Everyone’s seen the formulaic spy thriller where the secret agent, having impersonated a guest at a party, steals away upstairs to rifle through a cabinet or to download critical data from an unguarded computer. With wireless technologies and malware, kinetic spies are old school and risky.
As a private investigator in the 1990s, competitive intelligence (CI) was a very big business. The world of corporate espionage/competitive intelligence, divides up nicely into black operations/covert jobs [Read: FELONY], white hat/open source [trade journals]/overt jobs [me or others like me], and of course the various shades of gray everywhere. Wikipedia’s entry on competitive intelligence makes these key points.
1. Competitive intelligence is an ethical and legal business practice, as opposed to industrial espionage which is illegal.
2. The focus is on the external business environment.
3. There is a process involved in gathering information, converting it into intelligence and then utilizing this in business decision making. CI professionals emphasize that if the intelligence gathered is not usable (or actionable) then it is not intelligence.
I had a few overt jobs, such as taking pictures of a competitor’s clientele and providing detailed descriptions on what may be called ‘Secret Shopping.’ I also turned down more than a good many covert jobs, including one request to out and out steal an entire home computer system. Once again, Wikipedia mentions the landscape of CI is wide:
Accepting the importance of competitive intelligence, major multinational corporations, such as ExxonMobil, Procter & Gamble, and Johnson and Johnson, have created formal CI units. Importantly, organizations execute competitive intelligence activities not only as a safeguard to protect against market threats and changes, but also as a method for finding new opportunities and trends.
Malware: Go hard, go fast, go now
The question posed to espionage experts in the 21st Century is easily answered: most external threats are generated through malware. Plainly put, malware has incentivized industrial espionage and eclipsed competitive intelligence in the global marketplace. Why? It works far too well:
- It’s far cheaper to go hardcore right out the gate and with very little risk of full investigation based on multiple jurisdiction challenges.
- The same basic code used for crime can be repurposed for espionage, meaning the economy of scale is already in place and dual-purpose.
- The vectors for malware are many; the Deputy Secretary of Defense mentioned how one lowly USB thumb drive changed DoD and Pentagon policy forever.
- While intellectual property (IP) takes many forms, businesses have tremendous effort and expenditure which, when lost, represent a competitive advantage given away in this global economy. Think of this as Intellectual Privacy.
When the thought of trade secrets and intellectual property being systematically stripped from offshore business travelers needs to be framed, think of recent words used by Commerce Secretary Locke:
This isn’t just an issue of right and wrong. This is a fundamental issue of America’s economic competitiveness. As the president has said before, America’s ‘single greatest asset is the innovation and ingenuity and creativity of the American people. It is central to our prosperity and it will only become more so in this century.’
Our founding fathers understood this as well as anyone, which is why they put in place a set of rules and laws to reward and protect the ideas and inventions of the artists, engineers and scientists who create them.
While cybercrime in 2010 has proliferated in a wave from gas pump skimming to hotel data theft centered around credit cards, travelers still have more to risk in overseas visits where jurisdictions of crime activity are not in the favor of the stateside law community. What about the employees who are often traveling in the course of their duties?
Here’s a simple guide:
Counter-intel: Corporate traveler checklist
- What role does this traveler have?
- Where is this person heading?
- Who are they visiting with?
- What information can they completely leave behind?
- What information must they have to perform their duties?
- What sensitive projects or information may they need to access while they are traveling?
Harden the target: International business travelers
Never bring a knife to a gunfight.
One option, should the environment be deemed too risky for personal laptops, would be in bringing a completely empty shell of a system: no ghost data bits floating around for resurrection via computer forensics and no critical business operations data is risked in a simple laptop theft on the street or while left unattended in a hotel during a conference.
By leaving the majority of data behind, question four is answered. As a benefit, you follow Sun Tsu principles and simply aren’t vulnerable where your enemy is strongest.
To answer questions five and six, critical data could be kept in a small encrypted micro-SD card, worn around the neck or carried in a pocket. When used with a USB adapter on a restricted, data-slicked laptop, you’ve got gigabytes available.
Take it up a notch with tamper-proofing on your laptop’s hardware, such as the $10 Tamper Tab solution offered by 3M.
Provides a powerful deterrent to theft and tampering. Perfect for sealing off-limit items, everything from cabinets and files to laptops and luggage.
Simply sign the seal with a ballpoint pen, remove the backing and secure it over anything you want protected.
If the seal is lifted or tampered with, an irreversible pattern immediately appears, alerting you to unauthorized access to your property.
Providing this gives your traveler or the IT team a method to tell at a glance whether someone tried to open up the hardware. Tampering rats out any number of potential cyberspies who tried to access the data, such as in airport baggage areas or by the hotel staff cleaning the rooms.
Laptop lockdown provided courtesy of DoD
Finally, creating a restricted, slicked laptop could be time-intensive and expensive. Fortunately, the backbone of counterintelligence technology is available right now at no cost to you courtesy of dotmil worker bees and your Department of Defense tax dollars at work. Introducing LPS-Public:
LPS-Public is great for those with Macintosh, Linux, Windows, etc., those using others’ computers and/or for more sensitive or risky cyber activity. Booting from a CD and running only in RAM, LPS-Public installs nothing, does not need administrative rights, and purposely cannot access the hard drive. LPS-Public provides a Firefox browser with plug-ins, CAC middleware and a PDF viewer within a very thin Linux operating system.
Rather than simply recommending a download of the LPS-Public disk, I strongly recommend establishing a policy which includes issuing loaner laptops which this OS is able to be run on. Slicked hard drives and no operating system to speak of, there is no data recovery methods which can be successful short of the ones run by our dotgov FBI or other three-letter agencies.
One potential objection to this strategy is that IT managers and CIOs lose tight control over what information can be reviewed/recovered. In the age of the insider threat, this is no small consideration. The ultimate risk assessment coin toss must be thought of case by case as the risk of information capture over the risk of an insider for a limited time.
Think this way: every potential ‘insider threat’ already has their own system hardware at home which an IT department has no control over – therefore it’s not like approaches like LPS-Public would introduce brand new risks.
The costs are negligible: harden your traveling targets with any outdated slick-data laptop, a free bootable operating system and an encrypted micro-SDRAM chip for data storage and seal up the edges to alert the traveler to attempts.
Removing most risk factors for data theft and data fortress infiltration? Priceless.