One problem common to both government and private industry is white-collar crime. How is it possible that government officials, virtually all of whom have undergone expensive, extensive background checks and even polygraph exams before being hired, still turn out to be criminals? Some, like the infamous Aldrich Ames, steal secrets for money, while others skim public funds, embezzle, or even blackmail their employers. Usually, they are caught because they trip up or brag about their exploits.

More serious is the problem of cybercrime, though there is a great deal of information about strategies for data protection, much of it based on systems already used in government. In the aftermath of the September 11 terrorist attacks, private industry has awakened to the need for good security, protecting property, operations, and data.

One of the dilemmas often faced in industrial security is convincing management that there are threats that ought to be addressed. Again, cost is a factor, but the private sector has another tool that is unavailable in government—insurance. In many cases, private firms can choose to spend money insuring against loss rather than paying the cost of security for loss prevention. Management has to decide which is more cost effective. In government, insurance is not an option because the government is essentially self-insured.

Ferreting out threats to private industry is an intelligence problem, but the private sector has been slow to recognize this. In order to protect their firms, security planners have to understand the nature of the threats they face. A growing number of private sector intelligence firms are prepared to provide current intelligence 24 hours a day. These services existed well before September 11, but the need for them has now become more apparent.

Covert Companies

One issue that has received very little attention concerns covert action. In government, covert action refers to secret operations designed not to collect or analyze intelligence but to carry out foreign policy while leaving open the possibility that the state could later deny its involvement. This is called plausible deniability, even though in most cases the denial may hardly be plausible.

Covert action includes the use of secret agents who carry out political or economic action to help friends abroad, including the distribution of false or misleading information—called disinformation—or the use of deception to confuse or distract adversaries. Another form of covert action is what professionals term black propaganda, a form of enhanced or manipulated information, usually based on true material but presented in such a way that the hand of the manipulator or the real source of the information is hidden.

One would think that covert action has no place in the private sector, since such activity is not only illegal but morally reprehensible. Yet evidence is beginning to surface showing that covert action is used in the private sector when firms want to weaken their competitors. There are several areas where traditional kinds of covert action have been used in the private sector. Black propaganda, the main form of covert action, often uses a lobbying group or association whose ties to the sponsor can be buried.

Another covert strategy might be to use deception to hide business activity in various ways so that competitors are fooled into strategies that will prove ineffective. Information can be spread about an alleged new product a firm might produce to goad competitors into wasting time and money to match the effort. Disinformation can also be used to discredit a competitor firm or its products.

In a recent example, software giant Microsoft apparently tried to gain ground on its competition by using allegedly independent organizations to take full-page ads in major newspapers attacking the software giant’s rivals. As the story emerged in the press, it appeared that corporate espionage was involved as well, including efforts to buy the rival firm’s trash. Coming as it did during government efforts to break up Microsoft, one must wonder about the timing of the revelations.

One use of covert action that has received less attention in the press is sabotage, the attempt to thwart a competitor firm by destructive operations in which the hand of the operator is hidden. Airlines have been particularly active in trying to stop start-up competition in this fashion, although they deny any such activity as a matter of course. One major carrier, British Airways, used this technique to try to drive rivals, including Virgin Atlantic, out of business, finding mixed success.

The private sector has a tool to use against covert action that is not really available to government: legal action to seek redress and compensation. The problem for the victim firm in private covert action is gathering the evidence needed to prove injury. After all, the direction and management of covert action is supposed to be hidden, and, if found out, plausibly deniable. In cases that have been made public, the use of covert action has not shown great benefit for the firm using such dubious tactics, although the victimized firms may suffer serious loss or be driven out of business.

The Bottom Line

Before the events of September 11, business managers in the United States probably understood the benefits of good security even if they did not always apply good security practices, but they were much less concerned about the need for good intelligence. The terrorist attacks in the United States have been something of a wake-up call for the private sector. Vague and unfocused government warnings about possible attacks on banks and supermarkets make it clear that the private sector cannot afford to shut down every time Washington cries wolf. It needs more and better intelligence to be able to evaluate threats and plan for contingencies.

US intelligence managers are wrestling with the challenge of overhauling the government’s large and bureaucratic intelligence system to meet the threats of the 21st century. Private sector managers have a different task: they have to integrate good intelligence and effective security to become more productive and safe in an increasingly interdependent world. As US intelligence managers struggle to determine what went wrong on September 11 so they can find and correct flaws in national intelligence, private industry should recognize that it cannot wait to implement good intelligence and security practices. The cost of failure, as governments know, is too high.