We are bred up to feel it a disgrace ever to succeed by falsehood...we will keep hammering along with the conviction that honesty is the best policy, and truth always wins in the long run. These pretty little sentiments do well for a child's copy book, but a man who acts on them had better sheathe his sword forever.
-The Soldier's Handbook of the British Army (1869)
Over the course of the past several articles concerning security's role in dealing with aggressive competitive intelligence collectors, we have addressed a number of countermeasures - and very few of them have corresponded to the traditional security role in an organization. And that's as it should be, since new challenges demand non-traditional solution sets.
Of the countermeasures we've spoken about, they've all been more aggressive than passive, more proactive than reactive. This month's article deals with perhaps the most aggressive, complex and yet effective of them all: deception.
But first, let's just get straight about our terms. Deception is one of those words that conjures up thoughts of things that are ......well, un-American. At the very least it should be immoral or fattening, if not illegal. Right? One of the responses to all this, of course, is the tried and true method of euphemisms: call it something less offensive. In some parts of the world, this may be called perception management; in other places it's called reflexive control.
For the squeamish, please feel free to substitute either of these, or any other of your own choosing. But whatever you decide to call it, understand that it represents one of the most powerful countermeasures available to the security professional in today's competitive arena.
Please bear in mind that such a process is not for the ill-prepared or the timid. Nonetheless, with wit, planning, imagination and adherence to a few basic principles, today's security professional can make a significant contribution to ensuring the continuing value of the assets s/he is charged with protecting.
The essential point in employing such countermeasures is relatively simple to describe, although much more complex in operation. The end result of this process is to confuse your rival's Competitive Intelligence organization - the eyes and ears of his strategists - so that the decision-maker makes the wrong decisions about what they should do in response to the incoming information. If you do it well, several significant things can be expected to occur:
the rival company will make erroneous business decisions about what your firm is doing or is going to do in the marketplace; the rival firm will begin to distrust his business intelligence organization, and may even lead to its demise - thereby removing a potential threat to your company's sensitive plans and information; you can begin to have an even larger impact on your company - as a whole - and increase the value that your security function has in the eyes of your firm's leadership.
And, all this can happen against the backdrop of your responsibility: protecting your firm's information assets.
"A secret can only be kept between two people if one of them is dead.
"
This old adage introduces the complementary concepts of compartmentation and "need to know." These points mean restricting information about the intent, importance, nature and success (or failure). In turn, it allows you to take advantage of what you know about a competitor's intelligence collection efforts and to use that understanding against him. In gross terms, this principle means that only a few people - typically at the leadership level of the company - know what's really going on, even though there may be many people involved on a less-than-witting basis. The following example will show this principle in operation, and at the same time, will show that things don't have to be particularly sophisticated to be effective.
A somewhat unusual client company's business was highly cyclical and dependent upon marketplace conditions rather than seasons or raw materials as is very often the case. Thus, information about rates and timing of production changes were of considerable competitive value. The company had been able to consistently have the right amount of product at the right times in the right places. Although the client had six other firms in its competitive universe, and were generally able to eclipse five of the others, one stood out because it always seemed able to anticipate - and capitalize on - these changes.
After some assessment of the client's facilities and processes, it became apparent that one of the competitor's principal early-warning signals came from a fairly low-level source. The competitor was able to anticipate the client's production changes by the simple expedient of having someone sit in a car some distance from the main gate of the factory and record the traffic flow.
Counting the number of cars going in and out - and then comparing them week by week - allowed the competitor to gauge the changes and use the knowledge competitively. Once they had an early warning from this source, then the company's other sources of competitive information were contacted. By comparison with other firms in other industries, this was a fairly unsophisticated competitive intelligence operation. Nonetheless, it had been paying for itself for quite some time. It was this general lack of sophistication that allowed a fairly simple deception to take work.
It must be said that the first response of the client's security leadership was to try and find ways to have the local police put the habeus grabbus on the surveillance talent. But we suggested another approach, using an anecdote from many years ago to illustrate the point.
At our Special Forces camp in the western Mekong delta region of South Viet Nam, we had a particular Viet Cong sniper who frequently shot at helicopters that came into and out of the camp. But, we never did anything about him because he was never able to hit anything. Nonetheless, a new camp commander bristled at the nuisance of it all and took measures to neutralize the sniper. The problem was that the VC replaced him with one who could shoot well and caused all manner of subsequent misery.
Similarly, we certainly didn't want to have the competitor replace one collection methodology with another one that would take longer to detect and possibly neutralize. Thus, with this example in mind, we suggested an alternative to the local gendarmerie.
The company started a campaign to provide financial incentives for production workers who car pooled, and stated explicitly that it related to the company's commitment to environmental concerns. No mention was made whatever of the security issues involved, although they were clearly in the minds of the few members of the planning cell that launched the project.
The timing of the environmentally-friendly campaign coincided with the ramping up of people that was normally associated with the cyclical increase in production. The distance was such that the surveillant would not have been able to detect the actual number of people in the cars and as a result of the carpooling, the number of cars remained relatively constant - certainly nowhere near the gross changes that were normally observable.
Thus, when the client company was able to realize a significant increase in market share during that particular cycle, the increased earnings more than offset the costs of the incentive program. The security director was credited with having had a major, direct significant impact on the company's business base. The question that begs to be asked at this point is "How often have you been singled out for helping the earnings side of your company?" Obviously, this small success allowed the security director greater credibility later on when other, more sophisticated countermeasures were needed. It also helped him in a number of other areas since senior management began to view the security function differently.
The Greatest L'il Ole Warehouse in Texas
In this case, we were assisting a firm identify how a competitor was able to anticipate certain market moves - particularly new product introductions - that the firm had yet to take. Remember that one of the more important functions of competitive intelligence is to alert senior leadership to changes in the marketplace so as to prevent surprise. And this rival's competitive intelligence team was very good at identifying our new client's initiatives long before they were announced.
Recall, if you will, some of the steps in the Business Intelligence Protection Model, especially the parts of the process where you match up what you have learned about the competitor's collection processes and how he uses them to exploit your vulnerabilities. It was at this point that we entered the fray to identify the approaches that the competitor's intelligence people were using.
We began by approaching the client as if we were working for their competition, looking for the various activities that would be fairly obvious indicators of the events and activities our client wanted to keep closely held. We found a number of potential indicators which - when considered all together - would allow the intelligence collectors and analysts at the competitor company to find out what was going on. Information that, in turn, would point them in the right direction to collect even more.
In this company's case, one of the more consistent indicators was its leasing and purchasing of warehouse space. And, as our inquiries continued, we learned some interesting pieces from the client's real estate firm. The brokers mentioned that they received at least monthly inquiries about warehouse space from one individual who never revealed which company he was representing. The real estate firm's representatives had even joked about their "mystery caller." He always seemed very interested in what was available and what was not available in the city, who was leasing or buying what from whom, and so on - but was never interested enough to lease or buy anything himself. Upon further research, we were able to determine that the conversation with the mystery caller always seemed to get around to what transactions our client was involved in.
From there, it was a fairly simple and straightforward management of the rival's perceptions. Obviously, they saw the acquisition of warehousing space as a consistent indicator of what our client did before bringing a new product to market. The answer to the client's problem lay in changing the nature of the information that the rival got.
Before the next roll-out of a new product line, the client changed several things about the way they did business. They were based on a strategic theme that they wanted their rival to believe: that they were not launching any new products and that they were going to be focussing on some brand and line extensions instead. The message was broken down into a variety of component parts.
First, they began leaving broad hints with the real estate company that they might not be renewing some of their current leases. Second, they established a relationship with another real estate firm - where they executed a binding, non-disclosure agreement about property leased through them to the client.
Then, the client made some other relationship changes as well - changes which had to be made in order to corroborate the entire picture that needed to be created in the minds of their business rivals. The overall theme was consistent with the brand and product extensions mentioned above.
When the salesmen from the sign company - which they had used exclusively for years - came in for new orders, they were told that they had no plans for any new artwork, nor were there going to be any changes or enhancements at the places they already had. And, because the people inside the client company were only told that there wouldn't be any new signage bought for the upcoming year, they were not in any position to make further explanations to the salesmen.
When the salesman from the trucking company that handled a large part of the plant to warehouse hauling effort came by, he was told that they had no increased need for his company's trucks. He was content just knowing that the client was going to be cutting back from other shippers as well. He didn't really bother to ask if they were engaging another shipper - one with whom the client had no previous relationship. Yet, the client was beginning a fairly significant relationship, complete with a very detailed non-disclosure agreement with a new shipper.
Thus, when the competitive intelligence collectors from our client's rival began to contact their regular sources of information, all the signs pointed in one direction: that no new products were on the drawing boards or bound for the production lines. Those salesmen who had proved such good sources for the rival collectors in the past had a uniformly consistent message. And, since they'd been reliable in the past, there apparently didn't seem to be any reason to try and get any alternative sources of information on line. That is, until three new products came out: each with packaging from a different sub-contractor, launched out of different warehouses in surrounding towns, and carried in trucks that had never before been used to get the client's products to the distribution channels.
Massive Steel on Target
This last example derives its title from one of the ways to best destroy an enemy - artillery rounds falling all around his position. In this case, however, we'll use information instead of howitzer ammunition to influence the behavior of the target. But, that's not to say that you won't be able to gaze into the sunrise and say "Ah, there's nothing like the smell of cordite in the morning."
By setting up an in-house security awareness and training program, employees were encouraged to report interesting or unusual requests for information that they received. Through the real-world examples we provided, employees became quite familiar with the kinds of questions and interests that competitive intelligence practitioners had about their company's operations. In turn, this understanding increased the quality of their reporting later on.
Within a few weeks, numerous employees had reported on the five or six people who had called in to the firm to ask questions about the many disparate pieces of information that went into a competitive analysis. Being able to identify who in the company the rival firm was calling paid out great dividends in deciding who was going to be told what to say the next time they were called.
By the time the next series of inquiries came in, the overall theme that the company's leadership wanted to communicate to the rival's management had been thoroughly developed: confusion. Instead of just creating an impression about a false course of action that they wanted to mislead the rival firm into believing - which is a more typical approach in deception - they wanted to sow uncertainty and disequilibrium. Their hope was to undermine the confidence of the rival firm's leadership in the competency of their competitive intelligence staff.
Thus, when the rival firm's competitive intelligence collectors called, they got a tremendous amount of information - much of it contradictory - which led to general confusion in deciding what the information meant. The perception management campaign was predicated on the fact that the rival collectors would be collating and analyzing the data they had obtained - with an expectation that it would be as clear a result as they had obtained in the past. Only this time, they couldn't make much sense out of what they had gotten.
Each of the people they had spoken to had seemed to be just as open and straightforward as they had been before, except that now there wasn't any clear pattern. Of course, this was because the sources they had relied on in the past had been given only what they needed to know in order to participate in this protective deception. Naturally, virtually none of the sources on whom the competitors had relied in the past were witting of their role in this project and were thus able to carry off their roles without raising any suspicion on the part of the rivals.
By the time the competitors were able to discern that they could not advise their leadership competently about where our client was going, it was too late: the possible advantage that their intelligence might have afforded them was lost. This, in turn, did several things.
First, it reduced the confidence that the rival firm's leadership had in being able to get quality information from its intelligence unit on a timely basis. Second, it caused the intelligence collectors to be unsettled and uncomfortable with any information that would get from these formerly "reliable" sources. Third, it caused the rival's collectors to develop a number of other sources inside the company - several of which had been "dangled" in front of them so that they could be the medium through which very special messages could be sent at critical times.
Like any weapon in any arsenal, we cannot emphasize enough the need to use such measures as deception wisely and caution. In the latter case example, this approach was appropriate only because the company was privately-held and not publicly traded. It would have been unfortunate indeed, if securities analysts had gotten the same message from a firm - with implications, at minimum, for stock prices.
At bottom, we see that a little awareness, a little imagination, and a little planning can go a long way to achieving the old military toast "Confusion to our enemies!"
