Return to: Index of "Travel Security" || Index of "Consular and Travel Information" || Electronic Research Collections Index || ERC Homepage

This Electronic Research Collection archive provides access to older State Department documents as a research collection of scholarly interest. For more current information, see the main State Department web site at http://www.state.gov

Guidelines for Protecting U.S. Business Information Overseas

Released as a brochure by the Bureau of Diplomatic Security, and the Overseas Security Advisory Council, November, 1994

INTRODUCTION

Each day America becomes driven more and more by information. Proprietary information is our chief competitive asset, vital to both our industry and our society. Our livelihood and, indeed, our national strength depend on our ability to protect industrial and economic data.

This pamphlet outlines some steps that may be taken to protect information and to raise the general level of awareness to the threat by Americans living, working, or traveling abroad.

WHAT INFORMATION SHOULD BE PROTECTED?

Any information that provides a U.S. company with a competitive edge over its competitors, creative or innovative, whose loss would negatively impact an investment in time, product, finances, plants, or personnel should be protected.

It could be a trade secret, patent information, or intellectual property; a simple improvement in the way a certain American industry produces a product or does business; a technical modification, new technique, personnel policy, or management concept; or employee human resources information.

COMPANY EMPLOYEES

Current government and industrial security studies and surveys reveal that the majority of competitive information theft cases that occur in the United States and overseas involve a company's employees, contractors, vendors, and suppliers.

An employee's rank in the company is not necessarily commensurate with the interest of a foreign intelligence agency, who besides targeting researchers, key managers, and corporate executives, will target:

The latter frequently have good, if not the best, access to competitive information.

Application of need-to-know procedures will help. Carefully compartmentalizing competitive information on that basis provides two advantages: it slows or stops an information thief, and it may provide an indicator of an employee seeking to obtain competitive information beyond his or her need to know.

When local laws allow, it is prudent to conduct background investigations on prospective employees. A comprehensive background investigation can provide, prior to offering an applicant employment with a company, the best information concerning the person's social, education, military, credit, civil and criminal litigation, and employment histories.

VENDORS, CONTRACTORS, AND SUPPLIERS

Recent U.S. Government and security industry surveys regarding safeguarding of proprietary information revealed that vendors, contractors, and suppliers accounted for almost 15 percent of all disclosures, misappropriation, and thefts of U.S. business competitive information. Generally these groups should be:

VISITOR TOURS

Public tours of buildings containing competitive information should be discouraged. Similarly visitor tours of high-security areas should be prohibited.

All requests for tours by academic, industrial, fraternal, social, or media groups should be passed to security departments for background checks.

WORKPLACE VULNERABILITIES

U.S. businesses or research locations overseas are principal targets of those seeking to compromise competitive information. If possible, locate corporate offices in facilities totally controlled by the corporation.

Location, Location, Location

Site location and construction should be the best that will allow for normal and prudent security measures.

Normal security steps dictate that building perimeters and internal sensitive areas be secure, and that the general public, unescorted visitors, and unauthorized personnel be restricted from research, production, and business areas where competitive information is used. Prudent security steps dictate that existing security controls should always be reviewed for improvement or modification and that an awareness program, as well as policy and guidelines be established to protect competitive information.*

FACILITIES PERIMETER

All windows, external and internal doors, and high-security areas should be provided with intrusion alarm monitoring. Alarm systems should be supplemented by lighting, as discussed below. The alarm signal must be communicated to a location where a speedy and appropriate response can be provided.

The entire perimeter of any office building that serves as a perimeter barrier should be adequately illuminated during hours of darkness. Other perimeters, such as walls, fences, and natural barriers, should be illuminated to both detect and deter persons attempting to gain unauthorized access to the building. Adequate interior night lights should be left on whenever the building is not occupied. Security personnel should control:

High-Security Areas

High-security areas include, but are not limited to: design studios, strategic planning areas, engineering and research facilities, mailrooms, telephone switching rooms, computer facilities, and other similar areas. In general, office safeguards and possible restriction to a high-security level should be provided for:

Storage Facilities

Provide secure facilities for the storage of competitive information such as desks, offices, safes, vaults, filing cabinets, etc.

Clean-Desk Policy

Cleaning and Maintenance

Cleaning and maintenance should be done during times when responsible company supervisors are present to monitor such activity.

Disposal of Competitive Information

Competitive information must be destroyed when no longer needed.

Each work area must have adequate shredding capabilities or controlled disposal functions. Make each functional area responsible for verifying that competitive information is properly disposed.

COMMUNICATIONS

Easily accessed and intercepted telecommunications present a highly vulnerable and lucrative target for anyone interested in obtaining competitive information. Increased usage by businesses of these links for bulk computer data transmission and electronic mail makes telecommunications intercept efforts cost effective for intelligence collectors worldwide.

U.S. companies should:

Threats

U.S. companies should be aware of, and sensitize their employees overseas to, the fact that:

Vulnerabilities

Telecommunications monitoring may be done at a phone company's switching facilities; phone lines may be tapped or bugged; or microwave transmissions may be intercepted anywhere between the two microwave towers.

Telephones do not necessarily cease transmitting once they are hung-up. Conversations taking place near a phone may be transmitted to the foreign state's telephone system switching facility and can be monitored anywhere between the phone and that facility.

Many telecommunications transmissions will contain "key words" used to identify information of interest to a third party. A key word can be the name of a technology, product, project, or anything else that may identify the subject of the transmission.

Encryption should be the first line of defense since it is easier for foreign intelligence services to monitor lines than to place "bugs," however, encryption will provide little, if any, security if a careful examination for audio "bugs" elsewhere in the room is not conducted.

Most international U.S. corporate telecommunications are not encrypted. Some countries do not allow encryption of telecommunications traffic within their borders, but it should be considered, where feasible, for any transmission of competitive information.

About half of all overseas telecommunications are facsimile transmissions which, because they are emanations, may be intercepted by foreign intelligence services since many of the foreign telephone companies are foreign owned.

In addition, many American companies have begun using what is called electronic data interchange, a system of transferring corporate bidding, invoice, and pricing data electronically overseas. This type of information is invaluable to many foreign intelligence services that support their national businesses.

Video Conferences

The threat is essentially the same as that to other types of telecommunications. Adversaries can purchase or replicate specific equipment used by an American company and then either tap into the line or use other means to monitor both audio and video.

Although encryption is available for some video conferencing installations, many countries do not allow any type of encryption and others allow only that type which they can break.

Electronic Transmissions

Most foreign common carriers are government controlled or owned. Trade secrets, data, marketing strategies, and personnel information that are discussed or sent over host country telephone lines are easily obtained by foreign interests.

Electronic Media Path

Electronic data is recovered easiest when a signal is not multiplexed or mixed with other data signals, i.e., data transmitted from a telephone instrument to a telephone switch. Only a minimal investment is required to retrieve data not masked with other voice or data. For this reason, it is better to use standard dial-up versus dedicated lines.

Data and voice that is routed on major transmission paths--such as microwave or satellite transmission--have less likelihood of being monitored by hackers or low-cost monitoring operations, because the cost of sifting through such a volume of information to access one target is often cost prohibitive. However, a well-financed intelligence gathering operation may find satellite or microwave transmissions the best intercept opportunity, since they can be monitored at great distances with little or no threat of detection.

Suggested Telecommunication Countermeasures

Below is a list of suggested actions that may be taken in order to improve the security of your telecommunications transmissions.

COMPUTER TECHNOLOGY

Computers can pose enormous security problems. While they contain great volumes of information, they also concentrate it, and if not protected, they can make the task of the information thief much easier. When the facility is located overseas, the following additional security issues should be considered.

Access

Because one cannot assume that employment practices are the same from country to country, it is not always possible to dictate what employees can do or where they can go.

For example, in some countries you are not permitted to log the fact that a specific person accessed a specific data set at a certain time on a certain date, because such a log could be misused to inappropriately monitor work habits, speed, and productivity.

Similarly, in some countries, there are resident fire marshals in the facility who do not work for the enterprise, but are authorized access to each and every part of the physical facility.

Magnetic Media Control

Managers must be sensitive to mailing or physically carrying magnetic media between countries.

The information on magnetic media may be vulnerable during interaction with the local customs authorities, which could be far more damaging to a business.

In either mailing or carrying, accountability is lost once the material is turned over to local customs personnel to be "cleared." Often, the time involved, as well as the other details of what "cleared" means, are not always spelled out to private industry.

Distributed Printer Control

Physical access to printers used within a computing center is usually well controlled. However, small, powerful, printing facilities, which can be readily hooked-up with printed output routed directly to such devices by any employee, are coming increasingly into use. It is strongly recommended that attention be given to ensuring that:

Cellular PCs

The cellular portable computer is relatively new technology, having unique security considerations that one might easily overlook. The system is essentially a personal computer with an integrated modem, which is a device used to change signals understood by telephone technology into signals understood by computers, and vice versa. There is also a built-in cellular telephone that allows a person with a single action to place a call to a computer system, connect the personal computer to it, and interact with a host computer. Sometimes overlooked with this technology is the fact that cellular telephones:

Virus Contamination and Detection

Although it is a standard precaution to take special care when receiving a PC program from someone because of the possibility of virus contamination, it is exponentially greater during foreign travel.

Answering the questions in the checklist below can identify opportunities to improve the security of your computer software and hardware.

Computer Security Checklist

International Travel

Environment

Physical Security

System Security

Virus Protection

Computer Security Guidance

Under the Computer Security Act of 1987, the National Institute of Standards and Technology (NIST) develops standards and guidelines for the protection of sensitive information.

For a listing of available documents, including ordering information, request a free copy of Publications List 91 from the following:

CSL Publications Technology Building
Room B64
National Institute of Standards and Technology
U.S. Department of Commerce
Gaithersburg, MD 20899

EFFECTS OF TELECOMMUNICATIONS ON COMPUTER SECURITY

Telecommunications technology provides for electronic "highways" that now enable a person to directly access a computer system on another continent. Many U.S. corporations are dependent for their very survival on data being stored and processed on these computer systems. It is therefore mandatory that access control security software and procedures are implemented for any computer interfacing with a network or telephone system. Hacking into computers is now a standard tool for those involved in espionage and computer crime. Once an intruder has gained entry, he or she may be able to view, change, or destroy valuable company data and information. Electronic terrorism, placing a corporation's information assets at risk, also is possible.

Consider the following tips to reduce the possibility of unauthorized access through networks:

AT HOME

Many of the same principles that apply to maintaining a safe and secure office apply equally to a residence. These elements will vary depending on the foreign environment and the associated risk factors. As a general rule, competitive information should not be taken home. However, should it become necessary, the level of protection afforded competitive information in the home must be equal to or greater than the standard of protection it is afforded in the office.

A favorite$technique of information thieves is the examination of trash containers. Consequently, the disposal of competitive information should not be done at home. Such materials should be transported to the workplace where they may be properly destroyed.

HOME SECURITY CHECKLIST

Access to residential buildings where competitive information is located must be limited to only authorized persons. This will require appropriate locking devices and an alarm system that will detect an attempted intrusion and alert authorities and other responsible parties. A specific area or areas within the residence should be designated for working on competitive information.

Access should be limited to authorized family and service personnel. Such information, when left unattended, should be secured in an appropriate container. Control of the keys for these containers should be limited.

Cleaning activities should be done only when competitive information items are cleared from the area, secured, or when the area is monitored by the owner, custodian, or user of the information.

Residences and residential buildings should have appropriate:

Within the residence, the work area should include the following life and safety equipment:

Specific areas for competitive information work should include:

BUSINESS TRAVEL

Travel With a Laptop Computer

Business personnel who travel should adopt normal and prudent computer safeguards while traveling.

Never:

Working in Hotels With a PC

Hotel rooms are not secure. Leaving important company information in your room, even in a locked briefcase or PC, is an invitation for material to be copied or photographed while you are out. Hotel vaults are not much better. Foreign intelligence officers can gain access without you becoming aware of the compromise.

Reduce hard copy material as much as possible and carry what you must take on your person, possibly on disk, or secure it in a company vault.

U.S. business travelers should not assume that the U.S. standards in telecommunication security will be the case when traveling overseas. The quality of service, as well as the technical standards and conventions used, vary dramatically from country to country.

Scientific Conferences

Historically, scientific conferences and trade association meetings have been targeted by some foreign intelligence agencies. Today these meetings are still targeted, but the goal is to learn economic information that will improve the position of our foreign competitors. Individuals collecting this type of information may be managers, corporate officers, sales people, and other business people, scientists, engineers, and other technical personnel. There is a growing trend for foreign corporations to employ former intelligence officers for industrial work. Protect yourself by practicing discretion and remembering that not only time, but information, is money.

Eavesdropping

INFORMATION OF COMPETITIVE VALUE SHOULD NOT BE DISCUSSED IN PUBLIC PLACES.

Discussions on airplanes are overheard by those around you. Eavesdropping can result in gathering meaningful information in a radius of 6-8 seats. Recent revelations in the media specifically mention valuable information gathered by eavesdropping on conversations held on aircraft and in bars and restaurants.

Destruction of Information Waste

Necessary Communications

Be Alert!!!

Be aware of new acquaintances who probe for information or attempt to place you in a compromising situation. In an unusual situation, have an American colleague present. The watchword in travel while in foreign countries is discretion.

ADDITIONAL INFORMATION

We hope this has provided you with some basic security information . For a more detailed discussion, please review our expanded printed version, Guidelines for Protecting U.S. Business Information Overseas, available through the Overseas Security Advisory Council.

[end of document]