“Plenty of colleges have popular cybersecurity courses for young students looking to find a career, but even employees who don’t work in IT need to have knowledge of basic cybersecurity principles these days. There aren’t many such educational resources for people not looking to go into the cyber field, or who are already in the workforce.
That’s where the National Security Agency comes in.
They worked with Penn State University, as part of a broader initiative from the Department of Homeland Security, to develop a free online course to educate people on cybersecurity operations, law and policy.
“The NSA asked us to design a law course about cyber operations that can be taught to non lawyers, and really no requirement of any technical background or expertise,” Ann Toomey McKenna, a professor at Penn State’s Institute for CyberScience and one of the three professors who wrote the course, said on Agency in Focus: Intelligence Community. “They wanted a course that can be designed to be taught as a whole comprehensively, or in modules; smaller units of the course could be taken and taught independently. So in a very unusual way we went about this and we created a course designed to be taught in whole or part, and designed to be taught by anyone who might be interested.”
The course is offered for free through the Clark Center, operated by Towson University in Maryland. And Toomey’s isn’t the only course offered there; there’s a whole range of cybersecurity offerings as part of this program.
The course starts with a quick, introductory overview of how the U.S. government and legal system operate, so that everyone understands the legal framework around cyber operations and cybersecurity.
“I think folks need to be aware when they’re engaged in something that involves U.S. law, when are they engaged in something that could be considered a problem under the Computer Fraud and Abuse Act? When are we engaged in operations that implicate national security?” Toomey said.
The course does the same for technology concepts, such as the fundamentals of communications and cellular technologies. And then it goes into the legal foundations for modern cyber law and policy. That focuses on the Constitution and Bill of Rights, and how they’re applied to these concepts. For example, how does the Fourth Amendment and the right to privacy inform the Electronic Communications Privacy Act, or electronic surveillance?
“And then really the final module is where we get into cyber operations, and that’s sort of the meat of this from the standpoint of what we consider today an offensive operation and defensive operations,” Toomey said. “And we did it through sort of a cyber threat response framework, where we looked at operations by and against private actors, and how our domestic law comes into play and that intersection with international law and international norms in cyber operations. And then we really went through the international right to conduct cyber operations. And one thing we did to keep students engaged is use real-world case examples. So we talked about Estonia, we talked about different situations that folks can look at and read about in real news articles and think ‘okay, here’s how this played out. Here’s how the law works.’ And here’s how we intersect that technology, domestic law and national security.”
Employees will need new skills. OK. Got that. What new skills will they need? Are we talking about the skills of the tech folks in the agency? Yes. Are we talking about the people who will use the tech? Yes.
Are we talking about the agency’s customers? Yes. So we are talking about the potential retraining of the bulk of the federal workforce over a period of years.
“It is hard to avoid seeing articles and studies that talk about artificial intelligence (AI) and how it will provide many benefits and open the door to countless risks. A recent two-part Partnership for Public Service report — “More Than Meets AI” — talked about steps agencies should take to communicate with their employees, ensure they have the right skills, minimize risk and build confidence in systems.
All of those are good things to think about. It is true that the potential for AI is so far-reaching that it will certainly change how employees work, present risks we are only beginning to understand and change how the American people interact with the government. The problem with a lot of what I am reading is that it does not take the promise of AI and present concrete examples of how something we all are used to seeing and experiencing will change.
We have retrained people before. When we started moving from paper to mainframe-based systems, we trained employees how to use the dumb terminals that started appearing in their offices. When the first personal computers started appearing in offices, we taught people how to use them, found ways to use the capabilities of the technology and then gradually transformed the way everyone works.
The transformation in those days was slow and mostly predictable. It was a move from paper and pencil to digital, but much of the work replicated what was already being done. While the change was predictable, it was also far-reaching. As I wrote in October last year, during the 1950s, the federal government employed more than a million clerks. Those jobs were mostly automated out of existence. By 2014, the number was down to 123,000. Now the number is down to 106,000.
The fact that we could replace 900,000 jobs and not have tremendous disruption is partly because it was a gradual transformation, partly because it affected the lowest graded jobs where turnover was traditionally high, and partly because it changed the nature of how the most repetitive tasks were done. But it did not change the fundamental work being done, as much as we might think.
The federal government was part of a much larger move to an economy based on knowledge work. Knowledge workers derive their economic value from the knowledge they bring to the table. Clerical work, much like trade and craft work, brought value mostly because of the labor the employees carry out, not their technical and programmatic skills. As those jobs disappeared, they were replaced with people whose knowledge was their contribution.
That transformation is the reason I have said for a long time that the federal government is actually much larger as a percentage of the population than it was in the 1950s. In 2014, I wrote a post that showed how that happened. At the time, we had 183 U.S. residents for every nonclerical federal employee. In the 1950s, the number was one for every 503 residents.
When we experience the next wave of AI-enabled changes, can we expect the same thing to happen? Is it likely that we will continue to see federal spending increase at the rate it has in the past 60 years? Will large numbers of federal jobs be replaced with technology, only to reappear in another form? I think the answers to those questions are going to drive federal agency priorities for years to come.
Will federal spending increase? If the recent spending agreement is any measure, absolutely. The last big attempt by Congress to put itself on a fiscal diet was sequestration. Remember that? They put automatic cuts in place so they could force themselves to stop spending. Then they spent trillions. Spending kept going up because politicians will spend money to get votes.
A free-spending Congress means we are likely to see the dollars continue to flow. The fact that 85% of federal jobs are not in the National Capital Region means they are not going to want to see real reductions in the number of federal jobs. So it is safe to predict that the number of federal workers is going to continue to hover around two million. Add the flowing money, desire to protect jobs in congressional districts and the emerging wave of AI, and the result will be a radically transformed federal workplace. The difference this time is that the pace of advances in technology is increasing and the capabilities we will see from AI will replace knowledge workers to a degree we have not seen before.
This post is the first of a series that will look at the impact of AI. Rather than addressing it in broad terms, future posts will take a look at one type of federal job and examine how the work is performed today and what we can expect as technology develops. I will also make some recommendations on how that transition can come about and what will happen to the employees.
I have more than 40 years of experience in human resources, so that is the occupation I will examine. The changes we can expect in HR and how the government can make those changes will translate to other types of work as well. The next post in this series will be in two weeks.”
ABOUT THE AUTHOR:
Jeff Neal is a senior vice president for ICF and founder of the blog, ChiefHRO.com. Before coming to ICF, Neal was the chief human capital officer at the Homeland Security Department and the chief human resources officer at the Defense Logistics Agency.
“Corporate security programs must take a global approach to identify, segregate and protect critical data in every corner of the world where it can be found.
When a reporter asked why he robbed banks, the notorious robber Willie Sutton apocryphally retorted “because that’s where the money is.” Sutton later denied having made this remark. But regardless of who (or if) anyone said it, the quote nevertheless highlights a fundamental truth of crime: criminals will select a target that has the item(s) they wish to steal.
This same principle also holds true for corporate espionage. Your company’s secrets are a target wherever they reside, including (and perhaps especially) in locations assumed to be less at-risk. Because of this, it’s important to understand that espionage is a truly global and multifaceted threat, requiring security programs equally robust in nature and scope to protect sensitive information from malicious actors.The Big Picture
Corporate espionage remains a persistent and widespread threat to critical proprietary information — and the financial future — of many global businesses. This threat not only emanates from state actors, such as China and Russia, but from corporate competitors as well. See SecuritySee Cybersecurity
The Trap of Tunnel Vision
Many, if not most, security departments assess the corporate espionage threat based either on the country where a facility that holds critical information is located or on where an employee that has a device that holds such information is traveling to. Because of this, U.S. or European companies often treat the espionage threat to a facility in a “safer” country, such as Japan, differently than they do a similar facility in a country deemed “higher risk,” such as China. Likewise, employees traveling to Russia are often given much more robust guidelines and restrictions than those traveling to the United Kingdom.
This segmentation of espionage threats is not unique to private business. During my time at the U.S. State Department, I noticed that foreign service officers assigned to “critical” intelligence threat posts, such as Moscow or Beijing, were given much different counterintelligence briefings than those assigned to “low” intelligence threat posts, such as Ottawa or Santiago.
Of course, this skewed focus is not lost on hostile intelligence agencies. During the Cold War, a good number of CIA case officers and KGB rezidents enjoyed great success in recruiting agents in third countries where the intelligence threat was deemed lower and where the oversight of employees was, in turn, more relaxed. Such targeting continues today, because in the end, it doesn’t matter where the cryptographic key to break classified communications was obtained. What matters is if it still gets the job done.
Assessing the Global Threat
This brings us back to assessing the corporate espionage threat. At Stratfor, we use a three-pronged test that examines the interest, intent and capability of a particular state or non-state actor. If we determine that a company’s proprietary information is of interest to a hostile actor, we then examine that actor’s specific capabilities and intent to steal that information to gauge the threat posed to the company’s information.
Some actors are limited in their capabilities, in terms of both their geographic reach and the tactics and techniques that they can employ. But since countries with advanced capabilities have been known to sell intelligence, or trade intelligence and tools for other goods and services, high levels of interest and intent can translate into a heightened threat even when the capability of the primary actor is lacking. Criminals or mercenaries can also serve to increase an actor’s capability.
There are a number of cases that highlight the increasingly international nature of the corporate espionage threat, as well as the variety of tools that can be used. Perhaps the most “global” technique is hacking, which enables an actor to attack a company on the other side of the world through an injection of SQL code, a phishing email or some other cyber tool. For the perpetrator, hacking attacks are relatively risk-free and also allow for some degree of plausible deniability, which can be enhanced by the use of cyber mercenaries or other intermediaries to further insulate the actor.
However, in many cases, actors cannot easily obtain what they’re looking for through hacking alone. It could be because the victim’s cyber defenses are robust, or that the information is not in electronic form. This forces actors to then resort to using other tools to obtain their desired data, such as recruiting a human source who works at the targeted company, or placing an agent into the company to serve as a mole — both of which can pose a global threat, too.
The U.S.-based American Superconductor Corporation (AMSC) learned this risk the hard way when a Serbian engineer who worked at a wholly owned subsidiary in Austria provided its source code to Sinovel, AMSC’s largest customer at the time. AMSC knew their source code was highly desired and took great measures to protect it, including using robust encryption in all its motherboards. But a sophisticated global actor was nonetheless able to spot and seize a vulnerability in the company’s security program — recruiting a disgruntled employee in a European country assumed to be “safe,” while AMSC focused its time and attention on threats elsewhere.
In a similar case, an engineer working for GE Aviation in Ohio was recruited remotely by a Chinese Ministry of State Security (MSS) Officer based on his LinkedIn profile, which indicated he had access to sought-after information. Corporate security protocols would not permit the employee to take his company-issued laptop computer on a trip to China, so the MSS officer arranged to meet him in Brussels — a location where the engineer could travel with his laptop, and where the officer could then copy the contents of his hard drive.
“Black bag jobs,” or breaking into a targeted company to obtain desired information, is another intelligence approach we’ve seen hostile actors use when other means fail. This was the case in a 2017 incident involving the U.S.-based medical equipment manufacturer Medrobotics, when the CEO discovered that a Chinese operative had snuck into a conference room at the company’s headquarters in Massachusetts. The mole attempted to infiltrate Medrobotics’ computer network via the company’s wireless LAN, after entering the United States by crossing the Canadian border.
A group of officers from Russia’s Main Intelligence Directorate (known by its Russian acronym GRU) were also conducting this type of black bag job when they attempted to hack into the wireless data network of the Organization for the Prohibition of Chemical Weapons in The Hague in 2018. Information obtained from the laptop later recovered from their vehicle revealed members of the GRU team had used the same equipment in a similar attack against the World Anti-Doping Agency in Geneva, among other targets.
How to Protect Your Company
These are just a handful of many cases that illustrate how sophisticated actors can use a variety of tactics in a variety of locations to conduct corporate espionage — making the threat to corporate security truly global. To protect against such pervasive security risks, there are several key steps companies can take:
1. Prioritize critical information.
The first step is identifying what information is truly critical to your business and must be closely protected — what I refer to as your “special sauce.” It is very difficult (and not to mention daunting) to attempt to carefully guard every piece of company data. But when only the most crucial information is prioritized — whether it be a manufacturing technique or product design — protecting it becomes a much easier task.
2. Consistently vet employees.
The next step is to thoroughly vet any employees who do or could have access to that truly critical information. While vetting can be difficult at best (and can even be contentious in some corporate cultures), it still must be done to the best of the company’s ability to help protect against moles and employees who could be vulnerable to recruitment. Many companies, including some of those in the aforementioned cases, have been burned by insiders who could have been identified far earlier had they been properly vetted. Vetting should also be done periodically, not just upon hire, because people and their circumstances change — making them more susceptible to recruitment by hostile actors.
3. Limit access to key data.
Once those employees with a legitimate need to access critical data have been identified and vetted, it is also important to carefully limit how and where they can access that data. A pair of recent espionage cases involving Apple’s autonomous vehicle program illustrate how corporate spies will adapt to security measures.
In 2018, an engineer downloaded 20 gigabytes of technical specifications and other proprietary data from a restricted Apple database onto a thumb drive and attempted to take it to a Chinese competitor — prompting Apple to limit access to external ports on corporate computer systems. Then several months later, another employee linked to the same competitor was caught taking photos of sensitive documents on his computer screen with his phone to evade the new restriction. Thus, as espionage strategies evolve, so must security policy — and security measures should also attempt to anticipate such changes.
4. Stay aware of the global threat.
Finally, it is crucial to recognize and remember that the corporate espionage threat is truly global when sophisticated actors are involved. This means that measures to protect your company’s critical proprietary information must be taken wherever that information resides. It also means that corporate security training programs can’t just focus on employees who work in or travel to places deemed “high threat.” In other words, data stored on a corporate laptop in Canada should be treated as equally as vulnerable as that stored on a computer in China. It’s also important to not develop tunnel vision that focuses only on one or two threat actors. While China and Russia are perhaps the most active industrial espionage actors, the risk is by no means restricted to them.
Of course, such a global approach is difficult to accomplish unless there is C-suite level buy-in. Therefore, security directors must educate company leadership about the threat corporate espionage poses to their business. That way, they can implement a global program to ensure there is no low-hanging fruit a hostile actor can easily pluck.”
“Sens. Ron Johnson, R-Wis., and Gary Peters, D-Mich. — the chairman and ranking member of the Senate Homeland Security and Governmental Affairs Committee — are the lead sponsors.
“America’s adversaries use any means necessary to gain access to valuable and sensitive government information, including possibly inserting compromising code into products or enlisting untrustworthy IT support personnel to exploit government systems,” Peters said in an announcement about the bill. “Allowing an adversary to gain a foothold in America’s technological supply chain is a risk that simply cannot be tolerated.”
The bill comes as the U.S. cybersecurity community and government are paying increased attention to where federal technology originates. Most prominent is the Department of Homeland Security’s 2017 binding operational directive ordering agencies to remove Russian cybersecurity company Kaspersky Lab’s products from their systems. DHS cited Kaspersky’s close ties to Russian intelligence, as well as Russian laws that could potentially force the company to hand over information on U.S. systems. The defense authorization bill that President Trump signed into law in August 2018 also blocks government purchases from Chinese tech companies Huawei and ZTE on similar grounds.
Kaspersky and Huawei both have rejected the U.S. accusations.
The Senate bill would require the Office of Management and Budget, Office of the Director of National Intelligence, the Department of Homeland Security and General Services Administration to collaborate on creating the program.
Last month, Federal Chief Information Security Officer Grant Schneider said the new council is developing criteria for making recommendations on equipment, products and services that shouldn’t be allowed to do business with government.
A Senate bill introduced earlier this year would create a White House Office of Critical Technologies and Security to protect against the theft of U.S.-developed technologies and risks to critical supply chains. Senators also have expressed concerns about the use of foreign VPN apps.”
“Funding for live, virtual, constructive training programs will remain on an upward trajectory as the U.S. military looks for less expensive ways to prepare troops for battle, one analyst said.
Such training relies heavily on simulators and other “synthetic” technologies to complement or supplement the work that troops do on physical training ranges.”
“The Pentagon spent close to $400 million in 2015 on LVC programs. That amount is expected to increase to about $550 million by 2021 — nearly a 40 percent bump, said Michael Blades, North
America director of research for Frost & Sullivan’s aerospace, defense and security division.
“The biggest thing that’s driving it is dollars,” he said. “They’re trying to figure out how we can provide more readiness with the money that we have. … There has been a big transformation from live to virtual.”
It costs much less to use electricity to power virtual reality devices than it does to buy fuel or other items for live training, he noted.
“There’s a huge trend that’s going to keep continuing,” he said. In the coming years, military officials will maximize the use of simulators and “minimize that purely live component because that’s the most costly component,” he added.
Advances in simulation capabilities are expected to accelerate this trend.
“Because of the realness and the immersion that you get with these new technologies … [they are] increasingly more capable of training folks without having to use the actual” aircraft, tank or vehicle, he said.
The Defense Department has no intention of completely eliminating live training, officials have noted.
“You need to validate the weapon system. Soldiers need to be confident in it,” Lt. Gen. Michael Lundy, commanding general of the Army Combined Arms Center, told reporters at the Association of the United States Army’s annual convention in Washington, D.C.
However, the U.S. military wants to be good stewards of taxpayer dollars, he said, noting that live rounds are expensive. Conducting more training in a virtual environment makes sense because it reduces the amount of money spent on ammunition and other live training requirements, he said.
Blades also expects augmented reality to be a growth area because it enables troops to see through digitally-created objects.
The technology has been widely displayed at the annual Interservice/Industry Training, Simulation and Education conferences hosted by the National Training and Simulation Association — an affiliate of the National Defense Industrial Association — he noted.
“This last one I went to had a lot more Microsoft HoloLens and those kinds of see-through things,” he said. “There’s a lot more … momentum in that direction on the training side.”
“As the US Army assembles a 6,000-person-strong cyber mission force in the next two years, officials are trying to determine the best way to attract, organize and maintain the cyber talent required to secure Defense Department networks.The creation of a new Army branch dedicated to cyber — the first new branch established in the service since Special Operations in 1987 — means that leaders are learning how to recruit, train, retain and equip cyber forces.
The Army has made significant strides in areas such as assessing aptitude and establishing training and doctrine, but the buildup is not without its challenges, Lt. Gen. Edward Cardon, commander of Army Cyber Command, told reporters at the AUSA conference.
“Once you get these highly trained professionals, how do you lead them; how do you develop their talent?” Cardon said. “It has a lot to do with retention, and one of the challenges we have is we’re constantly being pulled at by industry. So we have to have a way to manage [the workforce] the best we can for the defense of the country.”
A major part of that is forging better partnerships with the private sector, government’s primary competitor for cyber talent, Cardon said. To do that, the Army is looking at new ways of recruiting and hiring, which could mean changes to current policies.
“As I’ve traveled around to the different tech companies, a lot of them would like to work with us, but they don’t want a permanent job with us. So right now the personnel polices don’t really allow us to do that, they don’t allow us to bring somebody in for a year,” he said.
“I’ve talked to Amazon, Microsoft [and] Google about how they manage their workforce … you have to find people who can operate in this environment, which means as technology comes along, they study it all the time. They’re self-learning. You have to invest significant time to stay current in this profession.”
To find those people, it may mean looking beyond the traditional academic and military programs, and making changes to how the Army handles hiring and personnel, Cardon said. For example, Army officials are looking at ways to loosen restrictions on how soldiers and civilian employees can move between specialties and assignments, similar to what’s done in other disciplines.
But leaders are looking internally as well. Roughly 2,000 of the projected 6,000 cyber-focused personnel have been hired so far, and the Army also is hammering out its use of the National Guard and Reserves for cyber requirements, Cardon said.
“For the National Guard, the immediate need is the cyber mission force itself, and we’ve developed National Guard teams — 11 in the National Guard, 10 in the Army Reserve — and they’ll be trained to the same standard for the cyber mission force,” Cardon said”