Guidelines for Protecting U.S. Business Information Overseas

A series of publications by the Bureau of Diplomatic Security, Overseas Security Advisory Council (OSAC), produced November 1995, providing guidance, suggestions, and planning for the American traveler on a variety of security related issues.

Released on the Web June 5, 1996

INTRODUCTION

Each day America becomes driven more and more by information. Proprietary information is our chief competitive asset, vital to both our industry and our society. Our livelihood and, indeed, our national strength depend on our ability to protect industrial and economic data.

This pamphlet outlines some steps that may be taken to protect information and to raise the general level of awareness to the threat by Americans living, working, or traveling abroad.

WHAT INFORMATION SHOULD BE PROTECTED?

Any information, creative or innovative, that provides a U.S. company with a competitive edge over its competitors, and whose loss would negatively impact an investment in time, product, finances, plants, or personnel, should be protected.

It could be a trade secret, patent information, or intellectual property; a simple improvement in the way a certain American industry produces a product or does business; a technical modification, new technique, personnel policy, or management concept; or employee human resources information.

COMPANY EMPLOYEES

Current government and industrial security studies and surveys reveal that the majority of competitive information theft cases that occur in the United States and overseas involve a company's employees, contractors, vendors, and suppliers.

An employee's rank in the company is not necessarily commensurate with the interest of a foreign intelligence agency, which, besides targeting researchers, key managers, and corporate executives, will target:

- Secretaries
- Computer operators
- Technicians
- Maintenance personnel

The latter frequently have good, if not the best, access to competitive information.

Application of need-to-know procedures will help. Carefully compartmentalizing competitive information on that basis provides two advantages: it slows or stops an information thief, and it may provide an indicator of an employee seeking to obtain competitive information beyond his or her need to know.

When local laws allow, it is prudent to conduct background investigations on prospective employees. A comprehensive background investigation can provide, prior to offering an applicant employment with a company, the best information concerning the person's social, education, military, credit, civil and criminal litigation, and employment histories.

VENDORS, CONTRACTORS, AND SUPPLIERS

Recent U.S. Government and security industry surveys regarding safeguarding of proprietary information revealed that vendors, contractors, and suppliers accounted for almost 15 percent of all disclosures, misappropriation, and thefts of U.S. business competitive information. Generally these groups should be:

- Controlled, documented, and required to wear a photo identification
- Escorted throughout the general premises by the person they are visiting
- Restricted from unnecessary admittance to high-security areas, or escorted at all times
- Required to sign nondisclosure and confidentiality agreements

VISITOR TOURS

Public tours of buildings containing competitive information should be discouraged. Similarly visitor tours of high-security areas should be prohibited.

All requests for tours by academic, industrial, fraternal, social, or media groups should be passed to security departments for background checks.

WORKPLACE VULNERABILITIES

U.S. businesses or research locations overseas are principal targets of those seeking to compromise competitive information. If possible, locate corporate offices in facilities totally controlled by the corporation.

Location, Location, Location

Site location and construction should be the best that will allow for normal and prudent security measures.

Normal security steps dictate that building perimeters and internal sensitive areas be secure, and that the general public, unescorted visitors, and unauthorized personnel be restricted from research, production, and business areas where competitive information is used. Prudent security steps dictate that existing security controls should always be reviewed for improvement or modification and that an awareness program, as well as policy and guidelines be established to protect competitive information.

FACILITIES PERIMETER

All windows, external and internal doors, and high-security areas should be provided with intrusion alarm monitoring. Alarm systems should be supplemented by lighting, as discussed below. The alarm signal must be communicated to a location where a speedy and appropriate response can be provided.

The entire perimeter of any office building that serves as a perimeter barrier should be adequately illuminated during hours of darkness. Other perimeters, such as walls, fences, and natural barriers, should be illuminated to both detect and deter persons attempting to gain unauthorized access to the building. Adequate interior night lights should be left on whenever the building is not occupied. Security personnel should control:

- Perimeter and internal sensitive area access
- Keys and locks supervision
- Access card supervision
- Employee, visitor, contractor, and vendor identification badges

High-Security Areas

High-security areas include, but are not limited to: design studios, strategic planning areas, engineering and research facilities, mailrooms, telephone switching rooms, computer facilities, and other similar areas. In general, office safeguards and possible restriction to a high-security level should be provided for:

- Designated photo copiers
- Encrypted telecommunication equipment
- Facsimile machines and other reproduction equipment. If this cannot be done, the equipment should be provided with access control devices to prevent unauthorized usage.
- Executive offices, research labs and work areas
- Lockable file cabinets and desks and vaults to secure competitive information
- Keys, combination locks, and access cards to maintain the effectiveness of these devices

Certain offices or portions thereof may require designation as high-security areas if:

- Highly sensitive competitive information is present.
- Access is limited and entry is restricted to only those persons who possess special identification and who are specifically permitted entry.
- A higher level access control device is used above that operating at the perimeter of the building.
- A procedure, such as a receipt and copy accountability system, is established for the authorized removal of all competitive information, blueprints, drawings, and other documents contained in these areas.

Storage Facilities

Provide secure facilities for the storage of competitive information such as desks, offices, safes, vaults, filing cabinets, etc.

Clean-Desk Policy

- Encourage a clean-desk policy for all offices during non-business hours.
- Require a clean-desk policy in high-security areas.

Cleaning and Maintenance

Cleaning and maintenance should be done during times when responsible company supervisors are present to monitor such activity.

Disposal of Competitive Information

Competitive information must be destroyed when no longer needed.

Each work area must have adequate shredding capabilities or controlled disposal functions. Make each functional area responsible for verifying that competitive information is properly disposed.

COMMUNICATIONS

Easily accessed and intercepted telecommunications present a highly vulnerable and lucrative target for anyone interested in obtaining competitive information. Increased usage by businesses of these links for bulk computer data transmission and electronic mail makes telecommunications intercept efforts cost effective for intelligence collectors worldwide.

U.S. companies should:

- Assume that all overseas telecommunications are intercepted, recorded, and organized into reports and reviewed for economic intelligence.
- "Button-up" all competitive information communications to maintain their competitive edge.

Threats

U.S. companies should be aware of, and sensitize their employees overseas to, the fact that:

- All foreign telephone systems are either owned or controlled by the host government. This allows the government to easily monitor transmissions of selected U.S. corporations.
- Intelligence agencies of third-party nations, terrorists, and criminals monitor electronic transmissions.
- Business and technical data obtained from U.S. corporations may be, and often are, provided to foreign competitors and potential customers.
- Personal information obtained may be used to kidnap executives for financial gain or political purposes.
- Electronic equipment, such as facsimile machines, telephones, and desktop computers, may be altered to make electronic monitoring easier.

Vulnerabilities

Telecommunications monitoring may be done at a phone company's switching facilities; phone lines may be tapped or bugged; or microwave transmissions may be intercepted anywhere between the two microwave towers.

Telephones do not necessarily cease transmitting once they are hung-up. Conversations taking place near a phone may be transmitted to the foreign state's telephone system switching facility and can be monitored anywhere between the phone and that facility.

Many telecommunications transmissions will contain "key words" used to identify information of interest to a third party. A key word can be the name of a technology, product, project, or anything else that may identify the subject of the transmission.

Encryption should be the first line of defense since it is easier for foreign intelligence services to monitor lines than to place "bugs"; however, encryption will provide little, if any, security if a careful examination for audio "bugs" elsewhere in the room is not conducted.

Most international U.S. corporate telecommunications are not encrypted. Some countries do not allow encryption of telecommunications traffic within their borders, but it should be considered, where feasible, for any transmission of competitive information.

About half of all overseas telecommunications are facsimile transmissions which, because they are emanations, may be intercepted by foreign intelligence services since many of the foreign telephone companies are foreign owned.

In addition, many American companies have begun using what is called electronic data interchange, a system of transferring corporate bidding, invoice, and pricing data electronically overseas. This type of information is invaluable to many foreign intelligence services that support their national businesses.

Video Conferences

The threat is essentially the same as that to other types of telecommunications. Adversaries can purchase or replicate specific equipment used by an American company and then either tap into the line or use other means to monitor both audio and video.

Although encryption is available for some video conferencing installations, many countries do not allow any type of encryption and others allow only that type which they can break.

Electronic Transmissions

Most foreign common carriers are government controlled or owned. Trade secrets, data, marketing strategies, and personnel information that are discussed or sent over host country telephone lines are easily obtained by foreign interests.

Electronic Media Path

Electronic data is most easily recovered when a signal is not multiplexed or mixed with other data signals, i.e., data transmitted from a telephone instrument to a telephone switch. Only a minimal investment is required to retrieve data not masked with other voice or data. For this reason, it is better to use standard dial-up versus dedicated lines.

Data and voice that is routed on major transmission paths--such as microwave or satellite transmission--have less likelihood of being monitored by hackers or low-cost monitoring operations, because the cost of sifting through such a volume of information to access one target is often cost prohibitive. However, a well-financed intelligence gathering operation may find satellite or microwave transmissions the best intercept opportunity, since they can be monitored at great distances with little or no threat of detection.

Suggested Telecommunication Countermeasures

Below is a list of suggested actions that may be taken in order to improve the security of your telecommunications transmissions.

- Whenever possible, use your corporate transmission facilities instead of those of the host government.
- Encrypt electronic transmissions whenever possible. Computer links, facsimile transmissions, E-mail, and voice transmissions can all be encrypted.
- The National Institute of Standards and Technology (NIST) conducts validations of products for conformance to cryptographic standards for encryption and publishes the results quarterly in the "Validated Products List."

Subscriptions are available from:

National Technical Information Service
U.S. Department of Commerce
5285 Port Royal Road
Springfield, VA 22161

- Neutralize the vulnerability of telephones. A small, company-controlled switch installed within the facility can help ensure that conversations are not transmitted through handsets that are "hung-up," and also can serve to decrease the threat of covert line access.
- Avoid "key words" or phrases that may be used by intelligence agencies and others to search recorded conversations for subjects of interest. Examples would be project names, product names, the names of persons of interest (e.g. heads of state, CEOs, etc.) and classification labels such as sensitive and "company confidential."
- Positively identify all parties participating in phone conversations or receiving the facsimile transmissions.
- Always keep at least one phone and facsimile machine secured in a container equipped with a combination lock, and restrict access to the combination. This will help maintain the integrity of that equipment.
- Check connecting lines to telecommunication devices (telephones, computers, fax machines, etc.) monthly to ensure that the line has not been replaced or modified by unauthorized personnel.
- Placing stickers on phones warning of hostile monitoring will be helpful to maintain awareness.

COMPUTER TECHNOLOGY

Computers can pose enormous security problems. While they contain great volumes of information, they also concentrate it, and if not protected, they can make the task of the information thief much easier. When the facility is located overseas, the following additional security issues should be considered.

Access

Because one cannot assume that employment practices are the same from country to country, it is not always possible to dictate what employees can do or where they can go.

For example, in some countries you are not permitted to log the fact that a specific person accessed a specific data set at a certain time on a certain date, because such a log could be misused to inappropriately monitor work habits, speed, and productivity.

Similarly, in some countries, there are resident fire marshals in the facility who do not work for the enterprise, but are authorized access to each and every part of the physical facility.

Magnetic Media Control

Managers must be sensitive to mailing or physically carrying magnetic media between countries.

The information on magnetic media may be vulnerable during interaction with the local customs authorities, which could be far more damaging to a business.

In either mailing or carrying, accountability is lost once the material is turned over to local customs personnel to be "cleared." Often, the time involved, as well as the other details of what "cleared" means, are not always spelled out to private industry.

Distributed Printer Control

Physical access to printers used within a computing center is usually well controlled. However, small, powerful, printing facilities, which can be readily hooked-up with printed output routed directly to such devices by any employee, are coming increasingly into use. It is strongly recommended that attention be given to ensuring that:

- Printed output may be picked up only by the information owner or his or her representatives.
- Printers are placed in a room having a controlled-access system.

Cellular PCs

The cellular portable computer is relatively new technology, having unique security considerations that one might easily overlook. The system is essentially a personal computer with an integrated modem, which is a device used to change signals understood by telephone technology into signals understood by computers, and vice versa. There is also a built-in cellular telephone that allows a person with a single action to place a call to a computer system, connect the personal computer to it, and interact with a host computer. Sometimes overlooked with this technology is the fact that cellular telephones:

- Use radio frequencies to communicate
- Are vulnerable to unauthorized interception, recording, and subsequent analysis. Monitoring equipment is readily available to foreign intelligence services and to the more sophisticated business espionage agent.

Virus Contamination and Detection

Although it is a standard precaution to take special care when receiving a PC program from someone because of the possibility of virus contamination, the risk is exponentially greater during foreign travel.

Answering the questions in the checklist below can identify opportunities to improve the security of your computer software and hardware.

Computer Security Checklist

International Travel

- Does the local power supply match your system's requirements?
- Are electrical power transformers, filters, surge protectors or uninterruptible power supply (UPS) units available to protect your equipment?
- Does the government impose restrictions on the import of computer hardware and software into the country?

Environment

- Will the computer be used in a low humidity area where damage from static electricity may be sustained?
- Are carpets treated?
- Are humidifiers available?
- Will the computer be used in a hot, dusty climate?
- Are office temperature controls sufficient?
- Are dust covers available?

Physical Security

- Is the work area kept clear of soft drinks, coffee and other liquids, that, when accidentally spilled, may damage equipment?
- Are diskettes physically labeled and handled as directed by the manufacturer? Are sensitive diskettes sufficiently write-protected to avoid accidental or malicious damage or destruction?
- Are backup copies stored off-site?
- Is the computer sufficiently protected from acts of sabotage, tampering, and theft?
- Are modems (particularly those with an automatic answer feature) disconnected or powered off when not in use?
- Are printer ribbons, sensitive printouts, and diskettes burned, shredded, or degaussed as appropriate to prevent inadvertent information disclosure?

System Security

- Are spare, user-serviceable parts available in the event of failure?
- Are backup copies of software and data produced periodically?
- Has a backup system (contingency) been identified to continue critical operations in the event of a failure or disaster? Has it been tested?
- Are sufficient controls in place to prevent violation of manufacturers' copyrights and license agreements?
- Are software controls present to authenticate individual system users?
- Are passwords changed frequently and are they easily guessed?
- Is a security erase or file scrub program present on the system that will overwrite sensitive data on the hard disk when a file is deleted? Is it used?
- Are system hardware and software controls present to authenticate individual system users?

Virus Protection

- Are software and data diskettes received from reliable, trustworthy sources?
- Is software received from outside sources scanned for computer viruses with current virus detection software?

Computer Security Guidance

Under the Computer Security Act of 1987, the National Institute of Standards and Technology (NIST) develops standards and guidelines for the protection of sensitive information.

For a listing of available documents, including ordering information, request a free copy of Publications List 91 from the following:

CSL Publications Technology Building
Room B64
National Institute of Standards and Technology
U.S. Department of Commerce
Gaithersburg, MD 20899

EFFECTS OF TELECOMMUNICATIONS ON COMPUTER SECURITY

Telecommunications technology provides for electronic "highways" that now enable a person to directly access a computer system on another continent. Many U.S. corporations are dependent for their very survival on data being stored and processed on these computer systems. It is therefore mandatory that access control security software and procedures are implemented for any computer interfacing with a network or telephone system. Hacking into computers is now a standard tool for those involved in espionage and computer crime. Once an intruder has gained entry, he or she may be able to view, change, or destroy valuable company data and information. Electronic terrorism, placing a corporation's information assets at risk, also is possible.

Consider the following tips to reduce the possibility of unauthorized access through networks:

- Apply access control software and procedures to the corporation's networks; keep the intruder off the "highway."
- Ensure that the corporation's computer systems are protected.
- Mandate that all users change passwords at least once every 60 days, allow no more than three consecutive invalid passwords before suspending a user ID, and ensure that all passwords are at least six characters in length. Also, encourage employees to use passwords that do not relate to their lives (names of family, pets, sports teams, etc.). Hackers often gain entry by simply guessing passwords.
- Control the phone numbers to the corporation's networks and computer systems as competitive information. Minimize their distribution and notify corporate employees that the numbers should be guarded.
- Test corporate networks for the existence of unauthorized modems that could provide access to eavesdroppers.
- Encrypt computer-to-computer sensitive transmissions, including electronic mail.
- Require all personnel to agree in writing before they are granted access to corporate networks and computer systems, that they will keep competitive information confidential, and that they will abide by the corporation's information protection standards.
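
The password rules in the list above (change at least every 60 days, suspend a user ID after three consecutive invalid passwords, six-character minimum, nothing relating to the user's life) can be expressed as a small policy check. This is an added example, not part of the original pamphlet; the Account fields, function names, and sample events are constructed for illustration, and it assumes the user ID is suspended on the third consecutive invalid password.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds taken from the pamphlet's password guidance.
MAX_PASSWORD_AGE = timedelta(days=60)
MAX_CONSECUTIVE_FAILURES = 3   # assumption: suspend on the third invalid attempt
MIN_PASSWORD_LENGTH = 6


@dataclass
class Account:                      # hypothetical record, not a real product's schema
    user_id: str
    password_set_on: date
    personal_terms: tuple = ()      # family, pet, team names known for the user
    consecutive_failures: int = 0
    suspended: bool = False


def password_problems(candidate, account):
    """Return the reasons a proposed password violates the policy."""
    problems = []
    if len(candidate) < MIN_PASSWORD_LENGTH:
        problems.append("too short")
    lowered = candidate.lower()
    for term in account.personal_terms:
        if term and term.lower() in lowered:
            problems.append(f"contains personal term '{term}'")
    return problems


def record_login(account, success, today):
    """Apply one login attempt and return the resulting decision."""
    if account.suspended:
        return "suspended"          # stays suspended until an administrator resets it
    if not success:
        account.consecutive_failures += 1
        if account.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            account.suspended = True
            return "suspended"
        return "denied"
    account.consecutive_failures = 0   # only *consecutive* failures count
    if today - account.password_set_on > MAX_PASSWORD_AGE:
        return "change_required"
    return "ok"


def run_sample():
    """Replay a constructed sequence of login attempts."""
    today = date(2024, 1, 15)
    accounts = {
        "alice": Account("alice", date(2024, 1, 1)),
        "bob": Account("bob", date(2023, 10, 1)),
    }
    events = [  # (user_id, password_was_valid), constructed sample data
        ("alice", False), ("alice", False), ("alice", True),
        ("alice", False), ("alice", False), ("alice", False),
        ("alice", True),
        ("bob", True),
    ]
    return [(uid, record_login(accounts[uid], ok, today)) for uid, ok in events]


if __name__ == "__main__":
    for user_id, decision in run_sample():
        print(user_id, decision)
    print(password_problems("rex95", Account("carol", date(2024, 1, 1), ("Rex",))))
```
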

AT HOME

Many of the same principles that apply to maintaining a safe and secure office apply equally to a residence. These elements will vary depending on the foreign environment and the associated risk factors. As a general rule, competitive information should not be taken home. However, should it become necessary, the level of protection afforded competitive information in the home must be equal to or greater than the standard of protection it is afforded in the office.

A favorite technique of information thieves is the examination of trash containers. Consequently, the disposal of competitive information should not be done at home. Such materials should be transported to the workplace where they may be properly destroyed.

HOME SECURITY CHECKLIST

Access to residential buildings where competitive information is located must be limited to only authorized persons. This will require appropriate locking devices and an alarm system that will detect an attempted intrusion and alert authorities and other responsible parties. A specific area or areas within the residence should be designated for working on competitive information.

Access should be limited to authorized family and service personnel. Such information, when left unattended, should be secured in an appropriate container. Control of the keys for these containers should be limited.

Cleaning activities should be done only when competitive information items are cleared from the area, secured, or when the area is monitored by the owner, custodian, or user of the information.

Residences and residential buildings should have appropriate:

- Access controls to restrict unauthorized persons and vehicles
- Locking devices on exterior windows and doors
- Intrusion-control alarm systems where possible
- Procedures for the positive identification of visitors and utility personnel prior to entry

Within the residence, the work area should include the following life and safety equipment:

- Flashlight
- First-aid kit
- Emergency radio and/or cellular phone
- Fire and smoke alarms
- Safehaven

Specific areas for competitive information work should include:

- Limited access to only authorized persons
- Lockable desk and computer equipment and files
- Procedures imposed for access safeguards on computer equipment
- Storage of authorized company software on designated computer
- An appropriate shredder
- Limited cleaning conducted only in the presence of the employee or other responsible person

BUSINESS TRAVEL

Travel With a Laptop Computer

Business personnel who travel should adopt normal and prudent computer safeguards while traveling.

Never:

- Leave a laptop unattended while in an airport terminal, checking in and out of hotels, or at a business location
- Operate a computer while in public areas such as airport waiting rooms, cafeterias, or snack bars
- Check a laptop with luggage. Laptops should always be stowed in carry-on baggage that will stay with the traveler at all times
- Check a laptop in a temporary airport or train station storage locker even for a short time

Working in Hotels With a PC

Hotel rooms are not secure. Leaving important company information in your room, even in a locked briefcase or PC, is an invitation for material to be copied or photographed while you are out. Hotel vaults are not much better. Foreign intelligence officers can gain access without you becoming aware of the compromise.

Reduce hard copy material as much as possible and carry what you must take on your person, possibly on disk, or secure it in a company vault.

U.S. business travelers should not assume that the U.S. standards in telecommunication security will be the case when traveling overseas. The quality of service, as well as the technical standards and conventions used, vary dramatically from country to country.

Scientific Conferences

Historically, scientific conferences and trade association meetings have been targeted by some foreign intelligence agencies. Today these meetings are still targeted, but the goal is to learn economic information that will improve the position of our foreign competitors. Individuals collecting this type of information may be managers, corporate officers, sales people, and other business people, scientists, engineers, and other technical personnel. There is a growing trend for foreign corporations to employ former intelligence officers for industrial work. Protect yourself by practicing discretion and remembering that not only time, but information, is money.

Eavesdropping

INFORMATION OF COMPETITIVE VALUE SHOULD NOT BE DISCUSSED IN PUBLIC PLACES.

Discussions on airplanes are overheard by those around you. Eavesdropping can result in gathering meaningful information in a radius of 6-8 seats. Recent revelations in the media specifically mention valuable information gathered by eavesdropping on conversations held on aircraft and in bars and restaurants.

Destruction of Information Waste

- Keep unwanted material until you can dispose of it securely.
- Paper should be burned or shredded. If shredded, the type of shredder should cut horizontally and vertically.
- Floppy disks should be cut in small pieces and discarded.

Necessary Communications

- Avoid sending facsimiles or conducting sensitive conversations on local or international telephone lines.
- Fax, telex, and data systems are all vulnerable to interception, particularly in overseas hotels.
- On important issues, go to the extra trouble of identifying company travelers for the purpose of carrying information rather than entrusting it to less secure electronic means.

Be Alert!!!

Be aware of new acquaintances who probe for information or attempt to place you in a compromising situation. In an unusual situation, have an American colleague present. The watchword in travel while in foreign countries is discretion.

ADDITIONAL INFORMATION

We hope this pamphlet provided you with some basic information you should consider in dealing with important issues. For a more detailed discussion, please review our expanded version, Guidelines for Protecting U.S. Business Information Overseas, available through the Overseas Security Advisory Council.