Could Your Organization (or You) Be a Target of Foreign Spies?
This article is featured in the magazine, Preventing a Cyberattack: A Guide to Cyber Readiness. Download it now.
By Angela Hill, Contributor, In Public Safety
Organizations take great precautions to be ready for cyberattacks, but it can be extremely difficult to prepare for the loss of data or information from a foreign intelligence service’s human intelligence collection effort, otherwise known as HUMINT targeting.
HUMINT is intelligence gathered by means of interpersonal contact, when information is collected and provided by human sources. Foreign adversaries use HUMINT to collect various types of information, which, when aggregated, can turn into actionable intelligence.
People can be highly susceptible to social engineering, which is the use of deception to manipulate individuals to divulge confidential or personal information. Because people can be manipulated, many foreign adversaries turn to HUMINT collection tactics to gain access to an organization’s networks and steal proprietary intellectual property and data.
HUMINT Collection Tactics
Knowing what HUMINT is and how information can be collected helps business leaders understand why an organization, or they themselves, may become a target of HUMINT collectors. HUMINT collection tactics include:
- clandestine acquisition of photography, documents, and other material.
- overt collection by personnel in diplomatic and consular posts.
- debriefing of foreign nationals and U.S. citizens who travel abroad.
- official contacts with foreign governments.
Understanding this clandestine activity enables leaders to better safeguard their enterprise data and enhance their security measures. There are several reasons why organizations or their employees are targeted by HUMINT collectors.
Information Is Intelligence
Unlike many hackers, who are after information that is overtly valuable like credit card data, HUMINT collectors are after data that may not represent an immediate payout. That doesn’t mean it’s not highly valuable. Businesses generate and collect information on clients, vendors, competitors, and industries that range from intellectual property to future business operations.
This information in its raw form may seem inconsequential. But when it’s aggregated and processed, it may be extremely valuable to external parties and foreign entities who are attempting to understand specific industry operations or strategies.
Do you work for or with an industry that is considered critical infrastructure? If so, your company’s data is likely to be of great interest to a foreign entity. Organizations in specific industries may be targeted by foreign adversaries in an effort to collect data about how that industry works.
YOU May Be the Target
As a HUMINT expert, I worked overt and covert operations in which our primary objective was to recruit new informants and collect information via various sources. I always looked for ways to gain access to targets of interest through other people. I would look at organizations and its employees and ask myself, “Who do they know that could give me direct access to the information I want?”
To protect against the actions of foreign HUMINT collectors, it’s important for leaders to ask themselves some important questions:
- Are there high-value leaders in your network to whom you have access (e.g., CEOs, CFOs, IT directors)?
- Do you have clients, vendors, or connections with access to data that may be valuable to someone else?
- Do you have access to business data that, if it were aggregated by a HUMINT collector, would be considered important?
If you answered yes to any of these questions, you may be the target of a HUMINT collector looking for an access point to desired information.
Leaders can protect the business against HUMINT tactics by educating employees about social engineering. For example, HUMINT collectors may try to solicit someone with money in exchange for data or information. They may befriend someone unexpectedly and then try to learn as much as possible about that person’s business, its operations, or the industry overall.
The Insider Threat Exists
At this very moment, foreign entities are conducting HUMINT operations within organizations across the country. Although it can be difficult to detect a spy, it is important for business leaders to realize that foreign agents embed personnel within businesses in order to extract information or data. These personnel are used to support cyberattacks and breaches. According to a 2017 CNN report, nearly 100,000 agents from as many as 80 nations were working covertly within the United States. Could they be inside your organization?
Ways to Improve Security Measures
Ramping up physical security and implementing virtual security are crucial steps in protecting an organization’s data and preventing HUMINT collection. Here are a few security measures that organizations can implement to protect themselves from infiltration or HUMINT collection efforts:
- Don’t allow clients to walk through or have access to sensitive areas of buildings or property.
- Require employees to lock their workstations when away from their desks.
- Enforce the use of security badges for entry to all physical access points within your facilities.
- Do not allow employees to “piggyback” through access points—everyone must swipe their badge every time.
- Install video surveillance systems at access points, especially in sensitive areas.
- Require background checks on all employees.
- Require vendors and partners to have similar vetting and background checks on any of their employees who will have access to the organization’s networks or facilities.
- Establish a vetting process for all new technologies coming into your facilities.
Businesses Have a Responsibility to Clients and National Security
Employees have an inherent responsibility to protect the privacy of their company’s data for business reasons, but also for national security reasons. HUMINT collection is often used in conjunction with cyberattacks and security breaches, so it is a threat that cannot be ignored. Every business leader must take into consideration the value of their data, why foreign adversaries want it, and whether your industry could be targeted for HUMINT collection.
About the Author: Angela Hill is a veteran of the U.S. Navy and was an intelligence contractor for special operations supporting operations throughout the Middle East, Africa, and Latin America. She now resides in Michigan, where she serves as Security Practice Manager for NuWave Technology Partners. Angela writes about technology optimization and national security risks and is a contributor for American Military University’s online publication, In Cyber Defense. To contact the author, please email IPSauthor@apus.edu. For more articles featuring insight from industry experts, subscribe to In Public Safety’s bi-monthly newsletter.