With the FBI recently announcing that it opens a new China-related counterintelligence case every ten hours, American businesses increasingly find themselves at the epicenter of an international spy game once thought of as just for the CIA. In 2019 alone, the Commission on the Theft of American Intellectual Property estimated that the total theft of U.S. trade secrets accounted for anywhere from $180 to $540 billion annually, with China accounting for most of that theft. With years of expensive R&D on the line for U.S. companies, many of which have been hacked before, it is hard to fathom why so little attention is paid to counterintelligence and cybersecurity in business school, let alone other C-suite settings.
As September is National Insider Threat Awareness Month, there is no better time than the present to seriously reconsider how we educate America’s next generation of business leaders about these critical intelligence issues. As we wait on MBA programs to catch up to America’s new geopolitical reality, these are the three most important issues business schools, early-stage entrepreneurs, and even seasoned pros should consider as they protect their life’s work.
Soft skills AND software
Espionage is a people business and boils down to a person’s ability to effectively read a situation, identify potential vulnerabilities, and mitigate serious threats before they manifest themselves. For all of the time spent by business students and executives poring over spreadsheets and refining pitch decks, almost no time is spent teaching how to approach due diligence on potential investors, employees, or supply chains.
Business leaders cannot establish a strong counterintelligence mindset by simply reading a book or attending a conference. Developing this type of muscle memory requires weaving a nuanced framework into every course taught at b-school and beyond, whether it involves organizational behavior and finance or marketing and strategy. While business leaders are often taught to embrace an offensive, first-to-market mentality, a greater institutional and educational focus on defensive training is critical to their interactions with foreign suppliers, venture capitalists, and even government officials who are keen to learn about the “next big thing.” While the latest software or service offering can certainly help balance the scales in their favor, at the end of the day, and particularly when dealing with Chinese government-affiliated entities, “distrust but verify.”
Mr. and Mrs. Smith
Loose lips can sink more than ships. Employee screening and monitoring is typically an afterthought outsourced to human resources or consultants. In early-stage start-ups, these tasks often fall on the shoulders of overworked founders. Hundreds, and in some cases, thousands of dollars are spent onboarding a new employee, yet most businesses invest almost nothing in maintaining situational awareness of their workforce.
Nearly every time an insider threat has been successfully identified, there were clear signs that something was amiss. Erratic behavior, unexplained foreign travel, extravagant spending, working strange hours - these are all hallmarks of a potential insider threat. In far too many instances, these warning signs are ignored, often resulting in the compromise of sensitive information and the loss of millions, if not billions, of dollars. The solution to this challenge is not winning over employees with free food or dry-cleaning perks, but rather building robust systems to quickly and proactively identify and address these issues before they become a threat to the business.
Go Go Gadget
That revolutionary idea or algorithm can present itself in the blink of an eye - and be stolen just as quickly if stored in an unencrypted digital environment. In the modern era, information is currency. In many cases, what has been deleted can be restored. Teaching students and, perhaps more importantly, seasoned business executives the ins and outs of how new, user-friendly encryption platforms operate is essential to safeguarding a company’s intellectual property from foreign adversaries and competitors alike. Establishing stand-alone systems from the get-go is a great first step, but as former Cisco CEO John Chambers famously said - there are two types of companies: those that have been hacked and those that do not know it yet.
This dangerous reality is not an excuse to throw in the proverbial towel, but rather an opportunity to think creatively. Can you convince a foreign hacker they are breaking into your R&D network when, in fact, it is a decoy system or perhaps one populated with purposely altered schematics of your products? Denial and deception are tools of the trade in traditional espionage. There is no reason they shouldn’t be fair game in business as well.
We live in a time when an entrepreneur’s entire suite of intellectual property can be surreptitiously pilfered by a few lines of malicious code or a click of a mouse. As businesses face more threats every day, business schools must not only keep up, but get ahead of the curve to ensure our entrepreneurs are incorporating intelligence threats into their business plans.