UNCLASSIFIED//FOR OFFICIAL USE ONLY

Intelligence Threat Handbook
Security Information Series

The Interagency OPSEC Support Staff (IOSS) was created to support the National OPSEC Program by providing tailored training, assisting in program development, producing multimedia products, and presenting conferences for the defense, security, intelligence, research and development, acquisition, and public safety communities. Its mission is to help government organizations develop their own self-sufficient OPSEC programs in order to protect US programs and activities.

Our Vision is secure and effective operations for all National Security Mission activities.

Our Mission is to promote and maintain OPSEC principles worldwide by assisting our customers in establishing OPSEC programs, providing OPSEC training, and conducting OPSEC surveys.

Our Goal is to be recognized as the leader and preferred provider of value-added OPSEC products and services.

Purple Dragon

In the early days of the Vietnam War, the US lost an alarming number of pilots and aircraft. To reverse that trend, a team was assigned to analyze US military operations. The team, Purple Dragon, discovered that crucial planning information was being disclosed through routine patterns of behavior. Countermeasures were quickly initiated. Purple Dragon's analytic process, called OPerations SECurity, or OPSEC, was used by the military for the next 20 years. In 1988, President Reagan formalized its use throughout the government and created the IOSS to provide training and guidance to the national security community.

The Intelligence Threat Handbook was researched, written, and designed for IOSS by the Centre for Counterintelligence and Security Studies (cicentre.com).

Table of Contents

(U) Economic Espionage
(U) Insider Threat
(U) The Insider Threat
Developing a
(U) Outsider Threat
(U) Insider Threat
(U) Computers and the Internet
(U) History of Internet Security
(U) Threats to Network Security
(U) Website Content OPSEC
(U) Roots of Network Vulnerability
(U) Outsider Attack Techniques
(U) Insider Attack Techniques
(U) Countermeasures
(U) Intelligence Collection Disciplines
(U) Selected Supplemental Intelligence Service Information
(U) Russian Federation
(U) People's Republic of China
(U) Cuba
(U) The Economic
(U) Finding Information and Assistance
(U) Selected Readings
(U) Footnotes

(U) The purpose of this handbook is to provide unclassified threat reference information for Operations Security (OPSEC) personnel and managers. This handbook explains the categories of intelligence threat, provides an overview of worldwide threats in each category, and identifies available additional resources for obtaining threat information and outside assistance. The information presented has been drawn entirely from open source reference material and therefore may be disseminated to the largest possible audience in order to increase the awareness of intelligence threats targeting US government and industry.

(U) OPSEC is a set of procedures and methodologies that provides a way for program, project, or facility managers to implement cost-effective measures to protect their programs and staff from exploitation by adversaries. The key to effective OPSEC is to determine both what critical information most needs to be protected and how a potential adversary would most likely attempt to exploit weaknesses to obtain that information. An organization's OPSEC officer must understand the range of threats that confront the organization.[1] Although many categories of threat may be considered, most OPSEC activities focus initially on the intelligence collection threat.

(U) While US
organizations and their staff are the targets of a large number of intelligence collectors worldwide, the specific collection methodologies deployed against US targets are limited. Moreover, intelligence methodologies tend to change only slowly and are intended to be used against many targets. The starting point for the OPSEC manager is to become familiar with the intelligence procedures and methodologies used by adversaries to determine how an intelligence attack on his facility would most likely be carried out. In the wake of the 11 September 2001 terrorist attack on the United States, attention to intelligence procedures and methodologies has become even more critical, because experience indicates that every successful terrorist attack has been preceded by at least one successful intelligence attack to gather information about the intended target.

This handbook will provide OPSEC officers with information on how intelligence collection programs target and collect against individuals and institutions of interest. To simplify study of the different ways in which US critical information is targeted by foreign collection programs, this handbook focuses on the collection mechanisms, strategies, and capabilities of the Russian Federation and the People's Republic of China. Although often targeting the same information, Russia and China approach their collection operations from very different intelligence perspectives.[2] This complicates the OPSEC process of determining threat, risk, and effective countermeasures.

(U) More details on specific intelligence organizations of other US intelligence adversaries are included in Appendix A. Information about available US Government resources is provided in Appendix B.

Nature of the Threat

(U) Intelligence threat, as it applies to OPSEC, is defined as the
intention and capability of any adversary to acquire and exploit critical information. The purpose of the acquisition is to gain a competitive edge or diminish the success of a particular US program, operation, or industrial activity.[3]

(U) Changing Nature of the Challenge

(U) While the end of the Cold War caused a dramatic drop in the military threat to US security interests, it also gave rise to a significant increase in the OPSEC threat. Although there has been an easing of political and military tensions since the collapse of Soviet-style communism, there has not been a corresponding reduction in the level of espionage and other activities threatening the United States. In fact, foreign intelligence activities have grown in diversity and complexity over the last several years. OPSEC must become more diverse in order to confront the evolving threat environment. That environment now also includes a large number of terrorist organizations.

(U) Changing Nature of the Intelligence Environment

(U) More Exchange Programs

(U) A natural byproduct of less antagonistic relations with former military adversaries has been an increase in exchange programs. Because of this, US facilities have been flooded with large numbers of foreign students, research scholars, and commercial delegations. Such exchanges in turn create increased opportunities for knowledgeable staff members of US facilities to travel overseas on reciprocal visits, far from US security and counterintelligence capabilities.

(U) Several other factors have combined to create significant changes in the overall environment. Now, in addition to individual-country threats, there are transnational groups, such as terrorists, organized criminals, and economic competitors, that engage in traditional intelligence collection activities. This has been made possible by the fall of the Soviet Union, an event which threw many professional intelligence officers out of work with little but their intelligence
skills to fall back on.

A KGB Intelligence Training Connection

(U) With the emergence of many newly independent states in Africa and Asia in the 1960s, the KGB founded the Foreign Intelligence Training Center in Moscow to provide special courses for the intelligence services of the new countries. This training was of a lesser quality than that provided to Soviet intelligence personnel or intelligence officers from former Bloc

(U) The fall of communism turned the training situation topsy-turvy. There now was very little demand for large-scale specialized training for former Soviet citizens and no such interest at all from the Bloc. Intelligence instructors became more available for third world students, and those nations in turn became more interested in the training, since it no longer came with a strong dose of communist indoctrination and potential Soviet political interference. The KGB Training Center quickly evolved into a commercial entity.

(U) One current Training Center intelligence professor put it this way to a former colleague:

"Now we are after money, not ideology. In 1991, of course, if a foreign entity like the Cali Cartel openly asked us to train their personnel, we would refuse. If, however, the Cartel was smart enough to use a cover, such as calling themselves personnel security officers from a Colombian or international bank, then we didn't mind training them. After all, in 1991 the government destroyed our jobs and threw us on the streets. We have to take care of ourselves. International crime is not our problem; for us, the name of the game is survival."[7]

(U) Russian intelligence professors are available on a pay-as-you-go basis to teach the following courses to all who are interested: international security threats; agent networks; recruitment strategy and tactics; agent handling; countersurveillance theory and practice; signals intelligence and eavesdropping operations; and counterintelligence strategy, tactics, and practices.[8]
(U) More Joint Ventures

(U) In the United States, many facilities formerly dependent on defense contracts have found themselves in search of continued sources of funding. They have commonly responded to this challenge by instituting commercial joint ventures with private concerns. This has increased opportunities for information to flow outward and created direct economic incentives for sharing as much information as possible. The realities of joint-venture economics open a de facto official umbrella for establishing and nurturing close relationships with those potential collectors of intelligence who also have a commercial dimension. In some cases, the same resources that were formerly dedicated to defense technical research and production are now designated for joint-venture technical commercial projects with entities representing former US military adversaries.

(U) The Internet

(U) The current information explosion via computers and the Internet has also changed the OPSEC environment. Computers are constantly growing faster and more powerful while becoming smaller. In the past, just locating a possible source of desired information was a considerable stumbling block in the path of US intelligence adversaries. With the rise of the Internet and vast increases in data-storage capabilities, this is no longer the case. Many American businesses, including the military, use computers to communicate and store most information. Most have their computers internally networked to facilitate better and faster communication (Intranet or LAN). They also have external access to the Internet and advertise their wares and capabilities on websites.

(U) While the Internet is a superb vehicle for advertising and informing the population at large, many businesses have not yet found the correct and often delicate balance for posting information on the Internet, thereby creating a virtual OPSEC nightmare. This E-business explosion and often unchecked posting of information on websites
has made it much easier for foreign countries, non entities, and even motivated individuals to locate and focus on specific targets and feast on the information given away so freely.

(U) For example, Russia's Center for Automated Data Exchanges, once subordinated to the KGB and now believed to play a central role in the computer intelligence collection activities of its successor agency, the SVR, is a client of several on-line databases, such as those provided by the Library of Congress, NEXIS, US National Technical Information Service, and the International Atomic Energy Agency, and has direct access to data networks in the US, Canada, France, Germany, and the United Kingdom. The Russians also have established accounts with multiple Internet service providers, such as America Online, CompuServe, and the European Union's EuNet.[9] Russia is only one country of many that have capabilities; there are at least 20 others considered critical countries on various US government lists at any given time.

(U) Collectors around the world in the Internet collection effort no longer have to leave their homes to gather information; they can access it from the comfort of their armchairs in seconds, rather than traveling for days and spending vast amounts of money to locate a source that may or may not have the morsel of information they seek.

(U) Espionage

(U) The Classical Method of Targeting the United States

(U) Russian Federation

(U) The Russian Federation has a significant intelligence capability inherited from the former Soviet Union. Much of this intelligence collection infrastructure continues to focus on collecting information concerning the United States. Russian intelligence operations against the United States have
increased in sophistication, scope, and number, and they are likely to remain at a high level for the foreseeable future.

(U) Russia has two main active intelligence services: the Russian Foreign Intelligence Service (SVR) and the Main Intelligence Directorate of the General Staff (GRU). Intelligence activities are overseen by the Russian National Security Council and coordinated through the Permanent Interbranch Commissions of the National Security Council.[12]

(U) In addition to the three foreign intelligence agencies, the Russian intelligence community also controls the Federal Customs Service and the newly organized Federal Security Service. The Federal Customs Service can provide the intelligence services with detailed information on the movement of goods and equipment in and out of Russia. Proprietary information, such as customer lists, is available in declarations made to the Federal Customs Service. After the dissolution of the Soviet Union, the KGB was broken up into eight different agencies; most are responsible for internal security matters. The Federal Security Service incorporates the functions of the Main Administration for the Protection of the Russian Federation and the Federal Counterintelligence Service. The combination of these functions has returned much of the internal security and counterintelligence functions formerly held by the KGB to a single agency.[13]

(U) The classic HUMINT collection process used by the former Soviet Union, its allies, and many intelligence services of the West shares a number of general features.

(U) First, the main consumers of intelligence are factories, research institutes, and government agencies. Second, their critical information needs are addressed through a centralized intelligence requirements list maintained collectively by the intelligence services. Third, when specialized intelligence is needed, a requirement is levied on the intelligence services, which sometimes
collect the desired information through covert operations. Because the consumers of intelligence do not know the source of the information they ultimately receive, one strength of this approach to intelligence collection is that it is relatively secure. Another is that the hands-on operational activity is accomplished by professional intelligence officers extensively trained for such work. One weakness of the classical approach is that, because it is difficult to deploy and maintain extremely large numbers of intelligence officers abroad, the collection process has a limited capacity. Another weakness is that the professional intelligence officers involved in the process may not always know enough technical detail about Russia's critical information needs to target the best information.

One of the most serious examples of an operation conducted by Russia is the case of Aldrich Ames, a Central Intelligence Agency (CIA) employee working in the Directorate of Operations. In April 1985, Ames had official business contacts with diplomats at the Soviet Embassy in DC and seized this opportunity to volunteer his services to the KGB. He provided extensive information on CIA operations targeting the former Soviet Union and later Russia. Ames compromised, by his own admission, "virtually all Soviet agents of the CIA and other American and foreign services known to me." In addition, he provided the former Soviet Union and Russia with a huge quantity of information on US foreign, defense, and security policies. He continued to work for the SVR after the breakup of the Soviet Union until his arrest in February 1994. Ames was paid at least $2.5 million.

(U) The Soviet or Soviet-trained approach to intelligence collection poses two main problems for OPSEC managers: determining the activities of the adversary's intelligence officers, and monitoring the activities of employees to see if they are in contact with the intelligence officers. Further, because of the professionalism of the intelligence officers, it may be extremely difficult for US counterintelligence authorities to identify them. Even if intelligence officers are successfully identified, it may be problematic to determine if their activities are intelligence-related or whether they have had contact with an employee.

Russian Intelligence Organizations

(U) SVR, the Russian Foreign Intelligence Service

(U) The SVR, the successor to the First Chief Directorate of the KGB, is responsible for collecting foreign intelligence. It was created when the KGB was dismantled in the aftermath of the 1 August 1991 coup against the Gorbachev government. The Chairman of the KGB, Vladimir Kryuchkov, and other senior officials were involved in the plot to overthrow Gorbachev. As a result of this attempted coup, the KGB was broken up. The internal security, counterintelligence, border guard, and protection service missions formerly assigned to the KGB were given to newly created organizations. The SVR concentrates on collecting political, economic, scientific, and technical information, as well as conducting covert action operations.[14] The majority of SVR case officers operate under diplomatic cover from Russian embassies and consulates.

(U) Although the number of SVR personnel has reportedly been reduced by 30 percent, the agency continues active collection operations. For example, after an operational hiatus following the collapse of the Soviet Union, the agency continued to operate FBI Special Agent Robert P. Hanssen as a penetration of the US Intelligence Community. Further, Russian President Vladimir Putin, who served for 16 years as a KGB foreign intelligence officer, has placed other former intelligence officers in key government posts and has carried out a vigorous domestic campaign to laud the exploits of Russia's intelligence services, both during the Soviet era and afterwards. The SVR may also continue to be involved in conducting propaganda and influencing operations abroad.[15]

(U) GRU, the Main Intelligence Directorate of the General Staff

(U)
The GRU and the Ministry of Defense supported Gorbachev against the August 1991 coup, and unlike the KGB, the GRU survived the aftermath of the coup largely intact. The GRU is responsible for providing strategic, operational, and tactical intelligence to the Russian armed forces. Principal missions include the collection of indications and warning intelligence, data on advanced military technologies, and specific information on the intentions and military capabilities of potential adversaries. Collection techniques include gathering open source information, acquiring overt and clandestine HUMINT, conducting satellite and aircraft imagery reconnaissance, and collecting signals intelligence from various platforms (ships, aircraft, satellites, and ground stations).[16] The GRU also is interested in exploiting opportunities to penetrate US intelligence, and at one point early in his espionage career, renegade FBI Special Agent Robert P. Hanssen worked as an agent of the GRU, in the process providing his Soviet military handlers the identity of one of the most valuable US agents, who eventually was arrested and executed.

An instructive example of the changing environment now faced by OPSEC, and its need to field a diverse defense, is evidenced in the series of events that led to the discovery of a microphone planted in a conference room of the State Department.

(U) In December 1999, Stanislav Borisovich Gusev, a Russian diplomat, was apprehended by US agents as he positioned a Russian embassy car in a parking space to monitor a listening device that had been planted on the building's seventh floor, which houses State Department's executive suite. According to reports, Gusev first came to the notice of U.S. counterintelligence and security officials months earlier, when an FBI surveillance team involved in another case noticed him repeatedly parking and re-parking his vehicle in different locations close to State Department's main building. Since the car bore the distinctive tags issued to foreign legations by State Department's Office of Foreign Missions, the FBI personnel knew at a glance that its occupant who would usual gayg lsvamm I and sit quietly on a nearby park hours - wees-arsenal the Russian Embassy

(U) Subsequent observation of Gusev's suspicious routine raised the possibility that his vehicle, which he kept within sight of the park bench, might contain audio monitoring equipment. A systematic search of the building with sophisticated counter-audio equipment was undertaken, and this eventually located a battery-powered transmitter concealed within a section of chair rail in an executive-level conference room. The room was on the same corridor as the Secretary of State's conference area and was usually left unlocked.

(U) Investigation determined that access to the conference room might have been available to Russian diplomats, since closer diplomatic relations with Russia had some time earlier led the State Department to issue Russian diplomats "no escort required" badges to wear during visits to the building. Stanislav Borisovich Gusev was quickly expelled from the US for his espionage activities.

It is worth noting that this audacious intelligence attack was made possible by the combination of technology (battery and radio design advances allowed for the construction of a very small, very powerful device) and geopolitical changes that caused State Department policymakers to make a gesture of trust to Russian diplomats by granting them unescorted access. Nonetheless, it was still necessary for an intelligence officer to get physically close to the building to turn the implanted microphone on and record its transmissions.

(U//FOUO) On the other hand, discovery of the attack was also made possible by a combination of factors. For one thing, State Department is obviously a high-profile terrorism target, and frequent parking and re-parking of a vehicle on its perimeter was bound to draw the attention of security personnel. In addition, the distinctive diplomatic tags of the car immediately identified it as of potential counterintelligence interest. The tags were a requirement of the Office of Foreign Missions, created in the early 1980s to impose on foreign officials the same sort of treatment, including distinctive vehicle tags, that U.S. officials encountered overseas. Further, the FBI surveillance officers were at the site to investigate another matter and noticed the suspicious activity by chance. Although no single element of State Department's defenses was specifically designed to stop Gusev's intelligence activities, the combination of defenses there for other purposes served to identify him and place him under scrutiny, leading to the neutralization of the penetration.

(U) Specialized GRU technical collection activities that directly threaten US interests are those under the First Deputy Chief and the Space Intelligence Directorate. The Space Intelligence Directorate, in coordination with the Fleet Intelligence Direction of the Fifth Directorate, manages the Russian space reconnaissance program. The Fleet Intelligence Direction is responsible for space systems that provide intelligence supporting naval forces. The Space Intelligence Directorate is responsible for the development, manufacture, launch, and operation of Russian space-based reconnaissance systems. It operates its own cosmodromes, several research institutes, supporting mission ground centers, and a centralized computer processing facility.[17] The Sixth Directorate uses more than 20 different types of aircraft, a fleet of 60 collection vessels, satellites, and ground stations to collect signals intelligence.[18]

(U) GRU analytical activities are organized into geographical sections and a limited number of functional activities that cut across geographic areas. An example of functional orientation is the Ninth Directorate, which acquires and assesses scientific and technical data for the military design bureaus.[19] Of
particular interest to the OPSEC manager is the Institute of Information, which operates separately from the directorates. It is responsible for developing intelligence products based on the fusion of open source materials and classified information.[20]

(U) FSB, the Federal Security Service

(U) The FSB is one of the successors of the KGB and remains headquartered in several buildings in Moscow's Lubyanka Square and staffed by approximately 75,600 employees. Its responsibilities are similar to those of the FBI in the United States and include counterintelligence operations, investigation of organized crime, and counterterrorism. The FSB also works outside Russia in certain target areas in cooperation with other Russian intelligence services. The Federal Security Service has arrested some people on false pretexts for expressing views critical of the Government, and in particular for voicing criticism of the security services. The FSB has also targeted national security and environmental researchers. On some occasions, Russian citizens interested in military issues or military-industrial polluters have become a target of the FSB.

(U) Lt. Colonel Alexander Litvinenko, a former FSB officer granted political asylum in Britain, has described one recent Russian intelligence-service tactic:

(U) Once the FSB or owner targets a Russian émigré for recruitment, they approach them, usually at their place of residence, and make an irt to read an If he or she refuses, the intelligence officer then threatens the would-be recruit with legal prosecution in Russia, and if the person continues to refuse, the charges

(U) According to Litvinenko, extradition proceedings are then immediately launched. Litvinenko was himself convicted in absentia by a Moscow court in June 2002.[21]

The Expulsion of

In May 1985, an assistant air attaché at the Soviet Embassy in Washington, D.C., approached a high-ranking U.S. Air Force officer to spy for the Soviet Union. The Soviet representative, Colonel Vladimir Makarovich Ismaylov, was in actuality a GRU officer, and as such part of a military intelligence collection effort so aggressive that its officers sometimes knocked on the doors of US military personnel in the lsiha i rl ori pressed the Air Force officer for classified documents on the Strategic Defense Initiative, the Cruise Missile, stealth technology, and other sensitive subjects. The inducement for the officer to commit espionage was the most common one: money.

(U) As required by regulations, the US officer reported the contact with Ismaylov, and Air Force and FBI counterintelligence investigators thereupon initiated a double-agent operation, using the situation to study the techniques the GRU would employ to target U.S. ori ce information.

(U) After a number of increasingly clandestine meetings with the officer, the GRU accepted him as a recruited clandestine agent and decided to use impersonal agent communication techniques to handle messages to and from him in the future. Ismaylov explained that he wanted the officer to put the secret documents into a plastic trash bag and bury the bag at an agreed-upon drop site, where Ismaylov could retrieve it at his convenience. The GRU intelligence operative later provided the Air Force officer a schedule on which to make his drops. He was to signal it had been done by leaving an orange soda can near a certain stop sign as a flag for the Soviet. Ismaylov also provided a spy camera to make copies of documents that were too dangerous for the officer to smuggle out of his office.

(U) In mid-1986, counterintelligence officials decided to bring the case to a close in a way which would support the US policy of drawing down the large personnel infrastructure the Soviets had established in the US to facilitate clandestine operations. If FBI agents could catch him red-handed in an act of espionage, Ismaylov would be sent home, and the diplomatic slot he occupied also would be abolished. Late one evening in June of 1986, Colonel Ismaylov was detained by FBI agents classified documents left for him by the double agent. He was declared persona non grata and compelled to return to the Soviet Union.[39]

(U) Former FAPSI, the Federal Agency for Government Communications and Information

(U) The FAPSI, created in October 1991, was abolished in March 2003 by President Putin, who divided its functions between the FSB and the Ministry of Defense. Elements of what was FAPSI are responsible for both communications security for the Russian Federation and SIGINT operations against targeted foreign activities. It is also responsible for the development and maintenance of databases and communications systems to support Russian intelligence and law enforcement activities. FAPSI is chartered to lease government communications lines to private investors, to set up communications activities in the territory of other sovereign states, and to conduct foreign business activities. The access provided through such activities allows FAPSI to monitor communications systems and permits the purchase of advanced telecommunications technologies from foreign companies. The former Soviet Union and now Russia have been denied the opportunity to purchase advanced communications and information systems from the West. The Russians hope that the entrance of FAPSI into the commercial telecommunications market will end this isolation.[22]

(U) Even after the failure of the August 1991 attempted coup, the number of HUMINT operations conducted by the SVR and KGB targeting the United States and the West continues to rise. This is due to a number of factors. First, as a result of arms control treaties, joint business opportunities, and cultural and economic exchanges, the Russian intelligence services have greater access to Western society, government, and industries. In addition, there has been a significant influx of Russian émigrés into the United States. The FBI estimates that more than 105,000 Russians immigrated to the United States in the late 1980s. The Russians, like many intelligence services, have traditionally used émigrés to gather intelligence. In fact, there has been a substantial influx of Russian students into the United States, and many of them are studying technical disciplines to improve Russian military and civil industries. Finally, travel restrictions on Russian diplomatic and consular personnel in the United States have been lifted, making it easier for them to collect information on US activities.

(U) Signals Intelligence

(U//FOUO) The GRU, elements of the former FAPSI, and the Cuban intelligence service jointly operate a SIGINT facility at Lourdes, Cuba, which is one of the most significant intelligence collection activities targeting the United States. This facility, less than 100 miles from Key West, Florida, is one of the largest and most sophisticated SIGINT collection facilities in the world. The Lourdes complex is manned by over 1,000 Russian personnel and is capable of monitoring a wide array of commercial and government communications throughout the southeastern United States and between the United States and Europe. Lourdes intercepts transmissions from microwave towers in the United States, communication satellite downlinks, and a wide range of shortwave and high-frequency radio transmissions. It also serves as a mission ground station and analytical facility supporting Russian SIGINT satellites. The facility at Lourdes and a sister facility located in Russia monitor all US military and civilian communications satellites. It is believed that the Lourdes facility monitors all White House communication activities, launch control communications and telemetry from the National Aeronautics and Space Administration (NASA) and Air Force facilities at Cape Canaveral, as well as
financial and commodity wire services and military communications links.[23] According to one source, Lourdes has a special collection and analysis facility responsible for targeting financial and political information. Specially selected personnel man this complex, and it appears to be highly successful in providing Russian leaders with political and economic intelligence.[24]

(U) The former Soviet Union also used a variety of other means to collect signals intelligence, and it is believed that Russia continues these activities in the United States. The locations of a number of Russian diplomatic facilities in the United States facilitate SIGINT access to sensitive information. Russian collection activities could derive sensitive government policy information by monitoring activities in the Washington, DC, area and sensitive financial and trade information by using Russian facilities located in New York, San Francisco, and Seattle. The fact that microwave towers and cellular communication repeaters are located near Russian diplomatic facilities in these cities increases the risk of collection activities.[25]

(U) There is little doubt of past collection of this sort. For example, vans from the former Soviet Mission to the United Nations (UN) were observed in the vicinity of the General Electric Americom satellite ground station in Vernon Valley, New Jersey. In addition, Soviet San Francisco consulate vans made unexplained trips to the vicinity of microwave towers in northern California. In both cases, the vans appeared to be conducting SIGINT monitoring of these facilities.

(U) In February 2001, FBI Special Agent Robert P. Hanssen was arrested by the FBI after filling an intelligence drop site with classified documents intended for the SVR. As details of the case became known, both the public and government officials were shocked by the extent of damage to the national security caused by this apparently exemplary man with a large family and
devout religious beliefs. In the late 1970s, Hanssen, beset with credit card debt from his young and growing family living in an expensive suburb of New York City and innately curious about what it would be like to be a spy, used his position on an FBI counterintelligence squad to develop a way to safely contact Soviet military intelligence, the GRU. Hanssen passed information to a local officer several times, including the identity of a Soviet Army general cooperating with the West, in return for a total of about $30,000. After his wife became suspicious of his activities, Hanssen broke off contact with the Soviets. Paying something each month, he began to donate most of the money he had received from the GRU to charity. The Soviet general Hanssen had compromised eventually was arrested and executed.

(U) In late 1985, Robert Hanssen was on the verge of leaving a job at FBI Headquarters in which he supervised a group of [...] studying Soviet intelligence techniques. In that position he had also acquired a reputation as someone who could understand and suc[...] explain the technical aspects of intelligence projects undertaken by agencies such as NSA and CIA, and so he frequently was called upon to be the FBI's representative at interagency meetings and briefings about sensitive projects. Again Hanssen was deeply in debt, this time because of continuing family expenses and a high-rate mortgage with an impending balloon payment, and again he was fascina[...] expert insider knowledge of both Soviet intelligence practices and the FBI's counterintelligence strategies, Robert Hanssen again contacted the Soviets, this time the KGB, and asked for money in exchange for information. Until the breakup of the Soviet Union, Hanssen provided the Soviets with a steady stream of information about not only US counterintelligence operations and techniques but also the intelligence-gathering projects of other intelligence agencies whose briefings he had attended on behalf of the FBI. He even
compromised part of the plan the United States had developed to safeguard the President and other senior government officials in the event of a surprise attack by another country. After the fall of communism, Hanssen broke off communications with the KGB for security reasons. In 1999, however, Hanssen contacted the SVR, one of the Russian successor agencies to the KGB, and resumed passing intelligence, this time because of college expenses for his children and the desire to remodel his kitchen.

(U) In late 2000, US [...], which had sustained losses that could only be explained by a traitor from high up within its own ranks, succeeded in obtaining from a source deep inside Russian intelligence the file the KGB had kept on Hanssen. Although the KGB apparently did not know his identity, there was sufficient detail in the file materials to lead investigators to Hanssen. [...] Hanssen was spared the death penalty, and his wife allowed to collect the survivor's benefit on his government pension, which normally would be forfeit because of his espionage crimes. Although he has apologized publicly for his crimes, Robert Hanssen's betrayal compromised a wide array of US intelligence capabilities and directly led to the arrest and execution of a number of agents the United States was operating inside the Soviet Union. In May 2002, Hanssen was sentenced to life in prison without chance of parole.

(U) From an OPSEC perspective, the Hanssen case is one of the best examples of the damage that a trusted insider can do once he has decided to betray his employer. Because no organization can defend itself against all possible threats and still continue to function, it was no problem for Hanssen to defeat the FBI's defenses against the Soviets, for the simple reason that he was one of the individuals entrusted with designing and studying those very defenses. In addition to that specialized counterintelligence information, Robert Hanssen also had access to foreign intelligence information about technical collection programs, US intelligence policies, etc. So Hanssen not only had the means to defeat the defenses but also access to information of extreme intelligence value. While Robert Hanssen went to great pains to try to [...] his identity from his intelligence handlers, over time he left behind a series of clues sufficient to identify him as a spy. When he was finally identified, it was because of information provided by another trusted insider, one on the other side.

The Russians have probably continued the Soviet practice of using covert mobile collection platforms not assigned to their diplomatic facilities. During the Cold War, for example, the Russians frequently used tractor trailers and other vehicles with concealed SIGINT collection equipment to gather intelligence in Western Europe. The Soviets allegedly used clandestine collection vans located in Mexico to monitor activities at White Sands Missile Range in New Mexico and Vandenberg Air Force Base in California. Vans operating from Tijuana, Mexico, were reportedly able to monitor all of southern California and western Arizona. There have also been reports that Russian Aeroflot aircraft and clandestine collection vehicles collected SIGINT data inside the continental United States.

The Russians continue to use satellites for collecting SIGINT. The first Soviet SIGINT satellite was the Cosmos 189 ELINT satellite, launched in 1967. Over the next 24 years, the Soviets placed over 200 SIGINT satellites into orbit, and the Russians continue to maintain a robust presence in space. During 1994, the Russians conducted 48 spacecraft launches. Fifty percent were military missions, including advanced imagery systems, ocean reconnaissance, and electronic intelligence collection. In 1995, the Russian space program included another 48 space launches; again, approximately half were military missions.[28]

(U) Open-Source Intelligence

(U) The Russian Institute of Automated Systems at Moscow State University hosts the National Center for Automated Data Exchanges (NCADE) with foreign computer networks and data banks. NCADE was subordinate to the KGB and is now believed to play a central role in computer intelligence collection activities. NCADE has direct access to data networks in the United States, Canada, France, Germany, and the United Kingdom, and it is a client of several online databases. These databases include the US Library of Congress, the [...] data service, the United States National Technical Information Service, the British Library, and the International Atomic Energy Agency. The Russians have also established accounts with multiple Internet service providers such as America Online, COMPUSERVE, TYMNET, and the European Union's EuNet.[29]

Russian Intelligence Collection Trends

(U) Russia is likely to continue aggressive use of its intelligence services to gain information concerning the United States, with increased emphasis on obtaining commercial or dual-use technology. Defectors and former intelligence officers from the former Soviet and Russian intelligence services predict that industrial espionage activities will escalate in the years ahead. Russia requires advanced technology to bolster its economy and foster increased technological progress. Defectors have stated that the SVR will target the increasing number of US and Russian joint business ventures in an effort to obtain, legally or illegally, desirable Western technologies. In many cases, the Russians cannot pay for the items needed to improve economic growth, so they are willing to steal or obtain them through other illegitimate means. Additionally, the Russians must still contend with restrictions on certain technologies that they desire. Even though the opportunity to collect HUMINT expanded as a result of the relaxation of US security standards focused on Russia, the reduction in the number
of SVR intelligence officers, the closing of diplomatic facilities throughout the world, and loss of access to former Warsaw Pact intelligence services will lead to an overall reduction in intelligence acquired through HUMINT. HUMINT may be more carefully targeted to gain information not readily available through technical intelligence collection or through open source exploitation.[31] The Russians have always relied on open-source information and will continue to analyze public data and compare it with intelligence derived through classified sources. The Soviets previously used a variety of research and political institutes for the analysis of open source data. The Russians retained a majority of these institutes. They are probably performing the same roles as they did under the Soviet Union.[32]

(U) People's Republic of China

(U) The People's Republic of China (PRC) practices a different approach to intelligence collection compared to US or Russian philosophies in this area.[33] The United States is a primary intelligence target of China because of the US role as a global superpower; its substantial military, political, and economic presence in the Pacific Rim and Asia; its role as a developer of advanced technology that China requires for economic growth; and the large number of Americans of Chinese ancestry, who are considered prime intelligence targets by the PRC. With seven diplomatic establishments and an estimated 2,750 commercial offices, the PRC has established a large physical presence in the United States. Official and private exchange programs have raised the number of current and former PRC students in the United States to over 100,000. In addition, more than 27,000 PRC delegations visit the United States each year. Legal immigration is limited to 20,000 China-born
individuals per year, but estimates of illegal entry by Chinese nationals run to many times that figure. The overall PRC presence in the United States is of intelligence significance because a large portion of the collection efforts against common targets like technology is conducted directly by PRC students, delegations, and commercial enterprises.[35]

China's Collection

(U) Although the PRC has a large professional intelligence apparatus, one of the hallmarks of its distinctive approach to intelligence collection is that many intelligence operations, especially those directed at science and technology targets, are not directed and controlled by the PRC intelligence services. As a rule, it is the consumers of intelligence, such as institutes or factories, that concoct and implement collection schemes, even when clandestine activity is required. These consumers of intelligence are able to carry out these strategies because of the large numbers of PRC students and visiting delegations coming to the United States and the large numbers of knowledgeable US visitors going to China in reciprocal visits.[36]

(U) In some instances, a delegation will visit a PRC consulate in the United States and identify the company that produces the technology or information the delegation is interested in. Intelligence officials will give the delegation members the names of company employees with whom the officials have established ties, and the delegation will appeal to them for covert assistance in obtaining a restricted item. If successful, the delegation may ask the consulate to use the diplomatic pouch to mail it back to China.

(U) Another important dimension is that when delegations and students or researchers have contact with US laboratories or advanced research facilities, they as a rule do not attempt to steal or covertly acquire restricted information; they simply identify what they need and invite knowledgeable individuals to make reciprocal visits to the PRC. While there,
the Chinese hosts will attempt to persuade the American guests to make unauthorized disclosures. The PRC students or delegation members thus become vectors not for theft of information but for convincing US experts that they should give the technical [...] away.[38]

(U) Because the consumers of critical information in the PRC in many instances know the identity of the US source who provided it, one weakness of China's approach to collection is that it is relatively insecure. Another vulnerability is that, since the effort is dispersed among many collectors instead of channeled exclusively through the intelligence services, the methods used to obtain information can be extremely unsophisticated and inefficient. The main [...] of the PRC approach to collection are that the number of potential intelligence collectors is virtually limitless and the individuals who do the collecting know exactly what critical US information will best suit their intelligence needs.[39] It is a system that is inefficient but not ineffective.

(U) For the OPSEC manager, China's approach poses the same basic questions as the Russian approach: which foreign nationals are attempting to collect restricted information, and which employees are being targeted in the process? In the case of PRC intelligence activities, however, the problem is identifying suspects from among the people who are not intelligence officers, including tens of thousands of PRC nationals who enter the US as students or visitors. The OPSEC task is further complicated by the fact that China's cottage industry intelligence collection is normally accomplished as an adjunct to normal approved contacts with the employees of a targeted company. Many Chinese intelligence operations thus try to piggyback on sanctioned relationships. This means that OPSEC
managers can face a much different problem when looking for intelligence situations involving China, because in China's approach to intelligence the question is whether a given individual has had contacts of an unauthorized extent or nature with an individual he or she has permission to deal with. This contrasts with the Soviet-style problem, where the question usually is whether the individual has had a contact of some sort with someone he or she does not have permission to deal with.

(U) The potential impact on OPSEC of this approach to intelligence collection was vividly demonstrated in the investigation of Los Alamos scientist Wen Ho Lee and its aftermath. From the prosecutor's point of view, Lee had simply stolen copies of highly classified nuclear weapons design and test data, perhaps with a view to providing them to scientists in the PRC with whom he had developed relationships much deeper than what he had reported to Los Alamos security officers. Lee's defenders argued that his contacts with counterparts in China were part of his normal official duties and his travel had been approved by Los Alamos administrators.

(U) PRC Collection Organizations

(U) China has seven intelligence services, but only three conduct the covert intelligence operations against the United States: the Ministry of State Security, the Military Intelligence Department, and the Liaison Office of the General Political Department of the People's Liberation Army. In addition to intelligence service collection operations, there is frequent direct intelligence collection by individual PRC institutes and factories acting on their own behalf and beyond the control of the intelligence services. Signals intelligence and computer support for the operational services and other intelligence collectors is available from the Technical Department, also known as the Third Department, of the People's Liberation Army.

(U) MSS, the Ministry of State Security

(U) The Ministry of State Security is the preeminent civilian
intelligence collection agency in China. It was formed in June 1983 by combining the espionage, counterintelligence, and security functions of the Ministry of Public Security (MPS) with the Investigation Department of the Chinese Communist Party, which had primary responsibility for acquisition of foreign intelligence. At the formation of the MSS, its MPS components were predominant. It continues to have a very strong and aggressive approach to counterintelligence, in particular regarding the suspicious activities of foreigners in China.[41] The MSS is divided into a number of different bureaus. Some focus on regions (the North American Affairs Bureau), while others, such as the Counterespionage Bureau, are responsible for counterintelligence against all potential adversaries. Additionally, the Institute of Contemporary International Relations prepares all-source studies for the PRC leadership.

(U) Most MSS officers in China are stationed at field offices in metropolitan areas. These offices are in many senses independent and do not appear to be closely supervised by MSS Headquarters in Beijing. This may account for the fact that some MSS offices, such as its Shanghai Bureau, are notably more aggressive against US targets than other MSS offices. The Guangzhou and Beijing MSS field offices also target Americans more aggressively than other MSS components.[43]

(U) As might be expected, MSS officers may occupy cover positions in virtually any PRC ministry, trading corporation, or private enterprise within China. They also use undercover slots abroad as diplomats, officials, businessmen, and students. In addition, it is very easy for MSS officers to join almost any PRC delegation traveling abroad, either for operational activity or for general familiarization purposes. Although there are specific MSS components charged with running
technology-collection operations and there are standing intelligence requirements for such collection, the MSS does not appear to be notably active in organizing covert operations to collect US technology. Senior FBI officials have stated that the PRC intelligence services have made extensive intelligence use, most often for cover, of the thousands of commercial offices that China has opened in the United States.

(U//FOUO) The primary operational focus of the MSS is Taiwan work, namely conducting intelligence activities against Taiwan in every intelligence and covert political action arena. To accomplish its objectives, the MSS also is heavily involved in assessing, developing, and recruiting ethnic Chinese targets. This ethnic recruitment approach to solving intelligence challenges is so pronounced that the Chinese-American community, which is no more than one percent of the total US population, is the target of an estimated 98 percent of MSS agent recruitment efforts. This practice is in marked contrast to the strategy of other US intelligence adversaries, who as a rule focus only a fraction of their recruitment energies on members of ethnic communities. For example, while the Soviets also ran ethnic Russian agent recruitment operations, they were no more than about a quarter of their total HUMINT effort. There is no evidence that the PRC considers Chinese-Americans to be more vulnerable to approach than any other group; it is likely the PRC has adopted its distinctive ethnic targeting intelligence strategy because it is much more capable of mounting effective approaches against individuals of ethnic ancestry than those of any other background. Also, the selling point in a normal PRC recruitment operation is not an appeal to ethnicity per se, but to whatever obligation the targeted individual may have towards China, family members in China, old friends in China, etc. The crux of the approach is not to try to exploit a perceived vulnerability but to appeal to an individual's desire to help China out in some way. Whatever the reason, ethnic targeting to arouse feelings of obligation is the single most distinctive feature of PRC [...]

(U) One of the most serious PRC espionage cases to date was that of Larry Wu-tai Chin, who worked in various positions for the US Government for more than 35 years. Chin was recruited as a Chinese Communist Party member near the end of World War II, and his strong language skills earned him employment first at one of the US consulates in China and then as an interpreter assisting with interrogations of captured PRC soldiers during the Korean Conflict. Some of the most serious intelligence damage done by Chin stemmed from the military information he passed to the PRC during that assignment. After Korea, Chin joined the Foreign Broadcast Information Service, a component of the CIA, and eventually [...] at its headquarters in Washington, DC. From this post, Chin also passed a large volume of information on US policy regarding China and also some information on CIA operations he had access to. Chin, a frequent gambler at casinos, was motivated by money and was paid in excess of $300,000 for his services. He was run by a counterintelligence unit that later merged into the MSS. Chin provided his information on rolls of 35mm undeveloped film of documents that he smuggled out of his workplace overnight. His espionage activities were facilitated by frequent home leave travel to Hong Kong. After retirement, he attempted to continue gathering information on the activities of his former coworkers. Chin was arrested and convicted of espionage in 1985 and committed suicide in his jail cell in early 1986 while awaiting sentencing.

(U) The MSS operates under different intelligence concepts than the West, although some of its techniques are completely familiar. For example, in secret work, some MSS components are devoted to penetrating the intelligence services of
PRC adversaries and to running secret agents of various types. Other MSS activities, however, would not normally be conducted by a Western service. Strategic intelligence, for example, consists of culling information from sources such as People magazine, talking to pundits about prognostications, and then combining the two into a classified intelligence product for consumption by PRC leaders. The MSS considers it to be worthy of assigning intelligence resources to this product; in the West, this would be considered only news or news analysis.

(U) Another intelligence practice that differs from Soviet and Western concepts is the use of recruited agents. The Soviet and Western intelligence services recognize that recruiting agents can be difficult, time-consuming, and expensive. They will not attempt to recruit an agent until a specific intelligence target emerges, so as to realize the full benefit from the agent's services. The intelligence philosophy is to recruit agents before there is a specific need and to recruit as many as possible. Although this sort of approach consumes profligate amounts of time and effort, the PRC has the manpower resources to pursue this strategy. Moreover, when using recruited agents, the MSS prefers to gather a small amount of intelligence from many agents rather than concentrating on collecting as much as possible from just one. The entire process is sometimes referred to as actuarial intelligence because its basis is not unlike the principles that insurance company actuaries apply to determine the profitability of insuring large groups of people. This means that successful MSS attempts to recruit a Chinese-American are not always followed up with intelligence activity. Even when intelligence activity occurs, it may be slight.[48]

(U) MID, the Military Intelligence Department

(U) The MID, often referred to as the Second Department, is
responsible for the collection and dissemination of the intelligence required to support the military command structure. The realm of activities includes tactical, strategic, and technical intelligence operations. The MID reports directly to the General Staff Department (GSD) of the People's Liberation Army (PLA). MID intelligence gathering focuses primarily on the acquisition of order of battle, military geography, military doctrine, intentions, military economics, biographical intelligence, nuclear targeting, and military intelligence watch centers. In addition to the collection of relevant military information, the MID pursues foreign technological information such as dual-use technologies. Taiwan is the main intelligence target, but the United States is the second con[...]

(U) The MID is organized into numerous divisions and bureaus. HUMINT activities are conducted along functional lines by two collection bureaus, four analytical bureaus, and one bureau dedicated to science and technology. Of significant interest are the Western Nations Analysis Bureau, which conducts open source intelligence collection; the Bureau of Science and Technology, which operates a number of technology-collecting enterprises; and the First Bureau, which is primarily engaged in the collection of military intelligence.[50]

(U) The Beijing Institute for International Studies (BIIS) and the PLA Institute for International Relations provide academic analysis and training in support of PRC military intelligence needs. The BIIS is not openly associated with the MID, despite the fact that almost all of the institute's faculty are current or former PLA officers. It is not officially associated with the intelligence community out of a fear that such an association would limit professional and academic contacts of the institute's members, hurting them both professionally and operationally. The PLA Institute for International Studies, formerly
known as the Nanjing International Relations Institute, is responsible for teaching MID personnel techniques and methodology used in intelligence operations.[51]

(U) The Liaison Office of the General Political Department

(U) The Liaison Office, General Political Department (GPD), which is a component of the PLA, used to concentrate on targeting senior Taiwan military figures. The Liaison Office is also targeting the United States in military intelligence areas, but very little information on this has come to public notice.[52]

(U) TD, the Technical Department

(U) The Third Department (TD), known as the Technical Department, is responsible for Chinese SIGINT operations. The TD has the world's third-largest SIGINT effort. The Third Department was founded in the 1950s with equipment supplied by the Soviet Union. The Third Department maintains the most extensive SIGINT capability in the Asian-Pacific region. There are no reported instances of signals intelligence collection in the United States or elsewhere in the West, but TD officials occasionally travel to the United States in search of new technical equipment.[53]

(U) The TD can also provide technical surveillance of targeted Americans in China during their communications home. In addition, TD code breakers apply sophisticated world-class technology to the task of breaking commercial code systems that travelers to China use to [...] the data on their laptop [...] considered safe practice [...] that computers left in hotel rooms in China are safe from compromise by China's intelligence collectors, no matter how much commercial [...] is used to safeguard [...]

PRC Intelligence Operations

(U) HUMINT Operations

(U) The MSS is the primary Chinese HUMINT collection organization for civilian and military intelligence, though the MID also engages in collection operations regarding order-of-battle data and technology with military applications. The MID collects technical information through visits to trade shows, military exchange programs, and through its
military attaché program. Both services collect overtly and covertly.[55]

The objective of Chinese intelligence operations targeting the US government and its industry is to collect technical and economic information with the dual purpose of making the Chinese military industrial base more sophisticated [...] more competitive. In recent years, the Chinese have been the subject of approximately half of the cases initiated by US law enforcement agencies concerning the illegal diversion of technology from the United States. The PRC also seeks information on US trade positions and intentions, dual-use technologies, and trade secrets. In addition, the Chinese seek information regarding US strategic interests in the South Pacific. While not particularly efficient in organization or practice, the Chinese have the ability to overwhelm US law enforcement and counterintelligence because of the sheer quantity of operations they undertake.[56]

(U) Chinese HUMINT operations primarily rely on [...] information from a large number [...]. To facilitate this collection strategy, the PRC relies on both recruitment and exploitation operations. The PRC attempts to recruit, or at least make friends with, as many Chinese-Americans as possible, apparently hoping that at least some will perceive an obligation to help China, perhaps on a confidential basis. Although their attempts to recruit agents only occasionally result in developing someone who will provide sensitive or classified information, the Chinese seem well satisfied with their strategy, perhaps because they attempt to develop confidential relationships with large numbers of people.

(U) The PRC also attempts to exploit knowledgeable individuals visiting China, regardless of ethnic origin. Intelligence is obtained through various elicitation techniques, primarily by maneuvering the
individual into a social or professional situation in which he can be embarrassed or cajoled into providing at least a little extra information. The actual elicitation in China is done by Chinese intelligence consumers themselves, although intelligence officers may have a role in manipulating a targeted individual into a situation where he is at a disadvantage. For example, it is not uncommon for the Chinese to arrange for a targeted visitor to go on an all-day sightseeing excursion, after which they will throw a cocktail party in his honor, toast him with potent Chinese liquor as much as possible, and then surround him with a small group of questioners asking about sensitive topics. Under the strain of fatigue, alcohol, and group pressure, some visitors have made indiscreet statements or unauthorized disclosures. Some ethnic Chinese targets may be exploited through elicitation in this manner while they are also being assessed for an eventual recruitment approach. It is probable that the intelligence product produced by China's exploitation operations is many times larger than that produced by recruited agents, though by its nature it is hit-or-miss.

(U//FOUO) The PRC intelligence services have also dispatched agents or staff officers to the United States to become long-term sleepers with absolutely no immediate intelligence function. They believe if large numbers of PRC nationals leave and settle permanently in the United States, some of them may some day find their way into positions of intelligence potential. When they are in position, these individuals will be approached on the basis of loyalty to their ancestral land, and some may be persuaded to cooperate, at least on a limited basis.[58] Again, this appears to be a symptom of China's actuarial approach to intelligence.

(U) Examples of PRC HUMINT Operations

(U) The Peter Lee Recruitment Case

(U) In 1997, physicist Peter Lee pled guilty to filing
false statements and to divulging classified information to PRC scientists. Lee, who grew up in China and Taiwan, immigrated to the US with his family, graduated from the California Institute of Technology with a [...] in Aeronautics, and became a naturalized citizen in 1975. From 1976 to 1984 he worked as a physicist in a program at Lawrence Livermore National Laboratories that specialized in the use of laser power to initiate nuclear reactions. In 1981 he began a correspondence with scientists in the PRC that by 1997 included over 600 letters or e-mail messages.⁵⁹

(U) In 1984 Lee moved to Los Alamos National Laboratory, where he worked on a laser program as a contract employee. In early 1985 Lee traveled to China with a group of scientists at the invitation of a Chinese visitor to his laboratory. Lee was supposed to act as a translator for the American delegation. Lee later recounted that a Chinese nuclear weapons scientist visited him in his hotel room and asked for his help, saying that China was a poor country. The Chinese scientist drew a diagram and asked questions about Lee's laser research. Lee discussed problems the United States was having in its nuclear weapons testing simulation program, later explaining that he decided to help because he wanted to bring China's scientific capabilities closer to those of the United States. The next day Lee was picked up at his hotel and driven to another hotel to meet a group of Chinese scientists. He answered their questions for two hours, drawing diagrams and providing specific mathematical and experimental results related to laser fusion research.

(U) Lee stayed at Los Alamos until 1991, when he went to the space and electronics group of TRW Inc. in Redondo Beach, California. At TRW he worked on a classified satellite radar imaging research program. Lee divulged information about the program, which had submarine-detection military applications, in a two-hour
lecture in Beijing in May 1997. He was questioned about his work's applications for antisubmarine warfare and showed the audience a surface ship wake image that he had brought with him from his lab. After a detailed discussion of the physics of his work, he tore the ship wake image to shreds after leaving the meeting. On his return to the US, he filed a false trip report to TRW security officers claiming that his trip to China had been for pleasure, not business.⁶¹

(U) Government officials originally planned to charge Lee with espionage, but this was made problematic since the information he had divulged in 1985 was subsequently declassified, and the US Navy was unwilling to disclose radar information needed to support an espionage prosecution in open court.⁶² At his sentencing hearing, Lee told the judge that he had been carried away by scientific enthusiasm. US and PRC scientists also circulated a petition decrying the prosecution as an infringement of scientific freedom. Over the strenuous objections of federal prosecutors, the judge declined to put Lee in prison and sentenced him to 12 months in a halfway house with three years probation and a fine of $20,000.⁶³

A PRC Intelligence Exploitation Attack On a Senior US Science Official Visiting China

In 1980 a senior scientist from Los Alamos National Laboratory traveled to a research institute in the PRC to talk about his specialty, nuclear fusion. Although he was knowledgeable about US nuclear weapons design information, he was determined to stick to his topic and not wander into loose talk about secret information. Nonetheless, the scientist found himself being peppered with increasingly detailed inquiries that related directly to nuclear weapons. Benign inquiries about fusion and astrophysics soon gave way to pointed requests for information about such highly classified matters as the ignition conditions of the hydrogen isotopes deuterium and tritium, and about the then-new neutron bomb.⁶⁴

(U//FOUO) The scientist did his
best to fend off the demands for specifics, but at a cocktail party thrown in his honor by his hosts he did compromise on his previous position by offering an analogy. What would happen, he mused to a group of questioners, if you rolled deuterium and tritium into a ball and then rolled the ball off the end of a table? Deuterium and tritium ignite at such low temperature levels, he told his listeners, that you could just about get ignition by dropping them on the floor. Although the scientist did not consider this particular piece of information to be critical to neutron bomb design, it may have launched his PRC counterparts along a new and more productive line of experimentation than what they had been working on.⁶⁵ His experience made a deep impression on the scientist, who even years later used this example many times to show younger colleagues how completely benign conversations could turn into uncomfortable situations in China. Given the intelligence strategy of trying to collect small amounts of intelligence from many individuals over a long period of time, it is likely that a number of knowledgeable US scientists had similar experiences but did not report them in as much detail.⁶⁶

(U) SIGINT

As mentioned earlier, the PRC has the third largest SIGINT effort in the world. The Technical Department provides the PRC with a wide range of SIGINT capabilities. They monitor signals from India, Japan, Russia, South Korea, Southeast Asia, and Taiwan. Signals [...] in the region [...] interest to these monitoring stations in addition to be developing a photoreconnaissance and communi[...] that this capability presents a significant [...] in the region. The [...]tion of Hong Kong offers the Chinese additional facilities in the region; it is likely that those will be used to monitor communications to and from Hong Kong. Additionally, this [...] Chinese [...] a series of
SIGINT collection vessels that monitor military operations and exercises [...] Pacific region.⁶⁷

(U//FOUO) The Third Department maintains several dozen ground stations throughout China. These stations actively monitor US, Indian, Japanese, Korean, and Russian communications in the region. The majority of these stations are located within several hundred miles of the borders or coast. In addition, the Chinese navy operates several vessels with SIGINT capabilities. Furthermore, the acquisition of Hong Kong provides the PRC with an additional listening station to monitor transmissions within Hong Kong. In addition to sites located within China's borders, the Third Department maintains several SIGINT facilities such as in Burma, Rocky Island in the Paracel Archipelago, and the Cocos Islands in the Andaman Sea. This gives China an extensive capability to conduct sophisticated operations throughout Southeast Asia.⁶⁸

(U) IMINT

The Chinese have a limited spaceborne photoreconnaissance capability that focuses on collecting imagery over the Russian border. They also use a variety of fixed-wing aircraft to collect photographic imagery. None of these systems presents a substantial intelligence collection threat to US forces in the region. US intelligence agencies believe that China will probably develop a mid-resolution imaging system in the future that will improve Chinese [...]

(U) PRC Intelligence [...] Trends

(U) The PRC spent more than two decades establishing a large and diverse intelligence infrastructure in the United States, but only relatively recently gained attention by drawing upon its intelligence capabilities. Recent investigations of PRC political influence operations directed at US legislators and of apparent PRC nuclear espionage operations targeting the US national laboratories are just the tip of the iceberg of an already-large and increasingly capable PRC intelligence effort.⁷⁰ While it is expected that China will improve its SIGINT
and IMINT capabilities, increasing the collection threat to the United States, the majority of intelligence will probably continue to come from HUMINT and open-source collection activities.⁷¹

(U) Economic Espionage

(U) Economic espionage has always been a factor in relations between competitor nations. For example, in 1811 American merchant Francis Cabot Lowell toured Scotland and England, ostensibly for reasons of health, and in the process either memorized or purloined enough information concerning British textile mills to return to Boston and build a copy of the Cartwright loom. That particular guarded device had revolutionized British textile production, and it subsequently helped Lowell build a complex of mills that propelled the US into its own industrial revolution.⁷²

(U) As the 21st century begins, the lines of espionage are becoming less and less clearly defined. Because nations are now linking their national security with economic security, the spy of today may not be after the composition of a new warhead, because that is no longer a lucrative market. He may instead be collecting the scientific and technological data that goes into making a computer chip for a high-tech automobile, or the formula of a new cancer drug. In the words of Bernard Esambert, President of France's Pasteur Institute, "Today's economic competition is global. The conquest of markets and technologies has replaced former territorial and colonial conquests. We are living in a state of world economic war, and this is not just a military metaphor; the companies are training the armies, and the unemployed are the casualties."

(U) Economic espionage often is not targeted at the crown
jewels of US technological supremacy. Instead, much of the sought-after information and technology is dated military-related or infrastructure-supportive material that is no longer classified but has both [...] and civilian applications. Although unclassified, information of interest usually is subject to control through government [...]

(U) Costs of Economic Espionage

(U) There has been a growing recognition of the cost of economic espionage. For example, in a 1999 American Society for Industrial Security survey of 1,000 US companies, there were reported losses of proprietary information. Loss of intellectual property totaled $45 billion. By 2001 this figure had risen to an estimated $59 billion. The average company responding reported 2.45 incidents, with the average loss per incident at over $500,000. Most of the incidents took place in high technology or service companies, with reported losses of property up sharply in 2001. Manufacturers reported fewer incidents, a total of 96, but suffered an average loss of nearly $50 million per incident.⁷⁵ According to a 1998 report to Congress on espionage, the actual figure may go as high as $300 [...] The US Chamber of Commerce estimates that losses today continue at roughly $2 billion a month.⁷⁷ Most US companies do not have effective mechanisms for safeguarding their proprietary information, nor do they have consistent and effective mechanisms for determining the value of such information.

(U) These figures look less abstract if one applies what is known as the economic loss model developed by the Pacific Northwest National Laboratory. This model, applied to a single FBI case of economic espionage, showed these results:
• (U) The foreign competitor captured the market
• (U) The US business lost $600 million in sales
• (U) 2,600 full-time jobs were lost
• (U) 9,5[...]2 jobs were lost to the US economy as a whole over 14 years
• (U) US trade balance was negatively impacted
by $714 million
• (U) Lost tax revenues amounted to $129 million⁷⁸

(U) Emerging [...]

(U) Although economic espionage has always been a part of the commercial landscape, it is only recently that it has been identified as a national problem at which US intelligence resources should be deployed. This policy shift has taken place because over the past 40 years the US has undergone a gradual paradigm shift concerning the general intelligence threat to the country. Prior to 1980, for example, the FBI defined the intelligence threat to the United States in terms of the presence of hostile intelligence services and their diplomatic establishments in the United States. A country was deemed to be hostile if it met certain classified national-security criteria.⁷⁹

(U) All this changed in 1981, however, when the French government provided US authorities information from a Soviet source code-named FAREWELL. In reality, FAREWELL was Vladimir Vetrov, a KGB intelligence officer with a senior analytical post in Directorate T, which was responsible for collecting strategic military and industrial technology from the West. Vetrov eventually provided the French with more than 3,000 documents defining Soviet operations, which were more successful and much larger in scope than anyone had suspected.⁸⁰ Vetrov's reporting provided important documentation of the following:
• (U) The State Committee on Science and Technology determined what information must be collected and developed tasking for Line X, the operational unit which carried out the bulk of the collection objectives. Line X, however, was not the only entity to receive tasking from this committee. The GRU, the Soviet Academy of Sciences, and the State Committee for External Relations were assigned this collection mission as well.⁸¹
• (U) It was not
intelligence operatives trained to act like scientists who carried out the collection objectives; rather, it was the task of actual scientists who had been trained as collectors to gather the information. This meant that actual scientists could evaluate and decide on the spot if the information they had access to bore any relevance to the collection objectives with which they were tasked, and also if the information was worth the collection effort.⁸²
• (U) The US foreign policy of engagement with the Soviet Union provided broad access for these collectors and opened many new avenues for exploitation, few of which escaped Soviet intelligence. Beginning in 1972, delegations of Soviet specialists arrived in the US in droves to visit companies and laboratories around the country.⁸³ Further, the Soviet Union was quickly acquiring information for about 1% the cost of what the West spent in developing it over many years.

(U) Vetrov's reporting later was confirmed and amplified by Vasili Mitrokhin, a former KGB officer who over more than a decade hand-copied and archived a wealth of information from Soviet files. According to Mitrokhin, during the mid-1970s the KGB made unprecedented use of the Soviet scientific community in intelligence operations. For example, the Directorate succeeded in developing approximately 90 agent-recruiters, 909 agents, and 350 trusted contacts among the ranks of Soviet scientists. Of these, 377 agents and 44 trusted contacts reported on Western high technology. The intelligence role of the Soviet scientists was to talent-spot Western scientists in areas of intelligence interest, approach them on a personal or institutional level for cooperation, and collect information from them.⁸⁵

(U) The intelligence treasure trove from FAREWELL was a factor in the 1985 shift in its view of the intelligence threat to the United States, away from intelligence service presence to a definition that focused on
activities directed by intelligence services against the U.S., regardless of where those activities occurred or what country initiated them.⁸⁶

(U) In the early 1990s the winding down of the Cold War caused the FBI to again reassess the overall intelligence threat to the US. This time the FBI developed a strategy that focused on the targets of intelligence activities, such as proprietary technology, data, and employees.⁸⁷ This shift took place at about the same time that the extensive direct involvement of France's intelligence services in economic espionage against the US became public knowledge.

(U) In October 1996 the Economic Espionage and Protection of Proprietary Economic Information Act was signed. The new law had two primary elements not previously covered by US law:
• (U) First, it allowed US national intelligence resources to be used on more foreign intelligence organization activities, and not only when they targeted classified government information and programs. In particular, the Economic Espionage Act allowed US agencies to investigate cases where a foreign intelligence service applying traditional methodologies mounted an intelligence attack against a US company to gather proprietary information to support the commercial interests of a foreign company.
• (U) Second, the law extended the definition of goods, wares, or merchandise protected by Federal anti-theft statutes to include the proprietary economic information of a company. This permitted Federal investigation and prosecution in the event that the information was used in interstate commerce.

The Outsider Threat

(U) Most organizations conceptualize the main threat to their operations security as coming from outside the organization. In the realm of economic espionage, the main outsider threats come from company-to-company attacks launched by economic competitors, attempts to purloin critical intelligence through duping unwitting employees of the organization, and even through the direct
involvement of foreign intelligence services in [...]

From Economic Competitors

(U) Competitor companies have been responsible for many instances of economic espionage against their US counterparts. A frequent scenario is one in which an employee leaves his company and goes to work for the competitor, taking proprietary information with him. The following is a representative sample of competitor company economic espionage against a variety of US technologies.

(U) Automotive Glass Manufacturing Process

(U) In late 1973 John Akfirat, a research engineer in the Glass Division of Ford Motor Company, was discovered to be in negotiation with a Portuguese automotive glass manufacturer in competition with Ford. Akfirat was to be paid $250,000 for delivering the proprietary information, and he would also be hired by the company at a good salary. Ford had licensed the revolutionary glassmaking process from its British inventor for $1.25 million and substantial royalties. The Portuguese competitor could have used the critical information to capture the European auto glass market from Ford, which calculated its potential loss at $2.79 million. Akfirat was convicted and received 60 days in jail and a $10,000 fine. Shortly after his release from jail in 1974, Akfirat got a job at another glass company, and he and his new boss began to travel frequently to Romania to talk with officials there about the proprietary glass manufacturing process. By 1978 he and his boss had exported specialized glass manufacturing equipment to Romania, in the process making false statements in the export documents required. In 1983 Akfirat was again arrested for ongoing fraud against Ford. He admitted to meeting with Romanian officials as part of a scheme for constructing a plant there which would use the process Akfirat had learned from Ford, and to providing the Romanians with computer hardware and software. This time Akfirat was convicted and sentenced to four months of community service, two years probation, and a $1,000 fine. His boss was not prosecuted, but the company did have to pay monetary damages both to Ford and the British company that invented the manufacturing process.⁸⁸

(U) Computer Chip Designs

(U) In 1979 PRC nationals opened a computer chip manufacturing plant in California named Chipex, Inc. Chipex supposedly was a joint venture with a Hong Kong firm, but in actuality the Hong Kong company was itself a subsidiary of a PRC electronics company. The ostensible purpose of the plant was to manufacture chips from designs provided by US companies, while at the same time training PRC nationals on how to use the manufacturing equipment. In reality, however, Chipex also was illegally copying its customers' proprietary designs and sending them to its parent corporation in China. US Customs Service and the Commerce Department raided Chipex in 1982 and shut it down. The subsequent investigation determined that the San Francisco Consulate provided support and guidance to Chipex's operations, and several PRC students were used in duplicating the proprietary US designs.⁸⁹

Microwave Tube Design Drawings

(U) In 1989 Ssangyong, a large South Korean conglomerate, purchased a US microwave technology company, Square Microtec Inc. Square was participating in a microwave technology joint venture with Litton Systems, which held US defense contracts. Litton soon discovered that Square had stolen some of its proprietary radar and microwave tube design drawings and passed them on to Ssangyong. Litton notified the FBI about the situation, but the intangible nature of its loss precluded criminal investigation. Litton Systems pursued the matter through civil litigation and in the process uncovered Ssangyong documents detailing its strategy to undercut Litton's prices, which had to reflect research costs. In 1995 Litton Systems was awarded a summary judgment of $65 million against Ssangyong.⁹⁰

(U) Organic Fertilizer

(U)
In late 1994 three representatives of a South Korean firm visiting the laboratory of Rubicon Pacific Trading Group to view a sales presentation of its new organic fertilizer were observed dipping their ties in a solution of the product. The three visitors then pulled out cameras and fanned out in different directions, photographing everything in sight. Rubicon's new fertilizer was more productive, environmentally friendlier, and cheaper than its main alternative and had a potentially huge market, especially in Asia. Rubicon later had problems trying to interest South Korean farmers' associations in using the fertilizer.⁹¹

(U) Cancer Drugs

(U) In June 1997 Hsu Kai-lo and Chester H. Ho, naturalized US citizens, were arrested by the [...] for attempting to steal the formula for Taxol, a cancer drug patented and licensed by the Bristol-Myers Squibb Company. Hsu and Ho were employees of the Yuen Foong Paper Manufacturing Company of Taiwan. Jessica Chou, a Taiwan citizen actively involved in the attempted theft, was also indicted. Taiwan publicly stated that it would not help the US extradite Chou for trial in the US. If the Taiwan firm had obtained the Taxol formula, Bristol-Myers Squibb would have lost approximately $200 million a year in revenue from the world market.⁹²

An employee of FIELCO Industries received a phone call from a Mexican national offering the employee up to $10,000 for information on the formulas for his company's state-of-the-art adhesives. The employee notified his supervisors of the approach, and they called in US law enforcement authorities. The caller subsequently mailed the employee $2,000 in cash and asked to be faxed some of the information. The facsimile number provided matched that of one of FIELCO's customer companies in Mexico. When the caller flew to the U.S. to pay the employee the balance of the bribe money, he was arrested. FIELCO estimated that the formula information would have cost the company $1 million annually in sales [...]

(U) Coal Mining Technology

(U) In mid-1997 John Fulton, a former employee of Joy Mining Machinery Inc. and at the time the operator of a Joy competitor, United Mining Cable, approached a Joy employee in an attempt to purchase schematics for part of the coal-shearing system used by Joy. Joy Mining Machinery is a global coal mining company that manufactures and repairs technical components of equipment that mechanically shears coal from the face of an underground coal wall. The Joy employee became a cooperating witness in the case and participated in consensually monitored conversations. Fulton offered to pay any amount of money for information pertaining to the chock interface unit of the coal-shearing technology. In November 1997 Fulton paid the cooperating witness $1,500 for blueprints and a technical binder, both of which were Joy proprietary items. Fulton was arrested by the FBI after the exchange and was charged with unlawfully attempting to obtain trade secrets.⁹³

(U) [...]

(U) Sometimes collectors of economic intelligence try to brazen their way into opportunities in which they can collect critical information. Another ploy is to create situations in which the employees of a targeted facility can be induced to give their proprietary information away in the mistaken belief that the individuals requesting the information have been properly authorized to receive it. Examples of this type include the following:
• (U) A Japanese collector called the president of a major US biotechnology firm, knowing the president was out of town. The Japanese businessman assured the secretary he spoke to that the company president had already given his approval for her to provide several sheets of data on a technical compound. The secretary refused to provide the information, and her boss later confirmed that he had not given authorization for anyone to receive the data.⁹⁴
• (U) A Japanese TV crew requested and obtained
permission to visit a US firm to film a documentary on cancer research. While filming the video, the crew asked many questions, collected information, and sought access to sensitive areas. Before long it became apparent the visitors had much more technical understanding of the industry than would be expected from a professional television crew. Company officials had the visitors escorted from the facility.⁹⁵
• (U) Japanese scientific visitors to one facility wandered into restricted areas and began taking pictures. When confronted, they apologized profusely and blamed their lack of English language skills for not being able to read the posted signs denying them access. At later social gatherings, however, the Japanese scientists were observed conversing with their counterparts in fluent English.⁹⁶
• (U) French engineers, with the support of the French Embassy in Washington, misrepresented themselves as customers of Dow Corning and sought to obtain information regarding the coating used in the stealth aircraft to evade radar detection.
• (U) A business education professor from India who taught a night class at a Maryland college required each of her students to write a term paper on the company where they worked. One student advised the FBI that her paper had been returned by the professor three times, with the professor on each occasion asking for more detailed information. Eventually the professor's interest in the student's company extended to directing her to provide sensitive, possibly proprietary data.⁹⁸

From Foreign Intelligence Services

(U) Intelligence services are by definition specialists in the techniques of collecting secret information. When they apply their specialized skills against individual commercial targets, they can provide a potent combination of resources and special skills. It has been extensively documented that France has used this approach against the US for many years.

(U) First, the memoirs of Count
Alexandre de Marenches, director of France's external intelligence service from 1979-1981, recount that an agent in the US Government provided information about an upcoming currency devaluation that allowed the Bank of France to reap enormous profits in international currency markets. De Marenches's successor, Pierre Marion, admitted in news interviews that he initiated [...] against US businesses to keep [...] mentioned that IBM, Corning Glass, and Texas Instruments had been specific targets of the French intelligence service. Marion explained that "it would not be normal for us to spy on the United States in political matters or military matters, but in the economic and technical spheres we are competitors; we are not allies." Marion was succeeded by Charles Silberzahn, who also confirmed publicly that economic espionage had replaced political intelligence as a priority for France and that theft of information about large corporations was a long-term French government policy. In a 1996 interview on a German television program, Silberzahn observed that in France the state is not just responsible for lawmaking; it is in business as well.⁹⁹

(U) Examples of economic espionage operations against the US directed and controlled by foreign intelligence services or other foreign government entities include the following:
• (U) Beginning in 1969 the French intelligence service recruited several French nationals in the France-based offices of IBM, Corning Glass, and Texas Instruments. These agents were tasked to collect information on marketing plans, product specifications, and travel itineraries of executives. French intelligence passed the information along to competing companies in France, including Machines Bull. In 1993, when Bull
sued Texas Instruments over patent infringement on a computer chip, Texas Instruments discovered that Bull had originally stolen the design from them through an agent who worked for Texas Instruments for 13 years. After two years of litigation, the two companies settled out of court on undisclosed terms.¹⁰⁰
• (U) In 1973 ranking scientists and managers of the Soviet computer and electronics industries obtained a visa for the specific purpose of visiting the Uranus Liquid Watch Company of Mineola, Long Island. This was definitely a very odd choice of destination for such a delegation, but three days before the delegation's arrival the Soviets requested an expansion of the itinerary to include nearly all leading US computer and semiconductor firms. The reason for the abrupt change in plans was that the Soviets had studied US regulations and procedures and discovered that if they made a last-minute change of itinerary, the US Defense Department would not have time to object. This allowed the delegation to observe the latest critical technology.
• (U) In 1985 a US aerospace company bidding to sell jet fighter aircraft to India lost a $2 billion contract to a French aerospace company after the French intelligence service became aware of the US company's best and final offer during negotiations and then passed the information along to a French competitor.
• (U) In the spring of 1986 Recon Optical was in the midst of a $45 million contract with Israel to manufacture advanced airborne photographic surveillance equipment. The terms of the contract allowed three Israeli Air Force officers to be stationed at Recon to monitor progress of the project. After a dispute with Israel over the financial terms of the contract, Recon decided to close work down and asked the three Israeli officers to leave. The officers attempted to leave the premises with boxes of Recon data labeled as their personal belongings. These were confiscated, and examination of their contents revealed that the officers had for months been sending proprietary Recon information to a competitor company back in Israel. Recon sued the government of Israel, and an arbitrator awarded the American company $3 million in damages.¹⁰¹

(U) In May 1991 a private security guard in an exclusive [...] residential area of Houston, Texas, noticed two well-dressed men tossing into their van plastic bags of garbage taken from behind the home of an executive for a US defense contractor. The guard notified the FBI, and investigation later identified the van as belonging to the French consul general in Houston. When FBI agents quizzed the French diplomat about his actions, he claimed that he had [...] for bags of grass to fill in a hole dug in his back yard.

The Insider Threat

(U) Most people visualize espionage as a secret agent managing to sneak into a facility, defeat its guards and locks, and then spirit away secret documents or equipment. In reality the most common threat comes from an employee inside the facility who approaches an outsider to sell his organization's secrets. Three surveys conducted between 1988 and 1994 by the American Society for Industrial Security determined that approximately 75 percent of all reported incidents of economic espionage were attributable to employees or former employees with access to sensitive information. The figure for losses attributable to vendors, consultants, joint venture partners, and subcontractors was at that time just 15 percent, but by 1999 a similar survey identified on-site contractor employees and original equipment manufacturers as the main source of concern for US companies.¹⁰²

(U) In cases involving national security between 1975 and 2000, the United States charged 140 individuals with espionage. Of these, 80 were US citizens with a security clearance, 35 were
US citizens or resident aliens with no security clearance, and the remaining 25 were foreign nationals. By a more than three-to-one margin, the cases involved one person acting without co-conspirators. In about two-thirds of the cases, the arrests were made only after there had been damage to US national security.

(U) Moles and espionage entrepreneurs are two types of insiders who can wreak havoc through economic espionage. These cases are particularly difficult for OPSEC managers, since an insider with access to his organization's critical information would also know the critical needs of competitors or adversaries. Moreover, he is likely to be familiar with his organization's security systems and safeguards and be in a good position to defeat or circumvent them.

(U) Moles

(U) A mole is an employee sent by an outside entity to work for a competitor, or recruited after he already is inside the targeted organization. The mole tunnels his way into a position of access to the organization's critical information and then passes the data back to his outside clients.

• (U) From 1977 to 1986, agents operating from the Japanese consulate in San Francisco obtained vast amounts of information from a middle-level researcher at Fairchild Semiconductors, Inc. The employee provided them computer disks containing as many as 160,000 pages of confidential research results and corporate plans. The Fairchild mole was never conclusively identified and was apparently able to leave Fairchild with enough extra money to retire soon thereafter. Fairchild was so weakened by the mole's efforts that in 1986 it required government assistance to fight off a Fujitsu Corporation bid to purchase 80 percent of the company.

• (U) In 1981 a French software engineer was convicted on two counts of felony theft involving the intellectual property of his employer, Renaissance
Software Systems, Inc. At the time, he was receiving a stipend from the French government for reporting on his work at Renaissance. 105

• (U) In 1994 Yao Mindong, a PRC national in a five-month engineer training program at a Motorola Company facility in Albuquerque, New Mexico, made a sudden, unannounced departure from the workplace several days early. Just before his departure, Yao visited the plant's computer facility and printed out some materials to take back with him. Motorola officials had no way of determining what data Yao printed out, but they were concerned because it had taken the company 50 man-years to develop the project Yao had been working on. Motorola valued its potential loss from the incident at $5 million. 106

Dr. Ten Hong Lee, Pin Yen Yang, and his daughter Sally Chen Yang were arrested for theft of trade secrets from the Avery-Dennison Corporation, Pasadena, California. Four Pillars Enterprises, Ltd., which has offices in Texas and Taiwan, was also charged. Lee, a Taiwan native and US citizen, had been an Avery-Dennison employee since 1986 at the company's Concord, Ohio, facility. Over a period of approximately eight years he received between $150,000 and $160,000 for providing Four Pillars and the Yangs with secrets about adhesives used in products such as postage stamps, name labels, diaper tape, and battery labels. Both Yangs were fined, and Pin Yen Yang was also sentenced to home confinement. Four Pillars was assessed the maximum statutory fine, $5 million. The estimated damage to Avery-Dennison was $50-60 million.

(U) Espionage Entrepreneurs

An espionage entrepreneur is an employee who obtains access to critical information and then tries to use the information as an inducement to a competitor company to hire him for a better job, or simply tries to sell his secrets outright to one or more buyers. They are most commonly discovered when an approach is reported by one of the potential
buyers of the critical information. Here are some examples of critical intelligence compromised by information entrepreneurs.

(U) Electronic Typewriter Trade Secrets

(U) In the summer of 1979 Orion Briel, a disgruntled employee at Exxon's QYX division, resigned his job and sent a letter to a vice president of Office Products Division offering to steal proprietary Exxon documents, including designs for new products, research and development plans, and marketing strategies. QYX at the time had captured nearly 25 percent of the computerized typewriter market, a field once dominated by IBM. Briel asked for $100,000. IBM reported the approach to the FBI. The potential loss to Exxon was $500 million. 107

(U) Telecommunications Computer Applications

(U) In 1986 Ronald Hoffman, a US scientist working on space technology computer research for Science Applications International Corporation (SAIC), attempted to persuade SAIC to sell information to Japan developed for the Strategic Defense Initiative but with commercial telecommunications and weather-satellite applications. Japan was years behind the US in this area, but SAIC declined to pursue the matter since the information was both classified and restricted from export. Hoffman thereupon formed his own research and export company, Plume Technology, as a sideline activity and contacted various Japanese firms to offer his services. Over the next four years he sold SAIC technology to four Japanese companies. Ronald Hoffman was arrested in 1990 and convicted of selling classified information. No legal action was taken against his Japanese customers, who subsequently gained a significant competitive advantage in the space industry. 108

(U) Genetically Engineered Pharmaceuticals

(U) In early 1990 a former research scientist with Merck and Company and Schering Plough Company, and an accomplice who ran a research laboratory, let it be known that they had some extremely valuable pharmaceutical trade secrets to sell. Their offer was to provide details of the
manufacturing process for two genetically engineered pharmaceuticals: ivermectin, a leading antiparasitic drug with worldwide livestock usage, and Interferon, which is used as an anticancer and antiviral drug. Their offer came to the attention of the FBI, and later that year both were arrested immediately after selling their critical information on one of the drug fermentation processes to an undercover agent, who paid the two $1.5 million in cash and bonds. The companies involved advised that over $350 million had been spent developing the two drugs. Since there was no Economic Espionage Act at the time, the case was prosecuted under applicable fraud statutes. 109

(U) Tomahawk Missile Bid Information

(U) In 1993 the US Navy decided to have a sole vendor, either Hughes Aircraft or McDonnell Douglas Missile Systems Company, manufacture its Tomahawk cruise missiles, and this caused an intense competition between the two companies. In November of that year a former Hughes employee approached a senior manager at McDonnell Douglas and offered to sell the specifics of the Hughes bid and pricing information for $70,000. The manager alerted the FBI. A month later the espionage entrepreneur and the current Hughes employee who was the source of his information were arrested by the FBI and the Naval Criminal Investigative Service after they agreed to sell the proprietary information to undercover agents. 110

(U) Copier Technology

(U) In late 1996 Harold Worden, a 28-year employee of Eastman Kodak Corporation, retired and established his own consulting firm. Worden thereupon hired many former Kodak employees and stole a considerable amount of Kodak trade secret and proprietary information that he later attempted to sell to Kodak rivals, including corporations in China. Worden's illegal activities were documented in an investigation using a double agent operation, and he was arrested and pled guilty. Worden was sentenced to one year imprisonment and a
$30,000 fine. 111

(U) Voice-Mail Intelligence

(U) In November 1996 John Hebel was arrested and charged with wire fraud. Hebel had been employed by Standard Duplicating Machines Corporation as a field sales manager from 1990 to 1992, when he was terminated. Hebel subsequently found employment at the US affiliate of Duplo Manufacturing Corporation of Japan. Through an unsolicited phone call from a customer, Standard discovered that while employed at Duplo, Hebel had accessed Standard's electronic phone messaging system and used the information to Duplo's benefit to compete against Standard. In March 1997 Hebel was sentenced to two years probation. In addition, a civil suit was brought against Duplo by Standard, with a final settlement close to $1 million. 112

(U) Glass Technology

(U) In December 1996 Patrick Worthing and his brother Daniel were arrested by the FBI after agreeing to sell PPG Industries (Pittsburgh Plate Glass) information for $1,000 to an FBI special agent posing as a representative of Owens-Corning, a primary competitor. Patrick Worthing had misappropriated diskettes, blueprints, and other types of confidential research information from PPG, which he tried to sell to Owens Corning. However, Owens Corning alerted PPG, who subsequently informed the FBI that an individual was attempting to sell company trade secrets to representatives of Owens Corning Corporation. 113

(U) Razor Blade Design Information

(U) In February and March 1997 Steven Louis Davis stole and disclosed trade secrets concerning a new shaving system developed by the Gillette Company. Davis was a process control engineer employed by a subcontractor of Gillette Company. Using several pseudonyms, Davis sent facsimiles and electronic mail containing confidential technical drawings to Gillette's competitors Warner Lambert Co., Bic, and American Safety Razor Co. Davis, in soliciting further interest, claimed that he had 600 megabytes of Gillette's product drawings, equipment
drawings, and assembly drawings relating to Gillette's next generation of razor systems. Davis was arrested in October 1997. Subsequent FBI investigation was not able to establish to what extent he had disseminated trade secrets overseas. After pleading guilty, he was sentenced to two years and three months in Federal prison and $1.2 million in restitution.

(U) Computer Source Code

(U) In a recent case, Cadence Design Systems, Inc. was attempting to recover $1.2 billion from former employees alleged to have stolen intellectual property to build up the product line of a competitor. Evidence collected during the execution of a search warrant included electronic footprints which show that one employee E-mailed six megabytes of computer source code to a private account before quitting Cadence and joining the rival company. Before long the competitor company began marketing a product similar to Cadence's, and theirs contained the same source code, including the same typographical errors, as in the Cadence product. In the words of a senior vice president of Cadence, "That source code is the central nervous system for every other product and service we put out. It took hundreds and hundreds of engineering hours and years to develop." A criminal case is pending against the rival company.

(U) Planning a Countermeasures Strategy

(U) One of the problems that US companies who have been the victims of economic espionage face is that they often feel constrained to keep their losses secret. In fact, the General Accounting Office, the investigative arm of the US Congress, had to abandon its plan to study the extent and impact of foreign government spying on US companies when it became clear that firms had little desire to discuss the matter.

(U) US firms have been reluctant to speak out about their experiences with economic espionage for a number of practical reasons. For one thing, if a firm makes its loss known, it may suffer public embarrassment and become known as a
company that can't keep its secrets. Some companies that have reported successful attacks on their critical information have seen their stock prices drop, their employee morale plummet, and their corporate partners pull out of deals for fear their own critical information may be compromised. Also, when the economic espionage has come from a foreign country, the US company that names names runs the additional risk of losing future contracts there. Finally, criminal and civil penalties imposed on individuals and organizations engaged in economic espionage are small compared to the potentially huge gains possible.

(U) The case of Recon Optical is an instructive example of some of the problems that US companies can face even after they have successfully fended off an economic espionage operation. Although Recon was awarded a reported $3 million by an arbitration panel, the figure did not cover the company's legal expenses in waging a four-year lawsuit against Israel. The Israeli contract had been the company's largest, and its management was tied down in the legal process. The action depleted all the company's cash, and when it tried to bid for contracts in two huge new Pentagon reconnaissance programs, its prices had to reflect its low cash reserves and thus could be beat by competitors. The company's sales dropped 40 percent, and it was forced to lay off 800 of its 1,100-member workforce. Only the emergency military needs of the Gulf War kept Recon Optical from going under completely. 116

(U) Economic Espionage Indicators

(U) Given the realities that US organizations face, many may try to handle OPSEC requirements without outside assistance. The following is a partial list and discussion of indicators that a given company may be under economic espionage attack.

(U) Outsider Threat Indicators

(U) Unsolicited requests for information

(U) Such requests frequently involve faxing, mailing, E-mailing, or phoning to individuals rather than corporate marketing departments. The requests may involve surveys or questionnaires and are frequently sent over the Internet. Marketing surveys can elicit sensitive technological and business information. With this method it is important to consider who is the end user of the information and who is completing the survey. Increasing use of the Internet provides a method of bypassing organizational security systems for collection purposes. Internet access to a company's bulletin board, homepage, and employees provides a collector many avenues to broaden collection efforts. Additional indicators include communications in which the recipient has never met the sender, the requester identifies himself as a consultant or student, the requester insinuates the company he works for is classified, and the requester advises the recipient not to worry about security concerns. 117

(U) Inappropriate Conduct During Visit

(U) Visitors are an obvious vector for loss of critical information. One economic espionage indicator is an attempt to arrange an alternative mechanism, such as proposing a commercial visit shortly after an official visit has been denied by the host organization. Another situation involves foreign visitors accompanied by a diplomat who attempts to conceal the visitors' identities or official positions during the visit. Yet another is the existence of hidden agendas: the visitors arrive to discuss program X but do everything to discuss and meet with personnel who work with program Y. Last-minute and unannounced persons being added to the visiting party is also a reason for heightened concern. The questions asked by the visitors also may be an indicator of an economic espionage interest on their part, especially if they ask them during a briefing outside the scope of the approved visit, hoping to get a courteous or spontaneous response. 118

(U) Suspicious Work Offers

(U) Sometimes foreign scientists and
engineers will offer their services to research facilities, academic institutions, and defense contractors. This may be an attempt to place a foreign national inside the facility as a mole to collect on a desired technology. There are further reasons for concern if the foreign applicant has a scientific background in a specialty for which his country has been identified as having a collection requirement, if the technology the prospective employee wants to work with is proprietary or export-controlled, if the applicant's salary and expenses are to be paid by a foreign government or a corporation associated with the government, or if the prospective employee offers to work under a knowledgeable individual for a time for free. Another tactic is for one side to overstaff a joint-venture operation, using its excess employees to gather loose information from their business partners.

Here are the steps a security consultant recently used to compromise the current research projects of a large chemicals company:

1. The consultant used the Internet and newspaper files to familiarize himself with news reports of current projects and with past incidents of industrial espionage against the company. He wanted to find out what had worked and what had not.

2. Hired as a temporary employee in a low-level position, the insider went to a nearby restaurant that had a fishbowl with business cards in it for a weekly free lunch drawing and fished out a company card. He had a local print shop duplicate the card in his name with the title Supervisor of Information Security.

3. Noting that the company used a passcard for some computer systems, the employee forged his supervisor's name to a memo ordering a special access card for himself in his assumed information-security role.

4. The insider called on a senior researcher on one of the projects he had read about in the newspaper and gave her his new business card. He interviewed the researcher about what information in the project could be considered sensitive and asked for suggestions on how to improve security. The researcher suggested he contact the team leader, which he did, mentioning the referral from the researcher. The team leader identified the portion of the project considered most valuable and gave the insider the names of all the people working on the project so he could interview them about data-storage security. Using the same technique, the insider interviewed several other employees until he found one who admitted [illegible] up. Under the guise of [illegible] the backup process with the employee, the insider had the employee mark his files as shared. Later he downloaded the files from his own office computer.

5. Looking for a critical document on the project, the insider accessed an unprotected computer file with research meeting minutes on it. One document identified the location of the document and the User ID and password needed to open it. Using the same password, the insider accessed several other summary documents with details of two other critical projects the company was working on.

Had he chosen to, the security consultant could have left at the end of the day and not returned. He had compromised three projects of potential multi-million dollar value to the company's competitors.

(U) Invitations to International Exhibitions, Conventions, and Seminars

(U) It is not necessary for critical information collectors to devise ways to get into a US facility if they can induce the facility to send its knowledgeable staff members to locations and situations where there is little or no protection for them. This is a particular OPSEC problem for organizations in which foreign travel is highly prized by staff members. If the invitation is to send representatives for a specific topic, whom the organization selects to attend may itself identify future targets for foreign collectors and economic competitors. Indicators that
economic espionage may be involved in such situations are if the organizing country or organization has tried unsuccessfully to visit the invited facility, if the travel or accommodations are offered expense-paid, if a summary of the conference speaking topic is requested far in advance of the foreign meeting, if attendees wear false or incomplete conference name tags, or if there is excessive or suspicious filming or photography at the conference. 129

(U) Proposals for Joint Ventures or Joint Research Projects

(U) It is not necessary for a foreign collector or an economic competitor to steal critical intelligence from an organization if the organization can be persuaded to give the information away. Proposals for mutually profitable cooperative enterprises are one means of collecting critical information that would otherwise be difficult to obtain. Requests for unrestricted access to the organization's local area network or its physical plant may be indicators of economic espionage. Sometimes companies are induced to provide large amounts of technical data as part of the bidding process, only to have the contract canceled, or the proposed technology sharing agreements may be one-sided. Other indicators of the impending loss of critical information are the venture partner's sending more people than necessary to staff the project, or the venture partner's staff members singling out individual employees to provide information outside the scope of the agreement. 121

(U) Insider Threat Indicators

(U) Hiring Ex-employees

(U) An ex-employee who now works for a competitor can be a good source of critical company intelligence for the competitor, not just because of the intellectual property the ex-employee may already know, but also because of the ex-employee's ability to find out recent information. In this regard it can be critical to keep track of which former employees now work for competitor companies and which former employees still maintain social or professional contact with current
staff members. Of particular concern is the employee who has a job history of alternating work between one company and one of its competitors. 122

(U) Foreign Ethnic Targeting of Employees

(U//FOUO) Sometimes foreign countries and their commercial entities attempt to exploit cultural ties with company employees to exploit them for collection of critical information. Sometimes an employee will receive unsolicited mailings or greeting cards from foreign embassy personnel. In other cases an employee may be invited to travel to the country of his ancestry to give a lecture or receive an award. This may be an especially ominous development if the travel is also to be expense-paid. Alternatively, foreign delegations may arrive without an interpreter and ask the company to provide an employee who speaks their language. The visitors may then single out the employee for extra socializing and may invite him to pay a reciprocal visit to their country. 123

(U) A Too-Good Employee

(U) Sometimes individual characteristics that are most valued in an employee may, taken together, give reason to fear possible economic espionage from him. These indicators include extra initiative, such as volunteering for special work or project assignments offering different or higher access, repeatedly volunteering to work nights or weekends, especially when few other employees are present, refusing promotion to a higher-paying job with less access to proprietary information, etc.

(U) Work Assignments and Access Indicators

• (U) Any attempt to obtain classified, sensitive, or trade secret information without a genuine need to know that information
• (U) Unauthorized removal of classified, sensitive, or trade secret information from a work area
• (U) Placing classified, sensitive, or trade secret information in desks or briefcases for no apparent reason
• (U) Unusual use of requests for classified, sensitive, or trade secret information
• (U) Using a copier machine in
other offices to reproduce classified, sensitive, or trade secret information when a copier machine is available in that person's office
• (U) Repeated or unusual or unnecessary overtime
• (U) Sudden deterioration in work performance or a change in attitude of a person with access to classified, sensitive, or trade secret information
• (U) Borrowing or making notes of classified, sensitive, or trade secret information not associated with assigned work
• (U) Attempting to obtain witness signatures on a classified or sensitive document destruction form where the destruction was not actually observed by the witness
• (U) Bringing a camera or recording device into an area where classified, sensitive, or trade secret information is used, especially new cellular phones with digital imaging and transmission capability
• (U) Excessive unauthorized use of a classified or sensitive computer system at work

(U) Financial Indicators

• (U) Sudden purchase of high-value items such as real estate, automobiles, or vacations for which no logical source of income exists
• (U) Flashing of expensive purchases or large sums of cash, especially after returning from leave
• (U) Extensive or regular losses or financial indebtedness
• (U) Sudden repayment of large loans
• (U) Purchase of expensive miniature cameras and related equipment
• (U) Purchase of quality international or ham radio band communications equipment by other than a known hobbyist. 124

(U) Leave and Travel Indicators

• (U) Short domestic or overseas trips for no apparent purpose
• (U) Recurring or quick weekend trips not associated with recreation or family
• (U) Trips that cost out of proportion to the short time spent at the locations
• (U) Upon return, the traveler has a hard time describing the location visited
• (U) Personal or family travel to current or former Communist countries
• (U) Inquiries about passport or visa
requirements for current or former Communist countries
• (U) Travel on current or former Communist Bloc aircraft or cruise liners
• (U) Mention of problems with border crossing, visa, or police in former or current Communist countries. 125

(U) Social and Family Indicators

• (U) Relatives or friends live in or maintain connections to current or former Communist countries
• (U) Relatives or friends visit current or former Communist countries
• (U) Relatives or friends in current or former Communist countries request assistance
• (U) Use of illegal drugs. 126

Computers and the Internet

(U) Background

(U) Advances in telecommunications and in computer technology have caused an information revolution in the United States and worldwide, the impact of which may be as profound as that of the industrial revolution of the 19th century. Developments such as fiber optic cable have occurred when computer processor speeds have doubled and redoubled and computer memory has trebled and sextupled. A seemingly instantaneous evolution of telephone, cable, satellite, and computer networks and software, combined with technological breakthroughs in computer processing, have made this latest revolution possible.

(U) Apart from the rapid evolution of personal computers (PCs), the computing environment today allows for a sophisticated and complex interconnection of PCs, networks, and hosts. Many organizations now have PCs connected to different networks with the additional capability of accessing a mainframe. Laptops and notebook computers add to the risk factor by providing the ability to easily remove sensitive information from the workplace. The loss of sensitive information, whether deliberate or inadvertent, can carry a price tag far beyond the cost of platform hardware.

(U) Since networks of computers allow users to share vast amounts of data very efficiently, networked computer environments are used every day by the majority of corporations and
organizations. Corporate networks are not always designed and implemented with security in mind, merely functionality and efficiency. Although this is good from a business standpoint in the short term, security problems arise later, which cost millions to solve in larger environments.

(U) The most obvious example of both the prevalence and power of computer networking today is the Internet. The Internet is not a single network, but a worldwide collection of loosely connected networks that are accessible by individual computer hosts in a variety of ways, including gateways, routers, dial-up connections, and Internet service providers. The Internet is easily accessible to anyone with a computer and a network connection. Individuals and organizations worldwide can reach any point on the network without regard to national or geographic boundaries or time of day. The only equipment required for Internet access is a computer with a modem and a telephone line, and even these requirements are being superseded by services that offer high-speed connection through cable TV lines or directly through a combination computer-television set. As more people get connected, the attractiveness of the Internet as a convenient, cheap, quick, and intriguing way of communicating increases. With more participants, the amount of available information (news groups, program and data files, graphic and multimedia documents, and government and industry documents) increases and attracts even more users.

(U) The Internet strives to be a seamless web of networks; therefore it is often impossible to distinguish where one network ends and another begins. Local, state, and Federal government networks are connected to commercial networks, which in turn are connected to military networks, financial networks, utilities networks, etc.

(U) Internet Security

(U) The Internet began in 1969 as the
ARPANET, a project funded by the Advanced Research Projects Agency (ARPA) of the US Department of Defense. One of the original goals of the project was to create a network that would continue to function even if major sections of the network failed or were attacked. The ARPANET was designed to reroute network traffic automatically around problems in connecting systems or in passing along the necessary information to keep the network functioning.

(U) As more sites joined the ARPANET, the usefulness of the network grew. The ARPANET consisted primarily of university and government computers, and the applications supported on this network were simple: electronic mail (E-mail), electronic news groups, and remote connection to other computers. By 1971 the Internet linked about two dozen research and government sites, and researchers began to use it to exchange information not directly related to the ARPANET itself. The network was becoming an important tool for collaborative research. 128

(U) The ARPANET protocols (the rules of syntax that enable computers to communicate on a network) were originally designed for openness and flexibility, not for security. The ARPA researchers needed to share information easily, so everyone needed to be an unrestricted insider on the network. During these years, researchers also played practical jokes on each other using the ARPANET. These jokes usually involved humorous messages, annoying messages, and other minor security violations. It was rare that a connection from a remote system was considered an attack, however, because ARPANET users comprised a small group of people who generally knew and trusted each other. 129

(U) In 1986 the first well-publicized international computer-network security incident was identified. A university scientist noticed a simple accounting error in the computer records of systems connected to the ARPANET, and this discrepancy led him to uncover an
international effort using the network to connect to computers in the United States and copy information from them. These US computers were not only at universities but at military and government sites all over the country. This incident raised awareness that the ARPANET could also be used for destructive purposes.130

(U) In 1988 the ARPANET had its first automated network security incident. A student at Cornell University, Robert T. Morris, wrote a program, now called a worm, that would connect to another computer, find and use one of several vulnerabilities to copy itself to that second computer, and begin to run the copy of itself at the new location. Both the original code and the copy would then repeat these actions in an infinite loop to other computers on the ARPANET. This self-replicating automated network attack tool caused a geometric explosion of copies to be started at computers all around the ARPANET. The worm used so many system resources that the attacked computers could no longer function. As a result, 10% of the US computers connected to the ARPANET effectively stopped at about the same time.131

(U) By that time the ARPANET had grown to more than 88,000 computers and was the primary means of communication among network security experts. With the ARPANET effectively down, it was difficult to coordinate a response to the worm. Many sites removed themselves from the ARPANET altogether, further hampering communication and the transmission of the solution that would stop Morris's worm.132

(U) The Morris worm prompted the Defense Advanced Research Projects Agency (DARPA, the new name for ARPA) to fund a computer emergency response team, now the CERT Coordination Center at Carnegie-Mellon University, to give experts a central point for coordinating responses to network emergencies. Other teams quickly sprang up to address computer security incidents in specific organizations or geographic regions. Within a year of their formation, these incident response teams created an informal organization now known as the Forum of Incident Response and Security Teams (FIRST). These teams and the FIRST organization exist to coordinate responses to computer security incidents, assist sites in handling attacks, and educate network users about computer security threats and preventive practices.

(U) In 1989 the ARPANET officially became the Internet and moved from a government research project to an operational network; by then it had grown to more than 100,000 computers. Security problems continued, with both aggressive and defensive technologies becoming more sophisticated. Among the major security incidents were the 1989 OILZ worm, an automated attack on one type of system attached to the Internet, and exploitation of vulnerabilities in widely distributed programs such as the sendmail program, a complicated set of instructions commonly used for sending and receiving electronic mail.134

(U) In 1994 intruder tools were created to sniff packets from the network easily, resulting in the widespread disclosure of user names and password information. A packet sniffer is a program that captures data from information packets as they travel over the network. That data may include user names, passwords, and proprietary information that travels over the network in clear text.135

(U) In 1995 the method that Internet computers use to name and authenticate each other was exploited by a new set of attack tools that allowed widespread Internet attacks on computers that have trust relationships with any other computer, even one in the same room. Computers on networks often have trust relationships with one another. For example, before executing some commands, the computer checks a set of files that specify which other computers on the network are permitted to use those commands. If attackers can forge their identity, appearing to be using the trusted computer, they may be able to gain unauthorized access to other computers.
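The trust files described above can be reviewed mechanically for entries that extend trust too widely. This is an added example, not part of the handbook: it assumes the files follow the BSD r-command hosts.equiv/.rhosts format, which the handbook does not name, and the host names, the approved-host inventory and the sample file are constructed.

```python
"""Audit r-command trust files (hosts.equiv / .rhosts style) for risky entries.

Added illustration, not code from the handbook. Assumes the classic format:
    [+|-]host_or_@netgroup  [[+|-]user_or_@netgroup]
"""
from dataclasses import dataclass

HIGH, MEDIUM = "HIGH", "MEDIUM"


@dataclass(frozen=True)
class Finding:
    source: str      # file the entry came from
    lineno: int      # 1-based line number inside that file
    entry: str       # the entry as written
    severity: str
    reason: str


def audit_trust_file(text, source, system_wide, approved_hosts=frozenset()):
    """Return Finding objects for the contents of one trust file.

    system_wide    -- True for hosts.equiv semantics, False for a user's .rhosts
    approved_hosts -- hypothetical inventory of hosts that may be trusted at all
    """
    approved = {h.lower() for h in approved_hosts}
    findings = []

    def flag(lineno, entry, severity, reason):
        findings.append(Finding(source, lineno, entry, severity, reason))

    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):  # assumption: '#' starts a comment
            continue
        fields = entry.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None

        if host.startswith("-"):
            continue  # explicit deny: it narrows trust, so nothing to report

        if host == "+":
            if user == "+":
                who = "any user"
            elif user and not user.startswith("-"):
                who = f"user {user.lstrip('+')!r}"
            else:
                who = "same-named users"
            flag(lineno, entry, HIGH, f"wildcard host: {who} on ANY host is trusted")
            continue

        if host.startswith("+@"):
            flag(lineno, entry, MEDIUM, "trust delegated to a netgroup; review its members")
        elif host.lstrip("+").lower() not in approved:
            flag(lineno, entry, MEDIUM, "trusted host is not in the approved inventory")

        if user == "+":
            flag(lineno, entry, HIGH, "wildcard user: every account on this host is trusted")
        elif user and not user.startswith("-") and system_wide:
            flag(lineno, entry, HIGH,
                 "named remote user may log in as any local non-root account")
    return findings


# Constructed sample (hosts and users are invented for this example).
SAMPLE_HOSTS_EQUIV = """\
# system-wide trust list
admin1.example.org
build.example.org deploy
+
-legacy.example.org
+@labhosts
old-lab.example.org +
+ +
"""
APPROVED = frozenset({"admin1.example.org", "build.example.org"})

if __name__ == "__main__":
    for f in audit_trust_file(SAMPLE_HOSTS_EQUIV, "/etc/hosts.equiv", True, APPROVED):
        print(f"{f.source}:{f.lineno}: [{f.severity}] {f.entry!r}: {f.reason}")
```

Every entry the audit reports is a host whose identity, if forged, would be accepted without a password, so the shortest possible trust list is the goal.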
136

(U) Although the Internet was originally conceived of and designed as a research and education network, usage patterns have radically changed. The Internet has become a home for private and commercial communication, and it is still expanding into important areas of commerce, medicine, and public service. Increased reliance on the Internet is expected over the next five years, along with increased attention to its security.

Threats to Computer Network Security

(U) Three basic security concepts important to information on computer networks are confidentiality, integrity, and availability. When information is read or copied by someone not authorized to do so, the result is known as loss of confidentiality. Information can be corrupted when it is available on an insecure network. When information is modified in unexpected ways, the result is known as loss of integrity. Information can be erased or become inaccessible, resulting in loss of availability. This means that people who are authorized to get information cannot get what they need.138

(U) Concepts relating to the people who use network information are authentication, authorization, and nonrepudiation. To make information available to those who need it and who can be trusted with it, organizations use authentication and authorization. Authentication is proving that a user is who he or she claims to be. That proof may involve something the user knows (such as a password), something the user has (such as an electronic passcard), or something about the user that proves his identity (such as a fingerprint). Authorization is the act of determining whether a particular user or computer system has the right to carry out a certain activity, such as reading a file or running a program. Authentication and authorization go hand in hand. Users must be authenticated before carrying out the activity they are authorized to perform. Security is considered to be strong when the means of authentication cannot later
be refuted: the user cannot later deny that he or she performed the activity. This is known as nonrepudiation.139

(U) Just as with other types of threats, it is useful for OPSEC managers to conceptualize computer network security in terms of the risk of loss of critical information or other damage caused by outsiders versus the risks posed by the actions of insiders. While the potential for attack may come from a variety and potentially large number of individuals, computer attacks themselves tend, just like other areas of OPSEC concern, to use a relatively small number of methodologies to compromise the organization's security systems.

(U) Website Content and OPSEC

(U) It is not necessary for an intelligence adversary, a terrorist, an economic competitor, a mischief maker, or any other potential security threat to an organization to devise novel and clever methods to steal the organization's critical information if that information is already being given away on the organization's website or a series of sites. While the World Wide Web provides any organization a new and powerful tool for conveying information quickly and efficiently on a broad range of topics, it also increases the risk to the organization. The particular problem posed by today's technology is that Internet connectivity provides a single user with new levels of understanding from unclassified sources.

(U) While [...] have always employed data mining techniques to collect small pieces of information from a number of different sources and compile them into a product which contains critical information, it was hard for them to produce a timely product; their problem was that the sources of information they required might be very widely scattered, and gaining physical access to them imposed real constraints on the process. With today's networks, however, geography is no longer a factor in information retrieval. [...] but sophisticated computer search engines and information compilation algorithms have automated many steps in the research process and vastly reduced the time necessary to collect comprehensive amounts of information.

(U) For OPSEC managers this means that information posted on the organization's website may pose more risk than information about the organization available through other means. For example, one website might identify the officers of a given military unit, and a page on the site might provide names of immediate family members. Using this information, an analyst might be able to locate another website that provides support and advice to military families. Noting the type of support offered, in particular anything under a "what's new" banner, an analyst might be able to derive indicators that the unit will deploy in the near future or indicators of where the unit will deploy. Both of these items of intelligence might be considered critical to the unit's ability to carry out its mission. Using conventional information-gathering techniques it might take days or even weeks to gather such information; on the Internet it could take only hours or even minutes.

(U) Because of the increased risk that someone will be able to make a coherent mosaic of small pieces of information, small items of information posted on a publicly available website are of increased OPSEC significance. Further, it may be possible for an intelligence adversary or other collector to put together a public item from one site and an item from an unrelated site and derive critical information from the combination. An OPSEC manager can no longer simply review the organization's website for items that may be targets for an adversary, since there is no sure way of specifically identifying which items, in conjunction with information from other sites or sources, may become a critical indicator.

(U) The OPSEC solution to this
apparent security dilemma is to adopt a zero-based approach to website content. Decide which items, combined with other information, would be critical to an outside collector. Use OPSEC procedures to determine what information is necessary to post on websites to fulfill the mission. These are the most important considerations in zero-based website security:

• (U) Assess the benefits to be gained by posting specific types of information on a website. Identify a target audience for each type of information and why their need for the information is important to the organization's mission. A careful examination of the potential consequences of placing information on the website is [...]

• (U) Post only information for which the organization is responsible. Since any organization knows its own critical information best, it can reduce the vulnerability of other organizations by letting them post their own information.

• (U) Do not post public links to more sensitive sites. These links identify the existence and location of potential targets for a collector who may previously have been unaware of them. If it is necessary to link to other sites, the link should pass through an intermediate site which can screen visitors through passwords or other [...]

(U) Roots of Network Vulnerability

(U) Many early network protocols that now form part of the Internet infrastructure were not designed with security in mind. Without a fundamentally secure infrastructure, network defense becomes more difficult. Furthermore, the Internet is an extremely dynamic environment; its software changes constantly, and this makes it difficult for security systems to catch up with current and newly discovered security holes.146

(U) Because of the inherent openness of the Internet and the original design of its protocols, Internet attacks are quick, easy, inexpensive, and may be hard to detect or trace. An attacker does not have to be physically present to carry out the attack. Many attacks can be launched readily
from anywhere in the world, and the location of the attacker can easily be hidden. It is not always necessary to break in to a site (gain privileges on it) to compromise the confidentiality, integrity, or availability of its information or service.

(U) Many sites place unwarranted trust in the Internet. It is common for operators of sites to be unaware of the risks or unconcerned about the amount of trust they place in the Internet. They may not be aware of what can happen to their information and systems. They may believe that their site will not be a target or that precautions they have taken are sufficient. The technology is constantly changing and intruders are constantly developing new tools and techniques; therefore solutions do not remain effective.

(U) Since much of the traffic on the Internet is not encrypted, confidentiality and integrity are difficult to achieve. This situation undermines not only applications (such as financial applications that are network-based) but also more fundamental mechanisms such as authentication and nonrepudiation. As a result, sites may be affected by a security compromise at another site over which they have no control. An example of this is a packet sniffer that is installed at one site but allows the intruder to gather information about other sites, possibly in other [...]

(U) Another factor that contributes to the vulnerability of the Internet is the rapid growth and use of the network, accompanied by rapid deployment of network services involving complex applications. Often these services are not designed, configured, or maintained securely. In the rush to get new products to market, developers do not adequately ensure that they do not repeat previous mistakes or introduce new vulnerabilities.150

(U) Compounding the problem is that operating system security is rarely a purchase criterion. Commercial operating system vendors often report that sales are driven by
customer demand for performance, price, ease of use, maintenance, and support. As a result, off-the-shelf operating systems are shipped in an easy-to-use but insecure configuration that allows sites to use the system soon after installation. These hosts/sites are often not fully configured from a security perspective before connecting. This lack of secure configuration makes them vulnerable to attacks, which sometimes occur within minutes of connection.151

(U) Finally, the explosive growth of the Internet has expanded the need for well-trained and experienced people to engineer and manage the network in a secure manner. Because the need for network security experts far exceeds the supply, inexperienced people are called upon to secure systems, opening still more windows of opportunity for the intruder community.152

(U) Outsider Attack Techniques

(U) The typical outsider threatening the computer security of an organization with critical information in its network is a computer hacker. Once used as a slang term for a computer enthusiast, "hacker" is now largely used to refer to individuals who gain unauthorized access to computer systems for the purpose of stealing or corrupting data. A typical hacker is male, between 16 and 25 years old. Hackers usually become interested in breaking into machines and networks in order to improve their computer skills or to use network resources for their own purposes. Most hackers are quite persistent in their attacks, possibly because of the amount of spare time the average hacker has.153

(U) In addition, there are as many as 1,000 professional hackers worldwide. According to the managing director of the Centre for Infrastructural Warfare Studies, "These are people with hard core skills. They know exactly what they're doing; these are highly [...] professionals and are way out of the age bracket of the teenage hacker. These people are very difficult to stop. They'll come at you in 10 different ways, not just trying to get through a firewall. They'll steal a password, they'll put honey pots (i.e., very attractive subsites) out there to trap passwords, they'll do anything."154

(U) A typical hacker attack pattern consists of gaining access to a network user's account, gaining privileged access, and using the victim's system as a launch platform for attacks on other sites or areas of the network. It is possible to accomplish all these steps manually in as little as 45 seconds; with automated software hacking tools the time can decrease further.155 Hackers tend to use the following ways to penetrate or damage an organization's computer network:

• (U) Probing. A probe is a search initiated at a remote site with the intent of determining potential weaknesses in systems for later exploitation. Probes are characterized by unusual attempts to gain access to a system or to discover information about the system. One example is an attempt to log in to an unused account. Probing is the electronic equivalent of testing doorknobs to find an unlocked door for easy entry.156

• (U) Scanning. A scan is simply a large number of probes done using an automated tool. Such tools are available for download at hacker websites on the Internet. Scanning is often a prelude to a more directed attack on systems that the intruder has found to be vulnerable.157

• (U) Compromising an account. An account compromise is the unauthorized use of a computer account by someone other than the account owner, without involving privileges a system administrator or network manager has. An account compromise might expose the victim to serious data loss, data theft, or theft of services. The damage can usually be contained, but a user-level account is often an entry point for greater access to the system.158

• (U) Compromising a root directory. A root compromise is similar to an account compromise, except a compromised account has special privileges on the system. Intruders who succeed in a root compromise can do just about anything on the victim's system, including
run their own programs, change how the system works, and hide traces of their intrusion.159

• (U) Packet sniffing. A packet sniffer is a program that captures data from information packets as they travel over the network. That data may include user names, passwords, and proprietary information that travels over the network in clear text. With perhaps thousands of passwords captured by the sniffer, intruders can launch widespread attacks on systems. Installing a packet sniffer does not necessarily require privileged access. For most multi-user systems, however, the presence of a packet sniffer implies there has been a root compromise.160

• (U) Launching a denial-of-service attack. The goal of denial-of-service attacks is not to gain unauthorized access to machines or data, but to prevent legitimate users of a service from using it. A denial-of-service attack can come in many forms. Attackers may flood a network with large volumes of data or deliberately consume all of the channels used to connect with the targeted site. Sometimes an attack is used in conjunction with an intrusion attempt. For example, a denial-of-service attack may be launched against a website, effectively shutting it down or keeping it too busy to communicate with other sites. While the site is busy defending itself, the hacker sends a message to another site, misrepresenting it as a communication from the disabled site, which may be fully trusted by the other site. The hacker uses this trust to penetrate the targeted site.161

• (U) Exploiting Trust. Computers on networks often have trust relationships with one another. For example, before executing some commands, the computer checks a set of files that specify which other computers on the network are permitted to use those commands. If
attackers can forge their identity, appearing to be using the trusted computer, they may be able to gain unauthorized access to other computers.162

• (U) Malicious Code. Malicious code is a general term for programs that, when executed, would cause undesired results on a system. Users of the system usually are not aware of the program until they discover the damage. Malicious code includes Trojan horses, viruses, and worms. Trojan horses and viruses are usually hidden in legitimate programs or files that attackers have altered to do more than what is expected. Trojan horses are programs that hide inside other programs and then execute commands, like ordering a copy of all passwords typed in by the user to be copied and stored in a new directory. Viruses are programs usually designed to become a nuisance by replicating themselves endlessly until they crowd all available memory out. They usually require action on the part of the user to spread inadvertently to other programs or systems, normally inserting an infected diskette into an uninfected machine. Worms are self-replicating programs that are constructed with a built-in strategy to spread themselves to other computers with no human intervention after they are started. These programs can lead to serious data loss, downtime, denial of service, and other security incidents.163

(U) Outsider Target Network Weaknesses

(U) Most network security incidents exploited by attackers from the outside are made possible by a relatively small number of problems. Most problems can be prevented if adequate defenses are established against these weaknesses. The cost of security measures to protect against network weaknesses is normally a small fraction of the cost of having to handle a successful outside attack against an organization. The following weaknesses are the perennial targets of outside attack:

• (U) Easy network passwords. Passwords are the single most important weakness in computer network security. Doing everything
else correctly is almost of no value if password security is low. The biggest such problem is an account where the username is the same as the password. This makes the password both easy to remember and easy to guess. The most common occurrence of this problem is the initial password that the system administrators set for an account with the expectation the user will change it. Often enough the user doesn't know how to change it or never logs in at all.

• (U) Duplicate passwords on different machines. Many years ago it was reasonable to request that a person use a different password on each machine or set of machines. With a modern workstation environment, however, it is no longer practical to expect this from a user, and a user is unlikely to comply if asked. At a minimum, users with computer access at another facility should use a different password for their accounts on machines at those facilities. Otherwise a compromise of a computer at a remote facility could compromise all the computer systems the user has access to. The worst offenders of the shared password problem are network maintenance people and teams. Often they want an account on every local area net that they service, each with the same password. That way they can examine network problems and such without having to look up hundreds of passwords.165

• (U) Readable password files. A readable password file is an accident waiting to happen. It is vital to prevent any user from making and removing a copy of the organization's password file, and it is important to make it as difficult as possible for a user to see the version of his individual password. A related password problem can arise if there is a game or other lower-level computer application on the network that identifies and stores the records for individual users by allowing them to choose their own passwords. Usually applications do not [...] the user's password, and there will always be some people who choose their network password as their game password.166

• (U) Old password files. When a system is backed up or upgraded, several copies of the password file may be created and left in a completely readable state in a forgotten corner of the storage system. Looking for these files is a favorite technique of any hacker who manages to get past the outermost layer of system security.167

• (U) Managers. Managers, center directors, and other respected people are often given privileged accounts on a variety of machines. They are given these privileges as a sign of respect. Unfortunately, they often are not as familiar with the systems as the programmers and system maintainers themselves. As a result they often are the targets of attack. Often they are so busy they do not take the security precautions that others would and do not have the same level of technical knowledge. They often ignore instructions to change passwords or file protections. Managers should have separate privileged accounts and normal user accounts, with a different password for each.168

• (U) Secretaries to managers. Managers are often so busy or out of the office so frequently that they reveal their passwords to their secretaries, who may make an electronic note of it and inadvertently leave it within easy electronic reach of a hacker. The risk involved can escalate when the manager has a single password that gives him special user privileges.

• (U) System administrators. System programmers often add their own security problems. They sometimes create privileged programs that are needed and then forgotten about without being disabled. To make the situation worse, their files and user accounts sometimes are excluded from security audits because they are thought to know better than to create computer security vulnerabilities.

• (U) Demonstrators. The one case where it is especially important to have separate accounts or passwords for a single individual is
for an employee who travels to give demonstrations. Such an employee may inadvertently reveal his password if he experiences equipment failure while on the road.

• (U) Security holes. There are a very small number of security holes in most large systems that are exploited by hackers over and over. Hacker websites publish information about such entry points, and security manager websites in turn post patches and upgrades that patch the holes.172

(U) nannies ef uents In Hackers

(U) In September 1996 Russian hackers apparently succeeded in siphoning about $10 million into foreign bank accounts but bungled their attempts to extract cash from these electronic fraudulent deposits. All but $400,000 of the stolen funds was recovered.173

(U) In February 2000 the FBI reportedly was investigating a total of 17 distributed denial-of-service intrusions. The number of reported attacks had quadrupled from the beginning of the month. Four investigations centered on the placing of denial-of-service tools known as daemons on ambushed computers that were later remotely ordered to attack a victim site. Planting daemons on unwitting host computers is a key step in mounting such an attack. The tools to accomplish these attacks can be downloaded free from Internet websites.

(U) In March 1997 a juvenile computer hacker disabled a Worcester, Massachusetts airport control tower and other airport facilities for six hours and disrupted phone service in a neighboring town. The juvenile also hacked into a Worcester pharmacy computer [...] details from a local pharmacist. [...]

Insider Attack Techniques

(U) For most organizations the major threat to computers remains internal. Not only is there the possibility that a disgruntled employee will attempt to disrupt the organization's computer
files for malice or steal information for personal gain, there is also the possibility that a skilled outsider employed by a competitor may gain employment with the organization and thus become an insider. Inside access, even if as a temporary employee, puts such a person in position to supplement his computer network hacking with HUMINT operations, called social engineering by some.

(U) It is axiomatic that in technical systems humans usually are the weakest link. From an OPSEC standpoint, employees at times take some actions or fail to take others and will make an otherwise secure system suddenly completely vulnerable. For example, sometimes employees will unwittingly facilitate a hacker's efforts by using their organization's Internet portal to visit freeware sites and download games or screen savers. Some of these programs contain Trojan-horse programs that will become active every time the infected machine is booted up and will perform actions to facilitate the covert entry of the hacker. A Trojan-horse program hidden inside a game downloaded from a user's favorite newsgroup might contain instructions to email all the user's files anywhere in the world.175

(U) Countermeasures

(U) A high percentage of computer hackers are opportunists. They tend to operate on either the Internet or on telephone networks. Because they do not have many resources, they tend to bypass organizations that have even a low level of rigorously enforced security in favor of attacking targets that are softer.176

(U) Web servers are not usually attacked by hackers who want to break through into corporate records systems unless the collection of hardware and software designed to examine a stream of network traffic and service requests between the systems has been improperly configured. Hackers instead prefer to attack corporate mail servers, which must have access to Internet mail servers in order to deliver mail properly to the
corporate clients. Instead of looking for a possible hole in the firewall, they try to widen and exploit existing paths in the mail [...]

(U) Most hacker probes and scans occur during evening hours, when the outsider is more certain to be able to operate without worrying about the presence of systems administrators. Hackers tend to have most of their spare time on the weekends, and their intrusion attacks are usually made then.178

(U) While there is not much that the OPSEC manager can do on her own to protect her computer system from extremely technical attacks, there are many things that she can do to protect her network from an attack that is based on HUMINT, security lapses, or on a combination of computer hacking and social engineering.

(U) Managers and personnel can take the following steps to help reduce the risk of damage to their organizations through computer security incidents:

• (U) Secure all access points between an internal network and the outside world. Hackers will find and attack the weakest and most easily exploitable point of a network. Usually this is the initial point of contact within the company: its computer network. One way to prevent corporate information from leaking out is to ensure that Internet terminals are completely separated from the company's other computer systems. Without a direct link to the company's operating systems, a potential hacker will only get into the company's Internet computer and not its core computer system. When risk is assessed as too high, the only safe connection to the Internet is none at all.179

• (U) Develop a security policy for each system. Users must know what is allowed and what is not, which applications may be run and which not, and who is allowed access and who is not. The basis for this should be an OPSEC risk analysis that identifies the organization's assets, the threats that exist against those assets, and the costs of asset loss. This policy should also cover
contingencies such as guidelines for reacting to a site compromise (e.g., how to deal with the media and law enforcement, and whether to trace the intruder or shut down and rebuild the [...]

• (U) Ensure all user accounts have a password. Also, the passwords should not be easy to guess. There is software available to analyze the security of a network's passwords.181

• (U) Regularly check the integrity of system software. There are a number of software tools available at Internet computer security websites with the latest of system-integrity analysis programs. OPSEC managers should also check security archives periodically for security alerts and technical advice.182

• (U) Keep network systems up to date with upgrades and patches. Each major operating system has its own characteristic security weaknesses. Hackers regularly confer to trade information on these as they are identified. System programmers also issue upgrades to fix problems as they are identified.183

• (U) Audit systems and networks, and regularly check user logs. [...] resources should be as comprehensive as practicable. Many organizations victimized by hackers or insiders later find that they have kept insufficient track of the activities of their users and are unable to completely understand how they were victimized.

Intelligence Collection Disciplines

(U) There are five general collection platforms that countries use to gather intelligence regarding US activities:

HUMINT, or Human Intelligence, is the use of human beings to obtain or confirm information. Collection of information via humans includes overt, covert, and clandestine methodologies.

(U//FOUO) SIGINT, or Signals Intelligence, which can be performed from a variety of remote locations on the ground or via plane or satellite, is an umbrella term for intelligence derived from the intercept
and exploitation of signals. There are three subdisciplines:

• COMINT, or Communications Intelligence, is the collection and exploitation of communications signals, which can include voice communication, fax and printer, pagers and beepers, and myriad computer-to-computer transmissions.

• ELINT, or Electronic Intelligence, includes the interception and analysis of non-communications transmissions, most often associated with civil and military radars.

• (U//FOUO) FISINT, or Foreign Instrumentation Signals Intelligence, includes interception and exploitation of performance and tracking data (usually telemetry) during tests or operations of weapons systems and space vehicles.

IMINT, or Imagery Intelligence, is intelligence derived from visual photography, infrared sensors, lasers, electro-optics, and radar sensors. The last includes synthetic aperture radar (SAR), wherein images of objects are reproduced optically and electronically on film, electronic display devices, or other media. This category also includes imagery gathered via satellites.

MASINT, or Measurement and Signatures Intelligence, is the analysis of equipment emanations. This includes radar intelligence, infrared intelligence, telemetry intelligence, acoustic intelligence, and nuclear intelligence. MASINT operates in different parts of the electromagnetic spectrum and is used to detect information patterns not previously exploited by other systems. The information gathered by MASINT often is not protected by countermeasures.

(U) OSINT, or Open-Source Intelligence, is intelligence derived from sources available to the public, especially from the news media and, more recently, the Internet. More than 90 percent of all information a typical foreign intelligence effort gathers about the US and its activities is derived from open sources.

Selected Supplemental Intelligence Service Information

(U) Russian Federation

(U) Russia has the ability to use [...] and MASINT
to supplement its other intelligence-collection methodologies and develop all-source intelligence products for Russian political leaders, military planners, and industrial concerns.

(U) IMINT

(U) Satellite imagery systems are Russia's primary source of IMINT. The first Soviet reconnaissance satellite was launched in 1962. During the next 30 years, the Soviets launched over 850 photoreconnaissance satellites. On average, the Soviets, and now the Russians, have been able to maintain two photoreconnaissance satellites in orbit each year, with an average of 780 mission days per year. It is believed that Russian imagery systems are able to obtain resolutions of better than one third of a meter. The Russians currently use three types of imagery satellites, depending on the imagery requirement. 185

(U) The third-generation photoreconnaissance satellite is a medium-resolution system (1 to 3 meters) used for wide-area surveillance missions. The satellite flies in low earth orbits at altitudes ranging from 235 to 245 kilometers. It is designed for a mission of 2- to 3-week duration and requires that the satellite be deorbited for return of film canisters. During Operation Desert Storm, the former Soviet Union launched three of these spacecraft to fly repetitive ground tracks over the Persian Gulf region. The capability to quickly launch and recover these satellites allowed the Soviets to respond to the intelligence requirements of Soviet political and military leaders by doubling the coverage of that area. The Russians appear to be phasing the 3rd-generation satellite out of operation in favor of follow-on systems. 186

(U) The 4th-generation photoreconnaissance satellite provides the Russians with increased operational capabilities. The spacecraft flies elliptical orbits at altitudes of HO kilometers, which improves resolution. The principal improvements in the systems are the ability to return film canisters without deorbiting the spacecraft and, consequently, the extension of
orbital lifetime. The productive lifetime of the 4th-generation satellite now averages 60 days per mission. During the last 5 years, the Russians have launched 6 high-resolution satellites and 1 topographic mapper annually. During the Persian Gulf War, the former Soviets launched 4 fourth-generation satellites in a period of less than 90 days, illustrating the ability of the Russians to surge reconnaissance systems in times of crisis or international tension. The ground track of these satellites was aligned with the Persian Gulf region to provide coverage during daylight hours. 187

(U) The 5th-generation satellite is an EO imaging system that provides the Russians with near-real-time imagery. The 5th-generation imagery satellite greatly improves the reconnaissance capabilities of the Russian Federation. It provides quicker return of intelligence data and ends the restrictions posed by the limited amount of film that can be carried by a photoreconnaissance satellite. In general, the 5th-generation satellite is used for global reconnaissance, and the 3rd- and 4th-generation satellites are used for coverage of particularly sensitive areas. 188

(U) Overall, the Russians have continued to maintain a robust space reconnaissance program, despite predictions that the program would wane after the demise of the Soviet Union. The Russians have been able to maintain a constellation of 160 satellites in simultaneous orbits, the same level as during the existence of the Soviet Union, despite a 35 percent reduction in launches. The one major problem faced by the Russians is the lack of an all-weather, day-night imaging system. Both EO and photographic systems require daylight and clear weather in order to get an image of an area. In the 1980s, the Soviets attempted to develop a SAR system to provide
all-weather and night coverage. This program failed to develop a militarily acceptable product, and the resulting Almaz spacecraft was converted into a commercial mapping system. No comparable SAR system is currently known to be under development. 189

(U) MASINT

(U) The Russians have programs that can provide MASINT data, such as the Prognoz satellite program, which has infrared detection capabilities similar to those provided by the United States Defense Support Program (DSP) satellite system. The Prognoz can be used to conduct a variety of missions in support of infrared intelligence. Other MASINT-related systems include a wide variety of sophisticated radar systems that can be used for Radar Intelligence, a well-developed Acoustic Intelligence program for antisubmarine warfare, and a highly developed Nuclear Intelligence program that collects samples from nuclear testing. 190

(U) China

Ministry of State Security

(U) The MSS is divided into several different subsections or divisions. Each division relates to one of two specific types of skills: regional or organizational. Regional divisions are responsible for conducting operations in their specific geographic locale. Organizational divisions are responsible for the bureaucratic functions of the MSS, such as accounting or training.

(U) Domestic Bureau: The Domestic Bureau, also known as the First Bureau, recruits people with overseas connections to work for the Ministry of State Security. The Domestic Bureau can expedite exit document application procedures for travelers. The Bureau is also responsible for receiving Chinese secret agents from abroad who return to China every few years for holidays or meetings. To conceal the identity of its agents, the Domestic Bureau may require its agents to enter China through a third country. The MSS has special guesthouses in the suburbs of Beijing to provide accommodation for returning agents. These guesthouses have many small compounds and offer
substantial privacy and security. 191

(U) Overseas Bureau: The Overseas Bureau, also known as the Second Bureau, is responsible for opWrovides tasking and receives, analyzes, and reports to higher levels intelligence collected by its operatives and agents. The Overseas Bureau is responsible for agents abroad using covers posted to foreign trade companies, banks, insurance companies, ocean shipping companies, etc. The Overseas Bureau also recruits agents abroad. Some of these agents have worked for the Bureau for decades, while others are long-time hidden agents who are not normally assigned duties and are only activated as needed. 192

(U) Hong Kong, Macao, and Taiwan Bureau: The Hong Kong, Macao, and Taiwan Bureau, also known as the Third Bureau, has geographical intelligence responsibility for operations in these areas. The main activities of the Bureau include agent operations and recruitment of PRC nationals with Hong Kong, Macao, and Taiwan connections. The Bureau receives agents when they return to the mainland for reporting, tasking, or holidays. Only a small number of the postings are permanent, and most agents are replaced once every few years. The Ministry of State Security increased its activities in Hong Kong following the reversion of the territory in 1997, where it can now operate without foreign interference against prodemocracy elements in the territory.

(U) Technical Bureau: The Technical Bureau, also known as the Fourth Bureau, studies and develops intelligence gathering and counterintelligence tradecraft. This includes surveillance, wiretapping, photography, recording, communications, and intelligence transmission gadgetry. Due to the technical nature of this field, postgraduates in virtually every discipline have been recruited to the work of the Bureau.

(U) Local Intelligence Bureau: The MSS Fifth Bureau, the Local Intelligence Bureau, is responsible for directing and coordinating the work of local departments and
bureaus of the Ministry at the provincial and municipal levels. 195

(U) Counterintelligence Bureau: The Sixth Bureau is the Counterintelligence Bureau. The primary task of Chinese counterintelligence activity is to work against overseas Chinese prodemocracy organizations. Its investigative priorities have included Western consortia investing in China, which were suspected of involvement in attempts to bring about peaceful evolution to democracy in China. Overseas Chinese prodemocracy organizations also have been investigated under suspicions that they were sending investors to China who were actually engaged in anticommunist activities. Much of the Counterintelligence Bureau's work is focused on surveillance of individuals of interest and on conducting security awareness education briefings for local authorities to encourage them to report suspicious people and activities. 196

(U) Reports Bureau: Also known as the Seventh Bureau, the Reports Bureau checks, verifies, prepares, and writes intelligence reports and special classified reports based on all-source intelligence. Ordinary reports are prepared for other government departments, while the special reports go to the top Chinese hierarchy. Work at the Seventh Bureau is the most boring and difficult of all the MSS units, and low morale is a continuing problem. 197

(U) Institute of Contemporary International Relations: The Eighth Bureau of the MSS has no operational intelligence function. Instead, it is one of the world's largest institutes for research on international relations, with a staff that at one time numbered over 500 research fellows. The Bureau is divided into 10 research offices specializing in general international relations, global economy, the United States, Russia, Eastern Europe, Western Europe, the Middle East, Japan, Asia, Africa, and Latin America. One of its main objectives is to collect open-source information. The institute is also responsible for providing every foreign affairs secretary of each
Political Bureau Standing Committee member with subscriptions to major English-language newspapers as well as major Hong Kong and Taiwan newspapers and magazines. Another mission of the institute is the preparation of publications for units at the provincial, army, and ministerial levels. Recurring publications include:

(U) Studies in International Relations (guoji guanxi yanjiu), published every 10 days on world political and economic trends and events and policies toward China.

(U) Summaries of Books and Newspapers (shubao jianxun), a news bulletin published every three to four days with excerpts of works by the world's public figures, documents issued by other governments, editorials from major papers, and articles by noted reporters.

(U) Contemporary International Relations (xiandai guoji guanxi), a journal issued quarterly. 198

(U) Counterespionage Bureau: The Counterespionage Bureau, also known as the Ninth Bureau, is responsible for countering efforts by foreign intelligence services to recruit personnel of the MSS and among cadres of other Chinese institutions abroad. It also counters surveillance, wiretapping, and infiltration by foreign intelligence services against Chinese embassies and consulates. The Counterespionage Bureau includes an overseas students section, which specializes in anti-defection work among Chinese students abroad, including both preventing their recruitment by foreign intelligence services as well as investigating student participation in overseas Chinese prodemocracy organizations. 199

(U) Science and Technology Bureau: Also known as the Tenth Bureau, the Science and Technology Bureau is charged with collecting economic, scientific, and technological intelligence. This represents a significant shift in emphasis from work under the former Central Investigation Department, which was mainly concerned with political intelligence. There have been few reported instances of successful covert collection by this bureau, however. 200

(U) Computer Support Bureau: The
Eleventh Bureau, the Computer Support Bureau, is responsible for analyzing intelligence gathered with electronic computers and also operating the computer network of the Ministry of State Security. It also collects information on advanced electronic systems from the West and protects the information systems of Chinese intelligence services from attacks by foreign intelligence agencies. 201

(U) Military Intelligence Department

(U) The Military Intelligence Department (MID), often referred to as the Second Department, is responsible for the collection and dissemination of the intelligence required to support the military command structure. The realm of activities includes tactical, strategic, and technical intelligence operations. The MID reports directly to the General Staff Department (GSD) of the People's Liberation Army. 202

(U) The MID is organized into numerous divisions and bureaus, including military-based collection and analysis groups. These groups exist within the Navy and Air Force its ground army. Each division of the MID is responsible for determining its own intelligence requirements and conducting operations within its own Military Region. In addition to the individual service intelligence divisions within the MID, there are a number of functional bureaus responsible for collection, analysis, science and technology, records and archives, classified materials, general resource management, and 0135550263

(U) The First Bureau is primarily engaged in the collection of military intelligence and has these responsibilities divided into regional sections. In the regions that share a border with another state, the regional offices collect information on that state. However, the Nanjing region of the MID is responsible for collecting information about the United States. 204

(U) The Western Nations Analysis Bureau, or Fifth Bureau,
primarily relies on collection focusing on the United States. Two of the bureau's favorite sources of information are congressional reports and RAND Corporation documents. 205

(U) The Bureau of Science and Technology, or Seventh Bureau, controls two electronics factories (the Sea Gull Electrical Equipment Factory and the Beijing Electronic Factory), two computer centers (the Science and Technology Bureau Computer Center and the Northern Transportation University Computer Center), and two research institutesInstitutes. The Seventh Bureau is completely independent from its civilian counterparts in the MSS. 206

(U) The Beijing Institute for International Studies is not openly associated with the MID, despite the fact that almost all of the institute's faculty are current or former PLA officers. It is suspected that the institute is not officially associated with the intelligence community out of a fear that such an association would limit professional and academic contacts of the institute's members, hurting them both professionally and operationally. 207

(U) The PLA Institute for International Studies, formerly known as the Nanjing Foreign Affairs Institute, is responsible for teaching MID personnel specialized techniques and methodology used in intelligence operations. 208

(U) The 8341 Unit: The Beijing-based Central Security Regiment, also known as the 8341 Unit, was an important law enforcement element. It was responsible over the years for the personal security of Mao Zedong and other party and state leaders. More than a bodyguard force, it also operated a nationwide intelligence network to uncover plots against Mao or any incipient threat to the leadership. The unit reportedly was deeply involved in undercover activities, discovering electronic listening devices in Mao's office and performing surveillance of his rivals. The 8341 Unit participated in the late 1976 arrest of the leadership of the ultra-left wing of the Chinese Communist Party, marking the official
end of the Cultural Revolution, but the unit reportedly was deactivated soon after that event. 209

(U) Technical Department

(U) The Technical Department (TD), also called the Third Department, is responsible for Chinese SIGINT operations. The TD was founded in the 1950s with equipment supplied by the Soviet Union, originally under the guise of being a meteorological bureau. Although the TD currently maintains the most extensive SIGINT capability in the Asia-Pacific region, only fragmentary information concerning its organization and activities has become public.

(U) The Technical Department provides the PRC with a wide range of SIGINT capabilities. The Chinese maintain by far the most extensive capability of any nation in the Asia-Pacific region. The Chinese operate several dozen SIGINT ground stations deployed throughout China. There they monitor signals from Russia, Taiwan, Japan, South Korea, India, and Southeast Asia. Signals from US military units located in the region are of significant interest to these monitoring stations, and a large SIGINT facility at Hainan Island is principally concerned with monitoring US naval activities in the South China Sea. Additionally, the Chinese have developed a series of SIGINT collection vessels that monitor US military operations and exercises in the Asia-Pacific region. 211

(U) The Chinese also actively monitor international communications satellites from SATCOM intercept facilities on Hainan Island and outside Beijing. The Hainan SIGINT complex was significantly upgraded in 1995. 212

(U) The PRC has been conducting space-based imaging of the earth since 1975, when it became the third country in the world to retrieve high-resolution photographs of the planet shot from space. The Chinese currently have a limited space-borne photoreconnaissance capability that focuses on collecting imagery over the Russian border. They
also use a variety of fixed-wing aircraft to collect photographic imagery. None of these systems present a substantial intelligence collection threat to US forces in the region. By mid-1999, a total of 17 spacecraft had been orbited, with 15 successful recoveries. The FSW-1 model was introduced in September 1987. FSW-1 satellites have carried imaging payloads with high-resolution (10-15 m) cameras for film development on Earth and with 50-m resolution camera systems for near-real-time images. Unlike Russian photoreconnaissance satellites, FSW-1 spacecraft do not perform orbital maneuvers to adjust their groundtracks for prolonged observations over areas of high interest. FSW satellites are normally flown only once each year and usually in the period

(U) The Chinese appear to be developing a spaceborne 13le system that is mounted on their photoreconnaissance and communications satellites. There is no indication at this point that this capability presents a significant threat to US forces in the region.

(U) New China News Agency

(U) The NCNA was founded in 1931 as the Red China News Agency. It is currently China's primary source of foreign and domestic news and deploys hundreds of journalists who are assigned to collect and disseminate foreign news, publish documents, and disseminate information throughout the PRC. However, the NCNA primarily engages in open-source collection. It has a staff of more than 5,000 employees operating out of over 90 bureaus and 300 offices in China and abroad, monitoring newspapers, magazines, and broadcasts from around the world and conducting open-source analysis for the Chinese leadership. Given its global network and journalistic credentials, it often provides cover to Chinese intelligence operatives from
other agencies. In the past, only People's Daily and NCNA were used to provide journalist cover for MSS intelligence officers. However, this practice has recently extended to most major newspapers, including Guangming Daily, Economic Daily, China Youth News, and Workers Daily, which have correspondents in the United States, Japan, Europe, and other countries. 215

(U) Cuba

(U) The principal intelligence collection arms of the Cuban government are the Directorate General of Intelligence (DGI) of the Ministry of the Interior and the Military Counterintelligence Department of the Ministry of Revolutionary Armed Forces. Both have been closely associated with the Soviet and Russian intelligence services. Based upon the military cooperation agreement between Russia and Cuba of June 1993, the relationship between these services is likely to continue. 216

Military Counterintelligence Department

(U) The Military Counterintelligence Department is responsible for conducting counterintelligence and electronic warfare activities against the United States. 218

(U) Directorate of General Intelligence

(U) The DGI is responsible for Cuba's foreign intelligence collection and has six divisions, divided into two categories of roughly equal size: the operational divisions and the support divisions.

(U) The operational divisions include the Political-Economic Intelligence Division, the External Counterintelligence Division, and the Military Intelligence Division. The Political-Economic Intelligence Division consists of four sections: Eastern Europe, North America, Western Europe, and Africa-Asia-Latin America. The External Counterintelligence Division is responsible for penetrating foreign intelligence services and the surveillance of exiles. The Military Intelligence Department focuses on collecting information on the United States Armed Forces and coordinating SIGINT operations with the Russians at Lourdes. 219

(U) The support divisions include the Technical Support
Division, the Information Division, and the Preparation Division. The Technical Support Division is responsible for production of false documents, communications systems supporting clandestine operations, and development of clandestine message capabilities. The Information and Preparation Divisions are responsible for intelligence analysis functions. 220

(U) Despite the economic failure of the Castro regime, Cuban intelligence, in particular the DGI, remains a viable threat to the United States. The Cuban mission to the UN is the third largest UN delegation, and it has been alleged that almost half the personnel assigned to the mission are DGI officers. The DGI actively recruits HUMINT agents within the Cuban emigre community and has used refugee flows into the United States to place agents in this

(U) In February 2000, FBI agents arrested Mariano Faget, a Cuban-born supervisor in the Miami office of the US Immigration and Naturalization Service, for spying for the Cuban government. Faget was accused of handing over US secrets to a Cuban citizen and lying about contacts with Cuban government officials. 222 At his trial, prosecutors revealed that FBI agents were wiretapping Faget as he told a business acquaintance with ties to Cuban intelligence that a Cuban security officer who had been based in Washington was going to defect to the United States. The information was false and had been fed to Faget to see what he would do with it. A jury convicted Faget of disclosing classified information and other offenses, but in June 2001 the trial judge sentenced him to only five years imprisonment, citing his exemplary work record and the failure of the prosecution to demonstrate that the information Faget had compromised to Cuba damaged US interests. 223

(U) The DGI collects political, economic, and military information within the United States. The DGI also conducts operations to collect information about
technologies needed to improve the Cuban economy. 224 The United States considers Cuba to be a sponsor of international terrorism, one that has worked closely with Puerto Rican separatist and Latin American terrorist groups. Much of this activity is handled through the DGI. 225

America Department

(U) Some say that a third intelligence component, the America Department (DA), is the most powerful branch of Cuba's security apparatus. 226 The DA has control over covert Cuban activities for supporting national liberation movements and the efforts of regimes such as those of Nicaragua and Grenada. The DA may be responsible for planning and coordinating Cuba's secret guerrilla and terrorist training camps, networks for the covert movement of personnel and material from Cuba, and a propaganda apparatus. DA personnel regard as the elite of the various Cuban security agencies. Covers used by DA staff include diplomatic posts, Cuba's Prensa Latina news agency, Cubana Airlines, the Institute for Friendship With the People, and Cuban front companies. In 1983, the DA had between 200 and 300 members. 227

(U) In September 2001, Ana Belen Montes, the Defense Intelligence Agency's (DIA's) senior analyst for Cuban matters, was arrested for spying for Cuba. Montes, single and 44 years old, had begun working for DIA in 1985 and became a Cuban analyst in 1992. At about the same time, she began spying for Cuba because she believed it was not being treated fairly by the United States. She provided information about US intelligence-gathering programs concerning Cuba and also the identities of some US officers working undercover against the Cubans.

(U) Montes would receive coded radio transmissions from the Cubans, decode them with a program on her home computer, and then go to a public telephone to use prepaid telephone cards provided to her by the Cubans to call telephone pager numbers also provided to her. She would leave a message on the pager by entering digits that to a special list of messages she had been given.

(U) FBI officials were able to recover details of her activities over a number of years by recovering files she had deleted on a laptop computer she purchased. Other than reimbursement for some travel expenses, Montes did not accept money for her espionage activities.

(U) After pleading guilty to espionage in October 2002, Montes addressed the court engaged in this activity that brought me before you because I obeyed my conscience rather than the law. I believe our government's policy towards Cuba is cruel and My way of responding to our Cuba policy may have been morally I can only say that I did what I thought right to counter a grave injustice. Ana Belen Montes was sentenced to 25 years in prison.

(U) North Korea

(U) is North Korea's primary source of intelligence collection against South Korea and other intelligence targets. Additionally, North Korea continues to expand its capabilities and currently possesses the capability of monitoring many South Korean and US communications in the region. The North Koreans have a limited HUMINT capability in the United States, and what they have is primarily directed at acquiring nuclear weapons technology. The primary threat posed by North Korean intelligence operations is directed against forces stationed in South Korea.

(U) The North Korean intelligence community is in a dynamic environment. It changes structure and organization as power shifts within the Communist Party of the People's Democratic Republic of Korea (DPRK). At present, the majority of DPRK intelligence agencies are within the Cabinet General Intelligence Bureau (CGIB) of the Korean Workers' Party (KWP) Central Committee and are directly responsible to the president of the country. The CGIB is primarily responsible for coordinating and implementing the intelligence directives among five departments actively involved in intelligence
collection operations. 228

(U) Liaison Department

(U) The oldest of these departments is the Liaison Department. The Liaison Department was founded in the late 1940s and until the early 1980s was the premier intelligence agency in North Korea. The Liaison Department was initially responsible for the collection of intelligence on South Korea, but this evolved into the role of conducting collection and covert operations overseas, especially in Japan. 229

Reconnaissance Bureau

(U) The Reconnaissance Bureau is responsible for collecting strategic, operational, and tactical intelligence for the Ministry of the People's Armed Forces. It also exercises operational control over agents engaged in collecting military intelligence and in the training and dispatch of unconventional warfare teams to South Korea. The primary methods of infiltration have been through tunnels under the Demilitarized Zone and seaborne operations involving submarine and high-speed patrol boats as insertion vehicles. In the 1970s, in support of overland insertion, North Korea began clandestine tunneling operations along the entire DMZ, with two tunnels per forward division. By 1990, four tunnels dug on historical invasion routes from the north had been discovered by South Korean and United States tunnel neutralization teams: 3 in the mid-1970s and the 4th in March 1990. The South Koreans suspect there were as many as 25 tunnels in the early 1990s, but the level of ongoing tunneling is unknown. 230

(U) State Security Department

(U) Since 1973, the State Security Department has been responsible for North Korea's defensive and offensive counterintelligence programs. It carries out a wide range of counterintelligence and internal security functions normally associated with secret police. It is charged with searching out anti-state criminals, a general category that includes those accused of antigovernment and dissident activities, economic crimes, and slander
of the political leadership. Camps for political prisoners are under its jurisdiction. To support its counterintelligence responsibilities at home and abroad, the Security Department runs overseas intelligence collection operations. It also monitors political attitudes and maintains surveillance of returnees. 231

(U) Ministry of Public Security

(U) The Ministry of Public Security, responsible for internal security, social control, and basic police functions, is one of the most powerful organizations in North Korea and controls an estimated 144,000 public security personnel. It maintains law and order, investigates common criminal cases, manages the criminal prison system and traffic control, monitors citizens' political attitudes, conducts background investigations, census, and civil registrations, controls individual travel, manages the government's classified documents, protects government and party officials, and patrols government buildings and some government and party construction activities. Ministry of Public Security personnel escort high-ranking officials traveling abroad. The Ministry also guards national borders and monitors international entry points. The Border Guards are the paramilitary force of the Ministry of Public Security. They are primarily concerned with monitoring the border and with internal security. The latter activities include physical protection of government buildings and facilities. During a conflict, they would probably be used in border and rear area security missions. 232

Chosen Soren

(U) Chosen Soren, the General Association of Korean Residents in Japan (Zainichi Chosenjin Sorengokai), is North Korea's de facto diplomatic presence in Japan. The association currently has 200,000 members. Nearly one-third of the Japanese pachinko (pinball) industry is controlled by Chosen affiliates or supporters. 233 Chosen members each year remit an estimated 510% million in hard currency to Pyongyang f lam meme in North Korea. A wing of the Chosen Soren supports intelligence operations in Japan, assists in the infiltration of agents into South Korea, collects open-source information, and diverts advanced technology for use by North Korea.

In February 2003, Los Angeles Korean-American businessman John Joungwoon Yai was arrested by the FBI for failing to register as a foreign agent for North Korea and not disclosing that he had received at least $18,000 from North Korean officials for a variety of low-level intelligence services over a seven-year period. In late 2003, Yai entered a guilty plea to the charge and was expected to be sentenced to up to two years imprisonment. 235

(U) The Economic Espionage Act of 1996

(U) In October 1996, the Economic Espionage Act was signed into law. The purpose of the new statute was to provide new tools, weapons, and sanctions to use against industrial espionage. The main provisions of the new legislation are as follows:

(U) Scope: The Economic Espionage Act outlaws economic espionage where:
1. (U) The conduct occurs in the US.
2. (U) The conduct occurs outside the US and either:
a. (U) An act in furtherance of the offense was committed in the US.
b. (U) The offender is a US person or organization.

(U) Confidentiality: The court must issue orders necessary to protect the confidentiality of trade secrets, consistent with Federal Rules of Procedure and the Constitution. Also, the prosecution is permitted to immediately appeal any order authorizing or directing disclosure of a trade secret.

(U) Criminal Penalties: Imposes up to a:
1. (U) 15-year prison term and/or maximum $500,000.00 fine on any person and a $10 million fine on any organization who steals or destroys a trade secret of value with intent to benefit any foreign
power
2. (U) 10-year prison term and/or a maximum $250,000.00 fine on any person and a $5 million fine on any organization who knowingly steals or destroys any trade secret with intent to:
   a. (U) Economically benefit anyone other than the owner, and
   b. (U) Injure the owner of the trade secret (Title 18 USC 1832)

(U) Forfeiture: Requires the forfeiture to the US Government of proceeds or property derived from economic espionage, and may require forfeiture of property used to commit economic espionage. The victim can apply to the US for restitution.

(U) Civil Relief: The Government can apply for injunctive relief to prevent trade secret crimes.

(U) Definition of Terms

(U) Owner, with respect to trade secret, means the person or entity in whom or in which rightful legal or equitable title to, or license in, the trade secret is reposed.

(U) Trade Secret means all forms and types of financial, business, scientific, technical, engineering, or economic information, including patterns, plans, compilations, programs, devices, procedures, methods, techniques, codes, processes, or programs, whether or how stored, compiled, memorialized physically, electronically, graphically, photographically, or in writing, if:
1. (U) The owner thereof has taken reasonable measures to keep such information secret, and
2. (U) The information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, the public.

(U) Corporate Responsibility: To take reasonable measures to keep trade secret information secret.

(U) Economic Espionage Act of 1996 Text

(U) § 1831 Economic Espionage

(U) Whoever, intending or knowing that the offense will benefit any foreign government, foreign instrumentality, or foreign agent, knowingly:
1. (U) steals, or without authorization appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains a trade secret;
2. (U) without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads,
alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys a trade secret;
3. (U) receives, buys, or possesses a trade secret, knowing the same to have been stolen or appropriated, obtained, or converted without authorization;
4. (U) attempts to commit any offense described in any of paragraphs 1 through or
5. (U) conspires with one or more other persons to commit any offense described in any of paragraphs 1 through 4, and one or more of such persons do any act to effect the object of the conspiracy,
shall, except as provided in subsection, be fined not more than $500,000 or imprisoned not more than 15 years, or both.

(U) Any organization that commits any offense described in subsection shall be fined not more than $10,000,000.

(U) § 1832 Theft of trade secrets

(U) Whoever, with intent to convert a trade secret that is related to or included in a product that is produced for or placed in interstate or foreign commerce, to the economic benefit of anyone other than the owner thereof, and intending or knowing that the offense will injure any owner of that trade secret, knowingly:
1. (U) steals, or without authorization appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains a trade secret;
2. (U) without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys such information;
3. (U) receives, buys, or possesses such information, knowing the same to have been stolen or appropriated, obtained, or converted without authorization;
4. (U) attempts to commit any offense described in any of paragraphs 1 through or
5. (U) conspires with one or more other persons to commit any offense described in any of paragraphs 1 through 3, and one or more of such persons do any act to effect the object of the conspiracy,
shall, except as provided in subsection (b), be fined under this title or imprisoned not
more than 10 years, or both.

(U) Any organization that commits any offense described in subsection shall be fined not more than $5,000,000.

(U) § 1833 Exceptions to prohibitions

(U) This chapter does not prohibit:
1. (U) any otherwise lawful activity conducted by a government entity of the United States, a State, or a political subdivision of a State; or
2. (U) the reporting of a suspected violation of law to any government entity of the United States, a State, or a political subdivision of a State, if such entity has lawful authority with respect to that violation.

(U) § 1834 Criminal forfeiture

(U) The court, in imposing sentence on a person for a violation of this chapter, shall order, in addition to any other sentence imposed, that the person forfeit to the United States:
1. (U) any property constituting, or derived from, any proceeds the person obtained, directly or indirectly, as the result of such violation; and
2. (U) any of the person's property used, or intended to be used, in any manner or part, to commit or facilitate the commission of such violation, if the court in its discretion so determines, taking into consideration the nature, scope, and proportionality of the use of the property in the offense.

(U) Property subject to forfeiture under this section, any seizure and disposition thereof, and any administrative or judicial proceedings in relation thereto, shall be governed by section 413 of the Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 USC 853), except for subsections and of such section, which shall not apply to forfeitures under this section.

(U) § 1835 Orders to preserve confidentiality

(U) In any prosecution or other proceeding under this chapter, the court shall enter such orders and take such other action as may be necessary and appropriate to preserve the confidentiality of trade secrets, consistent with the requirements of the Federal Rules of Criminal and Civil Procedure, the Federal Rules of Evidence, and all other applicable laws. An interlocutory appeal by the United States shall lie from a
decision or order of a district court authorizing or directing the disclosure of any trade secret.

(U) § 1836 Civil proceedings to enjoin violations

(U) The Attorney General may, in a civil action, obtain appropriate injunctive relief against any violation of this section.

(U) The district courts of the United States shall have exclusive original jurisdiction of civil actions under this

(U) § 1837 Applicability to conduct outside the United States

(U) This chapter also applies to conduct occurring outside the United States if:
(U) the offender is a natural person who is a citizen or permanent resident alien of the United States, or an organization organized under the laws of the United States or a State or political subdivision thereof; or
(U) an act in furtherance of the offense was committed in the United States.

(U) § 1838 Construction with other laws

(U) This chapter shall not be construed to preempt or displace any other remedies, whether civil or criminal, provided by United States Federal, State, commonwealth, possession, or territory law for the misappropriation of a trade secret, or to affect the otherwise lawful disclosure of information by any Government employee under section 552 of title 5 (commonly known as the Freedom of Information Act).

(U) § 1839 Definitions

(U) As used in this chapter:
1. (U) the term "foreign instrumentality" means any agency, bureau, ministry, component, institution, association, or any legal, commercial, or business organization, corporation, firm, or entity that is substantially owned, controlled, sponsored, commanded, managed, or dominated by a foreign government;
2. (U) the term "foreign agent" means any officer, employee, proxy, servant, delegate, or representative of a foreign government;
3. (U) the term "trade secret" means all forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes,
whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing, if:
   A. (U) the owner thereof has taken reasonable measures to keep such information secret; and
   B. (U) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, the public; and
4. (U) the term "owner", with respect to a trade secret, means the person or entity in whom or in which rightful legal or equitable title to, or license in, the trade secret is reposed.

(U) Finding Information and Assistance

(U) Threat information about a particular operation can be postulated first by employing some common sense concerning who might be interested in critical information about the operation, why they would need the information, and how they might go about collecting it. We should assume that any potential adversary is interested in virtually anything about US military capability, law enforcement capabilities and intentions, political and economic policies, and diplomatic initiatives, and that any competitor is interested in anything dealing with economic, trade, and commercial endeavors.

(U) Although threat summaries and intelligence reports can provide an overall picture of the threat, this picture should be tailored to each specific operation or activity. Tailoring the threat picture involves examining both national intelligence sources and local sources. Threat information can be obtained through a number of US government sources, such as the Federal Bureau of Investigation, the Department of Homeland Security, the Defense Intelligence Agency, the Defense Security Service, the Department of Defense Security Institute, the
Department of Energy (DOE), the Department of State (DOS), and the National Counterintelligence Executive (NCIX). These agencies are responsible for protecting US government and commercial activities, as well as executing counterintelligence programs, security education, and/or threat analysis.

(U) Federal Bureau of Investigation (www.fbi.gov)

(U) The FBI has primary for investigations within the United States and can provide a variety of support services and classified analytical products to government agencies. An integral part of the FBI's counterintelligence efforts is the Awareness of National Security Issues and Response (ANSIR) program. It is the public voice of the FBI for espionage, counterintelligence, counterterrorism, economic espionage, cyber and physical infrastructure protection, and all national security issues. The program is designed to provide unclassified national security threat and warning information to US corporate security directors and executives, law enforcement, and other government agencies. Information is disseminated nationwide via the and ANSIR-FAX networks. Each of the field offices has an ANSIR coordinator and is equipped to provide national security threat and awareness information on a regular basis to corporate recipients within their jurisdiction.

(U) Department of Homeland Security

(U) A primary reason for the establishment of the Department of Homeland Security was to provide the unifying core for the vast national network of organizations and institutions involved in efforts to secure the United States. DHS carries out its mission by focusing on the following elements:
- (U) Awareness: Identify and understand threats, assess vulnerabilities, determine potential impacts, and disseminate timely information to our homeland security partners and the American public.
- (U) Prevention: Detect, deter, and mitigate threats to our homeland.
- (U) Protection: Safeguard our people and their freedoms, critical infrastructure,
property, and the economy of our Nation from acts of terrorism, natural disasters, or other emergencies.
- (U) Response: Lead, manage, and coordinate the national response to acts of terrorism, natural disasters, or other emergencies.
- (U) Recovery: Lead national, state, local, and private sector efforts to restore services and rebuild communities after acts of terrorism, natural disasters, or other emergencies.

(U) Defense Intelligence Agency

(U) DIA is a combat support agency and the senior military component in the United States Intelligence Community. It provides intelligence in support of joint military operations in peacetime, crisis, contingency, and combat; service weapons systems acquisition; and defense policy making. DIA prepares counterintelligence (CI) risk assessments for the DOD and conducts a variety of assessments and studies on the foreign intelligence collection threat. DIA also assesses the threat posed by illegal transfers of high-tech military capabilities to adversaries of the United States.

(U) Defense Security Service

(U) DSS provides security services to the Department of Defense through the integration of personnel security, industrial security, information systems security, and counterintelligence. Through the integration of security services, combined with intelligence threat data, DSS is uniquely able to facilitate the application of threat-appropriate security countermeasures. A counterintelligence element in DSS is responsible for providing threat data from the intelligence and counterintelligence communities to industry. As the partnership has matured, industry routinely reports security incidents to DSS for joint resolution with management officials. As an added benefit, DSS is able to share this information in a sanitized form in order to enhance the security awareness and training programs for defense industry at large. DSS refers significant incidents involving both industrial and personnel security to
the FBI and the military counterintelligence elements if a counterintelligence investigation is believed to be warranted.

(U) Department of Defense Security Institute

(U) DODSI was disestablished at the end of fiscal year 1998 and its functions were assumed by the DSS Training Office. In December 1998, DODSI became a part of the DSS. As such, it continues to develop and present courses on DOD security countermeasure programs. DODSI conducts instructional courses on industrial, personnel, and information security. Discussion of intelligence collection threats is an inherent part of the training provided by DODSI. They also publish unclassified security awareness publications. The best known of these publications is the Security Awareness Bulletin, which is distributed to 25,000 customers in government and industry. Articles often highlight foreign economic and industrial intelligence efforts, as well as methods to protect against such activities.

(U) Department of Energy

(U) The DOE Counterintelligence Division is responsible for analyzing foreign intelligence collection threats, providing awareness training, and disseminating threat assessments to government and contract organizations. The CI Division publishes classified and unclassified threat assessments and distributes bulletins and newsletters concerning foreign intelligence threats to DOE activities and facilities. This data can be provided to US government agencies and corporations that have entered Cooperative Research and Development Agreements (CRADAs) with DOE. The DOE Counterintelligence Division can be contacted at 202-586-6901.

(U) Department of State Bureau of Diplomatic Security

(U) The Bureau of Diplomatic Security (DS) is responsible for protecting the Secretary of State and other senior leaders in the department; ensuring the security of diplomatic facilities overseas and department activities within the United States; conducting counterterrorism and
antiterrorism activities; and investigating violations of US passport laws. In support of its mission, DS conducts threat assessments and provides US government and private entities overseas with threat assessment support through its regional security officers. The Overseas Security Advisory Council (OSAC) is a joint DS and industry venture that cooperates on overseas security problems of mutual concern. An area of growing concern for OSAC is the intelligence collection threat faced by US businesses overseas. OSAC gathers and disseminates threat information to member businesses. To exchange threat information as expeditiously as possible, the OSAC Electronic Bulletin Board has been implemented. The bulletin board provides a means for businesses to exchange information among themselves and with the Department. It also provides a means for the Bureau of Diplomatic Security's Office of Intelligence and Threat Analysis to disseminate threat information. Travel advisories and other pertinent State Department security information are available on their website.

(U) National Counterintelligence Executive

(U) The NCIX was established in accordance with Presidential Decision Directive 24, United States Counterintelligence Effectiveness, issued in May 1994. The NCIX coordinates the US government's efforts to identify and counter foreign intelligence threats to US national and economic security. It conducts analyses of emerging collection threats and identifies and broadly disseminates information on and technical collection methods. As appropriate, the NCIX provides analytical products to private firms, depending on classification and dissemination caveats.

(U) Department of Commerce Bureau of Export Administration

(U) The Bureau of Export Administration has three offices available to counsel businesses and individuals on their obligations under the Export Administration Regulations and assist in determining their licensing requirements. The
Bureau of Export Administration also maintains a list of firms and individuals who have been denied export and re-export privileges.

(U) Exporter Counseling Division, Washington, DC
Room 2705 (for mail), Room 1099 (for visitors)
14th Street and Ave NW
US Department of Commerce
Washington, DC 20230
Phone 202 482 4811, Fax 202 482 3617

(U) Western Regional Office, Newport Beach, CA
3300 Irvine Avenue, Suite 345
Newport Beach, CA 92660
Phone 949 660 0144, Fax 949 660 9347

(U) Western Regional Office, San Jose, CA
101 Park Center Plaza, Suite 1001
San Jose, CA 95113
Phone 408 998 3402, Fax 408 998 7470

(U) The Interagency OPSEC Support Staff (www.ioss.gov)

(U) The Interagency OPSEC Support Staff (IOSS) was established in January 1989 to carry out national-level interagency OPSEC training for executives, program and project managers, and OPSEC specialists; to act as a consultant to the executive departments and agencies in connection with the establishment of OPSEC programs and the conduct of OPSEC surveys; to perform OPSEC-related analyses; and to provide an OPSEC technical staff to the National Security Council. IOSS also conducts the Defensive Information to Counter Espionage (DICE) program to disseminate threat information to DOD contractors. DICE provides current threat information through training programs and briefings provided to DOD contractors and the presentation of threat briefings at selected classified conferences. The IOSS can provide government agencies and their supporting contractors with assistance in the following areas:
- (U) OPSEC training courses
- (U) OPSEC program development
- (U) OPSEC survey support
- (U) OPSEC publications and training materials development

Brian Regan, a 40-year-old married father of four, owed nearly $111,000 on his credit cards when he wrote a letter in 2001 to Iraqi leader Saddam Hussein offering to sell satellite intelligence that could help Iraq hide anti-aircraft missiles. His asking price was $13 million. The letter was found on a computer at Regan's home. The computer contained a nearly identical letter to Libyan leader Moammar Gadhafi. Regan worked at the National Reconnaissance Office (NRO), which operates the government's spy satellites, first for the Air Force and then as a civilian employee for TRW, a defense contractor.

(U) Using his access to a classified government computer network, Regan looked up numerous top-secret documents, including satellite photos of Iraqi missile sites and confidential documents about Libya's biological warfare program. He printed approximately 20,000 pages of this secret material and then buried portions of the information in a series of caches in state parks in Virginia and Maryland. Regan's idea was to sell the exact location of the sites to a foreign country and let its officials or agents dig up the buried intelligence treasure, thus insulating himself from the danger of being caught while delivering the documents.

(U) Regan was arrested in August 2001 at Dulles International Airport outside Washington while boarding a flight for Zurich, Switzerland. Regan was carrying information with the coded coordinates of Iraqi and Chinese missile sites, the missiles that were stored there, and the date the information was obtained. He also had the addresses of the Chinese and Iraqi embassies in Switzerland and a saletaataetiatidq he relishes

(U) Prosecutors sought the death penalty for Regan, but although a jury convicted him in February 2003 of espionage, it decided his crimes did not merit execution. In exchange for Regan's cooperation in debriefing, the government dropped possible charges against his wife and allowed her to collect a portion of his pension. Brian Regan was sentenced to life in prison in March 2003. Although he protested that his sentence was too harsh and that his actions "were undertaken just to protect my wife and children," the judge immediately rejected Regan's plea, observing, "You have betrayed your nation's have joined the list of infamous spies."
(U) Selected Readings

Adams, James. The New Spies: Exploring the Frontiers of Espionage. Pimlico, 1995.
Andrew, Christopher, and Oleg Gordievsky. KGB: The Inside Story. Hodder & Stoughton, 1990.
Andrew, Christopher, and Vasili Mitrokhin. The Sword and the Shield: The Mitrokhin Archive and the Secret History of the KGB. Basic Books, 1999.
Choate, Pat. Agents of Influence: How Japan Manipulates America's Political and Economic System. Simon and Schuster, 1990.
De Borchgrave, Arnaud, and Robert Moss. The Spike. Crown Publishers, Inc., 1980.
Dziak, John J. Chekisty: A History of the KGB. Lexington Books, 1988.
Eftimiades, Nicholas. Chinese Intelligence Operations. Naval Institute Press, 1994.
Faligot, Roger, and Remi Kauffer. The Chinese Secret Service: Kang Sheng and the Shadow Government in Red China. William Morrow and Company, Inc., 1987.
Fialka, John. War By Other Means: Economic Espionage in America. W.W. Norton and Co., 1997.
Hansen, James H. Japanese Intelligence: The Competitive Edge. National Intelligence Book Center Press, 1996.
Kalugin, Oleg, with Fen Montaigne. The First Directorate: My 32 Years in Intelligence and Espionage Against the West. St. Martin's Press, 1994.
Lamphere, Robert J., and Tom Shachtman. The FBI-KGB War: A Special Agent's Story. Random House, Inc., 1986.
Lunev, Stanislav, with Ira Winkler. Through the Eyes of the Enemy. Regnery Publishing, Inc., 1998.
Metcalfe, Robyn Shotwell. The New Wizard War. Tempus Books, 1988.
Polmar, Norman, and Thomas B. Allen. Spy Book: The Encyclopedia of Espionage. Random House, Inc., 1997.
Richelson, Jeffrey T. A Century of Spies: Intelligence in the Twentieth Century. Oxford University Press, 1995.
Schweizer, Peter. Friendly Spies. Atlantic Press, 1993.
Slatalla, Michelle, and Joshua Quittner. Masters of Deception: The Gang that Ruled Cyberspace. Harper Collins, 1995.
Stoll, Clifford. The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage. Mass Market Paperbacks, 1995.
Timperlake, Edward, and William C. Triplett II. Red Dragon Rising. Regnery Publishing, Inc., 1999.
Volkman, Ernest. Espionage: The Greatest Spy Operations of the Twentieth Century. John Wiley & Sons, Inc., 1995.
Weinstein, Allen, and Alexander Vassiliev. The Haunted Wood. Random House, 1999.
Winkler, Ira. Corporate Espionage. Prima, 1997.

(U) Footnotes

1. Interagency OPSEC Support Staff, OPSEC Fundamentals, Computer Based Training Series, Greenbelt, MD: IOSS, 2002.
2. Paul D. Moore, "Spies of a Different Stripe," The Washington Post, May 31, 1999, A23.
3. Interagency OPSEC Support Staff, OPSEC Fundamentals, Computer Based Training Series, Greenbelt, MD: IOSS, 2002.
4. Peter A. Lupsha, "Transnational Organized Crime versus the Nation-State," Transnational Organized Crime 2, no. 1, Spring 1996, 21.
5. Valentin Aksilenko, "The Foreign Intelligence Training Center," unpublished notes for the Centre for Counterintelligence and Security Studies, McLean, VA, January 2000.
6. Ibid.
7. Ibid.
8. Ibid.
9. Wayne Madsen, "Intelligence Agency Threats to Computer Security," International Journal of Intelligence and Counterintelligence 6, no. 4, Winter 1993, 419-420.
10. Peter Schweizer, Friendly Spies, New York: Atlantic Press, 1993, 11321.
11. Jeffrey T. Richelson, Sword and Shield: The Soviet Intelligence and Security Apparatus, Cambridge, Mass.: Ballinger, 1986; and United States House of Representatives, Subcommittee on Civil and Constitutional Rights, Committee on the Judiciary, FBI Oversight and Authorization Request, Hearings before the Subcommittee on Civil and Constitutional Rights, 101st Congress, 2nd Sess., 1990, 281.
12. Sander Thoenes and Alan Cooperman, "Yeltsin's Eyes and Ears," US News and World Report 119, no. 6, 7 August 1995, 3669; and Victor Yasmann, "Security Services Reorganized: All Power to the Russian President," Radio Free Europe/Radio Liberty Reports 3, no. 6, 11 February 1994, 7-14.
13. Ibid.
14. Victor Yasmann, "Security Services Reorganized: All Power to the Russian President," Radio Free Europe/Radio Liberty Reports 3, no. 6, 11 February 1994, 7-14.
15. James Sherr, "Change and Continuity in the Former," Jane's Intelligence Review, March
1993, 110-112; and Adam Zagorin, "Still Spying After All These Years," Time, 29 June 1992, 58-59.
16. Carey Schofield, "Interview With the Head of Russian Military Intelligence," Jane's Intelligence Review, March 1993, 112-116.
17. Jeffrey T. Richelson, Sword and Shield: The Soviet Intelligence and Security Apparatus, Cambridge, Mass.: Ballinger, 1986, 34-38.
18. Victor Yasmann, "Security Services Reorganized: All Power to the Russian President," Radio Free Europe/Radio Liberty Reports 3, no. 6, 11 February 1994, 7-14.
19. Victor Yasmann, "Security Services Reorganized: All Power to the Russian President," Radio Free Europe/Radio Liberty Reports 3, no. 6, 11 February 1994; and James Sherr, "Change and Continuity in the Former," Jane's Intelligence Review, March 1993, 110-112.
20. Jeffrey T. Richelson, Sword and Shield: The Soviet Intelligence and Security Apparatus, Cambridge, Mass.: Ballinger, 1986, 34-38.
21. Jane's Intelligence Digest, http europc news jid jidt121
22. Victor Yasmann, "Security Services Reorganized: All Power to the Russian President," Radio Free Europe/Radio Liberty Reports 3, no. 6, 11 February 1994, 7-14; and James Sherr, "Change and Continuity in the Former," Jane's Intelligence Review, March 1993, 110-112.
23. Desmond Ball, Soviet Signals Intelligence (SIGINT): Intercepting Satellite Communications, Strategic and Defence Studies Centre, Canberra: Australian National University, 1989, 62-63.
24. Current and Projected National Security Threats to the United States and Its Interests Abroad, US Congress, Senate Select Committee on Intelligence, 1996, 213.
25. Christopher Andrew and Oleg Gordievsky, KGB: The Inside Story, New York: Harper Collins, 1990, 609.
26. Desmond Ball, "Soviet Signals Intelligence: Vehicular Systems and Operations," Intelligence and National Security 41, no. 1, January 1989, 923.
27. Ibid.
28. Christopher Andrew and Oleg Gordievsky, KGB: The Inside Story, New York: Harper Collins, 1990, 608-610; and Craig Covault, "Russian Space Program Advances Despite Crisis," Aviation Week and Space Technology,
16 January 1995, 22-24.
29. Wayne Madsen, "Intelligence Agency Threats to Computer Security," International Journal of Intelligence and Counterintelligence 6, no. 4, Winter 1993, 419-420.
30. United States House of Representatives, Subcommittee on Economic and Commercial Law, Committee on the Director FBI, Hearings before the Subcommittee on Economic and Commercial Law, Committee on the Judiciary, 102nd Congress, 2nd Sess., 1992, 42.
31. Adam Zagorin, "Still Spying After All These Years," Time, 29 June 1992, 58-59.
32. James Adams, Sellout: Aldrich Ames and the Corruption of the CIA, New York: Viking, 1995, 4345; and Wayne Madsen, "Intelligence Agency Threats to Computer Security," International Journal of Intelligence and Counterintelligence, Winter 1993, 418-420 and 422.
33. Paul Moore, "Spies of a Different Stripe," The Washington Post, May 31, 1999.
34. Paul Moore, "How China Plays the Ethnic Card," Los Angeles Times, June 24, 1999, 9.
35. Report to Congress on Chinese Espionage Activities Against the United States by the Director of Central Intelligence and the Director of the Federal Bureau of Investigation, December 12, 1999.
36. Ibid.
37. Paul D. Moore, "China's Subtle Spying," New York Times, September 2, 1999, A-21.
38. Ibid.
39. Report to Congress on Chinese Espionage Activities Against the United States by the Director of Central Intelligence and the Director of the Federal Bureau of Investigation, December 12, 1999; and Paul D. Moore, "China's Subtle Spying," New York Times, September 2, 1999, A-21.
40. Jeffrey T. Richelson, Foreign Intelligence Organizations, Cambridge, Mass.: Ballinger, 1988, 295; and Desmond Ball, "Signals Intelligence in China," Jane's Intelligence Review 7, no. 8, 1 August 1995, 365.
41. Nicholas Eftimiades, Chinese Intelligence Operations, Annapolis: Naval Institute Press, 1994, 17-19.
42. Ibid., 1820.
43. Paul D. Moore, "Chinese Recruitment Techniques," Centre for Counterintelligence and Security Studies, January 2000, unpublished class notes.
44. Report to Congress on Chinese Espionage Activities
Against the United States by the Director of Central Intelligence and the Director of the Federal Bureau of Investigation, December 12, 1999.
45. "China Boosts Spy Presence in US, CIA, FBI Report," Washington Times, March 9
46. Paul D. Moore, "How China Plays the Ethnic Card," Los Angeles Times, June 24, 1999, 9.
47. Paul D. Moore, "China's Subtle Spying," New York Times, September 2, 1999, A-21; and Paul D. Moore, "Spies of a Different Stripe," The Washington Post, May 31, 1999, A23.
48. Ibid.
49. Nicholas Eftimiades, Chinese Intelligence Operations, Annapolis: Naval Institute Press, 1994, 7889.
50. Ibid.
51. Ibid.
52. Ibid.
53. Desmond Ball, "Signals Intelligence in China," Jane's Intelligence Review 7, no. 8, 1 August 1995, 365.
54. Ibid.
55. Report to Congress on Chinese Espionage Activities Against the United States by the Director of Central Intelligence and the Director of the Federal Bureau of Investigation, December 12, 1999.
56. Nicholas Eftimiades, Chinese Intelligence Operations, Annapolis: Naval Institute Press, 1994, 113-116.
57. Paul D. Moore, "Spies of a Different Stripe," The Washington Post, May 31, 1999; and Paul Moore, "China's Subtle Spying," New York Times, September 2, 1999.
58. Paul D. Moore, "Chinese Recruitment Techniques," Centre for Counterintelligence and Security Studies, January 2000, unpublished class notes.
59. "An Earlier China Spy Case Points Up Post-Cold War Ambiguities," New York Times, March 13, 1999.
60. Ibid.
61. "Reports Show Scientist Gave US Radar Secrets to Chinese," New York Times, May 10, 1999.
62. Ibid.
63. Ibid.
64. "In China, Physicist Learns, He Tripped Between Useful Exchange and Security Breach," New York Times, August 1, 1999.
65. Ibid.
66. Ibid.
67. Desmond Ball, "Signals Intelligence in China," Jane's Intelligence Review 7, no. 8, 1 August 1995, 365-368; and Desmond Ball, "Signals Intelligence in Hong Kong," Intelligence and National Security 11, no. 3, July 1996, 474-495.
68. Desmond Ball, "Signals Intelligence in China," Jane's Intelligence Review 7, no. 8, 1 August 1995, 367.
69. Jeffrey T. Richelson, "The Future of Space Reconnaissance," Scientific American
264, no. 1, January 1991, 38-44.
70. Paul D. Moore, "Spies of a Different Stripe," The Washington Post, May 31, 1999; and Paul D. Moore, "China's Subtle Spying," New York Times, September 2, 1999, A-21.
71. Report to Congress on Chinese Espionage Activities Against the United States by the Director of Central Intelligence and the Director of the Federal Bureau of Investigation, December 12, 1999.
72. John Fialka, War By Other Means, New York: Norton, 1997, xi-xiv.
73. Canadian Security Intelligence Service, Economic Security, scrc gc ca eng operat esZe html, January 2000.
74. National Counterintelligence Center, Annual Report to Congress on Foreign Economic Collection and Industrial Espionage, 2002, vii.
75. American Society for Industrial Security, Trends in Proprietary Information Loss, PricewaterhouseCoopers, 1999, 924.
76. 1999 Annual Report to Congress on Foreign Economic Collection and Industrial Espionage, "Foreign Economic and Industrial Espionage Remains a Threat in 1999," GPO, 1999.
77. 1998 Annual Report to Congress on Foreign Economic Collection and Industrial Espionage, "The Cost of Economic Espionage," GPO, 1998.
78. Ibid.
79. Rusty Capps, "The Spy Who Came to Work," Security Management, February 1997, 47.
80. John Fialka, War By Other Means, New York: Norton, 1997, 6636.
81. Ibid.
82. Ibid.
83. Ibid.
84. Ibid.
85. Christopher Andrew and Vasili Mitrokhin, The Sword and the Shield, New York: Basic, 1999, 474-475.
86. Rusty Capps, "The Spy Who Came to Work," Security Management, February 1997, 47.
87. Ibid.
88. Federal Bureau of Investigation, Economic Espionage Case Summaries, 1995, 1243.
89. Ibid., 1.
90. Ibid., 5.
91. "Dirty Work: Fertilizer, Frustration and Industrial Espionage," Far Eastern Economic Review, February 9, 1995, 5061.
92. "Taiwan Men Held for Trying to Steal Bristol-Myers Drug," Dow Jones News Service, June 1997; and "Corporate Spy Case Rebounds on Bristol," The Wall Street Journal, February 2, 1998.
93. "Man Admits to Economic Espionage," Pittsburgh Post-Gazette, April 20, 1998; and "Man Sentenced in
Theft Pittsburgh Post-Gazette November 14 1998 94 Rusty Capps The Spy Who Came to Work Security Management February 1997 48 95 Ibid 96 Ibid 97 Ibid 98 ibid 49 99 Federal Bureau of Investigation Econouuc Espionage Case Surmnaries 1995 6 100 rue 7 101 Inquiring Eyes an israeli Contract with a US Company Leads to Espionage The Wall Street Journal January 17 1992 and Rusty Capps The Spy Who Came to Work Security Marmgement February 1997 54-55 102 Rusty Capps The Spy Who Came to Work Security Management February 199% 48 103 David G Major Espionage Realities Centre for Counterinteiligence and Security Studies Ianuary 2000 unpublished class notes 104 Peter Schweizer Friendly Spies New York Atlantic Press 1993 38439 105 Rusty Capps The Spy Who Came to Work Security Management February 1997 48 106 Federal Bureau of Investigation Economic Espionage Case Summaries 1995 11 107 Former Exxon Employee Charged With Offering Secrets to Dow Jones News Service August 8 1980 108 Federal Bureau of Investigation Economic Espionage Case Summaries 1995 34 109 ibid 9 110 Ibid 8 Testing the Limits of Trade Secrets The Washington Post Dacember 9 1997 3-1 112 Voice Mail ibeft Scheme May Land Man in Jail Boston Herald N ovember 26 1996 - and As Computer Technology Thrives Lawbreaking Is a Keystroke Away Boston Globe December 4 1996 113 rm Stops Apparent Espionage Try Greensboro News Record December 12 1996 Elite 155 lmeliisence mreat anduuak USE ONLY 1 mo - viv mum my - - mm omcmr use QNLY gg and Five Year S Prioon in ESpionage Corie York Daily Record April 19 1997 114 Engineer Indicted on Charges He Stole Track on 31 Motto Shaving Syatem The Wall Street Journal September 26 1997 and rmer Giliette Associate Pleads Guilty to Stealing Trade Secrets Dow limes Of ine New Uanuary 27 1998 5 Cadence Suit on Trade-Secret Theft Pending Dow Jones News Service March 18 1997 and Avantl Losea Lawauit by Cartoons Dos gn over Trade Secrets The Wall Street journal September 24 1997 5 lnq oiring Eyes an 
Israeli Contract with a U5 Company Lewis to Espionage The Wall Street Journal Ian nary 17 1992 and Rusty Capps The Spy Who Came to Work Security Management February 1993 54455 117 Report of the Special Senate Committee on Security and Intelligence Govermnent of Canada Canadiar @Curity Intelligence Service 1999 113 fbid 119 Hold 120 fbid 121 Ibid 122 uid 123 Ibid 124 Ibid 125 lbid 125 Ibid 3'2 Compoter Emergency Response Team CERT Coordinatioa Center Overview of Internet Security Froelich Kent of vol 15 1997 123 uid 129 Enid 130 uid 331 Ibid 132 Ibid 133 Ibid 134 Ibid 335 fbid 136 Ibid 137 Ibid 138 Ibici 139 Ibid 145 Ibid 141 US Department of Defense Web Site Adn Histra on Policies and Procedures November 25 1998 1 1 2 142 Ibici 1 2 4 143 Ibid 31 144 Ibid 2 3 145 Reid 8 2 145 Russel L Branci Coping with the Threat of Computer Security Incidents June 1980 45 147 Ibid 143 Ibid 14 Ibid 150 Ibid 151 lbid 152 Ebid 153 libid 21 154 William Church as quoted by John Borland Analyzing the Threat of Cyberterrorism TechWeb September 23 1998 155 Russel L Brand Coping with the Threat of Computer Socurify hcidents lune 1980 39 156 Ibid 39 41 OFFICIAL USE ONLY Intelligence Threat Kandhaok ll USE QNLY 157 ibid 158 ibid 159 I bid 15 lbid 3 53 ibicl 1 32 l'bid 3 53 Ibici 61% Ibid 165 lbidt 166 I bid Ibict 3 38 ibid 169 Raid W0 ibid 171 lbid 6 172 1bici 13 173 The Tale of the Russian Hacker The Guardian December 5 1996 - Cyber Space is the New Battieground Toronto Star August 10 1997 and Cyberterror Threat Draws Disorganized Response USA Today October 21 1997 17 Hacker Caseioad Mnltipiies February 22 2000 3-73 Russel L Brand Coping with the Threat of Computer Security incidents J tine 1980 1 5 176 Ibid 21 7 Canadian Security Intelligence Service Computer Security the Problem of Keeping Information Systems Secure CSIS Liaison Awareness Program 1999 4 8 Russel L Brand Coping with the Threat of Computer Security Incidents June 1980 27 179 Canadian Security lntetligence Service Computer 
Security the Problem of Keeping Information Systems Secure CSIS Liaison Awareness Program 1999 4 1 80 ibid 181 Russei L Brand Coping with the Threat of Computer Security Incidents June 1980 418 182 Ibid 3 83 Ibid 184 lijid 185 Jeffrey T Richelson The Future of Space Reconnaissance Scientific American 264 no 1 January 1991 38414 1 86 Nicholas L Johnson and David M Rodvold 1991 3992 Europe and Asia in Space Technicai Report Kirtland Air Force Base N Mex USAF Fliillips Laboratory 1992 241 245 187 Ibis 241 245 188 Ibicl 241 245 and Craig Covault Russian Space Program Advances Despite Crisis Aviation Week and Space Tecimology 16 January 1995 22-241 189 Ibici 241345 - and Craig Covault Russian Space Program Advances Despite Crisis Aviation Week and Space Technology 16 January 1995 22 24 19 Wiiliam B Scott Russian Pitches Common Eariy Warning Network Aviation Week and Space Technoiogy 9 January 1995 4647 and Jeffrey T Richelson Sword and Shieid The Soviet lnteliigence and Security Apparatus Cambridge Mass Ballinger 1986 108 111 191 Tan Po Spy Headquarters Behind the Shrubs Supplement to Secrets About CFC Spies Cheng Ming no 233 Hong Kong March 1 1997 34 637 192 Ibid 193 ibid 194 said 195 lbid 1% Ibid 19 Ibid 198 Ibid i085 Sarelligence Threat Ra dh it UNCLASSIFIEDIIFUR USE ONLY owe n w A use once in lbict l b id 2m lhicl 392 livid anti Tan Po China s intelligence External Affairs Research Organs Cheng Ming no 227 15101133 Kong September 1 1 996 2331 203 Nicholas Eftirniacles Chinese intelligence Operations Annapolis Naval institute Press 1994 7539 309 Raid 2135 lbidi 209 inlet 84 207 ibis 82 208 lbict 81 299 Tan Po Spy Headquarters Behind the Shrubstupplement to 'Secrets About CFC Spies Cheng Ming no 233 Hong Kong March 1 E997 34 37 Besmond Bali Signals Intelligence in China Jane s Intelligence Review 7 no 8 1 ugost 1995 365 21 ibid and Desmond Ball Signals intelligence in Hong Kong intelligence and National Security 11 no 3 July 1996 4741495 212 generation of American 
Scientists intelligence world agencies China facilities Haitian anuary 2000 2E3 Hi Changchui he Development of Remote Sensing in China Space Policy February 1989 I Zhaogian and G Lynwood May China s Developing Space Jrogramf Signal February 1986 27 Placed a Satellite into press release China Great Wall industry Corporation October 28 1993 and Lin Ming The Use of Re trievable Satellites Beijing Review July 1997 2 Desmond Ball Signals Intelligence in China Jane s Intelligence Review 7 no 8 Au gust 1995 365 368 and Desmond Ball Signals Intelligence in Hong Kong Intelligence and National Security 11 no 3 July 1996 474 4195 See also Richard D Fisher China s Arms Require Better US Military Ties with Taiwan Heritage Foundation backgrounder no 1163 March 11 1998 and Lin Hau iaao and Min Gui rong Aspects of the China s Recoverahle Satellite Platform Paper 44th Congress of the international Asironautical Iiietiera tion October 1993 215 Jeffrey T Richelson Foreign Intelligence Organizations Cambridge Mass Ballinger 1988 295 and Nicholas Eftimiacies Chinese In telligence Operations Annapolis Naval Institute ibress 1994 21-23 107 215 H P Klepak The Cuban Armed Forces Jane s Intelligence ReviewYear Book 31 December 1994 136438 and Jeffrey T Richeison Sword anci Shield The Soviet intelligence and Security Apparatus Cambridge Mass Ballinger 1986 219212 217 lbid 218 Ihiol 2 19 lbid 220 Ibicl 227 Christopher Andrew and Oleg Gordievsky KGB The Inside Story of its Foreign Operations from Lenin to Gorbachev New York Harper Collins 1990 561-563 222 Officer Charged with Spying for Cuba The Washington Post February 18 2000 and Sting at INS Found an Unlikely Cuban Spy The Washington Post February 19 2000 A l 229 Official Gets 5 Years in Spy Sting Miami Herald Miami L June 30 2001 p A1 224 Calvin Sims Engineer Says fie Stole Secrets of Chip Makers New York Times May 22 1995 11 1 Christopher Andrew and Oleg Gordievsky KGB The Inside Story of its Foreign Operations from Lenin to Gorbachev New 
York Harper Collins 1990 561 563 226 Rex A Hudson Castro s America Department The Cuban American National Foundation 1988 - 2 27 Desmond Ball Signals intelligence in North Korea Jane s Intelligence Review 8 no 1 OF USE ONLY 058 lntetiigenca areal Handbauk OFFICIAL USE ONLY January 1996 1328 328 ibid 229 Kid 29 230 Andrea Me ee Sevada 8d Norm Korea A Study Washingtoo QC 1993 261 262 ' Joseph S Bermudez ht North Koree e inteliigence Agencies and Infiltration Operations fene e intelligence Review one 199 269271 and Kongdan 0h North Korea in aha E9903 impiieationa for the Future of the United StatesfSouth Korean Security Alliance RAND Note 3489 Santa Monica RAND 1992 231 Ibid 232 Andrea Modes Sevada ed North Koreanihe Public Security Apparatug North Korea A Country Study Waehing con DC USGPO 1993 333 Pachinko Mayer s nderwriie North Korea The Washington Post Home 7 1996 234 Tsutomo Niehioka Chosen Soreo Today and its Future Montiily Modern Korea 235 Man Entere Guiity Plea in Federal Probe Les Angeies Times Los Angeles CA October 24 2003 235 David Tinker Tailor Soidier Soy Hunter if Cameo Has His Way Foreign Agents in District Will Be Put Out in the Coid The Washington Poet anuary 19 2000 A31 237 Ibid p A-21 238 David Major and Rosty Capps US Countermfeliigence The Foun ation of Strategy and Espionage Reaiities Centre for Countermteiligence and Security Studies 1999 396 239 Robyn Shotweil Metcalfe The New Wizard War Redmond Wasm ngton Tempos 1988 1185119 2 40 Ibiti 376 2 43- Federal Bureau of investigation Economic Espionage Case Summaries 1995 10 242 Trashy Caper in River Oaks FBI IS Alerted after French Consul Grabs Garbage Houston Chronicie Guile 5 1991 rms Targeted by Foreign Intelligence Asian Wall Skeet Ioumai Gone 25 1991 243 Two Convicted in Spying Case New York Times Aprii 30 Detention Given in Theft of Secrets New York Times January 8 2000 344 Teenager Charged in Air Tower Hacking Los A11 geles Times March 19 1998 Hacker Caseload Multipiies February 22 2000 
245 Ira Winkler Corporate Espionage Prima 1997 038 intelligence Threat Kandhosk OFFICIAL USE ON LY