Podcast: Could You Be the Target of Nation-State Adversaries? What to Know about HUMINT Collection
NOTE: This article first appeared at In CyberDefense.
Foreign governments are continuously conducting covert operations in the U.S. to gather intelligence about public and private sector organizations. One of the best ways to collect information is through human intelligence, or HUMINT, which targets individuals in order to get information from them. Unfortunately, many business leaders fail to understand the value of their assets and people, or how their relationships can be an avenue of access for foreign HUMINT collectors.
In this podcast episode, we hear from Angela Hill, who spent a decade as an intelligence analyst for the intelligence community, working for the government and private sector. She discusses the motives and techniques of HUMINT collectors in order to help business leaders develop an operational security mindset and identify actions to take should a person suspect they’re being targeted by foreign adversaries.
Read the transcript:
Leischen Stelter: Welcome to the podcast In Public Safety Matters. I’m your host, Leischen Stelter. For today’s episode, I’m joined by one of my colleagues, Wes O’Donnell, who is the Managing Editor of our sister site, InCyberDefense. Hi Wes, and thanks for being here.
Wes O’Donnell: Hi, Leischen. Thank you so much for having me.
Leischen Stelter: So Wes, we spent a lot of time this year working together to create a magazine called Preventing a Cyberattack: A Guide to Cyber Readiness, and this magazine covers a lot of really great cyber-related information from what assets business leaders should identify as their most highly valuable assets, what’s most likely to be targeted by hackers, how to work better with your IT department, and ways to train your employees to be cyber-ready. So for today’s episode, we wanted to feature one of the contributing authors in the magazine who had a really unique perspective on some of the threats business leaders face in protecting their information. Can you give us a little information about who we invited today?
Wes O’Donnell: Yes, absolutely. So today we’re joined by Angela Hill, who’s a veteran of the US Navy, and was an intelligence contractor to various agencies to include the CIA at the end of her career. Today, she designs high-impact security programs as a security practice manager for NuWave Technology Partners. Angela, thanks so much for being here.
Angela Hill: Thank you Wes and Leischen for having me.
Wes O’Donnell: Angela, I wanted to start our conversation by asking you a little bit about your background in the military and intelligence services. Can you tell us specifically about your expertise in human intelligence collection or HUMINT?
Angela Hill: Sure. To start, I actually spent a decade supporting the Intelligence Community or the IC. I joined the Navy as a reservist after the events of 9/11, and specialized in something called imagery analysis or IMINT, so imagery intelligence. Simultaneously, I held a civilian career which led me to work for various agencies in the Beltway, and I ended my career as a contractor for the CIA. I actually started out in science and technology helping with various technology exploitation efforts, and then I moved my role into more specific areas such as targeting for human activity and helping with the recruitment of assets. So I was working in counter-terrorism on operations at the end of my career, and I’ve supported ops in the Middle East, Africa, Europe, and Latin America.
Leischen Stelter: So Angela, can you tell us a little bit about some of your work on human intelligence collection? A lot of people refer to it as HUMINT. Can you just tell us what you did and give us a little bit of an idea of what that means?
Angela Hill: Sure. Human intelligence is targeted efforts in which we’re actively looking at various forms of human collection or intelligence coming from human sources. A large part of my career was working on supporting operations in which we were looking for assets, and so I was the analytical piece in which I would go through various data sources to gather information to put in front of our operators so that they could go after a specific target or a person that had been identified as an asset.
Leischen Stelter: So for the purpose of business leaders who may be working for corporations or in the public sector, can you give us a little insight into some of the threats that they may face from external or foreign HUMINT collectors and specifically what that looks like based on your work?
Angela Hill: So first and foremost, I’d like to say that it’s very important to understand their motives. So for example, today I work for a managed service provider called NuWave Technology Partners. We basically manage technology environments for small business, medium to small business. My boss is very conscious about the fact that we are targets for criminals and nation-states, so what are those motives? One thing I like to educate people on is a nation-state is purely looking at companies or U.S. industries or infrastructure for various reasons. One motive would be to disrupt American activities, another would be to support ongoing and future operations. Hard to believe but there are, I’m sure, various operations that our enemies are conducting in the United States covertly.
Another reason would be that they’re here to collect intelligence on our infrastructure. For instance, if we were to go to war, they already know what the lay of our land is like. They’re looking to collect information on advancements in technology or intellectual property because they want to advance their technological or intellectual property efforts over Americans, and also to create alliances and to build assets and sources for continuous information gathering.
My fear actually is that business leaders don’t really understand or have that awareness around various collection methods by nation-states, nor do they understand the data that they have or the relationships that they hold. For an example of this, there’s actually a presidential policy directive, it’s called PPD 21. It’s a directive in which Homeland Security actually outlines critical infrastructure, and there are 16 sectors that are considered critical, which I believe would be important to these nation-states that are looking to understand our critical infrastructure.
I guarantee that a majority of business leaders have some connection or at least one relationship with some of these various markets that have been identified by Homeland Security, and so another thing to consider is that, let’s say you’re a vendor to the US government, but you have key relationships with major US businesses. These businesses that have those relationships to the government or maybe relationships to major US businesses, they could be targets of human collection. So it’s who you know and how many degrees of access you may have to that association. These HUMINT collectors go out of their way to gather information so that they can support their operations if that makes any sense.
Leischen Stelter: I think that’s something that a lot of business leaders probably have no idea that they’re targets. I think what you mentioned earlier about basically just recognizing that you work in this industry, you are someone who has valuable information that you have access to or relationships with other people like you mentioned is something really important. So Angela, what are some of the signs of HUMINT activity? What do you think business leaders should be looking for and can you give us some examples based on your experience of how you targeted some of these folks?
Angela Hill: Yeah, so one of the things that I’ve run into since I’ve come out is they assume what I’m talking about is social engineering, but I wanted to be very clear and define what HUMINT is versus social engineering. And I believe it’s really important to let our audience know the difference. Social engineering is a practice of manipulating people in order to get them to divulge information or take action, whereas human intelligence is intelligence collected and provided by human sources. So HUMINT encompasses social engineering, but it’s much more. It actually includes social engineering aspects, but it can also include other aspects of gathering information from other assets. So it’s not just limited to manipulation, it’s looking at collecting information from all different platforms related to human activity.
And the first thing I would like to highlight is that you want to look for unwanted solicitation for information about yourself or your business in associations. For instance, is there a new contact in your life that seems to know just too much information about who you are and what you do? And are they probing for questions to understand about your industry that just seems really outside of the norm? Are they offering money in the exchange of information or are they aligning themselves to maybe some of the ideological beliefs that you have around whatever it is that you’re passionate around, so maybe politics for instance? Those are the things that I think I would highlight.
And I have an example of this where I know someone who, when I worked in the Beltway. He was a target walking around and he noticed a foreign national following him in the store. And in the DC area, people wear badges to get into facilities and you’re not supposed to wear them out in public. And this person wasn’t doing that, but he was wearing a lanyard. I don’t know if that was something that was a red flag or he had been targeted previously, but this individual had come up to him and just tried to make small talk, probing him about what he did for a living, and because this person had clearances, he was clearly not in the place to ever divulge what he did and just brushed the person off and said, “I’m just a teacher,” walked away, but noticed that this individual was following him throughout the store. And again, this person approached him, just very briefly asked him if he was interested in making some money.
This is an example in which I would say that this person was likely targeted because it had been identified that he had the financial need to give away information. So that would be an example of HUMINT collectors. They will take the time to understand your motives, what moves you, what you’re passionate about. If you’re financially motivated, they’re going to find out what those motivations are and then try to probe you to see if you divulged some of that information.
Wes O’Donnell: Yeah, Angela, I know at least in the Beltway, you can always spot a government employee with that blue badge that you were talking about or a contractor with that green badge. I think that this style of attack, as you mentioned, has that physical component where they need to physically befriend someone or go to them in person. So other than hiding that badge, putting it into a pocket or something, what are some other physical security measures that you would encourage organizations to have?
Angela Hill: So I actually have a few recommendations, and the first would be honestly is to define what your critical assets are. For business leaders, whether it’s a small business or an enterprise, really take that time to define your critical assets in your business, identify the sensitive areas, and then further, identify who can have access to those areas or access to those control lists.
I actually have a colleague in the industry, he’s a CSO for one of the MSPs in the area, and he tells a story about a company that he knew. They made a small part for the Navy for a classified system on one of their ships. He actually warned this company that, “Hey, I believe that you have something what we called covered defense information.” When you look at the document or the blueprint, it’s a number. It doesn’t mean anything to you, but to a HUMINT collector, it could tell a bigger picture, a bigger story.
So CDI, Covered Defense Information, or CTI, Controlled Technical Information, are things that vendors to the government need to protect. Well, this company had CDI and blueprints, floor plans, of the ships that they were working on and that they had the sensitive data. So they handled it, but they weren’t protecting the data. So long story short, they ended up being compromised by the Chinese and today they’re no longer in business. So that’s one of the reasons I’m very passionate around educating specifically, small businesses about the threats and the data that they hold specifically if they’re a vendor to our government or even if they are a vendor to a major US business because there are businesses in the United States that are considered very important because of the intellectual property or the technology that they’re developing. That’s one recommendation.
Another one would be I think along the same lines is making sure that you have badged entry, that you don’t let people tailgate into your offices. Don’t let clients walk through sensitive areas. I’ve seen and know a few furniture design companies in the area and in West Michigan here and I’ve seen them clearly walk clients through areas in which there’s sensitive data that maybe to them doesn’t seem important or isn’t necessarily classified as CDI, but when you put all those nuggets together, little pieces of information, it actually tells a bigger picture. That data could be collected from a HUMINT collector via technical exploitation. And then I recommend that companies make sure they have ongoing background investigations on their employees because one method that HUMINT collectors actually use to attack civilians is to deploy someone called a NOC, which is a non-official cover. In fact, I think I actually referenced this in my article in which there was a report out there from CNN that reported there’s 100,000 agents approximately living in the United States collecting information covertly.
These NOCs actually embed themselves within our businesses pretending to work in various roles. It really just depends on who they go after and if they’ve identified that company as a source of information for themselves. So what’s crazy is that these people, they have no ties to their intelligence service that they’re supporting, and so not a lot of ways to detect them except for maybe building that culture of security and making sure that you’re having continuous background checks on your people. And I think the last and the most important recommendation I would have is to educate your people because people are actually the weakest link and various HUMINT tactics can be used on people online and in person. So really creating that culture of security.
Wes O’Donnell: Yeah, I’ve heard that statistic before and I don’t know how recent it is, but something like one in every 100 people that you bump into on the street is a foreign agent trying to collect information from businesses and government organizations.
Angela Hill: I believe it.
Wes O’Donnell: You mentioned China and a lot of small- and medium-sized businesses are increasingly going overseas and doing business internationally. That’s just the nature of a shrinking globe. So what can the leaders and organizations do to protect their data when they’re traveling overseas?
Angela Hill: There’s actually a few resources out there that I think Americans could use while traveling overseas. State Department has a threat level advisory board in which they actually give travel alerts and advise Americans going to certain countries what the threat level is. So like are we friendly with them? Are there things that they should know that’s happening in that country? And then the other one is the Director of National Intelligence, DNI, they actually have a document out there on their website called Traveling Overseas with Mobile Phones, Laptops, PDAs and Other Electronic Devices. They actually give a lot of great tips on what you should do before, after and even when you come back. So it’s just a really good resource to read through that document to tell you about what you should do and what you shouldn’t do while traveling with digital media.
I actually have an example of my own instance when I traveled overseas. I wasn’t allowed to bring digital media to any country that was considered a threat to the US because we knew that there was that technical and HUMINT exploitation that was happening. I actually have a, not a colleague, but someone that I know here, and he was telling me this story about how his son was going to school in St. Petersburg, and he had gone there and signed in and used their Wi-Fi and everything, and I cringed when I heard that because I know, based on my background, that countries that are not friendly are definitely collecting information on you. So it shouldn’t be a surprise to you if intellectual property is compromised if you’re not protecting your technical devices and digital media while traveling to these countries. So I would advise that any business leader takes the time to look at those resources to make sure that they are protecting themselves while traveling with digital media.
Wes O’Donnell: Yeah, and that goes into the culture. We always talk about company culture and how that impacts employee happiness, but there’s another culture that I think a lot of companies don’t really pay much attention to or if they do, they don’t announce it, and that is that culture of security. So can you talk about the importance of creating the team who’s prepared to face attacks like these?
Angela Hill: Yeah, I think the most important thing to remember is that we’ve been at this information wars for a while now, and especially since the onset of the internet, we really need to be prepared and make sure that we have all of our resources available. So to build that team, I think first and foremost, making sure that you understand as a business, what your critical assets are and where your data resides. Who has access to it? And then make sure that those people that have access to it have a need to know and don’t let those that don’t. So build your incident response team so that you’re ready for that attack. So first, identify a leader who’s going to take over when that attack happens because the likelihood that it’ll happen is very high. Do you have a data forensics team or a third party in mind that you could reach out to in the event of some type of incident?
Have you selected an IT provider or do you manage your IT environment? Do you have their contact information available? The other people that you’ll need in place are making sure that you have legal, public relations and some type of Chief Privacy Officer available to help you understand how to disseminate the information, what your legal obligations are or compliance issues could be. And then I think businesses definitely need to make sure they invest in cyber insurance. And it’s great to have all of this plan in place and a digital reference somewhere, but make sure you print this plan off so your incident response plan, have that playbook printed off because if you’ve been compromised from a cyber incident, you’re not going to have access to that digitally. So have that form somewhere that you can access it at any time.
Leischen Stelter: Those are all really great recommendations and I think something else that you had mentioned earlier is just how important it is to train employees because like you said, they can really be the weak link in your security protocol. So Angela, is there anything else that you wanted to talk about, whether it’s human intelligence collection or anything else related to security?
Angela Hill: Yeah, I just really want to emphasize the importance of the human aspect and the fact that you might not think what you have is very important, but when you really look at the data you hold and the relationships you engage with, think of yourself as an avenue of access. We’re all separated by a few degrees, and that’s how these HUMINT collectors are thinking. You might not be my end target, somebody else might be down the chain. But you have the least secure environment and the access for me to get to my end target at the end of the day. So really to think about your data, the relationships you hold from that perspective that you are that last piece of the puzzle when you’re trying to build that big picture and to maybe just think of that from that perspective instead of just being only cyber focused and electronically focused. Think about all the different aspects in which you could be engaged as a target.
Leischen Stelter: And one last question I just wanted to ask was if you think that you’re a target, do you have any recommendations on what someone should do or how they should report that?
Angela Hill: Yeah, I guess it depends. Like if you’re being targeted on a platform online, like LinkedIn for instance, you can report that activity as, I think, suspicious or alert them. The other one would be to find a local authority so that work with the FBI. I think they would be your first step as far as notifying the FBI that you think that you might be a target of cybercrime or HUMINT activity.
Leischen Stelter: And I think that’s really important because as you said, you might be just a small piece in this puzzle, but you might also be the piece to solve the puzzle to really identify the network that’s targeting whomever or whatever industry. So this has all been just really great information. I think business leaders can really learn a lot from all the recommendations that you gave us today and I just want to take a minute and thank you so much for joining us and for sharing this information. It was really informative and just critical for today’s business leaders.
Angela Hill: Thank you. And I’d like to thank you both for giving me this platform to educate and to also thank my company, NuWave Technology Partners, for giving me the opportunity to help the public sector by securing their technology environments. I’m very passionate around helping small- and medium-sized businesses because I think they’re a big target today for criminals and nation-states.
Leischen Stelter: And Wes, thank you too for co-hosting this episode of In Public Safety Matters.
Wes O’Donnell: Yeah, Leischen, thank you very much and Angela, it was a pleasure.
Angela Hill: Thank you.
Leischen Stelter: And thanks to our listeners for joining us today. You can download a copy of the magazine, Preventing a Cyberattack: A Guide to Cyber Readiness, and read Angela’s full article to get more information on this topic. Thanks again. Be well and stay safe.