What is the purpose of counter intelligence?

The Counterintelligence (CI) Awareness Program's purpose is to make DOD and Industry Security personnel aware of their responsibility to report unusual activities or behaviors and various threats from foreign intelligence entities, other illicit collectors of US defense information, and/or terrorists.


Insider Risks and Threats to Intangible Assets

Michael D. Moberly, in Safeguarding Intangible Assets, 2014

Office of National Counterintelligence Executive

Since 1995, the Office of the National Counterintelligence Executive (ONCIX) has been mandated to gather data and submit an annual report to Congress on the state of foreign economic intelligence collection, industrial espionage, and export control violations.

Data for the report are collected from the government agencies that make up the U.S. counterintelligence community. What is particularly new in ONCIX’s most recent report (Office of the National Counterintelligence Executive, 2011) is its discussion of new modes of communication and social networking, which give enterprising foreign intelligence services uncharted opportunities for transferring information and spying, and of companies outsourcing their R&D and establishing foreign bases of operation, which give foreign entities more opportunities to target U.S. information and technologies. A consequence is that it is increasingly difficult to measure accurately the extent of espionage and illegal acquisition of U.S. trade secrets.

These and other studies prompt, for many of us, additional questions about economic and competitive-advantage adversaries, including insiders. There is a need to identify and assess the factors that shape how employees react when external adversaries target and solicit them, repeatedly and intensively, to engage in theft, misappropriation, or economic espionage of proprietary know-how and intellectual property. Certain factors can raise an employee’s propensity to engage in information asset theft or economic espionage, either by making them receptive to external buyers and solicitors of intangible assets or by prompting them to seek out prospective buyers on their own.

If such propensities are contemplated and coincide with or become exacerbated by conventional motivators, such as disgruntlement, unmet expectations, personal predispositions, or personal finance stressors, the challenges presented by these threats become more acute and immediate.

One potential “patch” to these threats is that the complexities of personnel policies, procedures, practices, laws, and monitoring must be revisited. In the interim, companies should give favorable consideration to adopting a mode of sustaining control, use, ownership, and monitoring the value, materiality, and risks to their proprietary intellectual and structural capital—that is, their intangible assets.


URL: https://www.sciencedirect.com/science/article/pii/B9780128005163000100

Seeing is Not Believing

Cameron H. Malin, ... Max Kilger, in Deception in the Digital Age, 2017

Going on the Offensive: Deceiving Video

In the intelligence world, the acronym “CI” typically refers to counterintelligence. Law enforcement agencies and large commercial companies also apply CI to their respective missions. Recently, the Ford Motor Company deployed a CI technique that allowed the company to test drive prototype models on public roadways while preventing the cars from being accurately photographed or captured on video (MacDonald, 2016). According to Ford Motor Company (2016), camera technology is only going to become more advanced, and to maintain its competitive edge the company implements camouflage in the form of vinyl stickers whose patterns trick the eye and create optical illusions. This type of misdirection helps Ford hide the actual design of the car. Ford has an entire “camouflage team” that works with various other concealment techniques so that corporate spies and others armed with video cameras cannot get a glimpse of new vehicles before they are officially unveiled.

The application of CI to deceive video is not a new concept. One amazing example from history was the use of tactical deception in World War II, specifically the artistry and magic of the 23rd Headquarters Special Troops, the “Ghost Army” (Kneece, 2001). The Ghost Army was made up of 1,100 US Army soldiers who, before the war, had been artists, carpenters, engineers, electricians, and writers (Beyer, 2013). This unique blend of skills enabled them to create illusions on the ground in theater. As enemy aircraft flew reconnaissance missions overhead, the Germans and their allies were filming critical Allied positions (Gerard, 2002). The American military knew about these surveillance fly-bys and decided that the Nazis could be fooled into believing erroneous positions and strategies (Beyer & Sayles, 2015). So the Ghost Army set up entire American encampments complete with inflatable tanks, trucks, planes, and buildings (Fig. 6.3) (Beyer, 2013).

Figure 6.3. World War II Ghost Army inflatable tanks, created to fool German reconnaissance.

Photograph—Compliments of the National Archive.

Considerable artistry went into making these fabricated Army units believable. Painters added tread marks in the ground to simulate truck and tank movements within the camps, and runways complete with aircraft skid marks (Beyer, 2013). No detail was overlooked. According to Beyer and Sayles (2015), the Ghost Army was divided into three specialties or units: 1) visual deception, conducted by the 603rd Camouflage Engineers; 2) sonic deception, conducted by the 3132nd Signal Service Company Special; and 3) radio deception, conducted by the Signal Company Special. In addition to the inflatables and painted-landscape “special effects,” the Ghost Army used sound to extend the deception. If enemy scouts were sent out to investigate the positions of the American camps, they would hear the normal sounds of a base coming from the empty compounds, generated by speakers and amplifiers; the engineers had recorded actual sounds from a base and built playback broadcasters (Beyer, 2013). To complete the deception, radio specialists created fake radio traffic and Morse code, knowing that the opposition would be listening. Altogether, the Ghost Army carried out more than 20 battlefield deceptions across Europe (Gerard, 2002).

The creation and implementation of the Ghost Army is not that different from Ford Motor Company’s camouflage team. But with the proliferation of smartphones, video-taking drones, and video-capturing low-orbit satellites, perhaps it is necessary in today’s world to utilize some of the other magic used during World War II. Currently, in order to protect sensitive facilities or the contents of those facilities, organizations may be reaching back in time to implement some of the camouflage techniques of the 1940s. Nosy drones, satellites, and publicly available imagery (i.e., Google Earth) may necessitate governments, corporations, and even individuals to purposely modify their geographic space. A new industry may have to fashion itself after the misdirection and defensive deception created in Burbank at the Lockheed Martin Airfield. “Operation Camouflage” was created to protect the production of airplanes occurring at the Lockheed Martin facility directly after the bombing of Pearl Harbor in 1941 (Breuer, 2001). According to Lockheed Martin (2016), a group of their executives, along with the US military, enlisted Colonel John F. Ohmer to create a disguise for the Lockheed Martin production facility.

Using some of the special effect geniuses of the time from the Hollywood Studios, painters, scenic designers, landscape architects, artists, and prop masters created a three-dimensional covering for the entire aircraft facility. From the air, the once obvious aircraft manufacturing center was now just a regular neighborhood in Burbank, California (Fig. 6.4) (Breuer, 2001).


Figure 6.4. Top photo: the actual Lockheed Martin Facility as it looked in 1942.

Bottom photo: an aerial photo and result of “Operation Camouflage”.

Photos courtesy of the Burbank Historical Society.

Most facilities and homes today have already been captured by Google Maps and Google Street View. In some cases personal items or sensitive information have been captured in the photographs and are visible to all, such as license plate numbers, the inside of garages, and methods of ingress and egress to properties (Jennings, 2013). To help hide homes or other facilities, Google Maps offers an API on its developer pages with code for graphical overlays. The other way to “hide your home” is to open your address in Google Maps Street View and look for the “Send Feedback” link at the bottom right of the screen; the feedback form includes an option to blur your home (Google treats a Street View blur as permanent once it is applied). However, the digital tools offered to keep a particular location out of Google or similar services will not stop a dedicated threat actor or nosy parker from using flyover video to document a location, unless more drastic physical deception measures are taken to alter the landscape itself. The art and creativity of the CI practiced in the 1940s needs to be reevaluated and adapted to the current environment in order to deceive contemporary adversaries. Hollywood special-effects skills may be employed once again to deceive and deflect in the now ever-present and growing age of video capture.


URL: https://www.sciencedirect.com/science/article/pii/B9780124116306000062

Organization of #operations

M. Sprengers, J. van Haaster, in Cyber Guerilla, 2016

Counterintelligence in general

One of the most important aspects of a successful operation is the necessity of not drawing attention. The moment a hacker group has raised suspicion or has been profiled, the more complicated it becomes to operate stealthily and achieve their goals. To determine what precautions must be taken and what measures must be implemented to prevent detection of the operations, it is important to understand how the targeted organization(s) and possibly other investigative bodies try to perform their intelligence gathering and how they implement their detective measures.

Many counterintelligence and law enforcement agencies are involved in fighting digital operations and cyber intrusions, so the guerilla band can itself become a subject of investigation. Although little is publicly known about how most law enforcement agencies handle cyber attacks, it is generally understood that once an investigative body can connect a digital identity to a natural person or group, that person or group can easily be tracked and caught. Once the true identity of a (digital) suspect is revealed, these agencies can use traditional means (physical surveillance, communications interception, property searches, and interrogation) to investigate possible involvement in offensive cyber operations. It is therefore of the utmost importance that the guerilla band keeps its members’ physical identities secret.

For a hacker group it is important to understand how counterintelligence is generally performed. Many counterintelligence strategies rest on some form of profiling, targeting, tasking, and action. In the end, the workload required for the counterintelligence agency to identify the guerillas should be disproportionate to the reward or value of a successful identification. For example, it would be disproportionate for an investigative body to mount a multimillion-dollar operation to identify a 16-year-old who performs digital vandalism by attacking web shops and causes “only” $10,000 in damage.

In general, the following profiling levels can be distinguished:

1. Known identity, known risk. The counterintelligence body has determined the risk for specific identities, such as groups or individuals. The identities can be actively monitored (eg, through watch lists).

2. Known identity, unknown risk. The counterintelligence body has determined that specific identities might form a risk, but the risk is unknown. It will perform (automatic) monitoring based on profiles and indicators of risk.

3. Unknown identity, unknown risk. Both the risk and the identity are unknown. The counterintelligence body must therefore perform manual profiling to determine either one of the two. This method is logically the least cost effective.

It goes without saying that the guerilla band must ensure it remains in the third group (unknown identity, unknown risk).

If the hacker group is growing quickly and has performed multiple (successful) campaigns and cyber operations, it has another profiling risk to deal with: stylometry. Counterintelligence bodies can fingerprint specific campaigns and extract (code) patterns and signatures, for example the means and methods used, to determine whether a cyber operation was conducted by the same hacker group. To lower its exposure to stylometry, the guerilla band should adopt strict guidelines for initiating, executing, and finishing offensive operations. These guidelines should at least cover procedures for programming malware, methods for performing reconnaissance, usage of tools, geographical distribution of activity, and the digital fingerprints left behind. For instance, if a programmer makes the same coding errors in every tool, he can be recognized in subsequent attacks; the same goes for artifacts such as compile timestamps, debug paths, and language identifiers that end up embedded in compiled binaries. A real-world example is a hacker group whose attack timestamps matched the working hours of the Moscow time zone and the Russian holiday schedule.
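The time-zone profiling in the last sentence is the kind of analysis a counterintelligence body would run over a campaign’s timestamps. The following is an added example, not code from the book: it scores a handful of candidate time zones by how many events fall inside a nominal 09:00 to 18:00, Monday to Friday working window in each zone. The event timestamps, the candidate zone list, and the working-hours window are constructed assumptions for the illustration; the code needs Python 3.9+ for zoneinfo and a system tz database.

```python
"""Working-hours profiling of attack timestamps (added example, not from the book).

Given the UTC timestamps of events attributed to one campaign, score each
candidate time zone by the fraction of events that fall inside a nominal
working window in that zone.  A tight fit in one zone is the tell the book
describes; a flat profile across zones means the "geographical distribution"
guideline is doing its job.
"""
from collections import Counter
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Constructed sample: UTC timestamps of C2 check-ins from one campaign
# (week of 14 March 2016; the last entry is a Saturday outlier).
SAMPLE_EVENTS_UTC = [
    "2016-03-14T06:12:00Z", "2016-03-14T07:45:00Z", "2016-03-14T11:30:00Z",
    "2016-03-15T06:05:00Z", "2016-03-15T09:10:00Z", "2016-03-15T13:50:00Z",
    "2016-03-16T07:20:00Z", "2016-03-16T12:00:00Z",
    "2016-03-17T06:40:00Z", "2016-03-17T10:15:00Z",
    "2016-03-18T08:00:00Z", "2016-03-18T14:30:00Z",
    "2016-03-19T09:00:00Z",
]

# Assumption: the analyst's shortlist of plausible operator locations.
CANDIDATE_ZONES = ["America/New_York", "Europe/London", "Europe/Moscow", "Asia/Shanghai"]
# Assumption: a nominal office day; tune to the population being profiled.
WORK_START, WORK_END = 9, 18


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into a timezone-aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_working_window(ts_utc: datetime, zone: str) -> bool:
    """True if the event falls on a weekday between WORK_START and WORK_END local time."""
    local = ts_utc.astimezone(ZoneInfo(zone))
    return local.weekday() < 5 and WORK_START <= local.hour < WORK_END


def score_zones(stamps, zones=CANDIDATE_ZONES):
    """Return {zone: fraction of events inside that zone's working window}."""
    events = [parse_utc(s) for s in stamps]
    return {z: sum(in_working_window(e, z) for e in events) / len(events) for z in zones}


def best_fit_zone(stamps, zones=CANDIDATE_ZONES):
    """The candidate zone in which the most events look like office-hours activity."""
    scores = score_zones(stamps, zones)
    return max(scores, key=scores.get)


def hour_histogram(stamps, zone):
    """Local hour-of-day counts; a single daytime cluster is what gives an operator away."""
    return Counter(parse_utc(s).astimezone(ZoneInfo(zone)).hour for s in stamps)


if __name__ == "__main__":
    for zone, frac in sorted(score_zones(SAMPLE_EVENTS_UTC).items(), key=lambda kv: -kv[1]):
        print(f"{zone:20s} {frac:.2f}")
    print("best fit:", best_fit_zone(SAMPLE_EVENTS_UTC))
```

On the constructed sample, twelve of thirteen events sit inside Moscow office hours but only two inside New York’s, which is exactly the asymmetry the Moscow-hours attribution relied on. The same scoring applied with a holiday calendar per zone (events landing on a zone’s public holidays count against it) sharpens the fit further; the defensive reading for the guerilla band is that spreading activity across shifts and days, or scheduling it by machine, flattens every column of this table.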


URL: https://www.sciencedirect.com/science/article/pii/B9780128051979000036

Topics of Concern

Philip P. Purpura, in Security and Loss Prevention (Sixth Edition), 2013

Countermeasures

The first step in keeping information assets secure is to identify and classify them according to their value. Smith (2013: 767) refers to the important concept of classified information and defines it as “information explicitly protected by particular laws or regulations and marked to indicate its status.” Governments typically classify information involving national security and intelligence activities. If a company has a Department of Defense (DOD) contract, strict DOD criteria apply. Each classification has rules for marking, handling, transmitting, storing, and access; the higher the classification, the greater the controls. Businesses without a DOD contract vary widely in their information protection methods. Table 18-1 shows DOD and corporate classifications, explanations, and illustrations. ASIS International (2007: 37–39) offers the following classification system: unrestricted, internal use, restricted, and highly restricted.

Table 18-1. Classification Systems

Classification | If unauthorized disclosure | Illustrations
Government classification* | |
Top Secret | “Exceptionally grave damage” to national security | Vital national defense plans, new weapons, sensitive intelligence operations
Secret | “Serious damage” to national security | Significant military plans or intelligence operations
Confidential | “Identifiable damage” to national security | Strength of forces, munitions performance characteristics
Corporation classification | |
Special controls | Survival at stake | New process or product; secret formula or recipe
Company confidential | Serious damage | Process, customer lists; depends on value to business
Private confidential | Identifiable damage, or could cause problems | Personnel data, price quote

*U.S. Department of Defense (2006). National Industrial Security Program Operating Manual (February 28). www.dss.mil/documents/odaa/nispom2006-5220.pdf, retrieved May 26, 2012. Also, Elsea, J. (2011). “The Protection of Classified Information: The Legal Framework.” Congressional Research Service (January 10). www.fas.org/sgp/crs/secrecy/RS21900.pdf, retrieved May 26, 2012.

The list that follows here for an information security program is from multiple sources (Smith, 2013; Lowenthal, 2012; Office of the National Counterintelligence Executive, 2011). The reader should refer to the Chapter 16 list on IT security to compare and contrast both lists for comprehensive security.

1. Prevention is a key strategy to protect information assets, which can be stolen without anything being physically missing, and information assets often are not covered by insurance.

2. Establish formal policies and procedures for such activities as identifying and classifying information assets, handling, use, distribution, release of information on a “need-to-know” basis, storage, and disposal. Other examples are use of mobile devices, storage devices and devices owned by employees, security over passwords, and maintaining a “clean desk” policy so important items are not left in the open when they should be in a locked container.

3. Provide training and awareness programs for employees on all aspects of information security, including policies, methods used by spies, social engineering (see Chapter 16), reporting incidents, investigations, and auditing of the program.

4. Reinforce countermeasures through new employee orientation, the employee handbook, and performance evaluations.

5. Carefully screen employment applicants, maintain an insider threat program, and establish employee exit procedures (e.g., to remind them of protecting proprietary information).

6. Use employee nondisclosure agreements and employee noncompete agreements.

7. Implement physical security and access controls for people and property entering, leaving, and circulating within a facility (Figure 18-4).

Figure 18-4. Sen Trac ID uses radio-frequency identification technology to provide hands-free access control and asset management to track people and products within a facility.

Courtesy: Sensormatic.

8. Secure information assets.

9. Review works written by employees prior to publication and their speeches, ensure protection during trade shows, and control media relations.

10. Control destruction of information assets.

11. Maintain state-of-the-art IT security. Refer to best practices such as ISO/IEC 27002:2005 (see Chapter 16). Use passwords, encrypt data, establish multi-factor authentication measures (e.g., biometrics, PINs, passwords, and knowledge-based questions), and create policies on mobile devices in the workplace and use of social media.

12. Be cautious when logging on in a wireless area. Ensure that your computer does not automatically connect to wireless access points that are unsecured.

13. Mark laptops with company name and telephone number and apply special software to increase the chances of recovery in case of theft.

14. Protect all forms of electronic communication: e-mail, network, fax, telephone, etc.

15. Establish controls over devices that contain a hard drive, electronic storage capacity, or embedded camera. Data are being stored in ever smaller spaces, so many ordinary items (e.g., pen, knife, watch) can contain a data storage device.

16. Control the variety of office machines (e.g., the combination copy machine, fax, scanner, and printer) that contain hard drives.

17. CDs and DVDs, rather than paper, are increasingly being used to store information. If a duplicator copies a master CD to its hard drive and then burns multiple copies, the information remains available to anyone who can access the duplicator unless the data is purged.

18. Plan for resilience. Ensure that important data has a backup copy in case data are stolen, a disaster strikes, or IT fails.

19. Use technical surveillance countermeasures (TSCM).

20. To strengthen protection, conduct penetration testing and use internal and independent security audits.

Operations Security

Operations Security (OPSEC) is defined by Isaacs (2004: 104) as follows: “OPSEC is a formal process for looking at the protection of critical information from the viewpoint of an adversary and then denying that adversary the information it needs.” It is a government-developed approach to information security that began during the Vietnam War when it was discovered that lives were being lost, not only from espionage, but also from unclassified information that was being analyzed by the enemy. OPSEC is a way of thinking, rather than a series of steps. The components of OPSEC are: analyze the threat, identify critical information, examine vulnerabilities, assess risk, and apply countermeasures.

Smith (2013: 772) offers an illustration of OPSEC from the first Gulf War. As the U.S. military was about to strike Iraqi-held Kuwait, the pizza delivery business around the Pentagon spiked. OPSEC seeks to reduce the possibility of an enemy uncovering sensitive information from public activities by restricting public activities or through deceptive actions.

Destruction of Information Assets

Records, documents, computers, hard drives, cell phones, mobile devices, and other items that contain information assets should not simply be thrown into trash bins or discarded when no longer needed, because spies and other adversaries may retrieve the information. Total destruction affords better information security. Before pollution restrictions against burning, many firms placed unwanted records in incinerators. Today, strip-cut shredders (producing long strips of paper ¼ inch wide) are used by many organizations. However, security is limited. This became painfully evident in 1979, when Iranian militants stormed the U.S. Embassy in Tehran and pieced together top-secret documents that had been shredded by a strip-cut shredder. For increased security, particle-cut shredders (smaller pieces of paper) are the alternative (Figure 18-5). Cross-cut shredders offer higher security and disintegrators offer even more security. Other methods of destruction include chemical decomposition and composting. Vendors that sell high-security shredders seek to meet government national security standards.


Figure 18-5. A determined adversary might take the time to put small pieces of paper together for information.

Many companies outsource shredding to service firms that send a mobile shredding truck to the client to shred a variety of items besides paper. Examples are CDs, DVDs, hard drives, and credit cards. Security practitioners should exercise due diligence with shredding service firms and investigate the chain of custody of the shredded product. The National Association of Information Destruction (NAID) promotes professionalism and ethics of its member companies.

Shredding has increased in popularity because of privacy laws (e.g., HIPAA and FACTA), the problem of identity theft, and the U.S. Supreme Court case California v. Greenwood, which permits warrantless police search and seizure of garbage left on the street for collection (Wikipedia, 2012).

Unshredding is a growing specialization. Although unshredding can be done manually, computer technology speeds the process by scanning the pieces on both sides and then determining how the strips should be joined. In the Enron accounting case, many documents were fed through a shredder incorrectly, which made the pieces easier to put back together. Shredders also leave device-specific characteristics on the cut edges, which forensic examiners can use to identify the specific machine that shredded an item.

Comprehensive information security must consider that information is stored in many types of devices. Examples are servers, computers, handheld devices, phones, faxes, printers, copiers, cameras, access cards, readers, flash drives, mapping and navigation devices, and various media. When these devices are to be discarded, the information must be destroyed. If this is not accomplished in-house, vendors are available to contract this service. References on information destruction can be found through standards (e.g., NIST) and NAID.

Besides information destruction, we should remember that devices can be lost or stolen. Policies, security, software, and investigative methods are part of a comprehensive information security program. Information in a device that is “in the wrong hands” can be rendered inaccessible (e.g., passwords and encryption), destroyed (e.g., remotely), or recovered (e.g., GPS or other method).

Defenders against espionage must not fall into the trap of emphasizing certain counter-measures while “leaving the back door open.”


URL: https://www.sciencedirect.com/science/article/pii/B9780123878465000188

Information Security and Counterintelligence

Kevin E. Peterson, in The Professional Protection Officer, 2010

1. Computer security, information security, and information technology (IT) security all mean the same thing and are interchangeable terms.
   a. True
   b. False

2. Counterintelligence is an important function and can be applied in private sector companies as well as in government agencies.
   a. True
   b. False

3. Legal measures are generally “reactive” rather than “proactive” in nature.
   a. True
   b. False

4. According to consultant Michael Moberly, approximately what percentage of a company’s value generally lies in information and intangible assets?
   a. 90%
   b. 50%
   c. 10%
   d. 75%

5. The practice of asset protection focuses on which categories of “assets”? (Circle all that apply.)
   a. Information
   b. Physical
   c. People
   d. Property

6. Which of the following is NOT a characteristic of the Economic Espionage Act of 1996?
   a. It makes it a federal crime to steal trade secrets
   b. It is a forward-looking piece of legislation
   c. It includes “altering” information as a prohibited act
   d. It must be updated every 5 years

7. According to this chapter, the field of “information security” includes:
   a. Competitive intelligence
   b. IT security
   c. Intellectual property protection
   d. Traditional information security

8. When an information loss is known or suspected, the following actions should be taken:
   a. Corrective actions
   b. Damage assessment
   c. Containment
   d. Determine root cause

9. Information that is lost is not permanently lost.
   a. True
   b. False

10. An important tool in protecting information assets is the Economic Espionage Act (EEA) of 1996.
   a. True
   b. False


URL: https://www.sciencedirect.com/science/article/pii/B9781856177467000213

Psychological Weapons

Jason Andress, Steve Winterfeld, in Cyber Warfare (Second Edition), 2014

How the Military Defends Against SE

As discussed earlier, the military has been in the spy-counterspy business from the beginning. The counterspy techniques are the same skills needed to defend against SE. Today’s soldier needs to understand counterintelligence (CI), counterterrorism, force protection, and Operations Security (OPSEC) techniques. This section focuses on the tactical-level actions that can be taken for CI. First, let’s review the doctrinal definitions of the key concepts:

CI: Information gathered and activities conducted to protect against espionage, other intelligence activities, sabotage, or assassinations conducted by or on behalf of foreign governments or elements thereof, foreign organizations, or foreign persons, or international terrorist activities [6].

Cyber CI: Measures to identify, penetrate, or neutralize foreign operations that use cyber means as the primary tradecraft methodology, as well as foreign intelligence service collection efforts that use traditional methods to gauge cyber capabilities and intentions [6].

Counterespionage: That aspect of CI designed to detect, destroy, neutralize, exploit, or prevent espionage activities through identification, penetration, manipulation, deception, and repression of individuals, groups, or organizations conducting or suspected of conducting espionage activities [6].

Counterterrorism: Actions taken directly against terrorist networks and indirectly to influence and render global and regional environments inhospitable to terrorist networks [6].

Force Protection: Preventive measures taken to mitigate hostile actions against Department of Defense personnel (to include family members), resources, facilities, and critical information. Force protection does not include actions to defeat the enemy or protect against accidents, weather, or disease [6].

OPSEC: A process of identifying critical information and subsequently analyzing friendly actions attendant to military operations and other activities to: (a) identify those actions that can be observed by adversary intelligence systems; (b) determine indicators that adversary intelligence systems might obtain that could be interpreted or pieced together to derive critical information in time to be useful to adversaries; and (c) select and execute measures that eliminate or reduce to an acceptable level the vulnerabilities of friendly actions to adversary exploitation [6].

The military depends on confidentiality and secrecy. They deploy encryption, data classification, clearances for their personnel, and a thorough set of processes and regulations. Soldiers, airmen, seamen, and marines understand the trust they have been given and the level of national security compromise that could occur (not necessarily through a single loss of data but the aggregate knowledge impact as well). Cybersecurity has become a critical component of the National Counterintelligence Strategy (see Figure 8.3). The mission to secure the nation against foreign espionage and electronic penetration of the IC, DoD, and to protect U.S. economic advantage, trade secrets, and know-how is becoming a core responsibility for the military.


Figure 8.3. Counterintelligence is a national concern; this is the U.S. strategy to deal with it [7].

CI has an offensive aspect as well. There is a need to set up internal traps, called “honeypots” in cyberspace, to attract insiders accessing information they are not authorized for. These honeypots will also catch outside threats that have gained access. Another technique organizations should consider is seeding enticing files with embedded beacons that report back on where they end up when stolen, which provides situational awareness on what has leaked and who took it. Organizations need to fund programs to gain access to the types of organizations that have the motives and means to attack the United States and see what they have stolen. Organizations need to conduct exercises and tests on their personnel to assess their readiness level. Finally, we need to enforce consequences on individuals caught violating policies.
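The beacon-file technique above only tells you “who did it” if every planted copy is distinguishable. The following is an added example, not code from the book: each decoy copy is given a beacon URL whose token is an HMAC over the decoy name and the recipient, keyed with a secret that never leaves the collector, and the collector’s access log is then matched back to the planting registry. The host name, secret, planting list, and log lines are constructed assumptions for the illustration.

```python
"""Per-recipient beacon tokens for decoy documents (added example, not from the book).

Each planted copy of a decoy carries a URL whose path is an HMAC-derived token
bound to the person or system it was given to.  When a stolen copy is opened
and its beacon fires, the access log on the collector identifies which copy
leaked and from where.  Because the token is keyed with a server-side secret,
a thief who reads the document cannot tell how it was built or forge another.
"""
import hashlib
import hmac
import re

BEACON_HOST = "beacon.example.invalid"                    # hypothetical collector host
SERVER_SECRET = b"rotate-me-and-never-embed-in-a-decoy"    # assumption: lives only on the collector

# Constructed planting registry: (decoy file, recipient it was planted for).
PLANTINGS = [
    ("q3-merger-plan.docx", "alice"),
    ("q3-merger-plan.docx", "bob"),
    ("vendor-keys.xlsx", "alice"),
]


def make_token(decoy_id: str, recipient: str) -> str:
    """Deterministic but unguessable token for one (decoy, recipient) pair."""
    msg = f"{decoy_id}|{recipient}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def beacon_url(decoy_id: str, recipient: str) -> str:
    """The remote-image URL to embed in that recipient's copy of the decoy."""
    return f"https://{BEACON_HOST}/b/{make_token(decoy_id, recipient)}.png"


def build_registry(plantings):
    """Map token -> (decoy_id, recipient) for every copy that was planted."""
    return {make_token(d, r): (d, r) for d, r in plantings}


# Common Log Format prefix plus the beacon path; anything else is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /b/(?P<tok>[0-9a-f]{32})\.png'
)


def attribute_hits(log_lines, registry):
    """Return (decoy_id, recipient, source_ip, timestamp) for each genuine beacon fetch."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        who = registry.get(m["tok"])
        if who is None:
            continue  # unknown token: scanner noise or guessing, not a planted copy
        hits.append((*who, m["ip"], m["ts"]))
    return hits


# Constructed access-log sample: bob's copy fired from an outside address,
# one bogus token from a scanner, and an unrelated request.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Mar/2016:14:02:11 +0000] "GET /b/{make_token("q3-merger-plan.docx", "bob")}.png HTTP/1.1" 200 68 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Mar/2016:14:05:00 +0000] "GET /b/0123456789abcdef0123456789abcdef.png HTTP/1.1" 404 0 "-" "curl/7.47"',
    '198.51.100.9 - - [10/Mar/2016:14:06:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def demo():
    """Attribute the constructed log against the constructed plantings."""
    return attribute_hits(SAMPLE_LOG, build_registry(PLANTINGS))


if __name__ == "__main__":
    for decoy, recipient, ip, ts in demo():
        print(f"{decoy} planted for {recipient} fetched from {ip} at {ts}")
```

Two caveats a practitioner should carry into this: a beacon fires only if the viewer fetches remote content, and many document viewers block that by default, so silence is not evidence that nothing leaked; and the attribution is to the copy, not the person, so a hit on bob’s token means bob’s copy travelled, which is where the investigation starts rather than ends.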

How the Army Does CI

Army regulation AR 381-12, Threat Awareness and Reporting Program, 4 October 2010 (for the old soldiers this was called Subversion and Espionage Directed against the U.S. Army, or SAEDA), establishes the training requirements and reporting procedures. It also lays out indicators of suspicious activity, such as foreign influence or connections, disregard for security practices, unusual work behavior, financial matters, foreign travel, undue interest, soliciting others, and extremist activity. This is basically a process that encourages every member of the staff to become a security officer and help police both themselves and their coworkers. The program is built around two key principles: situational awareness and behavior monitoring, both of oneself and of one’s coworkers. If done well, it will counter the whole spectrum of crime, internal threats (disgruntled or unstable workers), external threats (foreign operatives and terrorists), and today’s social engineers. If done poorly, it allows incidents like the recent unauthorized release to WikiLeaks of a large number of classified documents relating to the U.S. war in Iraq.

An Air Force Approach

The Air Force Public Affairs Agency has published a “Social Media Guide” whose top 16 tips include items like: differentiate between opinion and official information, and no classified information [8]. This is a very good example because it does a couple of things well. First, the guide is more about how we should use the many different communication applications on the web than about why we should not use them. Second, it is a formal policy that includes punitive consequences for misbehavior.

An important aspect of this defensive capability is to analyze the information that is leaking and conduct the appropriate investigation to determine what actions need to be taken. History offers examples of traditional espionage such as Aldrich Ames, Robert Hanssen, Colonel Vladimir Vetrov (the KGB officer codenamed Farewell, whose material became known as the Farewell Dossier), Gregg Bergersen, and the Russian illegals network broken up in 2010 and deported from the United States, but these operations are time consuming, expensive, and risky, whereas much of the same material can be obtained through cyber spying: the risk of getting caught is lower, access is gained faster, and the cost is lower. We have talked extensively about computer network exploitation; combined with social engineering (SE), it amounts to a paradigm shift in spying capability. This requires us to look at the techniques that got these traditional spies caught, including careful analysis, auditing of financial records, tips from co-workers, offensive operations to gain access to enemy files and see who they had turned into spies, and encouraging defectors to switch sides.

For the sake of brevity, we’re not going to delve into the processes of the Navy and Marine Corps, although they’re both quite capable in their own right at these processes and procedures.


URL: https://www.sciencedirect.com/science/article/pii/B9780124166721000088

High-Threat Locations for Business Espionage

Bruce Wimmer CPP, in Business Espionage, 2015

Middle East

Finally, there are the Israelis, who are renowned for their business spying. It is important to remember, however, that nearly all the intelligence agencies of Middle Eastern nations will collect business-related information in the course of their intelligence activities. Some experts within the intelligence communities have rated the Israeli intelligence services among the top four in the world (along with those of the U.S., Russia, and China). Israeli spying in the business arena tends to concentrate on military-related areas. The case of Michael Haephrati and his wife is an exception: an independent Israeli computer programmer created a Trojan program that allowed his customers (Israeli private investigators) to spy on their clients’ competitors, for a price.

Counter Punch published an article on March 12, 2009, by Christopher Ketcham, detailing the Israeli methods of operation: “Israel conducts an aggressive and damaging espionage campaign in the U.S. This sensitive issue is never mentioned in the media or discussed by the government, mainly because of the special, sensitive relations between Israel and the U.S. and the influence of the Israeli lobby, which punishes any American lawmaker that dares to criticize Israel.” According to Ketcham, proof can be found in the annual “Business Espionage” FBI report to Congress, in which Israel is reported as a hostile intelligence threat second only to China, and by a small margin. In the 2005 report, for example, the FBI claims that “Israel conducts an information gathering campaign in the U.S.” [10] A 1996 report by the Counterintelligence Services, a branch of the Pentagon, contained a warning that “Israel considers scientific data gathering in the U.S. to be its third priority, right after information gathered in the neighboring Arab states and information on American policy decisions regarding Israel.” [11] According to a U.S. CIA report, the infiltrations used by Israeli intelligence are perpetrated using advanced methods. [12]

Former FBI Deputy Director for counterintelligence, Harry B. Brandon, reported in a congressional hearing that “Israel is looking for business information as well as military secrets. One of the best methods they have is exploiting business partnerships between Israeli and American firms which supply software to the entire U.S. market and the various government agencies. In this way they get access to the information they’re looking for.”13

The primary Israeli business espionage collection agency is called “LAKAM,” and is one of Israel’s most effective intelligence organizations. LAKAM is a Hebrew acronym for the Israeli Defense Ministry’s Scientific Liaison Bureau. Its agents operate in the United States, Japan, France, Germany, Italy, Great Britain, Switzerland, and Sweden. LAKAM’s biggest operation is inside the U.S.: its agents operate out of the Israeli embassy in Washington, D.C., and from two other offices, one in Los Angeles and the other in New York City. Operations in these cities are believed to involve 35 full-time agents with several dozen more informants. The Israeli industries that benefit most include aerospace, chemical producers, and electronics firms.

In addition to regular agents, Israel also uses deep-cover agents posing as business people and scientists traveling to the United States or other countries. Most of the time these agents are in direct contact with the Prime Minister’s office and use diplomatic pouches to transport the most sensitive information or materials. [14]


URL: https://www.sciencedirect.com/science/article/pii/B9780124200548000036

When State Entities Target a Business’s Intellectual Property

Christopher Burgess, Richard Power, in Secrets Stolen, Fortunes Lost, 2008

Current and Future Threats to Economic Security

We’ve discussed a number of cases that provide a taste of the intrigue concerning how the geo-political milieu can have a direct effect on the fortunes of private enterprises. But really, just how serious is the issue? In the United States, it is very serious. The United States is under economic attack, according to the United States National Counterintelligence Executive’s report to Congress in February 2005. In March 2005, the National Counterintelligence Strategy was outlined, and in May 2005, the National Counterintelligence Executive noted that U.S. businesses must not only protect themselves against their competitors, but also the foreign intelligence services of their competitors’ countries. The report goes into some depth in identifying the types of foreign entities conducting industrial and economic espionage; the kind of information targeted by these foreign entities; and which foreign entities are attempting to acquire sensitive U.S. technology (either classified or proprietary)— be they private or governmental.

It is prudent to discuss the report’s findings since they are directly germane to this discussion. The report indicates that individuals from almost 100 separate countries attempted to acquire sensitive U.S. information. The role of state-supported intelligence collection against U.S. technology/IP was characterized in the report’s findings with the statement, “It is clear, however, that some foreign countries, including the major players, also continued to employ state actors—including their intelligence services—as well as commercial enterprises, particularly when seeking the most sensitive and difficult-to-acquire technologies.”

The report identified the following dual-use areas as being targeted: information systems, military production processes and communication systems, aeronautics, electronics, and armaments and energetic materials. The report laments the difficulty in tracking foreign targeting of purely civilian technologies and highlights the reluctance of U.S. firms to share information. The report opines that such reluctance is due to U.S. firms not wishing to highlight their loss, as doing so may have a deleterious effect on “investor and consumer confidence and stock prices.” That said, the identified commercial technologies stolen by foreign entities included semiconductor production processes, computer microprocessors, software, proprietary information, and chemical formulas.

It is especially noteworthy that the U.S. Counterintelligence Community expects no decline in foreign intelligence activities, while also noting that stemming the flow of information will become more difficult. Specifically mentioned are the challenge of isolating trade secrets from foreign managers and employees, and U.S. firms’ increasing practice of placing their research and development centers in foreign environs. The reality is that the theft of intellectual property will continue to be a thorn in the side of both industry and governments.

In 2006, the Defense Security Service upped the number of countries engaged in industrial espionage in the United States. The UN has only 119 member states, so it would have been easier to simply note the 17 nations not involved.

The FBI estimates that more than 3,000 Chinese “front companies” operate in the U.S. with the express purpose of gathering intelligence and technology. Much of this is “dual use,” with both civil and military uses. The FBI has stated publicly that the number of Chinese counterintelligence cases in Silicon Valley alone is increasing by 20 to 30 percent each year.

Can we in good conscience advocate a change in current U.S. policy, simply because other countries engage in such practices? Maintaining the current policy would seem to be the prudent course of action at this time, since it is one thing to ask our law enforcement and intelligence personnel and entities to take extraordinary risks to protect the nation from external threats (both physical and economical) and quite another to ask these same entities to take a similar level of risk to provide information that may help a specific company’s bottom line. In the global marketplace, the free market economy should be the arbiter. Those with the best product, service, execution, and so on, will achieve the greatest fiscal success and be the market victor.

According to a study published in late October 2005 by USA for Innovation, a nonprofit organization dedicated to the protection of intellectual property (IP), IP in the United States alone carried a value of US$5–5.5 trillion, equivalent to 45 percent of the United States’ GDP and larger than the GDP of any other nation. In essence, the IP held by companies in the United States is the heart of U.S. economic security. This study also indicates that there is a direct correlation between the level of a nation state’s protection of foreign-owned IP and the level of foreign investment in that country: where the state increases protection of investors’ IP, investors increase their investment in the nation’s economy. In sum, U.S. corporations must take appropriate steps, on their own, to incorporate security procedures that effectively protect their IP against the efforts of foreign governments eager to obtain it.


URL: https://www.sciencedirect.com/science/article/pii/B9781597492553000034

Facing Espionage While Traveling

Bruce Wimmer CPP, in Business Espionage, 2015

Cases of Travelers Becoming Victims of Business Espionage

In addition to the examples of travelers being targeted that are covered in other chapters, the following are examples of how travelers can be extremely vulnerable to business spying if they are not prepared and do not employ the appropriate countermeasures. There are a number of examples where governments and competitors have broken into hotel rooms, offices, or have otherwise electronically monitored travelers.

For example, in the 1990s when Russia was transitioning from Communism and the Committee for State Security (KGB) was replaced by the Russian Federal Security Service or FSB, there was hope that the electronic monitoring that took place with visitors to the Soviet Union would no longer happen. Unfortunately, the monitoring is still widely occurring in Russia.

During the transition period, a couple, both mid-level employees of a company, went to a tourist hotel in Russia. Interestingly, the company they worked for required a pre-travel briefing because it did some defense-related work. The couple was pre-briefed by corporate security and told that their room would probably have audio and/or video monitoring, and was asked to come back for a debriefing after they returned. At the debriefing they described a situation in Moscow where they were having trouble sleeping because of the suspected monitoring. Although they had been told to do nothing to remove suspected devices, the couple admitted they had not followed that advice. The husband said he saw a “lump” under the carpet: the carpet was not fastened down, only rolled over the floor, and there was a small bump at about the center of the room. He rolled the carpet back and saw what he thought was a “pressure plate,” which the couple described as a circular metal disk fastened down by a series of bolts around its edge. The man said he was fairly certain that when you entered the room and stepped on the carpet, it pressed down on the “plate” and activated the monitoring equipment. He therefore removed the nuts and bolts, lifted the plate off, and rolled the carpet back. No longer being monitored, in their minds, the couple said they had a good night’s sleep. The next morning, as they walked through the lobby, hotel staff came up and asked if they were in room 812. The couple smiled and acknowledged that it was their room. The staff then asked if they were okay and everything was all right; again the couple smiled (knowingly) and said they were fine. The hotel staff revealed they were happy to hear that, and shared that sometime during the night the light fixture mounted on the ceiling of room 712, directly below, had fallen on its occupants. While this is humorous, in a sense, it illustrates that travel security briefings need to be thorough and that travelers should not take countermeasures into their own hands beyond limiting what they disclose while traveling, in a hotel room, or in any other venue.

In the mid-1990s, the regional security officer (RSO) of a government diplomatic staff was staying in a hotel in Taipei, Taiwan, while working with companies on business deals there. He left his room in a hurry for a meeting and jumped into a government vehicle. Just as they were pulling out of the hotel, he realized he had accidentally left his expensive Mont Blanc pen lying on the bedside stand in his room. He asked the driver to go back, jumped out of the vehicle outside the hotel compound, and ran inside. Being in a hurry, he ran up the stairwell to the fourth floor, where his room was located, instead of taking the elevator. When he entered his room he found six people looking through his personal belongings and removing a disc from a recording device in the ceiling, co-located with the smoke detector. Needless to say, they were surprised to see the occupant return and claimed to be hotel maintenance, but the RSO, being knowledgeable about espionage, recognized what they were doing and the equipment they had. Other business people from his country subsequently told him of similar occurrences in Taiwan and China.

In another incident, in the late 1990s, a group of U.S. businesspeople traveled to Seoul, South Korea, where they had reservations in a large chain hotel. The purpose of the visit was to pursue legal action against a Korean conglomerate group. The company arranged to have all of its staff housed on the same floor and obtained a conference room on that floor, which was used as the “legal command center.” At night, after working all day, the team would lock the conference room and get together for dinner and drinks. After two different days on which it appeared that some documents had been moved, the team called for a Technical Surveillance Countermeasures (TSCM) survey. The TSCM personnel detected microphones in the rooms of some team members, and hidden cameras were installed in the legal command center to record it. Review of the recordings the next day showed that at about 2 a.m. what appeared to be members of the hotel security team entered the command center with a key and began going through documents and taking pictures. The question was why hotel security was doing this. It was subsequently determined that the Korean group the foreign company was taking legal action against also owned this hotel chain in Korea, so it was no surprise that the hotel staff was providing intelligence on the legal planning. The better question was why anyone would choose to stay in a hotel owned by a group they were suing. The answer, of course, was that no one had checked who owned the hotel.

Several years ago, a U.S. company was concerned about repeated instances where sensitive business information was apparently being lost by their business travelers while in hotels in China. The company went so far as to set up hidden cameras and microphones in the rooms of several mid-level executives traveling in China. They wanted to know if the monitoring extended to mid-level employees. According to the company, shortly after the employees left, individuals entered the rooms and began to systematically search the room and go through papers left behind. At one point, one of the individuals conducting the search found one of the hidden cameras. When he brought it to the apparent team leader, the leader openly expressed concern that another Chinese intelligence service was already targeting the visitors. He told his team to leave the hidden camera and get out of the room so as not to disrupt the organization’s spying mission.

In 2008, three U.S.-based R&D employees traveled to Wuhan, China, bringing laptop computers that contained extensive sensitive R&D-related information. After working for several days in Wuhan, some staff in the office invited the three out for dinner and drinks. Their Chinese hosts within the company convinced the employees to lock their laptops in one of the managers’ offices, telling them they could return to the office after the evening’s festivities to collect them on the way back to their hotel. They had a good evening of eating and fellowship, but when two of the group said they were tired and ready to return to the hotel, the hosts insisted everyone have at least one more drink. The drinks dragged on, but finally, about 11 p.m., they returned to the office. As the group entered and passed a glass door opening onto the emergency fire exit stairwell, everyone noticed that the door was broken and glass was scattered in the stairwell. As they slowly entered the office area, someone noticed that the door of the office where the laptops had been stored had also been broken into; inside, all three laptops were missing. The employees summoned building security, which in turn called the police. Efforts to review the stairwell CCTV coverage with building security were unsuccessful because security claimed the CCTV system just happened not to be working on that floor that night, with repairs not completed until the next day. The camera in the elevator lobby was working, but a review showed only the three visitors and their hosts; it appeared that someone had taken the stairs up and entered the stairwell from another floor. A review of the cameras inside the elevators did show one suspicious individual, but he wore dark glasses and a hat that hid most of his features from the single fixed camera, and he got off on the floor just below the office area that was broken into. Crime-scene photographs and the investigation determined that the glass from the stairwell door, which should have fallen inside the office area if someone had broken in from the stairwell, was almost exclusively on the outside of the door, indicating it had been broken outward by someone already inside. If the thief or thieves were already inside there was no reason to break the glass (the door had an emergency push bar for exit) except to mislead investigators about what had happened. Given that the only items taken were the three laptops belonging to the visiting R&D staff (at least 20-30 other laptops, mobile telephones, and even cash lying on or inside desks were untouched), and that the only break-in was to the interior office where those laptops were kept, it was apparent the theft relied on inside knowledge. About three weeks later, after an intensive internal investigation by the company, the Wuhan police suddenly reported they had found the thief and recovered the laptops. The thief was allegedly an “itinerant” who was not authorized to be in Wuhan, and the police maintained he had kept the three laptops with him until they, unexplainably, caught him. When the laptops were returned to the United States, a forensic examination showed that all the data on all three computers had been downloaded.

Business travelers should also know that waiters and waitresses can be required to elicit information and serve as collectors in the People’s Republic of China. Women also work bars and clubs in China gathering information. In 2011, the Japanese media interviewed an attractive young Chinese woman who acknowledged she had been recruited by Chinese military intelligence and was reporting information. Her job was to work the bars in Beijing where foreigners went, keep talking to them, and try to find those who could provide information of value. She said she was never instructed to obtain specific documents or information, but was asked to at least find out details about business plans, even future business trips, or information about the target’s colleagues. For this she received a free apartment in Beijing and a bonus of several thousand Chinese yuan every time she succeeded in obtaining information. [1]

It is worth knowing that travelers are subject to monitoring, as noted above and in other chapters, in places such as Korea, Taiwan, China, and Russia. It is also well known within counterintelligence circles that the French have a special unit, known when I was in the counterintelligence business as “Unit Sept,” or Unit 7. One former Unit 7 team member told me that on average they went through more than eight hotel rooms a day, examining documents, computers, and so on. It was widely reported in the news media that the unit was also responsible for putting video cameras and microphones into the first-class seats of Air France flights to read documents and computer screens and to listen to business people who worked or talked on the plane. According to the Philadelphia Inquirer, the former head of the French General Directorate of External Security (DGSE), Pierre Marion, acknowledged the unit’s activities in an interview. [2]

It is also well known that hotel staff will cooperate with the national intelligence services when those agencies want to get into business travelers’ rooms. French, Korean, Chinese, and Taiwanese hotel staff have all reported that they had no choice but to let government services into specified rooms. I spoke with the manager of a western hotel chain in China, for example, and he reported that they had to open rooms and even room safes for government security agencies. The manager was an ethnic Chinese American citizen, but he said the Chinese security agency made it clear there would be big problems with regulatory agencies if the hotel did not cooperate. A Tampa-based travel agency manager who specialized in trips to Latin America and had taken tour groups into both Cuba and Venezuela said he had multiple examples of electronic monitoring of hotel rooms and of intelligence service entry into rooms in both countries: individuals had returned to their rooms to find people going through their property, or found items had been moved, including papers and documents kept inside the hotel safe. As the U.S. government contemplates opening up travel and business with Cuba, it will be important for travelers and business people going there to understand the intelligence threat and prepare accordingly. They should assume that their rooms are monitored by at least audio and possibly video, that hotel, restaurant, bar, and tourist staff will report on their activities, and that telephone and computer communications are subject to monitoring. In fact, reports of travel agencies being used to help spy on travelers to Cuba go back to the Miami Herald in 1999. [3]


URL: https://www.sciencedirect.com/science/article/pii/B9780124200548000061

Comparison of Federal and International Security Certification Standards

Matthew Metheny, in Federal Cloud Computing, 2013

Intelligence Community (IC)

The Director of Central Intelligence Directives (DCIDs), issued by the Director of Central Intelligence (DCI), were formerly used to provide intelligence community-wide policies and guidance, including governing information systems that stored, processed, or transmitted intelligence information. In 1983, the DCI published DCID 1/16 (updated in 1988) to establish a security policy for the processing, storage, and transmission of US foreign intelligence and counterintelligence in automated information systems (AIS) and networks. DCID 1/16 identified the criteria in the DoD Trusted Computer System Evaluation Criteria (TCSEC), published by the NCSC in 1985, as the protective measures (administrative, environmental, and technical security requirements) an AIS had to meet to protect sensitive information. DCID 1/16 was later superseded by DCID 6/3 in 1999 [14], with an implementation manual published in 2000 [15] (and updated in 2002). DCID 6/3 became the first certification and accreditation (C&A) process documented for use by the IC.

DCI policy was used within the IC until the establishment of the Office of the Director of National Intelligence (ODNI) in 2005. In 2008, the ODNI published Intelligence Community Directive (ICD) 503, which superseded DCID 6/3 [16]. ICD 503 was established to implement the strategic goals [17] agreed upon by the IC CIO, the DoD CIO, OMB, and NIST. ICD 503 and other transition guidance in the form of directives and standards directed the use of CNSS policy and guidance, which in turn pointed to the harmonized NIST guidance [13].


URL: https://www.sciencedirect.com/science/article/pii/B9781597497374000071

Why is counter intelligence important?

The goals of the FBI's counterintelligence work are to: Protect the secrets of the U.S. Intelligence Community. Protect the nation's critical assets, like our advanced technologies and sensitive information in the defense, intelligence, economic, financial, public health, and science and technology sectors.

What do you mean by counter intelligence?

Definition of counterintelligence: organized activity of an intelligence service designed to block an enemy's sources of information, to deceive the enemy, to prevent sabotage, and to gather political and military information.

What are the five functions of counterintelligence?

The five mission objectives outline key activities required to identify, detect, exploit, disrupt, and neutralize FIE and insider threats and to safeguard our national assets, including cyberspace.

What is the counterintelligence mission?

The FBI investigates whenever a foreign entity conducts clandestine intelligence activities in the United States. Our counterintelligence investigations also help combat international terrorist threats, including those involving weapons of mass destruction and attacks on critical infrastructures.