Would You Know if You Were Being Targeted for Recruitment?

Posted on : 30-11-2009 | By : SGIS | In : Commentary, Government Contract, Security, cybersecurity, government


SGIS Security wants you all to be aware that you could potentially be a target. Whether it’s for Economic Espionage, a type of cyber crime, or Elicitation/Recruitment, the fact that you are working for a U.S. government contracting company puts you at a level of risk.

Those who have clearances and access to sensitive or proprietary information are prime targets for foreign intelligence operatives, a.k.a. “spies.” Now when I say spy, someone might think of 007 or “Get Smart,” but the fact is today’s operatives are usually friendly, everyday people who want to become “friends” with you. They use a technique called “Elicitation,” which simply put is “the art of conversation honed by intelligence services…” Oftentimes, they will make initial contact with you at a seminar, business conference, networking event or social networking site. Their goal is to determine if you have ANY information or access to information that could be potentially valuable.

If this initial contact seems worthy, they will proceed to get to know you and assess your vulnerabilities.  This is why it is extremely important to be careful what you say about yourself and your co-workers!  If you begin telling this spy… err, I mean “friend,” about your financial difficulties, marital problems or work related stresses, you are letting them know what your vulnerabilities are and they will exploit those vulnerabilities to gain an advantage.

Elicitation can take place over a long period of time. They collect tidbits of information on you, your job and coworkers. Elicitation is sometimes very hard to recognize.  Over time they hope to earn your trust and have you consider them a friend. They may ask for your expertise or consultation. Typically their goal is to have a “trusted source” that they can go to for information.

Please review the information below for further details on how they may try to recruit you and/or obtain your information:

[Tables 1-3: images, not preserved in this copy]

Elicitation might be hard to recognize, but if you feel you are being targeted and assessed by a Foreign Intelligence Operative, remember you have done nothing wrong unless you start maintaining regular contact without reporting it to your security officer. Your main defense is awareness and reporting. The government may be able to notify you that you are dealing with a known intelligence operative, or it may identify the person as an operative as a result of your reporting the contact. Always report so that you are part of the solution and not the problem. See reporting requirements below.

You are required to report the following to your security office:

  • Any effort by any individual, regardless of nationality, to obtain illegal or unauthorized access to classified information or to compromise you or any other cleared employee.  In addition, all contacts by you or any other cleared employee with known or suspected intelligence officers from any country, or any contact which suggests that you or any other employee may be the target of the intelligence service of another country or other clandestine group shall be reported.¹
  • Any other known, suspected, attempted, or planned activity that threatens U.S. national security. This includes unauthorized release of or access to any classified or otherwise sensitive information, intrusion into an automated information system containing classified or otherwise sensitive information, or information relating to terrorism, sabotage, subversion, or illegal diversion of U.S. technology to a foreign country. Knowledge of any activity by a foreign country or organization that suggests that country or organization may have unauthorized knowledge of U.S. national security information, processes or capabilities.

Just to show you that this is REAL and happens regularly, I have linked some interesting articles on recent espionage cases that have happened this past year:

U.S.: Product engineer swiped Ford’s secrets

China proves to be an aggressive foe in cyberspace

Scientist offered U.S. secrets for $2 million, prosecutors say


As always, SGIS Security is here to HELP you! Please email us at SECURITY@SGIS.COM for assistance. If you’d like to suggest further monthly topics, we would love to hear from you.

References:
1. National Industrial Security Program Operating Manual, paragraph 1-302. Presidential Decision Directive NSC-12, Security Awareness and Reporting of Foreign Contacts, August 5, 1993.
2. Many ideas in this topic came from a NRO foreign intelligence threat awareness briefing.
3. DSS pamphlet, “Elicitation, Can you recognize it?”

The ups and downs of social networking

Posted on : 17-06-2009 | By : SGIS | In : Commentary


In the government contracting world there’s a fine line between successful networking on the web and giving away too much.  In his presentation at the DoDIIS Worldwide Conference last month, Jack Kiesler, chief of cyber counter intelligence at the Defense Intelligence Agency, talked about the publicizing of personal information as well as tactical pieces of information that, when pieced together, can lead to big trouble.

Imagine this fictional scenario: Jane is a contractor, currently working at the Defense Intelligence Agency. She is linked to 20 people on LinkedIn, 5 of whom also work for this agency. One of those links is Tom. Tom’s LinkedIn profile shows that he is registered on Twitter and, unfortunately, has the same screen name on Twitter and his personal blog. So, now I’m following Tom’s blog and his Twitter page. I also “know” his friend Jane.  When Tom decides to post to Twitter through his iPhone, the GeoData embedded in that Tweet is posted to the Internet (GeoData is GPS coordinates automatically embedded into photos and network postings by many smartphones).

So, it’s 10 a.m. and Tom has posted a Tweet that he’s going to step out for a coffee. With two hits to Google, I can find the closest coffee shop to his current location, visit there myself and introduce myself as a friend of Jane’s. Bingo, I now have a friend at the DIA and we automatically share a level of trust, thanks to our mutual connection.

On a more personal level, a similar issue was considered in Wired magazine by journalist Mathew Honan.  Honan conducts a similar experiment after viewing a woman in the park taking pictures of her dog. He looks up the park’s coordinates on Flickr, searches by date and there are her pictures, along with other pictures, obviously taken at her house. Now, he has the coordinates to her house, he knows exactly where to find her laptop and her flat-screen inside the home and he knows that neither she nor her dog are home!

So, why bother with social networking if it can lead to so much trouble? Well, that’s simple: because even in the delicate government contracting world, everyone else is doing it. According to the 2009 Social Recruitment Survey by Jobvite: “Employers are more satisfied with the quality of candidates from employee referrals and social networks than those from job boards… the survey results showed that 80 percent of companies use or are planning to use social networking to find and attract candidates this year. Among those using social network sites for recruiting, LinkedIn is now used by 95 percent of respondents and Facebook use grew from 36 percent in 2008 to 59 percent in 2009. A new addition, Twitter, ranks third with 42 percent of recruiters using the tool to source candidates.”

The moral of the story is this: Go forth and post with care!
There are many ways to keep yourself and your business safe; the following tips are a good start:

  • Understand how each social networking site works before you sign up. Check the privacy settings and RSS feeds to ensure that the information is not passed on to another site without your knowledge.
  • Don’t use the same login and password for more than one site.
  • Be aware that posting remotely (from a smartphone) can allow people to see your current location (most phones have a simple switch off option for GeoData).
  • Don’t post anything you wouldn’t want your worst enemy to see, even on sites that only share information between “friends.” It’s impossible to remove information from the Internet once it’s posted; that information is archived both on the Internet and on previous viewers’ computers.
  • If you work in a sensitive industry, be sensitive with your postings. Don’t share information about your daily tasks, your coworkers, information about your office or any software/hardware you might use.