Spies among us: State-sponsored actors want to steal your sensitive
information and company culture is your best defense

Culturati Team
Culturati: Magazine
Dec 19, 2022

By Christian Ford, Partner at DLA Piper and Holden Triplett, Founder of Trenchcoat Advisors

Over the last few years national security experts have been sounding the alarm over state-sponsored actors looking to steal sensitive information — not just from aerospace and tech companies, but from companies across all industries. In response, many businesses have doubled down on internal surveillance and investigative programs, often ignoring the most impactful defense available to them: their company’s culture.

Simply described as the shared values, goals, and practices that define a particular organization, company culture is now one of the primary drivers of employee recruiting and retention. While security has traditionally been the responsibility of the Chief Security Officer and the Chief Information Security Officer, the severity of the threat is such that security awareness needs to be introduced and ingrained as part of a company’s culture. In short, the security business is now everyone’s business.

The recent joint statement of FBI Director Christopher Wray and Ken McCallum, Director General of the UK’s Security Service (popularly called MI5) is a case in point. It highlights both the growing state-sponsored threat to businesses and the need for businesses to take their security more seriously. The statement warned that even sophisticated businesspeople don’t realize the severity of the threat.

While such statements from national security and intelligence organizations have been increasingly frequent in recent years, even the lay person should start paying attention and begin taking these statements more seriously. To put this particular statement in perspective, it is the first joint statement by the FBI and MI5 ever. Despite the difficulty in coordinating such a statement, both organizations believed the effort was worth it to capture the public’s attention.

We highlight four takeaways from this historic joint announcement.

1. Government security agencies can no longer protect businesses from state-sponsored economic theft

The joint statement is an implicit admission by both governments that they can no longer protect private businesses from state-sponsored intellectual property theft. The threat has become too complex and pervasive for either organization to address alone. Consequently, this statement was necessary to alert the business community to the fact that companies must now take increased responsibility for protecting their intellectual property.

2. State-sponsored theft of sensitive information from private companies is perpetrated by more than one country

The state-sponsored theft of sensitive information, particularly intellectual property including trade secrets, is not perpetrated by just one country. A multitude of countries have realized both the ease and near total impunity with which they have been able to steal valuable assets from businesses.

The class of assets targeted, of course, includes not just sensitive and cutting-edge technology, but also a whole host of other assets, such as key employees and customer data.

3. Cyber is not the only method nation-states use to steal sensitive information from the private sector (even though cyber gets the most attention)

As many businesses begin focusing on the potential theft of their intellectual property and confidential data, they often focus on cyber intrusions, even seeing them as the only avenue for such an attack. Unfortunately, cyber intrusions are just one method sophisticated nation-states (and their criminal proxies) may use to steal important information. Recent criminal prosecutions by the Department of Justice have shown that nation-states have also enlisted the help of insiders such as company employees to steal intellectual property from their respective employers.

That is why businesses should take a number of measures, beyond cybersecurity, to protect themselves by creating a strong set of values, including loyalty. In the fight to secure business assets, employees are essential. A well-placed employee can evade any physical or cybersecurity program protections. Nation-states will seek to exploit employees to get information they need. Businesses should consider how they can best educate their employees to protect the company and the employees themselves from outside exploitation. If these steps are not taken, businesses risk leaving themselves enormously vulnerable.

4. What companies can do: be proactive, not reactive

There are several additional steps companies can take to minimize the risk of state-sponsored theft of intellectual property and sensitive information.

First, companies need to have procedures in place to clearly identify and mark proprietary information. These markings are important to ensure that anyone who has access to the information is on notice that the information is proprietary and correspondingly, that a company has made efforts to protect the information.

Second, information identified as trade secret or proprietary has to be properly stored, with controls on employee access and sharing. These controls can include locked rooms with limited access, nondisclosure or confidentiality agreements, and document destruction procedures.

Third, employees should receive training not just in cybersecurity and cyber awareness, but also in detecting anomalies that indicate a potential insider threat. This should include establishing procedures for reporting anomalies to the appropriate individuals within an organization.

These steps are meant to be preventive. Unfortunately, typical risk management programs these days tend to take a reactive approach and only emphasize what should be done after an incursion, to detect a loss or an attack. Few are looking at how to prevent such a loss in the first place or limit the damage of a potential loss in the future. Taking a holistic approach to this complex and pervasive challenge will not only protect your most important assets better but will preserve your options and limit your damage in the unfortunate case that you suffer a loss.

In addition to the above steps, businesses should endeavor to create a security-focused company culture, ensuring it is embraced by the most junior employees and senior executives alike. This culture should rest on trust among employees, a sense of a common mission that is worth protecting, and a level of knowledge and awareness across a company that gives employees the tools they need to properly respond to potential issues in the workplace (particularly those that touch on the threat highlighted by the FBI and UK’s Security Service above). Creating an environment where your employees are aware of the security risks and are seen — and see themselves — as an essential part of the company’s protection provides the best defense.

Christian Ford is a partner in the global law firm DLA Piper. He represents U.S. and non-U.S. corporations and individuals in government investigations and advises on regulatory compliance and national security matters.

Prior to joining DLA Piper, Christian served as a federal prosecutor and senior official in the U.S. Department of Justice. As a trial attorney in the Department of Justice’s Counterintelligence and Export Control Section, Christian managed complex cross-border investigations spanning numerous countries and involving large multinational corporations, as well as U.S. and non-U.S. individuals. His investigations focused on a wide range of violations, both civil and criminal, including economic sanctions and export controls, theft of trade secrets, money laundering, insider threats, and cyber intrusions. Christian was also a Deputy Assistant Attorney General in the Office of Legal Policy (OLP), where he managed national security and crime prevention portfolios.

Prior to joining the Department of Justice, Christian was an Associate Deputy General Counsel at the Department of Defense, where he advised on complex national security litigation.

Christian is also a veteran and former Navy SEAL.

Holden Triplett has extensive international and domestic experience in national security and intelligence matters, especially with respect to their impact on businesses and private enterprises. In addition to his work at Trenchcoat, Holden is an adjunct professor at Georgetown University’s Walsh School of Foreign Service, where he teaches a course on Chinese Intelligence, Security and Influence.

Holden left the FBI in mid-2020, after almost 15 years of service. In his last position, Holden was the FBI Faculty Chair at the National Intelligence University where he taught courses in Counterintelligence, National Security Law and Intelligence, and Chinese Intelligence and Information Warfare.

In 2017, Holden was designated the Director for Counterintelligence at the National Security Council. While at the White House, he led the development of counterintelligence policy for the United States, drafting Presidential Directives and legislation to protect the U.S. government and the private sector from exploitation by foreign governments.

Holden has substantial overseas experience. He served as the FBI’s senior official in the People’s Republic of China from 2014–2017. During his time in Beijing, Holden was the primary U.S. interlocutor with the Chinese security services on a number of cyber intrusion and economic espionage matters involving U.S. companies. Immediately prior, he was an FBI representative to the Russian Federation in Moscow for two years, where he engaged with the Russian security and intelligence services. Following the Boston Marathon bombing, Holden persuaded Russian security services to provide wide-ranging investigative support to the FBI. He conducted joint activities in Dagestan and other locations in the Caucasus. Holden previously served as the FBI representative to the Joint Task Force on Terrorism Financing in Riyadh, Saudi Arabia in 2008.

Earlier in his career, Holden was assigned to the FBI’s New York City office. In New York, Holden gained significant national security and intelligence experience, conducting sensitive investigations and enforcing over 300 federal statutes. In addition, he successfully led an effort to enhance the office’s intelligence capabilities. Later, Holden managed a counterintelligence team of special agents, intelligence analysts, forensic accountants, and linguists dedicated to protecting the United States from a national security threat country.

Before joining the FBI, Holden worked as a project finance and renewable energy attorney at private law firms in California. He has a J.D. from the University of California, Berkeley where he was a FLAS fellow. His B.A. is in Philosophy and Russian Literature from the University of Texas, Austin where he was elected to Phi Beta Kappa. He is conversant in Chinese and Russian.
