FBI: Enterprises need counterintelligence

The FBI is asking more companies to join its Counterintelligence Domain Program so that together, they can proactively fight against hacks and data theft

The Chinese government has denied involvement in a series of hacks carried out against IT systems at the Pentagon in June this week, but the threat of technology-driven espionage has forced the FBI to push businesses and academic institutions to better prepare for such attacks.

Little publicly-available evidence exists to prove that foreign governments have backed or planned to launch attempts to steal intellectual property from U.S. corporations and researchers, but officials with the FBI claim that the problem is real and that American organizations must begin policing their operations more aggressively today to prevent valuable data from being stolen tomorrow.

In October, the FBI's Counterintelligence Domain Program -- which aims to foster cooperation between the agency and private entities to help organizations identify and protect potential intelligence risks -- will mark its first year in existence.

The program is already making significant steps in helping to close the gap between businesses and law enforcement to defend intellectual property from being left vulnerable to potential theft, FBI officials maintain.

"In the past, we've always been reactive to this type of scenario and essentially showed up after the fact to bring resources to bear on this type of crime, but we want to be more proactive to help businesses and academic institutions protect themselves before an incident occurs," said Tom Mahlik, who serves as chief of the Domain program for the FBI.

"We've always responded aggressively to traditional espionage with investigation, such as with the theft of national secrets, but those cases really represent counterintelligence failures where the secrets are already in Beijing or Moscow and where valuable new technologies or intellectual property would already be gone," he said.

Counterintelligence efforts rank second on FBI Director Robert S. Mueller's current strategic agenda, sandwiched below counterterrorism work and above the fight against all forms of cyber-crime, according to Mahlik.

Thus far, the Domain project has materialized primarily in the form of relationships built between the leaders of the agency's 56 individual divisions and the leading corporate entities and research groups identified by those units as organizations that control data that criminals and governments could try to get their hands on.

For instance, companies handling sensitive government work -- such as defense contractors and large IT systems integrators -- have already joined in the effort, Mahlik said. The program will be expanded over time to pull more companies into the fold that are developing cutting-edge technologies and other products that are considered to give the U.S. a technological or business-related advantage.

Those relationships, and training seminars held by the FBI in the name of expanding Domain, are aimed at identifying any research, information, or technologies that might be targeted by U.S. adversaries -- and to establish an ongoing information exchange among the program's members to improve protections and reduce opportunities for theft.

As for the current state of involvement of foreign nation states, including large terrorist groups, in intellectual property theft, the FBI refuses to share specific examples or hard data, but Mahlik said there should be little doubt that the problem exists.

"The FBI is well aware of deliberate targeted attacks that were aimed at stealing sensitive data from organizations, including NASA, the Department of Defense, and individual defense contractors," said the FBI expert. "We're still trying to deduce the magnitude of the problem, and a lot of that has to do with what we've dealt with in terms of investigating any ex-filtration of data and where it has ended up."

Mahlik said that two of the most significant trends feeding the need for corporate counterintelligence are offshore outsourcing and the heavy flow of foreign engineering talent into U.S. corporations and research institutions.

While it remains hard to prove that foreigners are being trained specifically with the purpose of infiltrating U.S organizations to steal valuable data, he said that the concept is very real.

"This isn't about traditional spies anymore; the engineer, student, or business partner are the threat now, and these people are being given increased access to corporate secrets, intellectual property, and pre-patent research information at universities," Mahlik said. "These types of people are being actively used to ex-filtrate key pieces of information back to their homelands as there is always a race to establish a competitive advantage."

Data security in a global market

David Drab, principal for the Information & Content Security group at Xerox, said that companies are increasingly coming to the imaging giant looking for new ways to label sensitive information and track its flow among users in the workplace and throughout their supply chains.

Before joining Xerox, Drab served at the FBI for 27 years and observed, among other things, the flow of former KGB agents in former Soviet states into criminal organizations.

A good number of those intelligence experts were trained in the art of finding holders of sensitive corporate and national defense information and trying to liberate the data, he said, and many are likely employed in efforts to steal whatever plans they can sell to others for a profit today.

"This is why you have Wal-Mart hiring former government intelligence officers. It's not about spying so much as it's about identifying business risk and what is occurring with competitors in the global environment," Drab said. "These companies are creating separate entities from traditional security or IT security to allow management to identify people internally who might have access to high-level information or might be targeted by competitors or foreign entities."

Drab points to the 2001 indictment of two Japanese-born individuals accused of stealing research on Alzheimer's disease from the Lerner Research Institute (LRI) in Cleveland as proof of the need for enterprise counterintelligence.

One of the accused researchers subsequently pled guilty to charges of misleading investigators looking into the situation, while another, who returned to Japan to work for a quasi-government agency working on Alzheimer's research, was unsuccessfully sought for extradition to the U.S. to face trial.

Among the tools developed by Xerox to help trace the use of paper documents, one of the hardest data formats to track, are gloss marks and infrared stamps used to create a trail of evidence as to who might have accessed, printed and walked off with sensitive data when copies of any stolen documents are recovered.

Large companies like financial services institutions have also begun speaking publicly about the problem of international cyber-theft, saying that they are already working to deal with the problem.

At the Usenix Security Symposium held in Boston in August, Jerry Brady, global head of IT security at New York-based financial giant Morgan Stanley, outlined the threat of foreign attack as a current business reality. He specifically cited emerging activity in the Far East as worrisome.

"Sometimes the threats are coming from the governments themselves in different parts of the world," said Brady. "The people who want to harm us drives a lot about how we think of security awareness. We do a lot of monitoring and threat intelligence to tell who our adversaries are today and who they will be tomorrow."

When asked if the government has done enough to help companies like Morgan Stanley deal with the issue, Brady said that the firm's relationship with law enforcement officials has improved over the last several years, specifically around intelligence gathering regarding new threats.

However, he said that companies cannot rely on the government alone to watch out for their interests overseas.

"It's popular to pin this issue on the government, but we in private industry need to play an even bigger role in addressing the problem," said Brady. "Every time we go into a new country we have to do a risk assessment, every country has its own IP protections and concepts and we know that; we know the countries where ex-KGB Soviet Bloc resources have ended up, and where we need to be even more vigilant."

Copyright © 2007 IDG Communications, Inc.