Tackling the Converged Nature of Industrial Espionage

Espionage is probably one of the more severe manifestations of converged attack on large corporations. To consider what is at risk, one must consider everything that comprises IP, and confidential plans and strategy appertaining to new market entry, M&A, new product development, and channel partnerships. To miss the key point that this is not a pure cyber threat but a converged threat is one of the key failings of security planning & management, and represents one of the main fault lines in Enterprise Security Risk Management [ESRM].
 
One of the greatest problems with espionage is knowing whether you are a target or a victim, and once you do discover it, it is not straightforward to conduct the forensic work to find out how it was perpetrated. Recent examples of industrial espionage through cyber means have highlighted that data has been exfiltrated over several years. There is also the challenge of identifying the breach as espionage, as it is invariably difficult to establish who the recipient was, and to recognize that industrial intelligence may have been passed through different owners to the final consumer.
 
It is therefore complicated to target your organizational response once you realize you have been breached, and that you are a victim of espionage, when you have an over-delineated approach to IT and physical security which does not account for the converged nature of the threat. In organizational terms, you may be facing severe consequences depending on the destination of the leak, and in the minds of some managers this is a critical situation, particularly if the company is publicly listed and knowledge of the breach may lead to a significant impact on share price. So it raises questions of how you respond to that, and more pertinently: how do you prepare for such an eventuality?
 
The prevailing situation is a reactive one, where ‘reasonable’ efforts are made to protect information, and there is a reluctance to accept that espionage exists in many cases. The IT security function will be alert to some forms of threat, invariably from external sources, though they are increasingly alert to the exfiltration of data irrespective of internal or external initiation. In parallel, physical security will try to influence the day-to-day operations to heighten awareness of insider threat, intruders and suspicious events. Invariably, suspicions of espionage are raised based on some cursory evidence and then an investigation commences. This is naturally reactive, and reactive to instances where an act has been discovered in progress, when the perpetrators are likely to be most vulnerable. However, invariably, some damage is already done, and discovery after the event can be crushing.
 
The ‘loss’ of a laptop or briefcase to a competitor [or even a state intelligence service] cannot be undone even if the employee admits to his role. Similarly, identifying the former employee who sold passwords, or an existing employee who unknowingly fell victim to subversion or coercion, will do little to retrieve the situation. This naturally raises questions that are already being addressed for other types of lower-impact, higher-probability security risks, but require answers that prove more challenging for the converged nature of 21st century industrial espionage.
 
  • Given the nature of the risks, can firms continue to be reactive or passive in relation to espionage?
  • Can they afford the potential losses that could be incurred if 3-5 years of R&D is lost, or their top clients do not renew contracts because their bids are suddenly and consistently uncompetitive?
  • How does the concept of ‘resilience’ apply to espionage?
  • How does a company plan define ‘recovery’ in the face of a massive loss of competitive advantage?
  • How does a company plan to replace what is lost?
  • How can a firm realistically count the cost of lost competitive advantage?
  • How can firms retain staff [in which much IP resides] within an organization that needs to implement or escalate security measures?
 
These are all valid questions that require an organization-specific answer according to the needs of the business. That answer will not be provided in this article, because there are more fundamental problems that need to be addressed by establishing an organizational consciousness about espionage and the converged nature of the threat. So the real first question is how to go about answering these questions.
 
A major converged threat like espionage is made all the more likely through physical security flaws rather than cyber; and much as security policy can be rewritten to modify behavior, the threat cannot be solved by a piece of paper, even if every employee signs it. Trying to introduce more security discipline among employees differs considerably from a management-centric initiative of developing a sensitivity & awareness to threats from disgruntled or former employees, simply because the activity of rogue employees engaged in espionage would be different to that of those developing a grudge, and more difficult to identify in the preparatory phases of an act of espionage if they were being well ‘handled’.
 
There is no perfect solution to the organizational challenge. Firms in some sectors have developed a culture that is protective of intellectual property, and are made aware of a very real espionage threat to what the organization recognizes as company secrets; but this is never immune to the more sophisticated side of espionage, which includes coercion & subversion of staff, and the insider threat is always difficult to address without creating an unhealthy atmosphere. Moreover, people are inherently flawed and can be induced to make mistakes outside of the office environment, and it is near impossible in business to encourage staff to adhere to guidelines in their private lives, or home, or social environment, despite the fact that in these circumstances they are most vulnerable. This applies not only to company ‘secrets’, but to a plethora of information that corporate spies can leverage [including social engineering] to undermine cyber and physical security measures.
 
Many firms underestimate the role of human threats to the cyber domain, and similarly fail to recognize the vulnerability of staff in cyber space. This translates simply into cyber methods to undermine physical security measures, and physical vulnerabilities to IT security. Once this is laid upon imperfect IT security and outdated or lazy physical security practices, the scale of vulnerabilities is obvious to the trained eye... and the eye in espionage is typically well trained.
 
Accepting the cyber dimension has not yet translated into a driver for appropriate counter-measures, and some believe that it never will. Because there is great risk to company confidential information rather than customer information, there is no driver in ‘compliance’ to improve security; just the hope that adhering to standards will raise security sufficiently to mitigate the risk. However, achieving a ‘standard’ for IT security will never suffice, no matter how much the board hopes this to be the case, because the solution cannot be one-dimensionally information technology-based.
 
IT security managers know little about espionage and the nature of that security risk; in fact it plays to the strengths of some physical security managers, though most are unfamiliar with the converged nature of current espionage methods. To some information security officers, neither the motive nor the objective may define the overall defensive concept, because IT security can invariably translate into a myriad of layers, measures and end point security that all cobble together into a jigsaw that spells security. The converged nature of the threat identifies that the cyber domain is but another potent tool in the hands of professional teams that have an unconventional approach to theft, and a meticulous and sometimes counter-intuitive approach to out-playing corporate defence.
 
Implementing best practices in securing against espionage can provide a comprehensive solution, but they represent a long-term commitment to both tactical and strategic initiatives, and are not without cost. Invariably the justification for such an investment is weak unless an organization has recently become a victim of espionage, or they have become privy to information about one of their peers in similar circumstances. While many companies may deny that the threat is significant because attention is drawn to other cyber incidents, recent research findings are not attributing the majority of cyber breaches as potential espionage activity. And more security directors are prepared quietly to confront the elephant in the room.
 
It is difficult to get traction among managers, particularly regarding the potential damage caused by espionage; but managers tend not to lose sleep over worst-case or low probability scenarios. However, in order to break down silos that exist in different spheres of responsibility, setting periodic taskforces to address different ‘typologies’ of threats like industrial espionage is a very effective way of creating an issue-focused team that have a common focus for their different specialisms. The debate of how to manage and lead a converged security operation can be solved in this issue-driven manner, with a risk-informed leader tasking a converged team of managers to address specific threats from a combined perspective, and it really requires this risk-informed leadership to ensure that the objectives and outcomes are suitable.
 
If you don’t know where to start, but you know that there is a vulnerability, and you have to appraise the risk, you should start by ‘getting tested’. The often quoted cases of failure in implementing or introducing converged security tend to reflect the inception of focus and priorities, and this is easily solved by engaging a red team to demonstrate how a converged attacker could conduct an advanced and persistent campaign of espionage. The organizational self-evaluation very quickly creates common cause among different managers around the threat and, more importantly, introduces each manager to the boundaries and interdependencies of his colleagues in other functions, for delivering both security and continuity. As many commentators claim that this is the greatest barrier to converged working, engaging a converged red team would appear to be a uniquely valuable process.
Posted: 13 May 2013 by Optimal Risk Admin