Counterintelligence is a broad field and one shrouded in secrecy for obvious reasons: At its core, it is about spies and the people who try to catch them. It is not possible for me to provide a comprehensive treatment of the field here, but I’ll try to highlight a few key points that I think are at the root of what counterintelligence is about. I have tried to make my points below regarding counterintelligence broadly applicable, but I acknowledge that, given my background, they are more U.S.- and FBI-centric.

... [I]t is important to define what we are talking about when we speak of counterintelligence. One definition I find useful is that used in Executive Order No. 12333, as amended, which is the principal executive order governing the activities of the U.S. intelligence community. Section 3.5(a) of the executive order states: “Counterintelligence means information gathered and activities conducted to identify, deceive, exploit, disrupt, or protect against espionage, other intelligence activities, sabotage, or assassinations conducted for or on behalf of foreign powers, organizations, or persons, or their agents, or international terrorist organizations or activities.” I will talk about various aspects of that definition below but mostly in relation to the activities of the foreign intelligence services of hostile foreign nations and their agents, which can include actual officers of such services (intelligence officers, or “IOs”) but also individuals those services recruit, co-opt or dupe into assisting them. In practice, dealing with that threat is the main focus of counterintelligence agencies...

Under Executive Order 12333, several elements of the U.S. intelligence community have counterintelligence responsibilities, but the FBI has assumed the lead counterintelligence role within the United States. The FBI, which has been in the counterintelligence business since 1917, says that its main counterintelligence goals are to:

... [H]ere are 10 general points that I think are relevant to understanding the counterintelligence world:

Counterintelligence is reactive. Counterintelligence is about stopping bad things from happening. It is about identifying and countering the intelligence activities of hostile foreign intelligence services and other hostile foreign actors (such as terrorist organizations). This includes countering both clandestine intelligence gathering activities and other clandestine intelligence activities. The former category is what many might think of as traditional spying; the latter is more like conducting sabotage and secret influence and disinformation campaigns to manipulate a foreign population. Those “other” clandestine intelligence activities would fall within the category of what we in the United States would think of as “covert action”—activities seeking to influence political, economic or military conditions abroad, where it is intended that the role of the particular government is kept secret.

Counterintelligence is proactive. To be effective, counterintelligence must not be just reactive; it also must be aggressively proactive. So if you are a counterintelligence official, you are proactively trying to collect information about the identities of your adversaries; what they are thinking, planning and doing; and whom they have recruited, co-opted or fooled to help them. You have to be willing to take thoughtful and well-considered risks in order to recruit sources inside hostile foreign intelligence services and on foreign soil. You have to deploy sensitive technical collection techniques, tactics and procedures to spy on adversaries. All activities in this regard need to be intelligence-driven, strategic and executed using the best possible tradecraft.

Counterintelligence is protective. As a counterintelligence official, you are trying to protect and defend the nation, its people, its assets, and those of its allies from your adversaries. Indeed, the motto of the British Security Service (or MI-5 as it is more widely known), which is Britain’s lead counterintelligence agency, is “Regnum Defende” ("Defence of the Realm"). MI-5 says that its “mission is to keep the country safe. For more than a century we have worked to protect our people from danger whether it be from terrorism or damaging espionage by hostile states.” You have to understand comprehensively and deeply what are the most important national assets to protect. For example, you might need a comprehensive “heat map” of all the valuable assets of the entire nation; or of a particular geographic region or of important sectors of the economy, telecommunications system or the defense industrial base that you need to protect.... You also need to understand what the bad guys think they need to do regarding what you are trying to protect—in other words, what do they think they need to steal or corrupt? Unfortunately, you will never be certain about whether you or they have a better picture of what assets they should focus on.

Counterintelligence challenges are overwhelming. There are too many adversaries and too much to protect. In a free society, you can’t defend against everyone everywhere all the time. You have to prioritize the threats and what you are trying to protect (your heat map will help). Too often, the adversaries will win.

Counterintelligence is done at home. Counterintelligence activities occur mainly domestically, even though they are focused on hostile foreign intelligence services. Of course, adversaries operate globally, and they will try to recruit and exploit Americans abroad and will engage in malicious cyber activities anywhere, but mostly they focus on the U.S. homeland. This means that counterintelligence authorities must find foreign intelligence operatives who are hiding domestically and mixing in and interacting with the very people you are trying to protect. As a result, it is often hard to find the bad guys as well as the Americans who are helping them, either wittingly or unwittingly. This is the same type of problem counterterrorism officials face. Because all of this is happening at home, counterintelligence activities intended to identify and disrupt intelligence threats domestically necessarily pose risks to the civil liberties of Americans. To be effective, counterintelligence officials must engage in a range of intrusive clandestine activities in the United States intended to thwart their adversaries, including electronic surveillance, surreptitious searches, recruitment of sources, physical surveillance and undercover operations. Such activities undertaken here at home invariably implicate the rights of Americans no matter how hard counterintelligence officials try to avoid doing so.

Counterintelligence is confusing. Your adversary is actively trying to deceive you, and it is hard to figure out what is going on. It is easy to make mistakes—you can easily miss real threats, plots and actors, and you can waste time, resources and effort following the wrong people or countering the wrong (or nonexistent) plot. Your adversary is trying to get you to be complacent or chase your tail, and, if you are not careful, it is all too easy to let that happen.

Counterintelligence is sophisticated. Effective foreign intelligence services are very important for the security, political stability and economic well-being of nations. Foreign intelligence collection provides national leaders and government agencies with the information they need to make informed military, diplomatic, economic and other important decisions; anticipate and address the actions of foreign nations; and protect the nation from attack, sabotage and other threatening activities by adversaries. As a result, countries are going to invest a lot in making sure that their intelligence services can defeat counterintelligence efforts to stop them. Accordingly, foreign intelligence adversaries are well resourced, experienced, dedicated, motivated and aggressive. They use complex, novel and subtle means to defeat counterintelligence services. They recruit and place sources; they co-opt or threaten insiders; they conduct physical and electronic surveillance and break-ins; and they engage in sophisticated intelligence tradecraft to obscure their activities and deceive adversaries and innocent third parties. Moreover, the spy business has changed a great deal over the years with the advent of the Internet and the explosion of open-source information. And intelligence activities are now inextricably intertwined with the digital ecosystem, malicious cyber activities, and advanced perception management and manipulation campaigns. The essence of the clandestine intelligence-gathering business (i.e., espionage) is to collect secret information by secret means. In other words: (a) someone wants to protect information, data, technology, weapons systems or other important assets from being stolen, damaged or destroyed; (b) spies want to steal or do other bad things to those assets; and (c) the spies want to do so, if at all possible, in a way that keeps the victim from knowing or understanding what happened. 
From the spy’s perspective, it is best if the victim never knows that something was stolen or corrupted or, if the victim does find out that something bad happened to the asset, that the victim does not know the identity or role of the spy in the activity. U.S. counterintelligence officials must figure out how to deal with all of this. And while they have to adhere strictly to the Constitution and laws of the United States, their adversaries follow different rules or no rules at all. The same is true for our closest foreign partners, who must follow the rules of their own countries. Some people have likened the counterterrorism challenge to that faced by a soccer team that cannot allow the opposing side to score even one goal. In both the counterterrorism and counterintelligence contexts the situation is actually much worse. Imagine that the soccer team not only needs to prevent the opposing team from scoring any goals but also has to deal with an opposing side that may be either invisible or wearing uniforms identical to their own; that plays by different rules or no rules at all; that can score by leaving the field and lifting up the net from behind and putting the ball in for a goal; and that all of this is happening on a field that is undulating and otherwise changing constantly because of the dynamic nature of technology, the economy and the intelligence needs of adversaries. Counterintelligence is hard and requires sophistication, in part, because the environment can be highly disorienting. For a variety of reasons, the field of counterintelligence has at times been considered a backwater by some and has played second fiddle to efforts to address ordinary crime (before 9/11) and counterterrorism (after 9/11). Counterintelligence investigations, however, present some of the most complex and vexing problems that a national security agency can face. 
For example, the counterintelligence investigations of Robert Hanssen, the Russian illegals network (eventually known as “Ghost Stories”), the Russian efforts to influence the 2016 presidential election, and a plethora of cyber-enabled foreign intelligence activities by China and others demonstrate the sophisticated nature of counterintelligence work. In order to disrupt appropriately the activities of foreign intelligence services while preserving the long-term efficacy of their sensitive sources and methods, counterintelligence officials are regularly called upon to make hard choices about whether, when and how to carry out such disruptions.

Counterintelligence is forever. Hostile foreign intelligence services represent persistent threats. Nation-state adversaries generally don’t go away or give up, even if regimes change. For example, the FBI has been dealing with intelligence threats from the Soviet Union and the Russian Federation since 1917. The FBI will be dealing with the intelligence threat from China for as long as it exists. To be sure, the clandestine intelligence activities of foreign powers change over time depending upon the needs of the country and developments in fields such as science and technology, politics, and the economy. So counterintelligence officials must be adaptive and creative over an extended period.

Counterintelligence is powerful. The FBI has all of its national security and law enforcement authorities available to use against hostile foreign intelligence services and their agents. It can leverage the resources of its partners in the U.S. intelligence community; other federal agencies; its foreign intelligence, counterintelligence, and law enforcement partners around the globe; and approximately 18,000 domestic law enforcement agencies. It has the authority and capability to conduct highly intrusive electronic surveillance and searches of Americans and others in the United States (generally without ever being required to tell them that it did so). It can arrest Americans and others in the United States, and seek the arrest and extradition of anyone anywhere. But as many casual observers do not understand, arrest and prosecution of foreign intelligence operatives are not the only ways to thwart the intelligence activities of hostile foreign adversaries. Without going into much detail here, counterintelligence officials have a range of other options available to identify, understand and disrupt the activities of foreign powers and their agents. These include recruiting and doubling-back sources the adversaries themselves have recruited (i.e., “double agents”); deporting foreign nationals (with the help of the Department of Homeland Security) and kicking foreign diplomats out of the country (with the help of the State Department); providing information to support diplomatic actions or the imposition of economic sanctions; public exposure; and providing defensive briefings to individuals or organizations that are being targeted by a hostile service. Counterintelligence officials can accomplish their mission even if no one is ever prosecuted or jailed, and they will continue their mission even if there is no prospect of arrests and prosecutions. Combined with the forever nature of counterintelligence, this point has important implications. 
There is a constant spy-vs.-spy quality to counterintelligence: us watching them, and them watching us. It has a plethora of different modalities. And it never stops.