How Foreign Intelligence Services Compromise, Exploit U.S. Technology

DCSA organized this report by targeting region, then considered the targeted technology, methods of operation (MO) employed, methods of contact (MC) used, and collector affiliation. DCSA ranked the regions based on the number of suspicious contacts received in FY21 from cleared industry: East Asia and the Pacific, Near East, Europe and Eurasia, South and Central Asia, Western Hemisphere, and Africa. Additionally, when a targeting attempt against a technology was confirmed, the targeted technology was placed into one of the Industrial Base Technology List (IBTL) categories (see the report’s “Category Descriptions” section). Additional reporting from cleared industry on foreign intelligence threats has and will continue to improve the accuracy of the analysis and threat levels addressed in DCSA annual assessments.

Here are the report’s Executive Summary and Key Findings:

Executive Summary
This report reflects foreign collection attempts to obtain unauthorized access to sensitive or classified information and technology resident in the U.S. cleared industrial base. In FY21, DCSA received nearly 24,000 reports of suspicious contacts from cleared facilities operating as part of the National Industrial Security Program (NISP). Of these, DCSA reviewed and identified thousands of incidents of counterintelligence concern that likely involved a foreign entity attempting to illicitly obtain classified information or technology resident in cleared industry, or an attempt to compromise a cleared employee.

The large scope and diversity of collection efforts targeting U.S. technologies meant that foreign entities simultaneously directed considerable efforts at many technologies using variations of methods and collectors. In FY21, electronics; software; and command, control, communications, and computers (C4) made up the top three targeted technologies. These three technologies accounted for 40 percent of all reporting for FY21. Aeronautic systems and armament and survivability finished out the top five targeted technologies. The remaining reported collection efforts targeted a variety of technologies covering the remaining 24 IBTL categories.

In FY21, East Asia and the Pacific and Near East entities remained the most significant collectors of sensitive or classified U.S. technology and information, collectively accounting for 61 percent of overall reporting. DCSA attributed nearly 31 percent of suspicious contacts to collectors from Europe and Eurasia, as well as South and Central Asia. Collectors from the Western Hemisphere and Africa, collectively accounted for just 7 percent of reported suspicious contacts.

In FY21, résumé submission was the top MO, accounting for a third of overall reported attempts, more than doubling the next closest MO—exploitation of experts. Near East entities accounted for 35 percent of résumé submission incidents, with students seeking to conduct postgraduate level research at U.S academic centers involved in sensitive or classified research. East Asia and the Pacific entities represented 26 percent of overall résumé submission, despite primarily relying on exploitation of supply chain when targeting cleared industry. The most pervasive MOs used by entities from Africa were résumé submission and request for information (RFI)/solicitation. Each of these two MOs represented 82 percent of the incidents DCSA attributed to this region. Western Hemisphere collectors relied heavily on exploitation of cyber operations, followed by exploitation of insider access and exploitation of experts.

In FY21, individual was the top collector affiliation, collectively accounting for nearly half of overall reported attempts, primarily due to résumé submission. DCSA attributed nearly 27 percent of suspicious contacts to individual collectors from the Near East, as well as South and Central Asia, seeking advanced degrees and employment opportunities at CCs. Reporting indicated that commercial entities from East Asia and the Pacific, constituted 62 percent of the overall reported attempts. On several occasions, commercial collectors offered manufacturing services and requested to serve as overseas distributors for CC products in regional markets.

Key Findings
DCSA based the following key findings on analysis of FY21 cleared industry reporting:

East Asia and the Pacific

• Entities from this region were the most prolific collectors of classified information and technology resident in the cleared industrial base, accounting for 38 percent of all reports.

• Nearly every IBTL category was targeted with an emphasis on electronics, software, and C4.

• Commercial and individual entities were among the top collectors.

Near East

• The most targeted technologies were C4 and electronics, followed by aeronautic systems.

• Consistent with the previous 2 years, résumé-academic was the most common MC.

• Individual entities continued to be the most prevalent, accounting for 67 percent of collection affiliation.

Europe and Eurasia

• The top three targeted technologies—aeronautic systems, software, and electronics—made up a third of all reporting.

• Individual entities were the most prominent collectors, accounting for 37 percent.

• Entities most commonly used RFI/solicitation via email.

South and Central Asia

• The top technologies targeted included C4, software, and electronics, accounting for 50 percent of total reporting from this region.

• These entities relied heavily on résumé submissions for both academic and professional placement to gain employment and research positions at cleared facilities or institutions associated with classified research.

• Individual entities were the most common collectors in FY21, accounting for 80 percent.

Western Hemisphere

• Entities from this region targeted a wide variety of technologies, including aeronautic systems, electronics, and software, accounting for 42 percent of total reporting.

• Individual entities were the most commonly reported collector affiliation.

• Entities from this region relied heavily on exploitation of cyber operations and exploitation of insider access when targeting technologies. Collectively, these MOs accounted for 36 percent.

Africa

• The region accounted for 2 percent of all reports

• The most common MOs were résumé submission and RFI/solicitation.

• The most targeted technologies were software and C4.