Protecting Clearances: Open Source Vulnerability
Information doesn't need to be Secret in order to be valuable. During the Cold War, Soviet intelligence found the journal Aviation Week so valuable that copies were rushed to a waiting aircraft as soon as it appeared on the newsstands. The plane was staffed with translators so that key articles could be translated in the air, en route, and be ready for dissemination as soon as the plane landed in Moscow. One indicator of how much things have changed since the end of the Cold War is that Aviation Week now publishes a Russian-language edition.
A vast amount of competitive intelligence is legally and openly available from commercial data bases, trade and scientific journals, corporate publications, U.S. Government sources, web sites, and computer bulletin boards. Collection of information through open sources often has a dual purpose. To obtain the open information, but also to refine the clandestine targeting of individuals who have access to protected information. These individuals may then be contacted and assessed by other means. Refer to the discussion of spotting and assessment techniques in How Do I Know When I'm Being Targeted and Assessed?
Because they believe that they are closely monitored by U.S. counterintelligence, some intelligence collectors resort to clandestine methods to collect even open source materials. They have been known to use false names when accessing open-source data bases and at times ask that a legal and open relationship be kept confidential. They may take steps to hide their true interest, affiliation, or location when accessing information through the Internet. For example, they may use public access Internet connections at public libraries or educational institutions for browsing Web sites, or route e-mail through one or more other countries to hide its true point of origin.
Exhibits, Trade Fairs, Conventions, and Seminars
Foreign intelligence collectors find these gatherings provide rich opportunities, especially when they bring together a concentrated group of specialists on a key topic of intelligence interest. The Paris and Farnborough (England) International Air Shows are especially noteworthy as attractions for a large number of government, corporate and free lance intelligence personnel. In addition to obtaining all the available literature, intelligence collectors use these opportunities to elicit information and for networking to meet or at least identify knowledgeable personnel who can then be targeted for further contact and assessment.
There have been many cases when Americans met at international conferences have been contacted at a later date and asked to provide information on a given technology or proprietary data. These approaches often play on a common cultural heritage as a reason to cooperate.
Some countries routinely debrief their citizens after travel to foreign conferences, asking for any information acquired during their trip. Some foreign scientists describe these debriefings as heavy-handed and offensive. In other countries, they are simply an accepted part of traveling abroad.
Indicators of security concern include:
- Topics at seminars and conventions deal with unclassified versions of classified or controlled technologies and/or applications.
- Country or organization sponsoring seminar or conference has tried unsuccessfully to visit your facility.
- A foreign organization issues invitations to brief or lecture in the foreign country with all expenses paid.
- Photography and filming appears suspicious.
- Some attendees wear false name tags.
Good risk management requires careful consideration of who and what are being exposed to whom at these meetings, attention to the physical security of sensitive information or equipment, and an appropriate balance between effective security countermeasures and marketing or other goals.
Surfing the Internet
Foreign governments and companies are increasingly using the Internet as a tool for collecting basic data on their intelligence collection targets. The World Wide Web was not designed with security in mind, and unencrypted information is at high risk of compromise to any interested adversary or competitor.
It is very easy to search the web and put together related pieces of information from different sites. For example, the search engine www.searchmil.com specializes in indexing sites with a .mil domain name. It claims to have indexed over 1 million pages of military sites, with the number of pages still growing. Department of Defense (DoD) has been among the first government departments to take the lead in spelling out rules for what should and should not go on a web site and how information should be reviewed before it is posted on a web site.
Information on a corporation's organization, leadership, products or programs, and the kinds of people they are seeking to hire may often be found on the company's web page. Quarterly financial reports submitted to the Securities Exchange Commission, newspaper and magazine stories about a company and, in many cases, discussion of new technology being developed by a company can be accessed on the Internet with various search engines. Employees can often be identified and assessed by searching Usenet and Newsgroup postings.
Before posting any information to a public Internet site, see Pre-Publication Review of Web Site Content.
Internet Discussion Groups
The anonymity of the Internet makes it a perfect medium for collection of information using e-mail, search engines, and discussion groups. One technique is the exploitation of listserv, an e-mail based discussion group organized along topics of interest and open to anyone. Subscribers who join a list may send an e-mail message to the listserv. The message is then sent by the listserv to all other members of the group. This provides subscribers with the e-mail addresses of all other members interested in the same topic.
This procedure facilitates discussion of research on various technical challenges, and these discussions are permanently archived and searchable. Such exchanges can pose a serious threat to economic and technical security for two reasons. First, it is not uncommon for discussion of concepts, research, development, testing, and evaluation of new technologies to take place in an open or unclassified environment. The availability of these discussions on the Internet is a security concern when they deal with sensitive unclassified, dual-use, export-controlled, or proprietary technologies. Second, a foreign national collecting information on U.S. programs can participate in the listserv using an e-mail address that makes it appear that the person is in the U.S.
Competitive Intelligence Professionals
Many corporations and some countries hire specialists in the collection of competitive intelligence to sort through the huge volume of openly available data. On its Internet site, the Society of Competitive Intelligence Professionals claims nearly 5,000 members in 44 countries. Most competitive intelligence professionals try to stay within the limits of the law, although those limits may be stretched almost beyond recognition. Their research modus operandi generally involves extensive use of the Internet; phone interviews with employees, industry experts, customers, competitors, suppliers, and government officials; gathering information at trade shows and conventions; and, as needed, human intelligence networks.
U.S. Government Sources
The Defense Technical Information Center is a major source of unclassified research on defense issues. Its database of available information may be searched on the Internet. The U.S. Patent Office provides free copies of U.S. patents to interested parties of all nationalities.
Requests for information submitted under the Freedom of Information Act (FOIA) are another major source of information. When a major corporation in a friendly Asian country decided in 1986 to enter the space industry, for example, it made extensive use of FOIA requests as a means of obtaining information from NASA. By some estimates, the corporation filed over 1,500 FOIA requests in 1987 alone.
|Veteran Jobs Security Clearance|