
If You Stop to Eat Lunch, You Are Lunch

In today's business environment, the entire calculus is changing dramatically. Seemingly solid business practices and issues that were once the foundation for competition are fading fast. They're being replaced rapidly by business models that emphasize speed, flexibility and most importantly, knowledge.

It's spawning a whole new set of words and phrases for the security professional who wants to remain current. More importantly, it's driving a whole new set of issues and priorities for the security professional who wants to remain employed.

Where once we had a focus on the protection of assets that were physical in nature - identifiable, visible, quantifiable and accountable - we now have an environment where the real value of the company is found in electrons or being carried around in the heads of knowledge workers. A value that is captured in the phrase "intellectual capital". A value that is calculated in entirely different terms than ever before.

What's The Big Deal?

The traditional company valuation models that calculate what a firm is worth have changed as we move from a manufacturing-intensive to a knowledge-intensive economy. Newer valuation models are fast emerging that focus on intellectual capital rather than the book value of a company's physical capital. According to these models, intellectual capital can be valued at anywhere between three and four times the book value.

In an increasing number of industries, the intellectual capital constitutes the raw material that drives financial results, not the number of machines, offices, buildings, trucks, desks, assembly lines or laboratory space.

Just as in the days when the physical output - the widgets or whatever - of a manufacturing plant was the yardstick for measuring a firm's worth, the new knowledge world produces intellectual property. Comparing the sales and market capitalization of three high tech firms with that of the Big Three auto makers makes this point very clearly. Although the sales of the Big Three absolutely dwarf the sales figures for Microsoft, Intel and IBM by 2.4 times, the market capitalization of these high tech companies is 2.3 times greater than the auto makers.

It's no accident that more and more firms are looking at their intellectual property as being their most coveted and prized asset. And when the boss decides that the firm should put more emphasis on protecting this asset than on how many physical assets take a walk, it is an unwise and ill-prepared security manager who insists on protection by the old strategies of gates and guards, guns and dogs.

This is especially true in those industries where shareholders expect to be able to leverage and extract value from the company's intellectual assets - industries such as pharmaceuticals, biotechnology, and high technology in general.

Isn't This Why We Pay Lawyers?

This is really two questions in one.

First, this is the kind of question that we all too often hear from security managers who call after a major intellectual property problem has arisen and they're looking for a place to point their fingers.

In case after case, intellectual property seems to be one of those "It's Not My Job" issues when, in fact, senior management considers it to be just as valuable - if not more so - than any other asset for the reasons described above. Security management, on the other hand, pays little or no attention to the business side of the business.

Typically, there is little understanding of the language or concerns that haunt leadership every day. Somehow, it seems as if by concentrating on those myriad problems that are the stock in trade of the security manager, intellectual property protection takes a back seat. It seems to me that that's like viewing the world while wearing blinders. The comment that comes to mind is "If the only tool you ever use is a hammer, every problem will always look like a nail."

Perhaps it's dangerous to generalize just from our experiences, since we usually get calls after the problem has been and that might tend to skew the population, but we don't think so. It's a problem that seems to be rooted in the largely passive and reactive nature of traditional security thinking.

Is this too harsh an indictment of the professionalism of security practitioners? Maybe. Maybe, if it'll get you to thinking about protecting your intellectual property now instead of later - after it's gone - then perhaps it will have been worth it. Or, perhaps it'll get you to look at what you really need to protect and how vulnerable it is today instead of waiting for the fire after the storm.

Second, lawyering is not the only answer to everyone's problems. Lawyering comes in when the loss has already occurred. Lawyering is almost always far more costly than a well-conceived and orchestrated, proactive protection program. It's almost like your personal health: choose whether you want to eat your vegetables today or suffer the indignities of shots, pills and probing later. And, last but not least, lawyering means that you actually have to deal with, well, lawyers. Isn't that incentive enough?

Where's The Bureau When We Need Them?

Courtesy of the Economic Espionage Act (EEA), the FBI is now on the job, rooting out all the ne'er-do-wells and evil-doers. We can sit back and just watch as those who compromise our company's most vital business information are brought to justice.

Right.

Let me be clear on this, right up front. I stop well short of joining in the chorus of those skeptics who say that the EEA is really a canard; that it should've really been called the "FBI Full Employment Act." It's just that there are many other factors to be considered before deciding that the EEA - and the potential employment of the FBI's resources - is the answer to every maiden's prayer.

For example, take a look at the Bureau and its wide ranging mission. Director Louis Freeh has been variously reported as saying that in the economic espionage realm alone, the Bureau is on top of some 800-900 open cases right now involving the misappropriation of intellectual property in its various and sundry forms: trade secrets, patents, copyrights, trademarks/trade dress and know-how.

Rationally, we have to expect that the number will continue to grow as companies seek after explanations of why they lost share or advantage when they thought they had a lock on a product or category. We have to expect that as the United States remains the center of industrial, technical and scientific creativity and intellectual property development, the attempts to obtain that information will continue to increase in number and sophistication.

Is the Bureau being staffed up to handle this relatively new mission? Is the FBI's involvement always the preferred answer, especially for your leadership who may actually want to avoid the publicity that almost always attends a Bureau success story? Is the FBI's ANSIR program reaching all of your employees and actually helping to get the message out?

The most recent ASIS "Trends in Intellectual Property Loss Survey" included in its draft report that only about 30% of the respondent companies had any clue about the FBI's programs to assist them, and only 10% of that 30% felt that the program was effective. It may be that for companies to have a higher degree of confidence in the FBI's ability to satisfy their needs, the responses to intellectual property crimes will have to be as rapid and straightforward and with the same degree of urgency with which bank-robbery and kidnappings are treated. An angry and upset corporate leader - who has just learned of a significant intellectual property loss - is not going to be the world's happiest camper when he hears that it'll take the FBI six weeks or more to make its initial response.

As an extension of this point, there's also the problem of people becoming jaded by numbers that don't seem to have much relevance to their daily, professional lives. When an FBI ANSIR briefer comes into the company and speaks about the billions and billions of dollars lost by American firms every year, it's often as impactful as Carl Sagan talking about Billions and Billions and Billions of Stars. Or, as Josef Stalin once said, "The death of one is a tragedy, the death of millions is only a statistic."

At bottom, while the FBI certainly has a mission and a great ability to assist in the protection of intellectual property, they shouldn't be the first line of defense. Doubtless, every FBI agent assigned to work EEA related cases would say the same thing, especially given their manpower constraints.

The First Line of Defense

Let's put the responsibility where it belongs - on the people who are charged with the protection of a company's assets in the first place. As it stands right now, we are involved in four separate EEA cases where the bulk of the groundwork has to be done before the FBI will be able to move. Done by whom? Done by the people at the first line of defense. The people in those companies that are under attack. Using all the resources at their disposal. Getting additional resources to provide levels of protection that are consistent with the value of what is needful of protection.

And, let's be clear about how to go about protecting intellectual property. Intellectual property that's just as important to people in the Rust Belt as it is to the people in Silicon Valley - or, what we Alabamians refer to as Silicon Holler, or what the New Jerseyians call Silicon Landfill.

For example, on the level of basic principles, where we consider trade secrets as one of the subsets of intellectual property, it's useful to just consider what a trade secret actually is before deciding to protect it. It's important to understand that just calling it a trade secret gets you nowhere. According to the Uniform Trade Secrets Act, a trade secret is something that

(1) derives independent economic value, actual or potential, from not being generally known to, and not being easily ascertainable by proper means, by other persons who can obtain economic value from its disclosure or use, and

(2) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.

Let's look at the two elements of the definition and seek after some understanding of your role by asking a few questions.

How do you know whether or not the information that constitutes the trade secret is not known to or ascertainable by proper means (or, by extension, by improper means)? Have you ever tested your defenses, using the same kinds of techniques that are used by those who are actively and aggressively collecting against your firm? Have you ever sought to find out what is actually known outside the company about the things that you would want to protect? Or, what do you and your firm consider trade secret type information and what steps have you taken to protect each category, such as:

  • Technical information - including R&D data to formulas, compounds, prototypes, lab notebooks, calculations and drawings, vendor and supplier information, Know How and Negative Know How;

  • Production or Process Information - including costing and pricing data, proprietary process and production rates, production or process machinery or technologies, and their specifications;

  • Quality control information - QC manuals, processes, records, controls;

  • Sales & Marketing Information - Sales forecasts, S&M promotional plans, call reports, customer lists, customer needs assessments, buying habits and profiles;

  • Internal Financial Performance Data - Forecasts, profit margins, P&L statements, project/departmental or company budgets, financial planning documents, financing arrangements;

  • Administrivia - Strategic and tactical business plans, organizational relationships - both internal as well as external - in addition to joint venture, teaming and other linkages.

Or, don't you consider any of this intellectual property worthy of protection? If you don't, does your leadership?

Next, there is another whole category of relevant questions for the security manager to develop - and to answer. What are the reasonable efforts taken to maintain its secrecy, especially in the face of so many different domestic and international approaches being taken today to penetrate your defenses? Who decides they are reasonable? A judge after the damage has been done? Possibly. But that still means that you have to go through the crap shoot of a trial and the battalions of lawyers - and all the while your firm is not in command of its marketplace as it might otherwise be.

And how do you determine - and possibly be able to prove to a judge later - what those reasonable countermeasures are? Countermeasures that are consistent with, and take into consideration the nature of, the actual threats to your intellectual property. Do you have an educated work force that understands the nature of the environment and the ways in which company survival is inextricably intertwined with their continued employment? And, how have they been educated?

Let's use a short war story to illustrate. One client in a high technology industry was about to invest almost $100 million in a wholly new product line. Clearly, they wanted to have a cone of silence over the whole project until they were ready to launch. But, owing to the amount of rumor, migration of employees and the sheer length of time it was going to take to get it rolled out, they knew they'd need more than a guard at the front door. They put everything they could into the security planning for the project. Then, they asked for an attack. A friendly attack, but an attack that replicated their business rivals nonetheless.

Within 30 days, the entire project was penetrated through a variety of approaches through their employees, their strategic partners, their vendors and services providers. People who were all operating under Non Disclosure Agreements and other binding documents and relationships. People who were not at all aware of what they were giving away to an organized, coherent and aggressive Competitive Intelligence collection effort. At least not aware until they were all brought together and told what a group of outsiders had gotten in a few short weeks. A few weeks at the very outset of what was to be a two year development process.

This clearly transcended the kind of general, non-company specific awareness and educational briefings they'd received previously. They had a direct relationship to, and investment in, the project. They found that what they had thought were routine and non-threatening events, conversations and activities were actually the elements of a sophisticated business intelligence collection activity. Collection activities that were just like the ones that an increasing number of firms are undertaking each day of the week in virtually every industrial sector in the country.

Try to imagine the results of such a presentation and the impact that it had on how the employees treated documents, materials and research efforts. Imagine how it changed the ways in which they viewed even the most casually appearing conversations.

Well, the proof was in the pudding almost two years later. When the company was ready to tell the investment community about the project that was going to change the face of their industry, the analysts were completely surprised. Those analysts who were always on the lookout for those little signals that are indicators of big things to come simply had no clue. There had been no leaks, no indicators, no compromises.

Why? Because the employees and the associated partners knew exactly what they were supposed to protect, and from whom. Because they understood the value of what the company needed to protect. Because they had seen first-hand what could happen under real world business circumstances, contrasting sharply with those other awareness presentations and policies that they had previously seen as just so much "boy crying wolf."

From the Government's Mouth to Your Ear

There are serious and real lessons to be learned from government attempts to control the loss of classified information; to prevent the unauthorized disclosure of information that is vital to the national interest. And yes, Virginia, there really is a reason for information to be classified and protected from general dissemination.

In government, one of the hardest things a counterintelligence professional has to deal with is a tendency on the part of the scientific and technical communities to consider themselves excused from the requirements that others have to follow when it comes to revealing information to those outside the defined limits.

One of the favorite ways that foreign intelligence officers routinely exploit such people is to emphasize the universality of knowledge. The drumbeat has been heard for decades: "Knowledge should be shared in the interest of peace and freedom and human dignity." "Science and technology should not be fettered by small minded people who want to limit the spread of information and knowledge, and thereby keep the rest of the world in ignorance."

Lofty statements that are often effective ploys to get people to talk more than they should. Ploys that are just the tip of the iceberg of the panoply of elicitation skills of the professional intelligence officer.

Getting today's knowledge workers past the idea that what they know isn't supposed to be "shared science for the benefit of all mankind" is not an easy task. It takes a realistic appraisal of what forces are arrayed against a firm's intellectual capital and an effective way of communicating that value to the knowledge worker. Moreover, it takes the imagination, dedication and foresight of a forward thinking, business-oriented security professional.

Without that kind of an approach, many vibrant companies that dot the landscape today will be littering it tomorrow.

About the author: John A. Nolan, III CPP, OCP is Chairman and Managing Director of Phoenix Consulting Group, which provides competitive intelligence, counterintelligence and professional development/training programs across a variety of industries. He is also a co-founder of The Centre for Operational Business Intelligence in Sarasota, FL where corporate intelligence practitioners from around the country and the world learn the tools and techniques necessary to prevail in the marketplace. His newest book, “CONFIDENTIAL”: Uncover Your Competitor's Top Secrets Legally and Quickly - And Protect Your Own, was released by HarperCollins Business Books in June 1999. He is frequently featured in national and international media such as Forbes, George, Times of London and CNN, to name just a few. He can be reached at jnolan@intellpros.com, or at 1.800.440.1724.

©2009 DynCorp International, all rights reserved.