Q: I am trying to garner support for creating a corporate counterintelligence (CI) program within our security organization; we are an international company with people and facilities in multiple countries. What does a “good” corporate CI program look like?
A: CI Defined - The US Government’s national CI effort is tactically focused in the sense that policy and legal authorities define and direct “activities” to be conducted and “information” to be gathered to counter foreign intelligence (and terrorist threats). Entities empowered to manage CI investigations and operations attempt to synchronize the “CI yield” so that it can be used strategically to more consistently advance broader national security objectives and systematically degrade the capabilities of US adversaries. By government measures, CI success is publicly quantified by statistics like arrests, convictions, assets seized, illicit technology transfer disruptions, etc.
So, how does this translate to a corporate CI program, which has few if any at all of the authorities or responsibilities inherent to governmental elements? The role of CI in an organization supporting the defense industrial base (DIB), especially US government classified programs, is readily apparent, particularly in the safeguarding of national security and militarily critical information. But what about other industry sectors? Do public utilities or businesses in health, financial services or information technology sectors really need CI? The answer is a resounding, “maybe.” Deciding whether the investment is worth the potential benefits requires a few key questions:
For its lifeblood, does your organization rely on: Patented or copyrighted products? Trade secrets? Proprietary information, technology, services or processes? Are supply chain vendors/subcontractors hired to support any of those areas? Is research and development a core capability? Does your organization provide goods or services not provided by anyone else? Are foreign nationals employed in the organization (domestically or internationally)? Are US citizen employees assigned to facilities outside the US? If you answered yes to any of these, then your organization is a viable candidate for a dedicated CI program. Protection of any asset that if lost, stolen or compromised would disrupt business operations, erode competitive advantage, or damage brand name equities requires ‘CI thinking’ and protective measures that extend beyond typical security protocol.
Once you’ve decided that a CI capability makes sense for your organization, where do you start? Five general first steps:
- Start small - Recruit a small cadre of smart people. Professionals trained in certified CI-centers of excellence (FBI, NCIS, AFOSI, US Army CI, CIA, etc.) bring, CI Knowledge, Skills, Abilities (KSAs) but most are also trained investigators. They are security-cognizant and add value in other areas such as insider threat initiatives. You don’t need a cast of thousands - one good CI officer and a CI analyst can make an immediate impact.
- Formalize the capability – Formally designate CI (e.g., Program, Unit, Cell) and identify an accountable individual (e.g., Senior CI Officer, Program Manager). Even if it is an embedded function within the security organization, GSOC or other trusted analytical component, give it an identity and let the workforce know it exists.
- Establish protocol – Factors like your organization’s size and structure – the nature of the key assets requiring protection, I/T configuration, existing security program maturity, the composition of your workforce, and other factors unique to your organization (or sector) – will determine the necessary rigor of your CI protocols. At a minimum, your CI cadre should develop an incremental plan to identify core/key assets, understand which countries/foreign entities are likely to be seeking those assets, assess how the assets are most vulnerable and put specific protective measures in place.
- Engage partners – Encourage the CI program manager to establish and maintain partnerships with relevant government CI components and private industry CI teams. This drives information sharing, analytic exchanges, and keeps your CI program “plugged in” to threat trends and best practices. In addition, having your program on “speed dial” with the local government CI component (typically FBI) can equal faster response time in fast-moving situations. A critical internal partnership will be the CI program’s relationship with organizational information security programs
- Training and awareness – Add CI awareness briefings to existing security training; educate the workforce on the imperative to protect the organization’s “lifeblood” and to report activities or behaviors of CI concern.
Remember that security and CI are interdependent and mutually beneficial capabilities. Building on this synergy, a robust corporate CI program should bring into sharp focus how the organization is committed to protecting its people, facilities and information against collection efforts from foreign intelligence entities (FIEs); as well as activities by terrorism actors.
While it is true that defense-related and dual-use (military/civilian) technologies have always been the primary targets of foreign intelligence collection, there is irrefutable evidence that commercial trade secrets and proprietary information are increasingly becoming the targets of FIEs and their surrogates.
Many of the countries that are home to our foreign intelligence adversaries either directly sponsor or condone systematic collection activities to advance their businesses and economic interests. Don’t let your organization become a soft target – let CI (and security) keep you informed and prepared.
Answer provided by John Slattery, Security Executive Council Emeritus Faculty member.