7
Information and Economic Security

When we practice economic intelligence, we are soon struck by the ease with which information about competitors can be acquired. It is usually available to anyone who knows how to look for it, understand it, and imagine or anticipate their adversary’s reactions in order to take competitive advantage from it. We therefore understand why security has become one of the three main domains of economic intelligence. While everything within legal limits is being done to learn about competitors, competitors must likewise do all they can to prevent others from learning about them to create a disequilibrium in their favor. This is all the more important as, in the hyper-competitive environment that characterizes today’s markets, some firms do not hesitate to turn to illicit means to find what they are looking for. To this can be added the detection of attempts to influence public opinion, given that the more time has passed, the more power a rumor has and the more it becomes a virtual reality believed by more people. We must now add, in cybersecurity, means of protection against all kinds of attack; these are becoming more and more costly and are becoming the foremost source of losses in business. For all these reasons, although some managers do not understand this, it is vital to take account of security problems and to tackle them, as a business that cannot protect itself is destined to fail over time.

7.1. Security

7.1.1. Physical security

Ensuring the security of a business’ assets is an activity that covers many, very different sectors, from patents, internet sites or software to employees, whether on or offsite. The target must be protected from incidents, accidents or attacks, which can occur at any moment. With time, both businesses and citizens have learned to protect themselves using insurance [CHA 17, LOW 17] which, unlike using regulations for online protection, guarantees that losses, damage and potential physical impact will be reimbursed. Today, it is the best means of reducing risk and facing the unexpected, but nevertheless, this does not eliminate risk. Although insurance coverage is very broad, it does not cover everything and leaves elements of important activities uncovered. This is why we must try to identify all potential risks, to see they are covered and suggest measures to secure what we already have. Beyond the compensation or reimbursement of a loss, it is better to avoid the incident happening at all by evaluating risks, monitoring the controls required and implementing the necessary maintenance, renewal or training operations.

Moreover, materials, tools and technologies are changing with time. In previous eras, surveillance in factories was ensured by overseers making rounds onsite at a more or less regular pace. These low-skilled jobs are declining, as they are being replaced by cameras placed in strategic places, which make it possible to see instantly and remotely, or indeed by robots who make the same journey at random, noting anything that is atypical (odor, light, noise, movement, etc.). There will therefore be a gradual decrease in the number of guardians, but, at the same time, we will experience a growing need for qualified personnel to direct the robots, or ensure surveillance via cameras. After having identified the tools of the future, our problem is therefore to train operators in advance so that they are able to run them in new jobs.

7.1.2. Security, personnel and visitors

Beyond sites’ material security, physical security demands particular attention to the movement of personnel. Many problems arise as a result of failure to monitor personnel and visitors when they arrive or leave or as they move around sites. These problems are treated differently once they have become well-defined.

When they arrive, it is necessary to identify people who are really part of the business and move them through the site as quickly as possible. For employees, there has been a shift from badges to electronic contact tags that open doors, and we are reaching remote identification systems that remove the need to stop individuals [COH 16]. However, there is a need to stop and identify visitors and put them in touch with their counterparts on site, as they are a real source of risk. For them, monitoring means creating a temporary badge for the duration of the visit, which can easily be identified and can restrict access to a selected part of the site. This is especially true in research and production sites where the movement of unfamiliar people in some zones can be damaging to overall security. This problem of human security is even more significant since badges no longer offer the best protection. In the past, the badge seemed effective, but it is not enough today: a card without a photo or other means of identification that lets a person verify its holder during checks is no longer useful. A badge may have been borrowed, misused or stolen to carry out malicious acts or demonstrations, as we saw when Greenpeace [MEY 17] entered a French nuclear power plant. Badges or identification systems should be arranged so that they cannot be used by other people without their knowledge.

To be convincing, we recall that it is enough to add a specific photo to the Vitale (French social security) card, for example, to significantly reduce social security fraud by rendering it no longer possible to share the card between family or friends.

New identification software [COH 16] from Israel and the United States will revolutionize the way we address this problem. After fingerprint recognition, which remains standard for the police even though it is now possible to manufacture fake fingerprints, or iris recognition, which is more complex and slower, but very effective, we are now moving towards identification by gait, that is, by the way a person walks.

As you walk, a classic CCTV camera films you and sends data to software that compares you with stock images. As everyone walks in a different way, the system is very effective once it has data about an individual, or once the way they walk has been identified, even if they conceal their figure or change their clothing. There is no doubt that this new technology will soon be in place and that it will aid the fight against terrorism and organized crime.

As for monitoring sites, individuals will be recognized by their walk when approaching check points. If the individual passes, the door will open automatically, while it will remain closed for others, forcing them to enter via reception. In some businesses, the latest recognition software of this kind uses “Google Glass” type glasses for surveillance, on which the name of the employee appears as they approach. All this happens in real time and will disrupt norms in physical security.

As soon as contact is no longer required for identification, surveillance is facilitated and effectiveness increased. In sensitive sites and in all sites with real security, from when you enter to when you leave, someone will know who you are and which area you are in. Similarly, if someone enters empty handed and leaves with a parcel, this will be noted by computer and will trigger a calculated reaction depending on the procedures in place. Inside leading companies and expert firms, there are protected zones where unauthorized individuals should not be allowed to enter. Badges restricting access to some spaces already make this type of protection possible; contactless identification, paired with traffic and monitoring software, will make it seamless by opening doors automatically and raising automatic warnings when a visitor enters a forbidden zone.

At this stage, we must consider legal CNIL (French National Commission for Data Processing and Liberties) obligations [CNI 17] to avoid attacks on personal liberties, but also security requirements for the activity. Monitoring traffic within the business from one point to another or keeping an individual in a confined place may be seen as a restriction on employees’ freedom, as the contactless badge system makes it possible to identify them individually in the same way as visitors. It is therefore necessary at the outset to negotiate with social partners to decide the limits for monitoring each category, making them understand that it is not a case of monitoring personnel, but of detecting individuals who have no reason to be there or who are behaving suspiciously. The risk of industrial espionage, which is growing in parallel with an activity’s sensitivity, is not a myth.

Everyone has heard tales of visitors from very competitive countries who always need to go to the toilet, always using toilets furthest from the rest of the group.

We should always ensure that visitors are accompanied from arrival to departure and that they are forbidden to move around alone. This will arise from a state of mind which the business’ personnel should hold with conviction, as security depends on them being motivated. If employees understand that any information that moves outside the business will jeopardize the business, their legacy and their future employment, they will make the effort required. There is therefore real work to be done in raising awareness and training so that each employee understands that security is everyone’s responsibility.

In material security, making it possible voluntarily or involuntarily for others to understand the technologies and machines used, or internal tricks and expertise, means voluntarily or involuntarily ceding competitive advantage to your competitors. This may be your loss.

To give a very simple example, let us take a new bakery that wishes to compete with another that has more clients. They will begin using classic research: what does it produce, what does it sell, what are its prices, who are its employees, what does it put in its window, etc. The new bakery will accumulate information to be similar to the popular bakery. If this does not work, it is without doubt because the new bakery’s products are not as good. It is therefore necessary to look at the ingredients it buys, by noting what is delivered at 5 am: flour, dried fruit, cream, yeast, etc. If this is not enough to make things equal, it is because the popular bakery makes their products in a better way: the new bakery needs to know their expertise. Some might therefore imagine having recourse to a work-experience student or an apprentice in the popular bakery to know how long it takes for the dough to rise, the temperature of the oven, etc.

This makes it possible to draw attention to the instance of apprentices or work-experience students. They need to do work experience for their training and they need help to do this. But at the level of security and whatever the type of business, they should sign a confidentiality agreement specifying that information sent to their teachers about the work experience should remain entirely confidential, under threat of legal sanctions.

To complete your information, you should know that over the years, one or two Internet sites have been created that sell reports from work experience students at prices ranging from a few euros to a few million euros. After they have written their report, some students think it a good idea to sell it to the highest bidder, knowing that depending on the place and type of work experience, this could benefit organizations that are not always well-intentioned.

Everyone should be aware that it is not only large businesses who have security problems. It is a state of mind that should be established in everyone since, from bakeries to Renault, this type of failure can be very expensive. When we employ work-experience students, when we have professional visitors, when the doors are open, when we use sub-contractors, or when we employ experts or consulting firms, we should be aware that some of them may be competitors who will look, take photos and retain secrets belonging to the business, etc. Certainly, this is forbidden by law, as there is no right to sell information obtained by these means, but espionage is unfortunately a reality. Real life is not as pleasant as what we see in the world of Care Bears on television. Some shareholders and leaders, at home and abroad, have such a desire to succeed that they do not hesitate to go beyond legal limits to rise more quickly despite surveillance by police. The latest statistics on general information published on this topic before its disappearance indicated that 60% of attacks on businesses in France were carried out by French citizens against French businesses.

7.1.3. Security of immaterial goods

We know how to account for factories, land, machines, products and financial capital considered when valuing the business. It is secured with the aid of insurance. But the report by Jouyet Levy [LEV 06] showed that this material valuation is not representative of the business’ true value, as immaterial possessions should have been added since these form a growing part of it. Patents, customer files, logistics distribution networks and the business’ image, to cite only a few of these effects, form an integral part of the business’ real value. Defending them first means being aware of them and properly identifying them. This is why security is above all a general state of mind.

A sub-contracted provider should, for the best quality/price ratio, ensure consistent quality and seamless supply. Creating a network of providers meeting these criteria has a market value, as it takes time to form and secure it. The logic behind managing buying does not go the same way. It is focused on price and wants the least-cost solution, but this requires taking security risks with supplies, with quality, which may decline, and with meeting expectations from the business’ own clients. Judging only from results on price, the buyer transfers their sector risk onto the whole business. Experience shows that, in most cases, this is true for all the business’ technologies and all its activities.

To guarantee the security of intangible assets, we must be aware and keep our eyes and ears open and collect all possible useful information. This has become even more difficult, as we have shifted from businesses working in closed circuit to businesses with increasing numbers of sub-contractors, to obtain maximum efficiency across all domains with the best service at the best price. Indeed, any change presents a risk that must be checked and explored in more depth if necessary.

In the domain of business security, we often forget the possibility that we may find ourselves in a major crisis. We must integrate into our consideration a way of managing crises and of preparing ourselves through repeat exercises. The problem is relatively simple if we are facing a fire, where insurance will play a role in security at structural as well as at financial level. But there are other crises in the domain of intangible goods for which responses have not been thought of, as no one has reflected on them. If someone steals your customer files, if you lose your sub-contractors upstream, if you are the victim of blackmail, then you have a problem for which possible solutions have probably not been thought through even though the problem puts the business itself in danger.

Two years ago, a con developed involving income tax and benefits for directors and upper managers. You receive a message from the manager responsible for tax stating that you are owed money due to over-payment. To make the reimbursement, the message sender requires your credit card details and code. A simple way of avoiding the con was to check the name of the Internet address by looking up “details”. Instead of the tax service, one would have seen a xyhsd.com type address showing that you were witnessing credit card fraud from the “dark web” [UPA 16]. Unfortunately, many people were caught up in the scam, which harmed the ministry and the service’s image at a time when citizens were being encouraged to make their tax declarations online.
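The check described above, comparing who a message claims to come from with the domain it was really sent from, can be automated on a mail gateway. The following Python sketch is an added example, not material from the original chapter; the domain `tax.example.gov`, the keyword list and the sample messages are constructed assumptions, and the Reply-To comparison goes slightly beyond the check the text describes.

```python
"""Sender-address check for refund-style phishing (added example)."""
from email import message_from_string
from email.utils import parseaddr

# Assumption: organisations the recipient expects mail from, mapped to the
# domains they really send from. "tax.example.gov" is a placeholder.
EXPECTED_DOMAINS = {"tax service": {"tax.example.gov"}}

# Phrases asking for what the scam described above asks for (constructed list).
CARD_REQUESTS = ("card number", "card details", "security code")


def address_domain(header_value):
    """Return the lower-cased domain of the address in a From/Reply-To header."""
    _, address = parseaddr(header_value or "")
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower().rstrip(".")


def belongs_to(domain, allowed):
    """True if domain is an allowed domain or a subdomain of one.

    Matching on the right-hand end defeats look-alikes such as
    tax.example.gov.xyhsd.com, where the trusted name is only a prefix.
    """
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def check_message(raw):
    """Return a list of finding codes for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = address_domain(msg.get("From"))
    findings = []

    # 1. The display name claims an organisation the address does not belong to.
    for org, domains in EXPECTED_DOMAINS.items():
        if org in display_name.lower() and not belongs_to(from_domain, domains):
            findings.append("sender-mismatch")

    # 2. Replies would go to a different domain than the visible sender.
    reply_domain = address_domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")

    # 3. The body asks for card data, which a tax refund never requires.
    body = " ".join(
        (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for part in msg.walk()
        if not part.is_multipart()
    ).lower()
    if any(phrase in body for phrase in CARD_REQUESTS):
        findings.append("asks-for-card-data")
    return findings


# Constructed sample messages. "xyhsd.com" is the illustrative address type
# quoted in the text above.
PHISH = (
    'From: "Tax Service Refunds" <refunds@xyhsd.com>\n'
    "Subject: Refund due to over-payment\n"
    "\n"
    "You are owed money. Reply with your card details and security code.\n"
)
LOOKALIKE = (
    'From: "Tax Service" <noreply@tax.example.gov.xyhsd.com>\n'
    "Reply-To: refunds@xyhsd.com\n"
    "Subject: Action required\n"
    "\n"
    "Please confirm your bank information.\n"
)
GENUINE = (
    'From: "Tax Service" <noreply@mail.tax.example.gov>\n'
    "Subject: Your statement\n"
    "\n"
    "Your statement is available in your online account.\n"
)

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("lookalike", LOOKALIKE), ("genuine", GENUINE)):
        print(name, check_message(raw))
```
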

Considering the growing value of information owned by organizations and individuals, all businesses should take an interest in defending it by creating a hierarchy of the perceived benefit and value of everything that is not classically counted as the business’ property. Each element has the potential to benefit somebody for technical or financial reasons, or to benefit clientele, etc. What are the most interesting areas for your potential competitors? They must be identified so that you can protect them as well as possible by adopting responses to problems. The main problem arises from the weakness of French law in the face of these kinds of attacks. We live in a country where everything physical and material is well protected, while intangible goods are not, aside from forgery and patents. This lack of protection for intangible goods through the absence of a law adapted to these new realities poses an elementary problem that has still not been solved despite the existence of reports containing a number of suggestions, such as the one by the solicitor general, Marc Robert [ROB 14].

How do we defend this intangible property, which we know to be poorly protected by our laws? In the expectation of a much-anticipated change, it will be necessary to protect ourselves by applying rules on secrecy, as practiced by the military: professional secrecy, correspondence secrecy, etc., as well as professional mechanisms specified for business secrecy. Theoretically in French law, citizens’ personal data is protected. But, in the context of Internet applications on smartphones, we voluntarily authorize application providers to use our personal data and our information. This is generally the case with our data on Facebook, Twitter, LinkedIn, etc. It is still true for Fnac, Amazon, etc. which, moreover, can resell it for example to travel agencies. France is therefore facing a real problem: the opposition between the French viewpoint, which aims to protect the individual, and the view current in the English-speaking world, by which any data leaving your computer can be sold by whoever holds it. It must be recognized that this is leading us toward contradictory behaviors: on the one hand, personal information can be protected, but on the other, it is freely given to users with the consequence that there are restrictions on our individual freedom to which we have freely consented. This will increase in future and will pose a fundamental problem beyond the level of the individual. We provide our life story on Facebook by talking about our business and our work; when we talk on specialist forums, we give our own information to the business and this will be collected and passed through a diverse range of hands. This will be very difficult to manage. It will be necessary to find solutions that consider both the reality of the market and our behavior, given that the French Civil Code protects our personal information so long as we do not share it.

7.2. Disinformation and image management

Attacks on the business and its image come in most cases from outside, but there may also be problems coming from within [KIM 10]. This is why internal and external communication must be controlled, given that the one can impact the other and vice versa. Today, with whistle-blowers and firms specializing in fake news, rumors can start from inside or outside the business. They can create a negative image for you, for example that “your product is toxic”, which you will not be able to dispel. Experience shows that you must respond immediately, as it can be fatal for the business. The simplicity of the arguments or image used by attackers seems primary and without real risk, but in reality, it is very difficult to manage as time passes. What happened in Europe with sun protection products more than 20 years ago is very instructive.

At this time, Bergasol [PAR 97] was the flagship product for avoiding sunburn. This sun protection product was used throughout Europe, when a competitor who had not managed to break through the market started a rumor that Bergasol contained a carcinogenic extract of bergamot. NGOs amplified the rumor by confirming the danger and, under pressure, Brussels decided that products containing bergamot had to be outlawed across Europe. Thus, the European leader was destroyed in three years without any real basis, since the amount of Bergasol you would have to use before negative effects appeared was a liter per day for at least 10 years. It was therefore a medical absurdity, relying on what was yet to become the precautionary principle, yet it worked, to the delight of competitors.

From the work of Jean-Noël Kapferer [KAP 13], we know that rumors should not be ignored, as they can be fatal.

When Airbus created the ATR for medium-haul flight connections, there was excess icing on the wings during a test flight to test the plane’s behavior. There was an accident and all Airbus’ competitors then launched a global campaign saying that the plane was not viable. Even though the ATR has been demonstrated as having proven security, this rumor followed it for years.

In general, when this sort of attack begins, the business has difficulty believing it, since the alleged facts are inaccurate, based only partly on reality, or have been taken out of context. But this is not the problem. The real question is knowing whether the public or professionals will take this information seriously or whether they will reject it. What will happen over the long term, given that the longer false information remains available, the more power it has? Media pressure changes the virtual world into a strong virtual reality.

Today, rumors can be even stronger with e-reputation. Information posted on the Internet by a site or by social networks spreads all the more quickly, as it seems credible. Taken up by individuals who repeat it to others in their networks, the information circulates very quickly; it takes five days to a week for the whole of France to be aware of it. Moreover, according to an IFOP poll from 2014, seven out of ten French citizens who receive a message from someone they know in good faith believe that it is true. Only three ask if it is serious or credible.

The halting of serious strikes by TGV (French high-speed rail service) conductors in 2016 is a good example of this. A folder of slides circulating via the Internet mentioned their living conditions and gave a breakdown of their salaries, emphasizing their privileges. Among the first images seen: the bedtime bonus and a speck bonus (created in 1880 for steam train conductors and drivers filling the coal furnace, which led to health problems). This shocked users, as this bonus was no longer justified for a TGV conductor. There was a whole series of details of this kind, which led passengers to react violently, since there were even physical pressures, and conductors halted a strike that was becoming more and more unpopular.

Thus, the publication of tendentious information made it possible to change user opinions about a subset of railway employees with almost immediate effect. Today, we see it is possible to destabilize or destroy a product or business in the same way.

When Germany decided to produce a small Mercedes to be located on the “city car” niche, a YouTube film was shown, showing it to be very unstable and showing it overturning when turning corners. In reality, this was an entirely normal internal test film on kinetic balance, but its spread at the hands of fellow car-makers or journalists led the business to defer the launch for nearly a year.

7.3. Pressure groups and NGOs

After image and notoriety, it is disinformation and false information that require the business and its environment to be secured, and we should not forget the role of modern pressure groups, which are successfully replacing most lobbying structures without repeating their constraints. Today, the communication of information is skewed by a newcomer, who is changing the rules of the game by taking leave of reality to rely on emotions. It is mastering social networks perfectly: NGOs [BET 01]. Initially, it was willingly believed that these pure-minded, humanitarian and ecological organizations were obsessed with safe-guarding the planet and its fundamental values. Then the report from the Prometheus foundation [FON 16] was discovered, stating that 70% of NGOs were financed by businesses or states to defend their interests indirectly using messages that benefitted them. Practicing economic intelligence, we must therefore ask ourselves this question each time: does the NGO have integrity and does it deserve to be heard, or is this an organization financed or led externally which is manipulating us?

When the United States were caught engaging in corruption in Europe around the 1980s with the discovery that Northrop Grumman [STE 90] had manipulated European personalities, including a French general, to sell their fighter planes, this created a scandal on a global level. They reacted immediately by launching, directly or indirectly, a counter-attack involving an anti-corruption system based on an OECD convention signed by 30 countries, an NGO to combat corruption (Transparency International) and an NGO for monitoring intermediaries (TRACE [TRA 17]) and internally, the adoption of the Foreign Corrupt Practices Act [WIK 18g], which is extraterritorial. At the same time, they put in place a different system for aiding other countries, based on the use of foundations to protect their businesses.

When the French wished to sell Rafale to Singapore, they had every chance of success, as it had been tested locally by experts from the country and judged to be better than other, competing planes: the F-16, the Sukhoi and the Eurofighter. Nonetheless, France lost and the United States won, despite being ranked third. What happened? There was no direct corruption, but an American official went to Singapore’s management team to explain that they had a stopover problem for their fleet in Southeast Asia. They needed a deep-water port, because airplanes cannot take off from aircraft carriers at the docks and they also needed a nearby airdrome. They therefore suggested building a port for their large aircraft carriers at the expense of the United States as well as enlarging the airport. Then, by coincidence of course, it was the American planes that won the deal. Similar elements were found in Morocco since the buying of planes was accompanied by the installation of an American command center for Africa and a very large donation to support literacy for rural populations.

As far as the neutrality of NGOs is concerned, a good example is provided by Transparency International [BAL 09], which showed its partiality when the English manipulated Saudi Arabia, in the generally corrupt Al Yamamah contract [WIK 18a]. At the time, it was considered the largest-scale instance of corruption in the world in view of the size of all kinds of redistribution; sumptuous commissions were destined for some intermediaries, going as far as providing Boeings equipped with bathrooms with gold faucets. Everyone knew that the English groups had implemented structured corruption, but when the British justice system wished to investigate, the Prime Minister Tony Blair had the affair closed for reasons of state. In the face of this scandalous denial of justice, it might have been thought that the ranking of countries depending on their levels of corruption created by Transparency International would have changed. This did not happen and the United Kingdom remained in the leading group of clean countries along with the United States while France lagged far behind. Faced with these kinds of practices, it would be desirable for Transparency International to publish, annually, all the specific criteria used for ranking countries. In the same vein, when the law on business secrecy was voted on in Brussels, we saw Transparency International appear in lobbies fighting against this project; its suggestions aimed to prevent any European move towards greater protection for industrial activity.

Besides NGOs who are legally endorsed but whose approaches should be checked, including their origin, financing methods and real governance, there are other, more or less violent means of pressure that will attack a business frontally or indirectly, or will attack a particular aspect of it, ranging from the head of the business to the product, via social media or image. Black blocs [WIK 18b], anarchists or libertarians, will not hesitate to attack a company or type of product to which they object, potentially going so far as to destroy the site or its environment internally or externally. This is still not the case in France, but England, for example, has already seen the destruction of laboratories in the name of protecting animals.

These illegal means of pressure will spread in the coming years and we will need to be ready to confront them and decode these actions by anticipating them, all the more so as they can, on a legal level, be carried out by NGOs who do not always have a global view of the problem.

If we take the example of land mines, which are a scourge of populations in former combat zones, NGOs and other pressure groups have allied to denounce, rightly, the use and manufacture of land mines. This has led European armament industries to stop their manufacture and banks to stop financing them under pressure from public opinion. The problem is that the United States, China and Russia, who did not sign the international Ottawa convention in 1997, still manufacture and sell land mines.

Moral and virtuous actions in fact lead to a distortion of competition. There are many other examples of this kind, which are leading to the closure of entire business sectors in many countries, while others are continuing to develop them.

Take the case of tax havens; many of our fellow citizens are shocked by their practices and use. It is true that the press and television have taken responsibility for reminding us how much our States are penalized fiscally and economically when tax havens are used. Under pressure from NGOs and international media groups, European tax havens were first combatted, with the result that leading capital investors left for Switzerland, Luxembourg or elsewhere to other tax havens outside Europe. The second stage is now to combat those situated in the Caribbean or elsewhere. When this has been done, only two countries will remain: the United States with Delaware and China with Hong Kong and Macao [DOG 14]. Curiously, while American laws require the disclosure of account-holder names in tax havens, they forbid it in their own country. Delaware is therefore the main beneficiary of this war on tax havens. We might therefore be surprised by the silence of NGOs who are so quick to criticize the rest of the world.

The old adage “look at who profits from the crime” is thus always current. At each attack by defenders of virtue and grand principles we should question their motivations and real aims and be ready to act to thwart their actions if they are unjust.

7.4. IT security

We must now address the many problems posed by digitization and data storage all the more as we are only seeing the beginnings of Big Data and connected objects. Faced with the rising power of this technical environment, it will be necessary to develop defensive abilities to protect ourselves [GUI 13]. Attacks already are and will continue to be of various types depending on the goal sought and the quality of the defense. You may be accused by a pressure group or NGO of storing personal data illegally and using it unethically. Even if this is not true, you will need to be able to defend yourself and have a ready response, as it could lead to a scandal from which it may be difficult to recover. But it is much more serious today with attacks by hackers who can penetrate your system and appropriate your data [ZHU 11]. Our fellow citizens are beginning to understand that one can introduce small programs into a network, which will analyze its structure, explore the IT system and try to find where your protected files are stored. They will locate the most sensitive data and as soon as new data arrives in the right place, they will immediately make an illicit copy of it. The problem is that the victim takes a great deal of time to realize what has happened if the Gartner firm is to be believed [CAR 17]; the firm declared an average delay longer than 200 days. Beyond the loss of effectiveness, this costs businesses millions of euros. Moreover, wrong-doers who commit these data thefts take an extremely low risk, given the failure of our laws to adapt to these problems. From this perspective, bank robbers are merely the vestiges of a past that has been revolutionized in terms of overly high risks, for generally reduced profitability.

Take the CEO scam, which has caused the loss of hundreds of millions of euros (this loss is counted at more than 400 million euros) over three years in the 160 largest French businesses. This is much more than all attacks on banks, postal vans or money transfers over the same period. The method is simple. One evening, generally on a Friday, an internal email signed by the CEO arrives in the finance or accounting department asking, concerning a secret negotiation currently under way, that a very substantial sum be wired immediately to account yyy. The person who receives this email, written exactly like those of the CEO, contacts their superior, who is absent that day, just like the CEO, who is travelling and uncontactable. Faced with this dilemma and the pressure exerted by the email, which appears entirely authentic, the person makes the transfer. The next day, or when the CEO returns and is told about the difficulties wiring the sum demanded, the penny drops and they realize that the business has just lost one or several million euros. We will now unpick the mechanism behind this scam. Around 140 days before this attack, according to English-speaking specialists, spyware was introduced into the business’ IT system. It carefully analyzes the communication flow, message recipients and the way people write and express themselves, then reconstructs the internal rules and forms of communication between individuals, etc. The software also puts together an organization chart of the business and the various responsibilities of individuals in it. Likewise, managers’ diaries are examined to detect the most favorable moment, that is, the day they will be absent. At the same time, it detects operations under way and how important they are. When this “leg work” is finished, the attack is launched. It only lasts as long as the time it takes to send the email, that is, a few minutes. Once the transfer has been made, the money is immediately moved from the bank that receives it to another bank, then generally to another bank in Asia where all trace of it is lost. The saddest thing is that most of those who make such attacks from abroad have been identified. It has even been possible to visit them, but they risk practically nothing, as they cannot be extradited.

This may seem too high, but it must be noted that millions of euros have been appropriated from respectable French businesses, whose weakness in the face of such practices would not have been suspected, but also small businesses, many of which have had to file for bankruptcy. Defending oneself from such actions means being up to date with the possibility of experiencing kinds of attack that “only happen to others”, then putting in place very strict protocols that should be followed even if external pressures ask you to deviate from them.
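
The Python example below is added here and is not taken from the book. It shows one way to encode a "very strict protocol" for releasing a wire transfer so that the pressure described above (Friday evening, secrecy, absent superiors) can never relax a control. The account identifiers, directory numbers, role names, keyword list and the 50,000 euro threshold are all constructed assumptions.

```python
from dataclasses import dataclass, field, replace
from datetime import datetime
from typing import Optional

# Constructed policy data for the example (assumptions, not from the chapter).
KNOWN_BENEFICIARIES = {"FR76-EXAMPLE-SUPPLIER-0001"}   # accounts already verified
CALLBACK_DIRECTORY = {"ceo": "+33-EXAMPLE-0001",       # numbers held by finance,
                      "purchasing": "+33-EXAMPLE-0002"}  # never copied from a message
PRESSURE_WORDS = ("secret", "confidential", "immediately", "urgent")
DUAL_CONTROL_THRESHOLD_EUR = 50_000


@dataclass
class TransferRequest:
    requester: str                          # role the message claims to come from
    beneficiary: str                        # account to be credited
    amount_eur: int
    received_at: datetime
    body: str
    approvers: set = field(default_factory=set)
    callback_number: Optional[str] = None   # number actually dialled to confirm
    callback_confirmed: bool = False


def risk_indicators(req):
    """Signals matching the scam pattern. They are logged for the security team
    and are never used to relax a control."""
    found = []
    if req.beneficiary not in KNOWN_BENEFICIARIES:
        found.append("new_beneficiary")
    if any(word in req.body.lower() for word in PRESSURE_WORDS):
        found.append("pressure_or_secrecy")
    t = req.received_at
    late_friday = t.weekday() == 4 and t.hour >= 16
    if t.weekday() >= 5 or t.hour < 8 or t.hour >= 18 or late_friday:
        found.append("out_of_hours")
    return found


def release_decision(req):
    """Return ("RELEASE" or "HOLD", reasons). Any failed control holds the payment."""
    reasons = []
    trusted = CALLBACK_DIRECTORY.get(req.requester)
    if not (req.callback_confirmed and trusted and req.callback_number == trusted):
        reasons.append("no confirmation on a directory-held number")
    independent = req.approvers - {req.requester}   # the requester cannot self-approve
    if req.amount_eur >= DUAL_CONTROL_THRESHOLD_EUR and len(independent) < 2:
        reasons.append("fewer than two independent approvers")
    if req.beneficiary not in KNOWN_BENEFICIARIES:
        reasons.append("beneficiary not yet verified")
    return ("HOLD" if reasons else "RELEASE"), reasons


# Constructed sample requests. 9 March 2018 was a Friday, 13 March a Tuesday.
SCAM = TransferRequest(
    requester="ceo", beneficiary="XX00-EXAMPLE-UNKNOWN", amount_eur=1_800_000,
    received_at=datetime(2018, 3, 9, 18, 40),
    body="Secret negotiation in progress. Wire the sum immediately.",
    approvers={"accounts_clerk"})

# Same request, "confirmed" by calling a number quoted in the message itself.
SCAM_CALLBACK_FROM_EMAIL = replace(
    SCAM, approvers={"accounts_clerk", "ceo"},
    callback_number="+00-NUMBER-QUOTED-IN-EMAIL", callback_confirmed=True)

ROUTINE = TransferRequest(
    requester="purchasing", beneficiary="FR76-EXAMPLE-SUPPLIER-0001",
    amount_eur=120_000, received_at=datetime(2018, 3, 13, 10, 15),
    body="Invoice 2018-031, payment at 30 days.",
    approvers={"accounts_clerk", "finance_director"},
    callback_number="+33-EXAMPLE-0002", callback_confirmed=True)

if __name__ == "__main__":
    for name, req in (("scam", SCAM), ("scam, email callback", SCAM_CALLBACK_FROM_EMAIL),
                      ("routine", ROUTINE)):
        print(name, release_decision(req), risk_indicators(req))
```

The second sample is the case that matters most in practice: a confirmation obtained on a number supplied by the requester counts as no confirmation at all.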

One should also be aware that experts who attack businesses do so over time. The IT system is broken into, and taking their time, the attackers look around and gather information. Objectives vary, since they are just as likely to focus on the financial situation and on credit conditions as on pirating patents or appropriating expertise and research plans. To secure their malicious actions, these hackers work using series of machines provided with successive networks (botnets) [WIK 18c], given that it is extremely difficult to find the origin of an attack occurring in three waves. The mafia, rogue states and some specialist services also use sub-contracting, which they negotiate on the dark web.

When TV5 Monde was attacked by hackers who managed to block the channel and leave the black flag of Daesh on viewers’ screens for several hours, the conclusion was drawn that Daesh had excellent experts on launching cyberattacks. The enquiry showed that a private group of Russian hackers had carried out the sub-contracted attack for a client who has still not been clearly identified.

Today, any successful business should have a security system that makes it possible to avoid these problems or at least to reduce them considerably.

Let us look at the Sony affair, in which North Korea was accused of having attacked Sony, as it had produced a film about a dictator who resembled its supreme leader, considered scandalous by North Korea. Some weeks later, the energy supply to a city in North Korea was entirely cut off for 12 hours. Some saw this as a response to the attack on Sony, but this group was not capable of blocking an entire city, that is, of taking control of energy distribution, telecommunications, traffic lights, etc. Others hence concluded some weeks afterward that the Sony affair had been fabricated to carry out the attack on North Korea. This was a poor interpretation as specialists later discovered that the North Koreans had a team of experts who were particularly good at cyber-attacks.

In the real world, things are becoming more and more complicated, as we must be able to identify who is behind events, that is, the real attacker. In addition, we are only at the start of the digital era with innovative and ever more effective systems in domains as varied as domotics, smart cities or more generally connected objects. Today, with adapted means, a number of activities can be blocked at all levels.

One of the most virulent recent attacks was carried out against the nuclear fuel enrichment plant in Natanz [KEN 15] in Iran, in which thousands of small centrifuges made it possible, little by little, to enrich uranium. The Stuxnet virus [KUS 13], designed by the United States and Israel, was used to destroy this equipment by disrupting the centrifuge control system to create sudden variations in speed. As the factory was cut off with no communication with the outside world, the virus was certainly introduced through human action by connecting a USB stick containing the virus to the plant’s IT system. This military attack against Iran worked perfectly, since it announced the destruction of 60% of centrifuges. A timer had been placed in the virus, enabling the virus to self-destruct after a set time. But this was overlooked, which enabled it to be identified. It is likely that an engineer hoping to work from home connected a USB stick to the plant’s IT system to extract data and that it picked up the virus, which was then passed to his or her computer, and then spread worldwide via the Internet, which enabled it to be followed and identified. This is why the designers invented Flame [WIK 18d], another virus that self-destructs.

The civilian derivative of this software attacks SCADA (Supervisory Control and Data Acquisition) systems in factories, that is, it attacks the computer control of machines and production lines [SEK 16]. The attackers send a virus into a factory and warn management that they will destroy the factory if they do not provide millions of euros or rather bitcoins to a foreign account. The CEO has no more than a few hours to decide whether they will pay or whether they will take the risk of ending up with an unusable factory for a substantial length of time. We are seeing the development of the same kind of technique with the jamming of screens in businesses or hospitals followed by the publication of a demand for payment to stop the blockage, as happened recently with WannaCry [WIK 18e]. In most cases, businesses prefer to pay, as they have little choice and we should be prepared to face this type of attack more often in the near future.

Experience shows that substantial information leaks from businesses have various origins. Incompetence, lack of training and the absence of protection measures are common causes. One might also face internal malicious actions and external attacks by hackers who have been paid to attack, or who are testing new procedures. Finally, there are also little “gremlins” in cyberspace who will steal information to resell it to third parties or sell it back to you for a ransom. Our IT systems are usually very fragile and IT systems managers are often poorly prepared to tackle skilled professional hackers.

The world of the Web is separated into three. The visible part, which is the smallest, contains everything we use every day on the net. The “deep web” [MAD 08] makes it possible to go deeper, retrieving existing information, but it also requires specialists to know how to search it. The “dark web” [ABB 10] was originally invented to facilitate exchanges in total secrecy between intelligence services and their agents on the ground. It can only be accessed with specialist search engines since each address is specific and impossible to find with a simple search. For more information on the deep web, consult the white paper on it [BER 01].

With time, the dark web has become the place for illegal traffic of all kinds. It contains sites that freely sell drugs, arms or pharmaceutical products as well as pirated files or information. It also provides the opportunity to hire a hitman to remove a competitor or to bring together experts to carry out targeted actions that can bring big money to its authors. With the increasing sophistication of offensive and defensive techniques, we can see its actors becoming specialized: some are interested only in using files, in code breaking, in collecting ransoms and other payments obtained by force while others work on penetrating organizations or stealing data. They can come together for one action, like the old gangs of bandits who temporarily brought together locksmiths specializing in safes with robbers and receivers. They are thus able to mount pirating operations without leaving any trace that could lead back to them or even less so to the client, if there is one.

Faced with these criminal organizations, which develop as a result of the profitability of their actions and the low risks incurred, we must secure our systems in an increasingly complex environment where innovation does not always benefit the honest. IT directors (DSI in French [WIK 18f]) are all the more defenseless as they make substantial investments to implement IT systems whose permeability they need to be familiar with, once it is identified, and in which they need to recognize any intrusion they experience. Faced with this situation, we need a change in mindset. Just as the account holder should not sign checks, the IT director should not be responsible for their systems’ security. Crisis management and security specialists must be named or employed to carry out audits to identify, evaluate and reduce risks. Steps for increasing awareness, training and above all additional investment will result. Considering the cost of the failures and risks run, defense and protection of IT systems is increasingly becoming a priority even though we have only recently become interested in their operational effectiveness.

Attackers’ imaginations can be infinite. We have a good example of this with counterfeit software, such as USB sticks given as gifts. It is striking to see how managers and technicians fall, without any suspicion, into the trap of the infected USB stick in which a small piece of software will spread cookies or other programs that can steal information. Worse still, it may contain viruses able to disrupt your computers. This is why any USB stick given as a gift or one of unknown provenance should at least be monitored and better still reformatted on a dedicated computer to be certain that it is harmless. Unfortunately, this sort of useful precaution is rarely used systematically in businesses or research laboratories.

Security is first and foremost a state of mind that starts with mistrusting anything that is not clearly identified. We should be neither paranoid nor naïve, but we recognize that we have a culturally “rose-tinted” mindset and this should be reason enough for us to mistrust ourselves [CDS 09]. We live in a very competitive environment in which each person is trying to take advantage and in which there is “no such thing as a free lunch”. Certainly, altruism and generosity should be part of our lives, but behind the good Dr. Jekyll there may lurk a Mr. Hyde.

7.5. Safeguarding data

In the context of economic intelligence, it is essential to safeguard data and information systems. Everyone knows this should be done regularly to reduce the volume lost in case of accident. Many forget that these safeguards should not be stored in the same place as the servers, because if there is a fire, for example, everything will be destroyed at the same time. Cybertools are not immune to breakdowns, bugs or freezing. It is helpful to have envisaged the scenario and better still to have foreseen it, since dealing with equipment failures is one aspect of security. It should be borne in mind that nothing is perfect, that all systems have bugs and that manufacturers provide patches to fix them, which should be applied without delay. If we do not, we join the ranks of those trapped by viruses such as WannaCry as a result of not adding the patch quickly enough. Another instance to envisage is one where computer systems break down entirely. If there is an updated global back-up in an independent system, the machine can be reactivated; if not, all data will be lost. This problem is also posed by USB sticks or external hard drives; it is dangerous to lose them if everything is stored on them, although we only need to duplicate them to remove this risk.

To finish on data storage, it should be recognized that there is general awareness of the importance of the problem and the risks run. Useful reflexes and experience have been acquired from the use of effective methods or tools. Over the past 10 years, our protection has relied on the concept of fairly effective firewalls. But things are changing, as the very concept of viruses has evolved and these will be detected less and less often by classic firewalls. The only chance of blocking them will rely on spotting the small parts of the virus after it segments, which will then be recombined after passing through anti-virus software. This involves other tools and shows the importance of remaining attentive to the development of malicious products when considering security.

7.6. Respecting security clearance

We all know that digitally identifying the sender and recipient is essential for flow security whether between two operators or between connected objects. Likewise, in exchanges within organizations or with external contacts, we are rapidly becoming aware of the importance of security clearance and the need to respect this type of authorization.

In sensitive businesses, authorization is given allowing movement within particular zones or across an entire site. Each level of clearance attaches conditions for access and the limits within which given IT systems can be used, according to need. This may be restricted to an office, to data within a single file or particular intranet addresses. It should be specific and should rely on real means of control to be respected by everyone.

Valeo works on future models for many car manufacturers across the world. This obliges them, in order to maintain total confidentiality, to have impermeable partitions between various activities. Each laboratory works in closed circuit to avoid the slightest leak. Nevertheless, in the case of the young Chinese student who came to Valeo for work experience in a number of laboratories, things were different. One day, an engineer noticed that she had connected her computer to the laboratory’s computer circuit. The security manager was alerted and went to the other laboratories and found that the same thing had occurred. There was therefore a serious risk of leaks and the French authorities were alerted. During a search in this student’s room a whole series of computers was found, corresponding to each laboratory. Questioned for industrial espionage, the student denied the charges, explaining that she had extracted various data as information for other students who remained in China. Since she was in prison, the Chinese Ambassador requested a meeting with the CEO to induce him to withdraw his complaint. He agreed, to avoid any trouble for his factory in China. The student, now released, was able to continue her studies at the University of Compiègne and it is told that at a pressing request from the Embassy, the CEO of Valeo was present at her graduation ceremony.

This story reveals the importance of respecting and monitoring security clearances. In this instance, everything had been predicted except the case of itinerant trainees. Today, large modern firms are very difficult to penetrate, as there are internal security services or specialist firms that ensure, on a physical, material and intangible level, that everything that arrives at or leaves the business is monitored along with internal flows. Security clearances contribute to this, but cannot be the only means of implementing this objective.

7.7. Crisis management

Despite all the systems put in place and the effectiveness of teams and systems, we are never safe from attack, or from a competitor or criminal organization taking advantage of a failure. This is why a capacity for resilience is vital in the face of unpredicted events that may have serious consequences. This is a priority for the effectiveness of crisis management. Indeed, we should be aware that we cannot improvise on this. A crisis can only be resolved properly if the eventuality has been tackled upstream [BOI 00]. In all security domains, we need a crisis management team made up of individuals selected for their ability and experience, who will imagine situations and create practice scenarios for solving likely potential crises. So, if there is a real crisis, the team will have acquired useful experience enabling them to deal with the current event based on one or more cases already tackled during exercises. In this team, there is generally someone responsible who will be in control during the crisis, someone responsible for communication and someone who liaises with public authorities, then professionals who will take the necessary initiatives on the ground, etc. It should always be borne in mind that the best means of overcoming crises lies in preparing for them collectively. It is an error to think that one can manage alone, while improvising. This is especially true in the domain of intangible goods. If solutions and procedures for responding in a state of crisis have not been considered beforehand, too much time will be lost and failure will result.

7.8. Conclusion

Beyond practicing physical, material and immaterial security, which are vital to achieving a competitive level of economic intelligence, economic security relies above all on a state of mind. Pragmatically and without any naivety, the practitioner should take care that the information differential with competitors remains in their favor by ensuring that others cannot acquire information on the strong points that differentiate them from competitors. This means following the evolution of technologies with the growing use of artificial intelligence, recognizing methods of attack used against others and their responses, as well as taking care to systematically monitor digital identities used in the business, for sending as well as for receiving. The problem is therefore not to complicate the others’ tasks by force, but to ensure that the business cannot be attacked and ransacked, so as to maintain its economic activity in the best conditions.

7.9. References

[ABB 10] ABBASI A., FU T., CHEN H., “A focused crawler for Dark Web forums”, Journal of the Association for Information Science and Technology, vol. 61, no. 6, pp. 1213–1231, 2010.

[BAL 09] BALL C., “What is transparency?”, Public Integrity, vol. 11, no. 4, pp. 293–308, 2009.

[BER 01] BERGMAN M.-K., “White paper: The deep web: Surfacing hidden value”, Journal of Electronic Publishing, vol. 7, no. 1, 2001, available at: https://quod.lib.umich.edu/cgi/t/text/idx/j/jep/3336451.0007.104/–white-paper-the-deep-websurfacing-hidden-value?rgn=main;view=fulltext.

[BET 01] BETSILL M.-M., CORELL E., “NGO influence in international environmental negotiations: A framework for analysis”, Global Environmental Politics, vol. 1, no. 4, pp. 65–85, 2001.

[BOI 00] BOIN A., LAGADEC P., “Preparing for the future: Critical challenges in crisis management”, Journal of Contingencies and Crisis Management, vol. 8, no. 4, pp. 185–191, 2000.

[CAR 17] CARE J., “Cyber attacks to the left, ransomware to the right. We need to spend money on what?”, Gartner Blog Network, June 27, 2017, available at: https://blogs.gartner.com/jonathan-care/2017/06/27/cyber-attacks-to-the-left-ransomware-to-the-right-we-need-to-spend-money-on-what/.

[CDS 09] CDSE, “L’entretien : Alain Juillet, haut responsable chargé de l’intelligence économique”, March 18, 2009, available at: https://www.cdse.fr/l-entretien-alain-juillet.

[CHA 17] CHASE J., NIYATO D., WANG P. et al., A Scalable Approach to Joint Cyber Insurance and Security-as-a-Service Provisioning in Cloud Computing, IEEE, Piscataway, 2017.

[CNI 17] CNIL, La CNIL en bref, 2017, available at: https://www.cnil.fr/sites/default/files/atoms/files/cnil_en_bref-2016_0.pdf.

[COH 16] COHEN C.-J., BEACH G.-J., CAVELL B. et al., “Cybernet systems corporation”, Behavior Recognition System, vol. 9, no. 304, p. 593, 2016.

[DOG 14] DOGAN A., “Fiscal paradises and G-20 as a global decision maker”, in E. SORHUN, Ü. HACIOĞLU, H. DINÇER (eds), Regional Economic Integration and the Global Financial System, IGI Global, Hershey, 2014.

[EYN 13] EYNARD J., Les données personnelles : Quelle définition pour un régime de protection efficace ?, Michalon Éditeur, Paris, 2013.

[FON 16] FONDATION PROMETHEUS, Baromètre 2015–2016 de transparence des ONG, Report, 2016, available at: http://www.fondation-prometheus.org/wsite/wp-content/uploads/Barometre_ONG_2015_2016.pdf.

[GUI 13] GUITTON C., “Cyber insecurity as a national threat: Overreaction from Germany, France and the UK?”, European Security, vol. 22, no. 1, pp. 21–35, 2013.

[KAP 13] KAPFERER J.-N., Rumors: Uses, Interpretations, and Images, Transaction Publishers, Piscataway, 2013.

[KEN 15] KENNEY M., “Cyber-terrorism in a post-stuxnet world”, Orbis, vol. 59, no. 1, pp. 111–128, 2015.

[KIM 10] KIMMEL A.-J., AUDRAIN-PONTEVIA A.-F., “Analysis of commercial rumors from the perspective of marketing managers: Rumor prevalence, effects, and control tactics”, Journal of Marketing Communications, vol. 16, no. 4, pp. 239–253, 2010.

[KUS 13] KUSHNER D., “The real story of stuxnet”, IEEE Spectrum, vol. 50, no. 3, pp. 48–53, 2013.

[LEV 06] LEVY M., JOUYET J.-P., L’économie de l’immatériel : La croissance de demain, La Documentation française, Paris, 2006, available at: http://www.ladocumentationfrancaise.fr/rapports-publics/064000880/index.shtml.

[LOW 17] LOW P., “Insuring against cyber-attacks”, Computer Fraud & Security, no. 4, pp. 18–20, 2017.

[MAD 08] MADHAVAN J., KO D., KOT L. et al., “Google’s deep web crawl”, Proceedings of the VLDB Endowment, vol. 1, no. 2, pp. 1241–1252, 2008, available at: http://www.sysnet.ucsd.edu/sysnet/miscpapers/p1241-madhavan.pdf.

[MEY 17] MEYER T., “Nucléaire et question climatique : Construction et conséquences d’un discours géopolitique en France et en Suède”, Herodote, no. 2, pp. 67–90, 2017.

[PAR 97] PARATTE F., Bronzage, bergamotier, bergaptène et Bergasol®, PhD thesis, Université de Franche-Comté, 1997.

[ROB 14] ROBERT M., Lutte contre la cybercriminalité, Ministère de la Justice, June 30, 2014, available at: http://www.justice.gouv.fr/publications-10047/rapports-thematiques-10049/lutte-contre-la-cybercriminalite-27415.html.

[SEK 16] SEKURIGI, “Irongate : Le malware successeur de stuxnet peut saboter les systèmes scada”, July 25, 2016, available at: https://www.sekurigi.com/2016/07/irongate-malware-successeur-de-stuxnet-saboter-systemes-scada/.

[STE 90] STEVENSON R.W., “Bribe charges backed at Northrop era end”, The New York Times, September 21, 1990, available at: http://www.nytimes.com/1990/09/21/business/bribe-charges-backed-as-northrop-era-ends.html.

[TRA 17] TRACE, Anti bribery compliance solutions, 2017, available at: https://www.traceinternational.org/.

[UPA 16] UPADHYAYA R., JAIN A., “Cyber ethics and cyber crime: A deep dwelved study into legality, ransomware, underground web and bitcoin wallet”, 2016 International Conference on Computing, Communication and Automation (ICCCA), Noida, India, April 29–30, 2016.

[WIK 18a] WIKIPEDIA, “Al-Yamamah arms deal”, 2018, available at: https://en.wikipedia.org/wiki/Al-Yamamah_arms_deal.

[WIK 18b] WIKIPEDIA, “Black Bloc”, 2018, available at: https://fr.wikipedia.org/wiki/Black_Bloc.

[WIK 18c] WIKIPEDIA, “Botnet”, 2018, available at: https://fr.wikipedia.org/wiki/Botnet.

[WIK 18d] WIKIPEDIA, “Flame (ver informatique)”, 2018, available at: https://fr.wikipedia.org/wiki/Flame_(ver_informatique).

[WIK 18e] WIKIPEDIA, “WannaCry”, 2018, available at: https://fr.wikipedia.org/wiki/WannaCry.

[WIK 18f] WIKIPEDIA, “Directeur des systèmes d’information”, 2018, available at: https://fr.wikipedia.org/wiki/Directeur_des_syst%C3%A8mes_d%27information.

[WIK 18g] WIKIPEDIA, “Foreign Corrupt Practices Act”, 2018, available at: https://fr.wikipedia.org/wiki/Foreign_Corrupt_Practices_Act.

[ZHU 11] ZHU B., JOSEPH A., SASTRY S., “A taxonomy of cyber attacks on SCADA systems”, 2011 International Conference on Internet of Things and 4th International Conference on Cyber, Physical and Social Computing, Dalian, China, October 19–22, 2011.
