Long-Term Foreign Visitors
Long-term foreign visits to U.S. defense contractors, national laboratories or other companies or research institutes in the private sector can pose a serious threat to the security of classified, export-controlled, and proprietary information. Cleared contractors that have foreign national employees or that host long-term foreign visitors must have an approved Technology Control Plan (TCP) or other comparable procedures to mitigate the vulnerabilities associated with the foreign presence.1
Long-term visitors have several advantages over one-day visitors that can be particularly helpful in efforts to obtain sensitive U.S. technologies, trade secrets, or proprietary information. For one thing, those who stay on site for extended periods of time become familiar with security procedures meant to limit their access to protected technologies, and the insights thus gained may enable them to circumvent those security practices. This is particularly true of cyber security practices. A long-term presence may allow visitors time to acquire passwords and to learn where on hard drives sensitive information is stored. Then too, whereas short-term visitors are viewed as strangers, long-term visitors become part of the landscape. Their activities naturally receive less notice, which enables them to wander into off-limits areas without attracting undue attention.2
Given access to U.S. scientific, technical, or other proprietary information, foreign experts can obtain information for their home country that will erode the U.S. lead in militarily critical technologies. Often the difference between the technology used in unclassified research and a classified weapons program is only the "application" of the technology.
Foreign scientists and engineers sometimes offer their services to research facilities, academic institutions, or defense contractors. This can be an effort to place a foreign national inside the facility to collect information on the technology available there. Some prominent foreign scientists who obtained employment with U.S. companies have immediately sent acquired information via fax transmissions back to their former associates in their home country, using their native language so the U.S. company could not monitor what was being sent.
As part of a joint venture, one cleared contractor had a number of foreign representatives working on unclassified projects. "One of them was caught hacking into the unclassified, but proprietary local area network system. This person accessed company proprietary source code information. He was expelled from the facility, but the computer intrusions continued a few days later. The suspected perpetrators were the remaining representatives from the same country. Since the start of the joint venture, the foreign representatives had stated their desire for the source codes."3
In some instances, foreign graduate students in the United States have been asked by their government or a national corporation to serve as assistants at no cost to professors doing research in a targeted field. The student then has access to the professor's research and learns the applications of the technology.
Some foreign governments routinely task their graduate students in the United States to acquire information on a variety of economic and technical subjects. In some instances, the students are contacted and recruited before they come to the United States to study. Others are approached after arriving and are recruited or pressured based upon a sense of loyalty or fear of their home country's government or intelligence service. The security officer of a cleared U.S. defense contractor reported the company's desire to employ the son of a prominent foreign scientist from a European country. A name check of the scientist revealed he had previously cooperated with his country's foreign intelligence service.
One allied foreign government has an organized program to send interns abroad as an alternative to compulsory military service. In return for exemption from military service, the intern has the specific task of collecting foreign business and technological information. A student from this country recently offered to work "free" for a U.S. company that has a U.S. Government contract for classified work.
The following indicators should trigger security concern:
Without sustained security and counterintelligence awareness training programs, assimilation of foreign personnel into the work environment usually results in a relaxation of security awareness among U.S. employees. Security compromise is a frequent result. In one case, the theft of proprietary source code was so damaging that the company went out of business. This is described in "Espionage Killed the Company" in the Spy Stories module.
Technology Control Plan
Cleared contractors with foreign national employees or long-term foreign visitors are required to have an approved Technology Control Plan (TCP) or comparable procedures. The TCP identifies the specific information that has been authorized for release to the foreign visitors or employees as well as what classified, export-controlled, or proprietary information needs to be protected from the visitors or employees. Note that any discussion of export-controlled information with a foreign national in the United States is an "export" of that information and is subject to all the export control procedures.
Elements commonly included in a Technology Control Plan include the following:
Related Topic: Short-Term Foreign Visitors.