The U.S. Supply Chain Should Care About Human Intelligence.
The recent attack of the SolarWinds IT management software is grim reminder that foreign adversaries continue to access into the U.S. supply chain and are using many tactics to gain access into our networks.
One of the methods these bad actors are using is HUMINT, or human intelligence, to gain access to a source/target, influence U.S. policy, spread propaganda, learn of advancements in technology, support ongoing or future operations, and/or prepare for future wars.
Understanding what HUMINT is, methods used, and how you can prevent against targeted efforts from a foreign intelligence service is the first step in protecting the U.S. supply chain from future attacks.
Human intelligence, as categorized by security and intelligence experts, is a covert method used to screen individuals that may be used as a source of information to support future and ongoing intelligence gathering operations. Unlike the common cybersecurity term ‘social engineering’ that focuses on deception of manipulating individuals into disclosing sensitive information for fraudulent means, HUMINT takes it a step further by identifying people they can recruit to give them information.
Furthermore, intel services have time to manipulate and exploit. They can identify their targets over time and invest in recruiting these sources to give them information that may seem insignificant to others, but in the long run is valuable to the overall operation. A source may be aware that he or she is giving away information and committing treason (think Edward Snowden) but more often than not, the agent is extracting information from the source without disclosing his or her affiliation with a foreign service.
The sole purpose of an intelligence service is to gather data that will help them gain further footing that further advances their political endeavors or ongoing and future operations. To do this, intel services are collecting data about nearly everything, including:
· Critical U.S. Infrastructure: This includes gathering data on our transportation routes, waterways, electrical grid, healthcare systems, automotive, manufacturing industries, and more.
· Relationship Data: Ever hear the term, it’s not what you have, but who you know? HUMINT is about exploiting people, so foreign intel services will target anyone they believe has access, or has access to someone who has access. This is why you don’t have to be tied to the Defense Industrial Base (DIB) or U.S. Supply Chain or Critical Infrastructure to be a target.
· Intellectual Proprietary (IP) Information & Emerging Technologies: By knowing our advancements in technology or having access to our IP, this gives them that advantage.
A few methods intelligence services use to exploit and recruit for information include:
· Network Analysis – Again, you personally do not need to have information that these bad actors want – you only need to have access to someone that does. From LinkedIn to TikTok to the conference you attended pre-pandemic, all your in real life and electronically available networks are being analyzed. Highly likely that a foreign intelligence service as figured out that you play Disc Golf with a guy who works in logistics at a company that stamps parts for the engine of the replacement of Lockheed Martin’s F-35 Lightning II. You are a target.
· Recruitment – As noted above, a foreign service has time and resources to exploit humans for information. Like social engineering that relies on the manipulation of individuals to disclose information, an agent wants to recruit long term assets to give them information. To do this, they study your human behaviors and desires. They try to understand how you tick. Are you financially or ideologically motivated to give away information? Did you come from a first- generation American family, got into the best supply chain program in the U.S. (we see you Spartans), but had to take out massive loans to cover what your scholarships didn’t? You are a target.
· Embedding Agents into our Organizations – According to a 2017 CNN report, nearly 100,000 agents from 60 to 80 countries were operating within the U.S. This means our adversaries have their people in place to collect information clandestinely. These people are working covertly within our businesses and have no official ties to their host country. Many vendors in the Supply Chain fail to apply a risk-based management concept that would ensure a robust security governance strategy and highlight data or purchase acquisitions that remain within the deployment lifecycle that could be considered a risk. The lack of security considerations allows agents embedded within your infrastructure to exploit weaknesses. You are a target.
· Human Collection at Social Gatherings, Events, and Conferences – Spies gather information at meetings, interviews, surveillance, and interrogations. They also deploy agents to large conferences and events to gather data in person and via technical exploitation. How many times did you network till you dropped at the last conference you attended in person? And that stack of business cards you turned into LinkedIn connections were people you’ve only met once? You are a target.
Prevent and Protect:
Five steps you can take to prevent human exploitation from a nation-states and protect our critical U.S. supply chain:
1.) Build Awareness – Take security awareness classes, adopt a risk-based management concept with a robust security strategy, create and build education around the various data exploitation types that nation-state adversaries use.
2.) Evaluate Your Relationships – Remember you don’t have to be a part of the U.S. Supply Chain, work within the U.S. Critical Infrastructure, or DIB to be considered a target. You just have to have access to someone that does. My recommendation would be to evaluate your existing relationships, assets (physical and virtual) to understand who could be targeted within your social network and is the first step in protecting those relationships. You may be the avenue of access for a nation-state.
3.) Question Unwarranted Solicitations About Your Relationships – Has someone recently entered your life that is inquiring about people or relationships you have that seem unusual? Since we put everything and almost anything via various social media networks, be cautious people that enter your network that are asking questions about your work, network and relationships. A foreign service has the time and resources to enter your network and try to exploit you via human methods.
4.) Protect Yourself at Events and Travel – Recognize if someone approaches you during an event to ask specific questions about your life, network, or relationships that could lead to the giving away of information. Be sure to protect your devices with the proper encryption or bring a burner device if you believe the data on your device is sensitive.
5.) Talk to an Expert – Work with a cybersecurity expert to increase your awareness about how to better protect yourself, your network, work or organizations. A professional cybersecurity expert can guide you and your organization on adapting the right risk and cybersecurity framework that includes security awareness.
Leave a Reply
Angie is the CEO of JADEX, she has a diverse background in national security and military intelligence. Today, she applies her skills towards helping clients improve and secure their technology solutions.
“Helping people secure and leverage their technology.”