Corporate Counterintelligence

Corporate Espionage, sometimes referred to as Industrial Espionage or Corporate Spying, is a very real and large-scale problem targeting U.S. businesses today, responsible for the loss of hundreds of billions of dollars annually. While this is not a new crime, it is one that has greatly benefitted from the Internet, for reconnaissance, targeting, intelligence collection, and actual theft.  The main legal difference between Economic Espionage and Corporate Espionage is the origin and allegiance of the offender.  Economic Espionage is committed primarily by foreign governments or agents of that government. Corporate Espionage or Theft of Trade Secrets is committed by a competitor or agent of that competitor.

According to the Economic Espionage Act (Title 18 U.S.C. §1831), economic espionage is (1) whoever knowingly performs targeting or acquisition of trade secrets to (2) knowingly benefit any foreign government, foreign instrumentality, or foreign agent. In contrast, the Theft of Trade Secrets (Title 18 U.S.C. Section 1832) is (1) whoever knowingly misappropriates trade secrets to (2) benefit anyone other than the owner. More commonly referred to as Industrial Espionage.

Why are the losses so high in Corporate and Economic Espionage cases?  The offender is stealing more than the actual “widget,” they are bypassing and essentially stealing the hundreds of millions of dollars that were invested in research and development of the “widget.”  A great example to illustrate this is the actions of the Chinese and the attempted theft of drought and pest resistant corn seeds.  Recently, Chinese nationals were caught digging up cornfields in Iowa to locate these seeds so they could reverse engineer their development, thereby skipping the research and development costs associated with developing the seeds.  According to the FBI, China is the perpetrator in 95% of the state sponsored investigations or Economic Espionage investigations.  These actions are not limited to foreign governments and foreign actors, they are often initiated by competitors to gain a competitive advantage.  These competitors can encompass a wide array or determined collectors, including employees, hackers, subcontractors, vendors, business partners, academia, or information brokers looking to purchase access from your employees.  Companies must realize and address this threat before it forces them out of business.  As with Foreign Governments, Companies must initiate Corporate Counterintelligence Programs.

Corporate Counterintelligence and Physical Security Programs are complementary to one another, both are defensive in nature, the CCI is also proactive. The goal of an effective CCI Program is to detect, counter, and disrupt the adversary’s actions, to protect the company’s resources. A key indicator of a successful CCI Program is the strength of its underlying Insider Threat Program (which is discussed on the Insider Threat webpage) This is accomplished through risk assessments, employee awareness training, intelligence collection, auditing, analysis, liaison, and investigation.

The first step to building a successful program is to conduct a Counterintelligence Risk Assessment to identify and prioritize your organization’s assets, determine the viable threats to those assets, and your organization’s specific vulnerabilities. This process requires the involvement of Senior Executives, the Board, industry partners, and potentially the Federal Bureau of Investigation’s Office of Private Sector for an accurate threat picture. The current remote/hybrid work environment must also be taken into consideration as a potential threat. Along with remote work, remote hiring, and the prospect of never physically meeting new employees must be taken into consideration as a potential threat. Does your organization really know who they are hiring? Are they really who they say they are, do they live in the US or a threat country, who else do they concurrently work for? These are all potential CCI issues//risks. Organizations are inviting this threat into their network with their haste to fill positions.

Now that you have an idea of what you need to protect, from who, and what, you can move to the next step of laying the groundwork for the program

You are ready to begin developing your organization’s program. Depending on the size of your company, you may want to assign or hire a program manager that is dedicated to the CCI program and has direct access to senior staff to quickly mitigate threats with the appropriate authority.  The CCI program should have a centralized management structure but also support the entire organization.  The CCI program should have designated representatives from Executive Management, Legal, Human Resources, Physical Security, and Information Security assigned and on call to quickly convene and address threats as they are detected. (These representatives also comprise the Insider Threat Board.)

The results of the CI Risk Assessment will guide your organization’s capabilities requirements to protect your assets, brand, and intellectual property. One of the first items your organization will need to implement is Threat Awareness Training. This training should be integrated into new employee orientation and regular annual training to keep your employees apprised of your organizations adversaries and the threat they pose.  The key to a successful CCI Program is early detection. Second an Analysis, Reporting, and Response capability must be established to integrate information from the relevant entities previously mentioned (Executive Management, Legal, Human Resources, Physical Security, and Information Security). The third item requires the establishment of Suspicious Activity Reporting procedures.  Your employees learned what to report in the Threat Awareness Training, now they need to know how and where to report what they notice.  Next, the CCI Audit capability should be established or incorporated into an existing function.  A “blue” team should be established to detect, identify, and monitor anomalous employee behavior. This team should also have the capability to conduct investigations. Finally, your organization should establish a relationship with the Federal Bureau of Investigation’s Office of the Private Sector to facilitate intelligence reporting, referrals, investigations, and training opportunities.

Arruda Group can assist your organization with the development of a solid Corporate Counterintelligence Program, assist with rebuilding your current program, and design Threat Awareness Training that is both educational and engaging.

1. Identify what you need to protect, assets
2. Identify the threat(s)
3. Develop a plan to protect the identified asset(s)
4. Limit physical and cyber access to the asset(s)
5. Assess your vendors for security risks
6. Develop and provide ongoing training
7. Develop an Insider Threat Program
8. Establish a relationship with the Counterintelligence Squad in your local FBI Office
9. Promptly report suspicious activity

Common Behaviors to be aware of in Corporate Espionage

• Employment at a competitor to gain access to Trade Secrets
• Unauthorized access to competitor’s computer network
• Unauthorized access to third party systems housing competitor information
• Wiretapping a competitor

Please Contact the Arruda Group to discuss your organization’s specific needs and let our experts share their vast knowledge.