Hackers are targeting start-ups. Are we prepared?
LOST IN THE DIZZYING ESCALATION of multibillion-dollar tariff decrees is the fact that there exist other ways to cripple international trade. Bill Priestap, assistant director of the FBI’s counterintelligence division and a 20-year veteran of the agency, says corporate espionage has moved beyond spy-versus-spy and into the realm of businessmen, scientists, and academics – and that it may increasingly target smaller companies that don’t have a security apparatus built into their business plan.
POPULAR MECHANICS: Which industries are the main targets of espionage by foreign countries?
BILL PRIESTAP: China has this effort called Made in China 2025, in which the Communist party has identified ten areas in which they want to become more self-sufficient. Things such as artificial intelligence, robotics, biotechnology, energy, aerospace [which are all industries frequently targeted by foreign agents]. So, if you are a world-leading business – and I don’t care what your business is – it is likely you’re being targeted by a foreign adversary, and it is likely you are being targeted by China.
PM: A lot of the industries you’ve mentioned are start-up-driven.
BP: Before, it was just the largest of the large with the capability to be the greatest inventors. Today, more and more extremely capable people drop out of college or grad school and start a company that can take off and be a world-beating technology. And whereas large companies are very familiar with global risk, start-ups don’t often think of things from a security perspective. They have to make it part of their decision-making as a young company: How do we best secure our unique ideas?
PM: Espionage cases regarding big companies have been seen in the media. How about start-ups?
BP: I don’t have as many examples of start-ups being taken advantage of. One reason I’m convinced that is the case is because, in my experience, the start-ups aren’t thinking about their security and protection writ large. And as a result, I believe, most start-ups aren’t identifying the problem like some bigger companies would. The bottom line is that the FBI doesn’t get as many leads or referrals from start-ups as I think are currently being targeted.
PM: When there is a referral, how does an investigation unfold?
BP: We try to understand the value of the item or information that’s targeted. That evaluation isn’t just made on potential monetary value, but also applicability. Could it be used in military components that would give our country a distinct strategic advantage? Another thing we take into account is the willingness of the company to work with us. Often, assisting us will mean not doing anything. Firing the suspect isn’t always conducive to allowing us to do what we need to do.
PM: So what security measures do you recommend at small companies?
BP: Designate someone as the lead security person. This cannot be an afterthought. The other thing I would suggest is, think hard about what the valuable assets truly are. Sometimes that’ll be an employee with special talents or special knowledge that makes that company unique. It’s not always just information on a computer, or some widget that was produced.
PM: Start-ups often operate in informal ways – co-working spaces, staffing up with university students. Are there security implications to this?
BP: In regard to co-working-type spaces, it would stand to reason that there are. There are a lot of different people and a lot of different organisations all in one facility. It all comes down to what company you are renting from. What are the security protocols in place? When it comes to hiring people, what is the vetting process? You can spend a whole lot of money on this, but you don’t have to. You can have more people you trust interview the applicant. You can require more references. We’re seeing more people check on social-media accounts. The last thing I’d say is that there are ways to phase in access over time as you get to know employees. Just because somebody starts at your company doesn’t mean you have to give them full access to everything you’re doing immediately.
A Q&A WITH: BILL PRIESTAP, assistant director of counterintelligence, FBI