Font Size: A A A

Case Studies

CPNI: hostile approaches on social on ‘industrial scale’

Hostile states are trying to dupe UK people into giving up secrets, such as by connecting with them through professional social media, befriending them, wining and dining them and offering them ‘opportunities’. Those (unnamed) hostile states are doing it on an ‘industrial scale’, the UK official CPNI has told Professional Security.

And CPNI want security managers to be aware that they could be a target as much as anyone; and it’s for them to endorse CPNI’s campaign to the rest of their organisation, and to take up downloadable posters, videos and other training material.

CPNI explain it in terms of Rs – first you have to recognise this is a problem. They offer a ‘conservative estimate’ that 10,000 UK people have been subject to a ‘malicious profile being operated by a hostile state agency’. It’s most unusual for CPNI and their like to give such numbers. While CPNI do stress that it’s not only happening on Linkedin, that company alone has taken down millions of fake or dodgy profiles from its site. Then you ought to realise the signs. Sadly, just as robbers don’t walk the streets with bags that say ‘SWAG’, so the hostile states trying to tap up people pretend to be in recruitment, or think-tanks or consultants or in business generally.

If you are approached, you have to rectify the problem, and report it. Just as if you have clicked on a phishing email, or have a nasty feeling that you have sent money to a romance or other scammer, you may feel too embarrassed to want to own up. CPNI say that you should be honest, and indeed professional about it. If you’re vetted or ever asked as part of security clearance whether you have suspicions that you have linked with someone who isn’t who they say they are, who’s offering things that seem too good to be true: if you conceal, then you run the risk of losing that clearance, and ultimately your job.

Anyone, CPNI say, can be a target; an academic (the Oxford University-AstraZeneca vaccine research was among cases cited by CPNI; the CIA former agent Kevin Mallory, jailed in the United States in 2019 for espionage, was another), civil servant, someone in the defence sector, or critical national infrastructure; or indeed a security manager, who almost by definition can access computer systems and physical sites.

More in the June 2021 print edition of Professional Security magazine.

About CPNI

It stands for Centre for the Protection of National Infrastructure, and covers personnel, cyber and site-physical security. Visit for plenty of free training material for example on how to bring on a security culture. The CPNI began its awareness campaign around everyone – but particularly those with security clearance, or access to sensitive info – being alive to the risk of connecting with someone who turns out to be from a hostile state, last autumn.

Advice in brief

– Do not advertise your security clearance online; n don’t reveal details of sensitive job roles;
– ‘think before you link’; just because an unknown person seeking contact is linked with a friend, that’s no proof the person checks out as genuine – or indeed is a person at all?!
– and think about the lowest level of detail that you really need to include.

Photo by Mark Rowe; Oxford University, summer 2020.


Related News