This manual provides doctrinal guidance, techniques, and procedures for the employment of counterintelligence (CI) special agents in the Army. It outlines—
• CI investigations and operations.
• The CI special agent’s role within the intelligence warfighting function.
• The importance of aggressively countering foreign intelligence and security services (FISS) and international terrorist organizations (ITO).
• The roles and responsibilities of those providing command, control, and technical support to CI investigations and operations.
• The need for effective dissemination of CI reports and products and the importance of cross-cueing other intelligence disciplines.
• The significance of cultural awareness as a consideration to counter the foreign intelligence threat.
This manual expands upon the information in FM 2-0 and supersedes FM 34-60. It is consistent with doctrine in FM 3-0, FM 5-0, FM 100-15, and JP 2-0. When published, FM 2-22.2 will provide further information on CI activities when Army forces are employed in tactical operations.
1-1. CI focuses on negating, mitigating, or degrading the foreign intelligence and security services (FISS) and international terrorist organizations (ITO) collection threat that targets Army interests through the conduct of investigations, operations, collection, analysis, production, and technical services and support.
1-2. CI analyzes the threats posed by FISS and the intelligence activities of nonstate actors such as organized crime, terrorist groups, and drug traffickers. CI analysis incorporates all-source information and the results of CI investigations and operations to support a multidiscipline analysis of the force protection threat.
COUNTERINTELLIGENCE SPECIAL AGENT
1-3. The CI special agent has the distinct mission of detecting, identifying, countering, and neutralizing FISS and ITO threats directed towards the Army through the execution of all CI functions. CI special agents should not be confused with human intelligence (HUMINT) collectors, military occupational specialty (MOS) 35M, and warrant officer (WO) area of concentration (AOC) 351M. They are specifically trained and certified for, tasked with, and engage in the collection of information from individuals (HUMINT sources) for the purpose of answering HUMINT-specific requirements. Although CI and HUMINT personnel may use similar methods, their missions are separate and distinct. Commanders should not use them interchangeably. Using CI personnel for HUMINT missions degrades the Army’s ability to protect its forces, information, and critical technology that provides the Army operational and technological superiority over existing and future adversaries.
1-17. The mission of Army CI is to conduct aggressive, comprehensive, and coordinated operations, investigations, collection, analysis and production, and technical services. This CI mission is conducted worldwide to detect, identify, assess, counter, exploit, or neutralize the FISS and ITO collection threat to the Army and DOD to protect the lives, property, or security of Army forces. Army CI has four primary mission areas:
• Counterespionage (CE).
• Support to protection.
• Support to research and technology protection (RTP).
• Cyber CI.
1-18. CE detects, identifies, counters, exploits, or neutralizes the FISS and ITO collection threat targeting Army and DOD equities or U.S. interests. CE programs use both investigations and collection operations to conduct long-term operations to undermine, mitigate, or negate the ability of FISS and ITO to collect effectively on Army equities. CE programs also affect the adversarial visualization and decisionmaking concerning the plans, intentions, and capabilities of U.S. policy, goals, and objectives. The goal of CE is to—
• Limit the adversary’s knowledge of U.S. forces, plans, intentions, and capabilities through information denial.
• Limit the adversary’s ability to target effectively U.S. forces by disrupting their collection capability.
COUNTERINTELLIGENCE SUPPORT TO PROTECTION
1-19. CI support to protection ensures the survivability and mission accomplishment of Army and DOD forces.
1-20. CI’s objective in supporting protection is to—
• Limit the compromise and exploitation of personnel, facilities, operations, command and control (C2), and operational execution of U.S. forces.
• Negate, mitigate, or degrade adversarial planning and targeting of U.S. forces for exploitation or attack.
• Support the war on terrorism.
SUPPORT TO RESEARCH AND TECHNOLOGY PROTECTION
1-21. Support to RTP is focused on preventing the illegal diversion or loss of critical technology essential to the strategic advantage of the U.S.
1-22. CI’s objective in supporting RTP is to—
• Protect critical technology information from adversarial countermeasures development.
• Ensure U.S. technological overmatch against existing and future adversaries.
1-23. Cyber CI protects information networks and provides an offensive exploitation capability against adversarial networks to ensure information superiority of U.S. forces.
1-24. CI’s objective in conducting cyber CI activities is to—
• Maintain U.S. forces information dominance and superiority over existing and future adversaries.
• Protect critical information networks from adversarial attack or exploitation.
• Undermine adversarial information operations, systems, and networks.
COUNTERINTELLIGENCE INVESTIGATION OBJECTIVES
2-4. CI investigations are essential to counter threat collection efforts targeting Army equities. CI places emphasis on investigative activity to support force and technology protection, homeland defense, information assurance, and security programs. CI investigations focus on resolving allegations of known or suspected acts that may constitute national security crimes under U.S. law or the Uniform Code of Military Justice (UCMJ).
2-5. The initial objective of CI investigations is to identify people, organizations, and other entities engaging in national security crimes and to determine the full nature and extent of damage to national security. The intent is to develop information of sufficient value to permit its use in the appropriate civil or military court. However, investigations should not be limited to the production of evidence. Investigative reports should include all relevant information as it pertains to the person or incident involved in the investigation. CI investigations are conducted to—
• Identify people, organizations, and other entities engaging in national security crimes that impact Army equities.
• Determine the full nature of national security crimes within the authority and jurisdiction of Army CI.
• Prove or disprove allegations or indications that person or persons are engaged in national security crimes or incidents of CI interest.
• Prevent the loss, control, or compromise of sensitive or classified defense information and technology.
• Protect the security of Army personnel, information, operations, installations, and technology.
• Acquire and preserve evidence used to support exploitation, prosecution, or any other legal proceedings or punitive measures resulting from CI investigations.
• Detect and identify terrorist activities that may present a threat to Army, DOD, and national security.
2-6. CI investigations must conform to applicable U.S. laws and DOD and DA regulations. CI special agents must report information accurately and completely. They maintain files and records to allow transfer of an investigation without loss of control or efficiency. Coordination with other CI or law enforcement organizations ensures that investigations are conducted as rapidly as possible. It also reduces duplication and assists in resolving conflicts when jurisdictional lines are unclear or overlap. CI investigative activity must be discreet, ensuring the rights and privacy of individuals involved, as well as the preservation of all investigative prerogatives. This is required to protect the rights of individuals and to preserve the security of investigative techniques.
2-7. CI special agents need to have a thorough understanding of all investigative techniques and planning, approval processes, and legal requirements before requesting and initiating any type of CI investigative activity. A lack of understanding in any one of these areas may potentially invalidate any investigation from a prosecutorial standard and may jeopardize the ability to exploit a threat to the United States.
2-12. Army CI has investigative primacy for the national security crimes and incidents of CI interest listed below when they are committed by persons identified as subjects. If either the subject, potential subject, incident, or crime falls outside Army CI jurisdiction, Army CI may still retain joint investigative responsibilities.
• Aiding the enemy by providing intelligence to the enemy.
• Terrorism activities or materiel support to a known or suspected terrorist organization or person (DCS G-2, G-2 Memorandum (S//NF), 24 August 2005).
• Incidents of CI interest.
INCIDENTS OF COUNTERINTELLIGENCE INTEREST
2-17. The following is not an all-inclusive list of incidents of CI interest:
• The activities of ITO or material support to an ITO or person. Terrorist organizations are specified in DCS, G-2 Memorandum (S//NF), dated 13 February 2007, Operational Planning List (OPL) 2005 (U), as revised.
• Unreported contact with foreign government personnel, persons or groups involved in foreign terrorism or intelligence, or unauthorized requests for classified or sensitive unclassified information.
• Unauthorized disclosure of classified information or material. Not all incidents in this category may meet the threshold for a CI investigation. However, those that do will often include other indicators of espionage that are identified associated with the incident or when there are acts which are known methods of operations of FISS and ITO entities. Investigations are conducted to ascertain those entities involvement. CI special agents may also act to secure classified material and to determine if the actions of the subject were an act of omission or commission. The command requirements to report compromises or conduct inquiries as specified in AR 380-5, chapter VI, may also apply to these incidents.
• Matters developed as a result of counterintelligence scope polygraph (CSP) examination as specified in AR 381-20.
• Military personnel or DAC employees who perform unofficial travel to those countries designated in the operational planning list, who have unauthorized contact with official representatives of foreign countries, or who contact or visit foreign diplomatic facilities without authorization.
• Attempts by authorized users of information systems to gain unauthorized access.
• Known, suspected or attempted intrusions into classified or unclassified information systems when there is reasonable suspicion of foreign involvement or it has not been ruled out.
• Unauthorized removal of classified material or possession of classified material in unauthorized locations.
• Special category absentees (SCAs), which include those absent without leave (AWOL), deserters defectors, and military absentees who have had access to TS, SCI, SAP information, or TS cryptographic access or an assignment to a special mission unit within the year preceding the absence. CI special agents will conduct investigations of the circumstances surrounding the absences of SCA personnel using the guidelines presented in this manual.
• Army military, civilian, or overseas contractor personnel declared AWOL and deserters who had access within the preceding year to TS, SCI, critical military technology as defined in AR 381-20, chapter 7, SAPs; personnel who were assigned to a special mission unit; personnel in the DA Cryptographic Access Program (DACAP); and personnel with access to critical nuclear weapons design technology.
• Army military, civilian, or overseas contractor personnel who go absent without authority, AWOL, or deserters who do not have assignments or access; however, there are indications of FISS and ITO contact or involvement in their absence.
• DA military and civilian personnel who defect and those persons who are absent without authorization and travel to or through a foreign country other than the one in which they were stationed or assigned.
• DA military and civilian personnel detained or captured by a government, group, or adversary with interests inimical to those of the United States. Such personnel will be debriefed upon return to U.S. control.
• Attempted or actual suicide or suspicious death of a DA member if they have an intelligence background, were assigned to an SMU, or had access to classified information within the year preceding the incident, or where there are indications of FISS and ITO involvement.
• Suspected or actual unauthorized acquisition or illegal diversion of military critical technology, research and development information, or information concerning an Army acquisition program. If required, Army CI will ensure all appropriate military and civilian intelligence and LEAs are notified. Army CI will also ensure Army equities are articulated and either monitor the status of the agency with primary jurisdiction or coordinate for joint investigative authority.
• Impersonation of intelligence personnel or unlawful possession or use of Army intelligence identification, such as badge and credentials.
• Communications security (COMSEC) insecurities, except those which are administrative in nature. (See AR 380-40, chapter 7.)
• Suspected electronic intrusions or eavesdropping devices in secure areas which could be used for technical surveillance. DA personnel discovering such a device will not disturb it or discuss the discovery in the area where the device is located.
• Willful compromise of clandestine intelligence personnel and CI activities.
DECEPTION IDENTIFICATION AND DETECTION (BIOMETRICS)
6-38. Biometrics as a characteristic is a measurable biological and behavioral characteristic that can be used for automated recognition. Biometrics as a process is an automated method of recognizing a person based on a physiological or behavioral characteristic. Among the features measured are face, fingerprints, hand geometry, handwriting, iris, retinal, vein, and voice. Biometric technologies are becoming the foundation of an extensive array of highly secure identification and personal verification solutions. As the level of security breaches and transaction fraud increases, the need for highly secure identification and personal verification technologies is becoming apparent.
6-39. Identification specific mission areas that CI detection and identification processes and technologies support include, but are not limited to, the following:
• Countering foreign intelligence through the detection, identification, and neutralization of espionage activities.
• Support to military readiness and conduct of military operations through protection, including—
• Surveillance of air, land, or sea areas adjacent to deployed U.S. forces, sufficient to provide maximum warning of impending attack.
• Indication of hostile intelligence penetration or attempts at penetration.
• Support to law enforcement efforts to suppress CT.
• Identification and affiliation of terrorist groups.
• Assessment of group capabilities, including strengths and weaknesses.
• Locations of terrorist training camps or bases of operations.
• Weapons and technologies associated with identified terrorist elements.
6-43. Computer forensics is conducted to—
• Discover and recover evidence related to espionage, terrorism, or subversion against the Army.
• Develop CI investigative leads.
• Collect and report intelligence.
• Support exploitation efforts.
6-44. Processing and examining digital media evidence is a tedious and time-consuming process which requires specialized training and equipment. Failure to properly process and examine digital media evidence could corrupt the evidence or yield the evidence inadmissible during future legal proceedings. Due to the complexities of cyber investigations, computer forensics support to CI investigations will only be conducted by specially trained and qualified personnel assigned to cyber CI elements in each theater.
6-45. Requests for computer forensic support will be made through the appropriate ATCICA. Requests for assistance will include detailed descriptions of the digital media evidence to be seized and examined and will be germane to the approved CI investigative objectives.
6-46. Every CI special agent is responsible for identifying the need for computer forensics support to their investigations. Computer forensics examinations involve a methodical process which, depending on the size and complexity of the digital media evidence, may take a significant amount of time to complete. Computer forensic operations cannot be rushed and therefore investigative time lines may need to be adjusted to accommodate the time required to complete the support. If a CI special agent is in doubt about the capabilities of, or when to leverage, cyber CI units, the agent should contact his ATCICA for guidance.
COUNTERINTELLIGENCE NETWORK INTRUSION INVESTIGATIONS
7-10. CI network intrusion investigations involve collecting, processing, and analyzing evidence related to adversarial penetrations of Army information systems. These specialized CI investigations are generally conducted independently of other traditional CI investigations. However, given the jurisdictional issues which involve the Internet, network intrusion investigations may require coordination with other U.S. and foreign government intelligence and law enforcement entities.
7-11. Threats to Army information systems can range from exploitation of vulnerabilities in information systems which allow adversaries to penetrate Army computers and collect critical information, to trusted insiders who either willingly or unwittingly enable adversarial forces to exploit these critical infrastructure resources. Any adversary with the motive, means, opportunity, and intent to do harm poses a potential threat. Threats to Army information resources may include disruption, denial degradation, ex-filtration, destruction, corruption, exploitation, or unauthorized access to computer networks and information systems and data. Cyber CI units are uniquely qualified to investigate and counter these threats.
7-12. All CI network intrusion investigations will be coordinated, to the extent necessary, with the USACIDC, specifically the Cyber Criminal Investigations Unit (CCIU). This coordination is necessary to ensure that investigative activities are not duplicated and that each organization does not impede or disrupt each other’s investigative or prosecutorial options.
7-13. A CI network intrusion investigation may be initiated under, but not necessarily be limited to, the following circumstances:
• Known, suspected, or attempted intrusions into classified or unclassified information systems by unauthorized persons.
• Incidents which involve intrusions into systems containing or processing data on critical military technologies, export controlled technology, or other weapons systems related RDT&E data.
• Intrusions which replicate methods associated with foreign intelligence or adversary collection or which involve targeting that parallels known foreign intelligence or adversary collection requirements.
7-14. The purpose for conducting a CI network intrusion investigation will be to—
• Fully identify the FISS and ITO entity involved.
• Determine the FISS and ITO objectives.
• Determine the FISS and ITO tools, techniques, and procedures used.
• Assist the appropriate authorities with determining the extent of damage to Army and Department of Defense equities.
7-32. The trusted insider is the most serious threat to DOD information systems security. The following list of indicators that could be associated with an insider threat should be addressed during threat briefings to CI customers:
• Unauthorized attempts to elevate privileges.
• Unauthorized sniffers.
• Suspicious downloads of sensitive data.
• Unauthorized modems.
• Unexplained storage of encrypted data.
• Anomalous work hours and/or network activity.
• Unexplained modification of network security-related operating system settings.
• Unexplained modification of network security devices such as routers and firewalls.
• Malicious code that attempts to establish communication with systems other than the one which the code resides.
• Unexplained external physical network or computer connection.
• Unexplained modifications to network hardware.
• Unexplained file transfer protocol (FTP) servers on the inside of the security perimeter.
• Unexplained hardware or software found on internal networks.
• Network interface cards that are set in a “promiscuous” or “sniffer” mode.
• Unexpected open maintenance ports on network components.
• Any unusual activity associated with network-enabled peripheral devices, such as printers and copiers.