Introduction to the Podcast
00:00:02
Speaker
Welcome to How to Get on a Watchlist, the new podcast series from Encyclopedia Geopolitica. In each episode, we'll sit down with leading experts to discuss dangerous activities. From assassinations and airliner shootdowns through to kidnappings and coups, we'll examine each of these threats through the lenses of both the dangerous actors seeking to conduct these operations and the agencies around the world seeking to stop them. In the interest of operational security, certain tactical details will be omitted from these discussions.
00:00:34
Speaker
However, the cases and threats which we discuss here are very real.
Meet the Hosts
00:01:05
Speaker
I'm Lewis Sage-Passant, the founder and co-editor of Encyclopedia Geopolitica. I'm a researcher in the field of intelligence and espionage with a PhD in intelligence studies from Loughborough University. I'm an adjunct professor in intelligence at Sciences Po Paris, and in my day job I provide geopolitical analysis and security-focused intelligence to private sector corporations.
00:01:26
Speaker
My name is Colin Reed. I am a former U.S. intelligence professional now working in the private sector to bring geopolitical insights and risk analysis to business leaders. So today we're discussing how to steal corporate secrets. And joining us for this are Dr. Maria Robson Morrow and Holden Triplett.
00:01:44
Speaker
Dr. Maria Robson Morrow is the program manager at the Harvard Kennedy School's Intelligence Project. She worked as a global security intelligence analyst at Nexen Energy in Canada, and then as an independent security intelligence consultant before returning to academia to study public-private intelligence cooperation.
00:02:01
Speaker
She earned a PhD in Political Science in 2021 from Northeastern University and holds a Masters in Military and Strategic Studies from the University of Calgary and a Bachelor's in International Relations, Economics and History from the University of Toronto.
Guest Introductions
00:02:17
Speaker
Maria's research has been published in Intelligence and National Security, Harvard Business Review and the Journal of Intelligence History. She teaches courses on intelligence at Johns Hopkins University,
00:02:27
Speaker
and she serves on the board and education committee for the Association of International Risk Intelligence Professionals.
00:02:33
Speaker
Holden Triplett is the founder of Trenchcoat Advisors, where he advises clients facing sophisticated nation-state risks. He spent nearly 15 years with the FBI and has extensive international and domestic risk intelligence and security experience. He also spent several years in overseas assignments, notably leading the FBI's offices in Russia and China. Holden is conversant in Mandarin and Russian and has a unique understanding of the objectives, capabilities, and methodology of the Chinese and Russian intelligence services.
00:03:01
Speaker
During his time in Russia, Holden coordinated U.S. government security efforts facing the Sochi Winter Olympics, including establishing a first-of-its-kind Joint Threat Intelligence Unit with the Russian Security Services.
00:03:13
Speaker
While in Beijing, he worked closely with the People's Republic of China Security Services to plan for the joint security of the Beijing Winter Olympics. Upon his return to the United States, he served as the director for counterintelligence at the National Security Council at the White House. In his last government position, Holden was the FBI faculty chair at the National Intelligence University, where he taught courses in counterintelligence, national security law and intelligence, and Chinese intelligence and information warfare.
00:03:39
Speaker
He is currently an adjunct professor at Georgetown University's Walsh School of Foreign Service. Well, Maria and Holden, thank you very much for joining us. Thank you very much. It's a pleasure to be here. Yes, thank you. Glad to be here.
Paths to Intelligence Work
00:03:52
Speaker
So two very fascinating backgrounds there. So the question we always like to ask our guests is how did you get into your line of work?
00:04:00
Speaker
In my case, it was really puzzles and crosswords. It was studying Bletchley Park, over to cryptography, cryptanalysis, and realizing that the core of any technical problem, any today cyber problem, but historically technical signal problem, signals intelligence, is a human.
00:04:17
Speaker
It's all about human ingenuity, human error, human creativity. So that fascination took me through studying and then ending up working as an intelligence analyst in corporate security, looking at challenges that ultimately had to do with humans. And then I returned to academia to study intelligence in the private sector. I was fascinated by the challenges, but also the collaboration we see and patterns, which I'm sure we'll talk about. But ultimately, it was that human factor.
00:04:45
Speaker
and cognitive psychology, human ingenuity, and human error. So mine starts with an event I think for a lot of people around my age. So I was in law school during my second year when 9-11 happened.
00:05:00
Speaker
And I had intended to go into corporate law and do essentially project finance work, infrastructure development and that type of thing. And 9-11 really changed that trajectory. I think a lot of people wanted to, felt like a need to participate. And so I almost quit law school at the time, but
00:05:19
Speaker
thankfully, my parents sort of guided me through that and made sure I could contribute in a number of different ways. So I finished that out and then started applying to different parts of the intelligence community. Soon thereafter, in 2004, the 9-11 report came out and they kind of designated the Bureau, the FBI that is, as the main kind of investigative arm to deal with terrorism. And so that's where I ended up.
00:05:43
Speaker
Funnily enough, actually, my father was in the FBI for 30 years, actually, as a special agent. So I grew up with, it seems a little creepy now, of pictures of Herbert Hoover all around my house. So anyway, it may have been predestined, or there's probably some psychological thing that needs to be unpacked there. But anyway, ended up in the FBI after all that. Well, that's excellent. So let's get this started with Maria for some framing of
Corporate Espionage Overview
00:06:07
Speaker
the problem. When we talk about corporate secrets, what are the types of data we're talking about when we say that?
00:06:14
Speaker
Absolutely, thank you Colin for the question and it's again a pleasure to be here to talk about this. So I wanted to start by saying that I'll be touching as we go on some known cases that have been taken to court, ones that are documented and so forth and I look forward to delving into some of those.
00:06:31
Speaker
But looking at espionage on corporations, they're really divided into a few different categories. So we see nation states targeting companies, I think we'll talk more about all of this, but so nation states targeting companies and companies targeting companies, and we can divide that into: there are disgruntled employees who are leveraged, employees who are looking for financial gain out of this.
00:06:57
Speaker
Sometimes, collection without any sort of insider involved, it's possible to target companies and collect information without being directly having an in, but often we do see that insider risk piece of it. I'm sure we'll talk more about all of this, but we see different types of perpetrators and very different objectives.
00:07:18
Speaker
Holden, if I can hot pursuit this with a question for you. Maria has touched on this idea of both companies targeting other companies, but also nation states having an interest in stealing corporate data. Can you tell me a little bit more about that? That's a really interesting distinction.
00:07:35
Speaker
Yeah, I mean, it's sort of a wild world at this point where you've got all kinds of adversaries out there coming after corporate data. I think just trying to really simplify it, I try to think of it as falling into three buckets of what people are after within a corporation. It's either information, influence to some degree, or just pure money.
00:07:54
Speaker
And then largely will fall into these three buckets. And on the information side, I think, you know, Maria is absolutely right. They're looking for some of this kind of cutting-edge data, and certainly a lot of people's minds go to this high-end IP, you know, be it sort of AI or quantum or things like that. But what I've seen a lot of times is it can also be the sort of very mundane types of things that most people wouldn't think about:
00:08:17
Speaker
who are your suppliers, your corporate strategy. We can talk about the motivations of the different groups, be it a sophisticated criminal group or a nation state or even a social political extremist who might come after a corporation.
00:08:33
Speaker
In the end, there are some who are looking to get a particular edge by stealing some very high-end intellectual property or cutting-edge technology, but there are others who are just looking to dominate in an industry. They're looking for any competitive edge they can get at. Knowing what your corporate strategy is, knowing who your customers are, knowing who your partners are, suppliers, those types of things can give them a competitive advantage.
00:08:59
Speaker
I think it's really important for people to kind of keep the aperture open and think about the wide range of data that they could be after. And that's just sort of, again, information bucket influence and money or even kind of additional things added onto that that they're focused on.
Espionage: Then and Now
00:09:16
Speaker
If I can add on to that, fantastic, I'll delve in and add on to a few things. If we think about the information and the incentive for corporations to collect proprietary data or corporate secrets, one of the motivations would be that it's
00:09:35
Speaker
more costly and takes more time to innovate from scratch than to steal someone else's plan and to try to beat them to market or be competitive with their product if you know what it's going to look like before it comes out. And this is akin to me of what we saw in the Cold War with state-on-state espionage with the Soviets targeting the Manhattan Project, the nuclear project in the US and Canada and with the United Kingdom, the idea that it was
00:10:04
Speaker
faster, more effective for Soviet spies to collect the plans and to smuggle documents out for the Soviets to replicate the atomic bomb as opposed to building it from scratch. And fast forwarding to 2023, we're coming out of the COVID-19 pandemic and we saw the incredible ingenuity and research going on for mRNA vaccines. And it's a reminder that in the health sector, the pharmaceutical industry
00:10:27
Speaker
it takes a lot of time and resources to research, develop, test, and bring a new product or drug onto the market. It can be much more cost-effective and time-effective to steal those plans.
00:10:40
Speaker
So let's talk a little bit about vectors now, and Maria, we'll start with you, and then Holden,
Methods of Corporate Espionage
00:10:44
Speaker
I'd like your thoughts on this as well. Most people's idea of stealing secrets is something of a Hollywood idea, right? There's someone rappelling down a rope over a pressure-plated floor and stealing something from a vault. But how does it actually work, right? How does this work in practice when people are stealing secrets from corporations?
00:11:03
Speaker
Absolutely. I would say, actually, potentially controversially, that Hollywood isn't far from the truth. In a lot of the cases that we look at, it's not all rappelling and stealing trash, but sometimes it is stealing trash. There are some historical cases where companies or nation states have actually employed private investigators to go through papers that were discarded and so forth, that we think would be obsolete, but actually there are some surprisingly recent cases where this has taken place.
00:11:32
Speaker
So in terms of what it can look like, I'll talk about six different types. So there's, some are human intelligence or HUMINT, some are for the signals intelligence or cyber side, and then open source. So in terms of what it can look like on the human side, there's
00:11:50
Speaker
the insider threat of an employee bringing documents, bringing information, proprietary data, out of a company. For example, IBM has famously been targeted over and over again by other corporations and nation state actors. There are some very well documented cases where employees were taking thousands of documents out of the company.
00:12:12
Speaker
There's also human intelligence side of just listening to conversations in public places, so this wouldn't always make Hollywood, it could be pretty boring, but there have been, again, cases where a private investigator, for example, was sitting at the next table in a restaurant, listening to a conversation that executives didn't realize wasn't actually private, that happens a fair bit, as well as monitoring the patterns of individuals walking
00:12:33
Speaker
to work and then figuring out, okay, this person usually takes business calls while he's walking and you can listen in on them and things like that. The third one would be no longer quite insider, but hiring away an employee. There are cases of companies identifying individuals with access information, giving them a lucrative offer at their company, and then they bring the information with them.
00:12:57
Speaker
And then one I hope we can talk more about, which I saw in my time in the private sector, is the idea of information being left lying around. We're in a slightly different world now with remote workforces or hybrid, but something that I get passionate about, because I saw too often that those with the most sensitive information weren't necessarily the ones who were compulsively safeguarding their information and locking their computers and things like that. So that's all around the human side. And then on the more electronic side,
00:13:26
Speaker
intercepting email and communications, phishing attempts. Again, this isn't the stuff of Hollywood anymore, but getting someone to click on the wrong email, accessing people's login data, that is a common way of accessing systems. And I've got a couple cases that I'm happy to talk about if our conversation takes us there. But then the final one I want to mention is open source. So a lot of what we're talking about is illegal, but there are some interesting examples where
00:13:55
Speaker
Foreign state-owned enterprises have used freedom of information requests, so FOIA requests, to access information. For example, if companies submitted data to the Food and Drug Administration, that can be accessed through a FOIA if you have a U.S. entity, a U.S. individual who can submit that request. And that's not illegal, but it's a big problem for the company.
00:14:20
Speaker
Yeah, I think it's a great way to think about it. And I mean, just generally talking about that there's a lot of illegal techniques, which is the more Hollywood-esque sort of part that a lot of people think about, or at least maybe sort of kind of borderline. But there's some extremely effective legal techniques, or at least kind of maybe in that gray zone, where you're hiring someone away and they've got the secrets in their head, or maybe they're even the IP creator, right? And then they're sort of adapting what that was and bringing it to a new place.
00:14:50
Speaker
Are they violating copyright or trade secret or some other type of IP protection? It gets a little bit murky, but can be extremely effective in terms of injecting new ideas into a company. But I think there is a lot of that. I agree with Maria. There is an element to this. It seems very Hollywood-esque, but it's also very true. Think about the physical part of it. There's still physical intrusions into places.
00:15:15
Speaker
I'm gonna really gloss over the details, but there's a famous case about Tapper, I think is what it's called, which was essentially a robotic arm that T-Mobile was using to test mobile devices, and the PRC wanted it.
00:15:32
Speaker
And so they tried a whole bunch of different ways, including cyber intrusions, to kind of get at how it worked. And ultimately they went on tours in the building and stuff, and ultimately couldn't replicate it. And so finally they went on a tour and they just ripped it out of the wall and put it in a bag and tried to walk out with it.
00:15:48
Speaker
which seems like a not very effective way to do it because they got caught, but you'd be surprised that there's some really effective ways. I mean, if you imagine just thinking about the amount of companies that employ cleaning staffs at night, and how difficult would it be to pay them $50,000 to put a thumb drive into a computer for an hour, then pull it out after they go home or when they're going home? It can be a pretty effective sort of hybrid attack that's out there. And certainly on the human side, I think it does, you know,
00:16:14
Speaker
sacks of cash and romantic relationships are extremely effective at motivating people. I think that it continues to really work. The Russians and the Chinese use both those techniques with abandon, and they are really effective ways to recruit people, get blackmail material, and then coerce them into giving information or other things from it.
00:16:38
Speaker
There is certainly, I think, as Maria alluded to, a really boring side to it, which is that it's just a lot of times a lot of work and building up towards it. And that's really a necessary part of the sort of techniques. But there is a sort of sensational piece still that exists out there.
00:16:53
Speaker
And just on the note of convincing someone to plug a USB key in, we've seen the extent of damage that can happen when that's done against a nation state.
Skills Transfer from Government to Private Sector
00:17:03
Speaker
Edward Snowden, the National Security Agency contractor who did that deliberately to reveal U.S. government secrets, is an example.
00:17:11
Speaker
When I worked in corporate security, our colleagues in IT security would have someone stand in the lobby of the building and hand out USB keys and see how many of them got plugged into the system without being scanned. And the results were somewhat distressing, but very, very useful. So I will talk more about solutions to that later.
00:17:32
Speaker
There is that idea of the malicious actor or the agent or asset who agrees to do that knowing what they're doing, but then there's also the unwitting employee who might fall victim to something.
00:17:44
Speaker
So you've spoken a lot here about if I'm a hostile actor with experience in state, stealing government secrets, there are ways to apply this trade to the private sector. You talk a lot about the skills that translate well, but are there any skills that don't translate from public to private? Are there any areas of government intelligence that you think just aren't possibly being replicated in the private sector? I'm happy to kick it off. I think one of the
00:18:11
Speaker
challenges now can be on the other side of things that outside of government is just the idea of privacy. When you are in the government and you essentially sign your life away, they can do continuous background checks on you and that's just part of it. You're getting access to sometimes very sensitive information and that comes with the territory that you mentioned that are fairly invasive into your life, polygraph regularly, that sort of thing.
00:18:42
Speaker
But I think that type of verification is very difficult in the private sector. You know, maybe if you're in sort of, you know, defense industry adjacent, that's sometimes possible. But, you know, there's just, for good reason as well, like, there's a general antipathy to,
00:19:00
Speaker
you know, digging into your employees' lives, having them give up kind of continual information. I mean, it'd be great to know if your employees were experiencing financial distress,
Balancing Privacy and Security
00:19:08
Speaker
right? Or if they had a change in marital status and putting all that information into kind of figure out, are they more vulnerable now than they were before from a corporate security standpoint? It could be very helpful.
00:19:18
Speaker
But certainly from a privacy standpoint that can be really frightening, right, that suddenly you have some issues in your life that you're dealing with, have nothing to do, hasn't changed how you approach work, but now they've got you on an enhanced monitoring program at work
00:19:33
Speaker
that you were on before, and now they're seeing all sorts of, you know, things that you were hoping maybe they wouldn't see, that are to minimize, but it's there, they're watching a lot more closely. So I think that balance in terms of the kind of the security and privacy is,
00:19:48
Speaker
I think the line is a lot different in the private sector than it is in the government. And I think that makes a lot of the techniques that were possible in the government a lot more difficult for someone on the corporate security side to employ. And it's actually a bit more creative and a little bit more, I think, engaging with the individuals that are involved rather than kind of holding them as potential threats, which is sort of how the government approaches insider issues like that.
00:20:15
Speaker
So Maria mentioned earlier a number of sort of cyber case studies that she might want to
Real-world Espionage Cases
00:20:21
Speaker
share with us. I want to talk about those primarily so that we can get down into this question of, is the cyber vector, is the technology vector the most effective one? Is there even a reason to do kind of the old gumshoe style of stealing secrets anymore? Thank you, Colin. I'm very glad that we are delving into that a bit. I actually had a couple of cases I wanted to touch on that have
00:20:45
Speaker
a separate but also a human angle, one in particular. So this one we've alluded to. Holden mentioned nation states that are probably top of mind when it comes to industrial or corporate espionage. So China and Russia; there are a lot of historic cases of friendly countries such as France and Japan conducting industrial espionage. And then there are cases of corporation on corporation, which we haven't talked about too much. So
00:21:12
Speaker
I want to bring up a potential curveball which is a Canadian company spying on another Canadian company a few years ago. This was a case of two Canadian airlines where WestJet covertly accessed the internal data of Air Canada and they did this
00:21:29
Speaker
through essentially like a phishing attack of using an employee's login details to access the intranet of Air Canada. And they were able to collect vast streams of data such as trends of how full Air Canada flights were, their flight operations and patterns. And this was very useful operational competitive advantage information. And they ceased doing this when Air Canada detected
00:21:55
Speaker
this and determined that this wasn't this employee who was accessing and letting all of this data. This was actually a rival corporation. And then the plot thickens even further. They came to a financial settlement where they agreed on WestJet covering Air Canada's legal fees and then the two jointly donating $10 million to children's charities. But they came to this agreement after they discovered that
00:22:21
Speaker
Air Canada, meanwhile, who had been the victim, had actually hired private investigators to comb through trash at a WestJet executive's home. So there are a few layers to this, but we see the intrusion using a very traditional technique of accessing someone's login information, then paired with this counter effort that involved combing through recycled materials and trash.
00:22:47
Speaker
So this was in the mid 2000s, I believe. So this is a fairly recent example of this taking place using not even that sophisticated methods. So sorry, Colin. I know it would be fun to talk about a much more sophisticated cyber case, but in this case, it was just accessing a password. Yeah, I could agree more. I mean, I think there's
00:23:09
Speaker
At times, myopic focus on the technical threat and cyber, it's obviously very concerning because
00:23:18
Speaker
In theory, it can really appear from anywhere in the world, and so it makes the attack vectors, or potential number of threat actors is very large. But I think the reality is, when you really break it down, there's a significant number of these intrusions, which are based more on social engineering, manipulation, or a mistake by a person who is lured into doing something.
00:23:47
Speaker
versus a highly sophisticated attack that relied on a zero-day exploit in order to get into a corporation. And so I don't want to downplay the cyber threat; it obviously is very serious and very real, but in my experience there's fewer and fewer times where it doesn't involve a human at some point, either exploiting their vulnerability or,
00:24:08
Speaker
even say, pretending to exploit their vulnerability. So again, thinking of a scary scenario of like, you know, how difficult is it to find someone within a business that, if you paid a certain amount of money, to click on a well-constructed email that looks like it comes from, say, maybe their university as an alum email, and you're going to put a link in there that automatically downloads a payload, and where they could then go to, you know, the CISO and say, hey, I don't know, I got, you know,
00:24:38
Speaker
I get this University of Michigan email every month and I clicked on it like I always do. And this time something happened. Right. And so they've got plausible deniability. And so I actually think these probably happen a lot more often than we imagine. But you have
00:24:54
Speaker
sort of happy parties on both sides, and so no one really wants to talk about it, and a lot of times things that are put out as accidents might have been orchestrated.
Insider Threats
00:25:03
Speaker
There's an example from a few years back. It was a failed attempt to get into Tesla but it was an employee who essentially was approached by a criminal group which may have been acting as a proxy for the Russian government. It's a little bit unclear from the facts in the case
00:25:18
Speaker
But ultimately, they were asking the employee to first describe what the cyber infrastructure looks like so they could design a ransomware attack that would be more successful. And then ultimately, were asking him to help facilitate it by either plugging in a thumb drive, clicking on a link, and then even offered to conduct a DDoS attack simultaneously to hide the fact that he was helping with their intrusion.
00:25:43
Speaker
And he reported it, and investigated and arrested, etc., so happy ending. But if you think about it, if you decided not to report and it's just gone forward, perhaps a news story would have been, you know, Tesla attacked by sophisticated outside ransomware attack, knew exactly how to get into the system, and it would look like this incredibly sophisticated technical attack. In reality, they recruited someone on the inside.
00:26:06
Speaker
So I think there's a lot there, a lot of interplay between where you recruit someone to help facilitate a cyber attack or you conduct a cyber attack to figure out who are the right people to recruit because they have access to the really sensitive information. I think you get a lot of both on both sides of it. And so I think it's actually a lot more complicated to protect from these types of attack than simply just saying, hey, we've got a great cybersecurity network security program.
00:26:32
Speaker
And we got a great insider program, but they actually don't talk to each other, which is sometimes the case. So we've calibrated on the ways these threats manifest a little bit. Holden, I'd like to start with you, and then Maria, get your thoughts as well. We're thinking a lot about,
00:26:47
Speaker
you know, the ramifications here. And we tend to think that in corporate espionage, kind of the worst thing that can happen is somebody steals the formula for Coke, right, and makes a whole bunch of money, and that's bad for the Coke corporation. But maybe talk to us about some of the more serious, maybe life and death ramifications that can stem from corporate espionage. I'm thinking here, we had a recent episode titled How to Sell Fake Drugs Online, and that was talking to us all about how dangerous pharma crime can be.
00:27:14
Speaker
So, maybe give us some examples of that if you're aware of any. Yeah, I mean, I think there's some accidental stuff that has happened or some concerns that could have grown into something larger. The ones that I'm really concerned about I think are more theoretical at this point and concerns and there was
00:27:34
Speaker
Maria earlier mentioned the COVID-19 vaccines that were developed. And there was a lot of information that came out about both China and Russia targeting not just the actual vaccine, but the whole sort of process for how it was created. And part of the concern was, could they go in and manipulate it? Is there something they could do in order to sort of poison the well of data that was being utilized in order to hurt the vaccine? Maybe it wouldn't kill anyone, but maybe just would be ineffective. And so when the US is sort of promoting their vaccines and giving them out,
00:28:04
Speaker
Could it have a negative effect? There's a lot of testing in the pharmaceutical industry which happens all around the world.
00:28:11
Speaker
How difficult would it be to slightly change the formula on certain things? And so it did have a potentially negative effect. You can imagine that there would be certain nation states who are trying to dominate industries that would be advantageous to or even from a corporate side if they're trying to get into a particular market and they're able to crash the company shares, which brings up another idea, which has been some years now, but there was some movement years back where there was
00:28:39
Speaker
Russian intrusions into various exchanges in New York, where the worry was they may be sort of crashing share prices until someone else could buy it up at a lesser price. No physical damage there, but obviously some financial damage. But I do think there is some real risk to this, especially as the world continues to get more volatile and you have more and more threat actors who are
00:29:04
Speaker
taking actions and conducting, as we just recently potentially had in Canada, see how the evidence plays out, but who are conducting overseas assassinations. And it's not too much of a farther step to think about how could they affect corporate data, get into systems in order to cause damage, in order to hurt companies, in order to cause chaos. I think there's a real potential there.
Threat Landscape in Corporate Espionage
00:29:29
Speaker
Colonial Pipeline, which happened a decade ago, but I guess it was only a couple of years ago, if that had gone in a different direction, or some other type of critical infrastructure, could it be used at a nuclear plant, for example, make the centrifuges spin too fast to cause an overload or to cause other problems that would ultimately cause death and destruction? These are all things I think that the government is wrestling with in terms of protection.
00:29:59
Speaker
I see it less so on the corporate side because they just, talking about Hollywood, that seems too Hollywood-esque for them. I think, unfortunately, it's becoming a greater and greater likelihood, even if it's still less likely right now. That's fantastic. And just to add on this, but to take the question a bit of a different direction, not quite the implications of the espionage itself, but thinking really about the individuals within a company who pose potential insider risks.
00:30:28
Speaker
So often, these individuals who are vulnerable because of challenges in their home life, financial debts and so forth, there are a few different ways that they can take that situation. And one of them is lucrative corporate espionage.
00:30:44
Speaker
agreements so forth providing information for money that helps them resolve their situation or perhaps other types of offers from someone who maybe is a private investigator maybe back on behalf of a corporation or a nation state some sort of false flag operation where they think that they're doing something for their country or for another cause maybe they've been offered medical support for a sick family member something like that but thinking about cases of these vulnerable or
00:31:11
Speaker
disgruntled individuals. There's a nation state analogy case of Jeffrey Paul Delisle who was a Canadian Naval officer in approximately 2010 who sold secrets to Russia.
Psychological Motivations for Espionage
00:31:24
Speaker
And it was really not for a vast amount of money. It was certainly some money, but it was not a huge amount. And delving into what he did, it actually turned out that he was depressed. His wife had left him or was on the verge of leaving him and he considered
00:31:40
Speaker
suicide or espionage. And so those were his option sets. That was how he saw the way forward, a way out of his situation. And he ended up selling secrets from NATO to the Russians. But there are analogous situations, imagine in the private sector and corporations where you have disgruntled individuals and we've seen horrific situations such as the shooting at YouTube years ago,
00:32:05
Speaker
there was a media corporation with an employee who I believe had been let go, who then ended up killing colleagues on air. And so we have these situations of the insider threat that turns violent, but also cases where insiders go to us. So, Colin, this is not quite what you asked at the beginning, but really thinking about that source of vulnerability
00:32:30
Speaker
There's that path towards selling secrets, but there are other possible paths that lead to different, really, really unfortunate, sometimes awful outcomes.
00:32:41
Speaker
I want to follow up on that. We're talking a lot about human psychology. We're talking a lot about these motivations behind it. One of my favorite cases I've ever come across in the insider risk world was a case in which a British private investigations firm convinced a young employee of a target company that they were actually MI6. They recruited him, making him think that he was essentially taking part in a national security mission when really he was taking part in a
00:33:08
Speaker
privately motivated mission. Motivation is clearly important. With that in mind, a question that really comes to me is, with the rise of creative activism targeting corporations, is there a non-financial aspect?
Activist Motivations in Espionage
00:33:21
Speaker
Think about this as well, that it's not just a rival trying to steal secrets, but possibly an activist group trying to cause damage to a company or something like that.
00:33:31
Speaker
I think this goes back to what I said earlier, talking about the kind of information influence and money. I put this squarely in the influence bucket. You've got, certainly in the United States, and I think in some other countries, we've got ESG policies.
00:33:49
Speaker
by some corporations and you literally can't win. You can have the strongest one in the world and someone's going to be upset at you or you can have not at all and someone's going to be upset at you. So there's some group that's going to be mad at you one way or another and so there's really no way around it. But what we're finding is
00:34:06
Speaker
The reason these corporations and their policies are getting attacked is because it's an excellent way to draw attention to the particular position that that group has, right? So if you think about where they want, what they want to do in order to highlight some of these issues, you know, and sort of influence, use the company's position in one way or the other, and perhaps they can get the company to switch positions on a particular policy, right? And certainly we've got more and more companies taking
00:34:33
Speaker
Those are obviously in the kind of the social political aspect of policies, but you have more and more companies who are taking what might be considered political positions on geopolitical events that are happening, which are going to make some people very happy and some people very upset. I think there's really a risk here that companies are missing as one aspect of influence, that they're basically the game board to be used for both sides to kind of take shots at each other.
00:35:03
Speaker
We've seen some examples. I can't go into a lot of detail where that's been combined with essentially what is a kind of like ransomware attack and even some doxing of particular executives that they were upset at. You know, a COO or CEO makes a decision that affects a particular policy or they state a position about something politically that someone's very upset about and then groups going after them personally.
00:35:25
Speaker
And going after their kids and threatening to put out kind of very private information publicly in order to get them to retract statements or change their viewpoints. So again, only a few sort of anecdotes at this point, but you can see the power that that has. You get a Fortune 100 company changing their position on something and starting to push in a particular direction.
00:35:48
Speaker
And that's the type of attention that a lot of groups are looking for. And so you can imagine that this is now as corporate entities sort of take new kind of more public positions on issues that might have been traditionally sort of in the government realm.
Government-Private Sector Dynamics
00:36:03
Speaker
They're certainly having to contend with the same sort of back and forth kind of political football issues that a lot of government entities have been having to deal with for a number of years.
00:36:12
Speaker
Lewis, on your note about the individual who was a private investigator who posed as an MI6 officer, I wanted to add that I'm aware of a case, I won't say the agency or the country involved, but a friendly Western country whose intelligence officers attempted to recruit an individual in industry who rejected it. The approach failed because this person had already been targeted
00:36:34
Speaker
by an individual who posed as an intelligence officer for the person due to their patriotic duty, but was actually a private spy. We're discussing how to steal corporate secrets with Dr. Maria Robson Morrow and Holden Triplett. After the break, we'll examine how to protect corporate secrets from theft.
00:37:03
Speaker
You have been listening to How to Get on a Watchlist, the podcast series from Encyclopedia Geopolitica. If you like this show, don't forget to check out our other content at Encyclopedia Geopolitica, which you can find at howtogettontawatchlist.com, where you can find our analysis on various geopolitical issues, as well as reading lists covering topics like those discussed in the podcast.
00:37:27
Speaker
Please also consider subscribing to the podcast on your streaming platform of choice, giving us a rating and joining our Patreon.
00:37:43
Speaker
So before the break, we spoke a lot about the threat and it's very clear there are some pretty sophisticated and pretty large scale threats to corporate secrets out there. So what are some of the traditional ways companies go about protecting their secrets against these threats? Well, I'm happy to kick off an answer here. I mean, I think...
00:38:04
Speaker
Unfortunately, what I found is that sometimes they don't do a whole lot, which is really not the best way to handle it. I mean, I think there's unfortunately a little lack of appreciation of how serious this can be. And so there isn't always the kind of effort that is needed. And just to say, kind of taking a step back for a moment.
00:38:27
Speaker
to give them sort of, in all fairness, the sophistication of the threat has really increased dramatically in the last couple of years and decade, maybe a better way to term it.
Strategies Against Espionage
00:38:41
Speaker
Because I think previously they were dealing with kind of pinprick incidents that would happen that could be dealt with on a sort of more of a reaction basis. But now with both sort of nation states and then you've got sort
00:38:55
Speaker
sophisticated cyber criminals and other types of criminals who are often leveraging, you know, nation state level tools and tactics, which are increasingly available in the private sector. You know, it is a different ballgame. You have individuals who are spending all their time, highly professional, well resourced, going after companies. And so this really requires a much more sort of holistic effort and really a lot more focus on the preventative side.
00:39:23
Speaker
But one of the things that there's obviously the general corporate security and CISOs and now more and more people have insider risk and there's even sometimes layered on top driving all this is an intelligence program looking for threat intelligence. But even just some basic things about knowing what's valuable in a company. If you talk to someone and say, what are your most important assets? A lot of companies have a hard time doing that. What's everything? What's our people? And it's this. And they'll list about 40 different things.
00:39:53
Speaker
They're not wrong. They all are valuable, but it's really impossible to protect everything at the same level. And so one thing that we now being in the private sector, sort of emphasizing prioritization of like what's most important, like if you lost it, your company's underwater. It's gone in terms of information and really thinking about concentrating resources in those particular places. And how do you manage the risk?
00:40:19
Speaker
Eliminating it sometimes is impossible if you operate in certain geographic areas or you're in certain industries that are going to be targeted, but it is certainly possible to manage it. I think we can talk about it a bit more just by employing some real basic fundamental techniques. You don't need to get into the Hollywood-esque purely counterintelligence and running false flag operations and double agents and all this type of thing.
00:40:44
Speaker
What is that would be you don't need to actually do that to protect things at a corporate level. There's a lot of things you can do to just short circuit sophisticated intelligence operations that are the very beginning. Absolutely, and I'll add on or build on what Holden just laid out there. Holden mentioned
00:41:04
Speaker
The insider risk teams and capacities within companies, often reporting into or working with on a horizontal level intelligence teams and companies. And there's a report that just came out, a 2023 report from Code42,
00:41:19
Speaker
on data exposure and insider risk that indicated that insider risk losses were reported as increasing, even though 72% of companies have some sort of insider risk program or report having that kind of program, and that CISOs, Chief Information Security Officers, reported insider threats as being a greater risk to them than malware. And those can go hand in hand as we've talked about, but they saw insider risk as the number one concern beyond malware and other types of data loss.
00:41:47
Speaker
measures. But in terms of what corporations can and are doing about it, it would separate into two of their internal measures and then their more external measures. And in terms of internal, there are mitigation measures that I'll get back to. But I wanted to point to the external idea that corporations aren't facing this in a vacuum. We talked about corporate espionage of them competing with each other.
00:42:10
Speaker
However, there is an amazing level of cooperation and we were asking at the beginning how we all got into this space. One of the things that drew me to it was that that human ingenuity and creativity, it transcends companies and when it comes to security, there's this term, there's no competition in security.
00:42:25
Speaker
There's this idea that if one bank is targeted today, another bank could be targeted tomorrow. And the flip side is people talk about you don't need to outrun the bear, you need to be less vulnerable than your competitor. But what we actually see when we peel back the surface is this amazing level of cooperation. And Lewis and I actually knew each other when we were both working in private sector intelligence at different firms in the same industry. And when it comes to threat information, there's this level of sharing.
00:42:49
Speaker
So there's that external community of comparing notes on threat vectors, on mitigation measures. There's daily benchmarking about mitigation measures going on in the private sector. And then there are also public-private partnerships that are intended to tackle these types of problems. And the level of sophistication and participation in these partnerships has increased notably over the past few years.
Public-Private Partnerships
00:43:11
Speaker
I've been tracking these partnerships since 2016 and the real
00:43:17
Speaker
gold standard cases, many of them didn't exist when I started looking at it, or there wasn't much corporate buy-in. There was a lot of hesitation a few years ago to share incidents to admit that you'd been hacked, that you had data compromised, and there are still hesitations around that, but there have been initiatives. The Canadian government, for example, has an initiative for companies to share anonymized information so that others are aware, and it also helps intelligence agencies partner with companies to help mitigate these vulnerabilities.
00:43:46
Speaker
And if I may, just going back to the internal side of mitigation measures, Holden laid out a lot of things that really need to be kept in mind. And I wanted just to delve into a few aspects that there is a security awareness component that's really top of mind if we haven't worked in corporate security.
00:44:05
Speaker
And I alluded to this earlier, but I was very aware that those of us who worked on the security side were always hitting Windows L, or the Mac equivalent, but in my company it was Windows L, to lock our screens before we walked away from our computers. And if we didn't, our IT friends would sneak in and change our desktop pictures or other things so that we knew that we had been compromised. So there was that
00:44:29
Speaker
security awareness and culture on the security side, but at a lot of companies, it seems as though that doesn't permeate, for example, the business development side, where you might have the corporate security teams, the IT security teams, locking their computers, putting papers in the locked drawer at the end of the day, and then business development, for example, not to pick just on them, but those who have access
Fostering Security-Conscious Culture
00:44:48
Speaker
to very sensitive information might leave it on their desks, and Holden, I think you mentioned the cleaning staff as a potential source of vulnerability or access. There's a lot of information that isn't
00:44:58
Speaker
safeguarded by those teams that have access to very sensitive intellectual property and corporate secrets. So always on my mind is how do you encourage that security awareness? And there are companies that are taking different measures to promote a culture of security. Another aspect of that is travel security, especially if you're going to a country that's known to target corporate data.
00:45:21
Speaker
How do you ensure that employees are using clean devices, are not leaving laptops or sensitive information in a safe that isn't that safe in their hotel room, things like that. So I want to stay on this. You brought up cooperation between corporations and governments to tackle the CI threat, especially I think in the realm of nation state. We've seen case studies recently, right? I'm thinking of the GE case, right, where the FBI worked very closely with GE on that insider that they had.
00:45:51
Speaker
Holden, I'm keen to get your take on this because of your background and experience. How does that coordination usually work between a corporation and, say, the FBI? How has that kind of changed over time and what are your views on that? And then Maria, also, you can give us maybe the historical perspective, just deep dive a bit on how that's changed over time and how that sensitivity and the relationship there has modified.
00:46:15
Speaker
Yeah, I think there's been a lot to kind of sketch this out in a much more concrete way. My experience I've seen it gone from a place where there just was not a lot of cooperation and really holding the FBI at arms length.
00:46:34
Speaker
I can understand why people don't want to be around their business in case something else is not perfectly copacetic. But, you know, I think there's, what's changed, and getting to Maria's point about awareness, is that companies now can start to recognize this when it's happening. Not all of them, but it's much better than before.
00:46:54
Speaker
I'll say in my private sector advisory practice now, we still encounter companies all the time who don't quite recognize it when it's happening, that they're in the midst of a recruitment effort. They're just talking to government officials. It's nothing that serious where if you have the right background, you can see that no, no, this is typical progression for how recruitment is done.
00:47:21
Speaker
So I think there's a better recognition that it happens now. And as a result of that, you're having companies reach out to the FBI at times or other parts of the US government to say, hey, this is happening. One, I want to tell you as a good sort of corporate citizen, but two, can you help us figure out what to do here? And it also happens
Information Sharing Challenges
00:47:38
Speaker
the other way. The Bureau, through various means, develops information that they know an individual has been approached or is working with an intelligence service.
00:47:48
Speaker
And the bureau has different ways of collecting that intelligence and partnerships or its own techniques and various things. And so then they may approach a company and say, you may not know this, but, you know, Holden Triplett has been talking and meeting with, you know, this official from this country. And we're concerned about what they're actually talking about. So we can kind of start either way, but it's very ad hoc.
00:48:09
Speaker
There are these, and I think they're more nascent, at least in my experience. I'm buoyed by the fact that they exist now, these public-private partnerships. But I think there's really a mountain of information on both sides that is not being shared. As much as the optic that I thought I kind of had in the government about what was going on to American companies and from the NSC, I think I could see most of everything that the government could see.
00:48:35
Speaker
Being on the corporate side now, I'm still astonished by how much is going on and how much doesn't always percolate up to the government to tell them about it. So I think on both sides, there's a whole lot more that could be done, but there's some trust issues and how that gets shared. We don't have quite a great mechanism for doing that. It's a new thing, so it's gonna take some time. But I'm hopeful that these partnerships that have started and are starting to show good work will continue to really deepen that relationship because
00:49:03
Speaker
I don't think we're going to, just speaking from a sort of on the US national security side, I don't think we're going to win this unless that public private partnership is really worked out. It's an essential piece of it. And right now it's still at the beginning stages, at least in my opinion.
00:49:19
Speaker
It definitely is, and I'll, as invited, take us back a few years and then, Holden, I agree with where you left us in terms of the present very much. But we see sporadic instances of known cooperation cases where we know that there was active public partnership to catch perpetrators, but that would often be, the FBI has brought in because there's a breach, there's known to be illegal activity, and the FBI is part of a sting operation to catch the individual. So I mentioned IBM being targeted. There's a documented case of
00:49:48
Speaker
Hitachi, the Japanese company targeting IBM proprietary information where the FBI was part of having agents go undercover to catch that individual. So we see cases of that over time. But what I'd really love to see more of, and I know that companies and government agencies are wrestling with this, is proactive sharing, building that trust that's really key to cooperation, to mitigate and to tackle these threats.
00:50:14
Speaker
collectively instead of in isolation. And the FBI has the law enforcement mandate. So in those cases where there's known or strongly suspected illegal behavior, then the FBI can be part of detection and apprehension. But it's very challenging for
00:50:32
Speaker
intelligence agencies in the US government to cooperate with corporations without being accused of favoritism in a lot of cases, especially if there's an economic angle to it, which stealing corporate secrets sometimes there is. So I've talked to individuals at ODNI and the Office of the Director of National Intelligence and elsewhere who
00:50:51
Speaker
Discuss this challenge and there are some solutions the Department of Defense has really come up with the concept of sharing with the defense industrial base of the company is. I don't have this cooperative relationship with the government and they can share with them and make information available across so.
00:51:07
Speaker
There are mechanisms underway to deal with this, but this is a perpetual challenge that comes up of, unless it's an imminent threat of duty to warn, which still has its, I understand talking to individuals who have navigated this challenges internally, it sounds simple, but if you have a threat to a company, sometimes they're so large of bureaucracy to get through before you can share that. But there are mechanisms that are evolving as we speak to try to tackle this better.
00:51:31
Speaker
I just wanted to follow up on one thing I thought that Maria said was really interesting. And talking about the FBI having the law enforcement mandate, and it kind of ties back, I think something we talked about earlier, which is that one of the difficult pieces of this is that the activity itself may not be illegal, right? So if you think about like Thousand Talents plans, you know, the most notorious Thousand Talents, you know, and go to a specific case, the Charles Lieber case at Harvard, not to pick on Harvard, but, you know, go through the case,
00:52:00
Speaker
The illegal activity that the Bureau was ultimately able to charge him with was, one, putting money in your shoes and that's how you brought the money into the United States, which everyone should know is probably a big no-no. If you're hiding your shoes, you should know, and then lying to the FBI about it.
00:52:18
Speaker
The other part of this, which is the part that we're most concerned about in the FBI, sort of on the hook for trying to investigate this stuff is individuals who are being recruited by these talent plans. And then essentially, we helped build a sophisticated lab in China, and there was a lot of sharing of information that was very helpful to the government.
00:52:35
Speaker
that part isn't illegal. You know, it may think it's against our national security. And when I think many people do think that maybe Mr. Lieber might've thought differently, but I think this is part of the challenge is that, you know, companies may recognize that one, it's hurting them and it could be hurting national security, but they can't find something that to kind of either a corporate policy to adjudicate, get rid of the person. They can't find a clear, you know, getting up to an evidentiary standard to prosecute someone is very high.
00:53:02
Speaker
That's probably not the right standard for most corporations to operate on. Maybe they should operate more on a sort of a risk standard in terms of employees. But they really are looking for that sort of juicy piece of evidence that shows that someone committed a crime. That can be very difficult to find with a lot of these techniques, and especially the PRC has been excellent at coming up with methodologies that skate right along the lines of legality and illegality and being able to suck information out using these.
00:53:31
Speaker
And so that presents a real challenge to the companies as well as the FBI, where we don't have the necessary legal infrastructure now to go after a lot of this. So I think there's some onus on Congress or others to think about what can we do in these circumstances where we could make something illegal. But then also may think that we may have to come up with a different way to approach this problem. We don't want to make this activity illegal for various reasons.
Legal Complexities in Espionage
00:54:01
Speaker
making recruitment and approach by headhunter and that sort of thing making that illegal or even trying to figure out some part of it making it legal is probably a little bit difficult and so maybe we need a non-law enforcement approach for that. We don't really have it right now nor is there an agency to fill in that space.
00:54:18
Speaker
And so there's a lot of struggle with trying to put this kind of square peg in the round hole of having the FBI deal with it, I think. And where I think there's some space for our US government at least to be a little bit more creative about how do we handle this? How do we approach this in a different way?
00:54:33
Speaker
To add on this in terms of the challenges and then possible solutions, so certainly on the government side, as Holden talked about, there are such complexities and a lot of questions being asked in terms of how to handle this appropriately. We haven't talked yet in depth about what's going on inside companies. We refer to disgruntled employees, but a trend that concerns me is the level of job turnover that
00:54:56
Speaker
remarkably high levels we've seen, particularly with COVID-19 pandemic and what was referred to as the great resignation. But the level of turnover goes hand in hand with a lack of loyalty to your employer. Often we're seeing that individuals certainly of my generation are changing jobs every few years compared to those in my grandparents or parents generations who might have a job for life or only a couple of jobs for life. So part of it is also in the company's
00:55:26
Speaker
if they can instill a sense of trust in the company and employee satisfaction, then that's part of the mitigation strategy as well. But that's much easier said than done. I often tell my students that a government intelligence officer defecting to another country is a really big deal, but in the private sector, someone defecting from company A to company B is actually just business as usual. So given all of these limitations that we've talked about,
00:55:54
Speaker
that we don't have access to, as Holden mentioned, government level screening. We don't have access to a lot of these kind of protective measures. The legislation may not be up there.
Innovative Risk Management Approaches
00:56:05
Speaker
What are some of the more innovative ways that corporations can approach this problem?
00:56:11
Speaker
Something that I've seen that has some level of effectiveness is exercises where you map out what you would do. So mapping out the vulnerabilities, potential sources, as we've talked about, but also putting people in the shoes of
00:56:27
Speaker
the teams responding to a potential insider threat and I've been in a room of professionals from different companies that were doing this together and we were voting on the actions we would take in the situation and it went so very quickly where we were told okay the decision you made now your company's proprietary information has been leaked online.
00:56:46
Speaker
So really walking through that, that stuck with me of, okay, in that situation, these are the things I should have thought about before this crisis took place. So we talked about crisis simulation exercises. Unfortunately, in 2023, we've seen some cases of armed conflict breaking out with serious ramifications in Russia invading Ukraine. And now as we're speaking, there's another crisis unfolding in Israel. And
00:57:09
Speaker
Corporations, security teams, crisis management teams have tabletop exercises where they map this out, but this should be happening with cyber as well. And some companies are doing this and not necessarily the community can do this again, cross companies of really seeing, dancing. How does this play out? What are the potential source of vulnerability that could lead to this? And then what do we actually do in this situation? What are the ramifications?
00:57:33
Speaker
how do we do an after-action report and learn from it, because that's something else. I won't become a soapbox about that, but after-action reports are not always present in the private sector and the intelligence and security domain, and they're really, really important for patching vulnerabilities for risk mitigation going forward. So I would say that encouraging those types of scenarios, role-playing tabletops beforehand can be really helpful.
00:57:59
Speaker
No, I couldn't agree more. I mean, I think those are really helpful just getting people prepared when introducing the ideas, as Maria was saying, and then also kind of building that muscle memory about how do you deal with these situations. I also just even like go at a really fundamental level and trying to think about something that could have a cascading effect throughout the entire organization is kind of focusing on the cultural aspect of this.
00:58:21
Speaker
We touched on this a little earlier that in many ways, the security apparatus in the corporate world has been focused on a particular type of more incident-based, and this is really at a different level that they're facing. A lot of companies have made great strides in making these adjustments.
00:58:41
Speaker
But in my mind, it really comes down to some really fundamental things they could do on a cultural level. And it's just recognizing that security and what is really probably better termed risk management with regards to these new risks, it is an enterprise risk. It is not something that is just sort of for the security shop to deal with. And unfortunately, various historical reasons, it often gets handled, plugged there, and kept there when it actually has a much broader impact for the company.
00:59:10
Speaker
You know, it's called political risk and geopolitical risk or nation state risk. None of them are excellent terms for capturing what is the sort of a rise of newly sort of sophisticated and a huge number of groups that through technology and various types of ICT can reach out and touch you wherever you are in the world.
00:59:31
Speaker
because you have this massively expanded threat landscape, and it can affect everything within your corporation from your sensitive IP to your strategy, to your employees, their travel, and it appears in so many different areas, this is something that really has to kind of broaden almost at a board level and at the C-suite level, and then let it trickle down, where I think now it's sort of kind of coming up from the security shops and risk management shops up into the board.
Cultural Shift for New Risk Landscapes
00:59:57
Speaker
Getting that knowledge at that higher level that this is the new playing field that they've got to get used to. We've had almost 80 years of stability. Even if it was a cold war, there was stability to it. By all accounts, that's probably ending and maybe not to come back during any of our lifetimes.
01:00:16
Speaker
We can sort of bemoan that another time. But I think in getting the sort of businesses ready to navigate this, they need to understand that their world that they're going to have to function in is going to be a lot more volatile, a lot more chaotic, a lot more dangerous. They're going to have risks and threats pop up in all sorts of other places that can have an outsized impact from how they had before and really affect their livelihood going forward. And getting the sort of corporate apparatus to change its mindset, I think,
01:00:45
Speaker
It maybe sounds easy, but I think it's a cultural shift, and so it can take a lot of time. But that could help, I think, to prepare the rest of the organization for all the other changes that are necessary. So to round this out, Maria, and then Holden, our traditional question, what keeps you up at night?
01:01:01
Speaker
I'm looking forward to Holden's answer to this, but all wrote two things. One is a company spying on another company in a way that would destroy the trust in the private sector intelligence community, which I prize so much, which I think is key to tackling these challenges together. I mentioned, I find it remarkable how there's no competition in security and teams work with each other and
01:01:25
Speaker
I dread the day if we were to see or to find out that a team had spied on another team, for example, or a company on company in a way that would really undermine that trust, which is so special and also key to tackling these challenges. So that would be one thing.
01:01:43
Speaker
And then the second one is, I must play devil's advocate in terms of we've been talking about people as vulnerabilities in this mitigation. But ultimately, this is all about humans. And so I would lie awake worrying about a situation where we have that idea of zero trust architecture to the point where everyone's seen as a threat. And then employees don't feel trusted, valued by their companies. And ultimately, it's all about humans. So trust and satisfaction and loyalty can go a long way to
01:02:12
Speaker
mitigating. So I wouldn't want to get to the point where we're just going around seeing every human as a potential agent or asset of a foreign government or of another company spying on us. So trying to balance those two of having healthy skepticism and awareness of the vulnerabilities, but still trying to focus on human satisfaction, employee satisfaction.
01:02:36
Speaker
Yeah, that overcorrection can be really frightening, actually, if we now start to, probably doesn't do a whole lot of help to the idea of the Great Resignation. Who wants to work for a company that considers you a threat, that anytime you're just going to steal their information? Yeah, that's going to keep me up at night now. But to add to that, what are other things?
01:02:56
Speaker
We've talked a lot about the private sector side, and I think that's a really important part to it. But I think one thing that I'm really concerned about that's going to start in the government side, but have a huge impact, I think, on the private sector side.
01:03:13
Speaker
I don't want this to sound political, but I think all sides of the political spectrum in the United States could agree that our government seems a little less effective than it has been.
Government's Role and Global Instability
01:03:23
Speaker
I don't want to attribute that to all sorts of reasons, but at the very least, one of the reasons is I think that it is overwhelmed by, again, we talk about this expanded landscape of risks and threats that are out there.
01:03:36
Speaker
You know, if you really want to go conspiratorial, we've got, you know, Russia stoking a war in Ukraine right now, you've got Iran, at least appears to be fairly involved in stoking things with Hamas and possibly Hezbollah in the future against Israel, and then you've got China kind of doing the same, that's thankfully not too, um, it's staying away from, uh, kinetic conflict at this point, um, vis-a-vis Taiwan.
01:04:00
Speaker
You know, I need now is North Korea sort of lobbing some more missiles at Japan or at South Korea and you could have a very unstable situation just with those four. Couple that with this sort of number of countries that are, you know, having conflicts that be it from, you know, even between Serbia and Kosovo or just, you know, what's going on in Sudan. There's just a huge number of issues that are taking the attention of the US government. Why that's important for businesses, I think, is that as the
01:04:27
Speaker
That continues and I think it is going to continue and going to worsen the ability for the US government to provide that sort of backdrop or that protect the landscape to protect the playing field in which many corporations have become used to, that there are rules, that people are held accountable for things they've done when they violated a law and they've stolen something or they acted outside the boundary.
01:04:50
Speaker
That is going to become more and more difficult as the US is more and more distracted. And so businesses, I believe, are increasingly coming to this awareness, I think. But it's going to be a shock to many of them that what they thought was the normal way of doing things is going to become more and more difficult. And the onus is going to shift more and more to them. And they're going to have to get used to a very topsy-turvy world where they still have to abide by the rules.
01:05:18
Speaker
Because otherwise they're gonna face punishment by the US government, but you've got a whole lot of other competitors who are able to throw that proverbial or literal sack of cash into to get that deal to secure that market right or to set up a romantic relationship to get blackmail pictures of someone to ensure that they're the ones who get the mining contract and not their competitor.
Future Challenges for Corporations
01:05:42
Speaker
That's the future, and so, I mean, it's already playing out now, but I think it's gonna be much, much more pervasive. And so understanding how to navigate along that when you cannot operate like that and you've got FCPA and other types of constrictions on how you operate, that is gonna be a challenge for companies, and I worry there's gonna be a learning period for a few years where there's gonna be a lot of damage done. Well, Maria and Holden, thank you very much for joining us.
01:06:11
Speaker
Thank you, Lewis. Thank you, Colin. And thank you, Holden. This has been a real pleasure. Yes, thank you very much. It's great to talk with you, Maria and Lewis and Colin. So I'll do this again. You've been listening to How to Steal Corporate Secrets with Dr. Maria Robson Morrow and Holden Triplett. Our producer for this episode was Edwin Tran. Our researchers were Alex Smith, Edwin Tran, Colin Reed, and other members of the Encyclopedia Geopolitica team. To our audience, as always, thank you very much for listening.
01:06:41
Speaker
If you enjoyed this show, please consider checking out our other content at Encyclopedia Geopolitica. We'd also appreciate it if you could subscribe to the podcast, leave a review, or support us on Patreon. Thanks for listening.