One of the easiest ways to determine what data is at risk is to know the strategic imperatives of those countries that engage in “technology transfer” and industrial espionage. Russian president Vladimir Putin has made it clear that he’s a supporter of espionage as a tool to be used in Russian technology development. A recent article in RIA Novosti discussed Putin’s call for long-range bombers and Unmanned Aerial Systems (UAS). Russia plans to spend US$13B on UAS development over the next eight years. Part of that technology development strategy is almost certainly going to be acquiring intellectual property on related technology from foreign firms.

Two good examples of companies at risk are Boeing and General Atomics. Boeing, which has a defense, space and security division alongside its civil aircraft division, has 170,000 employees in over 70 countries, including Russia. General Atomics, which makes the Predator drone, has an affiliate office in Moscow. In fact, GA was recently praised by Russian military analyst Konstantin Makiyenko.

Any foreign business operating inside Russia that holds technology vital to Russia’s national security interest will be contacted by the Russian Security Service (FSB). Under article 15 of the FSB law, those companies are obliged to provide assistance to the Federal Security Service in carrying out their assigned duties, which could include a wide range of possibilities, including the examination of source code. All communications emanating from those companies, including landline, VoIP, mobile, and satellite, will certainly be harvested electronically and entirely legally by the FSB.

While I’m using Russia and these two U.S. companies that do business there as examples, this same problem exists in many other nations which have active industrial espionage operations. It is a major part of a company’s threat landscape and one that is frequently ignored because (a) it doesn’t involve a spear phishing email or a piece of malware and therefore doesn’t fit the business model of most cyber security companies and (b) defending against it requires a specialized skill set.

Jeffrey Carr