Long-Term Foreign Visitors

Long-term foreign visits to U.S. defense contractors, national laboratories or other companies or research institutes in the private sector can pose a serious threat to the security of classified, export-controlled, and proprietary information. Cleared contractors that have foreign national employees or that host long-term foreign visitors must have an approved Technology Control Plan (TCP) or other comparable procedures to mitigate the vulnerabilities associated with the foreign presence.1

Long-term visitors have several advantages over one-day visitors that can be particularly helpful in efforts to obtain sensitive U.S. technologies, trade secrets, or proprietary information. For one thing, those who stay on site for extended periods of time become familiar with security procedures meant to limit their access to protected technologies, and the insights thus gained may enable them to circumvent those security practices. This is particularly true of cyber security practices. A long-term presence may allow visitors time to acquire passwords and to learn where on hard drives sensitive information is stored. Then too, whereas short-term visitors are viewed as strangers, long-term visitors become part of the landscape. Their activities naturally receive less notice, which enables them to wander into off-limits areas without attracting undue attention.2

Given access to U.S. scientific, technical, or other proprietary information, foreign experts can gain for their home country information that will erode the U.S. lead in militarily critical technologies. Often the difference between the technology used in unclassified research and a classified weapons program is only the "application" of the technology.  

During joint research and development activities, foreign governments routinely request the presence of an on-site liaison officer to monitor progress and provide guidance. Several allied nations have used these positions as cover for intelligence officers who are tasked to collect as much information about a facility as possible. These officers use their access to the facility's computer network or relationship with their U.S. counterparts to gain unapproved access to classified or other restricted data that is then sent back to their home country.

Foreign scientists and engineers sometimes offer their services to research facilities, academic institutions, or defense contractors. This can be an effort to place a foreign national inside the facility to collect information on the technology available there. Some prominent foreign scientists who obtained employment with U.S. companies have immediately sent acquired information via fax transmissions back to their former associates in their home country, using their native language so the U.S. company could not monitor what was being sent.

As part of a joint venture, one cleared contractor had a number of foreign representatives working on unclassified projects. "One of them was caught hacking into the unclassified, but proprietary local area network system. This person accessed company proprietary source code information. He was expelled from the facility, but the computer intrusions continued a few days later. The suspected perpetrators were the remaining representatives from the same country. Since the start of the joint venture, the foreign representatives had stated their desire for the source codes."3

In some instances, foreign graduate students in the United States have been asked by their government or a national corporation to serve as assistants at no cost to professors doing research in a targeted field. The student then has access to the professor's research and learns the applications of the technology.

Some foreign governments routinely task their graduate students in the United States to acquire information on a variety of economic and technical subjects. In some instances, the students are contacted and recruited before they come to the United States to study. Others are approached after arriving and are recruited or pressured based upon a sense of loyalty or fear of their home country's government or intelligence service. The security officer of a cleared U.S. defense contractor reported the company's desire to employ the son of a prominent foreign scientist from a European country. A name check of the scientist revealed he had previously cooperated with his country's foreign intelligence service.

One allied foreign government has an organized program to send interns abroad as an alternative to compulsory military service. In return for exemption from military service, the intern has the specific task of collecting foreign business and technological information. A student from this country recently offered to work "free" for a U.S. company that has a U.S. Government contract for classified work.

The following indicators should trigger security concern:

• Foreign applicant has a scientific background in a specialty for which his or her country is known or suspected to have a collection requirement.
   

• The technology the individual wants to conduct research on may have classified applications (dual-use technology), be on the militarily critical technology list, or be export-controlled technology.
   

• Foreign intern (student working on masters or doctorate) offers to work under a knowledgeable individual for free, usually for a period of 2-3 years. If any foreign national applicant offers services for free, the foreign government or a corporation associated with the government is probably paying the expenses and expecting to gain accordingly.

Without sustained security and counterintelligence awareness training programs, assimilation of foreign personnel into the work environment usually results in a relaxation of security awareness among U.S. employees. Security compromise is a frequent result. In one case, the theft of proprietary source code was so damaging that the company went out of business. This is described in Espionage Killed the Company in the Spy Stories module.

Technology Control Plan

Cleared contractors with foreign national employees or long-term foreign visitors are required to have an approved Technology Control Plan (TCP) or comparable procedures. The TCP identifies the specific information that has been authorized for release to the foreign visitors or employees as well as what classified, export-controlled, or proprietary information needs to be protected from the visitors or employees. Note that any discussion of export-controlled information with a foreign national in the United States is an "export" of that information and is subject to all the export control procedures.

Elements commonly included in a Technology Control Plan include the following:

• All information requiring protection must be appropriately marked or otherwise identifiable to all personnel, and the penalties for noncompliance or negligence should be well known. (Under the Economic Espionage Act of 1996, information is not considered a trade secret unless the owner of the information has taken reasonable measures to protect it.)
   
• Prior to arrival of a foreign national, facility employees should be briefed on the access limitations, potential foreign collection techniques that could be used, recognizing indicators of economic espionage, and to whom to report any attempts to collect information, inappropriate behavior, or suspicious activity.
   
• Facility employees should be advised that export-controlled technology must not be discussed with any foreign visitor even if it is assumed that the visitor's country might be approved to receive such technology.  Such discussion is subject to prior approval of an export license, as it is assumed that the foreign national will take the information back home. The technical term for such a discussion is that it is a "deemed export," and it is a violation of export control regulations. More detailed information on this is available at the Department of Commerce web site www.bis.doc.gov/DeemedExports/DeemedExportsFAQs.html.
   
• Facility employees who have frequent contact with foreign national personnel should be interviewed periodically to check for indicators that foreign nationals are attempting to obtain unauthorized information.
   
• Foreign nationals and long-term foreign visitors should be briefed on their obligations and responsibilities, including limitations on access and any limitations on their use of computers, copiers, or fax machines. They should be asked to sign an agreement that they will comply with security requirements. The agreement should state what the consequences are for not complying with the security requirements. If the foreign national is later caught doing something wrong, the written agreement eliminates the "I didn't know" excuse. 
   
• In anticipation of gaining access to an organizations computer network, some foreign employees have been trained in hacking techniques. Good risk management means reducing vulnerabilities to the technologies or information you are trying to protect. It may mean providing long-term visitors with a "stand alone" computer instead of access to your entire network. At a minimum, the National Industrial Security Program (NISP) requires that computer audit logs must be maintained and checked at least weekly to detect any effort by the foreign employee to exceed his or her approved computer access. Audit results must be recorded in the System Security Plan.
   
• Foreign visitors should not be given access to company fax machines unless you have some means to read and review the documents being sent, including those written in a foreign language. Fax machines make it possible for someone who is stealing information to compromise documents without having to take the riskier step of physically removing them from the building.

Related Topic: Short-Term Foreign Visitors.

Reference
1. Source for most information in this topic is "Long-Term Foreign Visitors Threaten Security," Counterintelligence News and Developments, March 1997, National Counterintelligence Center.
2. National Counterintelligence Executive. Annual Report to Congress on Foreign Intelligence Collection and Industrial Espionage - 2004. Accessed via Internet at www.nacic.gov/publications/index.html, June 20, 2005.
3. James Norvell, "Assessing Foreign Collection Trends," Security Awareness Bulletin, No. 1-98 (Richmond, VA: Department of Defense Security Institute, 1998).

HOME   |   METHODS OF OPERATION CONTENTS   |   TOP OF PAGE   |   HELP

INFORMATION | CONDUCT | THREATS | TECH VULNERABILITY | ASSISTANCE
SPY STORIES | TREASON 101