SGIS Security wants you all to be aware that you could potentially be a target.  Whether it’s for Economic Espionage, a type of cyber crime or Elicitation/Recruitment, the fact that you are a working for a U.S. government contracting company puts you at a level of risk.

Those who have clearances and access to sensitive or proprietary information are prime targets to foreign intelligence operatives a.k.a. “spies.”  Now when I say spy, someone might think of 007 or “Get Smart,” but the fact is today’s operatives are usually friendly, everyday people who want to become “friends” with you.  They use a technique called “Elicitation”, which simply put is “the art of conversation honed by intelligence services…”  Often times, they will make initial contact with you at a seminar, business conference, networking event or social networking site.  Their goal is to determine if you have ANY information or access to information that could be potentially valuable.

If this initial contact seems worthy, they will proceed to get to know you and assess your vulnerabilities.  This is why it is extremely important to be careful what you say about yourself and your co-workers!  If you begin telling this spy… err, I mean “friend,” about your financial difficulties, marital problems or work related stresses, you are letting them know what your vulnerabilities are and they will exploit those vulnerabilities to gain an advantage.

Elicitation can take place over a long period of time. They collect tidbits of information on you, your job and coworkers. Elicitation is sometimes very hard to recognize.  Over time they hope to earn your trust and have you consider them a friend. They may ask for your expertise or consultation. Typically their goal is to have a “trusted source” that they can go to for information.

Please review the information below for further details on how they may try to recruit you and or your information:



Elicitation might be hard to recognize, but if feel you are being targeting and assessed by a Foreign Intelligence Operative, remember you have done nothing wrong unless you start maintaining a regular contact without reporting it to your security officer. Your main defense is awareness and reporting. The government may be able to notify you that you are dealing with a known intelligence operative, or it may identify the person as an operative as a result of your reporting the contact. Always report so that you are part of the solution and not the problem. See reporting requirements below.

You are required to report the following to your security office:

• Any effort by any individual, regardless of nationality, to obtain illegal or unauthorized access to classified information or to compromise you or any other cleared employee.  In addition, all contacts by you or any other cleared employee with known or suspected intelligence officers from any country, or any contact which suggests that you or any other employee may be the target of the intelligence service of another country or other clandestine group shall be reported.¹

• Any other known, suspected, attempted, or planned activity that threatens U.S. national security. This includes unauthorized release of or access to any classified or otherwise sensitive information, intrusion into an automated information system containing classified or otherwise sensitive information, or information relating to terrorism, sabotage, subversion, or illegal diversion of U.S. technology to a foreign country. Knowledge of any activity by a foreign country or organization that suggests that country or organization may have unauthorized knowledge of U.S. national security information, processes or capabilities.

Just to show you that this is REAL and happens regularly, I have linked some interesting articles on recent espionage cases that have happened this past year:

U.S.: Product engineer swiped Ford’s secrets

China proves to be an aggressive foe in cyberspace

Scientist offered U.S. secrets for $2 million, prosecutors say

As always, SGIS security is here to HELP you! Please email us a SECURITY@SGIS.COM for assistance or if you’d like to suggest further monthly topics, we would love to hear from you.

References:

1. National Industrial Security Program Operating Manual, paragraph 1-302. Presidential Decision Directive NSC-12, Security Awareness and Reporting of Foreign Contacts, August 5, 1993.

2. Many ideas in this topic came from a NRO foreign intelligence threat awareness briefing.

3. DSS pamphlet, “Elicitation, Can you recognize it?”

SGIS Security would like to give you some pointers on how to protect yourself, and your equipment, while traveling overseas to help circumvent foreign intelligence agencies from obtaining US economic, technological and military information. As an employee of a government contracting company, you are a prime target to foreign intelligence agencies.  The reality is that most technologically advanced or developing countries, including some democratic countries that are closely allied with or supported by the United States, place a high priority on acquiring U.S. technology by both fair and foul means. One of the largest tactics used is to target your electronic equipment; laptops, computers and cell phones are easily intercepted, recorded, download, sabotaged and/or out right stolen. Any information transmitted over wires or airwaves is vulnerable to exploitation. So SGIS has put together some pointers that should assist you to help keep your information secure.

• If possible, leave unnecessary electronics devices at home!
• Use designated travel-only laptops that contain no sensitive information.
• Establish a temporary email address not associated with the company.
• Encrypt data, hard drives, storage devices etc.
• Use complex passwords, and enable login credentials.
• Never use a wireless connection as they are NOT secure and most countries have sophisticated intercept technology.
• Most important, be sure to REPORT any thefts or unauthorized accesses of your portable devices.
• Blackberry acting strange, turning on and off, making odd changes.
• Never trust the hotel or room safe… always carry your electronics with you.
• ALWAYS report anything out of the ordinary or suspicious.

Below you will find some funny excerpts of real life situations that have been reported.  We hope you enjoy the humor in the situations but please take them seriously, as they are true stories.

Anecdote #1: A traveler attending a workshop returned to his hotel room after being away for dinner. He went to bed and was awakened six hours later by a beeping noise. The noise was coming from the traveler’s laptop computer. The computer cover was closed, but the unit was not shut off. The traveler believes that while he was out of the room, it was searched and the laptop was opened but not turned off. This caused the battery to run down, which is what had caused the beeping. The traveler had not turned on the computer during his trip. No classified, sensitive, or proprietary information was on the computer’s hard drive.

Anecdote #2: A traveler found four entries for “guest access” on his laptop computer. The computer had been locked with a commercially available padlock and left in his room unattended. It was not clear if someone had actually accessed any files on the hard drive. He then checked the computer’s protection software and found another “guest entry” had been logged on. The date of this entry coincided with a previous trip the traveler took to the same country. Of course we “know” these situations could never happen to you right?  If you find yourself traveling overseas, we hope you review these tips and remember by reporting your observations to your security office. You make it possible for your security office to keep abreast of what is happening and to warn others about things they might encounter during their trip.

Next month look for tips on Counterintelligence Risks and Elicitation (Can you recognize it?)
As always, Security@SGIS.com welcomes your suggestions for any article ideas.

Reference: All anecdotes are from United States General Accounting Office, Department of Energy: National Security Controls over Contractors Traveling to Foreign Countries Need Strengthening, GAO/RCED-00-140, June 2000

SGIS Security wants to give some guidelines on keeping your laptops safe. Since a laptop can be a prime target of theft while traveling, here are some suggestions to help keep it secure:

Never let a laptop out of your sight in an airport or other public area. If you set it down while checking in at the airport counter or hotel registration desk, lean it against your leg so that you can feel its presence, or hold it between your feet.

When going through the airport security check, don’t place your laptop on the conveyor belt until you are sure no one in front of you is being delayed. If you are delayed while passing through the checkpoint, keep your eye on your laptop. Be prepared for the airport security check. You may be directed by airport security personnel to open and turn on your laptop to demonstrate that it is actually a functioning computer. Be sure the battery is charged or have the power cord handy. If you can’t turn your laptop on, you may not be permitted to take it on board the aircraft. The airport security X-ray machines will usually not affect hard drives. Removable storage media, having less shielding, may be affected. If possible, pass these to the attendant for hand examination.

When traveling by plane or rail, never place the computer (or other valuables) in checked baggage. If your aircraft departure is delayed and you are directed or invited to deplane and wait in the terminal, take your computer and other valuables with you. Don’t leave them unattended at your seat or in the overhead.

Never store a computer in an airport or train station locker. If you must leave it in a car, lock it in the trunk out of sight.

Avoid leaving your computer in a hotel room, but if you must do so, at least lower the risk of theft by keeping it out of sight. Lock it securely in another piece of luggage. Placing the computer in a hotel vault or room safe should make it secure from theft, but in some foreign countries it may not be secure from access by local intelligence or security personnel.

Never keep passwords or access phone numbers on the machine or in the case. Do not program your computer’s function keys with sign-on sequences, passwords, access phone numbers, or phone credit card numbers. If the machine is stolen or lost, these would be valuable prizes.

Try to keep only software files on your laptop’s hard drive. Store your data files on removable storage media and carry them separately from the computer.

Do not carry PII information on your laptop.

Back up all files before traveling.

Beware of power surges. Don’t be connected to either power lines or a copper phone line during a storm with lightning.

Check out Mission: A Laptop Security Game

Traveling abroad with your laptop! Since your laptop and information on it is much more vulnerable while traveling overseas, SGIS security will continue to provide information on this topic.  Please check back to learn what to do, and how to protect your laptop and its information overseas!

If you have any security situations or would like to submit any ideas for our next Security Bulletin, please report or send them to security@sgis.com. Thank you, your SGIS SECURITY Team!