Packing for an overseas business trip? U.S. intelligence agencies want you to leave your phone and laptop at home. Their message: Spies are everywhere, and they are out to get you.
“Make no mistake, American companies are squarely in the crosshairs of well-financed nation-state actors,” said William Evanina, director of the federal government’s National Counterintelligence and Security Center, in a news release that almost certainly went into the delete bin in a government-shutdown-focused Washington, D.C.
His stern warning was accompanied by a slew of online information released under the banner “Know the risk, Raise your shield,” one of those dorky government slogans in the “See something, say something” vein aimed at making all of us just a little more paranoid.
This may sound rich coming from the intelligence community after the uncomfortable revelations of post-9/11 spying on Americans courtesy of fugitive NSA contractor Edward Snowden, who now makes his home in Russia.
And the opening advice the campaign offers is likely to elicit a yawn: Strengthen your password, lock down your social media accounts, and delete suspicious emails.
It gets more interesting in the video section, with the added benefit of some amusingly wooden acting. One skit called “Human Targeting” shows how a foreign spy studies up on his quarry at a trade conference, then presents himself as an economic analyst who pretends to be an alum from the same university–information the spy picked up from social media. The spook tries to get the target to give him unclassified but sensitive company information. The gormless American finally gets suspicious and reaches out to his in-house company security who tell him, yup, you’re likely being played by a foreign intelligence operative.
Other advice the counterintelligence directorate offers: Be suspicious if a “headhunter” reaches out to you on LinkedIn. That all-expense-paid trip to Hong Kong for a dream job is more likely a come-on from Chinese intelligence, and once you realize it, the trap is already sprung because a foreign government paid for your trip.
And don’t trust that apparently like-minded kindred spirit who strikes up an acquaintance on Twitter from an unverified account, especially if you work in academia or industry. It may well be a state-funded hacker trying to access your computer, or influence your vote.
And above all, don’t click on that link, even from a friend. Or at the very least, hold your cursor over the link before clicking to check if it’s taking you to what looks like a valid link, and click with caution.
Frankly, I initially dismissed the educational pamphlets and videos as the cyber equivalent of the 1950s “duck and cover” public service announcements, which offered little in the way of actually helping to survive a nuclear conflagration, but served to spread fear of the Soviet Union at the height of the Cold War.
Then I talked to a U.S. counterintelligence official who said, yup, you’re right. It’s basic. But that’s the public’s fault. America’s counterintelligence officials are in perpetual face-palm mode over how stupid and trusting we all are.
Most major cyberattacks of late originate from those simple mistakes, like a back door hackers opened with a simple spear-phishing attack–after getting an employee to click on a malware-infested link.
And the conversations U.S. counterintelligence officials have been having with American businessmen at conferences and trade shows frequently go like this: Really, you brought your laptop to China? Great. Know that you just gave them your company’s entire intellectual property, or at least whatever was on your laptop, which probably included passwords and protocols to get into your company’s network.
You brought your phone too? Now they have your entire address book and know who else to target. You’re not important enough? Don’t kid yourself. And think of everyone else who might be in your address book.
“You can have no expectation of privacy if you bring your phone or laptop overseas,” the counterintelligence official said, in full cluck mode. “Your communications are traveling over a foreign government’s phone network,” and that government is likely monitoring it, just as the U.S. would.
The counterintelligence officials bolster their argument with a summation of recent hacks, intrusions and successful “elicitation” of U.S. government officials to get them to spy for foreigners:
- Last month, the U.S. indicted “cyber actors associated with China’s Ministry of State Security” for targeting intellectual property, confidential business information, and other data in a global computer campaign aimed at more than 45 U.S. technology companies and U.S. government agencies.
- In September 2018, a North Korean-backed hacker was charged for his role in the WannaCry 2.0 ransomware, the Sony Pictures cyberattack, and spear-phishing attacks on U.S. defense contractors.
- In March 2018, the FBI and DHS warned Russian government hackers are surveilling the U.S. energy sector networks, and the U.S. also charged nine Iranians with government-backed hacking that targeted intellectual property and other research at more than 144 U.S. universities.
Yet still, we click on that link. And take our phones, iPads and laptops with us when we travel, instead of a burner phone and a cheap laptop with only what we need on it.
So will anyone listen?
It’s a bit silly to think corporate America is not already fully aware of these points, former Deputy Under Secretary at Homeland Security Todd Rosenblum tells me. “That said, the points may have resonance with small vendors that do not have time or inclination to think about security.”
The U.S. counterintelligence official concedes that large companies, especially in the defense sector, have teams of people devoted to security. They’re already on the alert list for the more sophisticated cyberwarnings put out by the U.S. Computer Emergency Readiness Team.
The former chief of technology for the Defense Intelligence Agency, Bob Gourley, tells me to go easy on the government—they’ve been trying to warn us about foreign hackers since CIA director John Deutch testified about it before Congress in 1996, and officials have been warning us every year since then. The bad news? We’re either not listening, or the adversaries are getting more sophisticated faster.
“Consider the Equifax breach, or the Anthem breach, or the OPM breach,” said Gourley, now at OODA, a cybertechnology and intelligence firm. “What do you want to bet that every one of them had posters in their break room advising employees to be aware of threats?”
Gourley is worried about a different type of Trojan horse: spies with allegiance to hostile nations, including Russia and China, that get hired by U.S. technology firms with access to critical information. “There are not enough FBI agents to track these spies down, leaving corporate America almost defenseless to do anything about this. I've seen no indication that awareness campaigns will make any difference here.”
So, say you watch and read the whole “Know the risk, Raise your shield” educational extravaganza. You realize, you’ve probably been hacked and/or probed or somesuch, and @JohnSmith who tells you he’s a registered Republican from Texas might actually be Vlad from St. Petersburg.
The federal counterintelligence world doesn’t have anything to offer you, other than guidance to engage in conversation with @JohnSmith to make sure he really knows his barbeque, and on the tech side, avoid Russian-owned Kaspersky Labs’ software, because Russian companies by law have to provide the government access. (That’s do as I say, not as I do, since the U.S. government can’t remove the program from some of its own systems.)
We can’t ask Americans to send us their computers, or dial into a government site to check for malware, the U.S. counterintelligence official jokes. That’s not exactly viable in the post-Snowden era.
So if you’re worried, and don’t want to click on any government links above, you can always go to the watchdog site Electronic Frontier Foundation, which offers a number of cybersecurity tools and tips to stay safer on line. Another cyberacademic who chooses to remain nameless uses Google’s Advanced Protection Program, which requires a physical key for sign-on.
I also solicited a few recommendations from cyberexpert Bob Griffin, who sits on the board of the National Cyber-Forensics Training Alliance. He said the group had used McAfee, but recently adopted Sophos, and that at least one U.S. government agency recently issued its forensic agents with Symantec products. To rid your computer of malware? He recommends Bitdefender Total Security, or for free malware removal, “There is nothing better than Malwarebytes,” he emailed.
What does he think of the new information protection campaign?
“The material is very pedestrian, but I suppose it's the lowest common denominator issue, i.e. speak to your audience,” he said, meaning us. “A thousand-mile journey starts with the first step. This is a first step, albeit a very small one.”