Counterintelligence and Security Countermeasures
Introduction
As more US contractor facilities are becoming involved with foreign entities, the Defense Security Service (DSS) has noticed many of these companies are reporting counterintelligence (CI)-related incidents involving foreign visitors and joint ventures and research. The CI concerns associated with foreign visitors and joint ventures and research could often be mitigated with some simple security countermeasures (SCMs). Based on recent experience, some of the best SCMs for dealing with foreign entities may include, but are not limited to, the following:
- Have a technology control plan (TCP)
- Have an employee knowledgeable of export control issues
- Conduct frequent computer security audits
- Write "English" into the contract
- Do not respond to requests for visas
Technology Control Plan
A technology control plan (TCP) stipulates how a company will control access to its export-controlled technology and outlines the specific information that has been authorized for release. It is a plan to protect classified and export-controlled information, control access by foreign visitors, and control access by employees who are foreign persons. A TCP is a security countermeasure that is frequently overlooked by companies eager to secure business in the international marketplace. A TCP may be required by the National Industrial Security Program Operating Manual (NISPOM) and the International Traffic in Arms Regulations (ITAR) under certain circumstances. The TCP shall contain procedures to control access and provide disclosure guidelines to all export-controlled information, and should be tailored to a company's operations and the specific threats identified. CI organizations can help identify specific threats.
Knowledge of Export Control Issues
Many small and mid-size companies, in their rush to do business with foreign entities, are frequently unaware of the Arms Export Control Act (AECA). The AECA is a federal law that governs the sale and export of defense articles and services. The Directorate of Defense Trade Controls (DDTC) implements the AECA through the International Traffic in Arms Regulation (ITAR). The ITAR regulates the exports of defense articles and related technical data by requiring contractors to obtain a license or other written export authorization. The possibility is very real that a US facility could export a defense-related article or service in violation of the ITAR and not even realize they committed an export violation. However, as the old saying goes, "ignorance of the law is no excuse." Export control concerns should be considered at the beginning of any foreign business negotiations. DDTC has an internet homepage (http://www.pmddtc.state.gov/) that includes the State Department's Country Embargo Reference Chart, the list of debarred parties under the AECA, the ITAR, and information on export license applications. A company's knowledge of export control issues could save them a great deal of time and money.
Frequent Computer Audits
Advanced technology is a common aspect of most US contractor facilities. As such, most Government or contractor employees have access to the internet. Even business dealings are more frequently being conducted with the assistance of the internet. Use of the internet is a potential vulnerability that could result in the loss of massive amounts of information in a short period of time. In addition, any company that has computer connectivity outside their facility, even with firewalls, is subject to hacking. A prudent SCM is to conduct daily, or at a minimum weekly, computer security audits. The purpose of the audits is to detect unauthorized intrusion attempts. However, detecting computer intrusions may be a waste of time if no effort is made to report the illegal activity and take remedial or corrective action. Unauthorized intrusion attempts should be handled in each facility in accordance with the written AIS security plan for the facility. At a minimum, this usually requires reporting the intrusion attempt to the Facility Security Officer, DSS Industrial Security Representative, DSS AIS Security Specialist, and possibly local FBI. If the intrusion attempt is determined to be a current or former employee, an adverse information report must be submitted to DSS at Operations Center - Columbus. If current or former employees make unauthorized intrusion attempts, those individuals should be considered for removal from access to the computer systems. In some cases, aggressive computer intrusion attempts may require the computer system be temporarily disconnected from connectivity outside the facility until a specific plan can be coordinated to deal with the unauthorized activity if it should continue to occur. Another prudent SCM is to have a policy requiring employees not to respond to any unknown requests over the internet and to report the contacts to their security office.
Write "English" into the Contract
The Defense Security Service has frequently seen joint ventures between foreign entities and US companies result in disagreements over communication or correspondence coming into and leaving the US facility. Many US companies often negotiate contracts with foreign entities and forget a simple SCM that could have saved the cost of an interpreter. Write "English" into the contract so all parties agree English will be the language for all correspondence coming into and leaving the facility. If a company does not write English into the contract, there may be no way to ensure export controlled, proprietary, or classified information is not leaving the US facility illegally without hiring an interpreter.
Do Not Respond to Visa Requests
Foreign citizens cannot legally enter United States territory "just because they feel like it." For most foreign citizens, entry into the US requires a visa. For many foreign scientists and engineers, who want to visit the US to conduct research, they must request a visa from a US sponsor. US citizens should be suspicious anytime a foreign entity requests their assistance to obtain a visa to enter the United States. If there is no clearly defined benefit to the US company or the US Government, do not respond to the request for a visa. By declining to sponsor an unwanted foreign visitor, you could be preventing a potential problem before it has an opportunity to develop.
Summary
One of the objectives of the DSS CI Office is to support industry's growing involvement in the international market place with threat information to provide for the application of rational and cost-effective security countermeasures. The security countermeasures mentioned above are some of the more commonly recommended for those facilities entering into business with a foreign entity. If your facility encounters any suspicious contacts, they should be reported to the Defense Security Service and the FBI.
Approved for Public Release #99- S -3416