TECH COMPANIES’ NEXT HIRE: CHIEF COUNTERINTELLIGENCE OFFICER?

Written by BlogGuero | Published 2018/03/01



One of the best-known books on legendary C.I.A. spy hunter James Jesus Angleton was called “Wilderness of Mirrors,” an idiomatic title borrowed from a poem by T.S. Eliot. The turn of phrase is a vivid metaphor for the world of counterintelligence — it calls to mind a vast expanse of reflections, some distorted, some flat, tilted at various angles, placed at different distances, each casting back divergent versions of reality in a cacophony of information that overwhelms the traveler. It helps us understand that while counterintelligence is a relatively simple concept on its face, that apparent simplicity belies greater complexity at every turn.

In most of corporate America, counterintelligence is treated more or less synonymously with security. Famously secretive companies like Apple go to great lengths to protect their intellectual property, and with good reason. Vast sums of R&D and marketing dollars go into developing new products, and there is no shortage of ravenous competitors looking for a way to get ahead with the Next Big Thing.

But security is not the same as counterintelligence. Executive Order 12333, signed by Ronald Reagan in 1981, defined counterintelligence thusly:

“…information gathered and activities conducted to protect against espionage, other intelligence activities, sabotage, or assassinations conducted for or on behalf of foreign powers, organizations or persons, or international terrorist [organizations]…”

“One Two Triple Three,” as it’s known in intelligence circles, was revised in 2008, but the definition of counterintelligence remains substantially the same, and is still notably broader than the U.S. corporate understanding of “security” or “loss prevention.” Counterintelligence isn’t just the act of preventing loss, it’s also about collecting information on adversaries’ efforts in order to thwart them.

There was always a key reason why companies weren’t particularly troubled with counterintelligence, except in special circumstances like defense contractors working with U.S. Government secrets. “Normal” American companies were mainly concerned with preventing intellectual property losses from competitors, not threats from foreign sovereign states.

Some foreign intelligence services were always trying to steal from U.S. companies, of course. The K.G.B. stole American industrial secrets wherever it could during the Cold War to give them to its state-owned enterprises. China later got into the act, too, using a variety of collection techniques to acquire plans and I.P. in order to empower its manufacturers and exploit lower production costs to beat Western companies (this is still going on, of course). The F.B.I. did its utmost to prosecute trade secret thefts, and eventually began educating companies in how to protect themselves, but it was a rear-guard action at best.

But with every passing day it’s becoming painfully apparent that the twentieth century was a vastly different threat environment from the one we find ourselves in today.


Arguably since at least the turn of the millennium, the breakneck growth of technology companies has changed the calculus which guided the historical separation between companies engaged in counterintelligence (the Military Industrial Complex) and those concerned primarily with security (everyone else).

In the 20th century, most traditional media organizations were at least cognizant of past attempts by foreign governments to use them for propaganda purposes, even if their success in thwarting this was spotty at best. It was generally understood among reporters that many, if not most, Soviet ‘journalists’ had some sort of intelligence affiliation, either as undercover KGB officers or as cooperating contacts. That did not prevent the Soviets from placing propaganda in the American media, but it certainly made it more challenging for Moscow.

A look at a list of the biggest American companies in 1990, i.e. auto makers, energy companies, and manufacturing conglomerates, shows a group of businesses that were already well aware of how to protect their trade secrets from both competitors and foreign states. Their I.P. was reasonably easy to lock down and also physically based in the United States.

By contrast, in 2017, half of the top ten American companies by market cap were technology companies. Their I.P. is dynamic and spread across the cloud, their ‘customers’ are their products, and their value is tied not so much to products sold, but attention paid. Moreover, their historical skepticism of the federal government (justified or not) has left them largely ignorant of lessons gleaned by others about the realities of espionage.

Since the late 1990s, American tech companies have happily considered themselves “global citizens,” basking in (or perhaps just dishonestly propagating) the conceit that the Internet had created a new world of frontierless commerce, as if sovereign borders no longer mattered.

But borders — and governments — still matter. The Internet didn’t change that. And tech companies must internalize the notion that risks to their business come not just from competitors, but from foreign governments and other actors. Left unchecked, these problems can become existential threats to business models because they leave companies vulnerable to either business-killing regulation or catastrophic public relations disasters.


It is possible (indeed, probable), for example, that foreign intelligence services have compromised key employees of one or more big U.S. technology companies. How many CEOs have even considered the implications of such a development, much less what to do about it? How many companies have a plan for responding to threats from insiders that aren’t just venal malcontents working for competitors?

It’s tempting to believe that the counterintelligence threats faced by American companies are limited to distant state-sponsored rooms of hackers in far off lands (the Russian “troll factory” is a lurid example), but foreign intelligence collection can also take many other, more alarming forms. An adversary can take advantage of insiders, as in the example of Edward Snowden, and human intelligence (HUMINT) attacks on American soil against businesses have certainly been well-documented.

And it’s not just nation-state actors: increasingly, terrorist groups, organized crime syndicates, and transnational non-governmental intelligence organizations (e.g. Wikileaks) are demonstrating collection capabilities comparable — albeit still inferior — to those of sovereign countries.

None of these threats are new. But pre-2000, they were essentially analog and primarily focused on governments. Now that technology — whether social media, or payments, or encryption, or cryptocurrencies — has evolved to a point where it can be used as a tool of statecraft, the formerly bright line between government and business has faded to near-invisibility.

It’s supremely ironic that, in their zeal to supposedly protect American citizens from assumed excesses of U.S. law enforcement and intelligence organizations, American tech companies have ignored their own vulnerability to exploitation by the worst of America’s enemies.

American companies no longer have the luxury of ignoring the discipline of counterintelligence. The wilderness of mirrors is real, and we’re all navigating it together.

Marc C. Johnson is a global security consultant and former CIA Operations Officer. Follow him on Twitter at @blogguero


Published by HackerNoon on 2018/03/01