From Top Secret to Twitter

Signals intelligence (SIGINT) agencies sit at an inflection point. Historically clandestine organisations, they are now adopting a more publicly facing outlook. Through conference appearances, media statements and their use of social media, SIGINT agencies now regularly interact in full public view. This transition has largely come out of necessity with a shifting political and security landscape demanding adaptation. Increased public engagement therefore extends beyond just a development in PR and in fact represents a much more strategic shift — one that reflects the changing nature of modern SIGINT agencies.

Despite the importance of this transition, the process has not always been smooth. Intelligence agencies grew up allergic to the press; teething problems from such a drammatic change in posture are therefore inevitable. As SIGINT agencies open up and communicate with the public, they confront altogether new challenges previously outside their purview.

Gone are the days when spy agencies did not officially exist with their personnel and activities guarded surreptitiously away from the public view. The existence of GCHQ was only officially confirmed in the 1994 Intelligence Services Act. Meanwhile, the NSA existed for a long time outside of Congresses’ knowledge and without serious laws prohibiting its activity. Today, the public nature of these agencies has changed significantly. Canada’s Communication Security Establishment has published a cyber journal on its website since 2012. The US Office of the Director of National Intelligence has had a Tumblr account since 2014. Former NSA Director Admiral Mike Rogers appeared regularly at conferences and panels. On the other side of the Atlantic, both the current and former Director’s of GCHQ have published op-eds in major British papers. The UK SIGINT agency also broke with both historical precedent and British understatement when it commented on allegations about its activities, dismissing the unhelpful allegations about the agency’s role in spying on Trump claiming that they were ‘utterly ridiculous and should be ignored’.

Intelligence agencies have of course featured in the media before. Whether allegations of torture, or suspicions over surveillance programs, these agencies have long been the target of journalistic outrage. Their culture of secrecy, combined with a tendency of playing to the edge has led to a buffer between public expectations and the actual activities of SIGINT agencies. This means that when intelligence gathering procedures are revealed (as is increasingly common via leaks), the public often feel uncomfortable. Shifting public opinion confuse matters further: electorates are naturally more supportive of enhanced intelligence gathering powers in the immediate aftermath of a terrorist attack when compared to five years down the line when memories of such atrocities are not quite so raw. Whilst shifting public opinion should be respected in a democracy, surveillance law and policy understandably struggles to keep up with such volatility, leading to a mismatch between the activities of intelligence agencies and public demand.

Despite a long track record of intelligence agencies appearing in headlines, previous PR strategies have been predominantly reactive — damage limitation being the name of the game . The SIGINT agencies of today, however, are proactively seeking to shape their agenda through public engagement. Despite the risks and bear traps of becoming more open, future policy must recognise and embrace the need for such a change. SIGINT agencies that remain overly covert will find themselves increasingly on the backfoot.

SIGINT agencies are becoming more publicly facing for a variety of reasons. This blog series will explore these themes, examining the emerging challenges for SIGINT agencies, how greater public engagement can help to mitigate them, as well as the new hurdles that arise from such a changes in strategy.

Cyber Security

SIGINT agencies face a paradox in confronting the cyber security challenge. One the one hand, they possess some of the rare pockets of cyber security expertise that sit within government. The traditional mission of SIGINT agencies has involved intercepting electronic and telephone communications — an experience that has also given them rich insight into how systems can be defended. This means SIGINT agencies are often seen as the natural choice for governments delegating cyber security responsibilities.

At the same time, however, SIGINT agencies typically lack both the strategic outlook and organisational culture required for cyber security. Unlike the game of espionage, cyber security requires a far more open and communicative response. Government organisations responsible for cyber security must publicly engage with three sets of stakeholders: the general public, businesses and adversaires.

Big Business

With the majority of cyber security threats targeting businesses, it is vital for SIGINT agencies responsible for nation-wide cyber security to work closely with the private sector. These public-private partnerships involve a number of dimensions. Joint public-private cyber simulation exercises provide useful learning opportunities for states seeking to develop preparedness for significant crisis situations. SIGINT agencies bring a wealth of experience and insight to these situations when they are willing to engage.

Government cyber security entities also represent a source of advice for the private sector. The most effective communication strategies for imparting such wisdom will also tailor the interaction based on the firm at hand. While cyber security fundamentals are often universal, a different set of challenges and expectations naturally exist for a large multinational when compared to a small business that employs under ten people. Government cyber security communication must therefore be multi-tiered with messages packaged and delivered through various channels.

In addition to working with business in a broad sense, SIGINT agencies should also work directly with the cyber security industry. Various SIGINT agencies have developed information sharing partnerships with other domestic stakeholders, providing all members with better threat intelligence and useful examples of best practice. As the then Chief of NSA’s Tailored Access Operations, Rob Joyce helped to clarify the approach of offensive nation state operations, and crucially the measures that can be introduced to improve defences at a cyber security conference in 2016. The cyber security industry would only gain from similar embodiments of leadership.

I Want to Live Like Common People

Communication with the public is also increasingly important. The general level of cyber security awareness is still too low. To improve the security of nation-scale, reducing the low hanging fruit can go a long way in raising the bar for attackers. Public awareness campaigns or the introduction of basic cyber security education in school curricula can go a long way in correcting the imbalance.

This opens up broader questions related to how the government cyber security remit should be delegated. While cyber security awareness campaigns with adverts plastered on the side of buses might be important, it is not a process familiar to the spooks of Cheltenham and Fort Meade. Governments therefore face a number of policy choices: they may seek to refresh the strategies of SIGINT agencies in order to develop a more public facing outlook, delegate the task of public engagement to other government organisations or even create new government departments and organisations entirely. Even when SIGINT agencies aren’t the primary organisation communicating with the public in this way, they are likely to still play an important supporting role. It is therefore increasingly inevitable that SIGINT agencies will be involved with public messaging in some capacity.

The need for a departure from the traditional SIGINT mentality has been recognised most clearly in the UK. In 2016, the UK government established the National Cyber Security Centre (NCSC). The NCSC remains part of GCHQ, but is a distinct identity, and crucially one that is more far more publicly facing and approachable. The centre has given several senior GCHQ staff a greater platform to engage publicly and this has led to an appreciable difference in public engagement with a number of NCSC staff now appearing at conferences and writing blog posts that articulate the centre’s vision in an informative, yet entertaining manner. The NCSC deserves credit for its clear messaging strategy in the aftermath of serious cyber incidents and data breaches. The WannaCry ransomware outbreak provides a case in point with the NCSC issuing statements and advice to the press, businesses and public alike both during and after the incident.

While the UK model of creating a new centre that exists within a SIGINT agency has proved a success, it represents one of the many ways to proceed and may not be an appropriate model for other states. Ultimately, however, the utility of SIGINT agencies’ cyber security expertise will be severely handicapped if it remains in a top secret drawer.

Name and shame

Governments and SIGINT agencies must decide when and how to publicly attribute state perpetrators of serious cyber attacks, a topic I have discussed before. SIGINT agencies have long attributed cyber attacks internally — the decision to go public is therefore based primarily on political calculations, rather than due to the level of certainty over the perpetrator’s identity. States have a range of options in relation to attribution including staying silent, publicly declaring the responsible state and even announcing the responsible state in addition to releasing more detailed technical information about the attack (or conversely only releasing technical information without the accompanying political attribution). Attribution strategies should be based on an assessment of the likely trade-offs and outcomes of the various options at hand, a topic that remains underanalysed.

Western governments are also attributing in tandem with each other — a variety of Five Eyes and European states all attributed both WannaCry and NotPetya worms (to North Korea and Russia) at the same time. These coalitions offer some prospect for developing international norms surrounding what constitutes unacceptable behaviour in a way that previous norm-building exercises have largely failed to achieve.

While calling out and revealing an aggressor’s offensive capability may raise the stakes in itself, it can also lay the foundation for further action. This has included the indictment of hackers behind an attack as well as the introduction of sanctions. The European Union (EU) could also soon begin to exercise its diplomatic clout in responding to cyber attacks: in 2017 the European Council agreed to develop a framework for a joint EU response to malicious cyber attacksthat will make full use of measures within the Common Foreign and Security Policy, including restrictive measures if necessary.

Public attribution is a topic of rising importance and one increasingly landing on policymakers’ agendas. SIGINT agencies therefore find themselves in unfamiliar territory with public attribution claims putting them centre stage in newspaper headlines. Even when public attribution claims are made by other government entities (e.g. foreign offices, state departments or executives), SIGINT agencies inevitably become key protagonists in the following reporting.

The public facing side of SIGINT agencies is therefore growing in importance — going beyond a PR issue to one featuring centrally in a government’s cyber security and foreign policy strategies.

Privacy and Surveillance Debates

It is no coincidence that SIGINT agencies have become more publicly facing at a time when they have witnessed their reputations corrode. The classified NSA documents leaked by Edward Snowden in 2013 renewed long-standing privacy debates and led to public mistrust over the US intelligence community. In 2015, the majority of Americans opposed the US government collecting bulk data and two-thirds believed there were not adequate limits on what type of data can be collected.

A more publicly facing outlook provides a means to overcome the current trust deficit. Public appearances by senior SIGINT agency staff creates the perception of a more transparent and open culture. SIGINT agencies have turned to social media to inform the public about the positive achievements in their history. The Twitter accounts of GCHQ, NSA and CEA, all regularly post about the role of these agencies in WWII for example. Agencies have also sought to bring the positive case for their role today — GCHQ claims that information it has gathered stopped six alleged terrorist plots in 2015 alone.

Events, Dear Boy

Despite these efforts to become more public, the perception of SIGINT activities sits largely outside of their control. Public confidence is predominantly shaped by events rather than SIGINT PR departments. Terrorist incidents inevitably precede newspaper headlines about the failures of intelligence agencies. While such arguments are often unreasonable, they play a significant role in shaping public trust. Ultimately, when it comes to reputation, perceptions trump.

In addition to events, the role of Hollywood should also not be underestimated. The Imitation Game, a 2014 thriller about Alan Turing’s role in cracking Nazi codes during World War II, has led to a renewed interest in Bletchley Park and helped GCHQ to improve its reputation and recruitment efforts. By contrast, Snowden, a 2016 Oliver Stone drama, portrayed the NSA in less flattering terms. Former NSA Deputy Director Chris Inglis acknowledged that the film could further shift public perceptions against US intelligence agencies.

Political processes inhibit intelligence agencies’ ability to engage in debates about their role. Most governments have decided (rightly) that intelligence agencies should refrain from making arguments about the scope of their powers and remit directly. The idea being that intelligence policy, while executed by intelligence agencies, is decided upon by elected officials — thereby establishing a greater democratic legitimacy around the process. Yet, those that argue against the activities of SIGINT agencies do not face these constraints. The pro-privacy community, which condemns the role of SIGINT agencies, therefore enjoys a much more visible public profile. Privacy advocates can criticise intelligence gathering activity directly — often on public platforms without any serious counter-arguments being made. Technology firms have also publicly opposed intelligence gathering activity that harms their commercial interests (a trend that has picked up significantly since the Snowden outlined cooperation methods between the NSA and technology firms).

Although it is right that intelligence agencies and their respective PR department avoid commenting on these issues directly, SIGINT agencies find themselves on the back foot and largely unable to defend their record as a result. In short, SIGINT agencies face inherent structural barriers in confronting these emerging debates.

The SIGINT PR agency

Where intelligence agencies don’t speak, others make arguments on their behalf — whether that be senior government officials, former intelligence staff or journalists. Whilst government officials might be the legitimate representatives for these intelligent-related issues, they have not always demonstrated an appreciation of the finer details. Too often, government officials make proposals on issues such as encryption that are outside the bounds of technical reality and largely mocked within the technology sector and mainstream media. This harms not only the reputation of the official in question, but also the SIGINT agency that they represent.

It is therefore vital for officials to truly understand the issues that they comment on, including broader trade-offs (such as the cyber security and privacy implications related to encryption policy). Here, SIGINT agencies can play a supportive function, using their expertise to work with officials to help them formulate more educated public policy positions and ensure proposals stand on a solid technical footing.

Former intelligence staff are also able to comment publicly on general policy matters. Former heads of intelligence agencies enjoy the most substantial following and it is they who typically write newspaper op-eds and are invited for TV interviews. Whilst these individuals tend to be intelligent, savvy and media trained, by virtue of their previous seniority they are often be out of date with more nascent security issues (a former intelligence head who retired twenty years ago may not fully appreciate the arguments related to the current vulnerability equity process debate for example). While former intelligence heads represent a useful resource for public debate, their efforts could be further complemented by alternative sources of insight. A significant number of intelligence agency staffers leave much earlier in their careers. Often younger and more dynamic, these former staffers have gone on to establish successful careers in cyber security and offer nuanced perspectives on nascent intelligence and cyber security issues. Going forward, the public debate, as well as intelligence agencies, would benefit from this group of former staffers being given a greater public platform on more mainstream outlets media outlets. Governments and SIGINT agencies have a limited ability to create such a platform, yet it nevertheless represents a fruitful area for growth.

Shifting the debate

Governments and intelligence agencies could pursue a more conciliatory tone in their public messaging. As recent encryption debates have suggested, when governments seek to compel the assistance of technology firms, media coverage and public opinion largely sides with technology firms. Going forward, a more cooperative tone from both sides would prove more productive. Governments therefore have an opportunity to work with other stakeholders to reframe current debates to make proposals based on partnerships rather than strong arm tactics.

SIGINT agencies deserve credit for the ways they have become more open and promoted the positive role their agencies can play in recent years. As discussed above, however, these agencies also face inherent structural barriers that prevent them from participating fully in current privacy debates. The public engagement strategy of SIGINT agencies must therefore broaden and become more collaborative.

Recruitment

Intelligence agencies have turned to social media and advertising campaigns as recruitment tools in an increasingly competitive job market. The limited supply of those with skills in computer science and cyber security means that university graduates can earn significant sums in the private sector that government agencies have struggled to match. It is therefore no surprise that SIGINT agencies struggle to recruit and retain the necessary talent.

Even for graduates that opt for a government career, there is an additional intragovernmental competition with various government organisations competing for the same skilled recruits. According to Alan Paller, research director of the SANS Institute, ‘there’s a head-to-head battle between CIA and NSA for every new cyber employee.’ Furthermore, as discussed in my previous blog on privacy debates, SIGINT agencies have seen their reputations suffer as a result of Snowden’s leaked NSA documents. Working for a SIGINT agency is likely met with a greater stigma today that it might have done previously. Reaching out publicly is one way SIGINT agencies can reverse this trend.

CSE, GCHQ and the NSA routinely tweet on their qualities as an employer (the NSA even has a separate careers twitter handle). GCHQ has used reverse graffiti to advertise careers in Shoreditch — a trendy borough of London frequented by tech-savvy hipster graduates. GCHQ has also created more cyber security pathways through summer schools, initiatives to get more women into the industry and an improved presence at both schools and universities — measures that both correct the cyber security skill shortage and enhance their reputation in the process.

Recognising that they cannot compete on pay with the private sector, these agencies have responded with competitive non-salary benefits. Promises of an interesting mission and meaningful work feature prominently in their recruitment message. Flexible working hours and generous holiday allowances are mentioned as a part of these agencies’ family-friendly brand while a significant investment in employee education and training reassures potential recruits that they can further develop their skills and career capital by joining. Yet, none of these attractive non-salary benefits will help SIGINT agencies hit their recruitment targets if potential applicants are not aware of them — public engagement is therefore vital to ongoing recruitment challenges.

Emerging Challenges

In addition to the ongoing challenges I have discussed in previous blogs, there are also two future challenges that remain largely neglected although critical to address in the long-term.

I’m Not Running

SIGINT agencies are under increased pressure to avoid the perception that they have become politicised or act in a partisan manner. Russian interference in the US 2016 election provides an example of this challenge, pushing the US intelligence community into an awkward position. While intelligence agencies strive to be non-partisan, maintaining a neutrality (and the public perception of neutrality) has proved increasingly difficult. This was seen most clearly with the Federal Bureau Investigation (FBI) although the lessons apply to SIGINT agencies as well. Intelligence agencies are ultimately faced with a difficult balancing act, having to provide factual analysis without appearing to conspire against a political party or movement.

Intelligence agencies risk becoming politicised. Image created by Razvan Vezeteu.

The difficulties of politicisation have also been observed in the UK. Whilst it has transpired that Russia did interfere in the 2016 Brexit, the extent of interference appears to be largely insignificant. Yet for government officials and SIGINT agencies, commenting on the matter remains difficult. Bringing attention to what was minimal Russian activity, can lead to a perception that government institutions are undermining or questioning the legitimacy of the referendum result — an accusation readily made by polemic pro-Brexit news and media outlets. The UK government was able to avoid such thorny issues, claiming that while Russia did interfere, it was unsuccessful. However, where an aggressor’s disruption attempts have a more significant effect — as observed in the US election for example — the challenges for SIGINT agencies become significantly more complex.

SIGINT agencies find themselves in the middle of what are profoundly political issues. This will remain an ongoing challenge given that disinformation and political interference campaigns are trends set to continue. Although there are no easy answers, intelligence agencies should at least establish clearer protocols for communicating with the public during periods of disinformation and instability. Protocols could include guidance on how intelligence agencies should respond to accusations of their own partisan interference in an election for example. Governments would also benefit from broadcasting concerns in advance. Canada’s CSE deserves credit for outlining the cyber threats it anticipates will surface in its 2019 during federal elections for example. The key here is that such protocols are established ahead of time and then stuck to — making decisions on these issues in an ad hoc and reactive manner only invites negative accusations.

Leaky Leaky

A second challenge that SIGINT agencies are now grappling with is the increasing amount of their material now being leaked. The Snowden disclosures provided the most visible example of sensitive files being stolen, although the NSA has since struggled to plug the gap. Harold Martin, Reality Winner and Nghia Hoang Pho are three NSA employees found to have retained or taken classified NSA files out of official premises and this has likely contributed to damaging leaks, such as the NSA tools distributed by the Shadow brokers.

The negative impact of leaks extend beyond damaged reputations. The Shadow Broker leak also undermined security with the NSA tools that were released online subsequently being used by North Korea in the WannaCry ransomware outbreak that disrupted systems across the world, including those in the UK National Health Service. Leaks may also undermine SIGINT agencies’ manoeuvrability. After NSA offensive tools ended up in the wrong hands — as was the case with the Shadow Brokers and WannaCry — questions arose about the extent to which the agency should be able to hold on to knowledge of vulnerabilities and led to renewed focus on vulnerability equity process debates.

If leaks are to continue, SIGINT agencies require robust PR strategies. They find themselves in a media battle against organisation’s with dubious motivations including WikiLeaks, a willing participant in state disinformation campaigns. With leaks provoking debates around the VEP and the future role of SIGINT agencies’, failure to successfully contain and limit negative headlines in the aftermath of a leak will increasingly harm SIGINT agencies. Governments are more likely to constrain their powers and tighten up VEP procedures in a climate where SIGINT agencies are not trusted for example.

Out Of the Shadows and Beyond

Rather than a second-order question of brand management issue, this blog series has illustrated how the public facing outlook of SIGINT agencies is now a core strategic concern. Crucially, the implications of a damaged reputation are profound. As SIGNT agencies suffer negative headlines, government leaders are more likely to reign their powers and capabilities in; recruitment in an already tough market becomes harder and their status as an authority on issues such as cyber security and public attribution is undermined.

Not all SIGINT agencies will want to pursue the same public engagement strategy. The focus here has been on Western SIGINT agencies and with a focus on the US and UK examples. Other states and cultures may approach these challenges in other unique ways. Different priorities, constraints and government institutional organisation setups all affect how SIGINT agencies can and should communicate publicly. The differences between SIGINT and HUMINT agencies should also be appreciated. While HUMINT organisations may face similar challenges in areas such as recruitment, embracing social media is not necessarily a viable strategy when a clandestine culture is more important in order to reassure human sources that their safety and anonymity is a key priority.

Yet, public engagement provides a useful, and increasingly necessary, tool for SIGINT agencies seeking to address challenges regarding the public perception of their role, as well as the challenges of cyber security, public attribution and recruitment. Public engagement policy should therefore be deeply strategic: its use should be directly tied to an organisation’s long-term interests. Key decisions makers in SIGINT agencies should start viewing public engagement not as just a risk, but also a clear opportunity.

Whilst many in the intelligence community will be cautious in shifting from a status quo of secrecy, the biggest risk arises not from going public, but in remaining deeply in the shadows.