Two experts are concerned that employees are no match for nation-state spy services tasked with obtaining a company's vital intellectual property.
Companies—large and small—need to be aware of espionage threats. If that seems a bit overboard, consider the dramatic increase in the number of incidents related to geopolitical cybercrime.
"Many authoritarian governments are doing everything they can, including using their spy services, to build successful businesses and grow their economies," explained Bill Priestap and Holden Triplett, co-founders of Trenchcoat Advisors, and adjunct professors at Georgetown University's Walsh School of Foreign Service, in their Lawfare Institute article: The Espionage Threat to U.S. Businesses. "These nation-states are consciously building national champions to dominate industries to extend their national power—not just domestically but also worldwide."
SEE: Identity theft protection policy (TechRepublic Premium)
This significantly changes the playing field
As to what this means, business owners must realize their competition now includes corporate rivals supported by nation-states having significant resources and capabilities. Priestap and Triplett suggest most businesses are unprepared for this, adding, "They have neither the information nor the tools they need to protect themselves..."
Priestap and Triplett advise the weapon of choice is espionage, since an average business owner would never suspect that kind of interest. "Intelligence and the art of spying are no longer constrained to the government sphere," mention Priestap and Triplett. "The assets that competitor states are now seeking to obtain from the United States are not possessed by the government—they are possessed by companies."
What are we looking for when it comes to espionage?
Very simply, espionage is all about obtaining intellectual property (IP) and, if possible, directly from those who developed the IP, as they know more about the IP than anyone else. "This is why people are simultaneously the greatest defense and the greatest vulnerability of any organization—be it a government agency or a business," write Priestap and Triplett. "The strengths and weaknesses of an organization's people are the strengths and weaknesses of its business. That is often true in general, but it is especially true when considering the threat of espionage."
What is the answer?
Those responsible for IP within a company should be working with employees. For example, do employees know who to inform if they are approached, offered a bribe or are being blackmailed?
Also, "know thy enemy" comes into play. "If businesses want to protect their assets, then developing an understanding of spies and their activities should become standard practice for business leaders and investors today," suggest Priestap and Triplett. "[Businesses] need to develop sophisticated defenses to the slew of attacks from nation-states."
A good first step, according to Priestap and Triplett, entails understanding the company business, the specific industry and where the business fits into the global landscape.
Regarding the global landscape, the article uses the Made in China 2025 plan as an example. The plan details 10 industries in which China intends to dominate, first domestically and then globally. Priestap and Triplett offer the following examples of questions needing to be asked by responsible parties within the company:
● Does the business belong to one of the ten industries?
● Is the business in an industry that produces a key technology needed by other countries?
● Is the business, its partners or supply-chain vendors located in jurisdictions that require them by law to cooperate with the local intelligence and security services, possibly without judicial review?
"Answering these types of questions helps a business understand the severity of risk it faces based on its industry," advise Priestap and Triplett. "It matters greatly, for example, if the business is facing an advanced persistent threat—that is, an individual or group with a full range of intelligence techniques and specific objectives."
Also important is the identification of a company's most important assets—ones that, if lost, would affect the company's ability to continue operating. "This is not just about advanced technology or cutting-edge research and development," explain Priestap and Triplett. It also includes the following:
● Knowledgeable employees, key suppliers and unique business processes
● Company business strategy for the coming years
Companies must determine all that needs protecting; anything that provides a business with a competitive edge may be targeted and exploited.
And finally, companies must address their vulnerabilities—cyber and otherwise. "Spy services often look to employees as an entry point into a company," mention Priestap and Triplett. "If such employees have financial or familial connections to competitor nations with sophisticated spy services, then they could be targeted."
The two authors are adamant that responsible parties at companies must prepare employees for this possibility, and, in the heat of the moment, assist the employee(s) being targeted. Priestap and Triplett also caution that company representatives should offer the same assistance to pertinent people at the company's partners and vendors.
If Priestap and Triplett are correct, understanding and mitigating company espionage will chiefly depend on how well employees are trained in counterespionage.
- Looking for cybersecurity experts? Consider hiring veterans (TechRepublic)
- New US cybersecurity plan makes it easier for businesses to get help after an attack (TechRepublic)
- How to become a cybersecurity pro: A cheat sheet (TechRepublic)
- Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
- Shadow IT policy (TechRepublic Premium)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)