MAY 2021 Insider Threats And Commercial Espionage: Economic And .

Transcription

MAY 2021

Insider Threats and Commercial Espionage: Economic and National Security Impacts

Presented by INSA’s Insider Threat Subcommittee

Building a Stronger Intelligence Community

WWW.INSAONLINE.ORG

EXECUTIVE SUMMARY

Economic espionage causes significant harm to the American economy and to U.S. national security. The theft of intellectual property costs the United States between one and three percent of its $21 trillion annual GDP and enables foreign competitors to bring comparable products or technologies to market at a fraction of the cost and in far less time. Since many advanced technologies have military and intelligence applications, the theft of related information enables U.S. adversaries to enhance their capabilities and better counter those of the United States. China is the most aggressive actor behind the theft of commercial secrets, with 20 percent of U.S. companies claiming that entities tied to China have stolen their intellectual property.

This paper will review the threat posed by economic espionage and highlight the role of trusted inside actors in stealing sensitive material for the benefit of foreign competitors. Through a better understanding of why trusted insiders choose to steal economic and commercial information, government officials and industry executives can develop strategies to mitigate and prevent economic espionage and its detrimental effects on the United States. Recommended steps include intensified efforts by companies and universities to instill a culture of security in their organizations; expanded government outreach to corporate and academic leaders, particularly at smaller institutions, regarding foreign adversaries’ targets and methodologies; and government programs to help companies and universities, particularly ones that conduct government-sponsored research and development, evaluate their security postures and establish comprehensive insider threat programs.

INSIDER THREATS AND COMMERCIAL ESPIONAGE: ECONOMIC AND NATIONAL SECURITY IMPACTS

INTRODUCTION

Economic espionage poses a serious threat to American businesses and to the overall prosperity of the United States.[1] The theft of intellectual property (IP), through both open and clandestine methods, can provide foreign entities with valuable proprietary commercial information at a fraction of the true cost of its research and development and in far less time than it would take to develop the information itself. Given that many advanced technologies have intelligence and military applications, the theft of related information also has significant implications for U.S. national security.

Valuable commercial information is often stolen by hacking into a network, though advanced cybersecurity tools create a formidable defense against remote electronic attacks. However, if an adversary can recruit an employee or trusted partner of the targeted organization, that person can use their access to provide documents and data, along with critical context and know-how, while operating under the radar and evading detection. Trusted insiders can identify and work around physical and network security controls, particularly when their legitimate access to information can disguise their illegitimate intentions.

This paper will examine these insider threat actors in an attempt to understand why individuals choose to steal IP from an organization with which they are affiliated. A deeper understanding of what compels a trusted insider to commit IP theft will enable information and physical security professionals to develop effective safeguards and preemptive strategies to counter economic espionage.

BACKGROUND

Foreign economic and industrial espionage against the United States represents one of the most significant threats to America’s prosperity, security, and competitive advantage, costing the United States between one and three percent[2] of its $21 trillion annual GDP.[3] The theft of intellectual property eviscerates the value of past investments to develop a marketable product or technology and undermines prospects for future revenues. Stolen IP enables competitors to sell nearly identical products with virtually no R&D costs and often undercut the American developer on price.

While political and military espionage has long been treated as a threat to national security, it is only in the past few decades that the theft of commercial trade secrets has been recognized as a problem of national import. In 1996, Congress enacted the Economic Espionage Act (EEA),[4] which made the theft or misappropriation of IP and trade secrets a federal crime. The EEA criminalized economic and industrial espionage executed for the benefit of a foreign government, as well as the more common commercial theft of trade secrets, regardless of the beneficiary.[5] In February 2020, the Office of the Director of National Intelligence (ODNI) issued a National Counterintelligence Strategy for the United States that focuses largely on the theft of U.S. intellectual property.[6]

Global Internet connectivity made it possible for adversaries to steal data from U.S. firms from the safety of their own territory. In 2011, the U.S. National Counterintelligence Executive (NCIX) highlighted cyber-enabled espionage capabilities as one of the most pervasive threats posed by foreign intelligence services to U.S. research, development, and manufacturing sectors.[7] In a 2018 report on Foreign Economic Espionage in Cyberspace, the National Counterintelligence and Security Center (NCSC), the successor to NCIX, wrote that cyberspace is the preferred attack vector for “a wide range of industrial espionage threat actors, from adversarial nation-states, to commercial enterprises operating under state influence, to sponsored activities conducted by proxy hacker groups.”[8]

Despite the attention given to hacking and cyber-enabled espionage, humans remain at the center of the threat. According to Carnegie Mellon’s Software Engineering Institute (SEI), employees, contractors, and business partners (i.e., insiders) with direct access to information, facilities, and systems “have a significant advantage over external attackers. They are not only aware of their organization’s policies, procedures and technology; they are also familiar with its vulnerabilities (for example, this can include loosely enforced policies and exploitable flaws in networks).”[9] Carnegie Mellon’s CERT Insider Threat Center concluded that insiders were suspected or known to be responsible for approximately 23 percent of electronic crimes, and 45 percent of respondents to a 2015 CERT survey believed insiders pose greater risks than outside attackers.[10]

Protecting networks from external cyber attack is therefore insufficient; organizations must understand how to counter the unpredictable nature of their employees, contractors, and business partners. Government, industry, and academia must better understand the motivations that drive trusted employees with access to valuable information to reveal it to competitors or adversaries.

THE THREAT OF ECONOMIC ESPIONAGE

Research and development (R&D) investments have fueled American innovation. U.S. government, industry, and academic institutions devoted $580 billion to R&D in 2018, representing more than a quarter of all R&D expenditures in the world.[11] Innovative technologies take significant amounts of funds and many years to develop, sunk costs that increase the price companies must charge for the technologies they eventually bring to market. If a competitor can steal critical research, it can reproduce the innovation at a fraction of the cost and in far less time, which enables it to undercut its price and thereby steal market share from the original developer.

FOREIGN THREATS

Adversaries willing to recruit or take advantage of individuals with inside knowledge can gain extraordinary access to proprietary R&D information. They will work diligently to identify insiders who are susceptible to coercion or bribery; who may be ignorant of, or careless about, security policies; and who are in a position to abscond with trade secrets. Access to an insider enables an adversary to circumvent security controls from the inside rather than penetrate them from the outside.

While Russia, Iran, North Korea, and other U.S. adversaries have tried to steal commercial information, China is by far the most aggressive actor targeting U.S. companies’ intellectual property. Indeed, 20 percent of American companies claim that entities tied to China have stolen their intellectual property,[12] and more than half of EEA prosecutions involve a nexus to China. In congressional testimony in April 2021, FBI Director Christopher Wray stated that the FBI has more than 2,000 open investigations with links to the Chinese government and that it opens a new China-related espionage case every ten hours.[13]

China’s “Made in China 2025” notice includes ten strategic advanced technology manufacturing industries that China aims to advance. These include next generation information technology, robotics and automated machine tools, maritime vessels and marine engineering equipment, electrical generation and transmission equipment, and biotechnology.[14] The U.S. Department of Justice’s “China Initiative,” launched in November 2018, seeks to counter Chinese national security threats by identifying and prosecuting cases related to Chinese thefts of U.S. intellectual property.[15] Among the dozens of cases pursued under the China Initiative are indictments of scientific researchers, engineers, professors, hackers, and businesspeople, both American and Chinese.[16]

– A Chinese-born U.S. Navy officer, his naturalized U.S. citizen spouse, and two Chinese nationals were indicted in November 2019 for fraudulently attempting to export inflatable boats with military applications to China.[17]

– In October of 2020, an American and a Chinese national were indicted for conspiring to steal technology from a Houston-area oil and gas manufacturer on behalf of two Chinese companies.[18]

– In November of 2020, a university rheumatology professor and researcher pleaded guilty to lying on grant applications and making false statements to federal authorities for planning to provide China with insights from research funded by the National Institutes of Health.[19]

China recruits U.S. scientists, engineers, and others to obtain critical technologies, expertise, and intellectual property through its Thousand Talents Program and more than 200 similar initiatives to surreptitiously acquire foreign technology. U.S. nationals recruited by the program provide proprietary data to Chinese counterpart institutions in exchange for payment, which they typically do not disclose to their full-time U.S. employers or funders.[20] Some participants, according to a U.S. Senate committee report, establish “shadow labs” in China to mirror the work they do in the United States, based on research data funded by their U.S. employers.[21]

– On January 13, 2021, Meyya Meyyappan, a senior NASA scientist, pleaded guilty to making false statements related to his participation with the Chinese Thousand Talents Program. Meyyappan held a trusted position at NASA as Chief Scientist for Exploration Technology at NASA’s Ames Research Center in California.[22]

– In January of 2020, Charles Lieber, Chair of Harvard’s Chemistry Department and one of the world’s leading researchers in the field of nanotechnology, was arrested for sharing his research, in exchange for payment, with Wuhan University of Technology (WUT) through the Thousand Talents Program. U.S. government agencies, including the National Institutes of Health and the Department of Defense, had provided Lieber with more than $15 million to fund his research in the United States.[23]

– In July of 2019, Kang Zhang, the Chief of Eye Genetics at the University of California San Diego Shiley Eye Institute and a participant in the Thousand Talents Program, resigned after it was revealed that he failed to disclose he was a primary shareholder of a publicly traded Chinese biotechnology company that specializes in the same work he performed at UCSD.[24]

RISKS OF ACADEMIA’S OPEN CULTURE

In academia, and particularly in scientific and medical research, scholars lean towards the noble goal of exchanging ideas to promote learning and progress to the benefit of all, regardless of heritage, national origin, race, creed, or religious views. This is, admittedly, necessary if we as a global society hope to continue to advance quality of life for generations to come.

Unfortunately, foreign adversaries can take advantage of this openness to the detriment of U.S. national and economic security. As former National Counterintelligence Executive Michelle van Cleave testified at a congressional hearing in April 2018, “U.S. academic institutions, with their great concentration of creative talent, cutting edge research endeavors, and open engagement with the world of ideas, are an especially attractive environment for foreign collectors targeting America’s R&D wealth.”[25]

In 2019, “national security agencies, federal granting agencies, the White House and members of Congress all signaled their increasing concern” about “theft of sensitive academic research by foreign competitors.”[26] In many cases, the research being stolen was funded by U.S. taxpayers through institutions like the National Institutes of Health (NIH). An NIH outreach campaign encouraging administrators of government research grants to assess security risks resulted in more than 180 investigations of scientists at 71 institutions.[27]

The U.S. Government has taken significant steps towards curbing such threats, including securing sensitive studies, classifying some research, adding restrictions to visas in certain STEM fields, limiting Chinese graduate students in technological fields to one-year stays in the United States, and restricting participation “in foreign talent recruitment programs operated by countries deemed ‘sensitive.’”[28]

DOMESTIC INDUSTRIAL ESPIONAGE

Domestic economic espionage, also known as industrial espionage or corporate espionage, can be just as damaging to American companies as foreign-based malicious activity. U.S. corporations face intense competition both at home and abroad, and while methods of spying on competitors have changed over time, the motivations to uncover a rival’s trade secrets have persisted. Advances in technology make IP and sensitive data even more difficult to protect and more critical to a company’s operations and economic success.

While the worst case scenario may be losing critical data to a nation-state that could both undermine a company’s business and compromise U.S. national security, losing data to a domestic competitor can also result in significant revenue losses and damage to long-term viability. U.S. corporations must be able to protect their trade secrets from all adversaries to remain competitive.[29] Malicious insiders don’t only steal proprietary information to share with companies overseas; they often do so as they prepare to leave their jobs to work for competing companies inside the United States. In one of the most infamous recent cases of such IP theft, an engineer in Google’s self-driving car division downloaded thousands of project files before quitting. He immediately started his own autonomous vehicle company, which he sold to Uber, one of Google’s top competitors in the market, just months later.[30]

Corporations also deliberately hire employees of competing firms to exploit their knowledge of, and access to, the competitor’s IP. In one example, Ticketmaster hired a former employee of Crowdsurge, a rival ticket seller, and used this person’s credentials to access Crowdsurge’s data and analytics relating to concert ticket pre-sales. Prosecutors asserted that Ticketmaster executives began asking the employee for information related to his former firm within weeks, and that “Ticketmaster employees repeatedly—and illegally—accessed a competitor’s computers without authorization using stolen passwords to unlawfully collect business intelligence.”[31]

Preventing the loss of proprietary data to U.S.-based industrial competitors can be accomplished through measures similar to those employed to address foreign-based economic espionage.

TYPES OF INSIDER THREATS

In 2015, INSA’s Insider Threat Subcommittee worked closely with the Defense Counterintelligence and Security Agency (DCSA) and ODNI’s National Counterintelligence and Security Center (NCSC) to refine the definition of insider threat to be relevant to all U.S. government agencies and private companies. The Subcommittee defines an insider threat as, “The threat posed by a person who has, or once had, authorized access to information, facilities, networks, people, or resources; and who wittingly, or unwittingly, commits acts in contravention of law or policy that resulted in, or might result in, harm through the loss or degradation of government or company information, resources, or capabilities; or destructive acts, to include physical harm to others in the workplace.”[32]

Countless motivations might drive a person to turn against his or her employer. INSA’s Insider Threat Subcommittee identifies several categories of insider threats and outlines the motivating factors that could push a person to steal a company’s sensitive data. These include sabotage, theft of intellectual property or national defense information, insider fraud, workplace violence, and unintentional insider threats.[33] Emotional factors that drive malicious insiders include an individual’s sense of national pride and politics, financial hardships and disgruntlement. Dissatisfaction at work due to real or perceived unfair treatment can also be manipulated by foreign powers well-versed in the art of espionage.[34]

People with access to sensitive information are not only motivated by a desire to harm an employer they resent, but they frequently take advantage of their access for their own personal gain. In December 2019, for example, a Chinese cancer researcher at a Harvard laboratory was arrested while trying to smuggle vials of cancer cells on a flight to Beijing. His goal was to advance his career by conducting research at a facility in China and publishing study results under his own name.[35] In December 2020, motivated by greed, two married Chinese genetic researchers who developed genetic testing kits at an Ohio hospital pled guilty to selling the kits through a company they formed in China.[36]

It is difficult to identify malicious activity by potential or current insider threat actors before damage is discovered. However, it is possible to identify characteristics typical of individuals indicating personal stress, which might render them susceptible to acting rashly and emotionally. While such traits are not definitive evidence of wrong-doing, they can serve as warning signs.

In 2012, the FBI produced an article that focused on common motivations for insider threat actors and observable behaviors that are potential indicators of criminal conduct. The piece highlighted such motivations as financial compensation, divided loyalties, blackmail, and substance abuse. Signs of misdeeds might include such things as taking proprietary or other information without authorization, disregarding company information security policies, unexplained affluence, significant stressful life events, and/or unmet professional expectations.[37]

What is crucial to understanding and recognizing malicious insider threat actors is that they often exhibit indicators that, if identified early, can be mitigated before harm to the organization occurs.[38] The challenge is overcoming people’s reticence to speak up when these signs are recognized. Additionally, “our natural human tendency is to trust one another, especially our coworkers.”[39]

Carnegie Mellon points out that some insiders unintentionally open up their employers to risk due to negligence rather than malicious objectives.[40] Employees create risk without an intent to harm through bad business practices, ignorance of policy, lax policy enforcement, a willingness to bypass security measures to work more efficiently, and just plain human error.[41] Researchers affiliated with Carnegie Mellon University identified four additional categories of unintentional insider threat incidents: accidental disclosure, malicious code introduced through social engineering, theft or improper disposal of records, and loss of portable electronic data storage devices.[42]

Statistically, unintentional insiders (and their unintentional actions) far outnumber the malicious insiders. However, external actors’ exploitation of unintentional mistakes has been at the root of many large-scale data breaches. In many cases, improving employees’ awareness of security threats and best practices can prevent lax behavior that increases risk.

– In 2011, unintentional employee negligence at RSA Security led to an advanced persistent attack that compromised an estimated 40 million employee records. Two hacker groups working with a foreign government launched phishing attacks targeting RSA employees, pretending to be trusted coworkers and contacts. When employees fell for the attack, the hackers gained access to RSA’s networks and were able to compromise SecurID authentication tokens.[43]

– In 2016, the payroll information of roughly 700 current and former Snapchat employees was compromised after a phishing attack tricked a human resources employee into handing over this sensitive information by pretending to be the company’s CEO.[44]

– In 2017, Wells Fargo intended to provide a lawyer with a selection of emails and documents related to a case involving a Wells Fargo employee. Instead, the bank accidentally turned over an unencrypted CD with confidential personal and financial information regarding 50,000 of the bank’s wealthiest clients.[45]

PROPOSED SOLUTIONS

Despite the prevalent nature of economic espionage throughout U.S. history, the estimated loss of billions of dollars to the American economy each year, and the threat to U.S. national security,[46] a hard push to develop and implement preemptive, as opposed to reactive, measures is still lacking. There is no walking back the harm that is done once intellectual property has been compromised. While holding perpetrators, beneficiaries of purloined information, and nation-states accountable is necessary, its effectiveness is weakened by the fact that it does not undo damage already done to American national and economic security.

Proactive steps to protect valuable information can, however, mitigate threats from foreign adversaries and malicious insiders and minimize the damage that they can do.

– The first and most crucial step is to educate corporate and academic leaders about the information and technologies that foreign adversaries want to steal and the steps they may take to do so. The goal is not to discourage or hinder scientifically and commercially valuable collaboration, but rather to learn to balance cooperation with security. The FBI, the Intelligence Community, and other government entities routinely brief corporate and academic leaders on these threats, but many of the participants in such briefings are large institutions that have the resources to engage. The FBI and others must extend their outreach to more small organizations and labs where a great deal of innovative work is undertaken.

– Companies and universities must also work to instill a culture of security and security awareness within their own organizations. Because indicators of potential insider threats often go unrecognized or are ignored by people who are hesitant to report their concerns, corporate and academic leaders must encourage and empower their workforce to come forward when a colleague demonstrates concerning behavior. Organizations should develop and disseminate clear security policies and build awareness of both policies and best practices through steps like posters, periodic training classes, and email campaigns. Employees must know that they can share their concerns with human resources, security staff, and any key stakeholder in the company’s insider threat program, including the insider threat hotline if one exists.[47]

– Government agencies should take a more active role in helping companies and institutions of higher education, particularly ones that partner with them on research and development, re-evaluate their security postures and establish comprehensive insider threat programs that are responsive and crafted uniquely to meet industry needs. Agencies can do so by assisting with:

  – Establishing insider threat awareness programs
  – Undertaking capability assessments
  – Developing security policies and governance structures
  – Designing and delivering security training

– FBI and other agencies do provide this assistance to some companies, but many of them are larger organizations with the capacity to engage the government on such issues on an ongoing basis. Small innovative companies with fewer resources to devote to security policies and programs are in particular need of government advice and assistance.

– Companies and research institutions should also draw on the wide range of insider threat expertise that exists outside of government. Carnegie Mellon’s SEI vulnerability assessment processes and methodologies, for example, are valuable tools to strengthen insider threat programs.

CONCLUSION

The economic lifeblood of any society is innovation: the creation of new techniques, tools, or processes that are relied on for the betterment of its citizens. Foreign adversaries will always seek information regarding commercially valuable innovations, and they will target and recruit knowledgeable insiders who understand the significance of sensitive data and have unimpeded access to it. Thefts of such data harm American economic competitiveness and national security.

The fundamental defenses against insider threats are employee education and continuous encouragement of the workforce to raise concerns when circumstances appear to be unusual, out of place, or troubling. If people do not understand the significance of the threat posed by those with nefarious intentions, they cannot help protect their organizations’ intellectual property.

A better understanding of malicious insiders’ motivations, more robust public-private collaboration, and effective employee training and awareness strategies can hinder foreign attempts to steal commercially valuable intellectual property and protect U.S. national and economic security.

REFERENCES

1. The Federal Bureau of Investigation (FBI) defines economic espionage as, “foreign power-sponsored or coordinated intelligence activity directed at the U.S. Government (USG) or U.S. corporations, establishments, or persons, designed to unlawfully or clandestinely influence sensitive economic policy decisions or to unlawfully obtain sensitive financial, trade, or economic policy information; proprietary economic information; or critical technologies.”

8. “Foreign Economic Espionage in Cyberspace,” National Counterintelligence and Security Center, 2018. At 0724-economic-espionage-pub.pdf.

3. Federal Reserve Bank of St. Louis, Gross Domestic Product. At

onal Research Service, U.S. Research and Development Funding and Performance: Fact Sheet, Report R44307, January 24, 2020. At

Mellon University Software Engineering Institute, “Our Research: Insider Threat,” no date. At

0Carnegie-Mellon University Software Engineering Institute, CERT Insider Threat Center, “Common Sense Guide to Mitigating Insider Threats, Fifth Edition,” December 2016. At https://resources.sei.cmu.edu/asset files/TechnicalReport/2016 005 001 484758.pdf.

2. National Bureau of Asian Research, “Update to the IP Commission Report,” February 2017. At Commission-Report-Update-2017.html.

4. 18 USC 1831. At https://uscode.house.gov/view.xhtml?path /prelim@title18/part1/chapter90&edition prelim.

12. Erik Sherman, “One in Five U.S. Companies Say China Has Stolen Their Intellectual Property,” Fortune, March 1, 2019. At https://fortune.com/2019/03/01/china-ip-theft.

5. US Department of Justice, “Introduction to the Economic Espionage Act,” Criminal Resource Manual (CRM), Sec. 1122. June 2015. At l-1122-introduction-economic-espionage-act. See also 18 USC 1832.

13. Gina Heeb, “FBI Says It Opens New Espionage Investigation Into China ‘Every 10 Hours’,” Forbes, April 14, 2021. At hina-every-10-hours/?sh 772b1c707a5d.

6. National Count
