Counterintelligence Awareness

We may think it only happens in movies, but espionage is a very real threat. Spies are out there, they are targeting our nation’s most valuable information and technology, and they are more active than ever before.
 
The truth is that U.S. information and technologies are targeted every day. Advancements in technology have only made the modern day spy’s job easier.
 
Our position as the dominant political, economic, and military force in the world means that every country, friendly or not, wants to know our secret sauce and they will do whatever it takes to get it.
 
Every one of us plays a role in protecting our country and we must be vigilant.
 
What is Counterintelligence?
Counterintelligence is information gathered, and activities conducted to identify, deceive, exploit, disrupt, or protect against espionage, other intelligence activities, sabotage, or assassinations conducted for or on behalf of foreign powers, organizations, or persons, or their agents, or international terrorist organizations or activities.
 
The goal of counterintelligence is to:

• Protect U.S. sensitive, controlled unclassified, and classified information and technology
• Protect our nation's critical assets: our people, advanced technologies, and protected information in the defense, intelligence, economic, financial, public health, and science and technology sectors.
• Counter the activities of foreign spies.
• Keep weapons of mass destruction from falling into the wrong hands.

 
The U.S. technological lead, competitive edge, and strategic military advantage are at risk. If not protected, our national security interests could be compromised. Countering this threat requires knowledge of the threat and diligence on the part of all personnel charged with protecting information.
 
Are You a Potential Target?
In short, anyone that has, or could have, access to targeted information, knowledge of information systems, or security procedures, is a potential target to foreign intelligence services.
 
As individuals working in the U.S. government space, we are all part of the process and, as such, we are all targets. This includes, but is not limited to:

• Developers that research and develop leading technologies
• Technicians that operate, test, maintain, or repair targeted technologies
• Supply Chain Personnel that source and purchase components integrated with deliverable defense products or technology
• Information Systems Personnel that have access to cleared facility networks and knowledge of network security protocols
• Business Development Personnel that support marketing and sales for both domestic and foreign markets
• Human Resources (HR) and Recruiting Personnel that have access to sensitive information, serve as public company contacts, and may be initial screeners of prospective and current employees
• Foreign Access Points, such as foreign travelers, personnel hosting or escorting foreign visitors, and personnel with foreign contacts
• Senior Managers, such as company owners, leadership, managers, especially those listed on open source web content and business records
• Subject Matter Experts (SMEs), especially those involved with targeted technology publishing in technical journals, participating in professional associations and/or academia, and patent owners
• Administrative Staff that may have access to leadership calendars, contact lists, and company proprietary information
• Janitorial, Maintenance, and Support Staff that may have access to personnel, information, and technology
• Anyone that has access to national defense information

 
MCMO (Methods of Contact and Methods of Operation)
Those seeking to steal protected data and technology use a variety of collection methods to further their agenda. It is important to understand that protected information includes both Controlled Unclassified (CUI) and Classified information, as both are of interest to foreign entities and must be protected.
 
Common collection methods include, but may not be limited to:
 
Requests for Information (RFI) and Solicitations: Attempts to collect protected information, directly or indirectly, by asking, petitioning, requesting, or eliciting protected information, technology, or persons.
 
Exploitation of Relationships: Attempts to leverage personal or authorized relationships to gain access to protected information.
 
Attempted Acquisition of Technology: Attempts to acquire controlled information or technology through direct contact, front companies, or intermediaries. Of particular interest are equipment, diagrams, schematics, plans, or product spec sheets, etc.
 
Exploitation of Business Activities: Attempts to establish or leverage relationships to obtain access to protected information and/or technology. Most commonly through joint ventures, partnerships, mergers and acquisitions, foreign military sales, service providers.
 
Exploitation of Cyber Operations: Attempts to conduct actions that could compromise or risk confidentiality, integrity, or availability of targeted networks, applications, credentials, or data to obtain access to, manipulate, or exfiltrate protected information, technology, or personnel information.
 
Exploitation of Experts: Attempts to obtain access to protected information, technology, or people through requests for peer or scientific review of academic papers, presentations, requests to consult with faculty members or subject matter experts, invites to participate in foreign conferences, lectures, tradeshows, requests to collaborate with foreign academic institutions, or attempts to entice subject matter experts to travel abroad or consult for foreign entities.
 
Exploitation of Insider Access: Attempts by trusted insiders to exploit their authorized placement or access or to cause other harm to compromise protected information, technology, or persons.
 
Exploitation of Security Protocols: Attempts by visitors or unauthorized people to circumvent or disregard security procedures, or behaviors by cleared or otherwise authorized individuals that may indicate a risk to protected information, technology, or people.
 
Exploitation of Supply Chain: Any activities intended to compromise supply chains. May include introduction of counterfeit or malicious products or materials to gain unauthorized access to protected data, alter data, disrupt operations, or interrupt communications.
 
Resume Submission: Applications and/or submission of resumes by foreign individuals seeking academic or professional placement that could facilitate access to protected information, whether by need or proximity.
 
Search and Seizure: Temporarily accessing, taking, or permanently dispossessing an individual of property or restricting freedom of movement via tampering or physical searches of persons, environs, or property.
 
Surveillance: Observation of equipment, facilities, sites, or personnel associated with classified contracts to identify vulnerabilities and/or collect information, through visual, aural, electronic, photographic, or other means
 
Theft: Attempts to acquire protected information with no pretense or plausibility of legitimate acquisition.
 
Common methods of contact include, by may not be limited to:

• Email requests
• Phishing operations (Phishing, Spear, cloning, whaling, etc.)
• Web Form Submissions
• Conferences, Conventions, or Tradeshows
• Resume/CV Submittal (Academic and/or professional)
• Social or Professional Networking
• Cyber Operations (Cyber network attacks, exploitation, collection; Exploiting Mobile Devices; Patch management; Water Holes (Using compromised websites to target visitors, including 3rd party or company websites, to access people of interest); Introduction of Backdoor Access Panels)
• Foreign Travel
• Foreign Visits
• Foreign Sales
• Personal contact (person to person via any means)
• Phone
• Mail

 
Countermeasures
Countermeasures are actions we can take to protect against threats that aim to neutralize or mitigate threats posed by foreign intelligence entities or individuals acting on their behalf. Deploying countermeasures is critical to protecting information, technology, and people.
 
A strong countermeasures plan utilizes defensive, offensive, and investigative measures to both detect and deter threats. The plan should be proactive, adaptive, and integrated throughout the organization.
 
Countermeasures may include:

• Security Education and Counterintelligence Briefings
• Physical Security measures
• Cybersecurity measures
• Personnel Security measures and training
• Insider Threat Programs 
• Supply Chain Security
• Security Audits
• Insider Threat Investigations
• Foreign Collection Methods Analysis and Threat Assessments
• Technology Control Plans (TCPs)
• OPSEC Plans
• HUMINT
• Offensive Cyber Operations 
• Offensive Disinformation
• Offensive Counterespionage
• Honey Pots

 
Clearance Advertising is Prohibited
The simple fact that an organization has been granted the ability to perform work in the U.S. Government space makes that organization, and everyone in it, a target for exploitation. Organizations that have been granted facility clearance under the National Industrial Security Program (NISP) are bound by 32 CFR Part 117 (NISPOM) which states that a cleared contractor may not use its favorable entity eligibility determination for advertising or promotional purposes.
 
“Advertising” that a company has a facility clearance is strictly prohibited. You may never state that your organization is a cleared facility, nor include any facility clearance information in any public facing space (on websites, social media, etc.), nor in any promotional or marketing materials.
 
Advertising that you, personally, have been granted a security clearance puts a bullseye on you and your organization. While not expressly prohibited, as with facility clearances, individuals that have been granted a security clearance should take extreme caution when sharing information about their clearance and the work that they do, with anyone, and should NEVER:

• Include their security clearance information on their resume when posting it in a public forum
• Post that they have a security clearance on social media, in chats, or on any public facing sites

Reporting Requirements
If you have any reason to suspect that you, someone you know, or your company is being targeted by a foreign intelligence service or any other potentially malicious actor, please contact your FSO immediately.
 
Recognizing and reporting indicators is critical to disrupting counterintelligence threats and mitigating risks.

Resources and Additional Learning

• DCSA CI MCMO Countermeasures Matrix
• CI MCMO Video
• Counterintelligence Awareness and Reporting Course for DOD
• Counterintelligence Job Aids
• Counterintelligence Tool Kit
• Unauthorized Disclosure (UD) of Classified Information and Controlled Unclassified Information 
• OPSEC Awareness for Military Members, DOD Employees and Contractors GS130.16
• DOD Unauthorized Disclosure Desk Reference
• Unauthorized Disclosure Toolkit
• Deliver Uncompromised Toolkit
• Suspicious Emails
• Case Study Library
• 32 CFR Part 117 (NISPOM Rule)
• 32 CFR Part 147 (Adjudicative Guidelines)

 
As always, if you have any questions about whether or not a situation requires reporting, ask your FSO! Your company’s FSO is the best person to help you navigate any questions you have about security compliance, briefing, and reporting requirements.  As security professionals, FSO PROS is here to help you navigate things to ensure you fulfill all requirements.