For years the counterintelligence efforts of the Federal Bureau of Investigation (FBI), Defense Security Services (DSS) and other U.S. Government entities have been sharing “stranger danger” type briefings for travel, conferences and elicitation over telephone calls. Every individual with a government security clearance has received their annual counterintelligence training, with emphasis on reporting contact with foreign nationals. Most of these briefings and instructions focus on the in person solicitation or email query. Now with the ubiquitous nature of social networks, it should come as no surprise that foreign intelligence services hostile to the interests of the U.S. have put another collection of arrows into their operational quiver so as to achieve their goals, collecting U.S. secrets (and those of the allies of the U.S.).
ClearanceJobs is a closed network, they carefully screen employers and have in place checks and balances on how and to whom your folio is shared. This is not the case with the open networks like LinkedIn, Facebook, Google+, etc. These social networks are considered open networks, where the admission and presence requires nothing more than web access and an email address.
Government warns us
In fact the United Kingdom’s MI-5 (internal security service) sent a memo to government departments warning according to the UK’s Daily Mail: Foreign spies on LinkedIn trying to recruit civil servants by ‘Befriending’ them before stealing British secrets.” The Daily Mail notes that the memo (not provided) warns government workers that Russia and China are both utilizing the LinkedIn social network to target government employees, are creating fake profiles within the site, and are trying to “find-connect-cultivate” government employees. Those of us who do not suffer event amnesia will remember the well orchestrated “Robin Sage” sting of 2010, where a total persona was created by Thomas Ryan of Provide Security and over the course of several months engaged, befriended and elicited information from cleared government employees. The results of the sting were shared at the 2010 Black Hat conference in a talk, “Getting in bed with Robin Sage.”
The DSS and FBI have also issued their own counterintelligence brochures dealing with the broader cyber threat. The rather robust FBI brochure on elicitation is especially apropos when it comes to social networks, as the techniques used in face-to-face personal engagement are applicable to social network engagement. Elicitation is an art form, and when exercised by the intelligence professional, it is difficult not to engage. The FBI suggests:
Deflecting Elicitation Attempts
Know what information should not be shared, and be suspicious of people who seek such information. Do not tell people any information they are not authorized to know, to include personal information about you, your family, or your colleagues.
You can politely discourage conversation topics and deflect possible elicitations by:
- Referring them to public sources (websites, press releases)
- Ignoring any question or statement you think is improper and changing the topic
- Deflecting a question with one of your own
- Responding with “Why do you ask?”
- Giving a nondescript answer
- Stating that you do not know
- Stating that you would have to clear such discussions with your security office
- Stating that you cannot discuss the matter
The DSS notes in their cyber threats brochure the myriad of reasons and methods used to target cleared personnel. The DSS suggests:
Why Do They Target
- Company unclassified networks (internal and extranets), partner and community portals, and commonly accessed website
- Proprietary information (business strategy, financial, human resource, email, and product data)
- Export controlled technology • Administrative and user credentials (usernames, passwords, tokens, etc.)
- Foreign intelligence entities seek the aggregate of unclassified or proprietary documents that could paint a classified picture
Why should I care?
OPM breach + Health Care breach + IRS breach + Ashley Madison breach = Targeting bonanza
While we have in the past admonished to be judicious on what you post as it can be culled, with the OPM data breach, many who have security clearances have had their information compromised. Knowing that it is probable the contents of their SF-86 are in the hands of hostile intelligence services can be disquieting. Couple this with the most recent compromise of the various medical provider data sets and the salacious Ashley Madison breach and it becomes clear there is no shortage of our information available to the targeteers of the foreign intelligence services. You do NOT get to decide if you will be targeted, you do however, have control over how you react to an approach.
Your responsibilities include understanding how individuals may use the various pieces of data public and private (compromised data sets) to approach you. Fictional LinkedIn profiles can be used to appeal to your professional interests. Facebook and Google+ groups and communities can be stepping stones to personal virtual relationships. As President Reagan is often quoted, “Trust, but verify.”