Counter Intelligence

Introduction

A disturbing trend has developed in which foreign intelligence services, non-state actors, and criminals are using intelligence collection techniques against American companies to steal valuable trade secrets and assets. This activity can bankrupt a company by compromising years of costly research and development, weaken the U.S. economy, and threaten national security. According to the FBI, the cost to U.S. industry is tens of billions of dollars each year.

Corporate boards and executive officers must understand the true threat their companies face. It is one that has evolved beyond the stage where information security, as one example, can simply be delegated to the security office or CIO- it requires full executive engagement. With the tools available to economic spies, the American private sector is more vulnerable than ever.

Not too long ago, traditional corporate espionage was dangerous. It required the corporate spy to betray one's coworkers, clandestinely collect company documents, load and mark dead drops, and operate under the constant risk of exposure and arrest. Yet corporate espionage, like so many activities, has moved into the realm of cyberspace. In cyberspace, many American companies are left working in the modern equivalent of the Wild West, an unregulated frontier where the crown jewels of the corporation -trade secrets and intellectual property- are hijacked every day, often without the victim's knowledge. In turn, America often finds itself competing with the very developments and technologies our companies pioneered.

Companies must have aggressive security programs to protect their intellectual property, trade secrets, business processes, strategic goals, and the integrity of their brands. Security Engineering Associates (SEA) provides the steps involved in building a corporate counterintelligence program to complement your company's security program and respond to the intelligence collection techniques used by today's spies. An effective Counterintelligence program will ensure that your company has identified its most vulnerable assets, understands the threats to those assets, has discovered the vulnerabilities that might make your company susceptible to exploitation, and has taken the appropriate steps to mitigate risks.

Unlike many of our most active competitors who engage in cyber espionage, the United States does not have a centralized industrial policy. Our long-standing prosperity is a reflection of the free market. That places a large responsibility on the shoulders of American CEOs. The U.S. Government will share threat and warning information to the full extent of the law, but to protect our economy and our position on the global stage, much of our national security will have to move from the war room to the board room.

"Sensitive US economic information and technology are targeted by the intelligence services, private sector companies, academic and research institutions, and citizens of dozens of countries." - ONCIX

Report to Congress on Foreign Economic Collection and Industrial Espionage

Transformation in Corporate Asset Values Creates Economic Vulnerability

The U.S. economy has changed over the past 20 years. Intellectual capital rather than physical assets now represent the bulk of a U.S. corporation's value. Research by Ocean Tome Intellectual Capital Equity states the transition from an economy of tangible assets (real estate, hardware, vehicles) to one in which intangible assets (patented technology, trade secrets, proprietary data, business process and marketing plans) now represent eighty one (81) percent of the value associated with the S&P 500. This shift has made corporate assets far more susceptible to espionage.

Simon Hunt, Vice President and Chief Technology Officer of McAfee, said in a 2011 report titled "Underground Economies" that: "Criminals understand that there is much greater value in selling a company's proprietary information to competitors and foreign governments the cyber underground economy has shifted its focus to the theft of corporate intellectual capital."

When Security is Not Enough

When companies become targets of competitors, foreign intelligence services, and criminal elements, even aggressive security programs may not be enough. A Counterintelligence Risk Assessment can help determine the threat of espionage activity against your company and the size and scope of the Counterintelligence program or capabilities that are needed to address this threat.

Counterintelligence and security are distinct but complementary disciplines, and it is important for organizations contemplating the establishment of a Counterintelligence program to understand the difference.

  • Every corporation in America needs an effective physical security capability that ensures employees, facilities, and information systems are protected. Security, at its root, is defensive.
  • Counterintelligence is both defensive and proactive, and it incorporates unique analysis and investigation activities designed to anticipate, counter, and prevent an adversary's actions, protecting company resources and innovation.

Counterintelligence and security programs create a continuum of effective protection for your company.

Step One: Conducting a Counterintelligence Risk Assessment

The decision to create corporate Counterintelligence programs and practices will be based on concerns that your company and its assets are a target of foreign intelligence services, criminals, economic competitors, and private spies-for hire. Therefore, the first step that Security Engineering Associates (SEA) will complete in establishing a Counterintelligence program is to conduct a risk assessment that evaluates the threat to your company by examining available threat information, assessing your organization's vulnerabilities, and gauging the consequences of losing critical assets. SEA in cooperation with a senior executive or board member of your company will oversee the Counterintelligence risk assessment process from start to finish, drawing on both in-house experts and SEA expertise in Counterintelligence analysis, operations, and investigations to complete the assessment. A risk assessment will help determine the capabilities and resources that will be required to run an effective Counterintelligence program.

A. Identifying and Prioritizing Assets

SEA will identify and prioritize your company's most critical assets, to include people, groups, relationships, instruments, installations, processes, and supplies. The loss or compromise of these assets would be the most damaging to your organization, could result in substantial economic losses, or could harm U.S. national security.

SEA will support collaboration with industry partners and Federal agencies that have oversight or regulatory responsibilities in your business sector which will provide a fuller picture that will assist your company with this prioritization process.

SEA will assist your company's management in making the final assessment of those assets most worthy of protection.

B. Determining Threats

Next, SEA will need to assess the capabilities, intentions, and opportunity of potential adversaries to exploit or damage company assets or information. SEA will also determine if there are any gaps in an adversary's knowledge of the company or if your company is working on a particular technology or product that an adversary may be trying to acquire. SEA will provide assistance to Company Executives to establish relationships with Federal agencies to make use of existing threat reporting for this part of the assessment.

C. Assessing Vulnerabilities

Finally, SEA will need to assess the inherent susceptibility of its procedures, facilities, information systems, equipment, or policies to an attack. SEA will need to determine how an adversary, including a malicious insider, would attempt to gain access to your critical assets. When assessing vulnerabilities, SEA will consider the physical location of its assets and who has access to them, including both employees and outsiders.

SEA will identify any systemic or institutional vulnerability. Situations in which employees are dispersed geographically-including at overseas locations-or have access to or are involved in sensitive systems or projects deserve extra scrutiny.

Step Two: Laying the Groundwork for a Corporate Counterintelligence Program

The risk assessment will provide a better understanding of the scope and nature of the threats to your company's most important assets. At this point, a number of initial activities should be considered that will lay the groundwork for building an effective Counterintelligence program. To prepare for implementation, SEA will:

  • Assign or hire a program manager who is dedicated to the Counterintelligence program and has direct access to the CEO or senior partners so that Counterintelligence and security issues can be addressed expeditiously, discreetly, and with appropriate authority.
  • Establish that the Counterintelligence program will have a centralized management structure but will support the entire corporation, regardless of location.
  • Take steps to begin or continue strengthening strong relationships among the company's security, information assurance (lA), general counsel, and human resources (HR) departments; these relationships are critical to effective Cl.
  • Develop liaison relationships with relevant U.S. Government law enforcement and Intelligence Community agencies to ensure effective two-way communication on Counterintelligence issues of concern to both the corporation and the U.S. Government.

While companies will need to tailor Counterintelligence risk assessments to their unique circumstances, all assessments require three important actions:

Step Three: Identifying the Capabilities Needed

As progress continues on laying the groundwork, SEA will begin identifying the CJ capabilities needed for an effective Counterintelligence program that is focused on protecting your company's assets, brand, and intellectual property. The risk assessment will be an important guide during this step. The Office of the National Counterintelligence Executive (ONCIX) recommends a layered approach to acquiring Counterintelligence capabilities. Counterintelligence capabilities are essential to identifying and countering insider and cyber threats, which represent the two most challenging threats to U.S. corporate assets.

The following are six primary capabilities that should be considered when determining the size and scope of the CJ program your company requires:

Corporate Counterintelligence Program Capabilities

Threat Awareness & Training

New employee orientations and continual refresher training can equip the workforce with the skills needed to understand who your company's adversaries are, identify threats, and follow reporting procedures for suspicious activities. A highly trained and aware workforce is key to the early detection of potential threats. SEA will utilize a Counterintelligence-specific non-disclosure agreement before divulging their threat and vulnerabilities.

1. Analysis, Reporting & Response

An analysis, reporting, and response capability can integrate resources and information from across relevant corporate elements (CI, security, lA, HR, general counsel) and provide assessments and warning on data that may be indicative of a threat. Mature Counterintelligence programs will also want to incorporate risk assessments related to sensitive acquisitions into this analytic and reporting process.

2. Suspicious Activity Reporting

Defining, training the workforce, and developing company reporting policies on suspicious activities that are deemed inappropriate or potentially threatening could provide an effective "early warning system" of potential threats to your employees or company.

3. Counterintelligence Audit

A CJ audit capability would enable SEA to monitor user activity on corporate IT systems. This would help to identify anomalous behavior, deter the theft or unauthorized use of company information, and protect the company from network intrusions.

4. Counterintelligence investigations

Companies with more advanced corporate CJ programs may wish to augment their ability to conduct security investigations with a capability to perform preliminary Counterintelligence investigations that are consistent with the law.

5. Liaison

SEA will establish a liaison relationships with US Government law enforcement and Intelligence Community agencies, to facilitate the flow of intelligence reporting, investigations, referrals, and training opportunities to aid and assist the company.

Step Four: Implementing a Corporate Counterintelligence Program

Once the risk is assessed, the groundwork has been laid, and the Counterintelligence capabilities required are identified, SEA will can begin implementation of a Counterintelligence program. Although the investment needed to build an effective program will use company resources that might otherwise be dedicated to product development, marketing, and other priorities, it is important to remember that a properly designed program that is tailored to your company's unique security needs and that protects your critical corporate assets can more than justify the costs.

Program Management

The following describes three management frameworks that are recommended based on the level of capability your company requires. The functions are cumulative and build toward what ONCIX considers to be the framework for a full scope Counterintelligence program.

Basic Counterintelligence Program (Essential)

  1. A Counterintelligence Program Manager is assigned responsibility for development and implementation of the program. It is often beneficial to have one program manager who is responsible for both Counterintelligence and Security.
  2. The Program Manager serves as the focal point for a centralized Counterintelligence program and has insight and access to information from all corporate elements (security, lA, HR, general counsel) relevant to Counterintelligence.
  3. The Program Manager is responsible for liaison activities with U.S. Government law enforcement and Intelligence Community agencies to gather threat information, report information to the appropriate U.S. Government agency, and follow up on Counterintelligence issues of concern.
  4. Component Security Officers should report threat information to the corporate Counterintelligence program manager and should also consider reporting to their local law enforcement contacts.

Counterintelligence Program Management Frameworks

Basic Counterintelligence Program

  • PM develops and implements Counterintelligence program
  • PM oversees a centralized Counterintelligence Program office
  • PM maintains insight into all corporate elements
  • PM is responsible for liaison with US Government
  • Security officers responsible for tactical Counterintelligence

PM provides Counterintelligence guidance through training programs

Expanded Program

  • PM has received professional Counterintelligence training
  • PM manages a broad analysis, reporting, and response function
  • Employee records are centralized to enable PM access

Full Scope Program

  • PM oversees branch employees responsible for Counterintelligence
  • Counterintelligence manager oversees dedicated Counterintelligence training programs

Expanded Counterintelligence Program

  1. The Counterintelligence program manager has received professional training in counterintelligence.
  2. The program manager manages a dedicated Counterintelligence analysis, reporting, and response function that is responsible for assessing information from all the corporate components relevant to Counterintelligence (security, lA, HR, general counsel).
  3. Employee records are managed centrally to facilitate access by the program manager and to support Counterintelligence investigations.

Full Scope Counterintelligence Program

The Counterintelligence program manager oversees employees in the company's subcomponents or major programs who are dedicated to Counterintelligence responsibilities and have received professional Counterintelligence training.

Staffing

SEA will also assist your company to make staffing decisions when the size and scope of the Counterintelligence program is decided. Ideally, these points of contact will be dedicated full-time to the Counterintelligence program, respond to headquarters direction, and understand the specific Counterintelligence responsibilities assigned to company entities at non-headquarters locations.

A fully functional headquarters program should, at a minimum, be staffed with the following personnel:

  • Counterintelligence Program Manager: An individual responsible for managing the organization's counterintelligence program, which ideally has security or Counterintelligence expertise and is given direct access to the company's senior management. If necessary, companies might consider hiring a former counterintelligence or law enforcement professional to acquire this expertise.
  • Program Officers: The employees who will perform the Counterintelligence program functions. The number of program officers will depend on the size and composition of the company, the company assets needing protection, and other factors identified in the risk assessment.
  • Security Analyst(s): At least one individual with analytic training, appropriate understanding of the organization, and full access to relevant information technology systems who will maintain an appropriate awareness of threats to the company as a whole and to specific company assets. This person may attend analytic forums of interest on behalf of the organization.
  • Program Support Officer: At least one individual to assist the program manager and senior company officials by performing basic program management functions, such as strategy, policy, budget, and program evaluation.
  • Liaison Officer: An individual assigned to conduct extensive liaison with industry partners and with relevant U.S. Government agencies to ensure strong information sharing programs and processes.

Maintaining an Effective Corporate Counterintelligence Program

Once your Counterintelligence program is established, ONCIX recommends a number of follow-on activities designed to ensure that the program remains effective. We encourage companies with an active Counterintelligence program to:

  • Establish a process to share security and Counterintelligence "best practices" across the company's Counterintelligence, security, HR, and La elements and ensure that these practices are applied consistently throughout the organization.
  • Assess the effectiveness of your Counterintelligence program and capabilities periodically to ensure that they remain focused on the highest priority threats to your company and are providing a valuable return on your company's investment.

Copyright © 2009-2012. All rights reserved.