Economic Espionage: Spies, damn spies, and the real threat (Part 2 of 2)
In Part 1 I spoke about the many threats to your organizations innovations and intellectual property and described two of the five key strategies I came up with to help you prevent loss. In Part 2 I provide you with the three remaining strategies.
3. Trust, but Verify
Develop a “people risk model” for your business. One that is designed for your specific industry, shaped for your specific technologies, and can address the specific threats you face. Use this model to screen employees, subcontractors, vendors, visitors, and others you engage. You should pay particular attention to subcontractors; be sure to flow-down all of your security protocols to their employees, subcontractors, vendors, etc.
Interesting side note: Chi Mak, who was arrested in 2005 for stealing and sharing Naval submarine propulsion technology to China, worked as an engineer for Power Paragon, a subcontractor to L-3 Communications, who was in-fact a subcontractor to Lockheed Martin.
Additionally, you should join your local InfraGard program and develop a close relationship with your local FBI field office. If you are involved in national security, defense, or homeland security technologies or projects, you should ask the FBI for a focused threat briefing for your sector. you should also share suspicious incidents, unsolicited emails, strange purchase orders for products, etc., with them. Finally, don’t be afraid to ask the FBI to help screen foreign visitor to sensitive facilities BEFORE those visitors actually arrive on your doorstep.
4. Use the Velvet Rope and Black Cloth
I know this probably goes without saying, but i’ll say it anyway–implement and enforce physical and computer security measures–I cannot tell you how many times I’ve visited facilities only to find the loading dock door propped open for smokers or visitors wandering the halls clearly displaying “Escort Required” badges. It’s also a good idea to do periodic walk throughs of your facilities, with a twist–think like the threat. As you walk the halls, stop and r3ad stuff on the walls, look in trash cans, pay close attention to what you can see through open doors. Also, sit in the cafeteria for a while and listen–what are employees talking about while they have their 10am coffee? Lunchtime?
You can help to prevent threats from getting what they are looking for if you sanitize those bulletin boards and use “velvet ropes” to block off areas they shouldn’t be allowed to wander around. In my early days at NSA we used black cloth to cover our desks and bulletin boards when uncleared visitors came into our spaces; it sounds simplistic, but it was effective. Finally, be sure to sensitize smokers and others about not leaving those back doors propped open. if you use “Escort Required” badges, make sure your people challenge visitors they see walking the halls without an escort.
5. Educate, Communicate and Reward
In the end, you must rely heavily on your employees to protect your organization’s projects and intellectual property–they are really your first and best line of defense. The best gates, guards, and firewalls won’t protect you very well if your staff doesn’t remain vigilant to the threats that these measures were put in place to protect against. The best advice I can give you for enlisting and sustaining your staff’s attention to prevent economic espionage against your organization can be boiled down to two axioms:
- What gets measured, gets done; and
- Reward the behavior you want repeated.
Establish simple and easy to implement measurement systems for the protection of your organizations projects and intellectual property. Hold project mangers accountable through regular evaluation of ongoing projects; publish the results of your findings publicly so everyone can see where the organization stands with respect to protecting against threats. Finally, publicly reward individuals, teams, and other parts of your organization for finding and fixing vulnerabilities or for actively practicing good personnel and information system security practices–rather than just punishing poor performance, be sure to actively reward GOOD performance; you’ll be surprised how effective this strategy can be.
Summary
In May, 2008, the Special Agent in Charge of the Pittsburgh FBI Division was quoted as saying “America has no friends when it comes to the research that gives its companies, universities and government a competitive edge. Countries all over the world – including friends and allies – would like to have that research, and they would love to get it for free.” I hope, through this article, I’ve opened some eyes a bit wider to better see and understand a) the threats they face from foreign (and domestic) sources, and b) some simple things they can do to better protect themselves from the threats.
In summary, here’s a review of recommendations:
At the Executive level:
- Develop prioritized list of company programs and projects (3 piles)
- Engages in process to regularly review and update list with executive team
- Working relationship with FBI office for classified/sensitive defense projects
For each project:
- Proactive effort to fully understand the threat
- Formal assessment of program/project vulnerabilities
- Documented mitigation strategy to address identified risks
- Screen employees, subs, and vendors with access to pile #1 programs
- Ask FBI office to screen at-risk visitors/foreign delegations in advance of visit
On a regular basis
- Hold cognizant staff accountable for knowing the domain
- Enforce physical and computer security measures – periodically test
- Measure what’s important and reward the behavior you want repeated
Remember…
- Ask the right questions;
- Do the math;
- Trust, but verify;
- Use the velvet rope and black cloth; and
- Educate, communicate and reward.
As always, comments and thoughts are welcome.
Chuck Georgo, chuck@nowheretohide.org
Chuck has served as a strategic planner, business analyst, and technologist for the National Security Agency, Federal Bureau of Investigation, Department of Homeland Security, Naval Criminal Investigative Service, Naval Security Group, Illinois State Police, and many other public and private sector organizations. He helped these agencies to develop meaningful strategies, to implement innovative technologies, and to assess their success towards achievement of desired public safety and homeland security results. He currently serves as Executive Director for NOWHERETOHIDE.ORG, First Vice president of the InfraGard Maryland Members Alliance, and Chairman, IJIS Institute Security and Privacy Committee.
