Chinese Spies and Outsourcing

UPDATED BELOW

Over at Tim Johnson’s blog, thoughts on Chinese spying:

I went to Middlebury College in the summer of 2003 to begin Chinese language training … and soon figured out that some were FBI counter-intelligence officers honing their Chinese. After some quiet conversations, a couple told me they were inundated with work. Beijing had a massive effort going in the United States, and it was what might be called “ant” intelligence. Many people picking up lots of little bits and pieces and taking it back to be put together at the mother nest. Is it true? Who knows.

Good point. How can we really know? Meanwhile, ESWN points out this little tidbit from the FBI:

One of your execs is on a business trip overseas. At an opportune time, a foreign spy covertly plants software on her laptop. Unsuspecting, she returns home and plugs her laptop into your company’s computer network. By the time your security experts get wind of it, your most cherished business secrets are long gone.

Is that a Dell laptop? Why evoke the threat of foreign spies when corporate espionage and data security should be a priority regardless of where you are in the world – including in your own home office?

It then lists what these spies want:

Know What Spies Want
At the top of their country’s hit lists:

* The inside skinny on our government’s policies and intentions towards their country.
* Details on U.S. military plans and weapons systems.
* The crown jewels of our economy: our nation’s best scientific and technological innovations and research, both public and private.
* Cutting edge U.S. management practices, which themselves are a valuable asset.

Know Their Favorite “Disguises”

* Representatives at supposed “research institutes”;
* Visiting business professionals and scientists who want to tour your state-of-the-art plants and operations worldwide (a great place to take pictures and make friends);
* Tourists or visitors on non-immigrant visas;
* Diplomatic officials, the standard cover;
* False front companies; and
* Students and educators.

The term “crown jewels” might ring some bells from the Wen Ho Lee debacle. Those crown jewels turned out to be public information, not classified data. Tim Johnson’s use of the word “ant” might be because it came into use at the time:

A March 21, 1999, Washington Post article explained that the Chinese had been perfecting their technique of “tasking thousands of Chinese abroad to bring secrets home one at a time like ants carrying grains of sand” since “at least the fourth century B.C., when the military philosopher Sun Tzu noted the value of espionage in his classic work, The Art of War.”

Little known fact: editors excised the following paragraph after counter-intelligence officials asked WaPo not to reveal US knowledge of ancient Chinese secrets:

Historical records show that the Tang Dynasty expansion into Central Asia was led by a vanguard of restaurants, using sophisticated ciphers such as “you likee flied lice” and “two egg roll, two dolla”. Locals became suspicious something was afoot when stray cats began vanishing from the streets of Samarkand.

I mean, c’mon. I consider it a meaningless stereotype when China Daily starts harping on about “the Chinese” and their civilization from the beginning of time, too, as if they’ve always been a colony of insects sharing one hive mind and race memory. Just because the PRC government talks like its true doesn’t mean it is.

The FBI mentions false front companies – which gives me yet another opportunity to flog ArmsControlWonk’s post on how claims of 3,000 Chinese false front companies come from, well, thin air. The number came about during the late 90s due to (intentionally?) illiterate people attempting to read the Cox Report.

Back to the “ants”. The idea of thousands of Chinese carrying away the entire picnic one crumb at a time is pretty suggestive of hive-minded Asiatic hordes. Is it possible that China recruiting and debriefing the thousands of doctors, scientists, students, businessmen and tourists that visit the U.S.? Sure, but that’s not exactly a new idea. Could they be using nationalism to turn Chinese citizens abroad into intelligence assets? Gosh, appealing to nationalism to recruit spies? Crazy talk.

Let’s say there really is such a far-spanning operation asking Chinese citizens of all walks of life to be “Spy for a Day”. First of all, how effective could it be? In 1999, DIA analyst Nicholas Eftimiades, author of “Chinese Intelligence Operations”, testified before Congress:

The operational differences between professional intelligence officers and co-opted individuals are often noticeable. The intelligence officer generally has less technical knowledge about the subject matter involved in the operation, while the co-optee usually has no expertise in collecting information clandestinely. For example, at a trade show in Paris, French military investigators observed members of a Chinese scientific delegation discreetly dipping their ties in a photo processing solution made by the German firm Agfa.

Uh… ok. I’m not sure how discreet they were if “they”, as in plural, were dipping ties. Wouldn’t one tie-load do? Second, this could just as easily be amateur industrial espionage that didn’t involve the Chinese government. Considering that China has alot of trouble with IP theft domestically, a little Occam’s Razor says the government didn’t have to recruit or debrief anybody to inspire this little fashion statement.

When it comes to the most serious form of espionage, military technology, what is the statistical probability that having thousands of loyal Chinese part-time spies collecting random scattered bits of information from varying levels of American society is actually helpful? It has a certain “Monkeys typing Shakespeare” kinda ring to it. A bit from a biology lab in Maryland, a CD from a shipyard in San Diego, some schmuck’s physics thesis from Chicago – does this really add up to something big? I imagine some nuggets would be great, but in general it’d be like getting bits of different 5000 piece jigsaw puzzles. It could take decades to get anything that fits together.

And then there’s looking at it from the other side: assuming such a massive dragnet exists, and its effective, then what condition is the U.S. defense industry to prevent infiltration? Consider the following:

Intelligence professionals tell me that more than 50 percent of the National Clandestine Service (NCS) — the heart, brains and soul of the CIA — has been outsourced to private firms such as Abraxas, Booz Allen Hamilton, Lockheed Martin and Raytheon. – Who Runs the CIA? Outsiders for Hire, R.J. Hillhouse, WaPo

The House’s Intelligence Authorization Act for FY 2008 released on May 7 took multiple shots at the Intelligence Community’s reliance upon contractors:

A recent Intelligence Community contractor survey did not include a review of accountability mechanisms in cored contracts, nor any data to judge whether any contractors have committed waste, fraud, abuse, or criminal violations. Based on this and other observations, the Committee has concluded that Intelligence Community leaders do not have an adequate understanding of the size and composition of the contractor work force, [sic] a consistent and well-articulated method for assessing contractor performance, or strategies for managing a combined staff-contractor workforce. – RJ Hillhouse’s blog The Spy Who Billed Me

On May 14, at an industry conference in Colorado sponsored by the Defense Intelligence Agency, the U.S. government revealed for the first time how much of its classified intelligence budget is spent on private contracts: a whopping 70 percent. Based on this year’s estimated budget of at least $48 billion, that would come to at least $34 billion in contracts. The figure was disclosed by Terri Everett, a senior procurement executive in the Office of the Director of National Intelligence, the agency established by Congress in 2004 to oversee the 16 agencies that make up the U.S. intelligence infrastructure. A copy of Everett’s unclassified PowerPoint slide presentation, titled “Procuring the Future” and dated May 25, was obtained by Salon. (It has since become available on the DIA’s Web site.) “We can’t spy … If we can’t buy!” one of the slides proclaims, underscoring the enormous dependence of U.S. intelligence agencies on private sector contracts. – Salon.com

On 9/11, our spies found themselves shorthanded – untrained in the languages spoken by terrorists, unable to crack new communications technologies, generally lagging behind their counterparts outside the government. The privatization boom emerged out of sheer necessity. As it happened, the dot-com bubble had burst shortly before 9/11, cutting loose a generation of technology entrepreneurs who, when the government came calling, were only too happy to start developing new data-mining algorithms and biometric identification programs. New startups began sprouting in the suburbs around Washington. The number of “contractor facilities” cleared by the National Security Agency grew from 41 in 2002 to 1,265 in 2006. It was a gold rush, a national security bubble. – IHT via Military.com

Steven Aftergood, director of the Project on Government Secrecy at the Federation of American Scientists, believes that the kind of military intelligence work contracted to CACI, Titan Corp., and other companies is particularly ripe for problems because intelligence agencies “operate under unusual authority.” He adds: “I don’t think the current oversight system is equipped to monitor the activities of contractors. That is one of the central lessons of the Abu Ghraib affair.”– Mother Jones

The OPM [Office of Personnel Management, U.S. agency responsible for background checks to issue government security clearances to contractors], which has scrambled to increase its staff to keep pace with requests for background checks on government workers, relies on “an inexperienced investigative workforce” and cannot always use technology to shorten processing time because some data must be entered into computer systems from paper applications, the GAO [General Accounting Office] said.

In its review, the GAO turned up troubling signs that some top-secret clearances are based on incomplete investigative reports. A study of 50 investigative reports found 47 were missing data required by federal rules, the GAO said.

Other background reports lacked information on where applicants worked and lived, their overseas trips, and their personal conduct, the GAO said.

“The use of incomplete investigations and adjudications in the granting of top secret clearance eligibility increases the risk of unauthorized disclosure of classified information,” the GAO said. – Washington Post

So, in conclusion: if China really has a vast legion of spies across industries, is it really such a good idea to be privatizing so much of the defense industry, expanding the number of companies, many of which are merely a few years old, and handing out security clearances on poor background checks? Increasing the number of possibly insecure channels to defense and intelligence data seems the wrong way to go if you’re being stuffed full of sleepers. But perhaps its too late to turn it around – the U.S. has even outsourced the background checks.

UPDATE: As if on cue, this report has just come out on classified military documents appearing online due to contractor error. The documents were put on an open FTP server by CH2M Companies Ltd, but other contractors mentioned of similar sloppiness are SRA International and Benham Companies LLC, as well as a number of agencies (even the DIA, as mentioned above, posted secret budget information). The more contractors there are, especially smaller ones, the more avenues there are for foriegn intelligence to exploit. China’s tactics don’t seem as great a concern as the U.S.’s lack of care.