Project Documents – High Value Targets of Cyber Espionage

The global reliance on technology has significantly increased the complexities of many current projects to levels not seen before. Indications are that this trend will not be slowing down any time soon. In fact, there are signs that the current rate of technology advancement will actually accelerate and drive the complexity level of many projects to new heights. If that doesn’t bring to mind a big enough challenge, there is a relatively new and rapidly evolving aspect of modern projects that is now on the plate of project managers and is something that must now be addressed. The latest change is being brought about by a change in philosophy about security. Speaking historically, cyber security has been treated as an afterthought; as such, security was what has been termed “bolted-on” rather than being designed in.

The risk is cyber attacks on our system and cyber espionage that target our proprietary and sensitive information are on the rise with no end in sight. In fact, recent reports suggest that cyber espionage losses in the United States total between cyber espionage and crime lies between $70 and $140 billion annually. Pause a moment and think about all the technologies that are involved in a modern project and the criticality of many of these initiatives. Now add to that the mountain of documents associated with those technologies and how they will be used throughout the life of the project and far beyond. Finally, add the project specific documents, schedules, procurement plan, shipping notices & schedules, implementation dates and the list of documents goes on and on. 

Most modern projects establish a project repository to manage all of these materials. All that information concentrated in one area is an enticing target for cyber espionage actors. For some businesses the theft of these sensitive documents has competitive consequences. For organizations involved with critical infrastructure projects, the theft of these documents pose a threat to homeland security and for those that work in the defense and intelligence area, theft of project documents can represent a national security threat. All this combines to make project repositories high value targets that some criminals, activist organizations, terrorist groups and even some nation-states would like to obtain. You can easily imagine just how attractive project documents have now become in that documentation about cyber security measures that is being designed into these products and systems are included in the project repository.

Many of you may not be aware that January of this year a cyber espionage campaign was disclosed of this year. That attack specifically targeted CAD diagrams generated by a widely used computer-aided design application as well as many other document formats that are all too common on projects. In fact, this specific clandestine initiative targeted files with DOC, XLS, PPT, RTF and PD in addition to file formats like DWG, DXF, CDW and DWF that are associated with drawings. All these documents types are routinely found within the project document repository.

Top areas the project managers must monitor include the loss or theft of laptops, the loss or theft of CDs/DVDs and USB drives containing project information, improper disposal of paper document and storage media (CDs/DVDs), and finally the unauthorized access or copying of documents by insiders. There was an interesting observation from one cyber investigator who said, “Thieves go where the money is and that includes dumpster diving looking for discarded document of value.” While cross-cut shredding of documents address the dumpster diving issue, solutions for securing online documents remains elusive. Many of you may be saying to yourselves encryption is the answer, you should reconsider that position. Earlier this year a researcher demonstrated at an international conference on cyber security a technique that broke the most common form of encryption. But wait, it gets worse! Hackers that launched a cyber attack that was discovered in 39 countries specifically targeted encrypted files. Investigators believe that the attackers must have the ability to decrypt these documents or they would not have waited their time and increased the risk of detection by going after those files.

Imagine for a moment that you are the project manager on a project that is to take a new product design from the working prototype stage through market introduction. As the researchers finalize their documentation and patent application, operations begins to look at what will be needed to produce, sell and support the new product. At the same time, marketing is busy designing the product materials, advertisements and overall launch campaign. The engineers and legal department submit the patent application and begin to support the follow-on activities. A few weeks go by and the patent office rejects the patent due to an application that had been filed a few weeks earlier. The engineers review the earlier patent and determine the similarities could not a coincidence. An investigation begins and cyber investigators discover all the research and engineering data had been exfiltrated from their systems to servers in foreign countries and a piece of malware routinely sent updates about the progress/status of the development project. All the investment the company made into bringing this new product to market now has to be written off! Management was counting on this new product and for a time is was not clear that the company would survive. Unfortunately, this is not a hypothetical situation. I was made aware of this incident in a conversation with an individual from a three-letter agency.

Information is a valuable asset and must be treated as such, including security measures and functionality that is now being built into these systems and products only increases the value of project information. Organizations and project managers must take a different approach to address the growing security threats posed by cyber attacks that seek to exfiltrated documents and other acts of cyber espionage. That would include insider threats that are all too often the source of many of data thefts. Many in cyber security are beginning to talk about establishing project metrics that monitor the measures taken to properly secure project documents. Project managers should be aware of this risk and take appropriate measures to insure proper security is in place around the project document repository, as well as addressing the risk posed by physical documents. Failure to do this, a project manager would be falling short of their professional responsibilities and exposing the company to a heightened level of risk. Perhaps it is time to integrate cyber threat training into all the project management courses and a topic on the agenda for project kick-off meetings!

Don’t forget to leave your comments below.