Friday, June 20, 2008

Elicitation, One Fine Example

The Washington Post ran an article called, Man, 84, Is Charged With Spying for Israel in 1980s. Ben-Ami Kadish had worked for the Army as an engineer. For some years in the 1980’s until 1985, he passed documents to his contact, named as Yosef Yagur. Yosef was an experienced agent who had also handled Pollard, another spy convicted and sentenced to life in prison.

Elicitation is a recruiting method using subtleness to gain information. It is not an overt or threatening type of interrogation, but one of building relationships and creating consent for further communication and finally dedication or commitment to providing information. In the case of Kadish, his handler paved the way by asking Kadish to provide documents to help Israel maintain her security.

Kadish never accepted payment other than small gifts. Thiers was a relationship of socializing. According to the article, Kadish removed documents from his office and provided them to his handler.

You may recall a more recent article where we discussed assessing and addressing real threats to national security. Government agencies and DoD contractors spend incredible amounts of money building fortified structures to keep people out. However, the main threats of secrets leaving the buildings remain.

Industrial Security Professionals can make a difference by providing proper security training and putting controls in place to prevent the removal of classified material. For example, Kadish may or may not have attended training on how to recognize recruiting methods. He may have been an engineer who had a soft spot for Israel. An effective training program would have helped him recognized a recruitment effort and given him options of how to handle it. Many training programs skip over this very important concept.

For example, the training I had received in the 80’s warned us of recruiting effort putting emphasis on blackmail and more aggressive means of foreign recruitment. However, not much was said about relationship building or how to recognize subtle attempts to gain information. Please do not misunderstand, I am not giving Kadish a break here, he violated national security and should be punished. I am, however, advocating having a security awareness program that addresses real and not perceived threats.

As far as controls, have them in place. Education will create a positive and hopefully voluntarily compliant security culture, but administrative, physical and technical controls need to be in place. For example, Kadish, and others engaged in espionage left controlled environments with classified material. How can that go unnoticed? Proper controls to prevent such action include but are not limited to:
• Lock printers and copying devices until approved reproduction occurs. Open printers and copy machines can be used without control and accountability. Assign access codes and monitor the meter.
• Use two person rule for classified processing at all levels.
• Conduct a regular inventory. NISPOM requires annual inventory in all cases, but a risk assessment may indicate need for monthly or quarterly. Inventories will tell exactly what is missing and can provide timely investigation data
• Account and receipt all classified material at all levels. Review access logs to make sure material has been returned at the end of the day

Spectacular security depends on training and controls that matches the legitimate threat. A fortified building is good, but when was the last time the news reported someone blasting a safe to get to classified materials? The education and controls program should reflect your analysis of the threat.

No comments: