Counterintelligence: Best Practices For Cleared Industry
• Social engineering, electronic elicitation, email spoofing, spear phishing, whale phishing, or direct questioning, such as through social networking sites
• Malicious codes or blended threats such as viruses, worms, trojans, logic bombs, malware, spyware, or browser hijackers, especially those used for clandestine data exfiltration
• Any credible anomaly, finding, observation, or indicator associated with other activity or behavior that may also be an indicator of terrorism or espionage
• Any cyber activity linked to the law enforcement or counterintelligence suspicious indicators provided by the FBI, DSS, Defense Intelligence Agency or by any other cyber centers

>> Suspicious Contacts
• Requests for information that make an individual suspicious, including questionable contacts or interaction

>> Suspicious Financial Activity
• Unexplained expensive purchases not reasonably supported by the individual’s income
• Sudden unexplained reversal of a negative financial situation or repayment of large debts

Increased awareness of the targeted information and methods of operation used by foreign entities is critical to improving our ability to identify and thwart collection attempts.

Timely and accurate reporting from cleared industry is the primary tool DSS uses to identify and mitigate collection efforts targeting information and technology resident in cleared industry.

Immediately report suspicious activities, behaviors, and contacts to your facility security officer.
Be Alert! Be Aware! Report suspicious activity to your local security official.
EXPLOITATION OF BUSINESS ACTIVITIES

What is Exploitation of Business Activities?

Attempts to establish a commercial relationship via joint ventures, partnerships, mergers and acquisitions, foreign military sales, or service providers.

Attempts to leverage an existing commercial relationship in order to obtain access to protected information, technology, or persons.

What are the Primary Methods of Exploitation?

• Personal contact
• Cultural commonality
• Foreign visits
• Foreign military sales
• Direct commercial sales
• Conferences, conventions, or tradeshows
• Cyber operations
• Email requests
• Business propositions and solicitations
• Academic solicitations
• Web form submissions
• Joint ventures
• Official agreements
• Social networking services

Who is Being Targeted?

Any company with cleared, that works in support of cleared facilities, or that works with sensitive, restricted, or classified information relating to the Department of Defense (DoD) or other U.S. Government agencies’ programs or systems.

Foreign collectors, or their agents, often target employees involved in business development, sales, marketing, information sharing, or other “professional collaborative efforts” in order to develop a relationship.

Once such an entity establishes a business relationship, they seek to take advantage of that relationship to contact other cleared employees working with targeted information and technology.

Why is it Effective?

Foreign entities exploit legitimate activities with defense-oriented companies to obtain access to otherwise denied information, programs, technology, or associated U.S. personnel. This method of operation relies on the appearance of legitimacy provided by the established commercial or business activity.

Conversely, U.S. company personnel, cleared or not, seeking to build positive relationships and gain future business with foreign partners, may unwittingly provide information beyond the scope of the business activity for which the relationship exists.

>> Five examples of how this exploitation can be effective are illustrated below:
• Foreign ownership of, or financial interest in, a U.S. company may provide access to intellectual property rights held by the U.S. company;
• Business activity may allow the foreign company access to information on the U.S. company’s network;
• Foreign-produced hardware and software sold to a cleared company may include design vulnerabilities that could provide foreign actors access to a company’s networks and information;
• Foreign collectors prey upon cleared employees’ eagerness to develop or expand commercial relationship to increase sales or revenues;
• A joint venture with a foreign company formed using the U.S. company’s name, allowing foreign employees to use the U.S. company’s name on business cards;
• Cleared employees not informed and educated on the business and security limits of the commercial agreement or the export control restriction of technology may commit a security violation by unwittingly providing information that should not be shared, based on the established relationship.

How Can You Recognize It?

A foreign partner (current or prospective), client, or owner attempting to leverage a business activity to obtain unauthorized access to classified information to compromise a cleared employee constitutes a suspicious contact, and is reportable by cleared companies to DSS under the terms of the NISPOM 1-302b.

DSS annually produces an informative publication, Targeting U.S. Technologies: A Trend Analysis of Cleared Industry Reporting. This document includes many examples of reporting trends and technological issues of interest from foreign perspectives, which lead to suspicious contacts.

>> These commercial and business relationships include:
• Misrepresenting themselves as a foreign representative for a U.S. company;
• Selling and installing hardware or software in cleared contractor or sensitive facilities or networks;
• Buying a substantial or majority interest in U.S. companies to gain intellectual property rights for technology, as well as to share data or appoint key management personnel in the acquired company.

Successful exploitation of business activity can have a catastrophic impact on national security and have adverse business ramifications for the targeted company and its subsidiaries.

It is vital that suspicious incidents are promptly and appropriately reported, including those involving foreign corporate partners or clients, to the company’s facility security officer and, when warranted, the DSS representative.
• Dealers offering short lead times for large orders of components
• Shipping containers show signs of tampering

Countermeasures

>> To mitigate tampering with components at the cleared facility during assembly and production:
• Ensure security protocols are in place and adhered to for access to the facility, assembly and production lines, and networks
• Establish and maintain an effective insider threat program
• Train workforce to identify and promptly report suspicious activities

>> To mitigate the threat of counterfeit components:
• Use available all-source intelligence analysis to inform the tailoring of acquisition strategies, tools, and methods
• Integrate acquisition offices with other offices including the information assurance and security offices
• Create incentives for suppliers who: implement required security safeguards, promote transparency into their organizational process and security practices, provide additional vetting of the processes and security practices of sub-suppliers, restrict purchases from specific suppliers, and provide contract language regarding the prohibition of uncompromised or counterfeit components
• Always use independent verification and validation for obsolete microelectronics and vet external testing houses;
• Consider lifetime buys for components to avoid purchasing grey market nonconforming parts.

Reporting

The introduction of counterfeit or malicious products or materials into the supply chain to gain unauthorized access to classified information, to alter data, disrupt operations, or to interrupt communications related to classified contracts or cleared constitutes a “suspicious contact,” and is reportable by cleared companies to DSS (NISPOM 1-302b).

>> Examples of reportable activity include:
• Devices that exhibit functionality that was outside the original design
• A device, or multiple devices from a lot, that exhibits a unique error or failure
• Inadvertent or deliberate attempts to break a trusted chain of custody
• Introduction of counterfeit components into a U.S. Government system during production
• Unauthorized personnel of any nationality accessing restricted areas of a cleared facility involved in the production of components for DoD systems
• Efforts by any individual, regardless of nationality, to compromise a cleared employee involved in manufacturing, assembling, or maintaining DoD systems

Successful exploitation of supply chain can have a catastrophic impact. It is vital that personnel promptly report suspected incidents to their facility security officer or DSS representative.
EXPLOITATION OF INSIDER ACCESS

What is an Insider Threat?

Insiders: Any person with authorized access to any government or contract resource to include personnel, facilities, information, equipment, networks or systems. This can include employees, former employees, consultants, and anyone with access.

Insider Threat: The threat that an insider will use his or her access, wittingly or unwittingly, to do harm to the security of the United States. This threat includes damage to the United States through espionage, terrorism, unauthorized disclosure of national security information, or the loss or degradation of government, company, contract or program information, resources, or capabilities.

Why is it Effective?

Insiders have arguably caused more damage to the security of the United States than foreign intelligence officers, and with today’s technological advances, they have the ability to cause more harm than ever before. What used to take years to collect now takes minutes because of the increased use of removable media.

Insiders are often aware of your company’s vulnerabilities and can exploit that knowledge to their benefit. Not every suspicious circumstance or behavior represents an insider threat, but every situation needs to be examined to determine potential risk.

An insider can have a negative impact on national security and industry resulting in:
• Loss or compromise of classified or controlled sensitive information
• Weapons systems cloned, destroyed, or countered
• Loss of technological superiority
• Economic loss
• Physical harm or loss of life

How can you Recognize it?

Detecting potentially malicious behavior among employees with access to classified or controlled sensitive information involves gathering information from many sources and analyzing that information for clues or behaviors of concern. In most cases, co-workers admit they noticed questionable activities but failed to report incidents because they did not recognize the pattern and did not want to get involved or cause problems for their co-workers.

A single indicator may say little; however, if taken together with other indicators, a pattern of behavior may be evident.

Ignoring questionable behaviors can only increase the potential damage the insider can have on national security or employee safety. While each insider threat may have different motivation, the indicators are generally consistent.

Potential Espionage Indicators

• Repeated security violations and a general disregard for security rules
• Failure to report overseas travel or contact with foreign nationals when required to do so
• Seeking to gain higher clearance or expand access outside the job scope without bona fide need for the access
• Engaging in classified conversations without a need to know
• Attempting to enter areas not granted access to
• Working hours inconsistent with job assignment or unusual insistence on working in private
• Accessing information not needed for job

Behavioral Indicators*

• Depression
• Stress in personal life
• Exploitable behavior traits:
-- Use of alcohol or drugs
-- Gambling
• Financial trouble
• Prior disciplinary issues
• Attempting to access classified information without authorization
• Obtaining access to sensitive information inconsistent with present duty requirements
• Questionable downloads
• Unauthorized use of removable media

>> Information Transmittal
• Using an unclassified medium to transmit classified materials
• Discussing classified materials on a non-secure telephone or in nonsecure emails or text messages
• Removing the classification markings from documents
• Unnecessary copying of classified material

Reporting

You are the first line of defense against insider threats. Help protect our national security by reporting any suspicious behavior that may be related to an insider threat.

Each employee has a responsibility to ensure the protection of classified and controlled sensitive information entrusted to them.

Be aware of potential issues and the actions of those around you and report suspicious behaviors and activities to your local security official.
You can be the target of a foreign intelligence or security service at any time and in any place; however, the risk is greater when you travel overseas. When overseas, foreign intelligence services have better access to you, and their actions are not restricted within their own country’s borders.

While traveling overseas, any information electronically transmitted over wires or airwaves is vulnerable to foreign intelligence services’ interception and exploitation. Suspicious entities can easily intercept voice, fax, cellular, data, and video signals.

Many countries have sophisticated eavesdropping/intercept technology and are capable of collecting information we want to protect, especially overseas. Numerous foreign intelligence services target telephone and fax transmissions.

Your diligence determines whether or not our sensitive information is protected from unauthorized disclosure.

Overseas travelers are most vulnerable during transit. Travelers should be wary of extensive questioning from airport security, luggage searches, and downloading of information from computers and personal electronic devices.

Travelers should maintain heightened awareness once they reach their destination. Many hotel rooms overseas are under surveillance. In countries with very active intelligence/security services, everything foreign travelers do (including inside their hotel room) may be monitored and recorded.

Entities can analyze their recorded observations for collecting information or exploiting personal vulnerabilities. This information is useful for future targeting and recruitment approaches.

Another favored tactic for industrial spies is to attend tradeshows and conferences. This environment allows them to ask questions, including questions that might seem more suspect in a different environment.

>> Collection Techniques Travelers Should Be Wary of:
• Bugged hotel rooms or airline cabins (including video surveillance)
• Intercepts of fax and email transmissions
• Recording of telephone calls or conversations
• Unauthorized access and downloading, including outright theft of hardware and software
• Installation of malicious software on computers or personal electronic devices
• Intrusions into or searches of hotel rooms, briefcases, luggage, etc.
• Recruitment or substitution of flight attendants
• Individuals appearing to try and eavesdrop on your conversations
• Individuals attempting to read your computer screen or documents over your shoulder

Countermeasures

• Leave unneeded electronic devices at home
• Use designated travel laptops that contain no sensitive or exploitable information
• Attend pre-travel security briefings
• Maintain control of sensitive information, media, and equipment. Pack them in your carry-on luggage and maintain control of them at all times. Do not leave them unattended in hotel rooms or stored in hotel safes
• Keep hotel room doors locked. Note how the room looks when you leave compared to when you return
• Use temporary email addresses not associated with your company
• Perform a comprehensive anti-virus scan on all electronic devices prior to departure and upon return
• Encrypt data, hard drives, and storage devices whenever possible
• Use complex passwords
• Enable login credentials on laptops and devices
• Do not publicize travel plans and limit sharing of this information to people who need to know
• Do not post pictures or mention you are on travel on social media until your return
• Limit sensitive discussions; public areas are rarely suitable for discussion of sensitive information
• Do not use computer or fax equipment at foreign hotels or business centers for sensitive matters
• Ignore or deflect intrusive or suspicious inquiries or conversations about professional or personal matters
• Keep unwanted sensitive material until it can be disposed of securely
• Attend post-travel debriefing and report any and all suspicious activity
• Information, technical specifications, and pictures of the systems displayed at booths
• Exploitable information about both cleared and uncleared employees
• Information about which cleared and uncleared employees have access to technologies of interest
• Personal information about cleared and uncleared individuals, including hobbies, family information, and interests. This information can be used to either exploit or build a relationship with the individual at a later date
• Personal or professional information that can be used as a pretext for ongoing or future contact

Conferences, conventions, or tradeshows host a wide array of presenters, vendors, and attendees, which provide a permissive environment for traditional and non-traditional collectors to question vendors, develop business/social relationships, access actual or mockups of targeted technology, interact with subject matter experts. Foreign intelligence officers use these occasions to spot and assess individuals for potential recruitment. They frequently use charm and/or potential business incentives to attempt to soften their target.
One aspect of this method of contact is foreign travel related to the event. During travel, attendees are subject to search and seizure of documents and electronic devices by host or transit nation security personnel, as well as surveillance at the venue, while socializing, and while resident in their hotels.

How can you Recognize it?

At the conferences, conventions, or tradeshows you may witness:
• Attempts to steal actual or mockups of technologies on display
• Attempts to access your electronic devices – laptop, smartphones, etc
• Photography of displays, especially when photography is explicitly prohibited
• Requesting information from you beyond the scope of the conference
• Individual requesting same information from different personnel at your booth

Traditional intelligence officers will apply elicitation techniques to subtly extract information about you, your work, or your colleagues. You may experience the following elicitation techniques while attending conferences, conventions, and tradeshows:
• Detailed and probing questions about specific technology
• Overt questions about sensitive or classified information
• Casual questions directed at individual employees regarding personal information that collectors can use to target them later
• Prompting employees to discuss their duties, access, or clearance level

• Attend security briefings and de-briefings
• Create a plan to protect any classified or controlled sensitive technology or information brought overseas and consider whether equipment or software can be adequately protected
• Request a threat assessment from the program office and your local DSS representative prior to traveling to a conference, convention, or tradeshow
• Do not publicize travel plans; limit sharing of this information to people who need to know
• Maintain control of classified or sensitive information and equipment
• Immediately report suspicious activity to the appropriate authorities at the event and your facility security officer
• Do not post pictures or mention you are on travel on social media
• Retain unwanted sensitive material pending proper disposal
• Do not use foreign computers or fax machines, and limit sensitive discussions
What to Report

• Offers to you to act as a foreign sales agent
• Attempts to steer conversations toward your job duties or access to sensitive information or technology
• Insistent questioning outside the scope of what you’re cleared to discuss in an unclassified environment
• Taking excessive photographs, especially in areas that prohibit photography
• Individuals returning to the same booth multiple times in an attempt to speak with different cleared employees working the booth
• Strangers trying to establish personal relationships outside work parameters
• Unusual or suspicious attempts at ongoing contact, including sending a follow-up email upon your return to the office
• Multiple individuals simultaneously asking questions, attempting to get you to reveal more than you should
• Theft of or missing items from your booth/display

Immediately notify your facility security officer if you observe any of the above behaviors or believe you were targeted by an individual attempting to obtain illegal or unauthorized access to classified information.
COUNTERINTELLIGENCE
www.dss.mil
National Counterintelligence
and Security Center
https://www.dni.gov/index.php/ncsc-home