
UNCLASSIFIED

many of which are available online. Cyber exploitation is inherently difficult to detect as cyber intruders from one country typically cover their tracks by routing their attacks through the compromised computers of others. At the same time, the losses can be significant and finding the cyber bandit can be virtually impossible.

U.S. businessmen traveling abroad provide another valuable source of information for foreign countries. Foreign governments and businesses continue to acquire sensitive U.S. proprietary information from all types of electronic storage devices, including laptop computers, personal digital assistants (PDAs), and cell phones carried by U.S. businessmen traveling abroad. A recent U.S. private sector study indicated that two-thirds of PDAs are used to carry client details and corporate information but without adequate protection. Foreign businesses and security services gain access to such information by using clandestine entry to hotels and business establishments or by electronically downloading information during routine security inspections at airports or other ports of entry. In addition, technology weaknesses in some PDAs make it easy for foreign entities to extract information without directly accessing the storage devices.

Foreign students, scientists, and other experts who come to the United States to work or attend conferences also can serve as a funnel for sensitive U.S. technologies. China, in particular, seems to be benefiting from the access its experts have here. The Chinese press explicitly recognizes the role of the overseas Chinese community in increasing China's technological prowess. Moreover, Beijing has established a number of outreach organizations in China and it maintains close relations with a number of U.S.-based advocacy groups that facilitate its interaction with experts here and probably aid in efforts to acquire U.S. technology.

One indirect method used to acquire U.S. technology is for foreign firms to offer their services or technology—particularly IT-related support—to U.S. firms that have access to sensitive items. Such deals, at a minimum, have provided foreign visitors access to facilities where trade secrets or proprietary information are stored. In their most dangerous forms, however, these deals can result in foreign companies subverting U.S. firms' supply chains by selling tainted products. These subversions could give foreign companies long-term, remote access to significant proprietary information and trade secrets. Well-executed supply chain subversions are almost impossible to detect, even years after implantation.

In some cases, foreign entities seeking to acquire sensitive U.S. technologies find that the easiest route to acquisition is to either purchase outright or form a joint venture with a U.S. firm that has access to that technology. Even joint venture negotiations where no agreement is reached can yield proprietary information valuable to foreign entities. The negotiation process often includes plant tours and inspections of manufacturing processes, and the U.S. firms may provide proprietary information on customers and marketing plans in an effort to secure the deal.

Increasingly, foreign entities need not even come to the United States to acquire sensitive technology but, instead, can work within their own borders. There, U.S. firms have difficulty securing their secrets and have few legal protections once proprietary information has been lost. Globalization is forcing U.S. companies toward a more diversified business model that includes foreign outsourcing and external partnerships. These arrangements, while making U.S. firms more competitive by providing a source of inexpensive inputs, at the same time make sensitive U.S. technologies more vulnerable. For example, a recent security survey by a major U.S. accounting firm showed that sensitive blueprints, formulas, and computer codes are being transferred abroad to enable foreign firms to supply specially tailored inputs to high-tech products that are manufactured in the United States.

Conducting due diligence on foreign partners is difficult, but the problem becomes geometrically more complicated when the foreign partners themselves outsource to other firms. According to the same security survey just cited, fewer than one-third of U.S. companies that are involved in outsourcing conduct regular assessments of their IT providers to monitor compliance with information security policies; "they simply rely on trust." These trends not only leave U.S. firms more exposed to a direct outflow of technology but also make it difficult to guarantee that the foreign-provided inputs—particularly IT hardware and software—are free from Trojan horses or back doors that could be used later to extract sensitive technology.

The Technologies Targeted

What kinds of technologies are targeted? Virtually all kinds of U.S. trade secrets—military and civilian—are targeted. The CI Community pays closest attention to technologies with direct military application and to those on the Defense Department's Militarily Critical Technologies List (MCTL), many of which are dual-use, with both military and commercial applications. All of the technologies on the MCTL are targeted every year. Information systems—the foundation of almost all modern civilian and military production processes—continue to top the list of targeted technologies. There has also been significant foreign interest in sensors, which provide the eyes and ears of many military systems; aeronautics, because of the demonstrated advantage of airpower in recent international conflicts; electronics, which are either contained or used in the production of virtually every weapons system in the U.S. arsenal; and armaments and energetic materials, the technologies required to develop and produce conventional munitions and weapons systems of superior operational capability.

As difficult as it is for us to track foreign efforts to acquire military and dual-use technologies—where defense contractors are required to report suspicious targeting incidents—it is far more challenging for the CI Community to monitor foreign targeting of purely commercial technologies. The FBI has outreach programs that are geared to encouraging U.S. firms to report suspicious targeting incidents but, even so, such reporting is uneven at best. U.S. firms have sometimes been reluctant to raise alarms about possible technology theft out of concern for the potential impact on investor and consumer confidence and stock prices. Nevertheless, recent legal cases alleging technology theft provide examples of the items targeted, which include: semiconductor production processes, computer microprocessors, high-speed digital cameras, software, proprietary information, and chemical formulas.


The Rough Road Ahead

We should expect no decline in foreign demand for sensitive U.S. technologies over the next few years. The United States remains the source of much of the world's most advanced technology, and, in many industries, foreign entities depend on that innovation to improve their competitiveness. At the same time, the task of slowing the illicit outflow of technology will only become more difficult. Globalization, while benefiting the United States economically, is making it challenging to isolate trade secrets from foreign managers and employees. Increasingly U.S. firms are conducting research and development in centers located outside U.S. borders, where physical security will be difficult to maintain and legal protection of technology, trade secrets, and innovation is weak or nonexistent. At the same time, however, U.S. businesses prefer to operate in an environment where their trade secrets are protected, which may gradually pressure foreign governments to strengthen legal safeguards.

It is one thing to list the range of foreign technology acquisition activities to you; it is quite another to describe what we need to do about them.

In my view, successful policy must be consistent, and thoughtfully apply the full range of public policy instruments to strategic effect. For its part, U.S. counterintelligence has to be more effective than the foreign intelligence services—meaning more pro-active in identifying, assessing and degrading foreign intelligence operations against us.

My office has underway an aggressive program to identify, align and coordinate the many CI community efforts to slow this illicit outflow of U.S. technology. We are grouping these activities as the centerpiece of our implementation planning for the National CI Strategy and the recommendations of the Silberman-Robb Commission. Major efforts include, for example, the work of the FBI-led national CI working group on technology protection and a number of cyber threat and technology vulnerability response initiatives.

Mr. Chairman, your Committee has jurisdiction over our nation's single greatest resource in countering foreign intelligence threats, the Federal Bureau of Investigation. The most significant change of late, and it is significant indeed, is the President's June decision to create a new National Security Bureau within the FBI. The integration of counterterrorism, counterintelligence, and intelligence programs in the new NSB should give a major boost to our nation's CI capability, and to achieving the objectives of the National Counterintelligence Strategy.


Mr. HOSTETTLER. Dr. Wortzel.

TESTIMONY OF DR. LARRY WORTZEL, VISITING FELLOW, THE HERITAGE FOUNDATION

Mr. WORTZEL. Mr. Chairman, Members of the Committee, thank you for the opportunity to testify today on the theft of national security secrets and national security sensitive technology. I have a longer statement I would like to submit for the record, if I may.

Mr. HOSTETTLER. Without objection.

Mr. WORTZEL. I will focus on the intelligence collection posed by China. The manpower pool available to the Chinese Government and its intelligence services is nearly limitless, and it is impossible to know for certain if people are here to study for research or if they are here to steal our secrets.

The People's Republic of China is methodical in its program to gather information from abroad. In 1986, the People's Republic of China launched a national high technology research and development program with the specific goal of benefiting China's medium and long-term high technology development.

This is a centralized program; it is known as the 863 Program for the date it was announced, and it allocates money to experts in China to acquire and develop things like biotechnology, space technology, laser technology, and advanced materials. Thousands of Chinese students and scientists were sent abroad by China over the years to pursue critical, civil and military dual-use technologies, and the practice still continues. Thus, the U.S. faces an organized program out of China that is designed to gather high technology information of military use.

Now, today, inside China, there are entire high technology incubator zones that are designed to attract back students from the U.S. or U.S. businesses to bring technology in. It is very important to recognize that Chinese diplomatic missions abroad monitor the activities of their businessmen and students to cultivate informants, and before Chinese citizens get passports or travel permission, they are often interviewed by China's intelligence security services and sensitized to intelligence collection requirements.

I think it is important to remember that the constitution of the People's Republic of China characterizes the state as a people's democratic dictatorship. So it is pretty hard for legal travelers to simply turn down the Chinese Government in that authoritarian state when they get asked to cooperate.

Now, we know from Chinese defectors and Chinese security officials, or diplomats in places like Australia and Canada recently, that this approach is used not only to collect intelligence in the United States, but also abroad.

In 2003, the State Department approved some 700,000 visas for visitors from China to the United States. That includes about 135,000 students. That is just a lot of folks. There were 40,000 immigrant visas granted to Chinese citizens in 2003. I have to say that these numbers make it impossible for the Federal Bureau of Investigation to vet every one of these people. There are some 3,200 Chinese front companies operating in the United States.

Now, the People's Liberation Army of China went into the business of starting companies to bring in technology in the 1970's, late 1970's and 1980's. The General Equipment Department started Polytechnologies; the General Political Department started Kaili or Kerry Corporation, Baoli, the logistics department started Xinshidai, or the New Era Corporation; and these are separate legal entities, not part of the military, but they were authorized to conduct these activities by the Central Military Commission of the Chinese Communist Party.

They were originally manned by former officers of PLA or their families, in some cases active officers, and they operated branches in the United States. They regularly brought delegations to the U.S. to bring in technology, and today they have turned into global conglomerates that have spawned some of those 3,200 companies that are operating in our country.

So the Chief of FBI Counterintelligence Operations, David Szady, recently said that these companies are operating in such places as Milwaukee, Trenton, New Jersey, and Palo Alto.

Now, I think that the Government, the U.S. Government security intelligence and law enforcement agencies have to focus on national security information. They ought to be looking for violations in the Arms Export Control Act, or the Export Administration Act, but when it comes to corporate or industrial espionage, proprietary secrets, that is not national security.

It may be an economic problem for the United States, but I think that there the Government owes American companies a good legal infrastructure to protect patents, copyrights and trademarks; a system of education on industrial security here in our country; and a strong effort to ensure that China meets its own obligations to create a rule of law that protects the rights of ownership and intellectual property. But we shouldn't cross over into losing—given the number of people, into losing our focus on national security.

From the standpoint of congressional action, I would point out that the Export Administration Act expired in 2001; it was a 1979 act. It needs to be revised to take account of the needs of 21st century technology. The Senate passed a revision in 2001; the House did not. I think the Executive Branch has to regularly review the Commodity Control List to ensure that appropriate national security controls on exports do not unduly restrict the ability of American industry to compete in the world market.

Generally speaking, I think that technologies that are widely available in the world market and not unique to the United States should not be restricted and subject to export controls unless they can be multilateral controls. I would also recommend that visa officers get educated by the intelligence community so that things like the Visas Mantis program, and the technology alert list, can work effectively. They have a lot of prerogatives when they are out in the embassy.

Let me close by saying that I don't think it pays for us to be paranoid and suspect that every traveler, student and businessman from China, or woman from China, is a spy or is out to steal technology. Prudent law enforcement programs, counterintelligence programs, security education and industrial security programs are important ways to protect our Nation. But I would note that in places like Taiwan, the Republic of China and South Korea, it is these students that came out and learned and went back home that
