
Moscow Rules for CISOs

  • October 30, 2015

During the Cold War, CIA operatives considered Moscow to be the agency’s most difficult and hazardous assignment – “Wimbledon, center court,” according to former CIA member Jonna Mendez. “It’s the place where reputations were made, and was also the most dangerous.” The rules developed in that harsh environment contain wisdom that today’s Chief Information Security Officers in large organisations, who face unprecedented threats, can adopt. Here for reference is a full list of The Moscow Rules.

The security game has changed


In Moscow, a mistake did not simply result in a spy being declared a “persona non grata” and tossed out of the country – the usual penalty for spies caught in the act, Mendez said. A mistake could get you killed.

To handle the threat, over the years the CIA’s most seasoned Moscow hands developed informal “rules of engagement” to pass down to fledgling spies.

Known as the “Moscow Rules,” the 40 or so guidelines covered everything from saturation surveillance to the proper way to walk on the sidewalk. A surprising number of the rules simply emphasize the need for spies to trust their instincts. They were never officially published and have existed in various guises, often referred to in films and books on the subject of espionage. The rules exist as urban legend, yet undoubtedly they had a basis in the reality of Cold War spycraft.

Although the rules were developed to counter the Soviet Union’s now-defunct KGB, they remain “universal truths”: every bit as applicable to the “denied areas” of today’s war on terrorism as they were to the heart of communism, Mendez said.

We think some of these rules can be thought-provoking for Chief Information Security Officers, who spearhead their organisations’ efforts against cyber criminality. CISOs once operated on domestic missions, protecting internal assets. Now the security paradigm has shifted: their perimeter has almost no boundaries and the ‘enemy’ is frequently within. Some of the Moscow Rules could help maintain effective security in these unusual circumstances.

Here is a list of all the rules we have seen written down, which we’ve organised into four sections.

Sharpen your Instincts

1. Rely on face-to-face meetings

2. Assume nothing

3. Never go against your gut; it is your operational antenna

4. Technology will always let you down

5. Murphy is right

6. Any operation can be aborted. If it feels wrong, it is wrong

7. Once is an accident. Twice is coincidence. Three times is an enemy action

8. If your gut says to act, overwhelm their senses

Planning around opposition

9. Pick the time and place for action

10. Build in opportunity, but use it sparingly

11. Everyone is potentially under opposition control

12. There is no limit to a human being’s ability to rationalize the truth

13. Keep your options open

14. Use misdirection, illusion and deception

15. Hide small operative motions in larger non-threatening motions

16. Float like a butterfly, sting like a bee

Limiting your vulnerability

17. Always be in a private setting when handing over items of value

18. Whenever carrying items of value (e.g. microfilm), carry them camouflaged for immediate discard

19. Don’t harass the opposition

20. Be non-threatening: keep them relaxed; mesmerize!

21. Keep any asset separated from you by time and distance until it is time

Working under observation

22. Maintain a natural pace

23. Stay consistent over time

24. Vary your pattern and stay within your profile

25. Establish a distinctive and dynamic profile and pattern

26. Make sure they can anticipate your destination

27. Go with the flow; use the terrain

28. Take the natural break of traffic

29. Lull them into a sense of complacency

30. Let them believe they lost you; act innocent.

31. Avoid static lookouts; stay away from chokepoints where they can reacquire you

32. Use of sign and counter-sign to signal (pins, chalk) that surroundings have been reconnoitred and coast is clear to proceed to rendezvous

33. Use of dead letter drops, and other “tradecraft”

34. Never travel directly to a rendezvous; never take a single taxi to the destination

35. Select a meeting site so you can overlook the scene

36. Execute a surveillance detection run designed to draw them out over time

37. If the asset has surveillance, then the operation has gone bad

38. Only approach the site when you are sure it is clean

39. Be aware of surveillance’s time tolerance so they aren’t forced to raise an alert

40. If an alert is issued, they must pay a price and so must you

41. Don’t look back – you are never completely alone

42. When free, in Obscura, immediately change direction and leave the area

43. Break your trail and blend into the local scene

44. After the meeting or act is done, “close the loop” at a logical cover destination

The wisdom extracted from these rules was part of a conference speech, first delivered in Hong Kong, November 2015. If you are interested to know more, please get in touch via the Contact Form.