Risky business: private sector intelligence in the United States

By Hulnick, Arthur S.
Publication: Harvard International Review
Date: Sunday, September 22 2002

When people think about intelligence, they usually focus on such organizations as the US Central Intelligence Agency (CIA), the British Secret Intelligence Service (SIS), or perhaps the Chinese Ministry of State Security—all government-run agencies specializing in espionage, analysis, and usually some form

of covert action. Most countries have similar intelligence organizations as well as counter-intelligence bodies to stop spies and protect national security secrets. In the aftermath of September 11, a great deal of attention has focused on intelligence and its role in national security. Intelligence in the private sector, however, has largely been ignored, although business intelligence, too, has been energized by recent events and reflects many of the same characteristics.

In fact, the field of intelligence has become significantly privatized as technology has advanced. Today, high-tech information collection through the use of satellites and electronics has replaced a great deal of old-fashioned espionage by government agencies such as the CIA. The once top-secret world of overhead satellite photography has become a commercial enterprise, and intelligence agencies that could not afford to launch their own satellites in the past can now buy photos to help spy on their adversaries. Commercialized high-tech spying is widely accepted as a non-intrusive method of espionage, while purchasable electronic countermeasures—such as firewalls, encryption programs, and scrambler phones—have become common as well. Private intelligence is emerging as an important part of the new world intelligence order.

Sectoral Distinctions

What are the differences between private and governmental intelligence? Governmental intelligence and security are designed to protect countries, while private sector intelligence and security are essentially activities for profit, designed to benefit owners, shareholders, and managers.

Moreover, the kinds of operations routinely undertaken and sanctioned by governmental intelligence and security services, especially overseas, are illegal and immoral. In the private sector, there is no such sanction or protection. Espionage and covert action are illegal activities in most countries, especially when carried out by private agents. Espionage operatives are not protected by government, their activities are banned by professional intelligence associations, and their operations carry stiff penalties.

In the area of counter-espionage, different rules apply as well. The governmental practice of countering the work of hostile intelligence services involves either trying to penetrate the hostile service with inside agents, converting enemy operatives, or using defensive techniques such as the polygraph or surveillance to keep penetration by hostile agents to a minimum. In the private sector, many of these techniques are forbidden by law or are unworkable in practice. Thus, the private sector has had to develop less intrusive methods to stop industrial espionage, or white-collar crime. Their tools to combat terrorism are limited.

The battle against foreign industrial espionage in the United States has been enhanced by a new law called the Economic Espionage Act (EEA) of 1996. This law was originally designed to stop industrial espionage by foreign intelligence services or operatives, but it has been broadened both in language and in application to cover the theft of trade secrets by private companies or individuals. Still, recent espionage cases demonstrate that the EEA and such statutes as the Uniform Trade Secrets Act (UTSA), as well as laws against wire and mail fraud, have not prevented industrial espionage, although they have made it more costly for potential spies. The legal rules and ethical mandates of private sector intelligence are easily violated, and practices can quickly overstep these bounds.

Like most, but not all, governmental intelligence, data gathered in the private sector comes from open sources. Open sources are free and readily available sources of information, including print and electronic media, books, journals, and Internet sources. The growth of Internet-based electronic databases has increased the amount of open-source information so dramatically that some intelligence observers have suggested that traditional collection methods are no longer necessary. In reality, the open-source database makes collection from espionage more meaningful, since these more sensitive sources, which are often fragmentary or incomplete, can be compared, augmented, or corrected by what the open sources have already revealed.

Although private sector intelligence operatives are not supposed to engage in espionage, they do have access to some high-tech methods unavailable just a few years ago. This is especially true in such areas as data mining, a technique for finding information in computer databases. And the once top-secret world of overhead reconnaissance using satellites is now quite public and accessible. Photos taken from space with one-meter resolution—good enough to distinguish considerable detail on the ground—can be purchased on the Internet by anyone with a credit card.

Another major difference between governmental intelligence and private sector intelligence is that governmental intelligence organizations are integrated into the state bureaucracy and become part of the regular governmental infrastructure. In the private sector, intelligence units are either integrated parts of a larger company or specialized consulting firms to which intelligence work is outsourced. These private intelligence firms may specialize in gathering and analyzing information about marketplace competitors, risks in overseas investments, or various aspects of security.

Intelligence vs. Security

US business officials seem uncomfortable with the notion of an intelligence unit integrated into the firm, thinking that this indicates that the company is somehow involved in industrial espionage or at least in something unsavory. Managers have trouble under-standing how intelligence contributes to the bottom line since the results of intelligence work are often hard to measure. In fact, intelligence units are often among the first to go in times of downsizing. Nonetheless, business leaders need intelligence for the same reason that governmental leaders need it. Intelligence can prevent surprise, contribute to strategic planning, monitor ongoing events, and help defeat competition.

Interestingly, concerns about profit and cost do not seem to apply quite so much when it comes to security. Loss prevention is more easily measured, the costs are more obvious, and the concept seems easier for managers to accept. Thus, in the United States, there is a pattern in which intelligence work is given to outside consultants but security is integrated into the firm. Many start-up firms, especially in the service sector, are casual about security. As a result, there are many instances when security practices are instituted only after a firm has suffered some form of loss.

In the United States, anyone who has the urge can become a private sector intelligence professional merely by printing up a card and looking for work. There are no licenses or standardized testing requirements, and no background in intelligence work is required. Anecdotal evidence suggests that most of the people in the business intelligence world have little governmental intelligence experience. Only recently has there been a serious movement to certify private sector intelligence professionals, but certification is not yet widespread.

In the US security sector, however, the requirements for becoming a security professional are much more stringent. Professionals have to acquire credentials as Certified Protection Personnel (CPP), administered by the American Society for Industrial Security (ASIS). The ASIS organizes training courses and testing around the country, and practically anyone who has reached the management level in industrial or business security has already been certified. Given the security problems that have surfaced in government m recent years, the types of training used in the private sector might also be useful to government security personnel.

Anyone who has ever worked in governmental intelligence, at least in the United States, has been taught a theoretical model called the Intelligence Cycle. Policy officials begin the Intelligence Cycle by informing intelligence managers what they want to know and laying out their specific requirements. These requirements then drive the second step, the collection of data. Analysts evaluate data and judge the likely course of events. The conclusions are then sent back to the policy officials who set the original requirements so that they can take action or make policy decisions. Although the Intelligence Cycle may not be an accurate model for the way intelligence works in government, it does create a basis for understanding the way intelligence operates in the private sector.

In private industry, executives drive the intelligence process more directly than in government. Although they may not provide specific collection requirements, they usually play a much greater role in defining intelligence projects. There is significantly more communication and feedback between intelligence consumers and managers in the private sector, as the intelligence professionals work to ensure that they are going to deliver the product the consumer will pay for. Does intelligence in the private sector drive the decision-making process? It is hard to tell, but anecdotal evidence suggests that it does to a much greater degree than in government, where intelligence analysts are not supposed to make or even hint at policy. In the private sector, however, decision makers usually want advice; since they are paying for it, they get it.

Competition and Planning

There are two major areas in the private sector where the intelligence collection and analysis process are significant. The first might be called marketplace intelligence, or competitive intelligence. Marketplace intelligence has received attention in the past few years because of a drive by an organization called the Society for Competitive Intelligence Professionals (SCIP) to push private industry to adopt intelligence as part of the business process. If the marketplace is a battlefield, as some theoreticians claim, then competitive intelligence ought to play the same role in business as it does in warfare. It ought to be used to know one’s enemy—or competitor—and to play a role in defeating him.

The second area where the collection-analysis process is critical is in strategic planning, especially in international business-a subject that has received relatively little attention from the media or academics. There is a very busy network of professionals, many of them former governmental intelligence professionals, involved in this activity, and they are likely content to escape the notice of the press. They are engaged in what is usually termed political risk analysis, trying to provide information and advice to investors considering investments or starting businesses abroad. This is particularly important in dealing with developing countries and in other areas where conducting business may hold special dangers.

Interestingly, the United States has taken two distinct positions on private sector intelligence. With regard to marketplace intelligence, the US government has often said that it will not use its intelligence services to gather information on foreign firms to make US businesses more competitive. This stands in stark contrast to the French, who have confirmed that they do spy on foreign firms to benefit domestic industries. Other countries who carry out industrial espionage include Japan, South Korea, China, and Israel.

In the field of risk analysis, the US government has taken a different approach. The US Departments of State and Commerce have both encouraged US business investment abroad and are willing to provide intelligence data to potential investors and even insurance to minimize the risk. However, this has not put risk analysts out of business. Many business investors do not trust the government’s data and do not want the government to know their plans. As a result, they prefer to deal quietly with private intelligence experts.

Although the United States has pledged not to use its intelligence services to support US industries, it has agreed to use its intelligence resources defensively in detecting evidence of unfair trade practices or foreign industrial espionage. Government operatives claim that US private industry cannot defend itself against industrial espionage carried out by foreign intelligence services because these services are too clever, too sophisticated, and too well equipped to be stopped by industrial security units. Is this true? The evidence is mixed, to be sure, but seems to suggest that private industry is doing better defending against industrial espionage than the government thinks.

There is also the matter of private individuals who engage in spying for one company against another. A growing number of cases illustrates this kind of industrial espionage, including the General Motors executive who defected to Volkswagen, taking GM trade secrets with him, and the food service worker at Mastercard who tried to sell the credit card company’s proprietary data to Visa. Much of this information has surfaced because of lawsuits or prosecutions under industrial espionage laws.

Security Complications

Security in private industry is generally more complex than in government. US security agencies, including both intelligence services and operational elements of the executive departments—Defense, Justice, Energy, and State, for example—have to protect property, personnel, and operational data, but they are dealing with activities that are remarkably similar. In private industry, businesses are so varied that a number of security techniques must be developed and applied. What works for a manufacturing plant or a software developer may be totally inappropriate for a hotel or a hospital.

One problem common to both government and private industry is white-collar crime. How is it possible that government officials, virtually all of whom have undergone expensive, extensive background checks and even polygraph exams before being hired, still turn out to be criminals? Some, like the infamous Aldrich Ames, steal secrets for money, while others skim public funds, embezzle, or even blackmail their employers. Usually, they are caught because they trip up or brag about their exploits.

More serious is the problem of cybercrime, though there is a great deal of information about strategies for data protection, much of it based on systems already used in government. In the aftermath of the September 11 terrorist attacks, private industry has awakened to the need for good security, protecting property, operations, and data.

One of the dilemmas often faced in industrial security is convincing management that there are threats that ought to be addressed. Again, cost is a factor, but the private sector has another tool that is unavailable in government—insurance. In many cases, private firms can choose to spend money insuring against loss rather than paying the cost of security for loss prevention. Management has to decide which is more cost effective. In government, insurance is not an option because the government is essentially self-insured.

Ferreting out threats to private industry is an intelligence problem, but the private sector has been slow to recognize this. In order to protect their firms, security planners have to understand the nature of the threats they face. A growing number of private sector intelligence firms are prepared to provide current intelligence 24 hours a day. These services existed well before September 11, but the need for them has now become more apparent.

Covert Companies

One issue that has received very little attention concerns covert action. In government, covert action refers to secret operations designed not to collect or analyze intelligence but to carry out foreign policy while leaving open the possibility that the state could later deny its involvement. This is called plausible deniability, even though in most cases the denial may hardly be plausible.

Covert action includes the use of secret agents who carry out political or economic action to help friends abroad, including the distribution of false or misleading information—called disinformation—or the use of deception to confuse or distract adversaries. Another form of covert action is what professionals term black propaganda, a form of enhanced or manipulated information, usually based on true material but presented in such a way that the hand of the manipulator or the real source of the information is hidden.

One would think that covert action has no place in the private sector, since such activity is not only illegal but morally reprehensible. Yet evidence is beginning to surface showing that covert action is used in the private sector when firms want to weaken their competitors. There are several areas where traditional kinds of covert action have been used in the private sector. Black propaganda, the main form of covert action, often uses a lobbying group or association whose ties to the sponsor can be buried.

Another covert strategy might be to use deception to hide business activity in various ways so that competitors are fooled into strategies that will prove ineffective. Information can be spread about an alleged new product a firm might produce to goad competitors into wasting time and money to match the effort. Disinformation can also be used to discredit a competitor firm or its products.

In a recent example, software giant Microsoft apparently tried to gain ground on its competition by using allegedly independent organizations to take frill-page ads in major newspapers attacking the software giant’s rivals. As the story emerged in the press, it appeared that corporate espionage was involved as well, including efforts to buy the rival firm’s trash. Coming as it did during government efforts to break up Microsoft, one must wonder about the timing of the revelations.

One use of covert action that has received less attention in the press is sabotage, the attempt to thwart a competitor firm by destructive operations in which the hand of the operator is hidden. Airlines have been particularly active in trying to stop start-up competition in this fashion, although they deny any such activity as a matter of course. One major carrier, British Airways, used this technique to try to drive rivals, including Virgin Atlantic, out of business, finding mixed success.

The private sector has a tool to use against covert action that is not really available to government: legal action to seek redress and compensation. The problem for the victim firm in private covert action is gathering the evidence needed to prove injury. After all, the direction and management of covert action is supposed to be hidden, and, if found out, plausibly deniable. In cases that have been made public, the use of covert action has not shown great benefit for the firm using such dubious tactics, although the victimized firms may suffer serious loss or be driven out of business.

The Bottom Line

Before the events of September 11, business managers in the United States probably understood the benefits of good security even if they did not always apply good security practices, but they were much less concerned about the need for good intelligence. The terrorist attacks in the United States have been something of a wake-up call for the private sector. Vague and unfocused government warnings about possible attacks on banks and supermarkets make it clear that the private sector cannot afford to shut down every time Washington cries wolf. It needs more and better intelligence to be able to evaluate threats and plan for contingencies.

US intelligence managers are wrestling with the challenge of overhauling the government’s large and bureaucratic intelligence system to meet the threats of the 21st century. Private sector managers have a different task: they have to integrate good intelligence and effective security to become more productive and safe in an increasingly interdependent world. As US intelligence managers struggle to determine what went wrong on September 11 so they can find and correct flaws in national intelligence, private industry should recognize that it cannot wait to implement good intelligence and security practices. The cost of failure, as governments know, is too high.

ARTHUR S. HULNICK is Associate Professor of International Relations at Boston University and former Chief of the Public Relations Unit and Coordinator for Academic Affairs of the Public Relations Office of the US Central Intelligence Agency.

Роман В. Ромачев