moles -- a mole may or may not be a trained intelligence agent, but they start out loyal to one service and then switch their loyalty to another service.  A low-level mole is called an "asset," and higher-level moles are known as "sleepers" or as being under deep cover.  Sometimes, intelligence agencies will "dangle" a false mole in front of an adversary in order to draw out the adversary's case officer.

  2. False-flag perpetrator -- this is a person fooled into thinking they are really working for one service when they are actually working for another service.  They are used to get information that the second service needs or, more often, are fed misinformation to pass on to the original service they think they're working for.

  3. Defector-in-place -- this is a person who has switched loyalty and is normally referred to as an "agent."

  4. Double agent -- these are agents who usually have a very specialized area of expertise or special access of some kind, and they have usually come into existence because they have been blackmailed or put under duress of some kind (possibly by both sides).

  5. Agent provocateur -- this is usually an infiltrator or instigator whose job it is to penetrate some organization (usually a protest or dissent group) and stir up trouble and/or recruit more valuable adherents to the organization.

  6. Triple agent -- these are agents who have been turned more than once (re-doubled) and are used primarily in double-cross operations or efforts to tie up the resources of an adversary in figuring out the primary loyalty.  Quadruple agents (and more) also exist.

Army FM 34-60 Counterintelligence
Hostile Intelligence Threats on U.S. Technology (pdf)
March 2005 National Counterintelligence Strategy for the U.S. (pdf)

NDU Article on Counterintelligence and National Strategy (pdf)
Office of National Counterintelligence Executive
Wikipedia Entry on Counterintelligence


Last updated: Jan. 19, 2014
Not an official webpage of APSU, copyright restrictions apply, see Megalinks in Criminal Justice
O'Connor, T.  (2014). "Counterintelligence," MegaLinks in Criminal Justice. Retrieved from