Reporting "Anomalies"

The term "anomalies" as used here refers to unexpected foreign knowledge of U.S. national security information.

Actions by foreign individuals or governments sometimes provide a tip-off that classified or otherwise sensitive information has been compromised. Such tip-offs provide valuable counterintelligence clues. If properly reported and investigated, they may lead to identification and neutralization of a foreign intelligence operation. 

For example, a Greek official accidentally revealed his knowledge of information that could only have come from a secret communication between the State Department and the U.S. Embassy in Athens. Investigation of this incident led to the arrest of Steven Lalas. Lalas, a communications officer at the U.S. Embassy in Athens, was working for Greek intelligence.

The arrest of numerous CIA agents in the Soviet Union within a short period of time triggered a long investigation that eventually led to the arrest of CIA officer Aldrich Ames. The Soviet navy’s seeming foreknowledge of where U.S. ships were going was much later found to be attributable to the John Walker spy ring. Unexpected Soviet countermeasures blocked U.S. intelligence ability to exploit certain Soviet communications vulnerabilities. This was, much later, traced to the espionage of Ronald Pelton.

A National Security Council memorandum dated August 12, 1996, subject: Early Detection of Espionage and Other Intelligence Activities Through Identification and Referral of Anomalies, requires that such tip-offs or "anomalies" be reported to appropriate counterintelligence authorities. An anomaly is defined as "foreign power activity or knowledge, inconsistent with the expected norm, that suggests foreign knowledge of U.S. national security information, processes or capabilities." 

In other words, whenever a foreign country appears to have protected information that it shouldn’t have, this must be reported and investigated to determine the foreign country’s source.

Here is a list of some of circumstances that, if detected, must be promptly reported to your security or counterintelligence office.1

  • The appearance of classified or proprietary design features of U.S. weapon, delivery, or communication systems in comparable systems produced by foreign defense industry or deployed by foreign military units.
  • Foreknowledge of U.S. diplomatic positions, negotiating strategies, and strategic military contingencies by foreign representatives that becomes apparent in interpersonal or formal international discussions or negotiations.
  • Inquiry by a foreign commercial, military, or diplomatic representative in personal conversation about specific projects, new technologies, or sensitive programs by name, indicating prior knowledge of classified or sensitive information from other sources.
  • Information from classified or sensitive U.S. sources which begins to appear in foreign public media or governmental or industry publications.
  • The discovery, following military action, of enemy weapons, sensing equipment, or targeting devices left in the field which incorporate U.S. technology which had been controlled by export restrictions.
  • Advanced knowledge by a foreign government about the movement or positioning of U.S. naval forces during exercises or combat, demonstrated by the positioning of their ships or observers.
  • The sudden inability of a U.S. intelligence collection activity to continue exploiting a vulnerability of a target organization or military force.
  • The unexpected concealment or camouflaging of normally exposed military equipment or weapons at times scheduled or targeted for surveillance by U.S. intelligence systems.
  • The unexpected disappearance or neutralization of U.S. human intelligence sources and, as a consequence, the loss of valuable information provided by these sources.

1. Indicators of compromise are from Lynn Fischer, "Looking for the Unexpected," Security Awareness Bulletin, 3-96, 1996. Richmond, VA: DoD Security Institute.



The Chroma Group, Ltd.