Wishing You a Safe and Happy President’s Day!

This Wednesday, at 9pm EST, president Barack Obama will deliver his State of the Union speech.

This year will be extra special as the followup to Obama’s speech viewers will have the opportunity to submit questions (and vote on other users’ questions) in response to the speech on youtube.com/CitizenTube. Next week, Obama will answer some of the questions in an online event delivered live from the White House. From the YouTube blog:

“Presidents have long used new technology to share their message directly with the American people. Calvin Coolidge was the first president to broadcast the State of the Union over the radio in 1923, and President Truman made history in 1947 when he became the first to deliver his address to a live television audience.

This year’s State of the Union speech will also make history. It will be the first time that citizens will have the opportunity to ask follow-up questions during the speech — and to hear the president’s response to those questions.”

Currently, the exact timing of the followup event is unknown.

SGIS Security wants you all to be aware that you could potentially be a target.  Whether it’s for Economic Espionage, a type of cyber crime or Elicitation/Recruitment, the fact that you are a working for a U.S. government contracting company puts you at a level of risk.

Those who have clearances and access to sensitive or proprietary information are prime targets to foreign intelligence operatives a.k.a. “spies.”  Now when I say spy, someone might think of 007 or “Get Smart,” but the fact is today’s operatives are usually friendly, everyday people who want to become “friends” with you.  They use a technique called “Elicitation”, which simply put is “the art of conversation honed by intelligence services…”  Often times, they will make initial contact with you at a seminar, business conference, networking event or social networking site.  Their goal is to determine if you have ANY information or access to information that could be potentially valuable.

If this initial contact seems worthy, they will proceed to get to know you and assess your vulnerabilities.  This is why it is extremely important to be careful what you say about yourself and your co-workers!  If you begin telling this spy… err, I mean “friend,” about your financial difficulties, marital problems or work related stresses, you are letting them know what your vulnerabilities are and they will exploit those vulnerabilities to gain an advantage.

Elicitation can take place over a long period of time. They collect tidbits of information on you, your job and coworkers. Elicitation is sometimes very hard to recognize.  Over time they hope to earn your trust and have you consider them a friend. They may ask for your expertise or consultation. Typically their goal is to have a “trusted source” that they can go to for information.

Please review the information below for further details on how they may try to recruit you and or your information:



Elicitation might be hard to recognize, but if feel you are being targeting and assessed by a Foreign Intelligence Operative, remember you have done nothing wrong unless you start maintaining a regular contact without reporting it to your security officer. Your main defense is awareness and reporting. The government may be able to notify you that you are dealing with a known intelligence operative, or it may identify the person as an operative as a result of your reporting the contact. Always report so that you are part of the solution and not the problem. See reporting requirements below.

You are required to report the following to your security office:

• Any effort by any individual, regardless of nationality, to obtain illegal or unauthorized access to classified information or to compromise you or any other cleared employee.  In addition, all contacts by you or any other cleared employee with known or suspected intelligence officers from any country, or any contact which suggests that you or any other employee may be the target of the intelligence service of another country or other clandestine group shall be reported.¹

• Any other known, suspected, attempted, or planned activity that threatens U.S. national security. This includes unauthorized release of or access to any classified or otherwise sensitive information, intrusion into an automated information system containing classified or otherwise sensitive information, or information relating to terrorism, sabotage, subversion, or illegal diversion of U.S. technology to a foreign country. Knowledge of any activity by a foreign country or organization that suggests that country or organization may have unauthorized knowledge of U.S. national security information, processes or capabilities.

Just to show you that this is REAL and happens regularly, I have linked some interesting articles on recent espionage cases that have happened this past year:

U.S.: Product engineer swiped Ford’s secrets

China proves to be an aggressive foe in cyberspace

Scientist offered U.S. secrets for $2 million, prosecutors say

As always, SGIS security is here to HELP you! Please email us a SECURITY@SGIS.COM for assistance or if you’d like to suggest further monthly topics, we would love to hear from you.

References:

1. National Industrial Security Program Operating Manual, paragraph 1-302. Presidential Decision Directive NSC-12, Security Awareness and Reporting of Foreign Contacts, August 5, 1993.

2. Many ideas in this topic came from a NRO foreign intelligence threat awareness briefing.

3. DSS pamphlet, “Elicitation, Can you recognize it?”

SGIS Security would like to give you some pointers on how to protect yourself, and your equipment, while traveling overseas to help circumvent foreign intelligence agencies from obtaining US economic, technological and military information. As an employee of a government contracting company, you are a prime target to foreign intelligence agencies.  The reality is that most technologically advanced or developing countries, including some democratic countries that are closely allied with or supported by the United States, place a high priority on acquiring U.S. technology by both fair and foul means. One of the largest tactics used is to target your electronic equipment; laptops, computers and cell phones are easily intercepted, recorded, download, sabotaged and/or out right stolen. Any information transmitted over wires or airwaves is vulnerable to exploitation. So SGIS has put together some pointers that should assist you to help keep your information secure.

• If possible, leave unnecessary electronics devices at home!
• Use designated travel-only laptops that contain no sensitive information.
• Establish a temporary email address not associated with the company.
• Encrypt data, hard drives, storage devices etc.
• Use complex passwords, and enable login credentials.
• Never use a wireless connection as they are NOT secure and most countries have sophisticated intercept technology.
• Most important, be sure to REPORT any thefts or unauthorized accesses of your portable devices.
• Blackberry acting strange, turning on and off, making odd changes.
• Never trust the hotel or room safe… always carry your electronics with you.
• ALWAYS report anything out of the ordinary or suspicious.

Below you will find some funny excerpts of real life situations that have been reported.  We hope you enjoy the humor in the situations but please take them seriously, as they are true stories.

Anecdote #1: A traveler attending a workshop returned to his hotel room after being away for dinner. He went to bed and was awakened six hours later by a beeping noise. The noise was coming from the traveler’s laptop computer. The computer cover was closed, but the unit was not shut off. The traveler believes that while he was out of the room, it was searched and the laptop was opened but not turned off. This caused the battery to run down, which is what had caused the beeping. The traveler had not turned on the computer during his trip. No classified, sensitive, or proprietary information was on the computer’s hard drive.

Anecdote #2: A traveler found four entries for “guest access” on his laptop computer. The computer had been locked with a commercially available padlock and left in his room unattended. It was not clear if someone had actually accessed any files on the hard drive. He then checked the computer’s protection software and found another “guest entry” had been logged on. The date of this entry coincided with a previous trip the traveler took to the same country. Of course we “know” these situations could never happen to you right?  If you find yourself traveling overseas, we hope you review these tips and remember by reporting your observations to your security office. You make it possible for your security office to keep abreast of what is happening and to warn others about things they might encounter during their trip.

Next month look for tips on Counterintelligence Risks and Elicitation (Can you recognize it?)
As always, Security@SGIS.com welcomes your suggestions for any article ideas.

Reference: All anecdotes are from United States General Accounting Office, Department of Energy: National Security Controls over Contractors Traveling to Foreign Countries Need Strengthening, GAO/RCED-00-140, June 2000

The Department of Defense Website recently underwent a huge transformation. Formerly known as “DefenseLINK.mil,” the DoD page has now become a new-and-improved “Defense.gov.” The reason for the change? A strategy to emphasize two-way, personal communication with the American public, according to Price Floyd, principal deputy assistant secretary of public affairs. The launch is targeted specifically towards the 18- to 24-year-old age group. Defense officials at the Pentagon are hoping to reach and engage these users in a number of ways by allowing them to post questions, provide feedback and participate in other interactive features.

If you haven’t been to the page yet, you’ll definitely want to take a look.

New DoD Homepage

Have you visited the new DoD Website? What security risks do you think should be addressed?

A recent list published by US News & World Report titled “15 Government-Heavy (and Recession-Resistant) Cities” lists 15 cities in the U.S. where government jobs are heaviest. The numbers come from a Brookings Institution report released in June. According to the article,

“Metro areas where government is one of the main employers shed fewer jobs than other metro areas. Average employment in these government-heavy areas has fallen only by 1.3 percent between the fourth quarter of 2007 and the first quarter of 2009, compared with 4 percent losses for metro areas where the major industries are arts and entertainment or agriculture. “

The benefits of recession-resistant government jobs are felt by everyone – even those who are not working in federal government. These benefits, from more government activity, include money to spend on other parts of the local economy: education, health and nonprofit organizations. These areas tend to attract a variety of individuals, ranging from families looking for a better lifestyle, those going through a job change due to layoffs or graduating college students looking for a good start to their careers. It’s a simple cycle of progression: people making money spend their money thus improving their area and creating more jobs as a result.

Among the cities listed, four are home to SGIS offices.
Of those cities, we are proud to say we have offices located in:

• Washington Metro Area (Vienna office)
• Pasadena, Calif.
• Tampa, Fla.
• Orlando, Fla.

The report shows that government employment rates continue to hold strong. Recently, SGIS opened a new office in Fayetteville, N.C., and we continue to expand, but more importantly, we continue to hire. SGIS has grown exponentially in the past 7 years as shown by our awards and we’ve opened several offices nationwide in that short amount of time. In an economy that seems to be slipping, more individuals are looking to work in federal government-related fields. SGIS provides Intelligence Analysis, IT, Engineering/Integration, Training and Cyber Security solutions to the federal government. We work with various agencies supporting the Intelligence, Homeland Security and Defense communities. Some of our open positions include Resource Managers, Account Managers, Web Developers System Administrator/Integrators and Configuration Managers. To check our open jobs, you can visit our Careers page.

You can check out the entire US News & World Report list here and view all of our SGIS office locations on our website.

In the government contracting world there’s a fine line between successful networking on the web and giving away too much.  In his presentation at the DoDIIS Worldwide Conference last month, Jack Kiesler, chief of cyber counter intelligence at the Defense Intelligence Agency, talked about the publicizing of personal information as well as tactical pieces of information that, when pieced together, can lead to big trouble.

Imagine this fictional scenario: Jane is a contractor, currently working at the Defense Intelligence Agency. She is linked to 20 people on LinkedIn, 5 of whom also work for this agency. One of those links is Tom. Tom’s LinkedIn profile shows that he is registered on Twitter and, unfortunately, has the same screen name on Twitter and his personal blog. So, now I’m following Tom’s blog and his Twitter page. I also “know” his friend Jane.  When Tom decides to post to Twitter through his iPhone, the GeoData embedded in that Tweet is posted to the Internet (GeoData is GPS coordinates automatically embedded into photos and network postings by many smartphones).

So, it’s 10 a.m. and Tom has posted a Tweet that he’s going to step out for a coffee. With two hits to Google, I can find the closest coffee shop to his current location, visit there myself and introduce myself as a friend of Jane’s. Bingo, I now have a friend at the DIA and we automatically share a level of trust, thanks to our mutual connection.

On a more personal level, a similar issue was considered in Wired magazine by journalist Mathew Honan.  Honan conducts a similar experiment after viewing a woman in the park taking pictures of her dog. He looks up the park’s coordinates on Flickr, searches by date and there are her pictures, along with other pictures, obviously taken at her house. Now, he has the coordinates to her house, he knows exactly where to find her laptop and her flat-screen inside the home and he knows that neither she nor her dog are home!

So, why bother with social networking if it can lead to so much trouble? Well, that’s simple: because even in the delicate government contracting world, everyone else is doing it. According to the 2009 Social Recruitment Survey by Jobvite: “Employers are more satisfied with the quality of candidates from employee referrals and social networks than those from job boards… the survey results showed that 80 percent of companies use or are planning to use social networking to find and attract candidates this year. Among those using social network sites for recruiting, LinkedIn is now used by 95 percent of respondents and Facebook use grew from 36 percent in 2008 to 59 percent in 2009. A new addition, Twitter, ranks third with 42 percent of recruiters using the tool to source candidates.”

The moral of the story is this: Go forth and post with care!
There are many ways to keep yourself and your business safe; the following tips are a good start:

• Understand how each social networking site works before you sign up. Check the privacy settings and RSS feeds to ensure that the information is not passed on to another site without your knowledge.
• Don’t use the same login and password for more than one site.
• Be aware that posting remotely (from a smartphone) can allow people to see your current location (most phones have a simple switch off option for GeoData).
• Don’t post anything you wouldn’t want your worst enemy to see. Even on sites that only share information between “friends.” It’s impossible to remove information from the Internet once it’s posted, that information is archived both on the Internet and on previous viewers computers.
• If you work in a sensitive industry, be sensitive with your postings. Don’t share information about your daily tasks, your coworkers, information about your office or any software/hardware you might use.