OVERVIEW OF DEFENSIVE TACTICS PRIVATE COMPANIES CAN TAKE

This part of the chapter deals with some technical issues relating to attacking computer and information networks, and defensive tactics that private companies can take in stopping or hindering attacks. This part of the chapter will also very briefly deal in passing with some discrete problems that may be encountered in applying traditional forms of risk treatment to what is essentially a new form of risk, and it will then discuss the need for perhaps a new or revised approach to the risk-management system of a corporation in respect of the new form of threat represented by computer terrorism. It will also discuss what has become known as “information peace-keeping” (IP). The three elements of IP are:

• Open source intelligence

• Information technology

• Electronic security and counter intelligence

Interestingly, IP must rely almost entirely on the private sector for sources and services that will require the development of a new national intelligence and secure approach to take into account what has hitherto been an area in which the private sector has not participated. Perhaps the most important aspect of information operations in the 21^st century is that it is not inherently military; instead, civilian practitioners must acquire a military understanding and military discipline in the practice of information operations if they are to be effective. This is known as the enmeshing phenomenon.

Common to all aspects of information operations (IP, IW, and all source intelligence) is open source intelligence. This means that the involvement of the private sector will become more clinical in defense terms in the 21^st century. Along with this must go an increasing identification of the private sector with the defense establishment, both in its own perception and in the perception of outsiders. IP is not:

• Application of information or information technology in support of conventional military peacekeeping operations (contrary to what some may consider revolution in military affairs [RMA] thinking)

• Traditional psychological operations or deception operations

• Covert media manipulation

• Clandestine human intelligence operations or overt research operations

Attempts to avoid the enmeshing phenomenon or to protest that private corporations are essentially that, private, and rely on this as a defense is unwise. It may also be futile. In any event, what is also important is the perception of the other entities with which the private corporation may come face to face (such as substrate and nonstate terrorist groups, the military forces of other nation-states, and also against other corporate competitors).

Defensive Tactics to Thwart the Threat of Business Spies

Threats to the security of business information are numerous and they come from all directions, including organized crime syndicates, terrorists, and government-sponsored espionage, and most global high-technology companies have little idea of the array of hostile forces targeted against them. U.S. businesses that are increasingly expanding their operations into foreign lands are finding the situation challenging because the nature of such threats and how to protect against them is not taught in business school.

Some of the threats might be obvious, as well as the strategies that companies can mount against them, but others might not be so cut and dried. In a world in which countries measure themselves in terms of economic might, many intelligence services around the world are shifting their emphasis and targets to business. Government-sponsored intelligence operations against companies seek information about bids on contracts, information that affects the price of commodities, financial data, and banking information.

Furthermore, government intelligence services want technological production and marketing information, and they usually share what they get with their country’s companies. To get this sensitive information, government intelligence services use many of the techniques developed during the Cold War. That includes bugging telephones and rifling through papers left in hotel rooms by visiting businessmen and businesswomen. In addition, government intelligence services are known to plant moles in companies and steal or surreptitiously download files from unsecured computers. Several also have highly sophisticated signal intelligence capabilities to intercept even encrypted company communications. Messages that are not encrypted with the latest technology are especially vulnerable. These include telecom and computer communications, including e-mail.

Though the French intelligence service is probably the most egregious offender, it is far from alone. Russia, China, South Korea, India, Pakistan, Germany, Israel, and Argentina all have some type of intelligence-gathering operation for the benefit of companies in their countries, and many more countries are doing the same. The United States, however, is not among them.

No American intelligence agency conducts industrial espionage against foreign companies for the advantage of U.S. companies. What the U.S. intelligence community (CIA, NSA, etc.) does is support the efforts of their own government, and that information is not shared with American companies.

Reports originating in Europe, especially France, that the United States is using signal intelligence capabilities as part of a program called “Echelon” to attack European companies for the economic advantage of U.S. companies is simply not true. Another threat comes from the dozens of intelligence services in developing countries that have profited from the training they received from the Soviet Union, Eastern European countries, and the CIA during the Cold War. The result of this history is that the reservoir of professionally trained intelligence mercenaries is growing.

Other threats include terrorism, organized crime and inside operations carried out by disgruntled employees and hackers. Some of these groups are looking for the greatest amount of destruction, and an attack on the critical information infrastructure of the United States would satisfy that goal.

Business needs to understand that the criminal and terrorist threat worldwide is changing and is now both more sophisticated and more dangerous than anyone would have thought. Vulnerabilities that all the different types of attackers exploit include open systems, plug-and-play systems, centralized remote maintenance of systems, remote dial-in, and weak encryption. Companies could provide substantial information security protection for relatively low cost.

Companies should review security measures in sensitive areas of their operations such as research and development, talk to traveling executives who carry company laptops about using precautions to prevent theft, and examine communications with overseas facilities with an eye toward installing commercially available encryption that is all but impossible to crack. The new algorithm recently approved by the Department of Commerce, for example, is so strong that it would take an estimated 149 trillion years to unscramble.

Company executives should also limit physical access to sensitive data and programs and regularly change computer passwords. It’s all obvious, but every one knows how many companies are lax in their actual implementation.

A basic rule is to take time to identify company critical information, whether it is technology, a production technique, basic research and development, financial information, or marketing strategy, and take steps to protect it. What is required first is simply awareness by CEOs and boards of directors that there is a threat and then, second, response using a common-sense way to protect themselves. These are measures that make good business sense even if you are not a target of a government intelligence service, a competitor, a criminal organization, a terrorist, or a hacker.

Cybersecurity Progress in the Private Sector

Many companies have made significant progress since 2000 to protect their infrastructures from attack, but others still face an uphill battle. Nevertheless, the government and private firms must work together to bolster cybersecurity.

The banking and energy industries remain ahead of many other sectors in security preparedness. Other sectors, including telecommunications, transportation, and waterways, face difficult challenges stemming from a vast array of factors such as deregulation and market fluctuations.

However, progress hasn’t proceeded at the same pace in all sectors. There are some sectors that are ahead of others. Nonetheless, private companies accept the challenge that the government has given them to protect the networks that run their infrastructure.

Obstacles

The IT sector has been moving very aggressively. Any perceived slowness is due to a genuine desire by industry to protect proprietary and sensitive information on behalf of their companies, shareholders, and clients.

Corporate concerns regarding shareholder value and increased competition may be getting in the way of security progress at some banks, airlines, and telecommunications companies. Despite the banking industry’s perceived success in the area of security, a recent spate of money laundering schemes in the banking industry, including a $2.5 billion scam against Citigroup Inc. and Commercial Bank of San Francisco that lasted ten years, raises serious questions about the status of security in the industry.

Likewise, the airline and telecommunications sectors have come “under siege” as a result of deregulation and the current climate of mergers and acquisitions. Years of a systematic underinvestment in electric power grid capacity, combined with the effects of wholesale deregulation, have created a potentially perilous security situation.

But security protections against cyberattacks in natural gas and electric industries are being addressed constantly, although the national effort lacks a useful gauge for how much security is enough. If you don’t have any attacks, it’s easy to let the program slip.