The FBI’s Dangerous Failure to Adapt to the Digital Age

Susan Landau
Monday, July 7, 2025, 10:28 AM

U.S. adversaries are exploiting technology to expose FBI operations, revealing the Bureau’s failure to respond to a networked world.

The FBI headquarters building in Washington, 2012. (Library of Congress; Public Domain)

Published by The Lawfare Institute
in Cooperation With
Brookings

In 2011 Hezbollah apprehended a group of CIA informants based in Beirut. After obtaining access to Lebanon’s phone providers’ records—not exactly difficult for the terrorist organization that effectively controlled large portions of Beirut—Hezbollah was able to find “interesting” patterns of small sets of people who communicated exclusively with one another. In the intelligence world, these patterns can easily be used to identify agents connecting with informants. 

For over two decades, the U.S. had been using similar types of investigative techniques in Afghanistan and Iraq; it should have been no surprise that U.S. adversaries had adopted these methods to flush out their foes. The surprise was that the CIA had lacked the foresight to anticipate this, employing poor intelligence tradecraft that left agents vulnerable. Now, a recent report by the U.S. Department of Justice Office of the Inspector General (OIG) shows that today a different intelligence institution—the FBI—is similarly falling short in its efforts to adapt to novel adversarial threats enabled by technological transformation.

U.S. adversaries have turned the highly networked world the U.S. has built against it. Iranian hackers exploited data from Israeli home security cameras to improve missile targeting. The Russians used a similar technique in targeting sites in Kyiv. These foes may lack the ability to create new technologies, but they’re every bit as capable of exploiting the technology the U.S. developed. And now they’re playing David to the U.S.’s Goliath. Yet despite the 2011 loss of informants in Beirut, the current Iranian use of Israeli home security cameras, and all the examples in between, the FBI does not seem to have learned its lesson. 

The OIG report concluded that the FBI has failed to handle the threat of ubiquitous technical surveillance (UTS) inherent to our internet-connected society. The report follows an earlier December 2022 OIG memo that described FBI responses to UTS as “disjointed and inconsistent” and informed the bureau that its training efforts needed to be improved. Two-and-a-half years later, neither problem had been appropriately remedied. An FBI “red team” established to identify vulnerabilities created by new surveillance technologies failed to include already known ones. Meanwhile, current bureau practice for handling the UTS concern neglects to sufficiently leverage current agency expertise. The FBI’s failure to mitigate the risks of UTS points to a larger inability to adapt to the digital age—a shift that is long overdue. 

The UTS Problem

This is not just a hypothetical danger. Failure to adapt intelligence strategies to an increasingly networked world puts lives at risk. Agents and informers will be killed—indeed, they already have been. According to the OIG report:

In 2018, while the FBI was working on the “El Chapo” drug cartel case, an individual connected to the cartel contacted an FBI case agent. This individual said that the cartel had hired a “hacker” who offered a menu of services related to exploiting mobile phones and other electronic devices. According to the individual, the hacker had observed people going in and out of the United States Embassy in Mexico City and identified “people of interest” for the cartel, including the FBI Assistant Legal Attache (ALAT), and then was able to use the ALAT’s mobile phone number to obtain calls made and received, as well as geolocation data, associated with the ALAT’s phone. According to the FBI, the hacker also used Mexico City’s camera system to follow the ALAT through the city and identify people the ALAT met with. According to the case agent, the cartel used that information to intimidate and, in some instances, kill potential sources or cooperating witnesses. 

Current training against the threat is inadequate. Advanced UTS courses offered by the FBI are optional—so not all personnel who should take them do—and overenrolled. Lack of training means agents and sources can end up in exceedingly dangerous situations. While much of the OIG’s report is classified, one part that isn’t includes this chilling vignette:

The leader of an organized crime family suspected an employee of being an FBI informant. To confirm this suspicion, the leader went through the call logs for the suspected employee’s cell phone looking for phone numbers that may be connected to law enforcement. An online search of one of the phone numbers [redacted].

One doesn’t have to have seen very many Hollywood movies to guess how this scene ended. It’s a situation that could—and should—have been avoided. 

Currently all FBI personnel take a 45-minute UTS course that they must repeat every two years. This is woefully inadequate. I work in cybersecurity policy. I know that understanding the proper use of Signal, Tor, Apple’s Advanced Data Protection, and other security-enhancing technologies takes hours and days, not 45 minutes once every two years. Understanding what can go wrong can take even longer. 

The OIG report emphasizes that improvement in FBI personnel training in UTS risks is critical. This is an understatement. Fully understanding the risks associated with UTS will have multiple benefits: Not only will FBI personnel and the bureau’s work be more secure against threats, but in the process agency personnel will also gain a more nuanced and deeper understanding of the security threats faced by the U.S. at home and abroad. Such knowledge should improve the FBI’s abilities in its public safety role. 

Adapting to the Digital Age

New technologies often present challenges, but in the case of the FBI and the digital age, the problem has been extreme. The bureau’s attempt in the early 2000s to update its Automated Case Support system to a Virtual Case File system failed—at a cost of $170 million. The failure occurred in part because FBI senior management did not recognize that such a shift involved something far more extensive than simply redoing manila files in electronic form. The digital age transformed investigations themselves; these days, at least 90 percent of evidence has a digital component. Developing the new case system was an opportunity to align with that fundamental shift in investigative processes. But as if the changes were only a technical makeover, FBI leadership left the remake—which should have been a whole-of-organization effort—to the agency’s chief information officer. The opportunity for meaningful change was therefore lost. 

A similar failure to anticipate the sweeping changes of the digital age led to the ill-advised Communications Assistance for Law Enforcement Act (CALEA), which requires that wiretap capabilities be built into digital phone switches. Salt Typhoon, the Chinese government cyber exploit into U.S. telecommunications systems uncovered last fall, penetrated the CALEA databases of U.S. government requests for communications data. Thus, Beijing learned which of their spies had been exposed—a counterintelligence coup. And the FBI’s long-standing opposition to widespread public access to end-to-end encryption, which secures communications so that only the sender and the receiver can view the unencrypted message, stems from the bureau’s dangerous misreckoning of the security and privacy threats of the digital age—dangers that Salt Typhoon laid bare. In the wake of those attacks, Australia, Canada, New Zealand, and the U.S. have now issued guidance on securing communications, including “[e]nsur[ing] that traffic is end-to-end encrypted to the maximum extent possible.” But the FBI should have recognized the seriousness of such threats far earlier—and that risk meant access to ubiquitous strong encryption is necessary for everyone, not just agents. 

The FBI’s failure to adjust to the digital age stands in sharp contrast to the National Security Agency’s (NSA’s) transformation in the late 1990s. By then it had become clear that the signal-intelligence agency’s ability to break encrypted communications was increasingly at risk (the polite description of this was “going deaf”). NSA pivoted to focus on computer network exploitation, that is, intelligence collection by extracting data from computer networks. As the Snowden disclosures demonstrated, that pivot was remarkably successful—and demonstrates that adaptation is possible.

***

The FBI has failed to ensure that agents, informers, and the bureau itself are secure in an era of ubiquitous technical surveillance, a problem requiring immediate attention. But the crisis is part of a larger failure far too important to ignore: the failure to recalibrate for the digital age. A coherent understanding of the bureau’s mission in a globalized, networked world is long overdue. The current crisis points to the critical need for the FBI to appropriately address these transformative changes—even if it is three decades too late.



Susan Landau is Professor of Cyber Security and Policy in Computer Science, Tufts University. Previously, as Bridge Professor of Cyber Security and Policy at The Fletcher School and School of Engineering, Department of Computer Science, Landau established an innovative MS degree in Cybersecurity and Public Policy joint between the schools. She has been a senior staff privacy analyst at Google, distinguished engineer at Sun Microsystems, and faculty at Worcester Polytechnic Institute, University of Massachusetts Amherst, and Wesleyan University. She has served on various boards at the National Academies of Sciences, Engineering, and Medicine and for several government agencies. She is the author or co-author of four books and numerous research papers. She has received the USENIX Lifetime Achievement Award, shared with Steven Bellovin and Matt Blaze, and the American Mathematical Society's Bertrand Russell Prize.