A Counter-Espionage Approach to Corporate Security Management

Today’s corporate security landscape includes a myriad of potentially devastating outcomes for businesses large and small due to the theft of proprietary information. While countering extremist machinations and the fully developed terrorist threat remains at the forefront of security planning, the more insidious and potentially more costly threat remains that of industrial espionage. Not only do business competitors routinely engage in these illegal activities, but state-sponsored economic intelligence-gathering campaigns remain at the centre of national security agendas around the world. In order to deter or neutralize this potentially ruinous form of attack, a nuanced approach is necessary.

A world-class counterespionage (CE) program must address not only standard physical security and evolving cyber threats, but also the venomous and low-tech threat of human-enabled espionage. Your security strategy must be a converged risk strategy which also applies robust counterespionage methodologies. Used by competitive intelligence (CI) firms as well as sophisticated transnational criminal elements, human espionage remains the most common form of industrial espionage. This form of industrial espionage is directed at high-value/low-risk collection targets – vulnerable employees and vulnerable streams of proprietary work. This affords the source both the access and the long period of time required to collect the desired non-public information. Add to this scenario the deliberate and targeted compromise of organizational and personal electronic devices by sophisticated cyber attacks, and a corporation is made even more vulnerable.

Human-enabled industrial espionage leverages deception to obtain sensitive information through the use of pretext. Pretext, in the industrial espionage world, involves assuming an identity or appearance other than one’s own in order to cloak the person’s real intentions which are the solicitation or theft of protected company information. The convergence of cyber and human-enabled threats is difficult to defend against without applying a converged response. Defending against only one of these methods of penetration will certainly point the attacker towards the other and thus an organization is breached.

Most CE programs do not adequately address the human weaknesses in their workforce, and it is this failure that costs the organization substantial loss of revenues, loss of research and development man-hours and loss of investor confidence. While robust technical countermeasures provide a secure operating environment, they can be circumvented by an employee who has the motivation and ability to do so. It is important to keep in mind that while many security professionals associate industrial espionage with a long-running and deeply embedded activity, there are many instances when a focused and brief penetration can satisfy the competition’s intelligence requirements. This may be as simple as an employee transferring a single report to portable media and never coming up on the security team’s radar again. This could also be done with multiple one-time penetrations, each acquiring a different piece of the puzzle over the space of several weeks or months, to be reconstructed with the luxury of time in a permissive setting. There are other examples of these cracks in the human firewall.

Corporate counter-intelligence is the overarching security concept used in building obstacles, sensitizing the workforce and training employees to prevent the spill or theft of proprietary information. This concept is not often converged or blended, but instead relies on the separate physical security, human resource and information security functions to defend against these threats. Corporate counter-espionage is a function which must use a full-spectrum or converged approach, and which relies heavily on interoperable and mutually supporting security functions. An enhanced corporate counterespionage program leverages specialized counterespionage detection practices, methodologies and response strategies to deter, exploit and/or defeat the most serious threats to an organization’s bottom-line occurring through industrial espionage.

For the most part, serious human-enabled industrial espionage projects are undertaken by former national intelligence officers (IOs). Highly trained and with a narrow set of niche skills, IOs bring a highly sophisticated, nuanced, agile and surgical operating capacity to the table. The threat posed by such professionals could come in the form of direct action, that is, the IO conducts the espionage on his own without the use of a controlled source. More likely, and more difficult to defend against, is the recruitment of an insider or peripheral actor with either continuing or finite access to non-public information. Don’t forget, a single document, memorandum or report can provide the competition an unassailable competitive advantage.

The IO also leverages human weaknesses in order to provide intelligence on that which no computer or cyber solution can provide: meeting atmospherics, relational dynamics and personal demeanor. The example might be that in the course of the quarterly earnings report meeting, certain C-suite executives appear uncomfortable during the meeting, provide elusive answers or attempt to deflect attention to another agenda item. This information, reported in a timely and accurate fashion, could provide the competition enough evidence to mount a specific operation to uncover what was not said during the quarterly earnings meeting.

The CE manager, and more importantly the programs he formulates, establishes and conducts, are the chief obstacle for the IO, and they vary in sophistication and effectiveness from organization to organization. Those entities that employ no CE program simply make the theft of their secrets less eventful for the perpetrators. A nuanced and well-thought-out CE program can oftentimes prove the only reason a professional IO needs to look elsewhere for the necessary information. What are the objectives and benefits of a good CE program? Quite simply, the objective of a good CE program is to prevent, preempt, detect, and respond to an incident of industrial espionage. The most obvious benefit of the prevention, preemption and detection aspects is the avoidance of the loss of trade secrets in the first place, followed by the avoidance of the time-consuming response needed to salvage what is left of the bottom line. Secondary benefits include the reassurance of long-time clients, the stabilization of new and developing business relationships and the safeguarding of an entire brand.

A world-class counterespionage program does not have to remain reactive. The value-added of a flexible and enhanced counterespionage strategy is that it can also go on the offensive in certain instances and defang your competitor’s industrial espionage operation while forcing him to expend vast resources with nothing to show at the end. There is no better deterrent to an industrial spy than knowing he or she may be dueling with a controlled provocation, or realizing that they are the subject of a counterespionage collection operation. This normally occurs as a result of an aggressive counterespionage program uncovering a penetration without their opponents finding out. By taking the appropriate countermeasures and actions to maintain the appearance of a successful espionage operation, the CE manager or team can now actually turn the project to their favor by restricting access to the sensitive data in a way that does not show their hand. This will enable the CE team to study the penetration and collect vital operational data on the attackers in order to help prevent a recurrence.

The scope of a good CE program, like its many sub-elements, is always scalable and tailored to the organization’s mission and resources. This could mean that a major organization will need a small office of CE-specific professionals to liaise with other stakeholders, communicate strategically with the workforce and conduct those CE operational tasks that require their expertise. On the other end of the spectrum is an outsourced solution involving external consultants or fixed-term contractors for big projects or policy development. Finally, and perhaps most efficient, is a hybrid of the two in order to address the disparate nature of industrial espionage penetrations, bearing in mind the converged threats from cyber, physical and human-enabled attackers. It is critical to leverage the expertise of a CE manager who will work hand in hand with the security team.

The CE manager is the proponent for counterespionage and counterintelligence strategies for the organization and he or she is well-versed in not just counterespionage, but in competitive intelligence acquisition. A good CE manager should always be mirror-reading or reverse engineering an industrial espionage event to prevent, preempt, detect and respond to that threat. The CE manager provides subject matter expertise to the security team as they shift part of their resources to either a forensic or ongoing espionage investigation.

In this way, the security team can now leverage passive collection methods to build a picture of the penetration’s signature and begin pursuing investigative leads. Likewise, the CE manager will coordinate and operate alongside other major stakeholders. The most important, typically speaking, is the IT component of the organization, where the most damage can be done in the shortest period of time. The reverse side of that equation is that the IT component can gather electronic data much more efficiently than the security team.

The CE manager/security team will add a host of critical information-gathering nodes by leveraging forensic IT security data, as just one example. In order to spot the tell-tale signs of espionage, the security team needs to not only be well-versed in the science of counterespionage, but also in the conduct of industrial espionage. From this theoretical standpoint they can make better sense of the evidence they have gathered. In short: it takes a spy to catch a spy.
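The "one report to portable media, never seen again" and "several one-time penetrations over weeks" patterns described earlier are exactly what a per-event or per-day alert threshold misses, and what the forensic IT data mentioned here can surface once it is correlated per employee over a long window. The following is an added illustration of that correlation, not code from the original post or from Optimal Risk; the log format, the `confidential` label and the thresholds are constructed assumptions.

```python
"""Correlate low-and-slow removable-media copies of sensitive documents.

Constructed example: every event in isolation is one file on one day, so a
per-event or per-day rule never fires; only aggregating one user's events
across a 90-day window shows the puzzle being assembled piece by piece.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint audit log (not real data): ts user host event path label
SAMPLE_LOG = """\
2014-01-06T09:12:41 jdoe WS-114 removable_write /share/rd/cell_design_v3.docx confidential
2014-01-06T10:02:11 asmith WS-201 removable_write /share/hr/holiday_calendar.xlsx public
2014-01-20T17:48:03 jdoe WS-114 removable_write /share/rd/electrolyte_test_q4.pdf confidential
2014-02-03T18:05:27 jdoe WS-114 removable_write /share/fin/q1_forecast_draft.xlsx confidential
2014-02-17T08:55:10 jdoe WS-114 removable_write /share/rd/supplier_shortlist.docx confidential
2014-02-24T12:30:00 asmith WS-201 removable_write /share/rd/cell_design_v3.docx confidential
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, host, event, path, label = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "host": host,
                       "event": event, "path": path, "label": label})
    return events

def sensitive_media_writes(events):
    """Group confidential removable-media writes by user, oldest first."""
    per_user = defaultdict(list)
    for e in events:
        if e["event"] == "removable_write" and e["label"] == "confidential":
            per_user[e["user"]].append(e)
    for evs in per_user.values():
        evs.sort(key=lambda e: e["ts"])
    return per_user

def max_docs_per_day(events):
    """What a naive daily threshold sees: the busiest single user-day."""
    counts = defaultdict(set)
    for user, evs in sensitive_media_writes(events).items():
        for e in evs:
            counts[(user, e["ts"].date())].add(e["path"])
    return max((len(p) for p in counts.values()), default=0)

def find_slow_exfil(events, window_days=90, min_docs=3, min_days=3):
    """Flag users who copied min_docs distinct sensitive documents to removable
    media on min_days distinct days within any window_days-long sliding window."""
    findings = []
    for user, evs in sensitive_media_writes(events).items():
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - start["ts"] <= timedelta(days=window_days)]
            docs = {e["path"] for e in window}
            days = {e["ts"].date() for e in window}
            if len(docs) >= min_docs and len(days) >= min_days:
                findings.append({"user": user, "docs": sorted(docs),
                                 "first": window[0]["ts"], "last": window[-1]["ts"]})
                break
    return findings
```

On the constructed log the daily view peaks at one document, so nothing trips a daily rule, while the windowed view flags the single user who assembled four confidential documents over six weeks.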
Posted: 27 February 2014 by Optimal Risk Admin
Filed under: convergence, counter, cyber, espionage, information, intelligence, security