With technology improvements, time, and the shrinking of borders in this well-connected global economy, we should consider the question: “what would an adversary with limited resources be able to exploit in our computers?”
This is an important question to ask as cyber-attacks increase in frequency and severity. Now an adversary on foreign lands can easily gather military or dual use technical information governed by the International Traffic in Arms Regulation (ITAR) and commercial information covered in the Export Administration Regulations (EAR) without ever meeting a U.S. citizen.
Export Training May be Lacking
This cyber-attack activity should not be surprising to the well-educated security cleared employee. What may be surprising is the protected sensitive information’s vulnerability on well-connected information systems. For example, Facility Security Officers, (FSOs), those working in corporate law, and export compliance officers provide regular reminders and conduct training on requirements to protect sensitive information. However, there may be a disconnect between training and application. The immediate “go to” measure is to protect the organization’s enterprise network of computers from cyber threats and to remind employees that exports are not authorized without a license or exemption.
The U.S. Government encourages companies to pursue business with foreign enterprises and these opportunities are provide through requested licenses. However, exports are occurring where licenses may not exist. According to ITAR, an export is defined as:
- Sending or taking hardware out of the U.S. or transferring to a foreign person in the U.S.
- Disclosing (oral, email, written, video, or other visual disclosure) or transferring technical data to a foreign person whether in the U.S. or abroad.
- Providing a service to, or for the benefit of a foreign person, whether in the U.S. or abroad.
Definition two provides the most risk to our technical information if we consider that disclosure can be voluntary or unwitting. For example, if the movement of non-U.S. persons visiting a facility is not controlled, they may be able to exploit export controlled information appearing on a computer screen, overhead projection, left on a printer, and etc. Additionally, cyber-threat examples abound, such as hacking into enterprise networks and exfiltrating sensitive information.
Re-thinking an Export: the Evolution
In 2012, John Reece Roth, a plasma physicist, was sentenced to prison for export violations. The charges included taking a laptop containing sensitive plans with him on a lecture tour in China. Despite warning not to do so, he brought his computer and sensitive information to China where that information was vulnerable to exploitation.
The above story provides good reference points for security safeguards while travelling abroad. Recommended practices include getting approval for all presentations to non U.S. persons, getting licenses for technical data expected to be released during the presentation, and bringing a “clean” computer that only stores information permitted for presentation.
Changing the Export Paradigm
Whether or not we are in the U.S. or visiting overseas, we should be concerned with an adversary’s ability to conduct cyber-attacks anywhere and at any time. Whenever an employee travels abroad, they may find themselves liberated from their computer at the host country’s customs. They should also expect to have the hard drive duplicated, files read, etc. These are the contingencies for which astute security specialists plan.
While an information system is employed at a defense contractor facility, sensitive information should be protected by firewalls, software, network defense, and other countermeasures to prevent cyber-intrusion. However, once the information system is removed, so is the cyber-security protection afforded by the facility.
A common practice is for employees to bring their laptops on business trips, vacation, to night school, and other locations. Our sense of security of being within the U.S. borders provides an added vulnerability to that sensitive information.
What could go wrong?
Consider that an employee may be providing a presentation in another country. The contractor facility may provide the employee with a computer storing only the authorized material. Everything is done properly to ensure the employee and information are protected from unauthorized information disclosure.
In our example the laptop is removed from the facility for authorized work. However, since the laptop will be used within United States borders, the employee is permitted to take his working laptop, with all the unclassified technical information he has been working on for the past few years. Since the employees business is within the U.S., and will not be “releasing” the information to non-U.S. persons, there is no problem; or is there?
The employee will connect to the internet at the airport, university, or other public wi-fi or other provider of the needed internet connection. Without the proper protections (which usually don’t travel with the employee) the information is almost as vulnerable as if the laptop were provided for international travel.
What can be done to protect u.s. secrets?
The best place to begin change is by facing the facts; global connectivity makes our sensitive information vulnerable to exploitation. Even more eye opening is that an adversary with limited resources is better equipped through this connectivity to target and acquire information they seek. Defense contractors should assume the task of making targeted information very difficult to get.
Policies that allow for the removal of information systems should consider how sensitive information is vulnerable both within and outside of the facility. Construct the behavior that recognizes and prevents unauthorized disclosure of economic, classified or sensitive information. Policies should consider any removal of information from the security of the enterprise network as vulnerable to export violation through cyber attacks.
Our well-connected global economy should remind us that our information is vulnerable to “export violations” even while resting in information systems physically residing at home. Defense contractors should rethink the definition of export to include weak cybersecurity practices of information removed from the protected facility networks.
