Cipher Brief Expert Stephanie Douglas, former Executive Assistant Director (EAD) National Security Branch, FBI weighs in on the practical challenges that U.S. businesses face in securing their technological advantage.
The U.S. technology sector continues to be uniquely innovative compared to that of both our friends and adversaries in part, because the workforce is among the most diverse and most educated of any other countries’. It has access to stellar educational tools, global professional networks, and endless opportunities for continuing education. All of this makes the U.S. tech sector’s global pre-eminence a critical component of our national security.
National security experts agree that a strong and successful domestic economy is crucial to keeping our nation safe and having the upper hand in the development of super-fast processors, state of the art bio-tech devices, adaptive ways to generate and store energy are just a few examples of our leadership strength. While pursuing new innovation is important, protecting these technologies is imperative.
So how do you protect what’s critical when every day we hear about another technology falling victim to a malicious theft at the hands of either a current or former employee or contractor? The motive can be greed or revenge on the part of the individual and or the lure of a nation state actor, (usually China), as the motivation behind an individual’s actions.
While large, well-resourced companies can pursue civil and sometimes criminal actions against the individual, the loss of their key technology can be irreversibly devastating to a smaller company. To many in the technology sector, ideas and advancements happen so quickly, some loss is simply considered “the cost of doing business.” Tech employees often come and go and know well that their skills are in demand. Competitors are always on the lookout for those who have specific expertise and they are not afraid to court them, even in tightly knit tech communities. Adversaries take advantage of this as well.
While the world continues to become more connected, adversaries no longer have to work as hard as they previously did to exploit U.S. talent. Because there has been a consistent push for the U.S. to acquire necessary talent to maintain its capability in technology, it has successfully drawn world class engineers via legal immigration such as with the use of the H1B visa program. In an effort to access the talent directly, foreign entities are arriving in the U.S. in the form of research arms of foreign companies. With U.S. based research presence, foreign companies also take advantage of U.S. based talent by simply hiring them. Like other tech firms, they can use efforts to identify key employees in specific companies of interest and “recruit” the right people. These employees can bring with them at the very least, their expertise. The worst-case scenario, of course, is that the individual brings more than just experience but also details of previous work, including actual trade secrets or proprietary information.
Government agencies including the Department of Defense and the Federal Bureau of Investigation have active outreach efforts to the tech sector that are focused on identifying critical technologies and assisting companies to proactively protect them. Often, however, the government is unaware of the specifics around a technology until there is a notification of a theft or even a potential act of economic espionage. After the fact, it’s too late. For those companies who brave long and sometimes public litigation around the theft, it can have a devastating financial and reputational impact. For other less diverse companies, it can sometimes result in their dissolution.
While many tech companies have excellent interaction with national security components of the U.S. government and work tirelessly to protect key technologies, other tech firms still lack basic understanding. The tech sector cannot rely on the government to tell them what matters and what needs protection. Companies must be engaged in understanding their own risk around their technology, putting in place protections and educating their own employees. Technology firms routinely utilize non-disclosure agreements or employment agreements that lay out expectations of employees around the protection of critical, company information. While few employees read and/or take seriously the limitations of these agreements, fewer still business environments provide controls and structure to encourage compliance.
In less mature corporate environments, with fast-paced goals of new product launches and efforts to beat the competitors to the market, practical application of controls around critical information are routinely dismissed. Convenience and speed generally win out without much thought given to security. In spite of well-articulated agreements, some tech employees consider their ideas, their advancements and their inventions, even while in the employment of a company, their own. It is often in a detailed exit interview, if that happens, when the employee is reminded of his/her obligations to continue to protect company information that concerns arise. Sometimes this reckoning is when the employee is headed out the door to set up their own, sometimes similar business or walk across the street to a competitor. Some of these competitors are foreign businesses and some with nation state sponsors.
Companies can take actions to better protect their critical information as well as their employees. They can fully vet employees before offering them a position, looking for issues around integrity and compliance. They can provide security training and put into place an assortment of monitoring tools to identify anomalies and track employee interaction with sensitive information. They can administer layers of physical and logical security tools around critical technical information to make it harder to access without notice.
Today’s tech environment is exciting and will help the U.S. retain our status as the world’s innovator. However, we cannot rely on the government to know about, or protect technology’s next great invention. The tech sector must become more disciplined and engaged in the discussion around the reality of national security threats. While we need tech to be successful, tech needs to understand the responsibly that goes along with the rewards.