What to protect; decisions, decisions. It seems that there are acronyms developed with the ingenuity and fluidity of American innovation. The same innovation that enhances our military capability also comes with a set of warnings and new titles and acronyms that demand increased attention. While new acronyms and technology protections are identified, reliance continues on fundamental protection measures that rarely change.
More and more evident is the growing volume of U.S. defense information categories that demand protection and are not necessarily classified. If not identified and protected, unclassified U.S. defense information could be accessed by unauthorized persons.
Unclassified defense information comes in many forms and acronyms includes military critical technology, proprietary information, intellectual property, company secrets, Export Administration Regulation (EAR), International Traffic in Arms Regulation (ITAR) controlled technology, controlled unclassified information (CUI) and the most recent unclassified controlled technical information (UCTI).
Some U.S. defense information categories and definitions include:
- Espionage
- Gathering, transmitting or losing defense information
- Gathering or delivering defense information to aid foreign government
- Photographing and sketching defense installations
- Use of aircraft for photographing defense installations
- Publication and sale of photographs of defense installations
- Disclosure of classified information
- Economic Espionage Sec. 1831 of Economic Espionage Act of 1996
- Whoever, intending or knowing that the offense will benefit any foreign government, foreign instrumentality, or foreign agent, knowingly--
- steals, or without authorization appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains a trade secret;
- without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys a trade secret;
- receives, buys, or possesses a trade secret, knowing the same to have been stolen or appropriated, Obtained, or converted without authorization;
- Trade Secret Theft Sec. 1832 of Economic Espionage Act of 1996
- Whoever, with intent to convert a trade secret, that is related to or included in a product that is produced for or placed in interstate or foreign commerce, to the economic benefit of anyone other than the owner thereof, and intending or knowing that the offense will, injure any owner of that trade secret, knowingly
- steals, or without authorization appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains such information;
- without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys such information;
- receives, buys, or possesses such information, knowing the same to have been stolen or appropriated, obtained, or converted without authorization
- ITAR Violations
- Export means:
- Sending or taking a defense article out of the United States in any manner, except by mere travel outside of the United States by a person whose personal knowledge includes technical data; or
- Transferring registration, control or ownership to a foreign person of any aircraft, vessel, or satellite covered by the U.S. Munitions List, whether in the United States or abroad; or
- Disclosing (including oral or visual disclosure) or transferring in the United States any defense article to an embassy, any agency or subdivision of a foreign government (e.g., diplomatic missions); or
- Disclosing (including oral or visual disclosure) or transferring technical data to a foreign person, whether in the United States or abroad; or
- Performing a defense service on behalf of, or for the benefit of, a foreign person, whether in the United States or abroad.
The lesson is that significant effort and thought should go into protecting sensitive unclassified U.S. defense information. Developing a security program to protect sensitive unclassified information may require more innovation than that of understanding how to protect classified information. Classified information handling instruction provides much stronger wording. For example, recipients of TOP SECRET, SECRET, and CONFIDENTIAL information are directed to protect this information with GSA approved security containers, security in depth, intrusion detection devices and much more depending on the classification level. In fact, there are entire manuals written depending on agency and their contractors. For the Department of Defense the National Industrial Security Program Operating Manual (NISPOM) provides a few hundred pages on how to protect classified information.- Gathering, transmitting or losing defense information
- Gathering or delivering defense information to aid foreign government
- Photographing and sketching defense installations
- Use of aircraft for photographing defense installations
- Publication and sale of photographs of defense installations
- Disclosure of classified information
- Whoever, intending or knowing that the offense will benefit any foreign government, foreign instrumentality, or foreign agent, knowingly--
- steals, or without authorization appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains a trade secret;
- without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys a trade secret;
- receives, buys, or possesses a trade secret, knowing the same to have been stolen or appropriated, Obtained, or converted without authorization;
- Whoever, with intent to convert a trade secret, that is related to or included in a product that is produced for or placed in interstate or foreign commerce, to the economic benefit of anyone other than the owner thereof, and intending or knowing that the offense will, injure any owner of that trade secret, knowingly
- steals, or without authorization appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains such information;
- without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys such information;
- receives, buys, or possesses such information, knowing the same to have been stolen or appropriated, obtained, or converted without authorization
- Export means:
- Sending or taking a defense article out of the United States in any manner, except by mere travel outside of the United States by a person whose personal knowledge includes technical data; or
- Transferring registration, control or ownership to a foreign person of any aircraft, vessel, or satellite covered by the U.S. Munitions List, whether in the United States or abroad; or
- Disclosing (including oral or visual disclosure) or transferring in the United States any defense article to an embassy, any agency or subdivision of a foreign government (e.g., diplomatic missions); or
- Disclosing (including oral or visual disclosure) or transferring technical data to a foreign person, whether in the United States or abroad; or
- Performing a defense service on behalf of, or for the benefit of, a foreign person, whether in the United States or abroad.
However, for unclassified U.S. defense information the defensive measures depend primarily on the analysis and innovation of those holding it. True, the ITAR, EAR and some DoD publications speak to protection of sensitive unclassified information, but the guidance is high level and subjective. For example, the NISPOM limits access to classified information to security clearance and need to know and a time proven classification system. It also requires specifications for locks and security containers that protect classified information. On the other hand, sensitive unclassified information does not address background investigation or requirements for industry other than to prevent access by non-U.S. persons. Also, unclassified hard copy requires securing in a locked desk or drawer and shredding or ripping into pieces. These might be adequate in general terms but are subjective to the quality of desk and size of the shredded pieces as well as any credible threat.
At this point it is good to consider the guidance as a minimum and plug in a risk analysis of the defense information within organization as the added ingredient. Once established, the FSO should develop a security awareness training program to assist with enforcing the message.
Unclassified U.S. defense information should be protected with a well-designed security system. Though not classified, this information could impact national security if access by unauthorized persons. Therefore, it should be identified by title and location and limited not only to U.S. persons but also by need to know of the information.
Stay plugged in for future articles and information on building that security program to protect sensitive unclassified U.S. defense information. Sign up for our newsletter to keep up to date.
Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing Red Bike Publishing . He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and NISPOM/FSO Training".
No comments:
Post a Comment