Published by The Lawfare Institute
in Cooperation With
American companies are in a bind. They are on the front lines of a fierce new geopolitical competition that threatens their businesses like nothing they have seen before. This competition is driven by the primary lesson of the Cold War, a lesson that China and other nations have learned well: Economic power is the key to national power. Those countries with a strong economic base across a wide swath of key industries will be well positioned to advance their national agendas. They not only will have significant financial resources to direct toward their goals but also will have a multitude of economic levers with which to influence other nations.
Many authoritarian governments are doing everything they can, including using their spy services, to build successful businesses and grow their economies. Indeed, even some nonauthoritarian governments are taking this approach. The reason for this is simple: A large number of nation-states view privately owned companies within their jurisdictions as extensions of their governments. They support and protect the companies as if those entities were integrated parts of government. These nation-states are consciously building national champions to dominate industries to extend their national power—not just domestically but also worldwide.
U.S. companies must understand that in many cases they are no longer simply competing with corporate rivals. They are competing with the nation-states supporting their corporate rivals—nation-states with enormous resources and capabilities and with very little restraint on what they will do to succeed. What chance does a U.S. company, playing by the rules, have of competing with a rival company that is supported by its home government, including that government’s spy service? U.S. businesses are decidedly not supported by U.S. government spy agencies. For this reason, they are often competing on an uneven playing field.
Exacerbating the problem is the fact that businesses and investors are woefully unprepared for this new environment. They have neither the information nor the tools they need to protect themselves, and they can’t reliably turn to the U.S. government for help, because the government is limited to broadly protecting industries and the economy. Government agencies have neither the inclination nor the resources to protect individual companies. The interests of the U.S. government and those of private companies overlap to some degree, but not entirely. Even if the U.S. government ultimately punishes someone for stealing intellectual property from a U.S. company, the U.S. company has still likely lost whatever strategic advantage it possessed. And there is little, if anything, the U.S. government can do to make the company whole.
Put simply, the business and investing world is being transformed by nation-state competition and the weapon of choice within that competition: espionage. And the only way for American businesses and investors to protect themselves is to develop a broad understanding of that weapon.
Until the 2016 U.S. presidential election—and now perhaps continuing with the 2020 election—the average American has not been concerned with the spy business. Previously, the practice of intelligence was typically limited to a small group of people. Those people, on behalf of their government employers, wielded intelligence tools against one another in a constantly evolving game of cat and mouse. And their primary objective was to steal other governments’ plans or at least to understand the governments’ intentions.
No more. Intelligence and the art of spying are no longer constrained to the government sphere. While spy tools and tactics are more readily available, what is truly driving this proliferation is the intelligence realm’s shift in focus from government to businesses. The assets that competitor states are now seeking to obtain from the United States are not possessed by the government—they are possessed by companies. By and large, businesses control the most sophisticated intellectual property, the most unique know-how and the most expert personnel. As a result, China and other authoritarian powers have been targeting American businesses and others around the world to obtain these valuable assets. And one of the primary tools authoritarian governments use to acquire those assets is spying.
This monumental shift in focus has been percolating in the background for quite some time. China, in many ways, has been at the vanguard of this change. But only recently have a significant number of other countries started to emulate their practices comprehensively. The change has come much as Hemingway described how one goes bankrupt: in two ways, gradually, then suddenly.
Yet, while the spy business has become a topic du jour on any number of news outlets in the years since 2016, it is still poorly understood, especially in the business and investing world. Until relatively recently, most businesses and investors did not need to be concerned with espionage, as it did not have a widespread impact on the business world.
In addition, most companies are focused too myopically on strong cybersecurity as a panacea for spying. Of course, cybersecurity is extremely important, but it protects only one vector by which a nation-state could spy on and subsequently loot a company. One person with bad intentions on the inside of a company could circumvent the most sophisticated and expensive cyber defense. This concept can be taken one step further: One malicious actor on the inside of a company can undermine almost any security system, be it physical or virtual.
At its core, spying is about the pursuit of knowledge. And people are the ultimate fount of that knowledge. If one company wants to know what another company knows, the targeted company’s employees often can provide the most insight. While intellectual property stolen from another company via cyber intrusion is certainly of value, it is even more valuable to have the person who developed the intellectual property explain how it was developed. Similarly, while voluminous amounts of data stolen from another company via cyber intrusion are also of great value, it is even more valuable to have that same company’s expert explain how the data is exploited. The way to gain that knowledge is through recruitment.
Recruiting people who know what you want to know is the paramount objective of spying. This is why people are simultaneously the greatest defense and the greatest vulnerability of any organization—be it a government agency or a business. The strengths and weaknesses of an organization’s people are the strengths and weaknesses of its business. That is often true in general, but it is especially true when considering the threat of espionage.
If companies are not working with their employees to protect them from malicious actors, they are missing the big picture. For example, do employees know who to inform if they are approached, offered a bribe or are being blackmailed? And if you are an investor, and the companies in which you are investing do not have a program to safeguard employees, then you have just bought an enormous amount of unknown risk.
If businesses want to protect their assets, then developing an understanding of spies and their activities should become standard practice for business leaders and investors today. Businesses in the United States are on their own, and they must adapt to survive and thrive. They need to develop sophisticated defenses to the slew of attacks from nation-states. Despite the power imbalance between sophisticated competitor nations and U.S. businesses, the latter are not without recourse. In many ways, the solution is relatively straightforward.
First, companies must “know” their business and their business environment. They should have a keen understanding of their industry and where their business fits into the global landscape. Take, for example, the “Made in China 2025” plan—a Chinese government list, established in 2015, that details 10 key industries, then dominated by foreign companies, in which China aims to dominate first domestically and then globally. Is the business in an industry identified in the “Made in China 2025” plan? Is the business in an industry that produces a key technology needed for another country’s economic or military development? Answering these types of questions helps a business understand the severity of risk it faces based on its industry. It matters greatly, for example, if the business is facing an advanced persistent threat—that is, an individual or group with a full range of intelligence techniques and specific objectives—or a more generalized risk, which could simply be opportunistic rather than targeted.
Companies can also face risk based on the environments within which they operate. If they, their partners or their supply-chain vendors are located in jurisdictions that require them by law to provide information or otherwise cooperate with the local intelligence and security services, possibly without judicial review, then a competitor nation could easily and “legally” obtain their most valuable assets.
Second, companies must identify their most important assets—those that, if lost, would greatly affect the company’s ability to succeed moving forward. This is not just about advanced technology or cutting-edge research and development. While these things are sought after by nation-states, so are knowledgeable employees, key suppliers, and unique business processes and strategies. Consider for a moment the advantage a company’s competitor would gain if it stole that company’s business strategy for the coming years. Companies must understand the myriad things that need protecting; anything that provides a business with a competitive edge may be targeted and exploited.
Third, companies must find their vulnerabilities and address them. In doing so, businesses need to think beyond the obvious cyber vulnerabilities. Spy services often look to employees as an entry point into a company. If such employees have financial or familial connections to competitor nations with sophisticated spy services, then they could be targeted. Companies must actively prepare employees to weather such attacks and ensure that they are not left to their own devices against a sophisticated adversary. Spy services may also target a business via its partners and vendors, so it is equally important to shield those entities from potential attack or attempted exploitation.
But companies must also be conscious of additional issues when it comes to espionage and nation-state competition. We will expand on this further in a series of articles on Lawfare that endeavor to provide U.S. businesses and investors with the necessary background to survive. This post is the first in that series.
Understanding and mitigating the activities of spies must become standard practice for business leaders. And if investors don’t see companies doing this, they should hold onto their money—tightly.