Potential CI Risk Indicators

Potential CI Risk Indicators

Potential counterintelligence (CI) risk indicators are observable behaviors, conditions, or circumstances that are useful in assessing the risk that an individual may become, or may already be, involved in espionage or terrorism. This list and categorization of counterintelligence risk indicators is prepared for two purposes: (1) to assist training of personnel security investigators and adjudicators in the recognition of risk indicators and the assessment of counterintelligence risk, and (2) to assist in developing guidance for what actions should be taken when potential counterintelligence risk indicators are recognized or discovered at various stages of the personnel security process.

The personnel security investigation and subsequent adjudication provide an opportunity to identify and evaluate these indicators. As described here, there are three broad categories of potential CI risk indicators with multiple subcategories. 1

• Potential Indicators that the Subject May Be or Become a Target for Recruitment
  o Circumstances Beyond the Subject's Control
  o Behaviors that May Attract Foreign Intelligence Attention
  o Indicators of Already Being a Target
• Potential Indicators of Susceptibility to Espionage or Terrorist Activity
  o Indicators of Conflicting Interests
  o Indicators of Vulnerability to Pressure or Duress
  o Indicators of Competing Identities
  o Indicators of Personal Weaknesses
• Potential Indicators of Espionage, Terrorism, or Subversive Activity
  o Indicators of Recruitment
  o Indicators of Information Collection
  o Indicators of Information Transmittal
  o Indicators of Illegal Income
  o Indicators of Terrorist Activity
  o Indicators of Support for Terrorism
  o Other Behavioral Indicators

These are called “potential” indicators because no single indicator constitutes evidence of terrorism, espionage, or any other unauthorized use of classified or other protected information. Most counterintelligence risk indicators are what might be called “soft” indicators. That is, each indicator only tells us that something may happen or may already be happening, not that it will happen or actually is happening. Each specific behavior may have several possible explanations, and each particular condition or circumstance may have several possible outcomes. Therefore, most single indicators have limited significance. However, they alert the investigator or adjudicator that further inquiry may be appropriate to clarify the situation and determine if other indicators are also present.

The significance of any single indicator is greatly influenced by the presence of certain other indicators, and various combinations of indicators may form a pattern that is a valid basis for doubt or suspicion. Two types of interaction between risk indicators are especially important.

• An indicator that an individual may be a target for recruitment is far more significant if there is also some indication of susceptibility to recruitment, and either one or both of these enhance the significance of any indicator that this same individual may already be engaged in espionage or terrorism
• If an individual has family, friends, or professional associates in a foreign country, the significance of these foreign contacts is increased if there is also some indication of susceptibility to recruitment, and especially if there is any indicator that this individual may already be engaged in some improper activity.

The modus operandi for the recruitment of spies and the conduct of espionage often follows well-established patterns. These often make it possible for a counterintelligence specialist to recognize scenarios, or combinations of indicators, associated with foreign intelligence activity.

Use of CI Risk Indicators
For Personnel Security Decisions

Evaluation of the possibility that an applicant for security clearance or a current clearance holder is now a foreign agent, or is at risk of later becoming a foreign agent, is a principal underlying purpose of the personnel security process. However, this is a difficult evaluation to make, and two significant problems arise when seeking to perform this function in the most efficient and effective manner.

• First, there are practical limits on the number of questions that can be asked during a standard personnel security subject interview, but an almost unlimited number of questions that might be relevant under various combinations of circumstances.
• Second, there are practical limits to the amount of counterintelligence knowledge and expertise that can be expected from the average personnel security investigator or adjudicator.

In order to deploy limited personnel security resources in the most effective manner, it would be helpful to have a system of triage to guide an optimal, risk-based allocation of resources to various types of cases. The comprehensive list of counterintelligence risk indicators in this report, broken down into analytically useful categories, may facilitate the development of such a system.

Decision points where counterintelligence indicators should play a role include the following:

• Review of the SF-86 to determine if a subject interview should be conducted in a NACLC investigation, whether an interim clearance should be granted, or if an investigator with counterintelligence training and experience should be assigned from the beginning to conduct expanded questioning.
• Review of the completed investigation to determine if a special interview should be conducted to cover Foreign Influence or counterintelligence issues, or if the case should be referred for counterintelligence review.
• Determine if further investigative action such as polygraph examination, check of bank or other financial records, or check of computer logs is appropriate.

Which action may be most appropriate in any given case depends upon the specific combination of indicators that are present. There is no national investigative standard that specifies what action is appropriate under which circumstances, and the Adjudicative Guidelines for Determining Eligibility for Access to Classified Information address counterintelligence issues only indirectly.

Potential Indicators of Being
Or Becoming a Target for Recruitment

There are three types of indicators that an individual may become or is already a target for recruitment by a foreign intelligence collector. The first includes circumstances over which the individual has no control, but which make them an attractive target. The second is specific behaviors by the individual that may attract the attention of an intelligence collector and lead to the individual becoming a target. The third is circumstances that may indicate the individual already is a target.

A substantial percentage of cleared personnel are vulnerable to becoming a recruitment target through no fault of their own simply because of the nature of the information to which they have access, where they are stationed or travel, or their ethnic or cultural background. It is emphasized that being a recruitment target does not reflect poorly on the individual. It is very different from saying that an individual is susceptible to recruitment. However, just being a target for recruitment is a risk factor, because it increases the likelihood that any susceptibility to recruitment that does exist will be discovered by a foreign intelligence collector.

Circumstances Beyond the Subject's Control

One of the most important risk factors is the country in which the subject maintains contacts or where an individual is assigned or resides. Almost 100 countries were involved in legal and illegal efforts to collect intelligence in the United States during 2004, but the bulk of the activity originates in a relatively small number of key countries.2  These key countries include friends and allies as well as strategic competitors that conduct a systematic program of espionage against the United States for one or more of the following reasons:

• The country competes with the United States for global or regional political and economic influence.
• The country feels threatened by a hostile neighbor and seeks to develop or obtain the most advanced military technology. It may also seek information on U.S. policy toward itself and the hostile neighbor, intelligence information the U.S. has on the hostile neighbor, and to influence U.S. policy toward itself and the hostile neighbor.
• The country has a developing economy and sees its economic future as being dependent upon the rapid acquisition and development of new technologies by every possible means, both legal or illegal.
• The country competes with U.S. companies in the global marketplace for the sale of advanced technologies or military weaponry.

Foreign intelligence collectors find it easier to contact, build rapport with, assess, and manipulate individuals with whom they share some common interest – including a shared national, ethnic, or religious background. Also, it is much easier for foreign intelligence collectors or terrorist groups to contact, assess, and recruit Americans when the American is in the intelligence collector’s home country. Therefore, the following circumstances increase the likelihood that an individual will become a target.

• Relatives, friends, or business or professional associates in a foreign country that is known to target United States citizens to obtain protected information and/or is associated with a risk of terrorism.
• Foreign relatives, friends, or business or professional associates who are aware that the subject has a security clearance for access to classified information.
• Foreign relatives, friends, or business or professional associates who have jobs or other activities that would make them very interested in the classified or other sensitive information to which the subject can gain access.
• Travel to or assignment in a foreign country that is known to target U.S. citizens to obtain protected information and/or is associated with a risk of terrorism.
• Employed in science or technology research and development with close or frequent contacts in the same field in a foreign country.
• Attendance at international conferences or trade shows. Many of these events, especially those dealing with science or technology, attract many intelligence collectors.
• Evidence that a foreign intelligence collector is targeting the specific technology to which the subject has access.
• Access to very sensitive information that is highly sought after. (Note: It is easy to overemphasize the extent to which the value of information available to an individual determines the chances of that individual being targeted. Foreign intelligence operatives are under pressure to recruit agents just as salesmen are under pressure to make sales. Their career advancement depends on it, but they also need to avoid getting caught. As a result, they often go after the easiest or most available target, rather than take the risk of going after the most valuable target. Support personnel such as secretaries, computer operators, and maintenance personnel can often provide access to very valuable information.)

Behaviors that Attract Foreign Attention

Some behaviors in a foreign country, or when interacting with foreign officials or other foreign nationals in the United States, are known to attract the interest of foreign intelligence collectors or terrorist groups. Again, the significance of most of these behaviors depends in part on the country involved. The significance is greater if the foreign country is known to target American citizens to obtain protected information and/or is associated with a risk of terrorism.

• Any action that draws the attention of a foreign security or intelligence service or terrorist group to an individual’s ties of affection or obligation to a citizen of that foreign country. This includes regular telephone or e-mail contact with, sending packages or money to, or visiting a foreign relative, friend, or business associate. The more frequent and extensive the contact and the stronger the apparent ties of affection or obligation, the greater the chances that the contact will come to the attention of and be exploited by a foreign security or intelligence service or terrorist group.
• While traveling abroad, engaging in any activity that is illegal in the foreign country involved or that would be personally embarrassing if the activity were exposed. In many countries the local security service monitors patronage of prostitutes, homosexual bars, and the drug scene. In some countries black market currency exchange, distribution of religious information, and export of certain antiquities are illegal.
• Behavior while abroad or in the United States that is observable by a foreign national, especially by a foreign government official, and that shows strong disagreement with U.S. policy, anger at one’s employer, or an exploitable weakness such as a serious financial problem, an alcohol or gambling problem, drug use, or compulsive sexual needs.
• Foreign relatives or friends are made aware of the individual’s access to classified or other protected information.

Indicators of Already Being a Target

It is not at all unusual for Americans traveling or living abroad to see signs of being cultivated, observed, or monitored by the local security or intelligence service. Indicators of being a target include the following:

• While traveling abroad, a foreign acquaintance seeks to elicit information about one’s work, access to information, organization, or personal life. A new acquaintance shows knowledge about one’s work or personal life that this individual would not be expected to know unless he or she had been briefed.
• A traveler observes indications of being followed, or that hotel room conversations, telephone conversations, or e-mail are being monitored.
• A traveler carrying sensitive government or business documents has his or her luggage or hotel room searched, papers or computer searched in the hotel room at night, or a briefcase or bag containing sensitive material is stolen.
• Unsolicited attention by a prostitute in the hotel where one is staying.
• Meeting a foreign national (often younger) who quickly becomes romantically infatuated with the (sometimes older) American.
• Request by a foreign national to provide unclassified information to help that person keep track of technology developments in the United States or keep up-to-date about U.S. policy.
• Travel to a foreign country that is paid for by someone other than family or employer, such as receiving an invitation to present a lecture or attend a conference in a foreign country at the expense of the host.
• An individual is contacted by a former coworker who has since been hired by a foreign controlled company.
• Receipt of an unsolicited e-mail request or “survey” from a foreign source requesting information about the individual’s organization or area of expertise.
• An individual who is not looking for a job is contacted by a “head hunter” or other person seeking to interview the individual about an unsolicited job offer. Questions about the individual’s job experience cannot be answered without divulging sensitive or proprietary information to what is essentially an unknown party.
• A foreign visitor to an organization attempts to meet and socialize with cleared personnel of the same ethnic or cultural background.
• A foreign national proposes that the individual work as a paid “consultant.”
• A foreign national hints that he or she may be able to help a relative or friend of the individual get a better apartment, job, or medical treatment.
• A foreign national hints that he or she may be able to help the individual financially – for example, finance research, pay for a child’s education, buy a new car, or pay family medical bills.
• A friend or acquaintance encourages the individual to live beyond his or her means, and then later offers to help the individual continue that lifestyle.
• A friend or acquaintance encourages the individual in their anger, resentment, or disgruntlement with their employer or opposition to U.S. Government policies, and then offers to help the individual get even with the employer or to oppose the objectionable policy.

Potential Indicators of Susceptibility
To Espionage or Terrorist Activity

Susceptibility to espionage or terrorism includes both the susceptibility to being recruited by a foreign interest and susceptibility to volunteering one’s services to the foreign interest. (Most recruits are volunteers.) Susceptibility to recruitment also includes both susceptibility to inducements to cooperate and vulnerability to pressure or coercion. As with all indicators, their significance depends in large part on the foreign country involved. It is greater if the country is known to target aggressively American citizens to obtain protected information and/or is associated with a risk of terrorism. The significance of all foreign contacts also depends upon the closeness of the tie, frequency of the contact, and the occupation and interests of the foreign contact.

Indicators of Conflicting Interests

• Any evidence of divided loyalty between the United States and another country or organization.
• Any evidence of an obligation to another country, such as any exercise of a right or privilege of foreign citizenship.
• Individual responds, when asked, that he or she feels an obligation to assist the economic development of the native country, or the military defense of the native country against a hostile neighbor.
• Individual responds, when asked, that he or she may have a problem protecting information that would be of value to the native country but which the U.S. Government is unwilling to share. (This is particularly significant if the individual may have access to such information, which includes much advanced technology and access to any of the large Intelligence Community networks that include intelligence reports on many different countries.)
• Individual responds, when asked, that family members or friends in the native country would be upset if they knew he or she is working on a Secret project for the U.S. Government or military. (This shows the kinds of people the subject associates with and that might influence the subject.)
• Repeated statements that raise questions about a person’s loyalty to the United States, such as statements of support for actions by a foreign group hostile to U.S. interests. (This does not include legitimate dissent or disagreement with U.S. Government policies.)
• Statements that a person puts the interests of a foreign country, organization, or group ahead of the interests of the United States. For example: the person says he or she may be unable to support the United States in the event of a conflict with a specified country.
• Friends or relatives in the native country hold jobs or are involved in activities that would cause them to be very interested in the classified or other protected information to which the subject has access.
• For an individual with foreign business contacts, the success of a business transaction, and perhaps the individual’s income or career, depends upon the good will of a foreign individual or entity.
• The individual considers his or her own classified research or development as his or her own personal property that may be shared with others.
• The individual is a scientist who believes that research findings should always be shared rather than protected.
• Any paid association with a foreign person or entity, especially if the association is unknown to one’s employer or is with an organization that competes with one’s employer.

Indicators of Vulnerability
to Pressure or Duress

Most spies volunteer their services or are willing recruits, but aggressive foreign intelligence and security services do use pressure and duress when it serves their purposes. There are two general circumstances when an individual is vulnerable to pressure or duress. One is when an individual engages in conduct that, if exposed, could cause the person to have severe problems with spouse, family, or employer or adversely affect the person's personal, professional, or community standing. The other is the presence of a relative or friend in the foreign country whose life might be either improved or made more difficult, depending upon whether or not the subject cooperates with the foreign intelligence or security service.

Even when an individual is vulnerable to pressure or duress, the foreign intelligence recruiter will usually try to avoid outright coercion whenever possible. Intelligence operatives understand human nature and know that a willing spy will be more effective and more trustworthy than one who is coerced to cooperate. A foreign intelligence or security service might first ask for cooperation and offer inducements rather than make threats. For example, it can make the life of the target’s relative or friend better as well as worse, and it is more likely to be successful with the carrot than the stick. If the recruitment target is already fearful of what will happen if he or she refuses, explicit threats may be unnecessary.

Vulnerability to pressure or duress is difficult to assess, as the vulnerability exists in the mind of the individual concerned. Different individuals may react quite differently to the same circumstance. Many individuals who want to obtain or retain a security clearance will automatically answer no if asked whether a certain circumstance makes them vulnerable to coercion, as they recognize this might lead to denial of access to classified information. Some do, however, admit their vulnerability.

Indicators of vulnerability to pressure or duress include the following:

• An individual has a strong fear of the security service and what it might do to relatives or friends.
• An individual is easily influenced or compliant, unwilling to say “no,” prefers to avoid conflict or confrontation.
• Relatives or a close friend or business contact in a foreign country may be helped if the individual agrees to provide information, but may be hurt if the individual refuses.
• Sexual behavior while living or traveling overseas that would cause severe embarrassment or other difficulties if it were exposed.
• For an immigrant to the United States, past receipt of any foreign government funding for the education in the United States or charitable assistance from a foreign organization in getting resettled in the United States. (Such assistance may create an obligation to the foreign country or organization.)
• Significant debt to a foreign government or foreign nationals, or foreign financial interests that could be affected by the foreign government.
• Any offense that is technically a crime in the foreign country, even if it is rarely prosecuted, such as currency exchange on the black market.
• Also see indicators listed above under Behaviors that Attract Foreign Attention and that might cause one to become an intelligence target.

Indicators of Competing Identities

Competing identities are defined as the dual self-identifications experienced by individuals who were raised as citizens of a foreign country but have since established their residence in the United States. Indicators are used to assess the degree to which the individual remains identified with his or her native country and the degree to which he or she has assimilated American culture and values. The focus here is only on indicators of continued identification with one’s native country. A more complete list of such indicators is available in the reference. 3

Many naturalized American citizens feel some degree of loyalty to both the United States and their native country, and most of the time this is not a problem. However, if an individual is motivated to help the economic development or military defense of his or her native country against a hostile neighbor, the two loyalties may conflict when that individual gains access to classified or other protected information of substantial value to the native country. This conflict can be exacerbated by a personal belief that the United States is wrong in not sharing this information. It could also be exacerbated by a financial need that could be satisfied by selling this information. Persons in this situation sometimes rationalize their actions as not being harmful to the United States.

An individual may continue to identify primarily with his or her native country if he or she:

• Came to the United States for educational or economic benefits rather than as political refugee or to be with family who had come previously to the United States.
• Was educated during the formative years at least through high school in the native country.
• Most of the individual’s family remains in the native country.
• Communicates via telephone, e-mail, instant messaging, or mail with friends or relatives in the native country at least once every two weeks.
• Provides financial or other support, such as medicine, to relatives in the native country.
• Has expressed feelings of obligation to the native country.
• Did not apply for U.S. citizenship as soon as he or she was eligible.
• Views acquisition of American citizenship as a means to gain economic opportunities rather than as a commitment to American values and traditions.
• Is reluctant to give up a foreign passport or to renounce foreign citizenship.
• Maintains or will inherit investments, property, or other financial interests in the native country. Obtains income from the native country or is involved in a joint business venture there with a friend or relative.
• Returns to the native country annually.
• Resides in a culturally closed community with individuals from the same country of origin.
• Has a network of friends that consists largely of persons with the same national or ethnic background.
• After gaining U.S. citizenship, returned to native country to obtain a spouse and brought him or her back to the United States (or plans to do so).
• Frequently expresses a negative view of U.S. culture and values.
• Frequently expresses disagreement with U.S. policy toward the native country.
• Is actively involved in social or political organizations that support his or her native country.
• Contributes to charities in the native country or provides financial assistance to causes or individuals in that country.
• Makes references to wanting to return and live in the native country, for example, to retire there.
• Maintains regular communication with individuals in the native country who share the same professional interests and expertise.

Indicators of Personal Weaknesses

There is no single profile of the employee who is likely to betray an employer’s trust. Motivation for espionage is believed to result from a complex interaction between personal weaknesses and situational circumstances. The personal weaknesses include some of the potentially disqualifying factors covered by the Adjudicative Guidelines, but also a number of personality characteristics that are often found in persons who commit espionage and other white-collar criminals.4,5 These same personality characteristics are also found to some degree in many law-abiding and successful individuals, so they are by no means disqualifying by themselves. These behaviors are discussed in greater detail in the separate file in this module on Behavior Patterns and Personality Characteristics Associated with Espionage. The indicator always refers to a pattern of undesirable behavior, not a single example of such behavior.

• Antisocial behavior: involvement in petty crimes that indicate a propensity for violating commonly accepted rules and regulations, pattern of lying, misrepresentation, gross exaggeration, or failure to follow through on promises or commitments. Unscrupulous and has no conscience, so feels no remorse for the adverse effects of one’s behavior on others. Takes pleasure in beating the system and not getting caught, or cutting corners to achieve personal objectives.
• Impulsive: doing whatever feels good at the moment, without regard for duties or obligations, or without regard for the long-term consequences for self or others. Goals or gains that can be achieved quickly are overvalued, while those that are more distant are undervalued. When a younger person exhibits this pattern, it is often described as immaturity. Impulsive individuals may not be concerned about duties and obligations and may be careless or lazy. There may be a pattern of not completing tasks. Such persons cannot tolerate boredom and often require constant stimulation. Inability to tolerate frustration may lead to a sudden outburst of hostility or violence.
• Grandiosity: entirely unwarranted feelings of self-importance. The view of one’s own abilities is so grossly inflated that disappointment and bitterness against those who fail to recognize these special talents are inevitable. Need for praise and sensitivity to criticism dominate relationships with others. Overreacting to criticism and responding with anger, even to constructive and well-intentioned criticism, is common. Fantasies of oneself as a James Bond, as indicated by repeated statements or actions indicating an abnormal fascination with "spy" work, can also be indicative of grandiosity.
• Narcissism: viewing the world only from the perspective of how it affects oneself. Narcissism often involves treating other people as objects to be manipulated for the benefit of one’s own self-interest or to indulge one’s own desires.
• Entitlement: unreasonable expectation of especially favorable treatment. Such persons expect to be given whatever they want or feel they need and become very upset when they don’t get it.
• Vindictive: Such a serious grievance with one’s boss, employer, or with the U.S. Government that the person has threatened violence or other vindictive action to get even. (Even if an individual seems to be just blowing off steam, all credible threats must be taken seriously.)
• Risk-seeking: taking risks just for the thrill of it without thinking of possible long-term consequences.
• Unable to make personal commitments: may drift from one relationship or job to another with little sense of purpose or loyalty to anyone or anything; limited capacity to express either positive or negative emotions towards others.
• Paranoid: pervasive mistrust and suspicion of other people. The security concern is that the paranoid person sometimes views his or her employer or the U.S. Government as the enemy and acts accordingly.
• Financial: Serious financial needs or excessive preoccupation with acquiring money or possessions. When financial need is triggered by a specific event such as divorce, medical expenses for a loved one, educational expenses for children, large gambling losses, or threatened bankruptcy, it can cause one to revaluate one’s priorities and sometimes one’s loyalties.
• Any exploitable weakness as identified under the Alcohol, Drugs, Crime, Sexual Behavior, and Personal Conduct adjudicative guidelines.
• Deliberate withholding or misrepresentation of information required on the personnel security form (SF-86).

Potential Indicators of Espionage,
Terrorism, or Subversive Activity

Being a spy requires that one engage in certain observable behaviors. There is usually some personal contact with a foreign intelligence operative who recruits the spy or to whom the spy volunteers his or her services. The spy must obtain information, often information to which the spy does not have normal or regular access. This information usually needs to be copied and then removed from the office. The information is then communicated to the foreign intelligence service, and this often requires keeping or preparing materials at home and traveling to signal sites or secret meetings at unusual times and places. The spy may receive large sums of money which then may be deposited, spent, or hidden. Periods of high stress sometimes affect the spy’s behavior.

Behaviors associated with espionage or terrorism sometimes deviate from the norm in such a way that they come to the attention of other people and must be explained. Other people sometimes become suspicious and pass their suspicions on to others. This sometimes comes out during a security clearance reinvestigation.

While an indicator’s existence may be known, the counterintelligence implications of the indicator are frequently not recognized. Even in circumstances where the indicator has aroused suspicion, personnel may fail to act, or act improperly on that knowledge. The record of past espionage cases shows that coworkers and supervisors often ignored or failed to report counterintelligence indicators which, had they been reported, would have permitted earlier detection of the spy. In some cases, disciplinary actions were taken against the offender, but the matter was never considered from a counterintelligence perspective. See related information in the file Reporting Espionage Indicators.

Indicators of Recruitment

• Close association with an individual who is known to be, or is suspected of being, associated with a foreign intelligence or security organization.
• Being secretive about contact with any foreign national or visit to a foreign diplomatic facility.
• Failure to report a personal relationship with any foreign national when reporting foreign contacts is required and expected.
• Failure to report an offer of financial assistance for self or family from a foreign national other than close family.
• Failure to report a request for classified or sensitive unclassified information by a foreign national or anyone else not authorized to receive it.
• Unreported private employment or consulting relationship on the side, separate from one’s regular job, with a foreign national or foreign organization.
• Bragging about working for a foreign intelligence service or about selling U.S. technology. (Such statements should be taken seriously. They indicate at least that the individual is thinking about it, if not doing it.)

Indicators of Information Collection

• Accessing or attempting to access or download information to which the individual is not authorized access.
• Conducting key word searches in a classified database on people, places, or topics about which the individual has no need-to-know.
• Ordering classified or other protected documents or technical manuals not needed for official duties.
• Unusual pattern of computer usage (accessing files for which has no need-to-know) shortly prior to foreign travel.
• Asking others to obtain or facilitate access to classified or unclassified but sensitive information to which the individual does not have authorized access.
• Unusual inquisitiveness or questioning of coworkers about matters not within the scope of the individual’s job or need-to-know.
• Obtaining or attempting to obtain a witness signature on a classified document destruction record when the witness did not observe the destruction.
• Copying protected information in other offices when copier equipment is available in the individual’s own work area.
• Intentionally copying classified documents in a manner that covers or removes the classification markings.
• Extensive use of copy, facsimile, or computer equipment to reproduce classified, sensitive, or proprietary material which may exceed job requirements, especially if done when others are not present.
• Repeatedly working outside normal duty hours when this is not required and others are not in the office, or visiting classified work areas after normal hours for no logical reason.
• Repeated volunteering for assignments providing a different or higher access to classified or sensitive information.
• Bringing a camera, microphone, or recording device, without approval, into a classified area.
• Unauthorized monitoring of electronic communications.
• Illegal or unauthorized entry into any information technology system.
• Deliberately creating or allowing any unauthorized entry point or other system vulnerability in an information technology system.

Indicators of Information Transmittal

• Unauthorized removal or attempts to remove classified, export-controlled, proprietary or other protected material from the work area.
• Storing classified material at home or any other unauthorized place.
• Taking classified materials home or on trips, purportedly for work reasons, without proper authorization.
• Retention of classified, export-controlled, proprietary, or other sensitive information obtained at a previous employment without the authorization or the knowledge of that employer.
• Providing classified or sensitive but unclassified information, including proprietary information, outside official channels to any foreign national or anyone else without authorization or need-to-know.
• Regularly exchanging information with a foreigner, especially work-related information, whether or not the known information is sensitive.
• Putting classified information in one’s desk or briefcase.
• Downloading classified material to an unclassified computer or storage device.
• Communicating electronically or using the Internet in a manner intended to conceal one’s identity, e.g., use of “anonymizer” software on one’s home computer or use of public computer services at a public library or Internet Café.
• Excessive and/or unexplained use of e-mail or fax.
• Short trips to foreign countries or within the United States to cities with foreign diplomatic facilities, for unusual or unexplained reasons, or that are inconsistent with one’s apparent interests and financial means. This includes a pattern of weekend travel not associated with recreation or family.
• More than one trip during a two-year period to a country where one has no relatives, no business purpose for the travel, and where the country is not a common location for an annual vacation.
• Hesitancy or inability by traveler to describe the location reportedly visited.
• Any attempt to conceal foreign travel.
• Foreign travel with costs out of proportion to time spent at the foreign location.
• Frequent foreign travel with costs above the individual’s means.
• Foreign travel not reflected in the individual’s passport to countries where entries would normally be stamped.
• Maintaining ongoing personal contact, without prior approval, with diplomatic or other representatives from countries with which one has ethnic, religious, cultural or other emotional ties or obligations, or with employees of competing companies in those countries.
• Recurring communication with a person or persons in a foreign country that cannot be explained by known family, work, or other known ties.
• Illegal or suspicious acquisition, sale, or shipment of sensitive technology.
• Purchase of high quality international or ham radio-band equipment by other than a known hobbyist.

Indicators of Illegal Income

• Sudden, unusual ability to purchase high-value items such as real estate, stocks, vehicles, or foreign travel when the source of income for such purchases is unexplained or questionable.
• When asked about source of money, joking or bragging about working for a foreign intelligence service or having a mysterious source of income.
• Implausible attempts to explain wealth by vague references to some successful business venture, luck in gambling, or an unexplained inheritance; also more explicit explanations of extra income that do not check out when investigated.
• Living style and assets out of line with the individual’s known income, especially if this has been preceded by signs of financial distress such as delinquencies or bankruptcy.
• Sudden decision to become a big spender; for example, picking up the bar bill for everyone, buying new and expensive clothes, giving expensive jewelry to a girl friend, all with vague explanation of the source of funds.
• Sudden reversal of a bad financial situation as shown by repayment of large debts or loans with no credible explanation of the source of funds.
• Extensive or regular gambling losses that do not appear to affect lifestyle or spending habits.
• Display of expensive purchases or large amount of cash shortly after return from leave, especially if the leave involved foreign travel.
• Foreign bank or brokerage account with substantial sums of money, but with no credible explanation for the source of this money or no logical need to maintain funds outside the United States.
• Large deposits to bank accounts when there is no logical source of income.
• Unexplained receipt of significant funds from outside the United States
• Moving funds into or out of the United States in amounts or circumstances that are inconsistent with normal business or personal needs. Includes deposit of large sums shortly after return from foreign travel.
• Large currency transactions as noted in Financial Crimes Enforcement Network (FinCEN) reports, unless the transaction was done for one’s employer or a volunteer civic organization in which the individual is active.
• Carrying large amounts of cash when this is inconsistent with normal cash needs or known financial resources.

Indicators of Terrorist Activity

Although a terrorist might also steal information like a spy, the typical terrorist is engaged in planning, preparing, supporting or executing some violent terrorist action. The behaviors that might indicate or reveal terrorist preparations are quite different from the behavior of a spy. Alert employees who recognize and report these clues play a significant role in helping to protect our country against terrorist attacks and other subversive activities. The following are potential indicators that an individual may be involved in planning a terrorist attack.

• Talking knowingly about a future terrorist event, as though the person has inside information about what is going to happen.
• Statement of intent to commit or threatening to commit a terrorist act, whether serious or supposedly as a “joke,” and regardless of whether or not it seems likely that the person intends to carry out the action. (All threats must be taken seriously.)
• Statements about having a bomb or biological or chemical weapon, about having or getting the materials to make such a device, or about learning how to make or use any such device—when this is unrelated to the person’s job duties.
• Handling, storing, or tracking hazardous materials in a manner that deliberately puts these materials at risk.
• Collection of unclassified information that might be useful to someone planning a terrorist attack, e.g., pipeline locations, airport control procedures, building plans, etc. when this is unrelated to the person’s job or other known interests..
• Physical surveillance (photography, videotaping, taking notes on patterns of activity at various times) of any site that is a potential target for terrorist attack (including but not limited to any building of symbolic importance to the government or economy, large public gathering, transportation center, bridge, power plant or line, communication center).
• Deliberate probing of security responses, such as deliberately causing a false alarm, faked accidental entry to an unauthorized area, or other suspicious activity designed to test security responses without prior authorization.
• Possessing or seeking items that may be useful for a terrorist but are inconsistent with the person’s known hobbies or job requirements, such as explosives, uniforms (to pose as police officer, security guard, airline employee), high-powered weapons, books and literature on how to make explosive, biological, chemical, or nuclear devices.
• Possession of multiple or fraudulent identification documents.

Indicators of Support for Terrorism

As compared with espionage, which is usually conducted by individuals working alone, a terrorist attack is usually a group activity conducted by a small, clandestine cell which is often loosely associated with a larger network or organized group. Therefore, support for terrorism is often indicated by whom an individual associates with, certain public actions or Internet use, and or expressed support for a terrorist ideology.

Any support or advocacy of terrorism, or association or sympathy with persons or organizations that are promoting or threatening the use of force or violence, is a concern even if the individual is not directly involved in planning a terrorist attack. Of particular current concern is any expression of militant jihadist ideology, but this also includes the extremist groups discussed under Allegiance to the United States.

• Knowing membership in, or attempt to conceal membership in, any group which: (1) advocates the use of force or violence to achieve political goals, (2) has been identified as a front group for foreign interests, or (3) advocates loyalty to a foreign interest over loyalty to the U.S. Government.
• Distribution of publications prepared by group or organization of the type described above.
• Pro-terrorist statements in e-mail or chat rooms, blogs, or elsewhere on the web. Frequent viewing of web sites that promote extremist or violent activity (unless this is part of one’s job or academic study).
• Financial contribution to a charity or other foreign cause linked to support for a terrorist organization.
• Unexplained, or inadequately explained, travel to an area associated with terrorism or U.S. military action.
• Statements of support for the militant jihadist ideology of holy war against the West, such as: 6

-- Militant jihad against the West is a religious duty before God and, therefore, necessary for the salvation of one’s soul. Peaceful existence with the West is a dangerous illusion. Only two camps exist. There can be no middle ground in an apocalyptic showdown between Islam and the forces of evil.

-- The separation of church and state is a sin. Democratic laws are illegitimate and sinful, because they are “man-made” laws expressing the will of the electorate rather than God. The only true law is Sharia, the law sent down by God, which governs not only religious rituals but many aspects of day-to-day life.

-- Muslim governments that cooperate with the West and that have not imposed Sharia law are religiously unacceptable and must be violently overthrown.

• Statements of support for suicide bombers even though they kill innocent bystanders.
• Statements of support for violence against U.S. military forces either at home or deployed abroad.
• Statements of belief that the U.S. Government is engaged in a crusade against Islam.
• For U.S. military personnel only: Any action that advises, counsels, urges, or in any manner causes or attempts to cause insubordination, disloyalty, mutiny, or refusal of duty by any member of the armed forces of the United States. 7

Other Behavioral Indicators

• Reporting by any knowledgeable source that the subject may be engaged in espionage or terrorist activities.
• Attempt to conceal any activity covered by one of the other counterintelligence indicators.
• Behavior indicating concern that one is being investigated or watched, such as actions to detect physical surveillance, searching for listening devices or cameras, and leaving "traps" to detect search of the individual’s work area or home.
• Misrepresenting or failing to report use of an alias and/or multiple identities; possession of false identity documents without valid explanation.
• Attempts to place others under obligation through special treatment, favors, gifts, money, or other means.
• Avoiding or declining an assignment that would require a counterintelligence polygraph.
• Withdrawing application for a security clearance, or resigning from employment, in order to avoid a polygraph examination or other investigative interview.

Footnotes

1. This list is a combination and consolidation of many lists prepared by various persons and organizations for various purposes during the past 15 years.

2. Office of the National Counterintelligence Executive, Annual report to Congress on foreign economic collection and industrial espionage - 2005. NCIX 2005-10006, April 2005.

3. Krofcheck, J.L., & Gelles, M.G. (2006). Behavioral consultation in personnel security: Training and reference manual for personnel security professionals. (Appendix A: Assessing Competing Identities). Yarrow Associates.

4. Several government agencies have conducted comprehensive psychological assessments of their employees arrested for espionage, and an Intelligence Community project has interviewed and administered psychological tests to a number of Americans serving jail terms for espionage. Most interviews and tests were conducted after conviction and incarceration and were subject to agreements that protect the privacy of the offenders. Privacy and security considerations preclude public release of these studies.

5. Gottfredson, M.R., & Hirschi, T. (1990). A general theory of crime. Stanford, CA: Stanford University Press. Parker, J.P., & Wiskoff, M.F. (1992). Temperament constructs related to betrayal of trust (Tech. Report 92-002). Monterey, CA: Defense Personnel Security Research Center. Collins, J.M., & Schmidt, F.L. (1993). Personality, integrity, and white collar crime: A construct validity study. Personnel Psychology, 46, 295-311. Brodsky, S.L., & Smitherman, H.O. (1983). Handbook of scales for research in crime and delinquency. New York: Plenum Press. Hogan, R., & Hogan, J. (1989). How to measure employee reliability, 74, 273-279. Collins, J.M., & Muchinsky, P.M. (1994). Fraud in the executive offices: Personality differentiation of white collar criminality among managers. Paper presented at 23rd International Congress of Applied Psychology, Madrid, Spain.

6. Department of State. (2005, April). Global jihad: Evolving and adapting. See more recent information available at http://www.state.gov/s/ct/.

7. Department of Defense. (2003, Dec. 1). DoD Directive 1325.6, Guidelines for Handling Dissident and Protest Activities Among Members of the Armed Forces. Retrieved April 14, 2010, from http://www.dtic.mil/whs/directives/corres/pdf/132506p.pdf