Counterintelligence and Cyber News and Views

April 2013 Volume 2 Issue 2

INSIDE THIS ISSUE:

PG. 1 CURRENT TREND ANALYSIS

PG. 2 REVIEW OF COUNTERINTELLIGENCE/CYBER SECURITY SEMINAR

PG. 7 ARRESTS, TRIALS, CONVICTIONS

PG. 7 NAVY SPY DELISLE SENTENCED TO 20 YEARS IN PRISON

PG. 7 FOREIGN ECONOMIC INVESTIGATION LEADS TO ARREST

PG. 8 IRANIAN CITIZEN SENTENCED IN PLOT TO EXPORT AIRCRAFT PARTS TO IRAN

PG. 9 US DEFENCE CONTRACTOR, 59, 'GAVE CLASSIFIED INFORMATION TO 27-YEAR-OLD CHINESE LOVER IN HONEYTRAP'

PG. 12 FORMER U.S. CONSULATE GUARD SENTENCED TO NINE YEARS IN PRISON FOR ATTEMPTING TO COMMUNICATE NATIONAL DEFENSE INFORMATION TO CHINA

PG. 13 ALASKA-BASED SOLDIER GETS 16 YEARS IN SPY CASE

PG. 14 METHODS AND TECHNIQUES

PG. 14 5 LESSONS FROM THE FBI INSIDER THREAT PROGRAM

PG. 15 ATTORNEY GENERAL ERIC HOLDER SPEAKS AT THE ADMINISTRATION TRADE SECRET STRATEGY ROLLOUT

PG. 17 CYBER RELATED THREATS REPORTED IN THE DHS DAILY OPEN SOURCE INFRASTRUCTURE REPORT

PG. 20 VIRUS ALERT EMAIL NOT REALLY FROM FBI

PG. 20 LOOKING FOR LOVE? BEWARE OF ONLINE DATING SCAMS

PG. 21 STATEMENT TO HOUSE COMMITTEE ON THE JUDICIARY, SUBCOMMITTEE ON CRIME, TERRORISM, AND HOMELAND SECURITY

PG. 23 DEPUTY ATTORNEY GENERAL JAMES M. COLE SPEAKS AT THE ADMINISTRATION EVENT TO HIGHLIGHT PRIORITIES FOR CYBERSECURITY POLICY

PG. 24 EXECUTIVE ORDER -- IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY

PG. 28 THE FBI IN POPULAR FICTION (COMIC BOOKS)

PG. 28 TRAVEL APP INFORMATION

PG. 29 ADVANTAGE SCI PRODUCTS, SERVICES, TRAINING

Corporate Headquarters
222 North Sepulveda Boulevard, Suite 1780
El Segundo, California 90245
(310) 536-9876
www.advantagesci.com

CI TRENDS

In this issue of Counterintelligence and Cyber News and Views we would like to focus on recent arrests and convictions related to counterintelligence (CI). Most of the stories that follow occurred between January and April 2013. Most of the persons discussed within this article represent the type of targets Hostile Intelligence Services (HOIS) will attempt to recruit or compromise. You will see, from within these stories, a pattern of methodology used by our foes to compromise individuals, gain access to our technology and use it to our disadvantage. Additionally, stories of greed, revenge and fraud round out some of the methods CI professionals find daily in their struggles to protect classified, sensitive, and export controlled information.

Our first story, represents, in our opinion (let’s wait for the trial before we call anybody guilty) a classic case of the so called “honeypot,” where an older male has been, apparently, seduced by a younger woman, and passes on to her US government classified information.

This is the apparent story of “Benjamin Pierce Bishop, 59, a former U.S. Army officer who works as a civilian employee of a defense contractor at U.S. Pacific Command (USPACOM) in Hawaii, "Bishop…(was) …”arrested on charges of communicating classified national defense information to a person not entitled to receive such information.” The US Attorney for Honolulu’s press release regarding this case is reprinted in its entirety later in this newsletter.

In summary, a 27-year-old female citizen of the PRC has, in all likelihood, seduced a retired U.S. Army Lieutenant Colonel into allegedly “telling his 27-year-old Chinese girlfriend top secret details about the U.S.’s nuclear capabilities and defense protocols.”

We will continue to follow this story with great interest and will keep readers of this newsletter apprised of any updates.

(Continued on pg. 3)

NOTE: Much of the Information contained within this newsletter originates from websites maintained by agencies of the U.S. Federal Government. The original web address from which material has been derived is posted at the beginning of reproduced articles. Readers are always encouraged to visit the web address from where the article has been derived from, in order to view the article in the original form in which it was presented. This newsletter also contains commentary from the editor of the newsletter. Such commentary is solely the opinion of the newsletter editor and does not represent the views of the U.S. Government, nor the agency originally presenting this information on the internet. Questions, comments, and subscription requests may be directed to the editor at [email protected] or to Richard Haidle at 310-536-9876 x237

Counterintelligence/Cyber Security Seminar: Lively Discussions, Enlightening Views

Advantage SCI hosted its first CI/Cyber Security Seminar on Wednesday, February 27th 2013. With more than 35 attendees, a diverse mix of cleared defense contractors, government, and municipal employees was in attendance.

Advantage SCI CEO and President, Elsa Lee, welcomed our guests, and provided a brief overview of the company.

Our first presentation of the day was provided by Mike Hartman (pictured at right) of the Aerospace Corporation. Mike retired from the FBI Los Angeles as the Assistant Special Agent in Charge for Counterintelligence before moving onto the Aerospace Corporation in the early 2000s.

Mike discussed the art of counterintelligence and its current state. He delineated case examples and current legal precedents affecting counterintelligence. Finally, he pointed out trends and issues the discipline faces going forward.

Following Mike was Brian Smith from Advantage SCI (pictured at right, middle photo). Brian is a retired Lieutenant Colonel from the USAF. Brian gave an excellent presentation on the collection of intelligence and the methods used by foreign governments to obtain that intelligence.

Next, Deb Thomas (pictured at bottom right) from The Walt Disney Company spoke. Deb retired from the USAF as an OSI agent, then worked at Boeing before joining Disney. Deb discussed the protection of intellectual property and some of the inherent challenges.

Our final presenter of the day was Jason Smolanoff of Stroz Friedberg. Jason was a Supervisory Special Agent with the FBI, heading up one of the FBI Los Angeles Cyber squads prior to joining Stroz Friedberg. Jason gave a very lively and informative presentation regarding the current state of cyber crime and the threats we face going forward into the electronic world.

Our seminar was a great success. Our guests provided great reviews of the day’s presentations.

With the favorable reviews and positive comments, another seminar will be planned for the late summer or early fall.

(Continued from pg. 1)

The next arrest of interest is outlined in this brief extract from the Washington Examiner at web link: http://washingtonexaminer.com/watchdog-alert-fbi-arrests-nasa-contract-employer-trying-to-flee-to-china/article/2524691 where the arrest of Chinese national Bo Jiang is reported:

“Jiang was employed by the National Institute of Aerospace, a Hampton, VA-based NASA contractor. The position afforded Jiang virtually unlimited, unescorted access to the NASA Langley facility, which is the location for classified research programs related to U.S. space defense technologies.

Ronda Squizzero, an FBI Special Agent said in documents Wolf made available today concerning Jiang’s arrest that he “was leaving the United States abruptly to return to China on a one-way ticket.”

The FBI is “investigating conspiracies and substantive violations of the Arms Export Control Act,” according to the FBI’s arrest warrant.

Jiang also is charged with making a false statement to federal law enforcement agents, including his attempt to conceal a “laptop, and old hard drive and a SIM card,” according to the FBI agent.

The FBI said it “believes this to be material to the federal investigation, in that it was important to learn what electronic media Jiang was taking out of the United States.”

Wolf said the Chinese national’s activities came to his attention from whistleblowers who worked at NASA Langley.

“I want to credit the whistleblowers at NASA who brought Mr. Jiang’s security violations to my attention, which resulted in this investigation,” Wolf said at today’s news conference.

After learning about Jiang, Wolf met with the FBI’s counterintelligence office and called FBI Director Robert Mueller about Jiang.

Wolf said he hopes to learn more about the information contained on Jiang’s hard drive. He said “we know that Mr. Jiang has in the past taken sensitive information back to China that he should not have been allowed to remove at Langley.”

Wolf also said he believes Jiang’s information “may pertain to the source code for high-tech imaging technology that Jiang has been working on with NASA. This information could have significant military applications for the Chinese Peoples Liberation Army.”

Sensitive technologies that are supposed to be strictly limited by U.S. export control laws are essential to U.S. space defense programs, but Wolf said they could also apply to “unmanned aerial vehicles and other aerospace/aeronautic technologies.”

There is little information publicly available regarding this case beyond what we have included here.

Located at http://www.federalnewsradio.com/pdfs/jiang_affadavit.pdf the FBI affidavit for this case implies the existence of a great deal of sensitive, possibly export controlled or classified information that Bo Jiang was trying to take with him to China.

Again, we anxiously await further details on this sensitive case.

Our next case of interest involves one Hua Jun Zhao. “On March 29, 2013, special agents in the Milwaukee Division of the FBI arrested Hua Jun Zhao, age 42. Zhao is charged via a criminal complaint for knowingly engaging in economic espionage benefiting a foreign government, foreign instrumentality, or foreign agent, in violation of Title 18, United States Code, Section 1831 (a) (1)(2)(3)”.

“Zhao is alleged to have used his employment and position at the Medical College of Wisconsin to illegally acquire patented cancer research material and to have taken steps to provide that material to Zhejiang University in China.”

This apparent case of Economic Espionage harkens back to a 1997 case where Japanese researchers were alleged to have stolen proprietary cancer research information from a clinic in Cleveland. Some involved in this case never were prosecuted because they fled to Japan. The government of Japan would not extradite individuals associated with this case.

Fortunately, in this case, Hua Jun Zhao was arrested and will face trial in a US Court of law.

As reported in the following extract (see http://www.justice.gov/opa/pr/2013/March/13-nsd-269.html ) former U.S. Consulate Guard Bryan Underwood was convicted of attempting to communicate national defense information to a foreign government with intent or reason to believe that the documents, photographs or information in question were to be used to the injury of the United States or to the advantage of a foreign nation.

According to the US Attorney’s press release:

Bryan Underwood, a former civilian guard at a U.S. Consulate compound under construction in China, was sentenced to nine years in prison in connection with his efforts to sell for personal financial gain classified photographs, information and access related to the U.S. Consulate to China’s Ministry of State Security (MSS), announced Lisa Monaco, Assistant Attorney General for the Justice Department’s National Security Division; Ronald C. Machen Jr., U.S. Attorney for the District of Columbia; Valerie Parlave, Assistant Director in Charge of the FBI’s Washington Field Office; and Gregory B. Starr, Director of the U.S. State Department’s Diplomatic Security Service.

Underwood pleaded guilty Aug. 30, 2012, in the U.S. District Court for the District of Columbia to one count of attempting to communicate national defense information to a foreign government with intent or reason to believe that the documents, photographs or information in question were to be used to the injury of the United States or to the advantage of a foreign nation. He was sentenced by the Honorable Ellen S. Huvelle. Upon completion of his prison term, Underwood will be placed on two years of supervised release.

Significant about this case is that Underwood, having experienced financial pitfalls, apparently decided to sell out the US Government to recoup his losses. Through good fortune, he was never able to link up with PRC intelligence officers to compromise our diplomatic security.

After admitting his actions, Underwood was released on his own recognizance, and took the opportunity to flee to Los Angeles. He was apprehended there in September 2011. He was sentenced to nine years confinement on March 5, 2013.

In another case of Economic Espionage, detailed at http://www.fbi.gov/newark/press-releases/2013/former-employee-of-new-jersey-defense-contractor-sentenced-to-70-months-in-prison-for-exporting-sensitive-military-technology-to-china “Sixing Liu, aka, “Steve Liu,” 49, a PRC citizen who had recently lived in Flanders, New Jersey, and Deerfield, Illinois was charged with stealing thousands of electronic files from his employer, L-3 Communications, Space and Navigation Division, located in Budd Lake, New Jersey. The stolen files detailed the performance and design of guidance systems for missiles, rockets, target locators, and unmanned aerial vehicles. Liu stole the files to position and prepare himself for future employment in the PRC. As part of that plan, Liu delivered presentations about the technology at several PRC universities, the Chinese Academy of Sciences, and conferences organized by PRC government entities.”

(Continued on pg. 4)

(Continued from pg. 3)

“On November 12, 2010, Liu boarded a flight from Newark Liberty International Airport to the PRC. Upon his return to the United States on November 29, 2010, agents found Liu in possession of a non-work-issued computer containing the stolen material. The following day, Liu lied to agents of the Department of Homeland Security about the extent of his work on U.S. defense technology, which the jury found to be a criminal false statement.”

“The U.S. Department of State’s Directorate of Defense Trade Controls later verified that several of the stolen files on Liu’s computer contained export-controlled technical data that relates to defense items listed on the United States Munitions List (USML). Under federal regulations, items and data covered by the USML may not be exported without a license, which Liu did not obtain. The regulations also provide that it is the policy of the United States to deny licenses to export items and data covered by the USML to countries with which the United States maintains an arms embargo, including the PRC.”

The case, when it went to trial in September 2012, presented information to the jury. “The jury heard testimony that Liu’s company trained him about the United States’ export control laws and told him that most of the company’s products were covered by those laws.

“Sixing Liu, aka, “Steve Liu,” 49, a PRC citizen who had recently lived in Flanders, New Jersey, and Deerfield, Illinois, has been in custody since the September 2012 verdict, based on his risk of flight.

As a result of the trial and testimony, Liu, the “former New Jersey-based defense contractor ... was convicted by a federal jury of exporting sensitive U.S. military technology to the People’s Republic of China (PRC), stealing trade secrets, and lying to federal agents…” Liu…”was sentenced (on 3/25/2013) to 70 months in prison, New Jersey U.S. Attorney Paul J. Fishman announced.

In two other cases, it appears hubris and greed have overtaken two individuals who may have at one time had better intentions and values in mind.

In the first case, James F. Hitselberger, a US Government Linguist in Bahrain, was charged as follows:

On or about April 11, 2012, at the Naval Support Activity – Bahrain, outside the jurisdiction of any particular state or district of the United States, but within the extraterritorial jurisdiction of the United States and therefore, pursuant to Title 18, United States Code, Section 3239, within the venue of the United States District Court for the District of Columbia, the defendant, JAMES F. HITSELBERGER, having unauthorized possession of and control over documents and writings relating to the national defense, did willfully retain documents and writings relating to the national defense, that is, a Joint Special Operations Task Force (JSOTF) Situation Report (SITREP) dated April 11, 2012 (SITREP 104) and classified SECRET, and a Navy Central Command (NAVCENT) Regional Analysis dated April 9, 2012, and classified SECRET, and fail to deliver the same to an officer and employee of the United States entitled to receive it.

(Unlawful Retention of National Defense Information, in violation of Title 18, United States Code, Section 793(e))

On or about March 8, 2012, at the Naval Support Activity – Bahrain, outside the jurisdiction of any particular state or district of the United States, but within the extraterritorial jurisdiction of the United States and therefore, pursuant to Title 18, United States Code, Section 3239, within the venue of the United States District Court for the District of Columbia, the defendant, JAMES F. HITSELBERGER, having unauthorized possession of and control over documents and writings relating to the national defense, did willfully retain documents and writings relating to the national defense, that is, a Joint Special Operations Task Force (JSOTF) Situation Report (SITREP) dated March 8, 2012 (SITREP 72) and classified CONFIDENTIAL, and fail to deliver the same to an officer and employee of the United States entitled to receive it.

(Unlawful Retention of National Defense Information, in violation of Title 18, United States Code, Section 793(e))

Ultimately Hitselberger was also indicted on a third count regarding possession and retention of classified US Government materials.

As this case is pending trial, motives and intentions are mere speculation. But let’s go ahead and speculate in this case, based on the limited information available in the public record.

Mr. Hitselberger had been in email communication with the Hoover Institute, a conservative think tank located at Stanford University. In reading some of these communications, your newsletter editor has reached a preliminary opinion that Hitselberger was donating what he knew to be classified communications to the Hoover Institute for the purpose of academic study. He mentioned what he thought to be the declassification dates for some of the documents, but expressed an opinion that the Hoover Institute should make the appropriate determinations, to include how to use these ostensibly classified communications.

Again, at this point, the following comments are mere speculation, and have no basis in knowledge. They are based on the observations and opinions of an FBI Counterintelligence Agent with over 31 years of government intelligence experience. In your author’s experience it appears here that we have an egotistic academician type who thinks the rules don’t apply to him. He has found classified materials he thinks should be part of a collection of government classified communications available in a think-tank environment for researchers of the future to review.

This speculation is based on information currently available in the public record, and may be proven wrong by future events or information.

In the second case mentioned “Former CIA officer John Kiriakou, 48, of Arlington, Virginia, was sentenced to 30 months in prison, followed by three years of supervised release, for revealing to a journalist the identity of a man whose 20-plus-year career as a covert CIA agent had never been disclosed publicly. Kiriakou also admitted in court that he disclosed information revealing the role of another CIA employee in classified activities.”

“Court records indicate that the e-mails seized during the investigation revealed that Kiriakou disclosed information to journalists about dozens of CIA officers, including numerous covert officers of the National Clandestine Service beyond the one identified in the defense filing by lawyers for the high-value detainees in Guantanamo Bay. The government raised this with the court to demonstrate that the charged conduct was in no sense aberrational or reflective of an atypical lapse of judgment.”

“Kiriakou admitted that, through a series of e-mails with Journalist A, he disclosed the full name of a CIA officer (referred to as “Covert Officer A” in court records) whose association with the CIA had been classified for more than two decades. In addition to identifying the officer for the journalist, Kiriakou also provided information to the journalist that linked the officer to a CIA counterterrorism program known as the Rendition, Detention, and Interrogation (RDI) Program and a particular RDI operation.”

(Continued on pg. 5)

(Continued from pg. 4)

“In addition, Kiriakou admitted that he disclosed to Journalists A and B the name and contact information of a CIA officer, identified in court records as “Officer B,” along with his association with an operation to capture terrorism subject Abu Zubaydah in 2002. Kiriakou knew that the association of Officer B with the Abu Zubaydah operation was classified. Based in part on this information, Journalist B subsequently published a June 2008 front-page story in The New York Times disclosing Officer B’s alleged role in the Abu Zubaydah operation.”

“Kiriakou provided this information to journalists without inquiring what the journalists would do with the information. Without Kiriakou’s knowledge, Journalist A passed the information he obtained from Kiriakou to an investigator assisting in the defense of high-value detainees at Guantanamo Bay. The investigator had been unable to successfully identify either officer until he received this information from Journalist A, which led to Officer B being secretly photographed and his photographs being tendered to high-value terrorist detainees—a result Kiriakou himself described as “terrifying.”

“Kiriakou also admitted that he lied to the CIA regarding the existence and use of a classified technique, referred to as a “magic box,” while seeking permission from the CIA’s Publications Review Board to include the classified technique in a book.”

Mr. Kiriakou was playing a dangerous game here. He compromised the name of an intelligence agent, possibly putting that agent’s safety at risk. He could have compromised intelligence activities, and possibly put lives in jeopardy.

“In a statement of facts filed with his plea agreement, Kiriakou admitted that he made illegal disclosures about two CIA employees and their involvement in classified operations to two journalists (referenced as “Journalist A” and “Journalist B” in court records) on multiple occasions between 2007 and 2009.”

Again here, we have an individual who thinks the rules do not apply to him. No malicious intent, no revenge or greed, perhaps just wanting to establish his knowledge and expertise to aggrandize himself. Still, a potentially dangerous game for the person whom he was referring to, and, ultimately, dangerous to him for at least the 30 months he will be in federal confinement.

Moving onto computer intrusions and computer hacking activity, we have one Eric J. Rosol, 37, of Black Creek, Wis., who is charged with one count of conspiracy to damage a protected computer and one count of damaging a protected computer.

“In February 2011, a loosely organized group of computer hackers called Anonymous began using Internet Relay Chat (IRC) channels to advertise a dedicated denial of service attack against Koch industries and seeking participants to the attack. Such an attack aims at making a computer resource unavailable to users by saturating the target computer with large numbers of external communication requests. If successful, the attack causes the target computer to be unable to respond or to respond so slowly as to be effectively unavailable to users.”

“The attack was to be undertaken using a tool known as a “Low Orbit Ion Cannon” that could send a high volume of repeated requests to Koch Web sites.”

“On Feb. 27, 2011, Anonymous told conspirators to use the Low Orbit Ion Cannon to attack a Koch Industries Web site, “quiltednorthern.com.”

“On Feb. 28, 2011, Anonymous told conspirators to attack a Koch Industries Web site, “Kochind.com.” Rosol and others launched Low Orbit Ion Cannon attacks on “Kochind.com.”

“As a result of the attack, the Web site “Kochind.com” crashed and was unavailable for legitimate traffic.”

This attack on Koch Industries will, in all likelihood, place Mr. Rosol in personal legal peril. If convicted, he faces a maximum penalty of five years in federal prison and a fine up to $250,000 on each count.

In another computer hacking related case “a Texas resident was convicted ... by a federal jury for conspiring to hack into his former employer’s computer network, announced Acting Assistant Attorney General Mythili Raman of the Justice Department’s Criminal Division and U.S. Attorney for the Northern District of Texas Sarah R. Saldaña.”

“Michael Musacchio, 61, of Plano, Texas, was found guilty by a federal jury in Dallas of one felony count of conspiracy to make unauthorized access to a protected computer (hacking) and two substantive felony counts of hacking.”

“According to the evidence submitted at trial, from 2002 to 2004, Musacchio was the president of Exel Transportation Services, a third party logistics or intermodal transportation company that facilitated links between shippers and common carriers in the manufacturing, retail and consumer industries. In 2004, Musacchio left Exel to form a competing company, Total Transportation Services, where he was the original president and CEO. Two other former Exel employees, Joseph Roy Brown and John Michael Kelly, also went to work at Musacchio’s new company. Trial testimony and exhibits established that between 2004 and 2006, Musacchio, Brown and Kelly engaged in a scheme to hack into Exel’s computer system for the purpose of conducting corporate espionage. Through their repeated unauthorized accesses into Exel’s email accounts, the co-conspirators were able to obtain Exel’s confidential and proprietary business information and use it to benefit themselves and their new employer.”

“A federal grand jury had returned an indictment against the three men on Nov. 2, 2010. Brown and Kelly entered guilty pleas on May 19, 2011, and Aug. 2, 2012, respectively, and are awaiting sentencing. Musacchio is scheduled to be sentenced on June 14, 2013, before U.S. District Judge Jorge A. Solis in the Northern District of Texas.”

In a computer software piracy case, the risk of compromise of sensitive defense information is illustrated by the story linked below:

http://www.networkworld.com/cgi-bin/mailto/x.cgi?pagetosend=/news/2013/031913-us-defense-scientist-bought-pirated-267830.html&pagename=/news/2013/031913-us-defense-scientist-bought-pirated-267830.html&pageurl=http://www.networkworld.com/news/2013/031913-us-defense-scientist-bought-pirated-267830.html&site=security&nsdr=n

The former chief scientist at a Kentucky defense contractor has been sentenced to a year in prison for buying pirated software from Russian and Chinese hackers and using it to design components for military helicopters.

Wronald Best, 55, of Owensboro, Kentucky, purchased the modeling and design software, with a retail value of more than US$2.3 million, for use at his job with MPD, a manufacturer of military and law enforcement equipment, the U.S. Department of Justice said.

An investigation by U.S. Immigration and Customs Enforcement's Homeland Security Investigations (HSI) unit found that Best was one of the top customers for Crack99.com, a site that sells pirated software, in 2008 and 2009, the DOJ said.”

(Continued on pg. 6)

(Continued from pg. 5)

Best told special agents that he used the software to conduct simulations on components MPD was designing for use in military helicopters, including the Black Hawk helicopter and the presidential helicopter fleet, commonly referred to as Marine One, the DOJ said. Other projects on which Best used cracked software included designing Patriot missile components, police radars and breath analysis equipment widely used by American police departments.

Best was sentenced Monday in U.S. District Court for the District of Delaware for conspiracy to commit criminal copyright infringement.

Li pleaded guilty in January to one count of conspiracy to commit copyright infringement and one count of conspiracy to commit wire fraud. He's awaiting sentencing.

The software piracy conspiracy raised investigator concerns that sophisticated modeling software, some of which was on a U.S. restricted export list, was falling into the wrong hands, said John Kelleghan, special agent in charge at HSI Philadelphia.

Best was working on sensitive government projects and "gets into cahoots with a Chinese national and Russian cybercriminals," Kelleghan said. U.S. agencies need to be able to trust their contracting partners, and Best "absolutely failed" in his security agreements with the government, he added.

The DOJ and investigators with HSI accused Best of encouraging Chinese national Xiang Li and a Russian hacker to pirate copies of defense modeling programs and other software.

Xiang Li and a partner sold cracked copies of software on websites including Crack99.com and Cad100.com between April 2008 and November 2010, according to court documents. Many of the software packages they sold had retail values of $10,000 or more.

Best communicated electronically with about 35 different computer code crackers and purchased more than 60 pirated software titles from Chinese and Russian sources, according to court documents. He paid more than $6,000 to obtain pirated software worth more than $2.3 million, the DOJ said.

HSI was tipped off to Li's operation by a software vendor, and the agency's investigation resulted in the notification of cracked software to several other vendors, Kelleghan said. Some of the software vendors "had no clue their software was getting cracked," he said.

The investigation may lead some software vendors to reexamine their anticopying security, Kelleghan said.

The DOJ had sought a three-year prison sentence for Best. Prosecutors argued that Best encouraged Li and the Russian hacker to crack copies of software for him.

Best held a secret U.S. government security clearance, prosecutors wrote in a sentencing document. Best "became the very epitome of a compromised individual known to those who posed an international threat to the United States," prosecutors wrote.

Best's lawyer, Edmund Lyons, argued that criminal copyright sentences were typically much shorter than the DOJ requested, with recent sentences averaging less than a year. Lyons wasn't immediately available for comment Monday.

The HSI investigation found that between April 2008 and June 2011, Li sold about 550 pirated software titles to about 325 customers located in more than 25 states and more than 60 foreign countries. The software, from about 200 vendors, had a retail value of more than $100 million, the DOJ said.

Between January 2010 and June 2011, undercover agents made a series of purchases of pirated software from Crack99.com. Undercover agents met Li in Saipan in June 2011. Li had agreed to travel from China to Saipan to deliver pirated software, design packaging, and 20 gigabytes of proprietary data obtained from the server of a U.S. software company to undercover agents posing as U.S. businessmen. Agents arrested Li during a meeting in Saipan.

Li is scheduled to be sentenced on May 3.

If not obvious to the reader (and at the risk of stating the obvious to the majority of readers) the use of this “cracked software” potentially runs the risk of compromising other software or computers networked with the computer running this software. This “cracked” software has the potential to “crack” your internal computing system or network. Those of you with the ability to scan your internal networks should consider an audit of software connected to that network to determine whether the software is original or a copy. If it is a copy, what is the original source the copy is derived from?

Our last snippet is a tale designed to remind you to verify and validate who you are talking to when it comes to work related matters. The case of Paul Alan White, outlined here http://www.fbi.gov/houston/press-releases/2013/woodlands-man-convicted-of-using-fake-cia-credentials and reprinted below shows how failure to validate an individual’s identity can potentially lead to a compromise of sensitive information.

“Paul Alan White, aka Jonathan Alan Davenport, 57, of The Woodlands, has entered a plea of guilty to two counts alleging he impersonated a public servant, United States Attorney Kenneth Magidson announced today. The plea was entered late yesterday before U.S. District Judge Ewing Werlein, Jr.

According to the factual basis in support of the plea, White posed as a CIA agent to others at different times during 2011 and 2012 in order to obtain personal information from individuals and to have authorities give him privileges as well as official record documents.

During March 2011, White had convinced a co-worker that he worked with Special Ops within the CIA and that they had to fill out an application form for a security clearance with the CIA. White apparently obtained the form from the Internet. The co-worker completed the form, which included personal information, such as names of family members and friends, education, employment history, and personal identification data such as a Social Security number, a Texas driver’s license number, and a U.S. passport number. As directed by White, the co-worker also ordered their own credit report and gave White a copy of their passport.

The next month, White also attempted to recruit the co-worker’s friend from the co-worker’s Facebook site, using an alias. White reported to be conducting a reference check and also tried to recruit them for a position with the CIA. At the request and demand of White, pretending to act as an agent under the authority of the CIA, the friend sent the security clearance form via FedEx with their personal information on it along with copies of their birth certificate, Social Security card, driver’s license, and passport.

Also that month, White introduced himself to Texas Department of Public Safety troopers as an agent working for the CIA. White showed a badge and a credential thought to be from the CIA and stated he had retired from CIA and was rehired to run “backgrounds” on people. White, while pretending to be an officer and employee of the United States, asked the trooper to run a criminal history check on his co-worker. White represented the request as an “official request” from a CIA officer. The trooper did so and provided the result.

(Continued on pg. 7)


(Continued from pg. 6)

Later, the CIA was contacted to conduct a check for any and all employment either directly or indirectly of White, aka Davenport. The CIA confirmed he did not work for the agency in any capacity. A search warrant was executed at White’s home revealed several false and fraudulent purported official U.S. government identifications and badges allegedly belonging to the CIA.

Judge Werlein has set sentencing for June 28, 2013, at which time he faces up to three years in federal prison and a possible $250,000 fine on each count. White will remain in custody pending that hearing.

The case was investigated by the FBI and Houston Police Department. Assistant U.S. Attorney (AUSA) Joe Porto is prosecuting the case. AUSA Ken Dies handled the hearing yesterday.

If confronted with identification from an individual claiming to be with the CIA, if you have any doubt, contact your local FBI Office (call the number published in the phone book if you don’t trust some other source for the FBI’s number), ask for the Duty Agent, and tell them you have been contacted by someone claiming to be with the CIA, and that you need to validate the claim before meeting with the person in question. Each FBI Office will have some sort of established protocol to validate the identity of an individual claiming to be with the CIA. It may take some amount of time, but you should be able to ultimately verify your contact through the local FBI.

ARRESTS, TRIALS, CONVICTIONS

Navy spy Delisle sentenced to 20 years in prison

http://www.cbc.ca/news/canada/nova-scotia/story/2013/02/08/ns-spy-faces-sentencing.html

He'll serve 18 years, 5 months, because of time served, and pay an $111,000 fine

CBC News
Posted: Feb 8, 2013 8:48 AM AT

Sub-Lt. Jeffrey Delisle, the Halifax naval officer who sold secrets to Russia, has been given a 20-year prison sentence.

But Judge Patrick Curran said Delisle will serve 18 years and five months behind bars because of time he has already served.

Delisle, 41, was also fined over $111,000, equal to what investigators say he received from the Russians. He has 20 years to pay.

As his children watched in the courtroom, one daughter's eyes welled up with tears as the judge delivered the sentence, reported the CBC's Stephen Puddicombe.

Delisle is the first person to be sentenced under Canada's Security of Information Act.

He pleaded guilty last October to one count of breach of trust and two charges of passing information to a foreign entity that could harm Canada's interest.

A "big chunk of the rest of your life" will be spent paying for the crime, Curran told Delisle.

He said Delisle was aware that Canada safeguarded secret information. He also said Delisle knew he shouldn't leak that information but "coldly and rationally" did so anyway.

Curran went on to say that even if the amount of damage Delisle caused is speculation, the fact that he passed information at all is a serious crime.

"Society is justifiably outraged at the betrayal," said Curran.

Showing no emotion, Delisle sat quietly with his chin rested on his folded hands as he listened to the judge outline his spying and betrayal to the court, reported the CBC's Rob Gordon.

When the sentencing was over, Delisle pulled up his red and blue hoodie, which he's worn to every court appearance, and left.

The Crown had sought a prison sentence of at least 20 years, while the defence asked for nine to 10 years.

Delisle's lawyer, Mike Taylor, said he was surprised by Friday's sentence.

"I just thought considering all the factors that were brought out in court, that the sentence would be somewhat less than what the Crown was asking for. It's as simple as that. They were asking for what I consider a very high number," he said.

"I can't say I'm completely caught off guard, but I was hoping for something less."

The Crown prosecutor said she is extremely happy getting almost exactly what she wanted. Lyne Decarie said it is all about deterrence and this sentence sends a clear message.

Approached Russians

The story began when Delisle walked into the Russian Embassy in Ottawa wearing a red ball cap and civilian clothes. He flashed his Canadian military identification and asked to meet with someone from GRU, Russia's military intelligence agency.

Delisle was posted to the security unit HMCS Trinity, an intelligence facility at the naval dockyard in Halifax. It tracks vessels entering and exiting Canadian waters via satellites, drones and underwater devices.

There, he had access to Stone Ghost, an allied computer system. Delisle spied on top-secret NATO information for four years.

"Nothing in his past life made him stand out as a potential traitor," said Curran.

Review of procedure

Canada's head of defence said Delisle failed all Canadians and violated the trust of Canada's partners, his colleagues and the entire Armed Forces.

Gen. Tom Lawson said he is conducting a full review of security procedures.

"We are actively pursuing measures to improve and enhance all facets of our security procedures," he said.

The Department of National Defence said it has to complete its administrative review before it can strip Delisle of his rank.

Until then he is on full pay.

Foreign Economic Espionage Investigation Leads to Arrest

http://www.fbi.gov/milwaukee/press-releases/2013/foreign-economic-espionage-investigation-leads-to-arrest

FBI Milwaukee
April 02, 2013
Public Affairs Specialist Leonard C. Peace (414) 291-4892

On March 29, 2013, special agents in the Milwaukee Division of the FBI arrested Hua Jun Zhao, age 42. Zhao is charged via a criminal complaint for knowingly engaging in economic espionage benefiting a foreign government, foreign instrumentality, or foreign agent, in violation of Title 18, United States Code, Section 1831 (a)(1)(2)(3).

Zhao is alleged to have used his employment and position at the Medical College of Wisconsin to illegally acquire patented cancer research material and to have taken steps to provide that material to Zhejiang University in China. The public is reminded individuals placed under arrest are presumed innocent until proven guilty.

The arrest was a direct result of successful outreach by the FBI’s Division’s Strategic Partnership Program. This program focuses on fostering communication and building awareness through partnerships with key public and private entities. The goal of the outreach is to protect United States sensitive information, technologies, and competitiveness in an age of globalization.

(Continued on pg. 8)


(Continued from pg. 7)

“This investigation underscores the importance of the FBI’s outreach to our community partners,” said Teresa L. Carlson, Special Agent in Charge. “The FBI will aggressively pursue those who would attempt to steal trade secrets, proprietary information, or national security information.”

The FBI Milwaukee Division’s Strategic Partnership Program provides businesses and academia the tools to recognize, identify, and report insider threats, theft of trade secrets, and economic espionage. The FBI encourages businesses and academia to contact the Strategic Partnership Coordinator Special Agent Byron Franz at 414-291-4371 for more information on this outreach program or to report suspected threats.

Subsequent to the preceding indictment the government issued a superseding indictment on 4/11/2013 as announced by the USDOJ:

Defendant Charged With Attempting To Damage A Protected Computer

http://www.justice.gov/usao/wie/news/2013/pr20130411_Protected_Computer_Damage_Charge.html

FOR IMMEDIATE RELEASE
April 11, 2010

United States Attorney James L. Santelle announced that earlier today, Hua Jun Zhao (age 42) was arraigned in federal court on criminal charges that he: (1) had attempted to damage and had deleted information from a federally-protected computer at the Medical College of Wisconsin; and (2) had lied to the Federal Bureau of Investigation (FBI) in connection with an investigation into the alleged theft of an anti-cancer compound and related research data from the Medical College.

According to court records, a federal grand jury returned the two-count indictment against Dr. Zhao on April 9, 2013. If convicted, the defendant faces a maximum term of 10 years’ imprisonment, a fine of up to $250,000, and a maximum of 3 years’ supervised release for the charge of attempting to damage a protected computer, and a maximum term of 5 years’ imprisonment, a fine of up to $250,000, and a maximum of 3 years’ supervised release for the charge of making a false statement.

Court records indicate that Dr. Zhao, a research scientist formerly employed by the Medical College, previously had been charged in a criminal complaint with the theft of the anti-cancer compound, in violation of the Economic Espionage Act. The United States moved to dismiss that complaint without prejudice in light of the indictment returned by the grand jury. According to Court records, the indictment relates to efforts by Dr. Zhao to obstruct the investigation into the theft of the compound by lying to the FBI and by covertly accessing the Medical College’s computer server and attempting to delete proprietary information – including research data – related to the stolen compound.

United States Attorney Santelle explained: “The professional work being done by institutions like the Medical College of Wisconsin is vital to the present care and treatment and the future health and welfare of individuals in Wisconsin, throughout the United States, and across the globe. The United States Department of Justice, the Office of the United States Attorney, and the Federal Bureau of Investigation, in cooperation with our partners in the public and private sectors, are all committed to vigorously enforcing federal criminal law, to ensuring the safety of our community, to guarding against all threats to our economy, and to protecting our nation’s leadership in medical innovation and research.” United States Attorney Santelle added that the investigation into the ultimate disposition of the stolen compound and the ultimate intended use of the proprietary information stolen from the Medical College and transported overseas is continuing.

"Proactive outreach through our Strategic Partnership Program was a key factor in this case, the arrest was a direct result of building awareness of insider threats with our public and private partners," said Teresa L. Carlson, Special Agent in Charge, "the FBI will aggressively pursue those who damage or delete information on protected computer systems to further their own interests."

The investigation in this matter is being conducted by the FBI, and the case is being prosecuted by Assistant U.S. Attorney Stephen A. Ingraham.

Indictments and criminal complaints are merely the formal method of charging an individual and do not constitute inference of his or her guilt. An individual is presumed innocent until such time, if ever, that the government establishes his or her guilt beyond a reasonable doubt.

Iranian Citizen And U.S. Citizen Residing In Louisville, Kentucky, Holding An Iranian Passport, Sentenced In Plot To Export Aircraft And Aircraft Parts To Iran

http://www.justice.gov/usao/kyw/news/2013/20130304-01.html

Conspired to violate the U.S. embargo against Iran

FOR IMMEDIATE RELEASE
March 4, 2013

LOUISVILLE, Ky. - David J. Hale, U.S. Attorney for the Western District of Kentucky; Lisa Monaco, Assistant Attorney General for National Security; and Perrye Turner, Special Agent in Charge, Federal Bureau of Investigation, Louisville Division, announced the sentencing today, of two men to charges related to unlawful export of aircraft and aircraft parts from the United States to Iran. One of the defendants, Hamid Asefi, age 67, is a citizen and resident of the Republic of Iran. The other, Behzad Karimian, also known as “Tony” Karimian, age 52, is a United States citizen living in Louisville, Kentucky who holds a valid Iranian passport and is employed as a Mesaba Airlines Pilot. Asefi was sentenced to 23 months in prison, and Karimian was sentenced to 46 months in prison by Chief Judge Joseph H. McKinley, Jr. in United States District Court. The defendants pleaded guilty in Louisville, before Magistrate Judge James D. Moyer on December 3, 2012. The two-count Indictment was returned by a Federal Grand Jury meeting in Louisville on August 2, 2012 and unsealed prior to their change of pleas hearings.

Hamid Asefi and Behzad Karimian were both charged with conspiracy to violate and violation of the International Emergency Economic Powers Act for exporting, selling, or causing the export or sale of aircraft and aircraft parts without first having obtained the required license from the U.S. Department of Treasury. Asefi made his initial appearance in U.S. District Court in Louisville, Kentucky on June 1, 2012. Karimian was arrested and made his initial appearance in U.S. District Court in Louisville, Kentucky on June 6, 2012.

Asefi is the principal officer of Aster Corp Ltd., an Iranian company with offices in both Iran and the United Kingdom. The Indictment charges that, beginning as early as August 2007 and continuing through April 2011, Asefi used the United Kingdom office of Aster to serve as a transshipment point to facilitate shipment of goods from the United States to Iran; Asefi used Aster to facilitate the shipment of goods from the United States to Iran through third party countries; Asefi sent requests on behalf of Iranian entities to Karimian for purchases of aircraft and aircraft parts located in the United States or owned by United States persons; and Karimian knowingly and willfully made inquiries, placed orders, and attempted to facilitate the purchase of aircraft and aircraft parts located in the United States and owned by United States persons on behalf of defendant Asefi and persons in Iran.

(Continued on pg. 9)


(Continued from pg. 8)

Asefi and Karimian pleaded guilty to Count One of the Indictment and admitted in court that they acted with knowledge and intent to violate the Iran embargo when on September 27, 2007, Asefi and Karimian sent emails to establish a “profitable business collaboration” for the purpose of procuring aircraft and aircraft components for end-users in Iran. They further admitted that on or about October 1, 2009, Asefi sent an email to Karimian which outlined the terms of delivery and payment on future transactions with Iran Air and stated “…remember that, only US Embargo has brought this chance and benefit to us, to get involved in these deals….”

Further, defendants Asefi and Karimian pleaded guilty to Count Two of the Indictment, and admitted that beginning in September 2009 and continuing through April 2010, they violated the embargo against Iran by exporting and causing the export of services related to the sale of a G.E. Aircraft Engine Model CF6-50C2, as well as attempting the procurement of helicopters manufactured by Bell Helicopter, from the United States to Iran, without first having obtained the required authorizations from the U.S. Department of Treasury. All of the aircraft and aircraft parts involved in this case were intended for civilian use.

“The investigation and prosecution of national security cases is the top priority of the Department of Justice and my Office,” stated David J. Hale, the U.S. Attorney for the Western District of Kentucky. “We view the circumvention of Iranian export control laws as a very serious matter. The FBI should be commended for its excellent work in disrupting this international scheme and bringing these men to justice.”

The International Emergency Economic Powers Act authorizes the President of the United States to impose economic sanctions on a foreign country when the President declares a national emergency with respect to a national security threat. On March 15, 1995, the President issued an Executive Order declaring the actions and policies of the Government of Iran constituted a national emergency. On May 6, 1995, the President issued an Executive Order imposing the Iran Trade Embargo. On June 23, 2011, the U.S. Department of the Treasury imposed sanctions on Iran Air after designating it as a proliferator of weapons of mass destruction for providing material support and services to Iran’s Islamic Revolutionary Guard Corps.

This case was prosecuted by Assistant United States Attorney Bryan Calhoun of the U.S. Attorney’s Office for the Western District of Kentucky, and Trial Attorney Casey Arrowood of the Counterespionage Section of the Justice Department’s National Security Division. The case was investigated by the Federal Bureau of Investigation, Louisville Division.

US Defense Contractor, 59, 'Gave Classified Information To 27-Year-Old Chinese Lover In Honeytrap'

http://www.dailymail.co.uk/news/article-2295733/American-defence-contractor-Benjamin-Pierce-Bishop-gave-nuclear-secrets-younger-Chinese-lover.html

Benjamin Pierce Bishop, 59, of Honolulu, charged with passing on secrets

PUBLISHED: 06:52 EST, 19 March 2013 | UPDATED: 11:01 EST, 19 March 2013

• The defence contractor met younger lover at military defence conference
• He did not tell authorities about her as he should have done
• A covert search of his home in Hawaii found documents marked 'secret'

By Harriet Arkell

[Photo caption: Bishop, who is accused of passing classified military information to a Chinese lover 32 years his junior]

A defence contractor and former US Army officer has been arrested and charged with giving his younger Chinese lover secret information about existing war plans and American nuclear weapons.

Benjamin Pierce Bishop, 59, who worked in intelligence in Hawaii, appeared in court to face one count of communicating national defence information to a person not entitled to receive it and one count of unlawfully retaining national defence documents and plans.

According to the complaint filed in Honolulu, Bishop met the woman at a conference on international military defence issues and passed her the information by email after beginning a romantic relationship with her.

The complaint said the 27-year-old woman 'may have been at the conference in order to target individuals such as Bishop', who had top secret security clearance since 2002.

Bishop was arrested on Friday at Pacific Command headquarters at Camp H.M. Smith in Hawaii and appeared in court yesterday.

Authorities did not say when the conference took place but said the Chinese woman, whose identity has not been released, was in the US on a student visa at the time.

[Photo caption: US Attorney Florence Nakakuni said Bishop had been charged with giving defence secrets to his Chinese lover]

She allegedly began an intimate relationship with Bishop in June 2011, and the authorities say he passed on the information to her in an email in May, and also in a phone call in September, when he told the woman about the deployment of US strategic nuclear systems and about the ability of the US to detect other nations' low- and medium-range ballistic missiles.

Bishop is accused of hiding the relationship from the government even though his position and security clearance requires him to report contact with foreign nationals.

Authorities conducting a covert search of Bishop's home in the Honolulu suburb of Kapolei found 12 individual documents marked 'secret' although he was not authorized to keep classified papers at home, court documents said.

The woman asked Bishop last month what western countries knew about 'the operation of a particular naval asset of People's Republic of China', the complaint said, though the topic fell outside Bishop's regular work assignments.

Bishop researched the issue using open source records and was observed collecting and reviewing classified information on the topic, according to the complaint.

At one point, when he travelled to the UK to visit the woman, Bishop tried to hide her identity on a request to leave for travel form 'by slightly changing her given name to a masculine form of the same name and by adding a letter to the surname,' according to an FBI agent's affidavit.

(Continued on pg. 10)

(Continued from pg. 9)

US Magistrate Judge Richard Puglisi conditionally appointed Bishop an attorney after hearing arguments that his finances weren't sufficient to cover the costs of defending himself.

Bishop's court-appointed attorney Birney Bervar, said Bishop was a lieutenant colonel in the US Army Reserve.

He said: 'Colonel Bishop has served this country for 29 years. He would never do anything to harm the United States.'

[Photo caption: Bishop's lawyer Birney Bervar said his client would never do anything to intentionally harm the United States]

Bart DaSilva, a neighbor of Bishop's, said the man lived alone and was initially friendly when he moved in about three years ago.

DaSilva said Bishop once brought over a woman and a girl he said were his wife and daughter from Thailand.

But he said he never saw Bishop with other visitors, and noticed that Bishop increasingly began to keep to himself.

The complaint filed against Bishop at the court in Honolulu does not refer to the Chinese woman by name, calling her instead 'Person1'

'I kind of felt: "What did we do?"' DaSilva said. 'It was almost like he switched off.'

No-one was available for comment at Bishop's brown, two-story home in a hilly neighborhood overlooking Pearl Harbor and downtown Honolulu.

The arrest and charges were announced by Florence T. Nakakuni, U.S. Attorney for the District of Hawaii; John Carlin, Acting Assistant Attorney General for National Security; Vida G. Bottom, Special Agent in Charge of the FBI Honolulu Division; Dwight Clayton, Special Agent in Charge of the Naval Criminal Investigative Service (NCIS) Hawaii Field Office; and U.S. Navy Captain Patrick McCarthy of USPACOM.

Bishop, who faces a maximum potential sentence of 20 years in prison if convicted, was scheduled to appear in court this Friday for a hearing on whether he will remain in detention during the case. A preliminary hearing was scheduled for April 1.

Woman At Center Of Spy Allegations Is Enigma

http://azdailysun.com/news/national/pacific-command-contractor-chargedwith-%20spying/article_57c631f6-e076-590a-a961-ce40459c447e.html

Oskar Garcia

[Photo caption: The home of civilian defense contractor Benjamin Pierce Bishop in Kapolei, Hawaii, on March 18, 2013. Bishop is charged with giving national security secrets to a 27-year-old Chinese woman he was dating. Authorities conducting a covert search of Bishop's home in Kapolei, a suburb about 22 miles west of downtown Honolulu, in November found 12 individual documents marked "secret" even though he's not authorized to keep classified papers at home, the complaint said. (AP Photo/Oskar Garcia)]

U.S. officials say the 27-year-old university student from China started a relationship with a civilian defense contractor more than twice her age and then found out classified information on U.S. nuclear weaponry, missile defenses and war plans.

But is she a spy?

It is clear the Justice Department believes the woman's boyfriend broke the law, but the criminal complaint that outlines the charges against him never formally accuses her of any crime. It just paints a picture of a young woman who seems to be involved in espionage.

A Justice Department official who spoke on condition of anonymity because the investigation is ongoing says the government knows the woman's location and is continuing to investigate her role. Her identity and whereabouts haven't been released, and U.S. authorities also haven't said publicly whether they believe she is working for the Chinese government.

She lives in the United States as a student on a J-1 visa, according to an affidavit the FBI filed this week by the FBI in U.S. District Court in Honolulu.

Her boyfriend, Benjamin Bishop, a 59-year-old civilian defense contractor who works at Pacific Command, met the woman at a Hawaii conference on military defense issues.

The counterintelligence agent investigating Bishop said the woman may have been at the conference specifically to meet people like Bishop, who work with and have access to certain classified information, the affidavit said.

They began an intimate, romantic relationship in June 2011, according to the affidavit. At the time, Bishop was working at a Pacific Command office that develops plans to deter potential U.S. adversaries, according to his LinkedIn profile online.

Bishop is scheduled to appear in federal court Friday for a hearing on whether he should stay in detention while prosecutors pursue their case.

Birney Bervar, Bishop's attorney, said he planned to seek bail but wasn't optimistic he would be successful. Bervar declined to discuss details of the case, saying he had not yet spoken in depth to his client. A preliminary hearing is scheduled for April 1.

The affidavit says the woman told Bishop repeatedly she didn't want him to tell her anything classified but continued to question Bishop about his work.

Bishop, on the other hand, told her he wouldn't give her any classified information but did so anyway, the document said.

(Continued on pg. 11)


(Continued from pg. 10)

Bishop, a lieutenant colonel in the U.S. Army Reserve, is accused of telling her secrets about U.S. nuclear weapons, missile defenses, war plans, early warning radar systems and other issues.

Last month, the woman asked Bishop what western countries knew about a Chinese naval asset. This fell outside the scope of Bishop's work but he conducted open source record research for her and collected and reviewed classified information on the topic, the affidavit said.

Bishop's security clearance required him to disclose his contacts with foreign nationals, but the affidavit says he failed to let officials know about his relationship with the woman.

The FBI declined further comment on Tuesday. A Justice Department spokesman in Honolulu did not return a call seeking comment.

Bishop was married until last year, according to state documents in Utah. His ex-wife declined comment when approached by The Associated Press on Tuesday at her home in Ogden, Utah.

Her neighbor, Sandra Doyle, said it was clear Bishop was having an affair with a Chinese woman prior to the divorce. Doyle, who said she is friends with the ex-wife, said the girlfriend was a university student in the District of Columbia, though she didn't know which school.

Doyle said neighbors knew Bishop worked for the government in Hawaii but were unclear on his exact job.

Larry Wortzel, a member of the U.S.-China Economic and Security Review Commission, said China has used sexual entrapment as a means to gather intelligence before and the allegations aren't surprising.

As an Army reserve officer and defense contractor, Bishop would have received security briefings on this and understood "how sex may be used for intelligence targeting," Wortzel said.

Whether U.S. national security was damaged by any of the alleged disclosures would depend on how detailed the information was and whether the woman knew any of it was classified, said Carl Baker, director of programs at Pacific Forum Center for Strategic and International Studies.

Information on weapons could be harmful because it could tell a potential enemy what U.S. weapons system can do as well as what capabilities the adversary would need to develop to counter U.S. capabilities, he said.

Bishop's position wouldn't have given him access to specifics about weapons technology, though, Baker said.

Leaked details on military plans might also be detrimental.

"That's an important part, because if you divulge enough information about the planning process, you end up giving information that reveals a strategy and how you could counter that strategy," Baker said.

The key issues for any trial will be Bishop's intent and the sophistication of the information he passed on, Baker said.

Bishop is charged with one count of communicating national defense information to a person not entitled to receive it and one count of unlawfully retaining national defense documents and plans.

Defense Contractor Charged In Hawaii With Communicating Classified Information To Person Not Entitled To Receive Such Information

http://www.fbi.gov/honolulu/press-releases/2013/defense-contractor-charged-in-hawaii-with-communicating-classified-information-to-person-not-entitled-to-receive-such-information

U.S. Attorney’s Office District of Hawaii
March 18, 2013
(808) 541-2850

HONOLULU—Benjamin Pierce Bishop, 59, a former U.S. Army officer who works as a civilian employee of a defense contractor at U.S. Pacific Command (USPACOM) in Hawaii, has been arrested on charges of communicating classified national defense information to a person not entitled to receive such information.

The arrest and charges were announced by Florence T. Nakakuni, U.S. Attorney for the District of Hawaii; John Carlin, Acting Assistant Attorney General for National Security; Vida G. Bottom, Special Agent in Charge of the FBI Honolulu Division; Dwight Clayton, Special Agent in Charge of the Naval Criminal Investigative Service (NCIS) Hawaii Field Office; and U.S. Navy Captain Patrick McCarthy of USPACOM.

Bishop, a resident of Hawaii, was arrested Friday without incident at his workspace at USPACOM in Hawaii and made his initial appearance on Monday in federal court in Honolulu. The criminal complaint filed in the District of Hawaii charges him with one count of willfully communicating national defense information to a person not entitled to receive such information and one count of unlawfully retaining documents related to the national defense. If convicted, he faces a maximum potential sentence of 20 years in prison.

According to an affidavit filed in support of the criminal complaint, Bishop currently works as an employee of a defense contractor that has a contract with USPACOM, whose command is based in Oahu, Hawaii. Bishop has held a top secret security clearance since July 2002 and held access to Secure Compartmented Information from November 2002 to April 2012. As a person holding a top secret security clearance, Bishop has been subject to multiple security briefings on restrictions regarding the disclosure of classified national defense information, as well as the handling, marking, and storage of such information.

According to the affidavit, between May 2011 through December 2012, Bishop willfully communicated classified national defense information on multiple occasions to Person 1, an individual not entitled to receive such information. The affidavit alleges that Person 1 is a 27-year-old female citizen of the People’s Republic of China who is residing in the United States on a visa and who does not possess, nor has ever possessed, a U.S. security clearance, and thus is not entitled to receive U.S. classified information.

According to the affidavit, Bishop and Person 1 originally met in Hawaii during a conference regarding international military defense issues. Since June 2011, Bishop and Person 1 have allegedly been involved in a romantic relationship. Despite a Defense Department directive requiring personnel, like Bishop, who maintain a U.S. security clearance to report to the U.S. government any contacts with foreign persons, Bishop has affirmatively hidden his relationship with Person 1 from U.S. government officials, the affidavit alleges.

The affidavit alleges that Bishop communicated information classified at the secret level to Person 1 on several instances. According to the affidavit, the national defense information that Bishop passed to Person 1 included information relating to nuclear weapons; information on planned deployment of U.S. strategic nuclear systems; information on the ability of the United States to detect low- and medium-range ballistic missiles of foreign governments; and information on the deployment of U.S. early warning radar systems in the Pacific Rim.

The affidavit further alleges that a court-authorized search of Bishop’s residence in November 2012 revealed approximately 12 individual documents each with classification markings at the secret level. Bishop’s residence is not an authorized location for the storage of classified information, and Bishop was not authorized to remove and retain those documents.

(Continued on pg. 12)


Former U.S. Consulate Guard Sentenced To Nine Years In Prison For Attempting To Communicate National Defense Information To China

http://www.fbi.gov/washingtondc/press-releases/2013/former-u.s.-consulate-guard-sentenced-to-nine-years-in-prison-for-attempting-to-communicate-national-defense-information-to-china

U.S. Department of Justice
March 05, 2013 Office of Public Affairs
(202) 514-2007/ (202) 514-1888

WASHINGTON—Bryan Underwood, a former civilian guard at a U.S. Consulate compound under construction in China, was sentenced today to nine years in prison in connection with his efforts to sell for personal financial gain classified photographs, information, and access related to the U.S. Consulate to China’s Ministry of State Security (MSS), announced Lisa Monaco, Assistant Attorney General for the Justice Department’s National Security Division; Ronald C. Machen, Jr., U.S. Attorney for the District of Columbia; Valerie Parlave, Assistant Director in Charge of the FBI’s Washington Field Office; and Gregory B. Starr, Director of the U.S. State Department’s Diplomatic Security Service.

Underwood pleaded guilty August 30, 2012, in the U.S. District Court for the District of Columbia to one count of attempting to communicate national defense information to a foreign government with intent or reason to believe that the documents, photographs, or information in question were to be used to the injury of the United States or to the advantage of a foreign nation. He was sentenced by the Honorable Ellen S. Huvelle. Upon completion of his prison term, Underwood will be placed on two years of supervised release.

Underwood, 32, a former resident of Indiana, was first charged in an indictment on August 31, 2011, with two counts of making false statements and was arrested on September 1, 2011. On September 21, 2011, he failed to appear at a scheduled status hearing in federal court in the District of Columbia. The FBI later located Underwood in a hotel in Los Angeles and arrested him there on September 24, 2011. On September 28, 2011, Underwood was charged in a superseding indictment with one count of attempting to communicate national defense information to a foreign government, two counts of making false statements, and one count of failing to appear in court pursuant to his conditions of release.

"Bryan Underwood betrayed America’s trust by attempting to sell access to secure areas of the very U.S. Consulate compound he was charged to protect," said Assistant Attorney General Monaco. "Today, he is being held accountable for his actions. As this case demonstrates, we remain vigilant in protecting America’s secrets and in bringing to justice those who seek to compromise them."

"Access to classified information is a special responsibility to be honored, not a financial opportunity to be exploited," said U.S. Attorney Machen. "Bryan Underwood is going to prison because he tried to make millions by selling secret photos of a U.S. Consulate to a foreign government. His sentence demonstrates our dedication to jealously guarding our nation’s secrets. We all owe a great debt of gratitude to the agents who detected and stopped Underwood before he succeeded in betraying our country."

"Bryan Underwood attempted to betray his country by using his access to sensitive information for his own benefit. Fortunately, he was stopped before classified information fell into the wrong hands," said FBI Assistant Director in Charge Parlave. "Together with our partner agencies, the FBI will continue to diligently work to combat potential acts of espionage that threaten our national security."

"The close working relationship between the U.S. Department of State’s Diplomatic Security Service, the FBI, and the U.S. Attorney’s Office resulted in the conviction of Bryan Underwood before he could potentially harm the security of our country," said Director Starr of the Diplomatic Security Service. "This was a great success by all of the agencies involved."

According to court documents, from November 2009 to August 2011, Underwood worked as a cleared American guard (CAG) at the site of a new U.S. consulate compound that was under construction in Guangzhou, China. During this time, the compound was not yet operational. CAGs are American civilian security guards with top secret clearances who serve to prevent foreign governments from improperly obtaining sensitive or classified information from the construction site. Underwood received briefings on how to handle and protect classified information as well as briefings and instructions on security protocols for the U.S. Consulate, including the prohibition on photography in certain areas of the consulate.

In February 2011, Underwood was asked by U.S. law enforcement to assist in a project at the consulate and he agreed. In March and April of 2011, Underwood lost a substantial amount of money in the stock market. According to court documents, Underwood then devised a plan to use his assistance to U.S. law enforcement as a "cover" for making contact with the Chinese government. According to his subsequent statements to U.S. law enforcement, Underwood intended to sell his information about and access to the U.S. Consulate to the Chinese MSS for $3 million to $5 million. If any U.S. personnel caught him, he planned to falsely claim he was assisting U.S. law enforcement.

As part of his plan, Underwood wrote a letter to the Chinese MSS, expressing his "interest in initiating a business arrangement with your offices" and stating, "I know I have information and skills that would be beneficial to your offices [sic] goals. And I know your office can assist me in my financial endeavors." According to court documents, Underwood attempted to deliver this letter to the offices of the Chinese MSS in Guangzhou but was turned away by a guard who declined to accept the letter. Underwood then left the letter in the open in his apartment hoping that the Chinese MSS would find it, as he believed the MSS routinely conducted searches of apartments occupied by Americans.

In May 2011, Underwood secreted a camera into the new U.S. Consulate compound and took photographs of a restricted building and its contents. Several of these photographs depict areas or information classified at the Secret level. Underwood also created a schematic that listed all security upgrades to the U.S. Consulate and drew a diagram of the surveillance camera locations at the consulate. In addition, according to his subsequent statements to U.S. law enforcement, Underwood "mentally" constructed a plan in which the MSS could gain undetected access to a building at the U.S. Consulate to install listening devices or other technical penetrations.

According to court documents, the photographs Underwood took were reviewed by an expert at the State Department’s Bureau of Diplomatic Security who had original classification authority for facilities, security, and countermeasures at the U.S. Consulate. The expert determined that several of the photographs contained images classified at the secret level and that disclosure of such material could potentially cause serious damage to the United States.

In early August 2011, Underwood was interviewed several times by FBI and Diplomatic Security agents, and he admitted making efforts to contact the Chinese MSS but falsely claimed that he took these actions to assist U.S. law enforcement. On August 19, 2011, Underwood was again interviewed by law enforcement agents and he admitted that he planned to sell photos, information, and access to the U.S. Consulate in Guangzhou to the Chinese MSS for his personal financial gain.

After initially being arraigned in this case on September 1, 2011, Underwood was released on his personal recognizance, with certain conditions, including staying within the Washington, D.C. metropolitan area and returning to court for a status hearing on September 21, 2011. Instead of returning to court as promised, Underwood purchased a bicycle, racks, panniers, helmet, and multiple energy snack bars. He left a fake suicide note at his hotel room in Springfield, Virginia. Then, alive and well, he pedaled west out of Springfield and eventually boarded a bus in Wytheville, Virginia, under a false name. He was arrested on September 24, 2011 in a hotel room in Los Angeles, with over $10,000 in cash and 80,000 Japanese yen. He has been in custody ever since.

The U.S. government has found no evidence that Underwood succeeded in passing classified information concerning the U.S. Consulate in Guangzhou to anyone at the Chinese MSS.

This investigation was conducted jointly by the FBI’s Washington Field Office and the State Department’s Bureau of Diplomatic Security. The prosecution was handled by the U.S. Attorney’s Office for the District of Columbia and Trial Attorney Brandon L. Van Grack from the Counterespionage Section of the Justice Department’s National Security Division.

Alaska-Based Soldier Gets 16 Years In Spy Case

http://www.tri-cityherald.com/2013/04/15/2357504/us-soldier-being-sentenced-in.html

Published: April 15, 2013

FILE - In this undated file photo released by the U.S. Army Alaska, Spc. William Colton Millay is shown. A panel of eight military members from Joint Base Elmendorf-Richardson in Anchorage Monday April 15, 2013 recommended a 19-year sentence for Spec. William Colton Millay, but that was dropped to 16 years because of a pretrial agreement. He will receive credit for the 535 days he's been jailed since his Oct. 28, 2011, arrest. The panel also reduced him in rank to private and he will forfeit all pay and allowances. U.S. Army Alaska, File

By MARK THIESSEN — Associated Press

JOINT BASE ELMENDORF-RICHARDSON, Alaska — An Alaska-based military policeman will serve 16 years in prison and will be dishonorably discharged for selling military secrets to a Russian agent, who was an undercover FBI agent, a military panel decided Monday.

A panel of eight military members from Joint Base Elmendorf-Richardson in Anchorage recommended a 19-year sentence for Spec. William Colton Millay, but that was dropped to 16 years because of a pretrial agreement. He will receive credit for the 535 days he's been jailed since his Oct. 28, 2011, arrest. The panel also reduced him in rank to private and he will forfeit all pay and allowances.

Millay pleaded guilty last month to attempted espionage and other counts. A sentencing panel of male military members began deliberations late Monday afternoon.

Military prosecutors painted Millay as a white supremacist who was fed up with the Army and the United States, and was willing to sell secrets to an enemy agent, even if that would cost his fellow soldiers their lives. Defense attorneys said Millay was emotionally stunted, was only seeking attention and was a candidate for rehabilitation.

Millay's attorney, Seattle-based Charles Swift, said they understand and accept the sentence.

However, "We do intend to seek further clemency as this case goes forward for the reasons that were set forth in the trial: his mental state, his emotional age, and the motivation for it, and the circumstances."

Monday's proceedings were like a mini-trial conducted in front of the sentencing panel, with both sides calling two witnesses.

FBI Special Agent Derrick Chriswell said Millay came to their attention in the summer of 2011 through an anonymous tip after Millay sent an email to a Russian publication seeking information about the military and made several calls to the Russian embassy.

"That's a concern for national security," Chriswell said.

The FBI, working with military intelligence agencies, conducted the investigation. On Sept. 13, 2011, an FBI undercover agent called Millay and set up a meeting the next day at an Anchorage hotel restaurant.

Chriswell testified that during the first meeting with the agent that day, Millay "expressed his disgust with the U.S. military." They then moved to the agent's hotel room, where audio and video recording devices were in place.

Millay said he'd work for the Russian government, and if they made it worth his while, he'd re-enlist for a second five-year stint. He also said he had confidential information on the Warlock Duke jamming system the U.S. military uses to sweep roadside bombs.

Two days after that meeting, Millay reported to his commander that he had been contacted by a Russian agent. He was later interrogated by military intelligence officers and the FBI, but prosecutors say Millay was merely trying to throw off suspicion.

Chriswell said Millay, during the interrogation, withheld information that officials already knew from the recordings. That included a claim that he didn't know why a Russian agent would contact him, his claim to the agent that he had access to Social Security numbers of people on base because of his police job and that he had sent her an earlier text claiming he had more information on the jamming system.

Later, after he came off a monthlong leave, he told the agent he was willing to sell information using a confidential drop at a park.

On Oct. 21, 2011, he dropped off a white envelope with information about the F-22s and the jamming system in a garbage can. That envelope was later collected by the FBI.

Millay was told to drive to a hotel, where he collected $3,000 and a disposable cellphone from a pickup.

Afterward, the agent contacted Millay to complain her superiors wanted information that wasn't on the Internet. Millay assured her that the information on the jamming system - about a paragraph's worth - wasn't available. That was later confirmed by military personnel.

He was arrested Oct. 28. A search of his barracks found two handguns, detailed instructions on how to use a Russian Internet phone service and literature from the white supremacist organization, the National Socialists Movement.

Chriswell also testified that Millay has two Nazi SS thunderbolt tattoos under his biceps and spider web tattoos, which he said was common among racists in prison.


"He branded himself in their symbols of hate," military prosecutor Capt. Stewart Hyderkhan said in his closing statement, arguing for at least 25 years in prison. "He had hate for the Army. He had hate for the United States."

Swift, Millay's attorney, argued that the Nazi movement and Russia don't exactly have a lot in common, and that Millay had once been married to Filipino.

Defense witness Dr. Veronica Harris, a psychiatrist, testified Millay had the emotional capability of a 5-year-old and suffers from low self-esteem, mild depression, alcoholism and narcissism.

Millay offered an unsworn statement to the court, in which he said, "This has destroyed me."

"I know I've made a terrible mistake," he said, also fighting back tears. "I'm a U.S. soldier, and that piece of me, I'm proud of."

Millay spoke of his demon within.

"It has taken me three years to come to grips with who he is," he said. "He's my worst enemy; my worst enemy is myself."

Hyderkhan said that wasn't remorse, especially since jailhouse recordings show he threatens to continue to divulge secrets.

Swift, in his closing statement, argued that eight years was punitive enough and would provide time for rehabilitation.

METHODS AND TECHNIQUES

The following excellent article from Dark Reading ( http://www.darkreading.com/insider-threat/167801100/security/news/240149745/5-lessons-from-the-fbi-insider-threat-program.html ) summarizes some current thinking at the FBI regarding analysis and detection of the inside threat as it might manifest itself on internal FBI networks. Practitioners of internal threat monitoring and risk assessments may find this article to be of interest.

5 Lessons From The FBI Insider Threat Program

Finding ways to improve enterprise insider theft detection and deterrence

Mar 01, 2013 | 05:51 AM |

By Ericka Chickowski, Contributing Writer

Dark Reading

SAN FRANCISCO -- RSA CONFERENCE 2013 -- Insider threats may not have garnered the same sexy headlines that APTs did at this year's RSA Conference. But two presenters with the Federal Bureau of Investigation (FBI) swung the spotlight back onto insiders during a session this week that offered enterprise security practitioners some lessons learned at the agency after more than a decade of fine-tuning its efforts to sniff out malicious insiders following the fallout from the disastrous espionage case.

1. Insider threats are not hackers.

Often people think of the most dangerous insiders being hackers who are running special technology tools on internal networks. Not so, says Patrick Reidy, CISO for the FBI.

"You're dealing with authorized users doing authorized things for malicious purposes," he says. "In fact, going over 20 years of espionage cases, none of those involve people having to do something like run hacking tools or escalate their privileges for purposes of espionage."

Reidy says that just less than a quarter of insider incidents tracked on a yearly basis come at the hand of accidental insiders, or what he calls the "knucklehead problem." However, at the FBI his insider threat team spends 35 percent of their time dealing with these problems. He believes the FBI and other organizations should be looking for ways to "automate out of this problem set" by focusing on better user education. Dropping those simpler incidents gives insider threat teams more time to concentrate on the more complex problem of malicious insiders, he says.

2. Insider threat is not a technical or "cybersecurity" issue alone.

Unlike many other issues in information assurance, the risk from insider threats is not a technical problem, but a people-centric problem, says Kate Randal, insider threat analyst and lead researcher for the FBI.

"So you have to look for a people centric solution," she says. "People are multidimensional, so what you have to do is take a multidisciplinary approach."

This starts by focusing efforts on identifying and looking at your internal people, your likely enemies, and the data that would be at risk. In particular, understanding who your people really are should be examined from three important informational angles: cyber, contextual, and psychosocial.

"The combination of these three things is what's most powerful about this methodology," Randal says. "In an ideal world we'd want to collect as much about these areas [as possible], but that's never going to happen. So what's important is adopting a method working with your legal and managerial departments to figure out what works best within the limitations of your environment."

3. A good insider threat program should focus on deterrence, not detection.

For a time the FBI put its back into coming up with predictive analytics to help predict insider behavior prior to malicious activity. Rather than coming up with a powerful tool to stop criminals before they did damage, the FBI ended up with a system that was statistically worse than random at ferreting out bad behavior. Compared to the predictive capabilities of Punxsutawney Phil, the groundhog of Groundhog Day, that system did a worse job of predicting malicious insider activity, Reidy says.

"We would have done better hiring Punxsutawney Phil and waving him in front of someone and saying, 'Is this an insider or not an insider?'" he says.

Rather than getting wrapped up in prediction or detection, he believes organizations should start first with deterrence.

"We have to create an environment in which it is really difficult or not comfortable to be an insider," he says, explaining that the FBI has done this in a number of ways, including crowdsourcing security by allowing users to encrypt their own data, classify their own data, and come up with better ways to protect data. Additionally, the agency has found ways to create "rumble strips" in the road to let users know that the agency has these types of policies in place and that their interaction with data is being used.

4. Detection of insider threats has to use behavioral-based techniques.

Following the failure to develop effective predictive analytics, the FBI moved toward a behavioral detection methodology that has proved far more effective, Reidy says. The idea is to detect insider bad behavior closer to that "tipping point" of when a good employee goes rogue.

"We look at how people operate on the system, how they look contextually, and try to build baselines and look for those anomalies," he says.

Whatever analytics an organization uses, whether it is print file behavior or data around file interactions, Reidy recommends a minimum of six months of baseline data prior to even attempting any detection analysis.

"Even if all you can measure is the telemetry to look at prints from a print server, you can look at things like what's the volume, how many and how big are the files, and how often do they do print," he says.
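The per-user baselining Reidy describes for print-server telemetry (volume, number and size of files, frequency) can be sketched as follows; this is an added example, not code from the article or from the FBI's program. The log tuple layout, the weekly window, the median/MAD score and its threshold are assumptions, and the 26-week minimum stands in for the six months of baseline data the article recommends.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

MIN_BASELINE_WEEKS = 26   # "a minimum of six months of baseline data"
THRESHOLD = 6.0           # assumed cut-off for the robust z-score; tune per site


def weekly_features(jobs):
    """Roll raw print jobs up to per-user, per-week features.

    jobs: iterable of (user, day, size_bytes) tuples (assumed log schema).
    Weeks in which a user printed nothing produce no entry at all.
    """
    out = defaultdict(lambda: defaultdict(
        lambda: {"jobs": 0, "bytes": 0, "max_bytes": 0}))
    for user, day, size in jobs:
        week = day - timedelta(days=day.weekday())   # Monday of that week
        f = out[user][week]
        f["jobs"] += 1                               # how often they print
        f["bytes"] += size                           # total volume
        f["max_bytes"] = max(f["max_bytes"], size)   # how big the files are
    return out


def robust_z(value, history):
    """Distance of value above the median of history, in scaled MAD units."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # A perfectly flat baseline has MAD 0; fall back to 5% of the median.
    scale = 1.4826 * mad or max(1.0, 0.05 * med)
    return (value - med) / scale


def score_week(features, week):
    """Compare each user's `week` against that user's own earlier weeks."""
    report = {}
    for user, weeks in features.items():
        if week not in weeks:
            continue
        history = [w for w in sorted(weeks) if w < week]
        if len(history) < MIN_BASELINE_WEEKS:
            # Too little data to say what "normal" is for this user.
            report[user] = "insufficient baseline"
            continue
        flagged = {}
        for name, value in weeks[week].items():
            z = robust_z(value, [weeks[w][name] for w in history])
            if z > THRESHOLD:                        # only unusual increases
                flagged[name] = round(z, 1)
        report[user] = flagged
    return report


def sample_jobs():
    """Constructed telemetry: 30 weeks for alice and bob, 8 weeks for carol."""
    start = date(2013, 1, 7)                         # a Monday
    jobs = []
    for w in range(30):
        monday = start + timedelta(weeks=w)
        for user in ("alice", "bob"):
            n = 10 + (w * 7 + len(user)) % 5         # 10 to 14 jobs a week
            for j in range(n):
                size = 200_000 + ((w + j) % 4) * 50_000
                jobs.append((user, monday + timedelta(days=j % 5), size))
        if w >= 22:
            jobs.append(("carol", monday, 300_000))
    # Constructed anomaly: in the final week bob prints 60 extra 5 MB jobs.
    last = start + timedelta(weeks=29)
    jobs += [("bob", last + timedelta(days=j % 5), 5_000_000)
             for j in range(60)]
    return jobs, last


if __name__ == "__main__":
    jobs, last = sample_jobs()
    for user, result in sorted(score_week(weekly_features(jobs), last).items()):
        print(user, result)
```

Each user is compared only with their own history, so a heavy but steady printer is not flagged while a sudden change in one person's volume is.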

5. The science of insider threat detection and deterrence is in its infancy.

According to Randal, it was bad science that led the FBI to the point where they were using a worse than random predictive analysis. Part of the issue is that even now the science of insider detection and deterrence is still in its infancy. One of the issues with its slow growth is that much of the existing research just focuses on looking at data from the bad guys.

"So what the FBI has done is to really try to push this diagnostic approach of collecting data from and comparing it between a group of known bad and a group of assumed good [insiders] and try to apply that methodology to those three realms [cyber, contextual and psychosocial]."

In particular, some of the research the FBI has done with regard to psychosocial diagnostic indicators has been a bit surprising, she says.

"What we learned from this study is that some of the things we thought would be the most diagnostic in terms of disgruntlement or workplace issues really weren't that much," she says, explaining that more innate psychological risk factors come into play. For example, stress from a divorce, inability to work in a team environment, and exhibiting behaviors of retaliatory behavior all scored high as risk indicators when comparing the bad insiders with the good.

While enterprises will not be able to do the same kind of psychological screening that the FBI does with its employees, there are ways to incorporate this knowledge into insider prevention programs.

"You can try to elicit this information from other avenues: observables, behavioral manifestations, making supervisors more aware of the insider threat problem, and creating an environment where they may be more willing to report some of these things as they see them," she says. "One of the best resources that your security program has is the collaboration of the HR department."

Attorney General Eric Holder Speaks At The Administration Trade Secret Strategy Rollout

Commentary: In February of this year the government laid out its refined strategy for combatting the theft of trade secrets and intellectual property. This speech by the Attorney General sets forth the foundations for how these issues will be addressed in the coming months and years.

http://www.justice.gov/iso/opa/ag/speeches/2013/ag-speech-1302201.html

Washington, D.C.

Wednesday, February 20, 2013

Thank you, Victoria, for those kind words – and thank you all for being here. It’s a pleasure to welcome you to the White House today – and a privilege to stand with so many friends, key partners, and indispensable allies in introducing the Administration’s strategy for combating the theft of trade secrets.

As Victoria just mentioned, this work is a top priority for President Obama, for the entire Administration – and of course for the dedicated men and women at the Department of Justice. I’m deeply proud of the contributions that my colleagues have made in developing this strategy – and the pivotal role that the Department will play in its implementation. And I’m confident that – as we bring government agencies and additional private sector partners together to put these plans into action – we’ll continue strengthening national efforts to protect the rights, safety, and best interests of American consumers, innovators, and entrepreneurs.

Particularly in this time of ongoing economic recovery, this work is more important than ever. Despite the challenges of recent years, American companies remain the most innovative in the world. They are responsible for many of the most important technological advances the world has ever seen, an overwhelming number of the 100 most valuable brands, and almost 30 percent of global research and development spending.

This level of innovation and the investments that make it possible benefit consumers, create jobs, and support our economy. For instance, in 2011, companies in Silicon Valley added over 42,000 jobs and recorded a growth rate more than three times that of the U.S. economy as a whole. But, as any of the corporate leaders in this crowd can attest, this prosperity is a double-edged sword. And it inevitably attracts global rivals – including individuals, companies, and even countries – eager to tilt the playing field to their advantage.

By corrupting insiders, hiring hackers, and engaging in other unscrupulous and illegal activities, these entities can inflict devastating harm on individual creators, start-ups, and major companies. As one private security expert has said of the largest U.S. corporations, there are only "two categories" of companies affected by trade secret theft – "[T]hose that know they’ve been compromised and those that don’t know yet."

This is because, as new technologies have torn down traditional barriers to international business and global commerce, they’ve also made it easier for criminals to steal trade secrets – and to do so from anywhere in the world. A hacker in China can acquire source code from a software company in Virginia without leaving his or her desk. With a few keystrokes, a terminated or simply unhappy employee of a defense contractor can misappropriate designs, processes, and formulas worth billions of dollars.

Some of these criminals exploit pilfered secrets themselves – often by extorting the victim company or starting their own enterprise. Others try to sell the illicit information to a rival company, or obtain a bounty from a country interested in encouraging such theft. And all represent a significant and steadily increasing threat to America’s economic and national security interests.

Fortunately, the women and men of the Justice Department are working tirelessly to prevent, combat, and punish these serious crimes. Thanks to the efforts of 40 prosecutors and four computer forensic experts serving in the Computer Crime and Intellectual Property Section, and more than 230 specially-trained prosecutors stationed at U.S. Attorneys’ Offices around the country, including 25 Computer Hacking and Intellectual Property – or "CHIP" – units, I’m pleased to report that we’re fighting back more aggressively, and collaboratively, than ever before. And with approximately 240 FBI agents in the field dedicated to investigating IP crime, along with officials from U.S. Immigration and Customs Enforcement, and 20 additional state, federal, and international law enforcement agencies that are partners at the IPR Center, we are poised to build on our recent successes.

I’m proud of the outstanding work that these professionals are leading every day, in offices all across the country. But I also recognize – as I know you all do – that the Justice Department won’t be able to continue making the progress we need, and that our citizens and companies deserve, on its own.

We need to increase cooperation and coordination between partners at every level of government. We need to improve engagement with the corporations represented in the room today. We need to find ways to work together more efficiently and effectively – by following the road map set forth in the Administration’s new, comprehensive strategy. And we need to do so starting immediately – because continuing technological expansion and accelerating globalization will lead to a dramatic increase in the threat posed by trade secret theft in the years ahead.


In fact, by 2015, experts believe that the number of smart phones, tablets, laptops, and other internet-access devices in use will be roughly double the total that existed in 2010. In the same period, the proliferation of cloud-based computing will significantly enhance flexibility and productivity for workers around the world. But these same forces will also create more access points and vulnerabilities that allow criminals to steal confidential information. Just as increasing globalization will enable American companies of all sizes to benefit from foreign technical experts and research and development activities in other countries, the sharing of trade secrets with entities operating in nations with weak rule of law may expose them to intellectual property losses. Any resulting cost advantages will likely be more than offset by losses in proprietary company information.

Unfortunately, these projections aren’t merely hypothetical. We’ve seen this phenomenon before – including in the late 1990s, when I had the privilege of serving as Deputy Attorney General. Between 1997 and 2000, internet usage in the United States more than doubled – and this massive technological shift also brought about major changes in the nature of crime. For instance, in 1999 alone, we saw a 30-percent spike in intellectual property cases over the previous year. In order to fight back, in July of that year I announced the Department’s first major IP Strategy, known as the Intellectual Property Rights Initiative.

Of course, we’ve all come a long way since then. As critical technologies have advanced, criminals have adapted accordingly. Our need to keep pace with these changes remains imperative. And the stakes have never been higher.

In some industries, a single trade secret can be worth millions – or even billions – of dollars. Trade secret theft can require companies to lay off employees, to close factories, to lose sales and profits, to experience a decline in competitive position and advantage – or even to go out of business. And this type of crime can have significant impacts not only on our country’s economic well-being, but on our national security – allowing hostile states to obtain data and technology that could endanger American lives; expose our energy, financial, or other sensitive sectors to massive losses; or make our infrastructure vulnerable to attack.

In response, the Justice Department has made the investigation and prosecution of trade secret theft a top priority. This is why the National Security Division’s Counterespionage Section has taken a leading role in economic espionage cases – and others affecting national security and the export of military and strategic commodities or technology. It’s also why, in 2010, I established an internal Task Force on Intellectual Property – led by Deputy Attorney General Jim Cole and other senior Department leaders – to improve and expand our enforcement efforts in this area. And it’s why the FBI has increased its focus on trade secret theft and its use of sophisticated tools and techniques in conducting national security and criminal investigations.

Of course, most trade secret matters are dealt with in civil court. But when the Justice Department receives referrals, we investigate and, when appropriate, prosecute those matters fairly and completely. And, although the primary legislation creating criminal liability for these acts is less than 20 years old, federal law enforcement officials have established a remarkable record of success in this area.

In the decade between 2001 and 2011, we secured well over 100 convictions in cases involving criminal trade secret thefts, and 6 convictions in economic espionage cases. For instance, in December 2011, a federal court in Indiana sentenced a man from China to more than 7 years in prison – after his conviction on charges of economic espionage on behalf of a foreign university tied to the Chinese government. Last September – in New Jersey – a jury convicted another Chinese native of trade secret theft and other charges for stealing information from a defense contractor about the performance and guidance systems for missiles and other military hardware. And last November – in Michigan – a former General Motors engineer and her husband were convicted of conspiring to steal more than $40 million worth of trade secrets from GM, with intent to use them in a joint venture with an automotive competitor in China.

In these and many other cases – as we’ve refined our approach and increased our understanding of these crimes and those who commit them – the Department has also gathered valuable intelligence about foreign-based economic espionage. We’ve forged strong relationships with law enforcement partners, private sector experts, and international allies. And we’ve begun to raise awareness about the devastating impact of these crimes – and to encourage companies to report suspected breaches to law enforcement – so violators can be caught, brought to justice, and kept from striking again.

As we carry this work into the future – thanks to the support and assistance of everyone here today, and the cutting-edge strategy we’re committed to implementing – I’m confident that we’ll continue to make great strides in the fight against trade secret theft. We’ll keep improving our ability to crack down on intellectual property infringement and economic espionage. And together we’ll ensure that the United States is, and always will be, the world leader in innovation.

CYBER RELATED THREATS REPORTED IN THE DHS DAILY OPEN SOURCE INFRASTRUCTURE REPORT

The following are extracts from DHS Daily Open Source Infrastructure Report, located at http://www.dhs.gov/files/programs/editorial_0542.shtm These reports link back to more detailed reporting from the original source. Included here are extracts pertaining to cyber threats prevalent on a daily basis. Readers may find practical applications for this material both in their work and in their personal use of computing devices and internet usage.

March 20, Threatpost – (International) Researchers uncover 'Team Spy' attack campaign against government, research targets. Researchers uncovered a long-running cyberespionage campaign by a group dubbed "Team Spy" for its use of the legitimate Team Viewer application. The group targeted government, heavy industry, intelligence, and activist organizations around the world.
Source: http://threatpost.com/en_us/blogs/researchers-uncover-teamspy-attackcampaign-targeting-government-research-targets-032013

March 4, The Register – (International) New class of industrial-scale super-phishing emails threatens biz. Security researchers have identified a new large-scale form of phishing that uses tailored messages and variable links to direct users to drive-by download sites where rootkits are installed.
Source: http://www.theregister.co.uk/2013/03/04/longlining_phishing/

February 27, Softpedia – (International) Emergency Flash update to protect Firefox users. Firefox released an update to Flash which addresses vulnerabilities that target the browser and leave it susceptible to crashes and open to malicious attacks.
Source: http://news.softpedia.com/news/Emergency-Flash-Update-to-Protect-Firefox-Users332853.shtml

USA Today, Feb 27, 2013: Security tools reveal cyber intruders' trickery. There is a silver lining to the rash of revelations about cyber intruders cracking into the networks of marquee U.S. corporations. Microsoft this week admitted to a major network breach, following in the footsteps of Apple, Facebook, Twitter, The New York Times, The Wall Street Journal and the Federal Reserve, all of which have made similar disclosures in February. However, the mea culpas also show that with persistent network breaches continuing to escalate, some large organizations have begun proactively gathering intelligence about what the bad guys are up to. They are doing this by stepping up the use of cutting-edge tech security systems. And by moving to advance public knowledge about the stealthy tactics of cyber intruders, companies under attack could be taking a crucial step toward gaining an advantage on the attackers, say security analysts and law enforcement officials. "The one thing these disclosures have done is provide significant visibility into the latest attacks," says Lawrence Pingree, cybersecurity industry analyst at market researcher Gartner. "Without that, you're blind."

Data thieves, cyberspies and hacktivists, to be sure, continue to probe company networks as intensively as ever. An estimated 60% of companies globally reported a network security breach in the past year, including 34% that identified more than one penetration, according to a survey of 4,447 tech professionals in nine nations, conducted by Ponemon Institute and sponsored by Juniper Networks. Those survey results were released on Monday at the giant RSA cybersecurity conference in San Francisco, where much of the buzz this week has been about the value of openness.

"Just a short time ago, companies and third-party service providers were extremely reluctant to share any information for fear of airing dirty laundry or revealing any potential weaknesses," says Kelly Bissell, a Deloitte security and privacy principal. "Now there is a grass-roots, band-of-brothers kind of approach with the good guys."

Underscoring the openness theme, former White House cybersecurity adviser Howard Schmidt on Monday was named executive director of the non-profit Software Assurance Forum for Excellence in Code. Schmidt's mission: to assemble leaders from tech, military, law enforcement and industry to collaborate on increasing the trust in tech products and services.

Meanwhile, Hewlett-Packard on Tuesday announced the formation of HP Security Research, a new division created to provide "actionable security intelligence" via published reports and threat briefings. Those moves follow President Obama's recent executive order directing the federal government and private companies to work more closely to protect the nation's critical infrastructure against cyberattacks.

"The best scenario for training new defenders is to get knowledge about defending current attacks out in the open," says Alan Paller, research director of security training organization The SANS Institute. "It's the only way to develop effective and up-to-date skills and build confidence."

Cyber Squared, for one, has built openness into its business model. The security start-up recently launched ThreatConnect.com, an online exchange where some 150 security researchers and 45 organizations convene around the clock to share data and brainstorm. "It's like a neighborhood watch," says Cyber Squared CEO Adam Vincent. "The power comes from the development of a common, globally shared perspective about sophisticated threats."

For the past three months, threatConnect participants have been scrutinizing the activities of what the consensus believes to be a China-based cybergang that has been sending messages carrying viral attachments to specific individuals at an array of companies. Their goal: to infect one employee's computer and use it to get deeper into the targeted company's network, says Rich Barger, Cyber Squared's chief intelligence officer.

One of the gang's chief targets is an international news service that has ties to the Falun Gong, a spiritual movement critical of China's human rights record. Other targets include a journal on the metals industry, as well as corporations in the U.S., Europe and Japan involved in mining, metals, aerospace, defense, manufacturing, fabrication, construction and engineering, Barger says.

The attackers are after authentication credentials that would get them deeper network access to ultimately steal research projects, industrial processes, financial records, business strategies and other intellectual property.

"This tells us that (China-based cybergang) APT6 has been given broad intelligence-collection requirements, including targeting news services that are critical of the Chinese Communist Party," Barger says. "After looking at patterns of activity and the targeting of specific victims around key geopolitical events, you can identify a common China nexus.

"While the 3-month-old exchange is shedding fresh light on nation-state cyberespionage, other cutting-edge security systems are flushing out cybercriminals of another stripe: those motivated purely by quick profits.

Juniper Networks, for instance, this week rolled out Spotlight Secure, a new cloud-based security service designed to pay very close attention to the makeup of any PC or mobile device that tries to probe a company's website for security holes. Cyber intruders often deploy armies of infected computers, or bots, under their control to repeatedly attempt to break into a targeted company's network through its public website. Spotlight Secure watches for - and blocks - any PC or mobile device that attempts to make suspicious connections to a website, and records more than 200 unique attributes of the attacking machine - in essence, fingerprinting it, says David Koretz, Juniper security vice president. It then shares that information with companies and websites using Juniper's security services.

The service recently detected 3,000 separate PCs launching more than 20,000 attacks against the website of an Australian hotel chain during the course of a week. "We were even able to detect a case of a single attacker who intentionally switched IP addresses to make it look like the attacking machines were coming from multiple parts of the world," Koretz says.

"They were either trying to lock up hotel rooms to resell them for more money, or trying to steal company or customers' financial credentials."

Another kind of mass attack crafted to make quick cash involves directing thousands of infected PCs to deliver phishing e-mail messages carrying a viral attachment or corrupted Web link. Security analysts at Cisco Systems were recently retained by a large payroll services firm to get to the bottom of a case in which numerous customers complained about a suspicious e-mail purporting to come from the firm, asking them to click to an anti-fraud alert service. Anyone unfortunate enough to have clicked on the tainted link had installed a sophisticated online banking theft program, called ZeuS, says Gavin Reid, Cisco's director of threat research.

Cisco's analysts pored through the data trove of e-mail spam it continually filters from the networks of thousands of organizations worldwide that use its security services. They found that a run of bogus emails with the firm's name represented 38% of all spam for that day. The payroll firm thus was able to establish that the attackers had simply appropriated its brand to blast out the e-mail to a broad group of recipients, including some of its customers, using e-mail addresses obtained from an unknown source.

"Cisco provided hard evidence that the attackers behind the phishing campaign had not, in fact, obtained a list of customers, and the phishing attack was not specifically targeted in this manner," Reid says. "The company was relieved that we could prove that no customer data had been taken." While that discovery did little for any of the firm's customers who happened to fall for the phishing ruse, security experts say any fresh insight that lends clarity to the tactics and patterns favored by cybercriminals represents ground gained.

Says Gartner's Pingree: "What you're seeing with the discovery of these attacks and breaches is the fact that we've raised the bar in security and increased its visibility to the extent that malware can be discovered, rooted out and removed."

Source: http://www.sheboyganpress.com/usatoday/article/1949879

Spearphishing: The Dirty Email Trick Favored by the Nastiest Hackers

CNBC, 27 Feb 2013: A new report says that the Chinese military is secretly obtaining sensitive data from U.S. companies.

A key technique is "spearphishing," an approach that tricks a targeted individual to reveal information that can be used to infiltrate the company or government agency that person works for. Security companies have been warning about spearphishing for the last two to three years, and its use is increasing. But now that it has become top news, thanks to a report from U.S. computer-security firm Mandiant Corp. explaining how Chinese operatives tricked workers at Coca-Cola and other major American firms, what is at the top of many people's minds is this: How do you know if you're being spearphished?

You probably know to watch out for phishing attempts — broad, massive email efforts to get you to hand over personal financial information like a credit card number or to click on a website link that could allow malware to steal information from your computer. They're usually riddled with spelling errors and terrible formatting. Spearphishing is subtler, because it's aimed at intelligence gathering.

It "often takes the form of key personnel inside an organization being emailed a malicious file," Graham Cluley of Sophos Security told NBC News Tuesday. "It could be, for instance, a booby-trapped PDF file or Word document which when opened — secretly and silently installs spyware onto your computer," he said. "The malicious spyware code can then open a backdoor on your computer, giving hackers remote access to all the files on your computer, as well as capture every keystroke, in order to steal passwords, and read everything on your screen."

But why would an employee open such an email? The information in the email is crafted to look and sound just right enough so that it's "remarkably easy to dupe someone into clicking on a link or opening an attachment in an email and for their computer to become compromised," Cluley said.

"Imagine you were a reporter covering human rights abuses in China. I simply send you an email (with a boobytrapped attachment), forge my 'from' address so you believe that the email has come from a human rights group, and in the body of the email tell you that attached you'll find shocking details of human rights abuses in China."

"Similarly, if you were a military supplier, I might make my email appear as though it came from a sister company or another supplier."

Dave Jevans, founder and CTO of Marble Security, said "spearphishers know that the easiest way to break into a company's network is not to breach their firewalls and intrusion prevention systems, but rather to compromise an employee's computer, smartphone or online passwords." Employees who use cloud-based, shared document apps like Google Docs can be sitting ducks for spearphishing attempts.

"Google Docs is a very convenient way to fool employees or end users into divulging passwords," Jevans said. For one thing, it is a "trusted website that won't be blocked by Web filters," with invitations to view documents or forms "hosted by a trusted company — Google — not some hacked server in Russia." Also, he said, "Google Docs connections are HTTPS encrypted, and cannot be filtered by Web-filtering gateways to scan for malicious content."

Battling spearphishing is an ongoing effort, with no easy-fix solutions in sight. "It's a massive problem," Kurt Baumgartner, Kaspersky Lab senior researcher, told NBC News Tuesday. Jevans, of Marble Security, called spearphishing "one of the most dangerous of all the advanced persistent threats" that exist.

In 2010, Sophos Security said it intercepted an attack against a firm tied to the defense industry in which emails "carried a malicious PDF file claiming to be about the Trident D-5 missile, launched from nuclear submarines." A report from McAfee Labs at the end of 2011 noted the worrisome rise in spearphishing, saying the problem "doesn't really lend itself to a pure technology solution. The best defense against spearphishing is employee — particularly executive employee — education. Next-generation firewall technology can also help prevent employees from accessing rogue sites." Baumgartner told NBC News on the "human side, the old adage 'do not open suspicious emails or links,' is, well, old. While it's sensible advice, it's proven to be ineffective because you are dispensing that advice to people." And people, of course, don't always pay close enough attention.

Security vendors, he said, "have improved their product capabilities as well," but still, "the attackers sometimes up their game to beat all of those technologies. So you can stop 'it,' but at some level you can't always stop 'it.'

"For some organizations and targets, learning how to best tolerate and maintain intrusions becomes an attractive option," he said. Tools to expel invaders, or minimize exposure once they are in, may prove to be more important than just relying on "defensive technology protecting against spearphishing components," he said.

Cluley, of Sophos, says companies and agencies can "reduce the chances of a targeted attack" being successful by keeping software such as PDF readers, Web browsers, word processing software and the computer's operating system itself as up-to-date as possible, with the latest patches.

"Furthermore, you should run a layered defense — that means not just using up-to-date antivirus software, but also firewalls, email filtering technologies, data-loss protection technology and strong encryption to secure your most sensitive data," he said. And back to that human element?

"Also, it's amazing how many people re-use passwords, and use the same weak password in multiple places," Cluley said. "That means if you get hacked in one place, and your password is compromised, it may also unlock accounts elsewhere on the Net." All of these steps "can reduce your chances of suffering from a targeted attack," he said.

"But ultimately, there's no 100 percent technological solution, as human beings can still make bad decisions. And that's why it's important to train users about threats, and warn them to be suspicious of unsolicited links and attachments and to always report suspicious activity."

Source: http://www.cnbc.com/id/100502990

Corporate data loss hits highest levels since 2008

27 Feb 2013: Recent incidents of corporate data loss hit the highest levels since 2008 as companies work to improve data security strategies against a greater variety of more sophisticated IT attacks that can pose severe enterprise and reputational risks. Data loss attacks affected more than one billion people in the last five years and more than 60 percent of those incidents were the result of hacking, says The Data Loss Barometer report from KPMG that analyzed incidents since 2005 across industries, types of data loss and global regions.

According to the report, data loss threats have risen substantially with the use of mobile devices for business purposes and personally identifiable information continues to be the top data loss type. Industries such as health care and professional services, which maintain the largest databases of personal information, saw 18.5 million people affected by PC theft, which accounted for one-third of all data loss incidents in those sectors for the first half of 2012.

"Hard drives continue to be the number one target for portable media data loss, but we have seen a big increase in incidents around DVDs and CDs, as well," said Greg Bell, a partner at KPMG LLP. "The volume of company data stored on personal and mobile devices needs to be a major consideration when devising a comprehensive security plan."

Depending on the type of data loss, an incident can be a major risk to a company's revenue or reputation. Senior management and boards are now challenged to weigh the threat of exposure according to which data loss could be more impactful to the company and employ security measures as appropriate, according to the report's findings.

"If a laptop with a formula for a new cancer drug is stolen, it could have the potential for a billion dollar loss to a company's future revenue; but if a laptop is lost with health records for two million patients, that could be a reputational mark from which they can't recover," said Bell.

"Executives and boards need to be a part of the discussion around the most effective way to protect this information from all types of loss because it could mean unrecoverable damage to a firm."

Additional findings in the KPMG report included:

- Government, healthcare, education, financial services and retail comprised the top five worst performing sectors for data loss incidents in the last five years.
- The insurance sector is the most at risk from social engineering and system/human error data loss.
- More than 96 percent of data loss incidents in the media industry were attributed to hacking during the first half of 2012.

Source: http://www.net-security.org/secworld.php?id=14503

Cyber criminals masquerade as the ICE Cyber Crimes Center to extort money from web users

IVN, 18 Feb 2013: Online scammers have employed a new hoax to extort money from web users in the name of the U.S. Immigration and Customs Enforcement (ICE) Cyber Crimes Center. The latest version of this scam - which has imitated the FBI's Internet Crime Complaint Center in the past – lures victims to a drive-by download website, at which time ransomware is installed on the user's computer. Once installed, the computer freezes and the user is warned that their computer has been blocked due to federal criminal violations. The user is then told they must pay the ICE Cyber Crimes Center $400 within 48 hours to have their computer unlocked. This is a hoax - not a legitimate communication from ICE. If you have received this message, do not follow the payment instructions. Instead, it is suggested that you:

1. File a complaint at www.IC3.gov.
2. Keep operating systems and legitimate antivirus and antispyware software updated.
3. Contact a reputable computer expert to assist with removing the malware.

Source: http://www.imperialvalleynews.com/index.php/news/national-news/3103-cyber-criminals-masquerade-as-theice-cyber-crimes-center-to-extort-

SCADA password cracking code available

Heise Security, 25 Jan 2013: ICS-CERT has issued an alert about the existence and general availability of the proof-of-concept exploit code for a tool that can brute force passwords and thus gain access and control of programmable logic controllers (PLCs).

The authors of the Python code in question are Alexander Timorin and Dmitry Sklyarov of SCADA Strange Love research group, and have unfortunately made the code available before Siemens had the opportunity to patch the flaw or offer mitigations.

In order to be able to use the tool, an attacker must first capture TCP/IP traffic containing the authentication data in the challenge-response form, and then by using the script, tries out different passwords until it finds a match.

Until Siemens comes out with mitigation, users of the affected controllers should minimize the risk to their systems by unplugging control system devices from the Internet, put them behind firewalls and isolate them from the business network, and employ secure methods for remote access.

In the meantime, the script seems to have been incorporated in the popular John the Ripper password cracking tool. ICS-CERT expressed its fear that the script can be adapted to be used against other vendor products.

Source: http://www.net-security.org/secworld.php?id=14303


January 25, Help Net Security – (International) SCADA password cracking code available. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned that a proof-of-concept exploit code was released that can brute force passwords to programmable logic controllers (PLC) before the vulnerability could be addressed by the manufacturer, Siemens.
Source: http://www.net-security.org/secworld.php?id=14303

January 23, InformationWeek – (International) Security flaws leave networked printers open to attack. A security researcher discovered flaws in Hewlett-Packard’s JetDirect printer networking software which can be used to bypass security controls, disable printers, or reprint previous documents.
Source: http://www.informationweek.com/security/vulnerabilities/security-flaws-leavenetworked-printers/240146805

CYBER RELATED ARTICLES

The following articles of interest are included here because of their nexus to cyber related topics.

Virus Warning: E-Mail from 'FBI Alert' Not Really from FBI
http://www.fbi.gov/jackson/press-releases/2013/virus-warning-e-mail-from-fbi-alert-not-really-from-fbi

FBI Jackson
February 06, 2013
Public Affairs Specialist Deborah Madden
(601) 948-5000

The FBI does not send unsolicited e-mail.

Recently, some Mississippi residents have received an alarming e-mail, supposedly containing an "FBI Alert" about someone with whom they have communicated online. This e-mail requests that recipients contact the "FBI secret service" by following a link provided in the e-mail.

Be warned: the e-mail is not from the FBI, and if you click on the embedded link, you run the risk of infecting your computer with a malicious virus.

Daniel McMullen, Special Agent in Charge of the FBI in Mississippi, states, "These e-mails do not come from the FBI. Recipients of this or similar e-mails should know that the FBI does not send unsolicited e-mails to the public."

The following is the actual message:

From: FBI ALERT
Date: February 2, 2013, 5:47:06 p.m. CST
To: undisclosed-recipients:;
Reply-To: FBI ALERT

We have an information for you regarding the person you are transacting with online. You need to see this yourself. Contact us immediately for this is very important to you. Keep it to yourself and contact us, get back to us immediately. There is something you need to know about this person or you might end up loosing everything you ever worked for. Stop e-mailing until you hear from us. Contact FBI secret service with the e-mail below [email protected] FBI secret service.

There are many preventative measures you can take to minimize the risk of exposing your computer to a virus.

1. Be suspicious of any unsolicited e-mail.
2. Do not click on links contained within an unsolicited e-mail.
3. Log directly onto an official website for the entity identified in the e-mail, instead of "linking" to one from an unsolicited e-mail.
4. Contact the actual entity that supposedly sent the e-mail to verify if the e-mail is legitimate.
5. Be watchful of spelling errors, grammar problems, or inconsistent information. These could be signs that the sender is fraudulent (not who they say they are).

Opening e-mail from an unknown sender, especially those using the names of well-known entities to catch your attention, is risky. Links embedded in such e-mails frequently lead to viruses which can infect the recipient’s computer.

In order to address Internet threats, including scam or fraudulent e-mails, the Internet Crime Complaint Center (IC3), a partnership between the FBI and the National White Collar Crime Center, was established in 2000.

"The IC3 serves as a vehicle to receive, develop, and refer Internet crime complaints," said SAC McMullen. "If you have received an e-mail of this nature, or any scam e-mail, we encourage you to notify the IC3 by filing a complaint at www.ic3.gov."

Looking for Love? Beware of Online Dating Scams
http://www.fbi.gov/news/stories/2012/february/dating-scams_021412
02/14/12

Millions of Americans visit online dating websites every year hoping to find a companion or even a soul mate.

But today, on Valentine’s Day, we want to warn you that criminals use these sites, too, looking to turn the lonely and vulnerable into fast money through a variety of scams.

These criminals—who also troll social media sites and chat rooms in search of romantic victims—usually claim to be Americans traveling or working abroad. In reality, they often live overseas. Their most common targets are women over 40 who are divorced, widowed, and/or disabled, but every age group and demographic is at risk.

Here’s how the scam usually works. You’re contacted online by someone who appears interested in you. He or she may have a profile you can read or a picture that is e-mailed to you. For weeks, even months, you may chat back and forth with one another, forming a connection. You may even be sent flowers or other gifts. But ultimately, it’s going to happen—your new-found "friend" is going to ask you for money.

Recognizing an Online Dating Scam Artist

Your online "date" may only be interested in your money if he or she:

- Presses you to leave the dating website you met through and to communicate using personal e-mail or instant messaging;
- Professes instant feelings of love;
- Sends you a photograph of himself or herself that looks like something from a glamour magazine;
- Claims to be from the U.S. and is traveling or working overseas;
- Makes plans to visit you but is then unable to do so because of a tragic event; or
- Asks for money for a variety of reasons (travel, medical emergencies, hotel bills, hospital bills for a child or other relative, visas or other official documents, losses from a financial setback or crime victimization).

One way to steer clear of these criminals all together is to stick to online dating websites with nationally known reputations.

So you send money…but rest assured the requests won’t stop there. There will be more hardships that only you can help alleviate with your financial gifts. He may also send you checks to cash since he’s out of the country and can’t cash them himself, or he may ask you to forward him a package.

(Continued from pg. 20)

So what really happened? You were targeted by criminals, probably based on personal information you uploaded on dating or social media sites. The pictures you were sent were most likely phony, lifted from other websites. The profiles were fake as well, carefully crafted to match your interests.

In addition to losing your money to someone who had no intention of ever visiting you, you may also have unknowingly taken part in a money laundering scheme by cashing phony checks and sending the money overseas and by shipping stolen merchandise (the forwarded package).

While the FBI and other federal partners work some of these cases—in particular those with a large number of victims or large dollar losses and/or those involving organized criminal groups—many are investigated by local and state authorities.

We strongly recommend, however, that if you think you’ve been victimized by a dating scam or any other online scam, file a complaint with our Internet Crime Complaint Center. Before forwarding the complaints to the appropriate agencies, IC3 collates and analyzes the data—looking for common threads that could link complaints together and help identify the culprits. Which helps keep everyone safer on the Internet.

For specific tips on how to keep from being lured into an online dating scam, see the sidebar above. Awareness is the best tool for preventing crime…and in this case, even for preventing a broken heart.

Statement Before the House Committee on the Judiciary, Subcommittee on Crime, Terrorism, and Homeland Security

http://www.fbi.gov/news/testimony/investigating-and-prosecuting-21st-century-cyber-threats

John Boles
Deputy Assistant Director, Cyber Division
Federal Bureau of Investigation
Washington, D.C.
March 13, 2013

Chairman Sensenbrenner, Ranking Member Scott, and members of the subcommittee, I am pleased to appear before you today to discuss the nature of the cyber threat, how the FBI has responded to it, and how we are marshaling our resources and strengthening our partnerships to more effectively combat the increasingly sophisticated adversaries we face in cyberspace.

The Cyber Threat

Some of the most critical threats facing our nation today emanate from the cyber realm. Intrusions into our corporate networks, personal computers, and government systems are occurring every single day by the thousands. We see four primary malicious actors in the cyber world: foreign intelligence services, terrorist groups, organized crime enterprises, and hacktivists.

Dozens of countries have offensive cyber capabilities, and these foreign cyber spies have become increasingly adept at exploiting weaknesses in our computer networks. Once inside, they can exfiltrate government and military secrets as well as valuable intellectual property—information that can improve the competitive advantage of state-owned entities and foreign companies.

Terrorist groups would like nothing better than to digitally sabotage our power grid or water supply. Some say they do not currently have the capability to do it themselves. But the reality is that the capability is readily available on the open market.

Organized crime groups, meanwhile, are increasingly migrating their traditional criminal activity from the physical world to computer networks. They no longer need guns to rob a bank; they use a computer to breach corporate and financial institution networks to steal credentials, account numbers, and personal information they can use to make money.

These criminal syndicates, often made up of individuals living in disparate places around the world, have stolen billions of dollars from the financial services sector and its customers. Their crimes increase the cost of doing business, put companies at a competitive disadvantage, and create a significant drain on our economy.

Hacktivist groups such as Anonymous and LulzSec are pioneering their own forms of digital anarchy by illegally accessing computers or networks for a variety of reasons, including politically or socially motivated goals.

With these diverse threats, we anticipate that cyber security may well become our highest priority in the years to come. Computer intrusions and network attacks are the greatest cyber threat to our national security. That is why we are strengthening our cyber capabilities in the same way we enhanced our intelligence and national security capabilities in the wake of the September 11 attacks.

FBI Response 2002-2012

The FBI recognized the significance of the cyber threat more than a decade ago and, in response, created the Cyber Division in 2002; elevated the cyber threat as our number three national priority (only after counterterrorism and counterintelligence); significantly increased our hiring of technically trained agents, analysts, and forensic specialists; and expanded our partnerships with law enforcement, private industry, and academia through initiatives like InfraGard—a public-private coalition of 55,000 members to protect critical infrastructure—and the National Cyber-Forensics and Training Alliance (NCFTA)—a proven model for sharing private sector intelligence in collaboration with law enforcement.

We have made great progress in the interim. Ten years ago, if you were an agent conducting a cyber investigation and the Internet Protocol (IP) address tracked back to a foreign country, that was effectively the end of your investigation. Although you could send a lead to one of the FBI’s overseas legal attaché offices, the likelihood that you would discover who was behind the keyboard was small.

Since then, we have embedded cyber agents with law enforcement in several key countries: Estonia, Ukraine, the Netherlands, and Romania. Some countries in cyber hot spots also enhanced their domestic laws and agreed to allow extraditions to the United States.

Those changes, along with improvements in our ability to track IP addresses back to their source, have led to a recognition in the underground economy that there are fewer safe hiding places around the globe. Building on the success of our international outreach, we are currently expanding our cyber assistant legal attaché program to additional countries.

A prime example of how our investigations have progressed in the 10 years since the Cyber Division was created is the 2011 takedown of Rove Digital, a company founded by a ring of Estonian and Russian hackers to commit a massive Internet fraud scheme.

The scheme infected with malware more than four million computers located in more than 100 countries. The malware secretly altered the settings on infected computers, enabling the hackers to digitally hijack Internet searches

(Continued on pg. 22)


(Continued from pg. 21)

using rogue servers for Domain Name System (DNS) routers and re-routing computers to certain websites and ads. The company received fees each time these websites or ads were clicked on or viewed by users. This scheme generated $14 million in illegitimate income for the operators of Rove Digital.

Because Estonia has improved its domestic laws, we were able to work with our law enforcement counterparts and our private industry partners to execute a takedown of this criminal organization. Following the arrest of several co-conspirators in Estonia, teams of FBI agents, linguists, and forensic examiners assisted Estonian authorities in retrieving and analyzing data that linked the co-conspirators to the Internet fraud scheme. At the same time, we obtained a court order in the United States to replace the rogue DNS servers with court-ordered clean servers.

In this case, we not only took down the criminal organization, but worked with our partners in DHS and other agencies to mitigate the damage. Seven individuals have been indicted in the Southern District of New York in this case: six in Estonia and one in Russia. The United States has sought extradition of all six Estonian subjects. To date, two of them have been remanded to U.S. custody. One pleaded guilty on February 1, 2013.

We are also employing novel ways of combating the threat. In Operation Coreflood, the FBI worked with our private sector and law enforcement partners to disable a botnet that had infected an estimated two million computers with malicious software.

The malware on this Coreflood botnet allowed infected computers to be controlled remotely by criminals to steal private personal and financial information from unsuspecting users. In an unprecedented move, the FBI obtained a court order to seize domain names, re-route the botnet to FBI-controlled servers, and respond to commands sent from infected computers in the United States, telling the zombies to stop the Coreflood software from running. The success of this innovative operation will help pave the way for future cyber mitigation efforts and the development of new “outside the box” techniques.

While we’re proud of these investigative successes and our progress against the threat, we are continuing to push ourselves to respond more rapidly and prevent attacks before they occur.

Last month, President Obama released the administration’s Strategy on Mitigating the Theft of U.S. Trade Secrets. As part of the strategy, the FBI is expanding its efforts to fight computer intrusions that involve the theft of trade secrets by individuals, foreign corporations, and nation-state cyber hackers.

Over the past year, under our legal authorities and in conjunction with our government partners, we have successfully warned some potential victims ahead of time that computer network exploitation or computer network attacks were about to happen. They were able to use that information to shore up their defenses.

Another area in which we’ve had success recently is in targeting infrastructure we believe has been used in distributed denial of service (DDoS) attacks, and preventing it from being used for future attacks.

Since October, the FBI and the Department of Homeland Security have released nearly 130,000 IP addresses that were believed to be infected with DDoS malware. We have released this information through joint intelligence bulletins (JIBs) to 129 countries. These JIBs are released by both the Department of Homeland Security’s Computer Emergency Readiness Team mechanisms as well as by our legal attachés to our foreign partners.

These actions have enabled our foreign partners to take action and reduced the effectiveness of the botnets and the DDoS attacks.

Next Generation Cyber

The need to prevent attacks before they occur is a key reason we have redoubled our efforts to strengthen our cyber capabilities while protecting privacy, confidentiality, and civil liberties. The FBI’s Next Generation Cyber Initiative, which we launched in 2012, entails a wide range of measures, including focusing our Cyber Division on intrusions; hiring additional computer scientists; creating Cyber Task Forces focused on intrusions in each of our 56 field offices; and expanding partnerships and collaboration at the National Cyber Investigative Joint Task Force (NCIJTF).

The nature and severity of the cyber threat have led the government agencies with a role in cyber security to recognize that we must work together more efficiently than ever to keep pace with and surpass our adversaries in this realm.

To that end, FBI Director Robert Mueller, DHS Secretary Janet Napolitano, and National Security Agency (NSA) Director Keith Alexander recently held a series of meetings to clarify the lanes in the road in cyber jurisdiction. The group mutually agreed on their respective roles and responsibilities related to a cyber incident. The FBI’s role is to investigate, attribute, and disrupt cyber crimes affecting the United States. DHS’ role is to protect our critical infrastructure and our networks, coordinate mitigation and recovery from cyber incidents, and to disseminate threat information across various sectors. NSA’s role is to gather intelligence on foreign cyber threats and to protect national security systems.

We are coordinating at an unprecedented level, including rapid, real-time exchanges from FBI investigative activities to DHS, allowing the department to push out information to help safeguard other networks from similar attacks.

A key part of the intergovernmental effort is the FBI-operated NCIJTF, which serves as the deconfliction center on cyber investigations among 19 agencies. The NCIJTF involves senior personnel from key agencies, including deputy directors from NSA, DHS, the Central Intelligence Agency, and U.S. Secret Service. A fifth deputy will soon be appointed by U.S. Cyber Command. NCIJTF brings together a partnership of agencies focused on addressing cyber threats through investigations and intelligence sharing.

Not only have we recognized that the cyber threat warrants considerably strengthening our intergovernmental partnerships, but it also warrants significantly enhancing our collaboration with the private sector.

Today, the private sector is the essential partner if we are to succeed in defeating the cyber threat. The private sector is a primary victim of cyber intrusions—and its networks contain the evidence of countless such attacks. Our nation’s companies and businesses possess the information, the expertise, and the knowledge we need to combat the threat. They also build the components of cyber security—the hardware, the software, and the networks—and drive future technology.

(Continued on pg. 23)


(Continued from page 22)

In the past, industry has provided us information about attacks that have occurred, and we’ve investigated the attacks. Our adversaries have taken advantage of the fact that we have been limited in the kind of information we exchange with the private sector. We now realize this can no longer be a one-way flow of information.

As part of our enhanced private sector outreach efforts, we’re providing industry with tools—including information—to help repel intruders. In fact, in line with a strategic government-wide shift, we have recently begun to provide classified threat briefings to key industry partners and work with them to exchange information. InfraGard, NCFTA, and our other partnerships are a step in the right direction.

But we must build on these initiatives, in conjunction with our federal partners, to expand the channels of information sharing and collaboration. We recognize that there are many considerations to take into account when considering the level of public-private collaboration we believe is necessary, including industry concerns about the protection of their proprietary information and questions about how best to share classified information. We are committed, however, to engaging in this collaboration in a way that fully protects privacy, confidentiality, and civil liberties.

* * *

In conclusion, Mr. Chairman, to counter the cyber threats we face, we are engaging in an unprecedented level of intergovernmental collaboration and cooperation with the private sector.

We look forward to continuing to expand on those partnerships and working with the committee and Congress as a whole to determine a successful course forward for the nation to combat the cyber threat while protecting privacy, confidentiality, and civil liberties.

Thank you again for the opportunity to appear before you today. I would be happy to answer any questions you may have.

Deputy Attorney General James M. Cole Speaks at the Administration Event to Highlight Priorities for Cybersecurity Policy

http://www.justice.gov/iso/opa/dag/speeches/2013/dag-speech-130213.html

Washington, D.C.
Wednesday, February 13, 2013

Last year, the Administration made its views on the importance of privacy and civil liberties clear during deliberations on cybersecurity legislation. The Administration declared, “Cybersecurity and privacy are not mutually exclusive.” It also affirmed its commitment that “[t]he sharing of information must be conducted in a manner that preserves Americans' privacy, data confidentiality, and civil liberties….”

Today, as we roll-out the Executive Order on Improving Critical Infrastructure Cybersecurity, the Administration is just as resolute about adhering to those ideals.

As Deputy Secretary Lute and General Alexander have emphasized, one of the most important aspects of the Executive Order is its emphasis on improving government mechanisms for providing timely cyber threat information to the private sector. For example, the Executive Order explicitly adopts a “whole-of-government” policy to increase the volume, timeliness, and quality of cyber threat information that is shared with the U.S. private sector so that they may better protect and defend themselves against cyber threats. In that vein, the Order mandates expansion of the Enhanced Cybersecurity Services initiative—a voluntary program that provides classified cyber threat information to appropriately cleared personnel employed by private sector owners and operators of critical infrastructure. In addition, the Order requires the Department of Justice, the Department of Homeland Security, and the Office of the Director of National Intelligence to declassify cyber threat intelligence reports that target U.S. entities and to establish a process for rapidly notifying those entities of cyber threats. These are critical initial steps that the government must take to assist private sector companies in defending their systems and networks from escalating, evolving, and increasingly sophisticated cyber threats. In taking these steps to improve the flow of cyber threat information, however, we must not lose sight of our commitment to secure individual privacy and civil liberties as we do it.

How will we ensure that information received and disseminated under the Executive Order is protected consistent with our commitment to protect privacy and civil liberties?

We will do so by ensuring that our cybersecurity activities are conducted in a transparent manner with the guidance and oversight of officials trained to safeguard privacy and civil liberties. Under the Executive Order, each federal department and agency is required to develop and implement privacy and civil liberties safeguards in concert with their cybersecurity activities. Each agency’s senior officials for privacy and civil liberties are required to conduct assessments of those safeguards and their implementation. Those assessments will be shared with DHS’ Chief Privacy Officer and Officer for Civil Rights and Civil Liberties for inclusion in a public report. That report will be produced in consultation with the Privacy and Civil Liberties Oversight Board and reviewed annually.

The Executive Order includes another important feature designed to ensure that federal agencies take a consistent and thorough approach to identifying and mitigating potential privacy impacts of cybersecurity activities. In particular, it requires agencies to conduct their assessments using the well-established Fair Information Practice Principles—also known as “FIPPs.”

So what are the “FIPPs”? FIPPs are the widely-accepted framework of principles used to assess and mitigate privacy and civil liberties impacts of information systems, processes, or programs. They consist of eight interdependent principles—Transparency, Individual Participation, Purpose Specification, Data Minimization, Use Limitation, Data Quality and Integrity, Security, Accountability and Auditing.

The FIPPS provide an objective set of principles, but they also permit agencies to apply those principles in the context of their differing authorities and missions. They are not a new invention of this Executive Order. Rather, they are time-tested and universally recognized principles that form the basis of the Privacy Act of 1974 and dozens of other federal privacy and information protection statutes. They continue to be used prominently today, including in the White House’s National Strategy for Trusted Identities in Cyberspace and the Consumer Privacy Bill of Rights.

In closing, I want to emphasize the Administration’s commitment to doing this right—which is demonstrated by the Executive Order itself. This Order sets the direction for responsible, effective cybersecurity standards and information sharing, while preserving individual privacy and civil liberties and ensuring transparency and accountability to the American public we seek to protect.


Executive Order -- Improving Critical Infrastructure Cybersecurity

http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity

EXECUTIVE ORDER

IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY

By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows:

Section 1. Policy. Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation's critical infrastructure in the face of such threats. It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties. We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards.

Sec. 2. Critical Infrastructure. As used in this order, the term critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

Sec. 3. Policy Coordination. Policy coordination, guidance, dispute resolution, and periodic in-progress reviews for the functions and programs described and assigned herein shall be provided through the interagency process established in Presidential Policy Directive-1 of February 13, 2009 (Organization of the National Security Council System), or any successor.

Sec. 4. Cybersecurity Information Sharing. (a) It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats. Within 120 days of the date of this order, the Attorney General, the Secretary of Homeland Security (the "Secretary"), and the Director of National Intelligence shall each issue instructions consistent with their authorities and with the requirements of section 12(c) of this order to ensure the timely production of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity. The instructions shall address the need to protect intelligence and law enforcement sources, methods, operations, and investigations.

(b) The Secretary and the Attorney General, in coordination with the Director of National Intelligence, shall establish a process that rapidly disseminates the reports produced pursuant to section 4(a) of this order to the targeted entity. Such process shall also, consistent with the need to protect national security information, include the dissemination of classified reports to critical infrastructure entities authorized to receive them. The Secretary and the Attorney General, in coordination with the Director of National Intelligence, shall establish a system for tracking the production, dissemination, and disposition of these reports.

(c) To assist the owners and operators of critical infrastructure in protecting their systems from unauthorized access, exploitation, or harm, the Secretary, consistent with 6 U.S.C. 143 and in collaboration with the Secretary of Defense, shall, within 120 days of the date of this order, establish procedures to expand the Enhanced Cybersecurity Services program to all critical infrastructure sectors. This voluntary information sharing program will provide classified cyber threat and technical information from the Government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure.

(d) The Secretary, as the Executive Agent for the Classified National Security Information Program created under Executive Order 13549 of August 18, 2010 (Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities), shall expedite the processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators, prioritizing the critical infrastructure identified in section 9 of this order.

(e) In order to maximize the utility of cyber threat information sharing with the private sector, the Secretary shall expand the use of programs that bring private sector subject-matter experts into Federal service on a temporary basis. These subject matter experts should provide advice regarding the content, structure, and types of information most useful to critical infrastructure owners and operators in reducing and mitigating cyber risks.

Sec. 5. Privacy and Civil Liberties Protections. (a) Agencies shall coordinate their activities under this order with their senior agency officials for privacy and civil liberties and ensure that privacy and civil liberties protections are incorporated into such activities. Such protections shall be based upon the Fair Information Practice Principles and other privacy and civil liberties policies, principles, and frameworks as they apply to each agency's activities.

(b) The Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of the Department of Homeland Security (DHS) shall assess the privacy and civil liberties risks of the functions and programs undertaken by DHS as called for in this order and shall recommend to the Secretary ways to minimize or mitigate such risks, in a publicly available report, to be released within 1 year of the date of this order. Senior agency privacy and civil liberties officials for other agencies engaged in activities under this order shall conduct assessments of their agency activities and provide those assessments to DHS for consideration and inclusion in the report. The report shall be reviewed on an annual basis and revised as necessary. The report may contain a classified annex if necessary. Assessments shall include evaluation of activities against the Fair Information Practice Principles and other applicable privacy and civil liberties policies, principles, and frameworks. Agencies shall consider the assessments and recommendations of the report in implementing privacy and civil liberties protections for agency activities.

(c) In producing the report required under subsection (b) of this section, the Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of DHS shall consult with the Privacy and Civil Liberties Oversight Board and coordinate with the Office of Management and Budget (OMB).

(d) Information submitted voluntarily in accordance with 6 U.S.C. 133 by private entities under this order shall be protected from disclosure to the fullest extent permitted by law.

Sec. 6. Consultative Process. The Secretary shall establish a consultative process to coordinate improvements to the cybersecurity of critical infrastructure. As part of the consultative process, the Secretary shall engage and consider the advice, on matters set forth in this order, of the Critical Infrastructure Partnership Advisory Council; Sector Coordinating Councils; critical infrastructure owners and operators; Sector-Specific Agencies; other relevant agencies; independent regulatory agencies; State, local, territorial, and tribal governments; universities; and outside experts.

(Continued on pg. 25)


(Continued from pg. 24)

Sec. 7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure. (a) The Secretary of Commerce shall direct the Director of the National Institute of Standards and Technology (the "Director") to lead the development of a framework to reduce cyber risks to critical infrastructure (the "Cybersecurity Framework"). The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. The Cybersecurity Framework shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible. The Cybersecurity Framework shall be consistent with voluntary international standards when such international standards will advance the objectives of this order, and shall meet the requirements of the National Institute of Standards and Technology Act, as amended (15 U.S.C. 271 et seq.), the National Technology Transfer and Advancement Act of 1995 (Public Law 104-113), and OMB Circular A-119, as revised.

(b) The Cybersecurity Framework shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. The Cybersecurity Framework shall focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure. The Cybersecurity Framework will also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations. To enable technical innovation and account for organizational differences, the Cybersecurity Framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks. The Cybersecurity Framework shall include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework.

(c) The Cybersecurity Framework shall include methodologies to identify and mitigate impacts of the Cybersecurity Framework and associat-

tional Security Agency, Sector-Specific Agencies and other interested agencies including OMB, owners and operators of critical infrastructure, and other stakeholders through the consultative process established in section 6 of this order. The Secretary, the Director of National Intelligence, and the heads of other relevant agencies shall provide threat and vulnerability information and technical expertise to inform the development of the Cybersecurity Framework. The Secretary shall provide performance goals for the Cybersecurity Framework informed by work under section 9 of this order.

(e) Within 240 days of the date of this order, the Director shall publish a preliminary version of the Cybersecurity Framework (the "preliminary Framework"). Within 1 year of the date of this order, and after coordination with the Secretary to ensure suitability under section 8 of this order, the Director shall publish a final version of the Cybersecurity Framework (the "final Framework").

(f) Consistent with statutory responsibilities, the Director will ensure the Cybersecurity Framework and related guidance is reviewed and updated as necessary, taking into consideration technological changes, changes in cyber risks, operational feedback from owners and operators of critical infrastructure, experience from the implementation of section 8 of this order, and any other relevant factors.

Sec. 8. Voluntary Critical Infrastructure Cybersecurity Program. (a) The Secretary, in coordination with Sector-Specific Agencies, shall establish a voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities (the "Program").

(b) Sector-Specific Agencies, in consultation with the Secretary and other interested agencies, shall coordinate with the Sector Coordinating Councils to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.

(c) Sector-Specific Agencies shall report annually to the President, through the Secretary, on the extent to which owners and operators notified under section 9 of this order are participating in the Program.

President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs, that shall include analysis of the benefits and relative effectiveness of such incentives, and whether the incentives would require legislation or can be provided under existing law and authorities to participants in the Program.

(e) Within 120 days of the date of this order, the Secretary of Defense and the Administrator of General Services, in consultation with the Secretary and the Federal Acquisition Regulatory Council, shall make recommendations to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs, on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration. The report shall address what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity.

Sec. 9. Identification of Critical Infrastructure at Greatest Risk. (a) Within 150 days of the date of this order, the Secretary shall use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security. In identifying critical infrastructure for this purpose, the Secretary shall use the consultative process established in section 6 of this order and draw upon the expertise of Sector-Specific Agencies. The Secretary shall apply consistent, objective criteria in identifying such critical infrastructure. The Secretary shall not identify any commercial information technology products or consumer information technology services under this section. The Secretary shall review and update the list of identified critical infrastructure under this section on an annual basis, and provide such list to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs.

(b) Heads of Sector-Specific Agencies and other relevant agencies shall provide the Secretary with information necessary to carry out the responsibilities under this section. The Secretary shall develop a process for other relevant
stakeholders to submit information to assist in ed information security measures or controls on making the identifications required in subsec- (d) The Secretary shall coordinate establish- business confidentiality, and to protect individu- tion (a) of this section. al privacy and civil liberties. ment of a set of incentives designed to promote participation in the Program. Within 120 days of (d) In developing the Cybersecurity Framework, the date of this order, the Secretary and the the Director shall engage in an open public Secretaries of the Treasury and Commerce review and comment process. The Director each shall make recommendations separately (Continued on pg. 26) shall also consult with the Secretary, the Na- to the President, through the Assistant to the


(c) The Secretary, in coordination with Sector-Specific Agencies, shall confidentially notify owners and operators of critical infrastructure identified under subsection (a) of this section that they have been so identified, and ensure identified owners and operators are provided the basis for the determination. The Secretary shall establish a process through which owners and operators of critical infrastructure may submit relevant information and request reconsideration of identifications under subsection (a) of this section.

Sec. 10. Adoption of Framework. (a) Agencies with responsibility for regulating the security of critical infrastructure shall engage in a consultative process with DHS, OMB, and the National Security Staff to review the preliminary Cybersecurity Framework and determine if current cybersecurity regulatory requirements are sufficient given current and projected risks. In making such determination, these agencies shall consider the identification of critical infrastructure required under section 9 of this order. Within 90 days of the publication of the preliminary Framework, these agencies shall submit a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, the Director of OMB, and the Assistant to the President for Economic Affairs, that states whether or not the agency has clear authority to establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure, the existing authorities identified, and any additional authority required.

(b) If current regulatory requirements are deemed to be insufficient, within 90 days of publication of the final Framework, agencies identified in subsection (a) of this section shall propose prioritized, risk-based, efficient, and coordinated actions, consistent with Executive Order 12866 of September 30, 1993 (Regulatory Planning and Review), Executive Order 13563 of January 18, 2011 (Improving Regulation and Regulatory Review), and Executive Order 13609 of May 1, 2012 (Promoting International Regulatory Cooperation), to mitigate cyber risk.

(c) Within 2 years after publication of the final Framework, consistent with Executive Order 13563 and Executive Order 13610 of May 10, 2012 (Identifying and Reducing Regulatory Burdens), agencies identified in subsection (a) of this section shall, in consultation with owners and operators of critical infrastructure, report to OMB on any critical infrastructure subject to ineffective, conflicting, or excessively burdensome cybersecurity requirements. This report shall describe efforts made by agencies, and make recommendations for further actions, to minimize or eliminate such requirements.

(d) The Secretary shall coordinate the provision of technical assistance to agencies identified in subsection (a) of this section on the development of their cybersecurity workforce and programs.

(e) Independent regulatory agencies with responsibility for regulating the security of critical infrastructure are encouraged to engage in a consultative process with the Secretary, relevant Sector-Specific Agencies, and other affected parties to consider prioritized actions to mitigate cyber risks for critical infrastructure consistent with their authorities.

Sec. 11. Definitions. (a) "Agency" means any authority of the United States that is an "agency" under 44 U.S.C. 3502(1), other than those considered to be independent regulatory agencies, as defined in 44 U.S.C. 3502(5).

(b) "Critical Infrastructure Partnership Advisory Council" means the council established by DHS under 6 U.S.C. 451 to facilitate effective interaction and coordination of critical infrastructure protection activities among the Federal Government; the private sector; and State, local, territorial, and tribal governments.

(c) "Fair Information Practice Principles" means the eight principles set forth in Appendix A of the National Strategy for Trusted Identities in Cyberspace.

(d) "Independent regulatory agency" has the meaning given the term in 44 U.S.C. 3502(5).

(e) "Sector Coordinating Council" means a private sector coordinating council composed of representatives of owners and operators within a particular sector of critical infrastructure established by the National Infrastructure Protection Plan or any successor.

(f) "Sector-Specific Agency" has the meaning given the term in Presidential Policy Directive-21 of February 12, 2013 (Critical Infrastructure Security and Resilience), or any successor.

Sec. 12. General Provisions. (a) This order shall be implemented consistent with applicable law and subject to the availability of appropriations. Nothing in this order shall be construed to provide an agency with authority for regulating the security of critical infrastructure in addition to or to a greater extent than the authority the agency has under existing law. Nothing in this order shall be construed to alter or limit any authority or responsibility of an agency under existing law.

(b) Nothing in this order shall be construed to impair or otherwise affect the functions of the Director of OMB relating to budgetary, administrative, or legislative proposals.

(c) All actions taken pursuant to this order shall be consistent with requirements and authorities to protect intelligence and law enforcement sources and methods. Nothing in this order shall be interpreted to supersede measures established under authority of law to protect the security and integrity of specific activities and associations that are in direct support of intelligence and law enforcement operations.

(d) This order shall be implemented consistent with U.S. international obligations.

(e) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

BARACK OBAMA

THE FBI IN POPULAR FICTION (COMIC BOOKS)

Pictured below are some examples of comic books where the FBI is depicted carrying out its various missions.

For those of you old enough to remember the old Classics Illustrated Series of Comics, the FBI and its Counterintelligence missions are prominently depicted in the above The Illustrated Story of the FBI.

Pictured above is the comic book version of the 1959 movie, The FBI Story, starring James Stewart. This comic depicts the movie version of The FBI Story, and has the "hollow nickel" holding microfiche sequence and a surveillance of a Russian spy to the subway and Yankee Stadium.

The above is a loose depiction of the book, The FBI Story. It includes a sequence fictionalizing the Rudolph Abel (1950s Russian Spy operating in the US) story.

We hope you have enjoyed these popular cultural references that we have included in the last few issues of our newsletter.


iTravelSafe™

• Avoid Cultural Missteps

• Protect Your Business Secrets

• Avoid Crime and Scams Travelers Face

iTravelSafe™ The Advantage SCI App

Avoid getting “scammed” when traveling overseas. Read about frauds and scams related to international travel. Do you have elderly relatives traveling overseas? Gift them a copy of this App so they can be aware of scams targeting the elderly.

Sitting in the plane, holding your iPhone, thinking about your trip to Brazil…

"Hmmm. My phone is in "Airplane Mode" with no internet connection. I really wish I had read a bit more detailed information about traveling to Brazil, what I could do safely. But with no internet connection, I guess I can’t do that, can I?"

"Wait a second!! I have the iTravelSafe™ app on my iPhone. All of the data I need is on my phone now. I can read it all even with no internet or cellular connection! Wow, that is really cool! Oh my, look here! I better not go on that hiking trip near Brazil’s border regions, I might get kidnapped. Oh no, my planned charitable journey to Rio’s shanty town is too dangerous. I’ll have to call it off. It’s a good thing I had iTravelSafe™ with me to tip me off to the danger!"

Are you a parent with a child spending a semester in an overseas study course? Make sure your children read the “Tips for Students” section of the iTravelSafe™ App.

Driving overseas? Read about driving in many of the more than 200 countries this App includes.

iTravelSafe™ gives an organization an app for its employees traveling outside the U.S. to use as a "self-briefing" travel tool. Read about hotel safety. Study up on tips about which business travelers need to be "savvy."

Advantage SCI's Smartphone App: iTravelSafe™

Everything you see pictured here is a screenshot from the iTravelSafe™ App.

An Android version of this App is available for immediate purchase at the Google Play Store https://play.google.com/store/search?q=itravelsafe&c=apps, or an iPhone version at the iTunes Store http://itunes.apple.com/us/app/itravelsafe/id521506480?ls=1&mt=8.

Keep up to date with the latest Travel Alerts pushed out to iTravelSafe™ users immediately from the U.S. State Department.

Example of the screenshot, appropriate for the country to which it applies, will be sent to your device as soon as the U.S. State Department pushes out the notification of any Travel Alert

NOW INCLUDING SECURITY TIP OF THE WEEK !

For volume sales, please contact Richard Haidle at 310-536-9876 x237 or email [email protected].


Advantage SCI Vision: "Educate America’s 300 million people and business leaders on prevention, detection, and response to 21st century threats."

Corporate Headquarters
Advantage SCI, LLC
222 North Sepulveda Boulevard
Suite 1780
El Segundo, California 90245
Phone: 310.536.9876
Fax: 310.943.2351
www.advantagesci.com

Newsletter Editor: Richard Haidle, Counterintelligence Services Manager
[email protected]
310.536.9876 x237

Advantage SCI is a 8(a), SERVICE-DISABLED VETERAN-OWNED BUSINESS (SDVOSB), SMALL BUSINESS ENTITY (SBE), MINORITY-OWNED BUSINESS ENTITY (MBE), SMALL DISADVANTAGED BUSINESS ENTITY (SDB), WOMAN-OWNED BUSINESS ENTITY (WBE)

ADVANTAGE SCI PRODUCTS, SERVICES, AND TRAINING

Advantage SCI offers services supporting the counterintelligence needs of the cleared defense contractor community, private business, government, utilities, and municipalities with requirements to protect classified information, trade secrets, intellectual property and other privileged information.

Services include:

• Vulnerability Assessments
• Threat briefings/Foreign Travel Briefings/Debriefings
• Counterintelligence (CI) Awareness Training / Insider Threat Training
• TSCM services in classified or unclassified spaces
• Facility Security Officer (FSO) In a Box
• Consult With a CI Professional
• Foreign Travel Briefings and Debriefings
• Intelligence Analysis / Intelligence Analysts
• Plans, SOPs and Regulatory related materials
• Workplace Violence Prevention and Response
• Other matters related to improving CI related posture

NAICS Codes

928110 - NATIONAL SECURITY
541512 - COMPUTER SYSTEMS DESIGN SERVICES
541519 - OTHER COMPUTER RELATED SERVICES
541611 - ADMIN MGMT/GENERAL MGMT CONSULTING
541612 - CONSULTING SERVICES
541618 - OTHER MANAGEMENT CONSULTING
541690 - OTHER SCIENTIFIC AND TECH CONSULTING
541990 - OTHER PROF, SCIENTIFIC, & TECH SERVICES
561210 - FACILITIES SUPPORT SERVICES
561499 - OTHER BUSINESS SUPPORT SERVICES
561611 - INVESTIGATION SERVICES
561621 - SECURITY SYSTEMS (EXCEPT LOCKSMITHS)
561990 - OTHER SUPPORT SERVICES
611430 - PROFESSIONAL AND MGMT DEVELT TRAINING
611699 - OTHER MISC SCHOOLS AND INSTRUCTION
922190 - OTHER JUSTICE, PUBL ORDER/SAFETY ACTIVITIES

Homeland Security and Private Sector Business: Corporations' Role in Critical Infrastructure Protection
By Elsa Lee
Auerbach Publications 2009
Print ISBN: 978-1-4200-7078-1
eBook ISBN: 978-1-4200-7079-8
Order Your Copy at: http://www.crcpress.com/

Since September 11, 2001 the American Public has not had a clear understanding of "Homeland Security" and just what it means for the average citizen and business owner. Elsa Lee, in her first attempt, has hit "a home run!" Not only is the book well researched, but it is quite simply the best resource on this important subject. I found the context to be informative, persuasive, and topical. Not only does the writer provide a clear understanding of the need for a National Infrastructure Plan, but provides the reader with a clear blueprint for protecting all of America's resources at home and abroad. Hopefully, every university and college with a Homeland Security course will use this book as a major text to insure that all students obtain a grounded education on this important topic.

Review by: Alfred J. Finch, FBI Legal Attaché, Cairo (Retired)

Securing Tomorrow Today!
