Countering the threat of espionage.

The stunning rapidity of the changes witnessed in the world order has not altered the basic premise that information for countries or corporations is the key to competitiveness and survival. The methods and techniques used to protect this information--counterespionage--have taken on economic, as well as political, implications in a developing global economy.

The first step in developing a comprehensive counterespionage strategy is to examine the nature of the threat and the motivation of the spy in the corporate structure. History has shown that spies are motivated by money. Financial problems or outright greed coupled with the opportunity to capitalize on access to classified information led to the spate of national spy cases in the late 1980s.

At first glance, the payments from Soviet and Chinese intelligence appeared extremely generous. John Walker, for example, received $1 million during a seventeen-year period for selling U.S. submarine technology to the Soviets. More recent is the alleged spy activity of Aldrich H. Ames, a CIA counterintelligence officer, and his wife who lived in the Washington, D.C., area. Both are charged with turning over top-secret documents to the Soviet Union and later to Russia. It has been estimated that Ames was paid more than $2.7 million since 1985 for his work as a double agent.

The payoff for corporate spies can be much greater than the figures cited here. Chien Ming Sung, an employee of General Electric (GE), received $1 million per year to pass along secrets of industrial synthetic diamond production to a South Korean company. This secret alone, notes Peter Schweizer in Friendly Spies, has been estimated to be worth $500 million annually in future sales. Sung's espionage career was brought to a halt as the result of an investigation of his activities to recruit a GE technician, who reported the suspicious contact to company security officials.
Is this an isolated or unusual occurrence in the business world? The 1992 ASIS-sponsored Proprietary and Technology Theft Survey brought this question directly to the U.S. business community. The results of the survey were issued in the article, "Trends in Competitive Intelligence," that appeared in the January 1993 issue of Security Management. The thirty-two respondents reported dollar losses of $1.82 billion as a direct result of intellectual property theft from their businesses. Ironically, Richard J. Heffernan, CPP, and Dan T. Swartwood, authors of the article, note that these same respondents reported average annual expenditures of $15,000 to safeguard proprietary information.

This incredible disparity is symptomatic of the fragmented, piecemeal manner in which the security industry has struggled with the development of a cohesive counterespionage strategy both in government and in business.

From the mid-1970s to the mid-1980s, attempts to create a true government-wide counterespionage strategy were frustrated by bureaucratic rivalries, turf wars among the members of the national counterespionage community, and a constant scramble for resources to justify efforts. As late as 1987, after the enormity of the damage caused by the Walker ring had been recognized, the chief of operations for the U.S. Army's worldwide counterespionage unit made the startling announcement that the Army was spending more to support its musical programs than on its worldwide counterintelligence mission.

Beginning in 1986, however, dramatic actions were taken in the development of a national counterespionage strategy. The highest levels of government directed that a coordinated and cohesive counterespionage program be implemented by all members of the national counterespionage community--the Department of Defense, FBI, CIA, and Department of State.
Private businesses can use the strategy and techniques developed under this government program as a guide in their efforts to deter, detect, or investigate incidents of industrial espionage.

An espionage attack on a U.S. corporation in a global environment can come from at least three directions. The first is from the entrepreneurial spy--the employee who steals proprietary information and trade secrets with the specific intent of selling them to the highest bidder. An attack can also be mounted by global competitors to weaken the position of the corporation in the world marketplace. A third avenue of attack can come from the professional intelligence services of governments that seek economic information to further bolster the competitive edge of their national corporations. The following basic counterespionage strategy can be applied to defeat an espionage attack from any of these directions.

Ensure support. The first step for the security director is to obtain the understanding and support of senior management. Nothing will lose the confidence of senior management quicker than overstating the nature of the threat. The security director should analyze the potential of real risk to the company, monitor current cases in the corporate counterespionage field, and periodically provide short background briefings to senior management to ensure that management remains sensitized to the threat. The security manager must also maintain close and continuing coordination with the company's general counsel, providing similar briefings to illustrate the manner in which other companies have legally dealt with an espionage incident.

Centralize responsibility. Companies tend to fragment the security responsibility along functional lines. The security director must convince senior management that overall responsibility for the counterespionage program of the company should be placed with the security department.
Working in coordination with the other functional department heads, the security director should be ultimately responsible for the counterespionage program of the corporation. To decentralize the responsibility destroys the synergism of the individual elements of the overall strategy.

Focus resources. Working closely with senior management, the security director should also develop essential types of information that need to be protected, such as technical advances, product development schedules, and client and pricing data. The security director must ensure that counterespionage resources are used to protect the most critical information assets.

The basic elements of the strategy will be those methods and techniques needed to deter, detect, and neutralize an espionage attack.

Deter. The importance of those measures that deter individuals from attempting espionage cannot be overemphasized. The majority of employees are honest; it is only a combination of poor attitude, available opportunity, and overriding need that will lead a person to commit espionage. A security director can do relatively little to help those employees with poor attitudes or great personal needs. However, measures can be taken that raise the risk level and reduce the opportunity for these individuals also to commit an act of espionage. Most measures used are traditional counterintelligence protective procedures: random personal belongings checks of employees leaving work, access controls, and need-to-know procedures for the information that has been clearly identified as proprietary or classified as a trade secret.

Routinely scheduled security awareness briefings are a necessary part of a deterrence strategy. These briefings should be tailored to the audience and should highlight the type of information the corporation considers proprietary, as well as the latest cases in the corporate counterespionage world that illustrate the ways competitors attempt to collect this information.
Anytime an employee entrusted with proprietary information attends a conference, symposium, or seminar, the security department should have a policy of providing individual security awareness briefings. These briefings, which should become a matter of record, review which information assets must be protected and how any suspicious attempts to collect proprietary information can be reported. Any additional deterrent measures developed by security should be directed toward making an individual think twice about the risks of industrial espionage against a company that they may consider targeting.

Detect. The security director must also have mechanisms in place to detect any individuals not dissuaded by the company's deterrence measures. One effective mechanism is to establish a security hot line, where employees can report suspicious activity anonymously if they wish. The hot line can also be used to report incidents of waste, fraud, and theft of product and time. Most people want to work in an environment where they feel secure and genuinely dislike those who openly steal from an employer. The employee who steals products or information from a company is ultimately hurting fellow employees, and most people, realizing this, will not hesitate to report the activity.

Along with the hot line, employees should have a means of reporting directly to security officials attempts to elicit proprietary information. Once a report is made, knowledge of the incident and those involved must be limited to members of the management team who decide how to proceed with the investigation. This policy will help prevent any alleged suspects from learning that their attempt to obtain proprietary information has been reported to management.

Neutralize. Once it has been determined that the corporation is under an espionage attack, management must decide how to proceed.
If the attempt to obtain information is the result of an employee's report, is that employee willing to cooperate with security officials to resolve the situation? Should a professional undercover investigator be introduced into the operation at some point? Senior management should be aware that investigating the incident may require the employee involved or the undercover investigator to reveal some company information to build credibility in the eyes of the suspects.

A decision must also be made about when or if a law enforcement agency should be included. If prosecution is the goal, this must be done. However, once a law enforcement agency is involved, legal restrictions may affect how the investigation is conducted, and the company may lose some flexibility in making its own decisions.

The investigation of an espionage incident is a complex and demanding undertaking. The security director should seek outside professional advice and assistance to develop an investigative objective and a course of action to resolve the situation. Senior management must be involved in all stages of the investigation to assess the economic impact that may result. This coordinated team approach is the best way to ensure a successful operation.

Working in cooperation with senior management, the security director must take the lead in developing a corporate counterespionage strategy. The counterespionage function must be centrally controlled to ensure that the program is comprehensive and integrated and that all available investigative resources are brought to bear in the event of an espionage incident. By developing programs to deter, detect, and neutralize espionage, the security director can play a major role in reducing the possibility that the company will face catastrophic loss caused by a well-placed corporate spy.

E. Paul O'Connell, CPP, CFE (Certified Fraud Examiner), is the managing director of Sigma Group, International, Ltd., a worldwide security consulting and investigations company. He is a member of ASIS.