China used stolen data to expose CIA operatives in Africa and Europe
The discovery of US spy networks in China fueled a decade-long global war over data between Beijing and Washington
Around 2013, US intelligence began noticing an alarming pattern: Undercover CIA personnel, flying into countries in Africa and Europe for sensitive work, were being rapidly and successfully identified by Chinese intelligence, according to three former US officials. The surveillance by Chinese operatives began in some cases as soon as the CIA officers had cleared passport control. Sometimes, the surveillance was so overt that US intelligence officials speculated that the Chinese wanted the US side to know they had identified the CIA operatives, disrupting their missions; other times, however, it was much more subtle and only detected through US spy agencies' own sophisticated technical countersurveillance capabilities.
The CIA had been taking advantage of China's own growing presence overseas to meet or recruit sources, according to one of these former officials. "We can't get to them in Beijing, but can in Djibouti. Heat map Belt and Road"—China's trillion-dollar infrastructure and influence initiative—"and you'd see our activity happening. It's where the targets are." The CIA recruits "Russians and Chinese hard in Africa," said a former agency official. "And they know that." China's new aggressive moves to track US operatives were likely a response to these US efforts.
At the CIA, these anomalies "alarmed chiefs of station and division leadership," said the first former intelligence official. The Chinese "never should have known" who or where these undercover CIA personnel were. US officials, lacking a smoking gun, puzzled over how China had managed to expose their spies. In a previous age, they might have begun a mole hunt, looking for a single traitor in a position to share this critical information with the other side, or perhaps scoured their records for a breach in a secret communications platform.
But instead, CIA officials believed the answer was likely data-driven—and related to a Chinese cyberespionage campaign devoted to stealing vast troves of sensitive personal private information, like travel and health data, as well as US government personnel records. US officials believed Chinese intelligence operatives had likely combed through and synthesized information from these massive, stolen caches to identify the undercover US intelligence officials. It was very likely a "suave and professional utilization" of these datasets, said the same former intelligence official. This "was not random or generic," this source said. "It's a big-data problem."
The battle over data—who controls it, who secures it, who can steal it, and how it can be used for economic and security objectives—is defining the global conflict between Washington and Beijing. Data has already critically shaped the course of Chinese politics, and it is altering the course of US foreign policy and intelligence gathering around the globe. Just as China has sought to wield data as a sword and shield against the United States, America's spy agencies have tried to penetrate Chinese data streams and to use their own big-data capabilities to try to pinpoint exactly what China knows about US personnel and operations.
This series, based on extensive interviews with over three dozen current and former US intelligence and national security officials, tells the story of that battle between the United States and China—a conflict in which many believe China possesses critical advantages, because of Beijing's panopticon-like digital penetration of its own citizens and Chinese companies' networks; its world-spanning cyberspying, which has included the successful theft of multiple huge US datasets; and China's ability to rapidly synthesize—and potentially weaponize—all this vast information from diverse sources.
China is "one of the leading collectors of bulk personal data around the globe, using both illegal and legal means," William Evanina, the United States' top counterintelligence official, told Foreign Policy. "Just through its cyberattacks alone, the PRC has vacuumed up the personal data of much of the American population, including data on our health, finances, travel and other sensitive information."
This war over data has taken on particularly critical importance for the United States'—and China's—spy agencies. In the intelligence world, "information is king, and the more information, the better," said Steve Ryan, who served until 2016 as deputy director of the National Security Agency's Threat Operations Center and is now the CEO of the cybersecurity service Trinity Cyber. In the US-Soviet Cold War, intelligence largely came in piecemeal and partial form: an electronic intercept here, a report from a secret human source there. Today, the data-driven nature of everyday life creates vast clusters of information that can be snatched in a single move—and then potentially used by Beijing to fuel everything from targeting individual American intelligence officers to bolstering Chinese state-backed businesses.
Fundamentally, current and former US officials say, China believes data provides security: It ensures regime stability in the face of internal and external threats to the Chinese Communist Party (CCP). It was a combination of those threats that created the impetus for China's most aggressive counterintelligence campaign against the United States yet.
The CIA declined to comment for this story. The Chinese Embassy in Washington, DC, did not respond to multiple requests for comment.
In 2010, a new decade was dawning, and Chinese officials were furious. The CIA, they had discovered, had systematically penetrated their government over the course of years, with US assets embedded in the military, the CCP, the intelligence apparatus, and elsewhere. The anger radiated upward to "the highest levels of the Chinese government," recalled a former senior counterintelligence executive.
Exploiting a flaw in the online system CIA operatives used to secretly communicate with their agents—a flaw first identified in Iran, which Tehran likely shared with Beijing—from 2010 to roughly 2012, Chinese intelligence officials ruthlessly uprooted the CIA's human source network in China, imprisoning and killing dozens of people.
Within the CIA, China's seething, retaliatory response wasn't entirely surprising, said a former senior agency official. "We often had [a] conversation internally, on how US policymakers would react to the degree of penetration CIA had of China"—that is, how angry US officials would have been if they discovered, as the Chinese did, that a global adversary had so thoroughly infiltrated their ranks.
The anger in Beijing wasn't just because of the penetration by the CIA but because of what it exposed about the degree of corruption in China. When the CIA recruits an asset, the further this asset rises within a country's power structure, the better. During the Cold War it had been hard to guarantee the rise of the CIA's Soviet agents; the very factors that made them vulnerable to recruitment—greed, ideology, blackmailable habits, and ego—often impeded their career prospects. And there was only so much that money could buy in the Soviet Union, especially with no sign of where it had come from.
But in the newly rich China of the 2000s, dirty money was flowing freely. The average income remained under 2,000 yuan a month (approximately $240 at contemporary exchange rates), but officials' informal earnings vastly exceeded their formal salaries. An official who wasn't participating in corruption was deemed a fool or a risk by his colleagues. Cash could buy anything, including careers, and the CIA had plenty of it.
At the time, CIA assets were often handsomely compensated. "In the 2000s, if you were a chief of station"—that is, the top spy in a foreign diplomatic facility—"for certain hard target services, you could make a million a year for working for us," said a former agency official. ("Hard target services" generally refers to Chinese, Russian, Iranian, and North Korean intelligence agencies.)
Over the course of their investigation into the CIA's China-based agent network, Chinese officials learned that the agency was secretly paying the "promotion fees"—in other words, the bribes—regularly required to rise up within the Chinese bureaucracy, according to four current and former officials. It was how the CIA got "disaffected people up in the ranks. But this was not done once, and wasn't done just in the [Chinese military]," recalled a current Capitol Hill staffer. "Paying their bribes was an example of long-term thinking that was extraordinary for us," said a former senior counterintelligence official. "Recruiting foreign military officers is nearly impossible. It was a way to exploit the corruption to our advantage." At the time, "promotion fees" sometimes ran into the millions of dollars, according to a former senior CIA official: "It was quite amazing the level of corruption that was going on." The compensation sometimes included paying tuition and board for children studying at expensive foreign universities, according to another CIA officer.
Chinese officials took notice. "They were forced to see their problems, and our mistakes helped them see what their problems were," recalled a former CIA executive. "We helped bring to fruition what they theoretically were scared of," said the Capitol Hill staffer. "We scared the shit out of them." Corruption was increasingly seen as the chief threat to the regime at home; as then-Party Secretary Hu Jintao told the Party Congress in 2012, "If we fail to handle this issue well, it could … even cause the collapse of the party and the fall of the state." Even in China's heavily controlled media environment, corruption scandals were breaking daily, tainting the image of the CCP among the Chinese people. Party corruption was becoming a public problem, acknowledged by the CCP leadership itself.
But privately, US officials believe, Chinese leaders also feared the degree to which corruption had allowed the CIA to penetrate its inner circles. The CIA's incredible recruiting successes "showed the institutional rot of the party," said the former senior CIA official. "They ought to [have been] upset." The leadership realized that unchecked corruption wasn't just an existential threat for the party at home; it was also a major counterintelligence threat, providing a window for enemy intelligence services like the CIA to crawl through.
This was a global problem for the CCP. Corrupt officials, even if they hadn't been recruited by the CIA while in office, also often sought refuge overseas—where they could then be tapped for information by enterprising spy services. In late 2012, party head Xi Jinping announced a new anti-corruption campaign that would lead to the prosecution of hundreds of thousands of Chinese officials. Thousands were subject to extreme coercive pressure, bordering on kidnapping, to return from living abroad. "The anti-corruption drive was about consolidating power—but also about how Americans could take advantage of [the corruption]. And that had to do with the bribe and promotion process," said the former senior counterintelligence official.
The 2013 leaks from Edward Snowden, which revealed the NSA's deep penetration of the telecommunications company Huawei's China-based servers, also jarred Chinese officials, according to a former senior intelligence analyst. "Chinese officials were just beginning to learn how the internet and technology has been so thoroughly used against them, in ways they didn't conceptualize until then," the former analyst said. "At the intelligence level, it was driven by this fundamental [revelation] that, 'This is what we've been missing: This internet system we didn't create is being weaponized against us.'"
There were other ripple effects. By the late 2000s, US intelligence officials had observed a notable professionalizing of the Ministry of State Security, China's main civilian intelligence agency. Before Xi's purges, petty corruption within the agency was ubiquitous, former US intelligence officials say, with China's spies sometimes funneling money from operations into their own "nest eggs"; Chinese government-affiliated hackers operating under the protection of the Ministry of State Security would also sometimes moonlight as cybercriminals, passing a cut of their work to their bosses at the intelligence agency.
Under Xi's crackdown, these activities became increasingly untenable. But the discovery of the CIA networks in China helped supercharge this process, said current and former officials—and caused China to place a greater focus on external counterespionage work. "As they learned these things," the Chinese realized they "needed to start defending themselves," said the former CIA executive.
By about 2010, two former CIA officials recalled, the Chinese security services had instituted a sophisticated travel intelligence program, developing databases that tracked flights and passenger lists for espionage purposes. "We looked at it very carefully," said the former senior CIA official. China's spies "were actively using that for counterintelligence and offensive intelligence. The capability was there and was being utilized." China had also stepped up its hacking efforts targeting biometric and passenger data from transit hubs, former intelligence officials say—including a successful hack by Chinese intelligence of biometric data from Bangkok's international airport.
To be sure, China had stolen plenty of data before discovering how deeply infiltrated it was by US intelligence agencies. However, the shake-up between 2010 and 2012 gave Beijing an impetus not only to go after bigger, riskier targets, but also to put together the infrastructure needed to process the purloined information. It was around this time, said a former senior NSA official, that Chinese intelligence agencies transitioned from merely being able to steal large datasets en masse to actually rapidly sifting through information from within them for use. US officials also began to observe that intelligence facilities within China were being physically co-located near language and data processing centers, said this person.
For US intelligence personnel, these new capabilities made China's successful hack of the US Office of Personnel Management (OPM) that much more chilling. During the OPM breach, Chinese hackers stole detailed, often highly sensitive personnel data from 21.5 million current and former US officials, their spouses, and job applicants, including health, residency, employment, fingerprint, and financial data. In some cases, details from background investigations tied to the granting of security clearances—investigations that can delve deeply into individuals' mental health records, their sexual histories and proclivities, and whether a person's relatives abroad may be subject to government blackmail—were stolen as well. Though the United States did not disclose the breach until 2015, US intelligence officials became aware of the initial OPM hack in 2012, said the former counterintelligence executive. (It's not clear precisely when the compromise actually happened.)
When paired with travel details and other purloined data, information from the OPM breach likely provided Chinese intelligence potent clues about unusual behavior patterns, biographical information, or career milestones that marked individuals as likely US spies, officials say. Now, these officials feared, China could search for when suspected US spies were in certain locations—and potentially also meeting secretly with their Chinese sources. China "collects bulk personal data to help it track dissidents or other perceived enemies of China around the world," Evanina, the top US counterintelligence official, said.
Many felt the ground give way immediately. For some at the CIA, recalled Gail Helt, a former CIA China analyst, the reaction to the OPM breach was, "Oh my God, what is this going to mean for everybody who had ever traveled to China? But also what is it going to mean for people who we had formally recruited, people who might be suspected of talking to us, people who had family members there? And what will this mean for agency efforts to recruit people in the future? It was terrifying. Absolutely terrifying." Many feared the aftershocks would be widespread. "The concern just wasn't that [the OPM hack] would curtail info inside China," said a former senior national security official. "The US and China bump up against each other around the world. It opened up a global Pandora's box of problems."
Others were more resigned, if no less disturbed. "You operate under the assumption that good tradecraft"—and not the secrecy provided, in theory, by cover—"will protect your assets and operations," said Duyane Norman, a former senior CIA official. "So OPM wasn't some kind of eye-opener. It was confirmation of new threats we already knew existed."
There were other bad omens. During this same period, US officials concluded that Russian intelligence officials, likely exploiting a difference in payroll payments between real State Department employees and undercover CIA officers, had identified some of the CIA personnel working at the US Embassy in Moscow. Officials thought that this insight may have come from data derived from the OPM hack, provided by the Chinese to their Russian counterparts. US officials also wondered whether the OPM hack could be related to an uptick in attempted recruitments by Chinese intelligence of Chinese American translators working for US intelligence agencies when they visited family in China. "We also thought they were trying to get Mandarin speakers to apply for jobs as translators" within the US intelligence community, recalled the former senior counterintelligence official. US officials believed that Chinese intelligence was giving their agents "instructions on how to pass a polygraph."
But after the OPM breach, anomalies began to multiply. In 2012, senior US spy hunters began to puzzle over some "head-scratchers": In a few cases, spouses of US officials whose sensitive work should have been difficult to discern were being approached by Chinese and Russian intelligence operatives abroad, according to the former counterintelligence executive. In one case, Chinese operatives tried to harass and entrap a US official's wife while she accompanied her children on a school field trip to China. "The MO is that, usually at the end of the trip, the lightbulb goes on [and the foreign intelligence service identifies potential persons of interest]. But these were from day one, from the airport onward," the former official said.
Worries about what the Chinese now knew precipitated an intelligence community-wide damage assessment surrounding the OPM and other hacks, recalled Douglas Wise, a former senior CIA official who served as deputy director of the Defense Intelligence Agency from 2014 to 2016. Some worried that China might have purposefully and secretly altered data in individuals' OPM files to later use as leverage in recruitment attempts. Officials also believed that the Chinese might sift through the OPM data to try to craft the most ideal profiles for Chinese intelligence assets seeking to infiltrate the US government—since they now had granular knowledge of what the US government looked for, and what it didn't, while considering applicants for sensitive positions. US intelligence agencies altered their screening procedures to anticipate new, more finely tuned Chinese attempts at human spying, Wise said.
The Chinese now had unprecedented insight into the workings of the US system. The United States, meanwhile, was flying with one eye closed when dealing with China. With the CIA's carefully built network of Chinese agents utterly destroyed, the debate over how to handle China would become increasingly contentious—even as China's ambitions grew.
Zach Dorfman is senior staff writer at the Aspen Institute's Cybersecurity and Technology Program and a senior fellow at Carnegie Council for Ethics in International Affairs. Follow him on Twitter: @zachsdorfman.
Disclaimer: This article first appeared on ForeignPolicy.com, and is published by special syndication arrangement.