It seems like I’ve spent the majority of my adult life either protecting secrets or trying to acquire them. After over a decade and a half in the service of the CIA’s Directorate of Operations, and then a dozen more years building a private sector global intelligence and risk management firm, I feel somewhat qualified talking about secrets. Taking them or keeping them is how I’ve made my living.
So when the Diplomatic Courier asked if I would write an opinion piece about risks to U.S. national security interests, it didn’t take long to settle on a specific topic. While many experts—and I don’t claim to be one—would point to Iran, the unwinding of our involvement in Afghanistan, the U.S.-Pakistan relationship, or that old chestnut North Korea as our most serious issue, I believe the top threat to our national security is more widespread and far less discussed.
This threat exists in the shadows and typically well off the radar screen of public or media awareness. It’s insidious, pervasive, and enormously costly to U.S. national interests. The threat is economic espionage: the theft of our research and development, intellectual property, trade secrets, negotiating positions, and other data critical to the private and public sectors.
It happens in seemingly harmless ways: through information gathered at trade shows, corporate events, and during official foreign delegation visits and exchanges. It happens in old school espionage ways: through the recruitment or placement of sources inside companies. And increasingly over the past couple of decades, it happens in cyberspace. The internet has made life easier and more accessible for people in all walks of life, including those involved in the gathering of sensitive economic intelligence.
Acquiring information in order to gain an economic or strategic advantage is a past time as old as mankind. I suspect, all those years ago before the invention of sliced bread and Facebook, some Neanderthal in the cave next door stayed up late at night plotting to steal his neighbor’s blueprints for the wheel. Why spend months or years chipping away at stone, hoping to get just the right shape, when your neighbor has already figured it out. Better to take his research, jumpstart your own effort, and be the first to roll out the wheel to the community.
To be fair, and diplomatic of course, no nation is free from this threat, just as no nation is innocent of practicing economic espionage to one degree or another. Nations act in their own best interests, but some more aggressively than others.
My experience over the years, both with the U.S. government and in the private sector working on behalf of U.S. companies, informs my opinion that when it comes to understanding and dealing with the dangers of economic espionage, we are very late to the party. Successive administrations, Congress and the intelligence community have been slow in linking the protection of our economic intelligence to U.S. national security. And the U.S. private sector has been even more delinquent in understanding the degree to which foreign states and corporations are pilfering critical information from U.S. businesses.
How bad is it? In the opinion of James Woolsey, former Director of the Central Intelligence Agency, “They’re stealing us blind.” In a recent conversation, Director Woolsey cited technology and the internet as a key factor in the increase in economic espionage. “Now it’s a matter of a keystroke between looking at information and stealing that information, or putting malware on the target’s system.”
While cybersecurity, primarily as it relates to the protection of critical infrastructure and the public sector, is gaining attention, government resources, and public awareness, effective efforts to curtail economic espionage, increasingly conducted in cyberspace, have been limited and, for the most part, uncoordinated between the private and public sectors.
In a demonstration of trying to close the barn doors after the horse has left the building, the U.S. Congress and White House have been dickering over several versions of a possible cybersecurity bill during much of 2012. One stated goal has been to improve the cooperation and coordination between the government and private sector. However, given the lack of cooperation and coordination between the House and Senate, there’s little optimism that meaningful legislation is likely anytime soon.
There have been some efforts within the federal government to address the problem; again most are in their early stages and do little to stem the outflow of information from U.S. shores. In 2011, 16 federal agencies and members of the intelligence community (IC) formed the National Cyber Counterintelligence Working Group to develop a coordinated response to the theft of intelligence, including private sector economic intel. While better late than never, creating a coordinated response decades after the first instances of cyber theft is an indication of how slow America has been to respond.
The damage to the U.S. is felt in a variety of ways: economic losses, lost opportunities for business expansion and revenue, stolen classified information related to private sector support of critical government and military operations, and a less competitive America in a global economy.
Brian Finch, a Washington, D.C.-based partner in the law firm of Dickstein Shapiro LLP and head of the firm’s Homeland Security practice group, deals regularly with issues related to economic espionage and cybersecurity. “The pace of the attacks (against U.S. businesses) is growing and the net result is that American companies can be at a strategic disadvantage in international investments as well as see significantly less value in their research and development investments.”
Recent federal efforts to quantify the losses have conservatively estimated that economic espionage has cost American companies a minimum of $13 billion dollars in just the past few years. If that sounds low, and rather vague, it’s because it is on both counts.
Ask ten officials in Washington for their estimates on damage to the American economy from theft of economic intelligence and you’ll get ten different answers. In part the lack of clarity is because the U.S. government still hasn’t devised an accurate way to track such losses, and in part it’s because U.S. companies are reluctant to report intrusions, loss of proprietary information, or instances of hacking into their internal systems.
Oftentimes, a company’s systems are attacked, information obtained or malware installed, and many months, or years, pass before the victimized company becomes aware of the problem. One recent study noted that the average time from cyberattack to the target becoming aware of the intrusion was 416 days.
Randy Phillips, a former senior member of the U.S. intelligence community, believes the threat can’t be overstated. “This is one of the most significant and persistent threats to the well-being of the United States.” He notes that the scope of the threat, and pervasiveness of the attacks, “undermines U.S. interests in ways that are very difficult to calculate. The sheer amount of theft of intellectual property and research and development material over the years both through cyber theft and via targeted employee theft is stunning.”
Having watched and worked this problem from both the public and private sector sides of the fence, I feel strongly that the U.S. has been disadvantaged significantly over the decades because of our failure to properly view our private sector economic information as critical to our national security interests. As opposed to practically every other nation, the U.S. has always viewed it as somehow improper for our intelligence community to include as an objective or task, the protection and support of the private sector.
Yet our allies, and those nations not traditionally aligned with our own interests, see no such separation between government and private sector. Over the past decade I’ve seen countless examples where foreign companies have been advised, assisted, and protected by their governments and intelligence services. Outside the U.S., most intel services work closely with their private sector because they fully understand that their economic interests, including protection of proprietary information, is directly linked to their national security.
In a clear statement of this link between a nation’s private sector and intelligence service, Vladimir Putin in late 2007 said that “the SVR (Russia’s intelligence agency) must be able to swiftly and adequately evaluate changes in the international economic situation, understand the consequences for the domestic economy, and more actively protect the economic interests of our companies abroad.”
In the United States we’ve maintained a Church-State type separation over the years between the intelligence community and our private sector. The IC’s concern over possibly giving an advantage to one U.S. company over another in trying to protect their interests has ultimately disadvantaged all American companies, as the global economy and technological advances speed access to information and time to market.
While there has been some recent discussion within the IC and in Congress about the possibility of improving public-private sector coordination, the likelihood is that privacy concerns, corporate suspicion over excessive government intrusion, and budget cuts to defense, homeland security, and intelligence spending will limit any real progress.
For now, it remains mostly up to the private sector in the U.S. to combat this threat. “It’s really up to American companies to own this problem,” noted Dickstein Shapiro’s Brian Finch. “They have to understand the risk and the need for senior management involvement in ensuring adequate security and cyber security programs.”
The danger in relying solely on the private sector to manage this risk is that corporations often only act when or if they realize they’ve been the victim of economic espionage. Proactively enhancing internal security practices is regularly viewed as an added cost to the bottom-line as opposed to an investment in the future growth and revenues of the company. If nothing else, the government should be playing a larger role in educating American companies as to the nature of the threat, potential for damage and methodologies of key players.
It’s an increasingly small world, and for U.S. companies operating without an appreciation that their secrets are being pilfered and without the involvement and adequate protection of the American government, it’s an increasingly dangerous one. In a global economy, information is our most valuable commodity. It’s time we act like it.
Mike Baker is a regular contributor in the national and international media on intelligence, security, and counterterrorism issues. After a career spanning over fifteen years as a covert field operations officer for the Central Intelligence Agency (CIA), Mike co-founded Diligence LLC and now oversees the company’s operations and growth throughout the Americas.
This article was originally published in the Diplomatic Courier's November/December 2012 edition.
a global affairs media network
Better Late Than Never: Dealing with the Dangers of Economic Espionage
November 9, 2012
It seems like I’ve spent the majority of my adult life either protecting secrets or trying to acquire them. After over a decade and a half in the service of the CIA’s Directorate of Operations, and then a dozen more years building a private sector global intelligence and risk management firm, I feel somewhat qualified talking about secrets. Taking them or keeping them is how I’ve made my living.
So when the Diplomatic Courier asked if I would write an opinion piece about risks to U.S. national security interests, it didn’t take long to settle on a specific topic. While many experts—and I don’t claim to be one—would point to Iran, the unwinding of our involvement in Afghanistan, the U.S.-Pakistan relationship, or that old chestnut North Korea as our most serious issue, I believe the top threat to our national security is more widespread and far less discussed.
This threat exists in the shadows and typically well off the radar screen of public or media awareness. It’s insidious, pervasive, and enormously costly to U.S. national interests. The threat is economic espionage: the theft of our research and development, intellectual property, trade secrets, negotiating positions, and other data critical to the private and public sectors.
It happens in seemingly harmless ways: through information gathered at trade shows, corporate events, and during official foreign delegation visits and exchanges. It happens in old school espionage ways: through the recruitment or placement of sources inside companies. And increasingly over the past couple of decades, it happens in cyberspace. The internet has made life easier and more accessible for people in all walks of life, including those involved in the gathering of sensitive economic intelligence.
Acquiring information in order to gain an economic or strategic advantage is a past time as old as mankind. I suspect, all those years ago before the invention of sliced bread and Facebook, some Neanderthal in the cave next door stayed up late at night plotting to steal his neighbor’s blueprints for the wheel. Why spend months or years chipping away at stone, hoping to get just the right shape, when your neighbor has already figured it out. Better to take his research, jumpstart your own effort, and be the first to roll out the wheel to the community.
To be fair, and diplomatic of course, no nation is free from this threat, just as no nation is innocent of practicing economic espionage to one degree or another. Nations act in their own best interests, but some more aggressively than others.
My experience over the years, both with the U.S. government and in the private sector working on behalf of U.S. companies, informs my opinion that when it comes to understanding and dealing with the dangers of economic espionage, we are very late to the party. Successive administrations, Congress and the intelligence community have been slow in linking the protection of our economic intelligence to U.S. national security. And the U.S. private sector has been even more delinquent in understanding the degree to which foreign states and corporations are pilfering critical information from U.S. businesses.
How bad is it? In the opinion of James Woolsey, former Director of the Central Intelligence Agency, “They’re stealing us blind.” In a recent conversation, Director Woolsey cited technology and the internet as a key factor in the increase in economic espionage. “Now it’s a matter of a keystroke between looking at information and stealing that information, or putting malware on the target’s system.”
While cybersecurity, primarily as it relates to the protection of critical infrastructure and the public sector, is gaining attention, government resources, and public awareness, effective efforts to curtail economic espionage, increasingly conducted in cyberspace, have been limited and, for the most part, uncoordinated between the private and public sectors.
In a demonstration of trying to close the barn doors after the horse has left the building, the U.S. Congress and White House have been dickering over several versions of a possible cybersecurity bill during much of 2012. One stated goal has been to improve the cooperation and coordination between the government and private sector. However, given the lack of cooperation and coordination between the House and Senate, there’s little optimism that meaningful legislation is likely anytime soon.
There have been some efforts within the federal government to address the problem; again most are in their early stages and do little to stem the outflow of information from U.S. shores. In 2011, 16 federal agencies and members of the intelligence community (IC) formed the National Cyber Counterintelligence Working Group to develop a coordinated response to the theft of intelligence, including private sector economic intel. While better late than never, creating a coordinated response decades after the first instances of cyber theft is an indication of how slow America has been to respond.
The damage to the U.S. is felt in a variety of ways: economic losses, lost opportunities for business expansion and revenue, stolen classified information related to private sector support of critical government and military operations, and a less competitive America in a global economy.
Brian Finch, a Washington, D.C.-based partner in the law firm of Dickstein Shapiro LLP and head of the firm’s Homeland Security practice group, deals regularly with issues related to economic espionage and cybersecurity. “The pace of the attacks (against U.S. businesses) is growing and the net result is that American companies can be at a strategic disadvantage in international investments as well as see significantly less value in their research and development investments.”
Recent federal efforts to quantify the losses have conservatively estimated that economic espionage has cost American companies a minimum of $13 billion dollars in just the past few years. If that sounds low, and rather vague, it’s because it is on both counts.
Ask ten officials in Washington for their estimates on damage to the American economy from theft of economic intelligence and you’ll get ten different answers. In part the lack of clarity is because the U.S. government still hasn’t devised an accurate way to track such losses, and in part it’s because U.S. companies are reluctant to report intrusions, loss of proprietary information, or instances of hacking into their internal systems.
Oftentimes, a company’s systems are attacked, information obtained or malware installed, and many months, or years, pass before the victimized company becomes aware of the problem. One recent study noted that the average time from cyberattack to the target becoming aware of the intrusion was 416 days.
Randy Phillips, a former senior member of the U.S. intelligence community, believes the threat can’t be overstated. “This is one of the most significant and persistent threats to the well-being of the United States.” He notes that the scope of the threat, and pervasiveness of the attacks, “undermines U.S. interests in ways that are very difficult to calculate. The sheer amount of theft of intellectual property and research and development material over the years both through cyber theft and via targeted employee theft is stunning.”
Having watched and worked this problem from both the public and private sector sides of the fence, I feel strongly that the U.S. has been disadvantaged significantly over the decades because of our failure to properly view our private sector economic information as critical to our national security interests. As opposed to practically every other nation, the U.S. has always viewed it as somehow improper for our intelligence community to include as an objective or task, the protection and support of the private sector.
Yet our allies, and those nations not traditionally aligned with our own interests, see no such separation between government and private sector. Over the past decade I’ve seen countless examples where foreign companies have been advised, assisted, and protected by their governments and intelligence services. Outside the U.S., most intel services work closely with their private sector because they fully understand that their economic interests, including protection of proprietary information, is directly linked to their national security.
In a clear statement of this link between a nation’s private sector and intelligence service, Vladimir Putin in late 2007 said that “the SVR (Russia’s intelligence agency) must be able to swiftly and adequately evaluate changes in the international economic situation, understand the consequences for the domestic economy, and more actively protect the economic interests of our companies abroad.”
In the United States we’ve maintained a Church-State type separation over the years between the intelligence community and our private sector. The IC’s concern over possibly giving an advantage to one U.S. company over another in trying to protect their interests has ultimately disadvantaged all American companies, as the global economy and technological advances speed access to information and time to market.
While there has been some recent discussion within the IC and in Congress about the possibility of improving public-private sector coordination, the likelihood is that privacy concerns, corporate suspicion over excessive government intrusion, and budget cuts to defense, homeland security, and intelligence spending will limit any real progress.
For now, it remains mostly up to the private sector in the U.S. to combat this threat. “It’s really up to American companies to own this problem,” noted Dickstein Shapiro’s Brian Finch. “They have to understand the risk and the need for senior management involvement in ensuring adequate security and cyber security programs.”
The danger in relying solely on the private sector to manage this risk is that corporations often only act when or if they realize they’ve been the victim of economic espionage. Proactively enhancing internal security practices is regularly viewed as an added cost to the bottom-line as opposed to an investment in the future growth and revenues of the company. If nothing else, the government should be playing a larger role in educating American companies as to the nature of the threat, potential for damage and methodologies of key players.
It’s an increasingly small world, and for U.S. companies operating without an appreciation that their secrets are being pilfered and without the involvement and adequate protection of the American government, it’s an increasingly dangerous one. In a global economy, information is our most valuable commodity. It’s time we act like it.
Mike Baker is a regular contributor in the national and international media on intelligence, security, and counterterrorism issues. After a career spanning over fifteen years as a covert field operations officer for the Central Intelligence Agency (CIA), Mike co-founded Diligence LLC and now oversees the company’s operations and growth throughout the Americas.
This article was originally published in the Diplomatic Courier's November/December 2012 edition.
