Article by Flashpoint Insider Threat Program principal advisor Eric Lackey
The term ‘insider threat’ often brings to mind an image of a disgruntled employee who abuses their internal privileges in an unsophisticated manner for personal gain. While insider threat certainly can manifest in this form, it can also take more coordinated, insidious forms when insiders act as agents of economic espionage.
Indeed, economic espionage has become such a pertinent issue for businesses and research institutions that on Jan. 7, the U.S. National Counterintelligence and Security Center (NCSC) launched an awareness campaign that aims to arm private-sector companies with information to help them better understand and defend against this threat.
While various countries have been known to conduct espionage, the U.S. NCSC notes that Chinese economic espionage operations are among the most active of any nation state. In 2017, the U.S.-China IP Commission estimated that Chinese intellectual property theft costs the U.S. economy between $225 billion and $600 billion annually. Much of this espionage is carried out through sophisticated cyber intrusions, but China has also been known to target corporate insiders in an effort to obtain intellectual property and trade secrets.
To better understand this development through the lens of insider threat, Flashpoint examined the targeting, objectives, recruitment efforts, tactics, and tradecraft of these recent espionage attempts:
Targeting and objectives
Recently reported cases involving China and China-based companies have made it increasingly apparent that Beijing’s objective is to acquire intellectual property to drive technological innovation, strengthen its dominance over global manufacturing, and modernise its military.
Although many aspects of the U.S. economy are of potential interest to state-sponsored actors, the U.S. government has identified a number of industries that may be more susceptible to economic espionage, including energy, biotechnology, defense technology, high-end manufacturing, and information and communications technology.
In many reported instances, Chinese operatives have leveraged social media to contact insiders at targeted organisations. One common tactic is for operatives to pose as researchers or academics and invite targeted individuals to speak at universities or institutes overseas in an effort to lower their guard and manipulate them into unwittingly divulging trade secrets.
In other cases, operatives been known to target Chinese nationals working at foreign companies by promising them high-salary positions in China if they exfiltrate intellectual property before leaving their current organisation.
Tactics and tradecraft
One of the main tactics observed in 2018 is the use of insiders to exfiltrate targeted information using email or external storage devices with the intent of bringing the acquired intellectual property back to China.
For example, in Dec. 2018, a Chinese national and U.S. resident was charged with stealing intellectual property from the U.S. petroleum company where he had worked until being offered a new job at a company in China. While working for the petroleum company, the individual downloaded hundreds of files containing proprietary manufacturing information and other trade secrets estimated to be worth over $1 billion USD.
Investigators believe that this individual intended to use the files to the benefit of his new employer in China. His ability to access and download such intellectual property—which was not relevant to his role at the company—shows why user-access management (UAM) is an essential measure for proactively combating insider threat.
In addition to leveraging company employees, Chinese economic espionage operations have also been known to steal information from company contractors and partners based in other countries. These types of incidents demonstrate why the scope of an insider threat program (ITP) should not be limited to company employees but also include any third parties with which a company is affiliated.
More sophisticated techniques such as steganography—the practice of concealing information within images and other types of files — have also been used by insiders as a means of disguising stolen assets. As organisations become more cognizant of the risk of insiders acting as agents of economic espionage, Flashpoint believes that steganography and other advanced methods of evading detection will become increasingly common.
Implications for defenders
Although numerous arrests have been made over the past year, China appears to have been relatively successful at leveraging insiders as part of its widespread economic espionage campaign directed against a variety of private- and public-sector industries. The rise of insider threat as a vector for economic espionage underscores the importance of proactively combating insider threat as part of an organisation’s broader risk-management strategy. The most effective defence is a combination of insider-threat response policies, rapid identification and reporting of suspicious activities, and enterprise-wide investigative support. These defence requirements can only be met by a full-fledged ITP with access to up-to-date knowledge of the latest insider-threat tactics and relevant internal and external data.