The Business of Spying

A Canadian executive is having lunch at a posh Mexico City restaurant with executives from a company they are in discussions to acquire. They are joined by lawyers from both sides. The group sits at a table next to a window that affords them an ample view of the park.  In the days and hours running up to this meeting, lawyers and financial advisors have been working late nights.  Associates have been ordering take out. Hundreds if not thousands of draft pages of contracts have been printed, reviewed, red-lined, and redrafted. The cleaning staff has been disposing of documents – some have been shredded, many more have not. While this may be a fictional setting, it could easily be replayed in Shanghai, Sao Paulo, or New York.

Each one of these activities represents a signal in intelligence terms. If watched closely, it becomes clear that each signal is a piece of an intelligence puzzle that can be put together to provide a window into the moves a competitor may be planning to take. How does this corporate/competitive intelligence process work?

Few companies are autarkic. Most rely upon outside resources, including advisors and outsourced service providers. They are constantly sending and receiving information with the outside world. Consider how each piece of information in the example  above might generate competitive intelligence.

• Restaurant windows are easy to observe through.


• Waiters can be paid to tip-off interested parties.


• Investment bankers know who their competitor’s choice take-out provider might be.


• Law firms and their partners are often associated with their principal clients. (These relations may even be published on their websites.)


• Few companies really know the identities of their outsourced cleaning staff. These “invisible employees” may have access to as much information as the executives do.

To paraphrase the Roman philosopher Seneca, “Luck is preparation applied to opportunity”. Corporate intelligence is the preparation involved in looking for opportunities that can be leveraged to the corporation’s advantage, as well the effort to identify and preempt potential threats to the corporation.

Corporate or Competitive Intelligence is an activity carried out by companies all over the world, albeit using different labels and degrees of intensity, methods, and professionalism, with different results.

Every day, companies generate and transmit information into the market via media and marketing material, as well as at industry and customer meetings. Though some degree of penetration of these communications is inevitable, executives should be aware of the ways in which their company communications may be used to generate intelligence that can be used against them by their competitors.

Corporate Intelligence vs. Industrial Espionage, aka Spying

Espionage or spying is the best known part of the intelligence process, but it is only one step in the process – the collection step – and by definition, espionage is an activity reserved for the state. As a practitioner of corporate intelligence for almost 20 years, I have seen many legitimately-run operations fail because the C-Suite believed there was a black box or simple method for “collecting” aka stealing – information. It isn’t that simple. While industrial espionage is what gives corporate intelligence a “sexy” image, it is misleading and ultimately damaging to the legitimate activity of corporate intelligence.

Today, corporate intelligence is a business function that is carried out by most global companies. Similar to marketing or finance, such activities are carried out through well-developed departments, which often use a combination of in-house experts and external contractors. It has become an important cottage industry of individual professionals, many of whom have military, government, journalism, or business analysis backgrounds.

Strategic and Competitive Intelligence Professionals or SCIP is the international body which was formed in 1986 to provide members with a professional framework, including a code of ethics by which they should abide.

SCIP Code of Ethics for CI Professionals

• To continually strive to increase the recognition and respect of the profession.


• To comply with all applicable laws, domestic and international.


• To accurately disclose all relevant information, including one’s identity and organization, prior to all interviews.


• To avoid conflicts of interest in fulfilling one’s duties.


• To provide honest and realistic recommendations and conclusions in the execution of one’s duties.


• To promote this code of ethics within one’s company, with third-party contractors and within the entire profession.


• To faithfully adhere to and abide by one’s company policies, objectives and guidelines.

Corporate Intelligence Operations

Returning to Seneca’s maxim, a professionally run corporate intelligence operation takes tremendous preparation and is often more about the when than the what when it comes to legally developing intelligence. Let me explain.

Intelligence professionals understand that information never travels in a straight line. It zigzags from data point to data point in the form of processes, people, and places.

By creating a process and recruiting the right people to implement that process, and then correctly positioning both, a company can create a competitive advantage when the opportunity arises.

Process

Corporate or competitive intelligence is the continuous process for planning, collecting, analyzing, and reporting of information used to make business decisions. It’s not a one-time deal. The best results take weeks, months–sometimes years. Not days. The process cannot be set aside as a separate department–it must become an integral part of the corporate decision making process. Companies that understand this recognize that in order to remain competitive, channels must be created through which market intelligence can be continuously fed to decision makers within the C-Suite.

Profiting on Opportunities

For a company to profit from an opportunity, it must have an intelligence process that concentrates on the organization’s preferred outcomes. Competitive intelligence does exactly this by providing an analysis of the external environment that is focused upon the decisions the company wishes to make.

By staying attuned to the competitive forces in the surrounding environment, companies can profit from a potential opportunity, whether a potential change in regulations, the exit of a competitor from the market, or a misstep by a competitor.

One example that I have witnessed comes from the telecommunications industry. Within this ever-changing world of technology, it is important to keep a pulse on a competitor’s relations with their strategic suppliers because this can provide insight as to whether a company is going to be able to deliver its next generation of products on time or be able to react to shifts in demand. Monitoring whether a rival is current on payments and new orders can help predict their agility and operational conditions.

Early Warning

The “early warning” application of corporate intelligence is the use of information to aid a company in anticipating a competitor’s next move, a change in government regulations, or an impending industry disruption. Companies that are blind to their competitors, whether by willful ignorance or insufficient preparation, will never see a threat coming. Precisely for this reason, corporate intelligence managers must be free to question management assumptions regarding the relevant external forces.  

‘History teaches that the most potent competitors often emerge unexpectedly–from surprising sources and unanticipated circumstances.’ During the late 1990s, the Mexican state-owned petroleum company Pemex issued public tenders to modernize its refining operations. During this process, the stalwarts of the country’s engineering and construction industry, ICA and Bufete Industrial, focused their concerns on Mexican competitors. Unfortunately for them, their traditional competitors would not prove to be the problem. The real competitive threat did not publicly show its teeth until it was too late–by the time bid documents were opened, more than four billion dollars of contracts were awarded to two Korean companies, Sunkyong and Samsung, who a year earlier had been minor players in the market. It was the death nail for Bufete, which filed for bankruptcy shortly thereafter.

During the previous five years, these Korean companies had been gathering market intelligence. By carrying out small projects in Mexico they had gained a foothold in the market and had networked with potential suppliers and partners. All the early warning signs were there, but the other companies in Mexico didn’t take them seriously. They could have studied the Korean companies’ moves in other markets such as Latin America and the Middle East as their playbook didn’t change in Mexico.

People

Despite the “internet of things”, corporate intelligence still requires a strong human collection and analytical component. The intelligence collection and analysis process may be aided by web crawlers, visualization tools, and big data, however the most important results tend to come from humans paying attention to information coming from the least likely of places and times.

Generalists as well as industry specialists may be found within CI. CI collection can be organized into online researchers and field operatives well versed in the skills of elicitation (think Mata Hari but with an MBA), analysts, and the planners/managers. A seasoned CI manager is more of a quarterback, to coin Nolan, who described the function in football terms. She needs to be able to use many different skills and coordinate many different people to develop intelligence.

Typically, the Internet and other open sources should be scoured to best understand the company and the issue at hand. Then people should be identified who may possess the sought after information (perhaps a sales representative at a trade show or a scientist at a conference)-these are the “targets”. Finally, it is important to decide which human sources are best placed to ask the target the right questions in order to successfully elicit pieces of information. Collecting competitive information without knowing the industry jargon or looking conspicuous is a sure way of going home empty.

An effective analyst will then put together the pieces to develop the intelligence. Having trained dozens of such analysts, I would suggest that the most useful skills include an innate curiosity about how an industry works, spatial vision (what enables the analyst to see the puzzle through the pieces of collected information), and an elephant-like memory.

Places

Companies send teams of researchers, sales, and marketing staff to industry launches and conferences as well as governmental and academic forums. At these events, companies learn about changes in their competitive and regulatory arenas. At such events, social situation engineering to elicit information is business as usual. It’s quite likely that teams of company competitive analysts or their proxies (independent contractors) are dispatched to work the floor of the conference, exhibition halls, and cocktail circuits. It is at such events that information truly starts flowing, so savvy companies will be those prepared to collect intel from the moment of arrival, and to be targeted by the collection efforts of others.

The Cost of Industrial Espionage

The theft of information is a growing problem which affects companies as well as wider economies. In 2000, Thomas Donahue, President of the U.S. Chamber of Commerce stated that, “There is no challenge more ominous to Global business competitiveness than economic espionage. Espionage is a growing threat… estimated at $2 billion a month.”

The U.S. Chamber of Commerce estimated in 2008 that theft of industrial secrets cost $300 billion a year to American companies. This number is expected to continue growing. At the same time, estimates have companies spending $20 billion per year to protect themselves from the loss of trade secrets and privileged information.

According to the Federal Bureau of Investigation, as of June 2012, pending cases for industrial espionage represented $13 billion dollars of potential losses to the American economy. The largest case of economic espionage in FBI history was documented in a February 2012 indictment, in which several former employees of DuPont Corporation were charged with selling trade secrets to a Chinese state-owned competitor who sought information on the production of titanium dioxide, a white pigment used to color paper, plastics, and paint.  In its attempt to compete with DuPont Corporation for a share of the $12 billion annual market in titanium dioxide, the Chinese competitor involved five individuals and five companies to obtain trade secrets related to DuPont’s technology.

Defensive Competitive Intelligence

If companies are targeted for corporate intelligence, it follows logically that they must consider measures to protect their corporate secrets. In an “integrated business intelligence model” , you start by asking yourself what “nuggets of intel gold” you most want to know about your competitors products, people, plants, and technology. You do this because this is guaranteed to mirror what your competitors most want to know about your company and its secrets. Both military and business intelligence professionals consider this mirror effect in order to determine how their organizations might be at risk. The mirror effect thus forms a base for analyzing how to defend against threats.

Such analysis may lead a company to scrutinize the type of information it publishes via the web and through industry presentations and ask questions like, “who are our company gatekeepers? How well protected are they and, by extension, how the secrets they have access to? Does our company’s architecture strike an appropriate balance between openness and collaboration, and protection?

Some of the biggest cases of data breach or theft that have been kept out of the headlines have been due to actions taken or not taken by the company’s own employees. One of the biggest risks for companies originates from within. For some employees, the James Bond Mystique can be quite enticing. Companies can easily find themselves with staff who don’t consider or care about the loss of intellectual property or competitive damage such theft can inflict.

Alan Brill, a pioneer in the subject of the IT security, applied the phrase “the invisible employee” to reflect the new reality of business process outsourcing. Few companies know who their technology partners employ to operate their IT infrastructure and whether those companies rely on servers or code programmers in Monterrey or Bangalore. For this reason, it is vital to extend background checks to such operators even while they are employed by third parties.

The bank robber, Willie Sutton is famous for having said that he robbed banks “because that’s where the money is”. Information is currency. In most companies, vital information doesn’t sit in vaults or even in computers. It resides in the brains of its scientists, product developers, and CFOs.

I can recall an incident that occurred during the late 1980s at one of Canada’s Centres of Excellence, at which a Cuban biotech student had stolen an engineered bacteria which had potential applications for converting waste biomass into protein for animal feed. He thought the bacterium was the secret when in fact the greater intellectual property was the conversion process. The laboratory discovered the theft only after the student had returned to Havana and complained to his former lab supervisor that the bacteria did not work, and in fact had toxic effects on the animal subjects, and requested a sample of the good stuff.

Most companies aren’t so lucky–they end up finding out about a loss when it is too late.

Today, companies may find their human and information networks subjected to unlawful intrusion by competitors, governments, opposition activists, and their proxies (i.e. Anonymous). In some cases, this has to do with business interests wanting to get a leg up on a competitor, in others it could be a Robin Hood-like approach of “ends justifying the means”. Nuisance hackers are no longer just bored teenagers looking for a cyber-challenge. Some are tasked by faceless online agents to seek entry into specific networks and collect key competitive data.

Compliant Competitiveness

Despite the fact that the business and operating activities of most global companies are regulated wherever they do business, in emerging markets there exist sizable gaps between ethical and legal protections related to industrial espionage, both in theory and in practice.

Legal accountability lags considerably in many countries. For example, in Mexico, the rate of prosecution of trade secret violations is extremely low. Security experts report that although one out of ten companies in Mexico has suffered from industrial espionage, 97 per cent of cases go unpunished. Of the cases that are brought to authorities, only 56 per cent result in damages or fines.

In Russia, Part IV of the Civil Code provides general as well as specific protection of trade secrets and confidential information, including damages. However, given the very high levels of industrial espionage in that country as estimated by the U.S. government and intelligence agencies around the world, the actual protection afforded appears to be very weak.

Given the multiple public policy problems that many emerging countries face, it is unlikely that industrial espionage will rank highly among government priorities. Intellectual property protection is typically viewed as a matter of combating piracy in the music, film, and gaming industries – these are the subjects which gain attention.  Proving theft of company information or secrets requires specialized prosecutorial capabilities plus related forensics tools. Without such competencies, it would be very difficult to prosecute such cases successfully.

Western companies in many emerging markets may find themselves targets of aggressive industrial espionage techniques including wire-tapping, email hacking, and eavesdropping. The availability of equipment from the average spy enthusiast shop makes it easy for companies to use such methods against their rivals. These are but a few examples of the tools against which multinationals must take precautions in the many countries where legislative protection related to industrial espionage and intellectual property is wanting.

It is true that within many emerging markets, such practices are neither seriously regulated nor condoned, but we don’t even have to venture beyond North American to find reasons for caution. In recent months, allegations of state-sponsored hacking and espionage from China has contributed to a growing fear of the tactics that governments may use to advance their industry champions. As western companies compete on the world stage for investment projects and trade deals, they must prioritize the development of robust, global intelligence programs for identifying opportunities and threats to their business. The only way to do this successfully is to study and remain alert to their own vulnerabilities.

 “An army without secret agents is like a man without eyes and ears.”

       – Sun Tzu, The Art of War