Who are the bad guys?
An increasingly significant part of our casework is in the area of OPSEC within the private sector. Left to their own devices, our clients tend to neglect and particularly misunderstand the area of operations security known as threat analysis, and, more specifically within it, the identification of specific adversaries. Clearly, in the government, where there are real spies, knowing who your enemy is of key importance, but how important is this to those of us in industry? Very, in fact, and for many of the same reasons! The First Law of OPSEC (thanks to the DOE/NV) says that if you don’t know the threat, how do you know what to protect? Although specific threats may vary from site to site or program to program, it is more important for employees to be aware of the universal actual and postulated threats . In any given situation, there is likely to be more than one adversary, and each may be interested in different information.
This is as true for industry as for government. You have many competitors and possible competitors. Each of them has a different interest in what you do. Each has different information they would like to have in order to further their goals. In addition, each of your competitors has a different corporate culture, and there are some that would not undertake illegal activities and some that would. In many industries you also have to be concerned about foreign governments that might be interested in stealing information about what you do, and have many fewer scruples than your industrial competitors.
Indeed, many governments will use all of their skills and technology to help acquire your technology for use by their domestic companies.
It is true that there are certain generic things that need to be done as part of the normal course of business. You need to be controlling access to your facilities. You need to be dealing with the kinds of disasters common to your industry and geography. You need to be protecting yourself from dishonest employees by doing pre-hiring background checks, and, in certain cases, continuing background checks. You need to be shredding documents that contain information of generic interest to your competitors. You need to be enforcing a policy of getting rid of old documents and information and data when it is no longer needed.
But these things primarily address what we might term generic incidents of opportunity, rather than specific threats. And, clearly, OPSEC will help you address these areas, which means that competitors who are serious about competitive intelligence, but not willing to cross the line to industrial espionage, will have been stopped.
But when it comes to specific threats from specific competitors, if you have not identified specific competitors who might – based on need, culture, and history – pose a specific threat, you are unlikely to be able to protect yourself from those who are willing to cross the line. Or at least to push it back a bit.
