BUSINESS COUNTERINTELLIGENCE
Your knowledge is your power, but if you don’t protect it, it can become someone else’s ammunition!
For a long time, we have been living in an age where knowledge is considered “power”. However, this assessment, which is made independently of the question of “how knowledge is used”, can cause major risks and vulnerabilities to be missed. While I agree with Richard Feynman’s quote “It doesn’t matter how many resources you have if you don’t know how to use them…”, which emphasizes the criticality of “knowing (information)”, I would like to turn to the other side of the coin and point out the “fatal” risks you may face if you cannot protect your “information”, which is your power, from competitors or enemies who may use it against you. This article aims to draw attention to the importance of the discipline of counterintelligence in the business world by addressing the repercussions of intelligence in the private sector.
THE PLACE OF INTELLIGENCE IN BUSINESS
The importance of intelligence in the business world was recognized early in the West, and concepts such as “competitive intelligence”, “commercial intelligence” and “corporate intelligence” were developed. However, intelligence methods do not always stay within ethical and legal boundaries, and espionage through bribery, blackmail, and ideological exploitation poses major threats in the business world. In 1981, H. E. Rowan, in his book Protective Security (A South African Approach), emphasized that industrial espionage is a real danger and that unprotected companies carry great risks. However, many companies are still unaware of this threat. When we think of security, only guards, camera systems and cyber security measures come to mind. Yet these measures are insufficient in the face of more sophisticated intelligence activities targeting the human factor.
It is possible to find cases of commercial and industrial espionage in open sources. However, the cases that have actually succeeded have usually remained secret, while those that have been publicized have either failed or have been disclosed by their sponsors for propaganda purposes. The current and successful activities are those that we do not know about due to their inherent secrecy or that are not reflected in open sources. At this point, I must admit that I recently overheard a conversation in which a Turkish technology company’s R&D project, on which a lot of time and money had been spent, was stolen by a European company.
It should not be assumed that these threats are far away, somewhere in the Wild West or the Far East! If you have an endeavor like the National Technology Movement, someone will find something in you that is worth paying attention to and snooping around. The most targeted sectors for economic espionage are technology, defense, finance, software, and energy. Indeed, companies in Silicon Valley and elsewhere are extremely sensitive to the security of their intellectual property. But any company can also be a target of espionage if it possesses information valuable to its competitors. Companies have always been interested in gathering information about their competitors.
However, there is an important difference between gathering information and producing intelligence. Intelligence is a systematic process of processing information to a higher quality. Today, large companies are increasingly dependent on obtaining “actionable information” about their competitors. This process can sometimes involve illegal methods of information gathering (espionage).
COUNTERINTELLIGENCE: WHY IS IT NECESSARY?
Intelligence activities can gather information through legal or illegal methods. Counterintelligence includes systematic measures against these activities and the most important element in espionage activities is people. Cybersecurity measures can secure information in the digital environment, but detecting espionage activities in the real world requires a fast, vigilant, and trained organizational reflex (capacity). The most critical information is often stored in minds, on people (know-how), and can be obtained through manipulation. Spies can gain information beyond the reach of cyber or technical methods and find a direct answer to a strategic question: One question, one answer. Therefore, technical security measures alone may not be enough to protect the most critical information in your company; protective security measures focusing on the human factor should also be taken.
The ISO27001 Information Security Standard is an important step in modernizing companies’ approach to information security. However, it is very IT-oriented and may not be able to resist human intelligence, because hackers hack computers (IT systems), while spies and intelligence officers hack people! Therefore, a corporate reflex should be developed that raises employee awareness and observes suspicious relationships.
COUNTERINTELLIGENCE STRATEGIES
Counterintelligence is the set of strategies that companies develop to protect their trade secrets, prevent unauthorized access to information, and complicate competitors’ efforts to gather information. This process has both passive and active components:
- Passive components include measures to prevent competitors from acquiring information: awareness trainings, countermeasures against technical surveillance, security policies, penetration tests, etc.
- Active components include taking action after a threat has been detected: legal actions, adversary misdirection, and proactive security measures.
Analyzing the intentions and capabilities of adversaries before a threat emerges is also part of counterintelligence processes.
EDUCATION AND AWARENESS REQUIREMENT
While most of the weaknesses in human beings can be eliminated with training, interestingly, in our country, training and awareness-raising activities on corporate security are not given enough importance and companies may consider the time and financing they will allocate for these activities as wasteful. In fact, the reason for this is the unfamiliarity with the issues mentioned in this article. Because of the “state of unawareness” that they are subjected to under the pretext of the (relatively low) costs they deem unnecessary, they may dare (!) to take on financial risks that could be “fatal” for them, as in the past when IBM’s top secret and literally “multi-billion dollar” Adirondack project was stolen by Hitachi by paying $650,000 to an IBM employee.
Raising awareness is critical for companies to avoid such major financial losses. On the other hand, I should anecdotally emphasize that intelligence threats to your company may not always come from low-level employees who are amateurs and easy to deal with. In the world of commercial and industrial espionage, the real targets are “high profile” individuals such as board members, general managers, experienced engineers, etc. Of course, those who seek to obtain information from them are of a similar status or are trained, specialized, and theatrical enough to play the role.
Look at what Claude Silberzahn, former director of the French secret service DGSE, said as early as 1996: “The task of the state in France is not only to legislate, but also to trade. For decades, the French state has used the left hand to manage the markets and the right hand to use the secret services to obtain intelligence for its own trading houses.” Yes, you will likely encounter threats from such structures, and education and awareness are essential to be able to identify these threats. In conclusion, there is a need in Türkiye, especially in technoparks and information/technology-intensive sectors, to build a capacity to combat industrial espionage in today’s increasingly competitive environment.
As international trade and technology wars increase, new security approaches (Industrial Security Movement), structural (National Technology Security Presidency), and legal (such as the Trade Secrets Protection Law or the Economic Espionage Law) arrangements should be worked on in order to protect our economic and technological power, which is considered one of the elements of national power. Relying on traditional systems alone is no longer enough. It is vital that companies develop a holistic and deeper understanding of security by adopting the discipline of counterintelligence.