Technical tradecraft didn't pass muster: the CIA's spy network in China was rolled up and has gone underground

It was considered one of the CIA’s worst failures in decades: Over a two-year period starting in late 2010, Chinese authorities systematically dismantled the agency’s network of agents across the country, executing dozens of suspected U.S. spies. But since then, a question has loomed over the entire debacle.

Between 2010 and 2012, many of the CIA's spies in China were caught and killed.

How were the Chinese able to roll up the network?

How did the Chinese dig them out?

Now, nearly eight years later, it appears that the agency botched the communication system it used to interact with its sources, according to five current and former intelligence officials. The CIA had imported the system from its Middle East operations, where the online environment was considerably less hazardous, and apparently underestimated China’s ability to penetrate it.

The key was the communications network the spies used to stay in contact. The CIA simply transplanted its Middle East setup to China, clearly underestimating China's counterintelligence capability.

“The attitude was that we’ve got this, we’re untouchable,” said one of the officials who, like the others, declined to be named discussing sensitive information. The former official described the attitude of those in the agency who worked on China at the time as “invincible.”

The Americans thought they were hot shit at the time.

Other factors played a role as well, including China’s alleged recruitment of former CIA officer Jerry Chun Shing Lee around the same time. Federal prosecutors indicted Lee earlier this year in connection with the affair.

One reason the U.S. intelligence network was breached was that former CIA officer Jerry Chun Shing Lee, a Chinese-American, passed information to China.

But the penetration of the communication system seems to account for the speed and accuracy with which Chinese authorities moved against the CIA’s China-based assets.

But the more important factor was that the communications network was cracked, which is why China's counterespionage operations hit the mark every single time.

“You could tell the Chinese weren’t guessing. The Ministry of State Security [which handles both foreign intelligence and domestic security] were always pulling in the right people,” one of the officials said.

“When things started going bad, they went bad fast.”

The Americans realized the Chinese weren't guessing; every strike was aimed precisely.

The former officials also said the real number of CIA assets and those in their orbit executed by China during the two-year period was around 30, though some sources spoke of higher figures. The New York Times, which first reported the story last year, put the number at “more than a dozen.” All the CIA assets detained by Chinese intelligence around this time were eventually killed, the former officials said.

CIA insiders say China executed 30 U.S. spies at the time, with some accounts giving higher figures. In any case, every spy who was caught was executed.

The CIA, FBI, and National Security Agency declined to comment for this story. The Chinese Embassy in Washington did not respond to requests for comment.

Neither the Chinese nor the U.S. government was willing to comment on the matter.

At first, U.S. intelligence officials were “shellshocked,” said one former official. Eventually, rescue operations were mounted, and several sources managed to make their way out of China.

But the affair shook the U.S. intelligence agencies badly. The U.S. wanted to rescue its people, and later did get some of its spies out of the country.

One of the former officials said the last CIA case officer to have meetings with sources in China distributed large sums of cash to the agents who remained behind, hoping the money would help them flee.

The U.S. handed large sums of money to the spies left behind and let them find their own way out.

When the intelligence breach became known, the CIA formed a special task force along with the FBI to figure out what went wrong. During the investigation, the task force identified three potential causes of the failure, the former officials said: A possible agent had provided Chinese authorities with information about the CIA asset network, some of the CIA’s spy work had been sloppy and might have been detected by Chinese authorities, and the communications system had been compromised. The investigators concluded that a “confluence and combination of events” had wiped out the spy network, according to one of the former officials.

The CIA set up a task force to investigate and listed three possibilities: ① some agent confessed to China and exposed the network; ② the spy work was sloppy and gave things away; ③ the communications system between the spies was breached. The task force concluded that several of these factors were at work, and together they wiped out the network in one sweep.

Eventually, U.S. counterintelligence officials identified Lee, the former CIA officer who had worked extensively in Beijing, as China’s likely informant. Court documents suggest Lee was in contact with his handlers at the Ministry of State Security through at least 2011.

The U.S. traced it to Jerry Chun Shing Lee.

Chinese authorities paid Lee hundreds of thousands of dollars for his efforts, according to the documents. He was indicted in May of this year on a charge of conspiracy to commit espionage.

Lee was sentenced by the U.S. for conspiracy to commit espionage.

But Lee’s alleged betrayal alone could not explain all the damage that occurred in China during 2011 and 2012, the former officials said. Information about sources is so highly compartmentalized that Lee would not have known their identities. That fact and others reinforced the theory that China had managed to eavesdrop on the communications between agents and their CIA handlers.

But Lee alone can't explain the U.S. network being rolled up. Because information on sources is compartmentalized among different people, Lee couldn't have known the identities of all the spies, so the U.S. suspected China had monitored the contacts between the spies and their CIA officers.

When CIA officers begin working with a new source, they often use an interim covert communications system—in case the person turns out to be a double agent.

In fact, for safety the CIA has two communications systems: one reserved for newly recruited spies, in case they turn out to be double agents, and a main system for trusted spies.

The communications system used in China during this period was internet-based and accessible from laptop or desktop computers, two of the former officials said.

The system was internet-based.

This interim, or “throwaway,” system, an encrypted digital program, allows for remote communication between an intelligence officer and a source, but it is also separated from the main communications system used with vetted sources, reducing the risk if an asset goes bad.

In short, the two systems are kept separate to protect the core agents as much as possible.

Although they used some of the same coding, the interim system and the main covert communication platform used in China at this time were supposed to be clearly separated. In theory, if the interim system were discovered or turned over to Chinese intelligence, people using the main system would still be protected—and there would be no way to trace the communication back to the CIA. But the CIA’s interim system contained a technical error: It connected back architecturally to the CIA’s main covert communications platform. When the compromise was suspected, the FBI and NSA both ran “penetration tests” to determine the security of the interim system. They found that cyber experts with access to the interim system could also access the broader covert communications system the agency was using to interact with its vetted sources, according to the former officials.

The main and backup systems shared the same code in places. In theory, even if the backup system were cracked, China's counterespionage apparatus shouldn't have been able to trace it to the main system. But the backup system actually had a technical flaw: architecturally, it could be traced back to the main system. The Americans broke into it themselves and found that cracking the backup system was enough to crack the main one.

In the words of one of the former officials, the CIA had “fucked up the firewall” between the two systems.

In short, the two systems shouldn't have been linked, but in fact they were, and the link was followed like a vine back to its root.

U.S. intelligence officers were also able to identify digital links between the covert communications system and the U.S. government itself, according to one former official—links the Chinese agencies almost certainly found as well. These digital links would have made it relatively easy for China to deduce that the covert communications system was being used by the CIA. In fact, some of these links pointed back to parts of the CIA’s own website, according to the former official.

Worse, the communications system could be identified as connected to the U.S. government; there were even links leading straight to the CIA's website. That left evidence of espionage, and China could infer that the system was being used by the CIA.
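The two defects the article describes are both things a deployment review can catch before a system goes live: the "throwaway" platform pointing back into the main platform, and either platform carrying references (or byte-identical code) that tie it to its sponsor. The following is an added example written for this page, not code from the article or from any agency; it is a small compartmentalization linter that scans a site's deployable files for outbound hostnames and for files shared verbatim with the main deployment. All hostnames, file names and file contents are constructed placeholders.

```python
"""
Compartmentalization linter (added example; all names and data are constructed).

Checks a "throwaway" web deployment for two kinds of leaks:
  1. references to the main platform or to sponsor-attributable domains;
  2. files that are byte-identical to files in the main platform, which let an
     observer fingerprint the two sites as siblings.
"""
import hashlib
import re
from urllib.parse import urlparse

# Absolute (http/https) and protocol-relative (//host/...) URLs in HTML, JS or config text.
# Note: a JS line comment directly followed by text ("//foo") would also match; keep
# that in mind when reading findings.
URL_RE = re.compile(r"""(?:https?:)?//[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s'"<>)]*)?""")

# Placeholder domains (assumed): hosts of the main platform, and domains that reveal the sponsor.
MAIN_HOSTS = {"main-platform.example"}
ATTRIBUTION_DOMAINS = {"agency.example.gov"}


def extract_hosts(text):
    """Return the set of lowercase hostnames referenced by URLs in `text`."""
    hosts = set()
    for match in URL_RE.finditer(text):
        url = match.group(0)
        if url.startswith("//"):          # protocol-relative: give urlparse a scheme
            url = "https:" + url
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def matches_domain(host, domains):
    """True if `host` is one of `domains` or a subdomain of one (no substring matches)."""
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_references(artifacts, main_hosts, attribution_domains):
    """Flag every outbound reference that breaks compartmentalization.

    `artifacts` maps file name -> text content. Returns sorted (file, host, reason)."""
    findings = []
    for name, text in artifacts.items():
        for host in extract_hosts(text):
            if matches_domain(host, main_hosts):
                findings.append((name, host, "references main platform"))
            elif matches_domain(host, attribution_domains):
                findings.append((name, host, "reveals sponsor attribution"))
    return sorted(findings)


def shared_assets(interim, main):
    """Return sorted (interim_file, main_file) pairs whose contents are byte-identical."""
    digest = lambda text: hashlib.sha256(text.encode()).hexdigest()
    main_by_hash = {}
    for name, text in main.items():
        main_by_hash.setdefault(digest(text), []).append(name)
    pairs = []
    for name, text in interim.items():
        for other in main_by_hash.get(digest(text), []):
            pairs.append((name, other))
    return sorted(pairs)


# Constructed sample deployments. The shared helper is deliberately identical in both.
SHARED_HELPER = "function kdf(p){ /* shared helper */ return p; }\n"
INTERIM_SITE = {
    "index.html": '<script src="//cdn.interim-cover.example/app.js"></script>'
                  '<a href="https://login.main-platform.example/auth">sign in</a>',
    "app.js": 'var endpoint = "https://api.interim-cover.example/v1";',
    "footer.html": '<img src="https://www.agency.example.gov/images/seal.png">',
    "lib/crypto.js": SHARED_HELPER,
}
MAIN_SITE = {
    "home.html": '<a href="https://main-platform.example/">home</a>',
    "lib/crypto.js": SHARED_HELPER,
}

if __name__ == "__main__":
    for finding in scan_references(INTERIM_SITE, MAIN_HOSTS, ATTRIBUTION_DOMAINS):
        print("REFERENCE:", *finding)
    for pair in shared_assets(INTERIM_SITE, MAIN_SITE):
        print("SHARED FILE:", *pair)
```

On the constructed sample the linter reports the login link into the main platform, the seal image fetched from the sponsor's domain, and the helper file that both sites ship unchanged. Suffix matching on hostnames (rather than substring matching) keeps `notmain-platform.example` from triggering a false positive while still catching any subdomain of a listed host.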

The covert communications system used in China was first employed by U.S. security forces in war zones in the Middle East, where the security challenges and tactical objectives are different, the sources said. “It migrated to countries with sophisticated counterintelligence operations, like China,” one of the officials said.

The system was originally built for CIA spies in the Middle East, where there is no counterintelligence apparatus as developed as China's.

The system was not designed to withstand the scrutiny of a place like China, where the CIA faced a highly sophisticated intelligence service and a completely different online environment.

So the system couldn't stand up to surveillance in China's online environment.

As part of China’s Great Firewall, internet traffic there is watched closely, and unusual patterns are flagged. Even in 2010, online anonymity of any kind was proving increasingly difficult.

China's control of the internet, its screening for suspicious behavior and its real-name registration all made it very hard for U.S. spies to operate online.

Once Chinese intelligence obtained access to the interim communications system, penetrating the main system would have been relatively straightforward, according to the former intelligence officials. The window between the two systems may have only been open for a few months before the gap was closed, but the Chinese broke in during this period of vulnerability.

Typically there is a window of a few months between the two systems, during which users of the backup system are upgraded to the more covert main system. But China's counterespionage apparatus seized that window, started from the backup system and followed the vine to the main system.

Precisely how the system was breached remains unclear. The Ministry of State Security might have run a double agent who was given the communication platform by his CIA handler. Another possibility is that Chinese authorities identified a U.S. agent—perhaps through information provided by Lee—and seized that person’s computer. Alternatively, authorities might have identified the system through a pattern analysis of suspicious online activities.

Exactly how it was done is hard to say. Maybe a CIA agent was caught and confessed, giving up some of the personnel; maybe a spy's personal computer was seized; or maybe the system was found by screening for suspicious online activity.

China was so determined to crack the system that it had set up a special task force composed of members of the Ministry of State Security and the Chinese military’s signals directorate (roughly equivalent to the NSA), one former official said.

The Americans believe the Ministry of State Security and the PLA General Staff's Third Department joined forces to take down the CIA's intelligence network.

Once one person was identified as a CIA asset, Chinese intelligence could then track the agent’s meetings with handlers and unravel the entire network. (Some CIA assets whose identities became known to the Ministry of State Security were not active users of the communications system, the sources said.)

Play the long game: once a suspect is found, don't arrest him right away; let him go to his meetings, then round everyone up. This method caught hidden spies who never used the communications network at all.

One of the former officials said the agency had “strong indications” that China shared its findings with Russia, where some CIA assets were using a similar covert communications system. Around the time the CIA’s source network in China was being eviscerated, multiple sources in Russia suddenly severed their relationship with their CIA handlers, according to an NBC News report that aired in January—and confirmed by this former official.

The Americans believe China and Russia share intelligence: after the spies in China were caught, many spies in Russia cut off contact with the CIA.

The failure of the communications system has reignited a debate within the intelligence community about the merits of older, lower-tech methods for covert interactions with sources, according to the former officials.

The Americans began to reflect that online technology is sometimes less reliable than meeting in person.

There is an inherent paradox to covert communications systems, one of the former officials said: The easier a system is to use, the less secure it is.

The more convenient a system, the less secure it is.

The former officials said CIA officers operating in China since the debacle had reverted to older methods of communication, including interacting surreptitiously in person with sources. Such methods can be time-consuming and carry their own risks.

So CIA officers in China began shifting back to traditional underground work: the old-school challenge-and-response kind of meeting, "The heavenly king subdues the earth tiger" / "The pagoda suppresses the river demon" (the famous exchange from Tracks in the Snowy Forest).

The disaster in China has led some officials to conclude that internet-based systems, even ones that employ sophisticated encryption, can never be counted on to shield assets.

Even networked systems with sophisticated encryption get broken sometimes; you can't rely entirely on the network to protect an agent's identity.

“Will a system always stay encrypted, given the advances in technology? You’re supposed to protect people forever,” one of the former officials said.

As technology advances, encryption and decryption are a never-ending arms race.
