Printer Friendly

Is the secret out?

AMERICAN COMPANIES WILL continue to expand into the global marketplace throughout the decade, creating a tremendous challenge for security professionals charged with protecting proprietary information. Managers who fail to take on this challenge may be jeopardizing the financial stability of their firms.

United States industries were already collectively losing $23.8 billion due to intellectual property piracy as far back as 1987, according to the International Trade Commission (ITC). By 1989, ITC found that the damage had climbed to $40 billion.(1) These figures include only the dollar value of patent, copyright, and trademark abuse. They do not include the loss from trade secrets and other proprietary information.

The 1992 ASIS-sponsored Proprietary and Technology Theft Survey addressed this other aspect of intellectual property problems. In that survey, thirty-two companies reported dollar losses of $1.82 billion.(2) If all respondents had reported dollar losses, that figure would have been far greater. Extrapolating the average company's loss to account for the potential losses for the entire US business community would easily compare to the $40 billion loss from patent, copyright, and trademark infringement.

In the same survey, respondents were asked about the cost of safeguarding proprietary information. They reported annual average expenditures of approximately $15,000 for formal safeguarding of proprietary information programs. There seems to be a dichotomy between the loss American companies suffer and what they are spending to prevent that loss.

Proprietary information is the lifeblood of any business. The resources directed to safeguard this valuable commodity are not up to the task. But is it really an issue that demands corporate attention?

ALVIN TOFFLER, AUTHOR OF Power Shift, describes a power shift as a fundamental change in how society functions. The power shift that Toffler writes about is the increasingly important role of information in every aspect of society. Information is now more important to success and survival of a business than access to capital.(3) This new level of importance for information requires that security professionals take a fresh look at the entire issue of information security.

Business success in this high-tech world will belong to those who manage access to their corporate data. Information protection requires a broad understanding of the material to be guarded. Information, in all its forms--written, electronic, visual, and oral--is what makes any business succeed.

Unauthorized access to business information has traditionally been handled by physical security safeguards, computer security, and proprietary safeguard methods. Depending solely on these techniques to protect information presents challenges. These disciplines are often under the control of separate parts of the corporation. The security department provides security officers, access control, and perimeter barriers. The management information systems department is responsible for computer security, and anyone from human resources to administration could be responsible for the proprietary safeguarding program.

A lack of central control has left potential vulnerabilities in current proprietary safeguarding efforts. Worse still is that these efforts do not confront the realities that modern corporations are facing when operating worldwide. According to Special Agent David Major, special assistant to the assistant director in charge of the FBI's intelligence division, foreign targeting of American technology and trade secrets continues. Foreign governments have increased their efforts to monitor and acquire sensitive information developed in this country.

Commercial espionage is having such a serious impact on U.S. competitiveness that the FBI has established a strategy to address the problem. As part of the new national security threat list program, the bureau has issued definitions to help focus the issues.

Economic espionage, according to the FBI, is "Government-directed, sponsored, or coordinated intelligence activity, which may or may not constitute violation of the law, conducted for the purpose of enhancing that country's or another country's economic competitiveness by the use of the information by the foreign government or by providing it to a foreign private business entity thereby giving that entity a competitive advantage in the marketplace."(4)

Another facet of espionage is industrial. Industrial espionage is defined by the FBI as "Individual or private business entity sponsorship or coordination of intelligence activity conducted for the purpose of enhancing a private business and its competitive advantage in the marketplace, which is a violation of law."(5)

Management may be reluctant to call in the FBI to investigate a situation. The potential perpetrator may be a major business partner or potential customer. Security departments are always sensitive to management's concerns about the business impact of law enforcement involvement. Senior managers may want to assess the impact on other business deals before they approve federal involvement in the investigation.

HOW CAN A SECURITY DIRECtor with limited resources cope with this complex problem? Competitive safeguarding is one solution. Competitive safeguarding is a synthesis of three currently proven processes: competitive intelligence, counterintelligence, and operations security.

Competitive intelligence is a common business technique used to analyze both marketplace and competitor-specific information. It uses accepted intelligence and economic analytical techniques to gather data. Competitive intelligence has come of age with the creation of the Society of Competitive Intelligence Professionals (SCIP). SCIP is a professional association of business intelligence experts who make their living finding out information about people. These experts analyze everything that leaves a business and keep in touch with experts who understand the company and industry that is involved.

Competitive intelligence can play an important role in protecting a company's information. It requires that security teams turn competitive intelligence assets inward and look at their own company as a competitor. This unique application has several benefits. It identifies real and potential vulnerabilities that threaten trade secrets and other proprietary information; it lessens the surprise that might otherwise occur because of an inadvertent disclosure; and it helps companies see the big picture.

Often, in large, modern companies, the release of individual pieces of data is not considered harmful. What rarely happens, however, is a periodic attempt to look at the aggregate of that information to analyze what could be gleaned by intelligence analysts. Competitive intelligence professionals do exactly that type of overall study.

Using competitive intelligence in this manner allows security managers to better understand their own firms. It creates a ripple effect that continuously improves the overall information safeguarding program throughout the entire corporate organization.

COUNTERINTELLIGENCE HAS been around as long as espionage. Two thousand years ago, Sun Tzu stated in the Art of War that "It is essential to seek out enemy agents who have come to conduct espionage against you." Unfortunately, this is still a valid concern for modern security professionals. The Proprietary and Technology Theft Survey found that 58 percent of the known individuals involved in attempts to take proprietary information were either current or former employees. The insider threat is a challenge in this time of downsizing and outsourcing.

Traditionally, counterintelligence has been used to counter human espionage efforts. Modern counterintelligence is a multidisciplinary effort. A potential business definition of counterintelligence is investigative and analytical activities designed to determine the capabilities, motivation, opportunities, and activities of a competitor using illegal or unethical methods to gain proprietary advantage. A competitor could be anyone from a private U.S. or foreign business, individual, or government.

In the last ten years, counterintelligence professionals in the federal government redefined the discipline to counter more than the threat from human intelligence. It now addresses the threat from both signal and imagery intelligence collection. The new policy shows increased awareness of the threat from these other collection efforts. An awareness of how these intelligence collection efforts can affect an operation is essential for the security professional to understand.

Counterintelligence awareness and compliance are the cornerstones of any protection effort. Counterintelligence procedures are not difficult. Enforcing the need-to-know policy is the basic tenet of good counterintelligence. This can be done by carefully analyzing where sensitive information resides in a company and who needs access to it. Depending on the level of sensitivity, a business may require records to be kept of everyone having access and annotating dates of that access. Nondisclosure statements are another basic tool that can assist the security manager in establishing a viable counterintelligence effort.

Counterintelligence also involves simulating possible intelligence collection activities against the organization being protected. Red team is the common term for these actions. Contacting former employees or retirees, using pretext phone calls, going on plant tours, and collecting data by misrepresenting oneself are all low-risk collection methods that can be simulated. Of course, these activities should only be done with the approval of both management and the legal staff.

One general rule of thumb in intelligence is that given enough time and resources, a collection effort will be successful if allowed to operate in a benign environment. Counterintelligence operations identify, penetrate, and neutralize these efforts.

If properly applied, counterintelligence activities raise both the cost and the risk of collection operations. This gives collectors the choice of applying more resources to accomplish the task or of moving on to easier targets.

OPERATIONS SECURITY (OPSEC) is a proven, systematic analytical process that uses an adversary's perspective to find vulnerabilities to critical information. It was formally adopted in the executive branch of government in January 1988 when President Reagan signed National Security Decision Directive 298 (NSDD) National Operations Security Program.

OPSEC is a five-step process.(6) It is applicable whenever an organization has information that must be protected; a competitor that would benefit from acquiring that information; and the need to use that information in the normal course of its activities.

OPSEC fills a gap left by traditional security safeguards. The process complements these efforts. It does not replace them. OPSEC helps an organization focus those other security measures by identifying critical information.

The security manager builds the framework for OPSEC programs by answering three questions. What must the company protect? From whom must that information be protected? How long must it be protected?

Answering these questions can be difficult, particularly if too many people are involved. Most large organizations are bureaucratic. More progress is made if the discussion is focused on a particular program, project, or activity. When recommendations are formulated, senior decision makers must always buy into the answers and support the entire effort.

The OPSEC process is systematic but not sequential. Having identified adversaries allows the company to postulate a threat collection strategy.

A threat strategy determines what a competitor could already know about critical secrets. Security then analyzes what it still needs to know to use that information. An excellent starting point for this step is conducting an in-depth open source review of the commercially available databases that cover the company's territory.

Commercial databases are lucrative sources of information about nearly every company, organization, or activity. More than 7,000 databases are available in this country. This is the starting point for those who try to glean proprietary secrets. Other potential sources of information on a firm's critical secrets include government filings, press releases, and court records.

The next step in the OPSEC process, finding vulnerabilities, shows how information about a company's weaknesses could be gained by an intelligence collection effort. Vulnerabilities are determined by examining a company's processes, procedures, and activities. These issues are not normally examined in traditional security reviews.

Assessing risk is the next step in the process. The security manager must think about the difference between what is possible and what is probable. Resources will be allocated to vulnerable areas accordingly.

Analysis of risks can be difficult because it involves hypotheticals. Practitioners also have to understand the dynamics of organizations. It may be a challenge to get policy changes that follow from theoretical risks. Employees and employers naturally favor the status quo. Even when security convinces people that change is necessary, it is not easy to accomplish.

The biggest problem a company faces in this area is predicting the future. An inverse relationship exists concerning the potential for success and either the length of time information must remain protected or the number of people and organizations actively involved in the effort. Increasing either factor decreases the potential for success.

The last official step in the OPSEC process is recommending and implementing countermeasures. OPSEC countermeasures are unlike normal security countermeasures. They involve changing the processes and procedures that make up the infrastructure of the activity.

The major consideration is the cooperation of the people in the organization. They must understand the problem before they will assist in making changes. The responsibility for spreading the word on required changes and their benefit is a management issue. Convincing management is the OPSEC practitioner's challenge.

Some of the best OPSEC countermeasures can come from the people involved in the surveyed activity. People closest to the issue are always the best source of solutions to fix vulnerabilities. Involving them in the process almost guarantees their support and the success of the effort.

The presidential directive NSDD 298 did not address feedback or periodic review of the effectiveness of countermeasures. This was a serious oversight. Vulnerabilities can change due to several factors, including a change in the threat, a change in the resources available for a project, and compromises of sensitive information.

OPSEC analysis is an ongoing process. The best way to apply the process is to build it into the front end of the planning for any major sensitive effort.

By melding competitive intelligence, counterintelligence, and operations security, a company can best safeguard its information assets. Security managers can use these techniques to secure their companies financial strength into the twenty-first century.

1 Eduardo Lachica, "Trade Thievery: US Companies Curb Pirating of Some Items But By No Means All." Wall Street Journal (March 16, 1989): 1.

2 Richard J. Heffernan and Dan T. Swartwood, "Trends in Competitive Intelligence." Security Management (January 1993): 70-74.

3 Alvin Toffler, Power Shift (New York: Bantam Publishers, 1990), 3-10.

4 FBI white paper, FBI Strategy to Address the Problem of Economic Espionage and Industrial Espionage (Washington, DC: FBI headquarters, undated): 2-3.

5 FBI white paper.

6 National OPSEC Advisory Committee, National Operations Security Doctrine, Interagency OPSEC Support Staff, (Greenbelt, MD): 1-6.

Dan T. Swartwood, OCP (OPSEC Certified Professional), is the managing director of Strategic Corporate Safeguarding, Inc., in Severna Park, Maryland. He is a member of ASIS, the OPSEC Professionals Society, and the Society of Competitive Intelligence Professionals.
COPYRIGHT 1993 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1993 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:Information Security; commercial espionage
Author:Swartwood, Dan T.
Publication:Security Management
Date:Jun 1, 1993
Previous Article:Former foes, future friends.
Next Article:Managing by example.

Related Articles
SPI versus spy.
The cloak-&-dagger communicator.
Security key to value enhancement.
Countering the threat of espionage.
The spy who came to work.
The Economic Espionage Act of 1996: are we finally taking corporate spies seriously?
Stealing Secrets Solved.
Industrial Espionage Becoming 'Big Business'.
With friends like these ...: Ed Blanche reports on allegations of Israeli espionage on its closest ally, the United States. (Current Affairs).

Terms of use | Copyright © 2017 Farlex, Inc. | Feedback | For webmasters