Secure Innovation –
Scenarios and Mitigations (PDF)

Safeguarding Our Future

These bulletins provide an overview of a specific foreign intelligence threat and mitigation steps.

The U.S. emerging technology ecosystem is an attractive target for state actors looking to steal technology, competitors seeking commercial advantage, and criminals looking to profit. Emerging technology companies of all sizes – particularly those with weak security – are targeted by actors seeking to steal technology to fast-track their technological capability, to undermine your competitive edge, to repress their own people to prevent dissent or political opposition, or to increase their military advantage over other countries. There are many ways hostile actors can target assets:

• Insiders – People are your greatest asset but, in some cases, they can pose an insider risk
• Cyber – Insecure IT can provide an easy way for your business to be exploited
• Physical – Your assets could be stolen via physical access
• International Travel – Hostile actors can operate more easily overseas than in the U.S.
• Investment – Investment can be used to gain access to, and influence over, your company
• Overseas Jurisdictions – International expansion can expose you to risk from foreign laws and business practices
• Supply Chain – Vulnerable or malicious suppliers could compromise your business

Identifying those assets most critical to your company's success is an ideal starting point for your security planning. Completing a risk assessment will help you identify vulnerabilities and the potential impact of exploitation of those assets. Consider establishing a process to monitor evolving counterintelligence and security threats and implementing the following mitigations to help reduce risk to a level you find acceptable.

Safeguarding Science

An outreach initiative for protecting research and innovation in emerging technologies.

• Establish a security strategy for your business based on your critical assets, the risks they face, and the risks you are willing to tolerate.
• Regularly review security policies and procedures, so they evolve with the threats to the business.
• Establish security responsibilities with any new employees, contractors, or suppliers.

Build in security measures to protect your critical assets from the start.

• Place barriers around the assets you prioritized for protection. These could be physical barriers, such as an access-controlled room, or virtual barriers such as a firewall.
• Limit access to these assets to only those employees who need it and are trusted to use it securely.
• Implement measures to detect unauthorized activity. Early identification of unauthorized or unusual access to an asset will help avoid or limit a security incident.

Intellectual Asset (IA) and Intellectual Property (IP) management strategies are essential for any business, and are an integral part of your business plans. Understanding the assets you have and what you want to do with them will help determine what actions are required. Know:

• What you need to protect
• How you need to protect it
• The laws of the countries in which you are operating

Legal protections for your IA and IP do not mean they are completely secure. Continuously track and review who has access to your most sensitive information and how you ensure it remains secure. Ensure staff take an active role in IA and IP management. Consider adding IP clauses to employee contracts to help manage the risk to your IA and IP from current and former employees. The best security decisions are taken holistically and consider personnel, information, physical, and cyber risks together.

Secure Innovation –
Due Dilligence Guidance (PDF)

Partnerships are often essential to the success of a business, but they may also increase a company's information and data exposure. Know the "Three W's"

1. Why are you collaborating? Clearly articulate the desired outcomes, as well as the benefits and risks associated with the partnership.
2. Who are you working with? Conduct due diligence on prospective partners:
   • Do they have organizational structures or relationships that could compromise their independence or integrity?
   • Do they have links to foreign militaries, police, or security services?
   • Do you know the source of funds for any proposed transaction, whether direct or indirect?
   • Do they operate under a legal regime that could compel them to share your data or cooperate with their host government?
     • Is there publicly available information that raises concerns about their intentions or values?
     • Are they subject to U.S. sanctions, export controls, or similar designations in countries where you may consider doing business in the future?
     • Is there information that suggests a lack of transparency from the partner?
     • Could the partnership affect future investors, your global business, and long-term intentions?
     • Does their approach to managing data, security breaches, or incidents align with your own?
3. What are you sharing? Help manage the risks associated with business collaborations by:
   • Determining early what data is appropriate to share and implementing measures to limit access to just that data.
   • Designing your architecture so your more sensitive systems are independent from those accessible to the wider organization and external parties.
   • Taking steps to ensure that third parties are handling sensitive data appropriately and securely.
   • Considering how you will regain your data and IP at the end of the collaboration, or if the partner reneges on a deal.

When working with international partners, consider the implications of local laws and regulations in foreign countries. Some legal regimes could compel overseas partners to release data or cooperate with state organizations.

1. How are you protecting your innovation? Consider including protections for your assets and data and security requirements within contracts. Check that these requirements are understood and adhered to. Non-disclosure agreements (NDAs) and confidentiality agreements can allow you to put additional legal protections in place, usually for a defined length of time. An NDA can help restrict the use of your ideas and information to a specific permitted purpose. Nevertheless, NDAs do not replace good protective security measures. They can be a useful deterrent and fallback after an incident has occurred, but are unlikely to prevent intentionally hostile actors.
2. Is this a secure investment? Investments into your company introduce both opportunities and risks. You may be able to benefit from your investors' experience to improve your business and security practices. However, investment can be used to gain access to, and influence over, your company. Early assessments of prospective investments to determine whether they raise security concerns will allow you to be better informed about possible outcomes and may also help you have a stronger negotiating position. Taking a security-minded approach from the start will enable you to make well-informed investment decisions. Consider the following steps:
   • Conduct due diligence on prospective investors
   • Be strategic when considering how much data or proprietary information you share with potential investors, both before and after any investment – what could you lose if an investor backs out of the deal?
   • Reflect on the following questions and implement appropriate mitigations before in-depth engagement with prospective investors:
     • Have you included provisions in your legal investment documentation to protect key operations, information, and data?
     • Have you considered how effective a legal or contractual agreement would be if you were relying on enforcement in an overseas jurisdiction?
     • Have you implemented a governance and reporting structure that ensures the risk management strategy remains effective over time?

   Additional information on investment security (PDF)

   
3. 

   Supply Chain Risk Management

   NCSC works to raise awareness about supply chain threats, while providing resources to mitigate risks.

   Is there a supply chain risk? Your supply chain could expose you to potentially damaging security threats. Supply chain attacks can compromise entire organizations and pose a potentially terminal risk to businesses. Carefully consider your decision to outsource, when it may provide another organization with access to your critical assets. Consider how to reduce unnecessarily sharing sensitive data or access to sensitive systems. Assess the impact on your business if your supplier is compromised. Use this assessment to determine appropriate security measures to include within the contract.
   • Conduct independent due diligence on suppliers and seek security assurances from them. Consider building diversity and resilience into your supply chain if you are reliant on one supplier. Security clauses in contracts can help hold suppliers accountable for their security responsibilities. As your company grows, you may be able to take more control of your supply chain security by demanding greater security assurances from your suppliers.
   • Include security as part of your service. It could give your business a competitive edge. Depending on your sector or customer, there may be a requirement to meet further standards. If this is the case, make sure you understand why a particular standard is needed, and how you can meet future requirements.

Secure Innovation –
Travel Security Guidance (PDF)

Expand safely into new markets.

• As you grow, there may be more need for employees to travel internationally. Consider whether planned travel is likely to introduce additional risks and build in appropriate steps to mitigate them.
• When expanding into new markets, you will need to be aware of U.S. export controls. Certain products, software, or technology (including the intangible transfer of critical, technical knowledge) are ‘controlled' and therefore may require an export license. It is the exporter's responsibility to check whether items require an export license.
• Understand the local laws in the countries where you plan to operate. Different countries have different export control laws, as well as laws regarding the handling and storage of IP and data. National security laws in foreign countries may allow that country's government to access data or information stored in, or transmitted via, that country. Understanding local laws will help ensure you are legally compliant and that you better understand the additional security risks involved in expansion into new markets.
• Many IP rights are territorial and only give protection in the countries in which they were granted or registered. IP legal frameworks can also differ by country. If you are considering trading internationally, familiarize yourself with the IP framework and enforcement processes in that market. Register your IP rights in advance of entering the market and ensure you are resourced to defend those rights, if required.
• National security laws in foreign countries may allow that country's government to access data stored in, or transmitted via, that country.

  Additional information on PRC laws (PDF)

  
  • China's National Intelligence Law allows China's intelligence agencies to compel individuals and organizations to support and cooperate with state intelligence work. Intelligence work could capture any information to protect China's national interests, be that military, political, economic, social, technological, cultural interests. The law does not allow individuals or organizations to refuse to provide access, information, or support if requested.
  • Russia has an extensive lawful intercept capability, known as the System of Operative Search Measures (SORM). SORM allows Russia's Federal Security Service (FSB), to covertly monitor communications to, within, and out of Russia. The FSB can also compel individuals and organizations to share data stored in Russia with the Russian government and can prevent the data holder from informing the data owner about the disclosure. All communication service providers operating in Russia are obliged to install equipment to enable the FSB to monitor communications.
• Understand U.S. laws and regulations regarding data protection and transfers abroad, as well as data laws in the countries in which you are operating.
• As your company grows, you may no longer be able to rely primarily on personal relationships to ensure trust. It is vital that you can trust your workforce to protect your assets and information, and to deter, detect, and report potential security incidents. As you recruit more employees, it is important that you screen potential candidates who wish to be part of your business and access your critical assets. Security checks could include:
  • Confirmation of identity
  • Nationality and immigration status
  • Employment and education history
  • Criminal records check
  • Financial records check
  • Personal references
  • Open-source environment
  • National security vetting (for access to government classified information)
• Foster a culture in which employees are confident they can speak openly about security concerns; that the organization will likely improve as a result; and that any actions will be reviewed fairly. It should be easy and routine for employees to report concerns. Handling those concerns should be done sensitively and without apportioning blame. Keeping those involved informed of both the progress and benefits of any resulting actions will help reinforce confidence in reporting.
• Consider providing security training for all employees (permanent, temporary, or contracted) to maintain your security culture. Effective education and training help individuals understand the policies, standards, and procedures in place to maintain security. Individuals should also understand the threats facing your business; their security responsibilities; and how to report security concerns.
  Security education and training should start at the time of hiring and continue as employees move internally between jobs. Leaders should set an example and reinforce good security practices. Tailored education and training should be provided for job roles with specific security responsibilities: security managers across business areas, security officers and guards, line managers, IT professionals and developers, etc.
• Consider providing additional support to high-risk roles. Role-based security risk assessments help keep your security measures proportionate and effective. Assessments of risks to your business and critical assets should provide you with a foundation for determining which roles have a higher risk exposure and require more comprehensive security training and support.
• Prepare for incidents by creating an incident management plan that contains:
  • Contact details for anyone you would need to contact to help you identify an incident. These may include a web hosting provider, IT support services or insurance company.
  • Clearly defined responsibilities and an escalation criteria and process for critical decisions. This should ideally include contact details and contingencies in case a key member of staff is unavailable.
  • A coordination function to track and document findings and actions. A good record of the incident is useful for post-incident reviews and determining where it is necessary to report the incident.
  • Use lessons learned from post-incident reviews to update your response plan and security practices.
• Monitor your IT to spot anomalies, which may reveal security incidents. Monitoring user activity, in accordance with privacy and civil liberty laws, can help identify any unauthorized or accidental misuse of systems or data by users. As elsewhere, understanding the risks you are most concerned about will enable you to focus your monitoring to collect information relevant to your needs.
• Recognize potential risk indicators of an insider who feels disgruntled and potentially motivated to harm the organization. A response designed to help the employee overcome challenges or concerning behavior can improve the employee's relationship with the company, thereby reducing risk to your organization. Potential indicators may include:

  National Insider Threat Task Force

  
  • Changes in work patterns
  • Conflicts at work
  • Decline in performance
  • Drug or alcohol abuse
  • Aggressive behavior
  • Mishandling sensitive data
  • Debt
  • Unexplained wealth