“We’re with the FBI.”
Those four words, uttered by a couple of strangers flashing badges on the doorstep, are enough to make nearly anyone nervous. Historically, they have been particularly nerve-wracking for terrorists, spies, cybercriminals…and CEOs.
When the FBI shows up at a corporation to investigate a potential problem, corporate executives probably do not immediately think of them as friends working to protect the company and the nation. While they recognize the important role the FBI plays in national security, they can’t help but visualize the worst-case scenario and see them as a potential concern for shareholders and corporate reputation.
Fortunately, that is all beginning to change. The FBI’s Counterintelligence (CI) Domain Program is positioning the Bureau in a much more proactive stance by building pre-incident dialog and information-sharing partnerships with businesses, academia and other government agencies.
Security executives and directors in organizations of all types may soon find themselves working with the Bureau to harden their organizations ahead of an incident. Companies big and small, international and domestic, all participate in activities that could invite cyber attacks, terrorism and counterintelligence activities — private security threats that fall directly within the FBI’s new focus.
The Risks and Opportunities of Going Global
A number of factors contributed to this focus shift within the Bureau, but chief among them are the myriad threats to the public and private sector posed by globalization. “The worldwide expansion of businesses and universities is a good thing, and the FBI doesn’t want to stand in the way of that,” says Kevin Favreau, Deputy Assistant Director of the FBI’s Counterintelligence Division. “But institutions that go abroad need to be aware of the risks they’ll face as a result of their decision.”
The speed of business and information transfer over the Internet has combined with other factors to allow businesses to disperse their offices and factories to take advantage of lower costs and efficiencies that may be leveraged from abroad. “For many companies, it makes sense from a business perspective to outsource or offshore manufacturing or R&D,” Favreau says. “This helps companies gain competitive advantage in today’s global market. The business landscape is now the world as opposed to one country.” Similarly, universities are launching international campuses, both to open new opportunities for domestic students and to draw in talented students from overseas. U.S. universities have always attracted foreign nationals to their U.S. campuses as well, but whereas these students used to remain in this country after completing their education, they are now routinely returning to their homelands, in effect exporting new knowledge and talent to other countries.
New businesses or academic campuses that are based abroad may inadvertently put tangible and intangible assets within easier reach of foreign threats, such as terrorists and criminals. Further exacerbating the risk, the host country’s government may not be able to prevent or respond to the threats, and they may not be able to dedicate enough enforcement resources to offset them. On the cyber security front, businesses or universities that rely more heavily on online or digital transmission of data due to geographical distance may suffer more heavily from cyber attacks if not properly secured.
In addition, if a company’s or university’s intellectual property is compromised abroad, there may be no legal recourse. “Most intellectual property laws around the world do not have any extra-territorial provisions or criteria in them. Even if they did, it is questionable if they would be enforceable,” says Lynn Mattice, Chairman of the Board of Advisors for the Security Executive Council and Chairman Emeritus of the National Intellectual Property Law Institute. “If intellectual property has been developed for a U.S. company in India or China, for example, then technically, that development is under those laws, and U.S. patent laws may not apply.”
Executives Underestimate the Threats
Most private-sector organizations have flawed or incomplete understandings of these and other risks inherent in globalization. Mattice emphasizes that this is compounded by CEOs’ current Wall Street-prompted focus on short-term gain. This short-term focus has been driven by pressure to tie the compensation of senior executives to the value of company stock in order to generate larger shareholder returns, he says. “The CEO that’s in place now is willing to accept significantly more risk in the global environment because he’s focused on the short-term,” Mattice says. “He wants to find the cheapest way to do things, because the more he increases the value of the shares, the more he gets in his own pocket.
“In many cases, the CEO isn’t really concerned because he knows he won’t be there to deal with the almost assured downturn,” Mattice adds. “Any negative impacts or resulting issues from this short-term thinking will more than likely be the next person’s problem. The shareholders and employees, however, are the ones who ultimately lose in the long term.” Supporting this theory, Chief Executive magazine highlighted in its March 2008 issue a 91.3-percent increase in departures of Fortune 100 CEOs in the five years since the enactment of the Sarbanes-Oxley Act in 2002, when compared to the five-year period prior to SOX. The magazine’s study also notes that 14 percent of Fortune 1000 CEOs stepped down in 2006 alone.
The lack of awareness of the threats associated with globalization is a problem for both large and small organizations. Nearly 20 percent of Fortune 500 companies still do not employ a corporate security officer to assist in identifying, analyzing and managing such threats, and many of those that do still choose to tip the risk/profit balance significantly toward profit for the short-term. “Extrapolate that to the Fortune 50,000, where you have a CEO who’s wearing 15 hats and one of those covers the security of the organization,” Mattice says. “The problem is that most of the time they never think to put on that Security hat. As a result, they may have no idea what the risks are or how to mitigate them. Since the Fortune 50,000 is the real economic engine of the country, our economic stability is placed at greater risk. A study by the Small Business Administration clearly shows that the preponderance of innovation and employment is generated out of small companies with fewer than 500 employees; they are also the country’s supply chain, the engine that makes the Fortune 500 click.”
Economic Security = National Security
So why does the FBI care about the risks faced by the private sector? Because it has come to recognize, as stated by Favreau and his colleagues at the FBI, that the economic viability of the United States is tied to its national security. The Bureau and the government in general have recast their net of responsibility to encompass not only protecting the traditional targets such as government contractors and military secrets, but also the corporations and other institutions whose innovations and intellectual property (IP) portfolios keep the U.S. economy strong.
Defeating the Network with a Network
On the counterintelligence front specifically, says Tom Mahlik, Chief of the CI Strategy and Domain Section, CI Division: “The FBI has recognized a shift from a primarily symmetrical threat — that is, a threat that is establishment-centric or state sponsored, with international spies based out of embassies and consulates — to an asymmetrical threat — with sensitive information being stolen or transmitted by a network of scientists, engineers, foreign businessmen, students or employees of foreign background. This is in addition to approximately 500 known or suspected intelligence officers that roam our country,” Mahlik says. “There are tens of thousands of asymmetric collectors in positions to do more damage because they have hands-on access to our country’s intellectual property, and sometimes our nearest and dearest classified secrets.
“In addition, the evidence from hundreds of ongoing FBI espionage-related cases pointed to the fact that incursions were on the rise and that the targets of choice had shifted from classified to the unclassified but sensitive R&D and IP,” Mahlik continues. “We knew that the earliest detection of such incursions was not going to come exclusively from deployed FBI assets, but rather, directly from the private sector.”
These factors combined led to the formal 2005 launch of the Counterintelligence Domain Program, which was geared towards creating a closer working relationship with potentially affected targets in the private sector: industry and academe. “Simply, the call was for the FBI’s CI corps to know their domain — to work with constituents and stakeholders to identify economic and military ‘crown jewels’ in their jurisdictions, and then to overlay our knowledge of the threats in the same domain to help us prioritize where we could have the most preventive and responsive impact,” Mahlik says. “It wasn’t just the Bureau against the world anymore; it had to be a Bureau-led network of new eyes and ears from both the private and public sectors. Building domain-wide awareness, while at the same time improving communications between the private sector and the FBI, was deemed to be the most effective approach for starters.”
Domain Awareness
As FBI Director Robert S. Mueller III became aware of the best practices that were being generated by the CI Division under the auspices of the CI Domain program, he recognized that adopting the “Know your Domain” campaign across the whole FBI would help the Bureau transform into a more proactive, preventive agency. Along these lines, the “Know your Domain” basic premise has since evolved into a much broader, yet more defined “Domain Awareness” concept that compels each of the FBI’s 56 field divisions to develop a 360-degree understanding of all national security and criminal threats to the assets, equities and entities in a specific area of responsibility or domain. “We are reengineering internal processes that will assist in knowing the ‘knowns’ and ‘unknowns’ and closing the intelligence gaps of the ‘unknowns’; knowing and pursuing priorities; knowing internal capabilities and limitations; knowing and tailoring the portfolio of FBI products; and knowing the FBI customers,” Mahlik says. “And at the center of the evolving Domain Awareness campaign is knowing and leveraging partners — both public and private. This puts us directly in the mainstream of working with corporate America in a partnership, before the crisis, to come up with joint solutions that will not only protect corporate interests but also national security. The front line of defense is the private sector. The battle plan on how we’re going to defend this country is domain awareness.”
The program is built upon three partnership-building initiatives: business alliances, academic alliances, and alliances with other government agencies.
• Business Alliances. Through its business alliances, the FBI will meet with corporations to educate them on the threats they may face and to help them identify, audit and protect valuable tangible and intangible assets. “As corporations on their own volition recognize the threats that we communicate to them and begin to make adjustments, they will help to strengthen national security,” Mahlik says. Businesses and the Bureau will share information, in both directions, to ensure that both sides are privy to the most current and relevant threat information available.
• Academic Alliances. In the CI Domain Program, the academic alliances consist of the National Security Higher Education Advisory Board (NSHEAB) and the College and University Security Effort (CAUSE). Both groups exist to establish dialogue between the FBI and academic institutions to increase awareness of threat and national security issues. Communication is core to these efforts because of the cultural divides that have traditionally existed between institutions of higher learning and bodies of governmental authority. These cultural boundaries are being broken down through dialogue in the interest of protecting national security without hindering the educational opportunities and scientific discoveries universities can offer.
• Alliances with Other Government Agencies. Other state and federal agencies also provide important information-sharing resources within the Domain Program. They can be yet another set of eyes and ears to help the FBI form an accurate picture of the total domain.
“Thus far, the effort has been all consuming,” Mahlik says of the continued development of the program. “The more you learn, the more you realize there’s so much more to learn. Knowing your customers and their issues, building networks, creating discourse — domain awareness is now a state of mind for all the FBI to embrace.”
Marleah Blades is Senior Editor for the Security Executive Council. Prior to joining the SEC, she served for six years as managing editor of Security Technology & Design magazine.