https://www.protocol.com/fbi-delta-protocol-economic-espionage

a-suspicious-login-screen.png

When FBI special agent Nick Shenkin starts talking about spies in Silicon Valley, he's not describing a James Bond movie or even what people have seen on "The Americans." Instead, what he's there to warn the tech sector about is less dramatic but perhaps more insidious: the insider threat of economic espionage and intellectual property theft.

It's not the Hollywood image of espionage. But the risk to tech companies is real, the FBI says: Employees are being persuaded, or more typically, coerced by foreign autocracies into stealing information or handing over login credentials. In one case Shenkin worked on, Chinese government agents threatened to deny an employee's mother dialysis back in China if he didn't steal proprietary information from a large hardware/software company.

"This is a quotidian activity," Shenkin told Protocol in an interview. "This is a massive fundamental activity that bolsters and is one of the mainstays of many autocratic countries and their governments."

For the last few years, San Francisco-based Shenkin has been quietly briefing venture firms, startups, academics and tech industry groups that might be of interest to foreign actors. It's not the glamorous spy stings that form movie plots, but a subtle way of fighting espionage through education. After Protocol heard about the briefings from multiple sources, the FBI agreed to an interview about the content of the briefings and shared its framework, called the "Delta Protocol" (no relation to COVID-19 or this publication), which the agency developed to distribute to startups so they can learn to protect themselves.

"The reason why we're being so much more assertive about these briefings and trying to be more open with U.S. industry is because we've just come to the realization that if there is no cost, then they will continue to do what they're doing," Shenkin said. "So the briefings are like, 'Please American companies, raise your shields, protect yourselves, make it more expensive for the thieves to rob you, and the country is stronger, and you're stronger.'"

It's not your HR department's job to catch a spy

Five years ago when Shenkin started approaching companies, he was trying to convince them the threat wasn't just hypothetical. But hackings by foreign actors now routinely make headlines, and there's been a spate of indictments of individuals, from ex-Apple engineers to researchers, who were accused of smuggling information.

In 2018, the Department of Justice formally launched the China Initiative, and FBI Director Christopher Wray called China's economic espionage and counterintelligence "the greatest long-term threat to our nation's information and intellectual property, and to our economic vitality" in a 2020 speech. (Government estimates of losses from Chinese intellectual property theft run in the hundreds of billions of dollars a year, though some critics say those numbers are inflated.)

"Now you go to these companies and nobody needs to be convinced. Everybody knows that this is a threat, and the big issue becomes how do we defend against it," Shenkin said.

No one expects HR departments to screen out spies when hiring employees — nor is that even the way companies should be thinking about it, Shenkin said. Instead, he's trying to coach tech companies on how to identify vulnerabilities that a person could have and then find ways to protect the individual and the company from those vulnerabilities being taken advantage of by an autocratic government — namely, China and Russia.

There are four main vulnerabilities covered in the briefings: someone being a citizen of an autocracy, doing business with one, having assets in the country or having family members or employees living or working in the autocracy. But it's the family vulnerability in particular that Shenkin says he sees "exploited over and over and over again".

"A lot of what the briefings cover is the idea that this is not about the ethnicity of the individual. This is about: What is any individual's or entity's vulnerability to the jurisdiction of an autocracy? Because what we see overwhelmingly is people who end up stealing intellectual property, very often, they have no desire to be stealing intellectual property," Shenkin said.

While the government used to obsess about state-owned enterprises (or ones that are closely associated, like Huawei), Shenkin said it's shifted focus to what it calls the hybrid threat: autocracies essentially sinking their hooks into people and "forcing them to act as if they are an arm of that government, whether they want to or not."

The general ignorance of the threat — and the lack of incentives for companies to report suspicions — has meant Silicon Valley, in particular, has emerged as a "den of spies," according to POLITICO.

There have been a handful of high-profile cases to reach the level of indictments. The government charged two different Apple engineers in 2018 and early 2019 for allegedly stealing trade secret information about its self-driving car. The most famous case the FBI and experts draw from is the case of Walter Liew, who was found guilty of stealing information about the color white from DuPont. The Center for Strategic & International Studies maintains a list of more than 100 allegedly China-linked IP theft acts since 2000.

The challenge is that these cases are the prosecutable tip of what Shenkin believes is a much larger iceberg when it comes to theft of sensitive information.

To help identify some of the areas that it should be focusing on, the FBI has turned to the venture capital community. It's not that the FBI thinks Sand Hill Road is "housing intelligence officers from foreign countries," Shenkin said. Instead, it's interested in the firms as "knowledge nodes" that can help the FBI understand where the real valuable technological innovations are. The agency is also hoping to learn which companies in an investor's portfolio could most use a briefing to help protect their investments from IP theft.