Operational Security Part 6: The Spy
By Richard McEachin
When considering OPSEC it is wise to heed Confucius’s warning that “fine words and an insinuating appearance are seldom associated with true virtue.”
Sound OPSEC means restricting your security intelligence products to only those people who need them. Using two-factor authentication will make your computer networks much harder to penetrate. Isolating the security intelligence personnel, computers, networks, and documents from all but senior managers will limit the opposition’s espionage opportunities.
The opposition will first try to disrupt your intelligence efforts. If they suffer a defeat thanks to your security intelligence system, they will try to get information from within it to use against you — perhaps to engage in lawfare or an adverse PR campaign.
Most often, employees commit industrial espionage. In the U.S., employees account for 85 percent of industrial espionage, which inflicts losses of up to $100 billion per year. Most of this occurs through obtaining a physical document, disk, or password, rather than hacking. Furthermore, local contacts conduct over 80 percent of a foreign agent’s espionage. This local contact is usually a very naïve Canadian who is anxious to please his new friend.
Protestors and activists can use the same playbook
Foreign entities frequently influence and support protest movements and activists in Canada, and they sometimes provide operational guidance. Without this, the opposition can always rely on the Internet and books to tell them how to subvert people within a targeted company. The opposition will quickly learn to rely on the turncoat’s traditional motives, summarized by the acronym MICE, which stands for Money, Ideology, Compromise or Coercion, and Ego or Extortion.
Getting a spy into the right place at the right time is a difficult and time-consuming task. Subverting someone already in place is usually easier to accomplish. Make it difficult to identify anyone with access to the security intelligence information. Make it difficult to locate any information useful to the opposition. Coach those with access to recognize overtures by the opposition.
Once you deal with a threatening incident, destroy any superfluous source material and reports. Carefully distill the collected source material and reports down to a few key database entries or into one carefully worded report. After a major incident, it might also be wise to eliminate the ISP and VPNs used during online interactions. These precautions impose severe time and resource constraints on the opposition and help prevent them from finding anything about your past operations. They will discourage future attempts to spy on your security intelligence operations. They will also discourage exploratory litigation.
Protection from the Spy
The neophyte security person always wants to lock away all the company’s information. He does not understand that this will not work.
Only one thing thwarts the determined spy — the education of all employees about what, when, where and with whom they may share information. This builds a climate of integrity and responsibility, which should create loyal and security-conscious personnel who are comfortable with making suggestions to improve security.
Some information always leaks out. The true security professional prevents these scraps of information from forming an intelligible picture by limiting the information that exists in the company records and by strict control of its distribution. The professional will also restrict knowledge of which employee has access to what information. Combined with well-educated employees, these measures create a nearly insurmountable obstacle for the spy.
OPSEC is a balancing act. In the end, OPSEC has to work or the enterprise suffers. It can fail by revealing what should be hidden. It can fail by costing too much, thereby reducing profit. It can fail by being oppressive, thereby reducing the productivity of the process it protects. Confucius said it best: “To overshoot is as bad as to fall short.”
Richard B. McEachin is the principal of McEachin & Associates Ltd. (ConfidentialResource.com).