printer friendly version

Corporate counterintelligence

In the first issue of SafeGuard we provided a brief understanding what counterintelligence is, its role in the corporate environment and how it can support management to protect business secrets and valuable corporate information.

We also highlighted the shortcomings in present security doctrines that still promotes `hunker down' approaches behind fences, guards and locks in a world of portable information, laptops, cellular devices, etc. This might be good and adequate for the protection of property and lives. Unfortunately the protection of confidential business information requires a much more sophisticated and educated approach.

In this article we will look at the threats against information, discuss the responsibility of corporate leaders, focus on intellectual property and the need to have counterintelligence capabilities.

Introduction

The danger of business espionage and information theft is usually underestimated as most of the time there are no overt signs or indications of the attack.

Companies as well as foreign governments are now competing against each other for economic supremacy and technology.

The threat against our business and private information is serious. The Minister of Intelligence, Lindiwe Sisulu, recently warned in Parliament, on 17 June this year, that she will outlaw 'private intelligence' in South Africa, if those local companies practising intelligence continue to operate outside the law. Unfortunately she did not offer anything concrete to assist the corporate sector against these attacks.

South Africa also does not have any legislation dealing specifically with countering or protecting against business espionage. The official government definition (and practice) of counterintelligence caters for government only and makes no reference of any support for the corporate sector. It is different in the USA. In October 1996 the US Economic Espionage Act of 1996 saw the light. The Act is an attempt by the US Government to allow the FBI to assist American corporations against business espionage attacks.

The attacks against intellectual property and business information are not just restricted to local competitors but can also come from international competitors as well as foreign intelligence agencies. At the moment, five Ericsson's employees are on trial in Sweden for passing corporate secrets to members of the Russian Intelligence Service. The Los Angeles Times reported as far back as July 1995, that the then "President Clinton has ordered the Central Intelligence Agency (CIA) to make economic espionage of America's trade rivals, a top priority" (Stanley Kober, 1996).

"... Even during the Cold War, the economic competition existed. Now the competition between states is moving from the political-military level to the economic and technological level. In economics, we are competitors, not allies," said Pierre Marion, during an interview with a TV journalist. (Former head of the French Intelligence Service, DGSE.)

"While relying on and cultivating personnel from within the country, we will be active in introducing foreign intelligence resources, so as to promote China's economic development and social progress." (Chinese Vice-Premier Qian Qichen - 30 September 2002, People's Daily.)

Taking responsibility

In view of the above, the question can be asked, "How prepared and ready are our companies to protect their information against professional and sophisticated attacks from both local and foreign spies as well as competitors?"

Counterintelligence and the protection of business information are corporate issues and should be one of the top concerns of today's business leaders.

According to the guidelines published in the King II Report, the responsibility for the management of all forms of risk now resides with corporate leaders and directors. They will not only have to assess the vulnerability of their corporation to various threats, but will have to craft risk strategies and communicate it in the company. Various people and functions in the company can assist them but the ultimate responsibility stops with the directors. They will also have to show commitment to the task and will have to lead the way to link the corporate strategy with counterintelligence and the protection of the corporation's secrets.

In the past there were many reasons why executives shied away from voluntarily taking responsibility for the protection of corporate secrets. Many believed, and still do, that there is no threat against their information, others believe that it would be too expensive to employ counterintelligence measures, some argue that there are more important business issues, not recognising the value of the information they own, some are not prepared to allocate money and resources, whilst others are simply not interested because the protection of corporate information was not taught at business school. Others still believe that having a guard at the door and a firewall is all the protection they require.

It is also difficult for executives to come to grips with the concept of promoting business and openness whilst at the same time maintaining a high level of protection of the corporation's information and intellectual property.

Corporate strategy however, can only succeed if it adds value to all levels of the business, including the weakest links. Often, one of the weakest links in a corporation is the failure to recognise the need to protect against business intelligence operations and industrial espionage. Competitive rivalry and the attacks are most likely to occur on the business unit level. It is on this level where counterintelligence also has to focus on preventing the competitor from putting various pieces of information together to get the real picture. CEOs and executives are not always aware of the dangers their employees face whilst working with internal secrets and intellectual property.

Company executives will now have to go further in the protection of their information than the standard nondisclosure agreements employees are required to sign. They also need to make staff aware of the threat and prepare strategies which inform employees how to handle and counter the known threats used by those practising business intelligence. Some of the techniques used by those that gather business information are elicitation techniques, enquiries for information, pretext attacks, etc. Efforts have to be made to maintain confidentiality and to be vigilant. Many companies now forbid their employees to work on laptops or to discuss work in public places such as aeroplanes, restaurants, hotel lobbies, etc, or to talk work on cellular telephones in public places. Others again train their staff to do the right thing. The practice of business counterintelligence requires a different skills set and expertise than those required for security and the protection of computer networks, viruses, etc. Existing technology such as firewalls, keywords and traditional security are just not enough to protect confidential information.

Intellectual property

One just has to look at the characteristics of information to understand why it is such a difficult thing to protect. Information can be something that is audible, visible, or may be smelt, tasted and touched. It surrounds us in nearly everything we do, whether at home, at play or at work. The field of intellectual property is exploding and is showing tremendous growth.

Intellectual property is a valuable asset in any business. It is intangible and susceptible to copying, imitation and unauthorised disclosure. It is therefore vital to protect the intellectual property in a business. This can be done through appropriate contractual clauses, meticulous record keeping, by timeous applications for protection and regular audits. Counterintelligence is however necessary to protect against the activities of competitors, employees and business spies.

The emphasis in trade has shifted to information and technology-based products. The trade in intellectual property is also becoming a greater component of world trade. Some describe it as the new global currency. Intellectual property is more and more recognised as a company's most valuable asset.

"Whereas it is easy to understand the value of real estate or tangible assets, such as inventory, it is more difficult to understand the value of intangible assets, such as a method of doing business, one's Internet domain name, a list of potential acquisition targets, the know-how of key employees, or the marketing material used in a business. All these assets provide a competitive edge to their owner, and the loss of such assets can be just as devastating to a company as the loss of equipment, inventory, or other physical goods." (Deborah E Bouchoux, 2001.)

Intellectual property encompasses various concepts and consists of statutory rights such as patents, copyrights, trademarks, designs and common law rights such as trade secrets, know-how and confidential information.

It is important for the counterintelligence specialist and management to have basic knowledge of the statutory laws dealing with intellectual property rights. Statutory protection is the preferred form of protection of intellectual property. These statutes are the:

* Patents Act 57 of 1978.

* Copyright Act 98 of 1978.

* Trade Marks Act 194 of 1993, and.

* Designs Act 195 of 1993.

Common law protection can be relied upon in suitable circumstances. Advantages of relying on common law protection are that there is no formal registration procedure and the duration of the protection is not limited. Disadvantages are that the risk of unauthorised disclosure remains high and once the confidentiality is lost the protection under the common law no longer applies.

Counterintelligence protects businesses' most valuable possessions

"Relying on your employees' common sense is risky business. According to experts, to protect a company's private information, you should create a written policy that outlines what you are protecting and also describes what you expect from employees when it comes to communication." (Chris Penttila, 2000.) It follows from this that employees need to be made aware and trained how to deal with their business environment from a counterintelligence perspective.

It is not always easy to implement counterintelligence as it involves taking responsibility, changing people's mindset and also requires a formal set of tactics and strategies. Companies could start to implement counterintelligence with their new projects, products or services. Special emphasis is then placed on protection of the information and personnel during the incubation and development processes.

Steve Whitehead

Share this article:

Further reading: