(CSO) As companies shop for expensive IT security software packages, hire information assurance specialists, or enter into contracts with IT security firms to provide up-to-date cyber threat intelligence, they should not overlook the threats posed to company data from traditional espionage tradecraft. Not even the most robust computer security measures or the latest behavioral analytic/machine learning algorithms can defeat the insider who does not rely on a computer or the exploitation of to steal company information. In this respect, the espionage case of Ana Montes provides important lessons for every business.
In 1984, Montes worked as a paralegal at the Department of Justice while attending Johns Hopkins University as a part-time graduate student. At the university, Montes’ outspoken views against U.S. policy in Latin America caught the attention of a fellow student who happened to be an access agent for the Cuban Intelligence Service. Identifying potential Cuban interest in Montes for the country’s clandestine war with the United States, the agent arranged to introduce her to Cuban intelligence officers in New York City. At this meeting, Montes impressed the Cuban intelligence officers with her views against U.S. foreign policy and sympathy toward the Cuban cause. It was clear to the Cubans that they had found a comrade.
An intelligence service typically recruits spies because of their access to information, organizations, or people of interest. Montes at the time, however, did not have access to information of significant interest. The Cubans rolled the dice and recruited her anyway seeing potential for her to acquire future access. The gamble paid off. In 1985, Montes began work as an intelligence analyst at the Defense Intelligence Agency (DIA) and eventually assumed responsibility for the DIA’s Cuba portfolio.
For the next 16 years, while rising through the ranks of DIA, Montes leveraged her access to classified information to steal U.S. government secrets for the Cubans. Despite her lack of access when she was recruited, as a DIA analyst Montes became uniquely positioned to provide significant insight into U.S. military knowledge of Cuba’s armed forces and advanced warning of U.S. operations that might affect the island nation. . . .
. . . . What are the lessons for the private sector?
Like Montes, a prospective employee could be applying for a company position because of the access it will provide and not because of any special desire to advance her career or join the company. Montes did not become disgruntled on the job and decide to take revenge. She targeted DIA for the information she could steal. While she explored other employment opportunities in addition to DIA, her raison d’être for getting any job was to obtain access to information that could help the Cuban government.
The Montes case also demonstrates that adversaries with intentions to steal company information can be anywhere. While we envision spies being recruited by intelligence officers in dark corners of the world, Montes was spotted in a “safe,” open academic environment in the United States by a fellow student, who was also a Cuban spy. From there, Montes was introduced to the world of espionage. For an American business with secrets to keep, it is important to recognize that employees with no apparent history of contact with adversaries or competitors could have come under the spell of espionage in unsuspecting ways and in nonthreatening locations.
Montes also proves the exception to the notion that spies are motivated by money and greed. Although money may not be the driving force in an espionage relationship, it is generally expected to play some role. Montes was instead motivated by ideological beliefs, a rarity today in traditional espionage cases. Because money and greed played no role, Montes did not exhibit traits common to many spies, such as financial vulnerabilities. Similarly, by not taking money, Montes denied counterintelligence investigators the financial evidentiary trail sometimes used to uncover espionage. During her 16 years as a spy, Montes continued to live frugally within the means her government salary provided. A spy within the midst of an American company with purely ideological or nationalistic motivations could be just as difficult to find.
The most important lesson American businesses can learn from the Montes case is that IT security measures will not be enough to prevent the determined insider and a sophisticated intelligence service or competitor from stealing corporate secrets. Montes never removed documents from DIA. She never copied documents to a thumbdrive or CD, never sent them out by e-mail, or downloaded malicious software to open DIA systems to electronic exfiltration. Instead, she relied solely on her required access and memory to steal classified information and give it to the Cubans. . . . (read all)