A Review of the NCIX Report on Foreign Economic Collection and Industrial Espionage

Although this is the 14th report on Foreign Economic Collection and Industrial Espionage, it's the first to be written by the Office of the National Counterintelligence Executive (ONCIX); a post created in 2009 under the Office of the Director of National Intelligence. It's also the first to include cyber espionage in its coverage which was a bit surprising to me considering how long cyber espionage has been around. Other firsts in this report are that the ONCIX expanded its traditional sources within the government to include the private sector as well as academic research in an effort to gain the broadest possible coverage of the problem. The report also mentioned but didn't specify "new sources of government information".

I liked this report very much. It's the first official report that I've seen which mentions Russia with China as a source of cyber espionage. I can't tell you how exhausting it's been to try to refute so-called experts who proclaim loudly and often the twin fallacies that only China engages in cyber espionage while only Russia engages in cyber crime. When confronted, some of these experts will fall back on the "if you only had a clearance" retort. Well, ONCIX is cleared, and they came up with essentially the same assessment that I usually give:
We judge that the governments of China and Russia will remain aggressive and capable collectors of sensitive US economic information and technologies, particularly in cyberspace.
The report gets a lot of things right. While it mentions specific states like Russia and China, it also gives tangible examples of espionage that have nothing to do with cyberspace. This is important because it sets a precedent for Russia and China's past activities. Cyberspace has simply made it easier and more efficient for the collectors. For example:
Dongfan Chung was an engineer with Rockwell and Boeing who worked on the B-1 bomber, space shuttle, and other projects and was sentenced in early 2010 to 15 years in prison for economic espionage on behalf of the Chinese aviation industry. At the time of his arrest, 250,000 pages of sensitive documents were found in his house. This is suggestive of the volume of information Chung could have passed to his handlers between 1979 and 2006.a The logistics of handling the physical volume of these documents—which would fill nearly four 4-drawer filing cabinets— would have required considerable attention from Chung and his handlers. With current technology, all the data in the documents hidden in Chung’s house would fit onto one inexpensive CD.
Further, the report demonstrates motivation by identifying key technologies of interest to developing and developed nations:
  • Information and communications technology (ICT), which forms the backbone of nearly every other technology.
  • Business information that pertains to supplies of scarce natural resources or that provides foreign actors an edge in negotiations with US businesses or the US Government.
  • Military technologies, particularly marine systems, unmanned aerial vehicles (UAVs), and other aerospace/ aeronautic technologies.
  • Civilian and dual-use technologies in sectors likely to experience fast growth, such as clean energy and health care/pharmaceuticals.
Taia Global clients get a more specific assessment of various nation states' "shopping lists" which help us identify who our clients may have been attacked by, but I'm really happy to see this assessment included in the NCIX report.

While it has many positive points, this report falls short in a few areas. They could have included more information about how Russia is engaging in cyber espionage. Also, under Resources for Help in Appendix A, the report says to contact the NCIX or FBI for assistance in developing effective data protection strategies. I don't have any experience in working with the NCIX but I can tell you that the FBI is completely overwhelmed by cyber cases. We regularly hear from companies who have been contacted by the FBI about a breach in their network but who receive very little to no help at all after the initial contact. They just don't have the resources. Short of the FBI, there's no one else in government that the authors of this report could reasonably list as a point of contact for assistance. 

One might think that they could have listed US-CERT and DHS but neither organization has proven itself as particularly effective or competent in protecting civilian infrastructure. They couldn't list private information security companies for obvious reasons so this underscores a gap that may need filling by a non-profit public-private entity yet to be created.