Nation States' Espionage and Counterespionage

An overview of the 2007 Global Economic Espionage Landscape

  • "Business Alliance"—focused efforts involving U.S. government contractors who have U.S. government security clearances in the provision of counterintelligence awareness and sharing of "actionable intelligence" that will increase the ability of the contractor to better protect their own intellectual property.
  • "Academic Alliance"—this portion of the program has two distinct components:
      • "National Security Higher Education Advisory Board"—presidents and chancellors from public and private research institutions constitute the board, which meets with regularity and provides a forum for FBI leadership and academia to discuss national security issues.
      • "The College and University Security Effort"—The Special Agent in Charge (SAC) of the regional FBI office engages the heads of local colleges and universities for national security discussions, to include threats the institutions may be facing. In addition, the program provides counterintelligence protection via explanation of how foreign services may wish to steal the college or university's intellectual property.
  • "Counterintelligence Working Groups"—this effort is divided into two working groups:
      • National Counterintelligence Working Group, designed "to establish strategic interagency partnerships at the senior executive level among the United States Intelligence Community (USIC), academia, industry, and defense contractors."
      • Regional Counterintelligence Working Group, a government-only group. "U.S. government counterintelligence entities that meet and discuss counterintelligence strategies, initiatives, operations, and best practices pertaining to the counterintelligence mission."
  • Research and Technology Protection Special Interest Group—the follow-on to the previously sponsored and supported "Infragard" (Infrastructure Guard), an alliance between the FBI and the public dedicated to preventing physical and electronic attacks against our nation's critical infrastructure.

Interestingly, Mahlik's comments and the focus of the various parts of the Domain program seem to advocate that companies shoulder their own counterintelligence needs, with respect to protecting themselves from the nation-state threat, albeit with the expectation that the enterprises have a counterintelligence function as an integral part of their asset protection strategy and are ready and willing to work with the FBI to protect these assets. Mahlik noted that the means by which intellectual property exits enterprises has evolved. "This isn't about traditional spies anymore; the engineer, student, or business partner are the threat now, and these people are being given increased access to corporate secrets, intellectual property and pre-patent research information at universities," Mahlik said. "These types of people are being actively used to exfiltrate key pieces of information back to their homelands, as there is always a race to establish a competitive advantage."

Couple the messages coming from the FBI, the DOJ and the U.S.'s national counterintelligence executive, and the message is consistent: The threat is an insider threat, i.e. from an individual allowed inside the environment being protected by technology, policy and procedures.

As said above, the FBI went so far as to place an advertisement in various Chinese language dailies, soliciting volunteers with information about Chinese interest in U.S. firms, and especially those who may have information about the activities of the Ministry of State Security. Brazen and unprecedented, but perhaps quite effective, although we'll never know just how successful. One can only assume the noise factor of MSS activities in the U.S. had reached such a level that the leadership of the FBI had decided that the political fallout of their advertisement far outweighed the potential positive results of their efforts—the verification and identification of Chinese espionage activity in the U.S. against public and private entities. The FBI should be commended for being proactive.

One doesn't need a dowsing stick to divine from where the nation-state threat originates or exists. Corporations everywhere have arrived at the correct conclusion: They are potentially up to their hips in deep water with respect to protecting their intellectual property from a number of interested nation-states.

As evidenced by the aforementioned examples, the protection of corporate technologies and intellectual property has become a global phenomenon, the need for which shows no signs of abating. It is clear, however, that two countries lead the list of those most invested in the illicit acquisition of advanced technologies from companies, research institutes and enterprises, both to advance their own economies and to provide data points for their own national security strategies: China and Russia.

The cacophony of complaints and call-outs both from the countries that are discovering the handiwork of others, as well as their own self-described interest in the activity, are both clear and concise. If you do business with or in either of these countries, be aware.

The U.S. National Counterintelligence Executive Joel Brenner offered his opinion on what he called "acquisition risk" in his October 24, 2007, speech to the National Reconnaissance Office/National Military Intelligence Association Counterintelligence Symposium on strategic counterintelligence issues of the 21st century. The topic of acquisition risk and especially product manipulation, according to Brenner, is one of significant and strategic counterintelligence import to the U.S. government but clearly applicable to all governments and corporations. "What are we buying?" he said. "What does 'Made in USA' mean when components come from overseas and the software in the electronics may have been written by God-only-knows-whom? Unknown or sketchy provenance raises the risk that a foreign government or organization could program vulnerabilities into our most sensitive information systems."

Brenner is right with respect to the importance of acquisition risk. And governments, which are defending against the nation-state counterintelligence problem, must assign adequate resources to address this threat. But often the question arises: Whose problem is this, really? If governments do not partner with industry in providing detailed threat data, how are industries expected to know of the threat and take appropriate steps to address it in a secure and economical manner? And these threats are not limited to the national security scenario; they are also used for competitive advantage and/or economic superiority.

It would not surprise anyone with a profit/loss perspective that if the cost to mitigate against unknown threats exceeds the value the government is willing to pay for this mitigation, then governments will find themselves without adequate protection, as they attempt to get by on the cheap with a low-bid vs. most-secure mentality and methodology. But what is the corporation to do?

To his credit, Brenner admitted, "We in government can do a better job of helping [business] handle cyber vulnerabilities through a better warning system. Specifically, our rules for what we can tell you (our 'cooperation model,' if I may put it that way) is a function of our classification model. That is, if you're doing classified work, we can and may provide you with information about actual or potential attacks on your system that we cannot provide if you're not working on a classified contract."

It begs the question: What about the majority of U.S. businesses not involved in government work and, therefore, without access to the "classified U.S. government briefings?" Perhaps the FBI's Domain program will be the avenue by which individual U.S. companies will be provided the necessary data points to protect themselves from the nation-state's nefarious efforts. But the FBI Domain program is U.S.-centric and does not appear to be modeled in other countries. What is the multinational corporation to do? When will other nations follow the FBI's lead?

It is not enough to say to companies, "This nation or that nation is a threat to you," and "Yes, you should tighten up your intellectual property security." Nor is it sufficient to warn that the insider is a threat, especially from those who are foreign nationals. How ludicrous is this advice? What multinational company does not have a mix of nationalities?

Perhaps more appropriately, governments issuing the warnings can find a means to step forward and identify the modus operandi of the offending nations. Then and only then will companies be in a position to recognize the "tells" of the threatening nation and perhaps succeed in protecting themselves. If this should occur in 2008, perhaps we won't have such a robust list of economic espionage events to talk about at the end of the year.

Copyright © 2008 IDG Communications, Inc.
