Can A Computer Catch A Spy?
Thirty years ago finding a traitor required intuition, a kind of sixth-sensy feeling that something wasn't quite right. Before the Internet, widespread GPS and Google, it required paper trails, human intelligence and gumshoe investigations. Sandy Grimes experienced that firsthand, though almost by accident: She lost a source.
"Working in this kind of business you have a personal relationship with those people who when they agreed to work for the United States government put their lives in our hands," she said, which is why she may have taken it so personally when one of the spies she was running, a KGB official in Lagos, Nigeria, disappeared.
"He didn't appear for the first re-contact, didn't appear for the second re-contact," she said. It turned out he had been arrested, the first in a roster of Soviet double agents who were discovered to be working for the West. "One after another we were losing them," Grimes said, "And you couldn't cut it any other way: We failed them."
The big mystery was whether the agency was dealing with a spy in the ranks or a code breaker in Moscow. Had today's analytics existed back then, it might have sped up the process of discovery. Modern algorithms would have racked and stacked employee locations, found suspicious patterns in their work habits and tracked their movements.
But back then, in the late 1980s as the Cold War was drawing to a close, all the CIA could really count on were seasoned intelligence professionals like Grimes. So, in 1991, the agency launched an investigation called Operation Playactor. It largely comprised a small task force with Grimes, a young Office of Security employee named Dan Payne, a longtime CIA analyst named Jeanne Vertefeuille, and two FBI agents, Special Agent Jim Holt and a Soviet analyst named Jim Milburn. ("We called them Jim Squared," Grimes said.)
The investigation was one that required spreadsheets, paper files and interrogations, and after months of chewing through all those analog tools the team managed to narrow its list down to about 150 CIA employees — far too many people for a small team to suspect or investigate. So they came up with an incredibly unscientific solution: They asked each other to list the names of five or six people at the agency who made them uneasy and then ranked them.
While some of the names on the team lists overlapped, for Grimes there was really only one suspect: someone she had known for years and with whom she'd actually carpooled; someone who had just recently returned from a posting overseas: a man named Aldrich Ames.
The name might ring a bell. As a member of the CIA's Department of Operations responsible for Soviet counterintelligence he became one of the highest-ranking and most damaging spies in U.S. history. And Grimes suspected him for a reason no algorithm would have divined: He just seemed different. "When he came back from Italy in 1989, he was a different human being, truly a different human being," Grimes said, explaining why he topped her list. "It was as if he were surveying his property and it was almost this attitude, 'I know something you don't know.' "
A fishy inventory problem
Around the same time that the Playactor team began its search for a traitor, a data scientist named Jeff Jonas began a new job in Las Vegas. Months earlier he had received a phone call from The Mirage Casino asking if he could build some special software for it. "They said, 'We have an inventory problem,' " Jonas recalled. "And I said, 'Oh, I'm good at inventory systems.' And then they said, 'Good, it's for fish.' "
The Mirage had just opened and already was having a problem it hadn't anticipated: Its landmark 20,000-gallon fish tank was becoming a financial drain. It contained thousands of expensive and rare tropical fish that could not be accounted for. "I think they were spending like a million dollars a year to maintain the fish tank," Jonas said, "and they were trying to keep track of what's eating what."
Jonas ended up creating something that we would now consider one of the early data analytics programs. His software not only tracked the fish but allowed the casino to make better decisions about how it stocked the tank. "I didn't really know at the time that was going to turn into my life's work," Jonas said. Jonas' specialty is matching identities. It began with fish and then moved to people. "Matching identities just happens to be a hard problem," he said.
After Jonas helped the Mirage with its fish program, casinos along the strip began asking him if he could help them modernize their security systems. In the early 1990s, the state of the art for tracking people in Vegas was, literally, a 3-by-5-inch index card. "They were making cards of employees and they would sort it by name and they'd have another set of cards for the same employees sorted by address," Jonas recalled. "It was just like the library but instead of subject, title, author, it would be name, address, phone."
Jonas began by digitizing all those cards, and then he created a system he called Non-Obvious Relationship Awareness, or NORA. "And it kind of earned that name because I started finding stuff that you didn't expect it to find," he said. The system would flag someone at a gaming table who might have had the same phone number as an employee. If someone listed more than one birth date in a lifetime, NORA would identify that, too. "A lot of times data lands and it's no big deal," Jonas said. "But sometimes as data lands it is important." NORA was creating systems that would help focus human attention on those important bits.
Among other things, NORA focused human attention on a group of college students who seemed to be incredibly lucky at the blackjack tables. They weren't cheating, it seemed. But it was odd that so many young players were doing so well. NORA eventually figured out that those young people were counting cards — and were members of the MIT Blackjack Team. (Card counting isn't illegal, but card counters are typically asked to leave the casino. The team created an "investment" company to spot players cash and then distributed their winnings. Eventually its leading players were banned from most casinos.)
Had Grimes and the CIA team known about NORA, it might have been just the thing they needed to help them find and convict their own suspect.
A very analog system
What Grimes had instead was a kind of human NORA equivalent. Among other things, she had had a long personal interaction with Ames. She observed his behavior, up close, long before he ever fell under suspicion, and she could assess what she considered out of the ordinary behavior for a CIA agent. "During the carpool days, he was always late," she said. "He'd come running out of the apartment, the shirt would be hanging out, different-colored socks on. He was a slob."
An episode involving his wife, Rosario, also gave her pause. Rosario had asked a CIA colleague to send her prenatal vitamins when she and Ames were posted in Rome back in 1988. When Grimes ran into the helpful colleague who had sent the vitamins months later, she was wearing a beautiful Gucci scarf. "Where did you get that?" Grimes asked her. The colleague said Ames' wife had sent it to her after receiving the vitamins. "I said, 'Well, that's quite a gift.' "
In isolation, these things would have meant little, but the NORA system in Grimes' head kept pinging at her as the Playactor team interviewed other suspects. One of the questions they asked everyone on their long list — regardless of their ranking on that list — was this: If you were going to spy, or volunteer, how would you do it? Most of the people they talked to saw the question as a mental exercise; Ames was flummoxed by the question. "He was tongue-tied," Grimes said. "Of course we're not saying anything, right? We're sitting there listening. But afterwards we were just in total shock that he found that question uncomfortable."
It became a data point in a very analog system the team had been creating on its agency computers. Payne, the young FBI agent, started getting warrants for Ames' financial statements and bank deposits. Grimes started pulling together a chronology, listing Ames' various CIA assignments, whom he had reported meeting in Italy, the cases he was working on in America. She added other random data points: When did he come in and out of the office? When did he badge out for a smoke?
She put all this into a word processing document on her computer, which in itself presented some challenges. Every single morning when she would log in she would have to wait 20 minutes for it to load to where she had left off. "Every day it was a frustration," she said. "It was mind-numbing."
One of the issues was that for the document to be useful and searchable, it needed to be absolutely consistent. You couldn't write March 7 on one day and then write 03/07 the next. There couldn't be any typos or stray spaces. "At the end of the day, I had to go back and review everything I had typed," Grimes said. "And it could be that little piece of information that makes all the difference."
That attention to detail eventually paid off one morning when Payne arrived in the office with an envelope full of financial statements. He fished some deposit slips out of the folder and then started adding the information to a spreadsheet on his computer. And then, as was their habit, he passed the slips over the cubicle wall to Grimes, who would then scroll down to the correct date in the chronology and add them in.
"I just happened to glance at the line above and I went, 'Oh, my gosh, the day before, lunch with Chuvakhin,' " Grimes said. "And I thought, what a strange coincidence." Sergei Chuvakhin was a Soviet diplomat stationed in Washington. "The second deposit slip comes over the cubicle wall to me." It was a $5,000 deposit in cash made on July 5. Three days earlier the chronology read: Lunch with Chuvakhin. Grimes knit her brow and grabbed the last deposit slip. It was for $8,500 in cash, deposited on July 31. And the chronology showed that on the very same day — Ames had had lunch with Chuvakhin.
"That was it for Sandy," Grimes said, referring to herself by name. "I said, 'You guys won't believe it, this is it — you won't believe it.' " She ran down the hall to tell the head of the CIA's counterintelligence division, Paul Redmond. "I closed the door and I didn't wait for him, I just said, 'It doesn't take a rocket scientist to see what's going on here: Rick is a goddamn Soviet spy.' " (Grimes said she and Redmond are still arguing over her exact words. He says she used a more colorful word, one that Grimes said is one of his favorites.)
"The finest case of insubordination I ever met"
The FBI opened a formal investigation into Ames a short time later; but to build the case the bureau depended on what would seem today to be some incredibly analog things: phone taps, listening devices, stakeouts, airplanes, even trash operations.
"Sometimes you have to drill into the wallboard to put the microphones in," said Robert "Bear" Bryant, who would become deputy director of the FBI and who supervised the Ames investigation. "If you have to go into the drywall, you've got to hook up an electric line, but the hardest thing is to get the drywall to match."
This is the first time Bryant has talked publicly about the Ames case. "We put microphones in his car, in his house; we covered the guy almost from the time he left for work." They even had an airplane in the air following him as he drove from his house in Arlington, Va., not far from Langley. "You had one guy with a set of binoculars and he sits there and he looks at the subject when they're moving," Bryant said. "It's the best way not to lose somebody."
But it was something that Bryant had specifically asked the agents not to do that led them to a break in the case: They did what's known as a "trash cover." "When a person puts their trash out, if it's on public property you can seize that trash and make a search of it," says Bryant. "They did it against my orders."
Then in the fall of 1993, Bryant recalls one of his agents waving a plastic bag with a piece of yellow paper at him as he walked into the office. "I said, 'What the hell is that?' He said, 'We got it out of the trash.' "
It was a note Ames had written to himself about a meeting he was supposed to have with a KGB handler in Bogotá, Colombia. "It was the key to the case, and a big key because we knew where he was going to make a drop. Later, I was asked about it and I said it was the finest case of insubordination I ever met."
A folder in your head
Jonas' non-obvious relationship program in Vegas decades ago has been replaced with something known in the insider threat industry as Entity Resolution. It is an attempt to teach a computer to make the same associations that, without our being fully aware, our brains make almost instantaneously.
Consider the musician Prince. That symbol he used for his name might be one of the first things that came to mind. We don't know how to explain that we associate that symbol with Prince — we just know we do. Then other connections are made: the song "Purple Rain," a purple guitar, a velvet suit.
"All those things you've picked up over time about Prince live in a folder in your head," Jonas explains. "And they came at different times and they were described differently but Entity Resolution rubber-banded [them] together."
What makes Entity Resolution different from traditional algorithms is that instead of chewing through huge datasets to see what it can find, it tries to organize things more like the brain does. It asks: How is a Social Security number like a vehicle identification number or like a serial number on a router? How is a date of birth like a car's make or model? And the way they are the same is they generally all identify a single, discrete thing.
If you find the identical VIN on a roster of cars, the computer notices that and flags it as an anomaly. As the algorithm develops, it might find other things that don't compute. In the case of Ames, it might see that he just paid $400,000 cash for a house but that he makes less than $70,000 a year. The algorithm might flag that as odd, so it probably requires another look.
"Probably the fanciest thing in our algorithm is that it can change its mind about the past," Jonas said. In other words, it can go back in time to see whether a new piece of information suggests a new way to think about what you're analyzing. You see that there is lunch with a Soviet diplomat in D.C. at the end of July; does that raise any questions about those kinds of meetings in the past? Was there a pattern we might have missed?
When Grimes added the deposit slip information to her chronology she happened to glance at the line above and then saw the lunches with the Soviet diplomat. That's an analog version of what Entity Resolution now tries to do.
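The chronology match described above, written out as an added Python example; it is not code from the article, from NORA or from any Entity Resolution product. It normalizes inconsistent date spellings and re-checks records already on file each time a new one lands, so a contact entered late still links back to an earlier deposit. The `Chronology` class, the three-day window, the placeholder year and the June 10 record are assumptions; the July dates and amounts are the ones quoted in the article.

```python
from datetime import datetime, timedelta

YEAR = 2001                  # placeholder: the article gives no year
WINDOW = timedelta(days=3)   # assumed: cash deposit 0-3 days after a contact

def normalize(day_text):
    """Map 'July 5', '07/05' or '7/5' to one canonical date."""
    for fmt in ("%B %d %Y", "%m/%d %Y"):
        try:
            return datetime.strptime(f"{day_text.strip()} {YEAR}", fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognized date: {day_text!r}")

class Chronology:
    """Hypothetical store that re-checks old records as each new one lands."""
    def __init__(self):
        self.contacts, self.deposits, self.flags = [], [], set()

    def _link(self, dep, con):
        # Flag when the deposit falls on or shortly after the contact.
        if timedelta(0) <= dep[0] - con[0] <= WINDOW:
            self.flags.add((dep, con))
            return True
        return False

    def add_contact(self, day_text, who):
        con = (normalize(day_text), who)
        self.contacts.append(con)
        # A late-arriving contact re-examines deposits already on file.
        return [d for d in self.deposits if self._link(d, con)]

    def add_deposit(self, day_text, amount):
        dep = (normalize(day_text), amount)
        self.deposits.append(dep)
        return [c for c in self.contacts if self._link(dep, c)]

def replay():
    """Feed records in arrival order; return what each arrival newly linked."""
    log = Chronology()
    hits = [
        log.add_deposit("06/10", 1200),               # constructed, unrelated
        log.add_deposit("07/05", 5000),               # from the article
        log.add_contact("July 2", "Chuvakhin"),       # lands late, links back
        log.add_contact("July 31", "Chuvakhin"),
        log.add_deposit("7/31", 8500),                # same-day match
    ]
    return log, hits

if __name__ == "__main__":
    log, hits = replay()
    for (d_day, amount), (c_day, who) in sorted(log.flags):
        print(f"${amount:,} cash on {d_day}: contact with {who} on {c_day}")
```

A flag here is only a prompt for an analyst to look at the two records together; it says nothing about why the deposit was made.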
"That's the story of data finds data," Jonas said. "The thing that gets me about the Ames case ... is you have to wait for humans to have questions; you have to wait for bad things to happen. Today what you would do is take a copy of everything on his personal laptop and once they could peek into his bank account, new data emerges."
Humans need lots of time to process that information. Computers don't. No unwieldy, hand-typed chronologies. And critically, Jonas says, there is little reliance on gut feeling or intuition. "[Making] a list of people we have a hunch about, that's not always going to work," he said. Entity Resolution may be the technology that bridges that gap.
For years before Ames' arrest, it didn't occur to anyone to notice that his work patterns had changed. There were no algorithms that might have put together that he was drinking, had gone through a costly divorce, paid cash for his house, was driving a new car and arrived at the office early and left late. Those were things that Ames himself admitted should have tipped off authorities. It was only something they saw in hindsight.
"What the algorithm has zero insight into is, did that person change their pattern because maybe they had a baby and now they come in at different hours, or maybe they were sick so they've been doing a series of physical therapy in the morning," said Yael Eisenstat, a former CIA analyst who is now a visiting fellow at Cornell Tech. Eisenstat studies the effect of algorithms and technology on society. "There are so many actual human things that could make that abnormality in the pattern, the algorithm isn't going to know," she said.
Which is why algorithms still need humans to put two and two together, like Grimes did. In retrospect, her spidey-sense was more effective than any algorithm could be. Even much later she said that it was Ames' hubris that helped her figure out that he was their man. He thought he was smarter than everyone else and even gave Grimes and Vertefeuille advice on what the Playactor investigation should look for.
"He told me, 'You look at the good cases and you look at the bad cases and see what's different,' " Grimes said. She remembers thinking to herself at the time, "It's a good thing you think I'm so stupid. You know, he thought we were two dumb broads."
Two dumb broads who caught a spy.
Copyright 2020 NPR. To see more, visit https://www.npr.org.