Giri Sivanesan, senior security consultant at Pentura, warns that with the emergence of global markets and global competition, espionage has evolved and taken on a new meaning. Businesses are now the target of espionage, carried out by businesses or states or state-sponsored businesses.
Espionage attacks on private sector businesses are a dominant feature on information security news wires. In 2010, the British press reported that a technology house had misplaced a prototype phone, prompting fears that the phone was the target of competitive espionage, and an electronic espionage network dubbed 'GhostNet' was reported to have penetrated the networks of hundreds of organisations worldwide. The French newspaper La Tribune also reported that a major aircraft manufacturer had uncovered several espionage attempts at its plant in France. By the end of 2010, both the UK and US governments had voiced their plans to secure national infrastructure from electronic or 'cyber' espionage attacks, with the creation of an Office of Cyber Security (OCS) in the UK and a Cyber Security Office in the White House.
The litany of espionage attacks affecting established commercial organisations over the past year has raised the profile of espionage to new heights. Many people assume the threat of espionage has disappeared. They associate it with the Cold War. They think of novels by John le Carré and Len Deighton. Of course, the threat has not disappeared. The Director General of MI5 said in a speech a couple of years ago that there were more foreign intelligence officers operating in London now than at any time since the end of the Cold War. With the emergence of global markets and global competition, espionage has evolved and taken on a new meaning.
Businesses are now the target of espionage, carried out by businesses or states or state-sponsored businesses. Even so, businesses will assume that espionage is a threat that does not fit on their risk register. They believe that espionage is about stealing state secrets, information about foreign policy or defence or military research. However, it is not just about this. For the private sector, the threat of espionage is about protecting intellectual property, business proposals, evidence to support legal activities or other confidential information from competitors.
Espionage might involve covert techniques and sophisticated types of technical and non-technical attacks. The abundance and availability of business and commercial information online or through commercial press sources means that espionage attackers can identify particular networks, computers or individuals to target, often by aggregating many disparate pieces of information.
There are other challenges too. Some businesses have become so complex that countering the threat of espionage is a challenge in itself; in others, the gulf between decision makers and those responsible for looking after the information that the business depends on is too wide. These organisations seem to live in the hope that their business-critical information is adequately protected even from sophisticated attackers.
Businesses can be forgiven for thinking they have enough risks to manage without adding another one to the list: flooding, flu, crime, hacking, employees who do not comply with the rules and accidental data loss. It might be right for a business to accept the risk of espionage, but it cannot make that decision wisely unless it is aware of the potential threat it faces. As the number of organisations that have been financially impacted by espionage grows, the need to address this becomes ever more acute. Until recently, there has been very little in the way of professional services to help organisations looking to address espionage proactively, with the majority of risk-mitigating activities being reactive and always newsworthy.
Counter-espionage is about identifying the vulnerabilities that might be exploited by a competitor and putting in place the controls to mitigate those risks.