The challenge facing U.S. businesses is nothing short of existential. As we wrote previously on Lawfare, businesses are being targeted by foreign intelligence agencies seeking to boost the competitive edge of their own governments. To respond, private enterprise will need to open its aperture on intelligence threats and dig into geopolitics in an unprecedented way. If companies remain narrowly focused only on short-term profit-making—and if nation-states continue to enjoy great success from their intelligence attacks on U.S. businesses—the consequences could be severe.
Complicating matters is that most businesses lack two important insights. First, they have not fully recognized the enhanced nation-state threat environment within which they are operating. Second, they do not entirely appreciate the difference between risks and threats. In addition, and perhaps consequently, most businesses are not organized to effectively tackle intelligence risks and threats that cut across the traditional business silos of finance, human resources, compliance, legal, and physical and information security. To combat intelligence attacks, businesses need to improve their understanding of the threat, both its ubiquity and gravity, and enhance their protective efforts.
Many counterintelligence practitioners wondered whether Russia’s interference in the 2016 election might be a 9/11-type event—an occurrence so dramatic and traumatizing to the nation and its core values that it would stimulate a response: an attack that would help crystalize in the minds of Americans how much their world had changed and how precarious their position in it was. That did not happen.
Or at least, as the first premier of the People’s Republic of China, Zhou Enlai, supposedly once said of the significance of the French Revolution, it’s too early to say. Among 9/11’s many effects was to signal to American society writ large that terrorism was a very real and tangible threat. The attacks provided an impetus for a transformation of the way people conducted their lives and protected their families and businesses. More than 19 years later, that transformation, while far from perfect, is largely complete.
Why has the threat from intelligence services, be it to free and fair elections or to U.S. businesses, not been inculcated into the minds of Americans? Certainly, there has been no shortage of attacks. In fact, over the past decade a steady drumbeat of intelligence operations have caused untold damage to businesses and, arguably, undermined trust in the election process. But these losses have not yet coalesced into a cogent need for action on the part of the public.
Americans underestimate the seriousness of the intelligence threat for three reasons: It most often is not violent (at least in the U.S.); its negative impacts are rarely immediately felt; and it is usually targeted at specific organizations or assets. Immediate indiscriminate violence focuses minds; gradual and targeted loss of information, money or democratic values does not. The lack of literal or even proverbial blood in the streets means that the public is unlikely to have a visceral reaction that spurs change. Combine the lack of violence with the specificity of a threat aimed only at certain actors, and it quickly becomes someone else’s problem. In contrast to an act of terrorism—which many Americans have come to believe could affect anyone at any time—the loss of sensitive intellectual property or know-how appears to affect only a very small, identifiable group. The loss of such assets is concerning, even upsetting at times, but it is not seen as a widespread problem. In addition, the effect may only be felt several years after the actual loss. The consequences of commercializing stolen intellectual property or accentuating social divides through malign influence campaigns take time to manifest. As a result, many people assume the impact to be trivial. This misdiagnosis has time and again made Americans underestimate the gravity and pervasiveness of the threat faced.
The damage inflicted on the United States is incredibly difficult to calculate: Economic espionage loss estimates alone range from the tens of billions to the hundreds of billions, annually. But no matter how these losses are calculated, they unfold like a slow-moving car wreck on a busy highway, setting off a cascade of destruction. American companies can be driven out of business when foreign companies, supported by their intelligence services, don’t play by the rules. When companies are driven out of business, jobs are lost and entire communities impacted. Suppliers and customers are also negatively affected. In time, investors may become wary of investing in industries known to be targeted by intelligence services. For similar reasons, companies (or the U.S. government) may become wary of providing funding to universities for cutting-edge research projects if it will be easily and quietly stolen by a hostile nation-state. Over the long run, the U.S. innovation sector—the foundation of the American economy—could be severely damaged.
While a better understanding of the threat environment is critical, businesses and investors may also need to reconsider how they evaluate and manage risk. Doing so begins with an appreciation that they are not simply facing extraordinary risk—they are confronting threats that pose a materially different challenge to their operations.
Unfortunately, many businesses, including geopolitical risk and cybersecurity firms, seem to conflate the notion of risks and threats. They are not the same and must be treated differently. Risk is about the possibility, or even the probability, that an event will occur. Risks are general concerns that are a product of your business environment, your personnel, or your relationships with other organizations or governments. In short, they are often depersonalized and indiscriminate. Many companies have become adept at calculating the risk associated with certain decisions—such as entering a market, partnering with a supplier or hiring a particular specialist. But rarely have companies learned how to understand and evaluate threats.
If a risk is about the possibility of harm occurring, a threat is about the intention to do harm. A risk could come to fruition—but a threat is happening now. If your business is threatened, it doesn’t mean it will be harmed—but it does mean that someone intends to do it harm. A threat is personal, specific and more concrete than a risk. It is targeted at your business, its intellectual property, its people. It is posed by a specific group of individuals, often well trained and sophisticated, who have put your business in the crosshairs. You possess something of value—something that has been identified as necessary for someone else’s economic development or security. This is not the same as a risk that can be generally understood and managed with an actuarial table or the purchase of insurance. To put it another way, there is a difference between the risk of getting into a fatal car accident and knowing that someone is threatening to kill you with their car.
Sometimes, an intelligence threat may first present itself as a risk. That is, based on certain facts, businesses may have a higher or lower chance of being targeted by a nation-state, and as such they should raise their defenses accordingly. However, once that risk has manifested itself into a threat—for example, once a person or group of people is targeting your business—your response must shift from purely assessing and taking precautions to identifying and resolving the issue.
It is time for all business leaders to realize that some nation-states are engaging in intelligence activities intended to do U.S. businesses harm. Their activities pose a threat, not just a risk. Businesses must acknowledge this fact and confront the threat accordingly.
Yet intelligence threats do not fit neatly into the portfolio of any particular executive. Combined with the lack of information and tools discussed in our previous post, this means many threats are never even identified. And even when they are, executives may be reluctant to confront a seemingly intractable issue that is not clearly within their purview. Add this to the fact that the damage may not be apparent for several years, and the issue’s persistence seems inevitable.
Many companies see the intelligence threat as a “cyber” issue, if only because nation-state threats first presented themselves to most companies via a computer intrusion. However, as cybersecurity capabilities increase, nation-states are turning increasingly to insiders to conduct espionage. And cybersecurity experts are often not equipped to adeptly address the threat posed by malicious insiders. While businesses are expending more and more resources on cybersecurity, they face diminishing returns.
Faced with an employee who may be in contact with an intelligence service, other companies have called in their general counsels. This makes sense: Due to the rather complicated legal issues involved in dealing with a rogue employee who may be acting at the behest of a foreign government, the general counsel should be involved. Yet most general counsels don’t have the bandwidth to address the vulnerability that led to the incident in the first place or to examine the future risk of a similar physical intrusion. Without “fixing” that vulnerability, the company is likely to face another malicious insider incident in the near future.
Some companies have tried to consolidate the general responsibility for addressing risk under a chief risk officer. This makes sense in theory, but oftentimes these executives focus on attempting to balance out the various financial and compliance risks associated with a company’s business rather than turning their attention to the cross-organizational risk or threat posed by a nation-state. Chief risk officers also rarely have the authority to implement the difficult companywide solutions necessary to fix the issues.
Investors face an additional challenge to the above-described scenarios. A great deal of the advanced technology being developed in the United States is housed in startup enterprises—which, by their nature, have few resources to put toward keeping those potentially valuable assets secure. Venture capital firms investing in these startups are interested in a quick return on their investment. They are usually not concerned with an espionage issue that may not present itself for several years, likely long after the firm has already divested. As such, startups may be especially vulnerable and present their long-term investors with substantial risk.
Nation-state adversaries have not been dissuaded by the protection efforts businesses have employed to date. They continue to regularly find and exploit gaps in defensive silos—including cybersecurity—and their efforts show no signs of abating. Companies are facing a full-fledged intelligence threat posed by nation-states. As such, they need to address this issue by employing the tools and tactics of counterintelligence. Risks can be managed, but threats must be addressed—head on.