Management lessons from the espionage of Ana Montes

The recurring media coverage of cyber attacks on the U.S. public and private sectors have undoubtedly advanced the rapid growth of IT security industry solutions for predicting, preventing, and responding to cyber threats. Reliable IT systems and infrastructure are crucial to the successful management, stability, and growth of most American companies.

A major data compromise can be damaging to profits, prestige, and strategy, not to mention disastrous to a company’s competitive edge and downright embarrassing. Add the risk of a potential Snowden insider to the threat of a cyber attack, and American businesses can hardly be blamed for perceiving computer vulnerabilities to be the biggest risk to company security and in turn focusing their risk management efforts and spending on IT security.

As companies shop for expensive IT security software packages, hire information assurance specialists, or enter into contracts with IT security firms to provide up-to-date cyber threat intelligence, they should not overlook the threats posed to company data from traditional espionage tradecraft. Not even the most robust computer security measures or the latest behavioral analytic/machine learning algorithms can defeat the insider who does not rely on a computer or the exploitation of to steal company information. In this respect, the espionage case of Ana Montes provides important lessons for every business.

In 1984, Montes worked as a paralegal at the Department of Justice while attending Johns Hopkins University as a part-time graduate student. At the university, Montes’ outspoken views against U.S. policy in Latin America caught the attention of a fellow student who happened to be an access agent for the Cuban Intelligence Service. Identifying potential Cuban interest in Montes for the country’s clandestine war with the United States, the agent arranged to introduce her to Cuban intelligence officers in New York City. At this meeting, Montes impressed the Cuban intelligence officers with her views against U.S. foreign policy and sympathy toward the Cuban cause. It was clear to the Cubans that they had found a comrade.

[ ALSO  ON CSO: 7 of the most famous spies ]

An intelligence service typically recruits spies because of their access to information, organizations, or people of interest. Montes at the time, however, did not have access to information of significant interest. The Cubans rolled the dice and recruited her anyway seeing potential for her to acquire future access. The gamble paid off. In 1985, Montes began work as an intelligence analyst at the Defense Intelligence Agency (DIA) and eventually assumed responsibility for the DIA’s Cuba portfolio.

For the next 16 years, while rising through the ranks of DIA, Montes leveraged her access to classified information to steal U.S. government secrets for the Cubans. Despite her lack of access when she was recruited, as a DIA analyst Montes became uniquely positioned to provide significant insight into U.S. military knowledge of Cuba’s armed forces and advanced warning of U.S. operations that might affect the island nation. It should come as no surprise that the Cubans held Montes in high regard.

Other than reimbursements for some miscellaneous expenses, Montes took no money from the Cubans while working for them. She also never brought a document out of DIA to give to her handlers. Instead she remembered details of classified documents she read and then typed up the information on her own personal computer at home. She was also careful not to seek information she did not have a need to know, thereby avoiding the risk of raising her profile among her colleagues and employer. By employing this tradecraft, Montes was able to continue her clandestine relationship for many years until a colleague reported to security a suspicion that Montes may be under the influence of Cuban intelligence.

While this report did not spell the end for Montes, it was the first sign something might be amiss. More clues would follow. Once investigators started piecing together information pointing to Montes as a potential spy, a picture of her espionage career developed, revealing the double life she was living. She was arrested in September 2001, pled guilty, and was sentenced to 25 years’ imprisonment. According to a Department of Defense counterintelligence official, Montes was caught because “we got lucky.”

What are the lessons for the private sector? Like Montes, a prospective employee could be applying for a company position because of the access it will provide and not because of any special desire to advance her career or join the company. Montes did not become disgruntled on the job and decide to take revenge. She targeted DIA for the information she could steal. While she explored other employment opportunities in addition to DIA, her raison d’être for getting any job was to obtain access to information that could help the Cuban government.

The Montes case also demonstrates that adversaries with intentions to steal company information can be anywhere. While we envision spies being recruited by intelligence officers in dark corners of the world, Montes was spotted in a “safe,” open academic environment in the United States by a fellow student, who was also a Cuban spy. From there, Montes was introduced to the world of espionage. For an American business with secrets to keep, it is important to recognize that employees with no apparent history of contact with adversaries or competitors could have come under the spell of espionage in unsuspecting ways and in nonthreatening locations.

Montes also proves the exception to the notion that spies are motivated by money and greed. Although money may not be the driving force in an espionage relationship, it is generally expected to play some role. Montes was instead motivated by ideological beliefs, a rarity today in traditional espionage cases. Because money and greed played no role, Montes did not exhibit traits common to many spies, such as financial vulnerabilities. Similarly, by not taking money, Montes denied counterintelligence investigators the financial evidentiary trail sometimes used to uncover espionage. During her 16 years as a spy, Montes continued to live frugally within the means her government salary provided. A spy within the midst of an American company with purely ideological or nationalistic motivations could be just as difficult to find.

The most important lesson American businesses can learn from the Montes case is that IT security measures will not be enough to prevent the determined insider and a sophisticated intelligence service or competitor from stealing corporate secrets. Montes never removed documents from DIA. She never copied documents to a thumbdrive or CD, never sent them out by e-mail, or downloaded malicious software to open DIA systems to electronic exfiltration. Instead, she relied solely on her required access and memory to steal classified information and give it to the Cubans.

[ ALSO ON CSO: Review: Hot new tools to fight insider threats ]

Although this method may have resulted in a slower trickle of information for the Cubans, it allowed Montes to remain undetected inside the walls of DIA for 16 years. As a result, she could continually acquire significant information as it became available and did not run the risk of early detection and loss of access that could have occurred had she pilfered one large trove of information for the Cubans. There is also some debate as to whether Montes’ position provided her the opportunity to influence U.S. policy toward Cuba. While this has not been proven, such a coup for the Cubans would have been the ultimate payoff and arguably more significant than a one-time batch of information, no matter how large.

As companies increasingly focus on securing their IT infrastructure, they must also recognize that traditional methods of espionage—which is theft, plain and simple—can be just as damaging, if not more so, in the long run to a company’s bottom line. An employee who takes by cyber means risks leaving a forensic trail that can be uncovered if the company is watching and has the right tools in place. Outside cyber penetrations are also preventable and vulnerable to detection. An employee like Montes, however, can keep stealing, year after year, until the company’s luck finally catches up to her or hers runs out, neither of which may happen.

A sophisticated intelligence service understands the benefits of a Montes and will use spies like her when it can find them. The spy-working-in-place will always be preferable to an intelligence service over the one-time take it receives from a cyber dump or careless employee with a thumb drive. Intelligence services are in the game for the long haul and their mission is to acquire information without their agents being caught.

For every new security measure a company puts in place, an intelligence service will look for a way around it. If that means reverting to traditional methods of espionage where computers are not relied on to acquire sensitive information, then that is the road that will be taken. Companies need to recognize these threats and take steps to prevent and uncover the well-run insider, in addition to enhancing their IT security tools. Companies focused on catching the next Snowden or preventing the next cyber attack could be overlooking the quiet employee in the cubicle who is causing grave damage to its future.