Spies, Lies, and Algorithms: The History and Future of American Intelligence
Book written by Amy Zegart
Book review by Rick Howard
I don't recommend this nonfiction book for the Cybersecurity Canon Hall of Fame, but if you are interested in the topic, this is a good one to read.
Dr. Amy Zegart is a friend and colleague of mine. I first met her when she tapped me on the shoulder to participate in her "Educating Journalists about Cyber" conferences she hosted annually at Stanford University. I also worked with her on the Stanford Cyber Policy Program Advisory Council for a couple of years. So, when I heard that she published this book, I was excited. If anybody could shed some light on how the United States does intelligence, it was Dr. Zegart. And she delivers in spades.
As an academic, she is rightly concerned about the opacity of how the intelligence sausage is made. Because of all the layers-upon-layers of secrecy inherent in any intelligence organization, multiplied by the 18 different intelligence organizations officially operating with overlapping missions, and the inbred distrust that each has for the others, understanding the intelligence process is hard enough for an insider (like a congressional oversight committee member), let alone an academic trying to enlighten her students. And that's not even including the average citizen who get's their idea of how the CIA, the NSA, and the FBI operates from popular culture entertainment like "Zero Dark Thirty," "Enemy of the State," and "The Silence of the Lambs."
She covers an extensive history of U.S. spying starting with General Washington (code number 711) in the Revolutionary War, to the stops and starts of the intelligence function through the War of 1812, the Civil War, and the two World Wars. After WWII (1947), the U.S. Congress made it official and created the CIA "to coordinate the activities of different intelligence offices in the military services, the Justice Department, and the State Department." The section on how the CIA tracked down Osama Bin Laden is illuminating.
That same year (1947), President Truman gave the CIA authority to "conduct “covert psychological operations designed to counteract Soviet and Soviet-inspired activities.” According to Dr. Zegart, a covert action is “an activity or activities of the United States Government to influence political, economic, or military conditions abroad, where it is intended that the role of the United States Government will not be apparent or acknowledged publicly ... Covert action is active; its aim is to produce or affect outcomes. Espionage is more passive; its purpose is acquiring information."
But almost immediately, the CIA ran into controversy. The next year (1948), the NYTs claimed that the CIA is “one of the weakest links in our national security.” Because of the internal secrecy, the public rarely hears about the CIA's successes. But, when it screws up, the public scrutiny is loud (Bay of Pigs, CIA Assassination program, Domestic wire tapping, Iran-Contra, 9/11, WMD in Iraq, rendition and water boarding, etc).
And that's one of Dr. Zegart's criticisms. It's tough for anybody, but especially outsiders like academics, to assess how good the U.S. Intelligence Community (IC) is without access to information. This is one of my pet peeves too. I don't want the IC to reveal sources and methods. People die if that happens. But I would appreciate an honest discussion of goals and objectives. Dr. Zegart says that, "between 1961 and 1974, "the CIA conducted more than nine hundred major covert actions and thousands of smaller ones." What's the win-loss record there in terms of national security objectives? Those shouldn't be secret. A public discussion of what those goals and objectives are would be appreciated; maybe not at the moment, but soon after so that a national debate about what we are trying to do is public.
Dr. Zegart then describes why the business of intelligence is so hard; why, in hindsight, the CIA made obvious errors like the ones listed above. She doesn't try to excuse it, just explain it so that improvements can be made. Factors include asymmetric information pictures for all 18 agencies on the same topic, an unwillingness to share between groups, human bias, unclear objectives, and the fact that most humans don't understand probabilities. That last one is near and dear to the cybersecurity professional too.
Most leaders want a yes/no answer. Will the company succumb to a ransomware attack this year? Is Osama Bin Laden in the bunker? But the world isn't binary. The world is on a spectrum of uncertainty. What does a CEO do with the fact that there is a 20% chance of a successful ransomware attack this year? What does President Obama do when the range of answers from his staff about the location of Osama Bin Laden is between 30% and 80%? Those answers aren't satisfactory. But that's the world we live in. The question is can we make those predictions more accurate?
I was pleased to see Dr. Zegart advocate for Superforecasting as one solution. Made famous in the book "Superforecasting: The Art and Science of Prediction” by Philip E. Tetlock and Dan Gardner, I have been a fan of this Cybersecurity Canon Hall of Fame book for a long time. I have been advocating to security professionals the use of their Superforecasting techniques to calculate the probability of material impact due to a cyber event for a while now. They work and the results are much better than the standard heat maps that security professionals have been using for two decades. Tetlock and Gardner say that it's possible to learn how to forecast the probabilities to really complex questions (like cyber risk to the business and the chances that President Putin will get assassinated in the next three years) and he ran a five year experiment to test it out. The Superforecasters blew the other teams away with their accuracy.
The rest of the book covers several thorny subjects.
- Counterintelligence: The art of defending against the intelligence activities of others; especially moles.
- Coming to terms with covert action. This is serious stuff and it ranges from influence operations, to shifting the balance of political power in a foreign country, to destabilizing the economies of unfriendly regimes, and finally, to targeted killing. There are moral and ethical issues here. As Dr. Zegart insinuates, if you don't have a good way to measure wins and losses other than yes, we killed another terrorist, perhaps we should put the brakes on until we do.
- Congressional oversight. How does any government supervise spy operations when the entire enterprise is shrouded in secrecy and mistrust. Dr. Zegart highlights some of the historic clashes in American history
- Open source intelligence and assessing the nuclear threat. Nuclear threat assessment has moved away from being solely the province of government intelligence organizations to a cornucopia of non-governmental special interests.
- Cyber. The relatively new development (last 30 years) of nation state continuous low-level cyber conflict. Governments have realized that they can get a lot done in terms of espionage, influence, and even some light destruction for a fraction of what it costs in the physical world to accomplish the same effect and fall just short of actual warfare.
By covering all this material, Dr. Zegart is educating the reader about how the U.S. intelligence process works and highlighting the places where much improvement is required. For me, the takeaway is that the average U.S. citizen's knowledge of the country's intelligence apparatus mostly comes from movies and TV shows. She is advocating more transparency so that the academic world of scholars and big thinkers can help solve some of these problems.