Thursday, April 11, 2019

Redefining an Export and Reducing Export Violations; An FSO's Opportunity

A few years back I wrote an article referring to the practice of random computer searches occurring as travelers returned to the United States from trips abroad. Now with technology improvements, time, and the shrinking of borders in this well-connected global economy, I thought it would be a great time to revisit the question, “What would an adversary with limited resources be able to exploit in our computers?”

This is an important question to ask as cyber-attacks are becoming more common. Now an adversary on foreign lands can gather military or dual-use technical information governed by the International Traffic in Arms Regulations (ITAR) and commercial information covered in the Export Administration Regulations (EAR).

This cyber-attack activity should not be surprising to the well-educated security cleared employee. What may be surprising is the risk to protected sensitive information available on well-connected information systems. For example, Facility Security Officers (FSOs), those working in corporate law, and export compliance officers provide regular reminders and conduct training on requirements to protect sensitive information. However, there may be a disconnect when it comes to applying the protection. The immediate go-to measure is to protect the organization's enterprise network of computers from cyber threats and to remind employees that exports are not authorized without a license or exemption.

The U.S. Government encourages companies to pursue business with foreign enterprises, and these opportunities are provided through requested licenses. However, exports are occurring where licenses may not exist. According to ITAR, an export is defined as:
1. Sending or taking hardware out of the U.S. or transferring to a foreign person in the U.S.
2. Disclosing (oral, email, written, video, or other visual disclosure) or transferring technical data to a foreign person whether in the U.S. or abroad
3. Providing a service to, or for the benefit of a foreign person, whether in the U.S. or abroad

Definition number 2 poses the most risk to our technical information if we consider that disclosure can be voluntary or unwitting. For example, if the movement of non-U.S. persons visiting a facility is not controlled, they may be able to exploit export-controlled information appearing on a computer screen or overhead projection, left on a printer, etc. Additionally, cyber-threat examples abound, such as hacking into enterprise networks and exfiltrating sensitive information.

In 2012, John Reece Roth, a plasma physicist, was sentenced to prison for export violations. The charges included taking a laptop containing sensitive plans with him on a lecture tour in China. Despite warnings not to do so, he brought his computer and sensitive information to China, where the sensitive information was vulnerable to exploitation.

The above story provides good reference points for security safeguards while travelling abroad. Recommended practices include getting approval for all presentations to non-U.S. persons, getting licenses for technical data expected to be released during the presentation, and bringing a “clean” computer that only stores information permitted for presentation.

So what’s missing?
This just reminds us to be cognizant of what kind of information we disclose to non-U.S. persons. Whether we are in the U.S. or visiting overseas, we should be concerned with an adversary’s ability to conduct cyber-attacks anywhere and at any time.

Anytime an employee travels abroad, they may find themselves liberated from their computer at the host country’s customs. They should also expect to have the hard drive duplicated, files read, etc. These are the contingencies for which astute security specialists plan.

While an information system is employed at a defense contractor facility, sensitive information should be protected by firewalls, software, network defense, and other countermeasures to prevent cyber-intrusion. However, once the information system is removed, so is the protection.

A common practice is for employees to bring their laptops on business trips, vacation, to night school, and other locations. Our sense of security of being within the U.S. borders provides an added vulnerability to that sensitive information.

What could go wrong?
Consider that an employee may be providing a presentation in another country. The employee may be provided with a clean computer with only the presentation stored. Everything is done properly to ensure the employee and information are protected from unauthorized information disclosure.

In this case the laptop is removed from the facility for authorized work. However, since the laptop will be used within the United States borders, the employee is permitted to take his working laptop, with all the unclassified technical information he has been working on for the past few years.

Since the employee's business is within the U.S., and he will not be “releasing” the information to non-U.S. persons, there is no problem; or is there?
The employee may expect to connect to the internet at the airport, a university, or through other public Wi-Fi or another provider of the needed internet connection. Without the proper protections (which usually don’t travel with the employee), the information is almost as vulnerable as if the laptop were provided for international travel.

What can be done?
The best place to begin change is by facing the facts: global connectivity of the internet makes our sensitive information vulnerable to exploitation. Other people want your information. Even more eye-opening is that an adversary with limited resources is better equipped through this connectivity to target and acquire information they seek. Defense contractors should assume the task of making targeted information very difficult to get.

Begin by developing a culture within your company that builds awareness of information vulnerabilities both within and external to the facility. Construct the behavior that recognizes and prevents unauthorized disclosure of economic, classified or sensitive information.

Consider any removal of information from the security of the enterprise network as vulnerable to export violation.
This culture should include a policy for removing company information systems containing sensitive information. Prior to employee travel, remove export-controlled or other sensitive information, or prepare special travel computers with only the information employees need to conduct the business at hand (make sure the information is authorized by license or agreement with the State Department or Commerce Department to prevent an export violation).
