(U//FOUO) FBI Counterintelligence Vulnerability Assessment for Corporate America

The following document was obtained from the website of a Colorado affiliate of the National Defense Industrial Association.



  • 10 pages
  • For Official Use Only
  • September 18, 2009
  • 5.4 MB


To prevent foreign entities from achieving their goals, a Counterintelligence Program (CIP) proactively searches for and uses information from multiple sources. An effective CIP draws information from security programs and other internal systems, as well as from the U.S. Intelligence Community (USIC). Once this information is assembled, an effective CIP develops a coherent picture and crafts a strategy to prevent the foreign entity from successfully achieving its goals and to minimize the damage already done. An effective CIP conducts active analysis of available information, requires annual CI education for all employees, and provides a system for immediate referral of behavior with CI implications.


• A central entity accountable for executing the program company-wide
o Reporting structure for all CI personnel
o Liaisons with the USIC and/or US Government (USG) project sponsors

• Recognition of the Insider Threat potential
o High value and unique access personnel are identified and briefed
o A system exists to identify patterned behavior with possible CI implications
o Liaisons with the FBI when possible espionage activity is identified

• Recognition of the Foreign Threat potential
o Liaisons with the FBI/USG to discuss the foreign governments, organizations, and competitors who are targeting technologies and information owned/used by the company.

• Integration of CI and Information Technology (IT)
o Trip wires exist to recognize anomalies with CI implications
o CI and IT personnel work closely on network architecture and security, including cyber attacks, intrusions, and suspicious incidents.

• Valuable Partnerships
o Internal and external liaisons with the USIC

• Training
o CI training is required and tailored to specific programs and positions


• The CI discipline and Security discipline are different and unique
• All personnel require CI awareness and certain employees require special awareness training
• A strong link between IT security and CI is essential in the global workplace
• The company can improve its protection through relationships with the USIC and USG


Despite multiple layers of protection, “insiders” have proven to be the most effective penetration tool for foreign governments and intelligence services. Insiders betray their company for a number of reasons, including money, revenge, or ideology. While all employees are potentially an insider threat, not all warrant the same level of CI precautions. All employees should have a basic CI awareness, but beyond that an effective program identifies personnel who are of high value to the company or possess unique access within the company for additional CI awareness training. The baseline question for determining who is of high value or who has unique access is: what is the significance of the damage that will occur if this person were recruited by a foreign government or competitor?

High value and unique access personnel:

• Are critical to project success
• Are associated with critical programs
• Have access to critical internal systems or technologies
• If compromised, could significantly impact National Security (intelligence or military programs) or the company’s economic viability

A system to identify and document suspicious activity by persons who:

• Inquire above their security clearance
• Access sensitive information during odd hours
• Query and/or collect unusually large amounts of information
• Ask questions about projects they are not involved with
• Are patterned in their suspicious behavior
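As an added example that is not part of the FBI document, the following Python sketches how such a system could score access-log events against the five indicators above and flag repetition; the clearance scale, personnel records, log lines and thresholds are all constructed for illustration.

```python
"""Toy insider-threat indicator scoring over a constructed access log (added example)."""
from collections import Counter, defaultdict

# Constructed clearance ordering and thresholds; tune to the real environment.
CLEARANCE = {"PUBLIC": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
ODD_HOURS = range(0, 6)   # 00:00-05:59 counts as "odd hours"
VOLUME_LIMIT = 500        # records per event before it counts as a bulk query

# Constructed personnel records: clearance held and projects the person is assigned to
# (a slice of the centralized personnel information system the assessment recommends).
EMPLOYEES = {
    "alice": {"clearance": "SECRET", "projects": {"PEGASUS"}},
    "bob": {"clearance": "CONFIDENTIAL", "projects": {"ORION"}},
}

# Constructed log events: (user, hour, document classification, project, record count)
ACCESS_LOG = [
    ("alice", 10, "SECRET", "PEGASUS", 12),
    ("bob", 2, "SECRET", "PEGASUS", 800),
    ("bob", 3, "SECRET", "PEGASUS", 650),
    ("bob", 9, "CONFIDENTIAL", "ORION", 5),
]


def flag_event(user, hour, classification, project, records):
    """Return the names of the indicators a single access event trips for this user."""
    emp = EMPLOYEES[user]
    flags = []
    if CLEARANCE[classification] > CLEARANCE[emp["clearance"]]:
        flags.append("above_clearance")      # inquiring above one's clearance
    if hour in ODD_HOURS:
        flags.append("odd_hours")            # access during odd hours
    if records > VOLUME_LIMIT:
        flags.append("bulk_query")           # unusually large collection
    if project not in emp["projects"]:
        flags.append("outside_projects")     # interest in projects not assigned
    return flags


def pattern_report(log, repeat_threshold=2):
    """Count indicators per user; 'patterned' is set once any one indicator repeats
    across events, which is the behaviour the assessment singles out for referral."""
    counts = defaultdict(Counter)
    for event in log:
        counts[event[0]].update(flag_event(*event))
    report = {}
    for user, c in counts.items():
        patterned = any(n >= repeat_threshold for n in c.values())
        report[user] = {"indicators": dict(c), "patterned": patterned}
    return report
```

A real deployment would feed the same scoring from the personnel system and the network logs described later in this document rather than from inline constants.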

Categories of conduct that may be exploitable for the purpose of coercion may include:

• The loss of security clearance
• Financial anomalies
• Disciplinary action and dismissals
• Unreported contacts with foreign nationals
• Unauthorized access to secure systems
• Marked changes in behavior

A comprehensive and centralized personnel information system should include:

• Data on clearance level
• Foreign travel
• Regular business contact with foreign nationals
• Disciplinary actions
• Arrests or police incident records
• Exploitable conduct allegations
• Security infractions or withdrawal of a clearance
• Other information that contributes to a comprehensive picture of the employee.


A successful CIP addresses the cyber-borne threat to a company’s information, technologies, and personnel. The company uses information technology (IT) tools to augment the CI program, especially in addressing the insider threat.

The virtual cyber world significantly expands access to sensitive information for the public at large, foreign intelligence services, foreign competitors, and the “insider.” As a result, the partnership between IT security and CI is crucial to fully protect sensitive information while providing access to those who need it. This protection/access balance is significantly strengthened by a CI-trained cyber security cadre who interact with the CI Program Manager and other CI personnel in a mutually beneficial way. This begins with an understanding of the difference between traditional IT security (secure passwords, security plans, vulnerability scanning, etc.) and cyber security with a CI focus (intrusion detection systems placed on sensitive and classified networks, vulnerability scanning for repeated high vulnerabilities in certain machines or those associated with certain high value individuals).

Beneficial IT information includes:

• Intrusion attempts
• Unsolicited email from threat countries
• Hits on web sites
• Anomalous activity on the internal network

The CIP can collate the IT information with other available information including:

• Visitors from threat countries
• Foreign travel
• Employees with access to sensitive information
• Knowledge of entities targeting the company’s information
