The objectives of private companies and government do not always align, in fact it is seldom that they do. One has the role of supporting and protecting its citizens while the other provides products and services for those same people. There are some similarities in what they provide, but the methods and motivations are drastically different. However, the different means they use to reach their end goals require many of the same things. They require safety, security, and stability to provide the support, products, and services that are their core mission.
That piece of common ground creates an opportunity for collaboration, it is an opportunity that many organizations partake in.
Overlapping Security Concerns.
When it comes to protecting human and physical assets, government uses law enforcement agencies and private security to watch and protect. They use fences, guards, cameras, and more to keep unwanted people and items out of facilities and to protect public servants going about their daily work. Private companies must do this same thing as well.
Factories, research facilities, and office buildings all use some type of access control. It could just be locking a door when work is done for the day or it could be razor wire topped fences with a gate secured by armed security guards. This kind of physical security can be expensive to set up, but there’s not many special tricks or secrets. There is a need to be aware of both current and emerging threats, as government and private organizations see new incidents arise they find ways to protect against them. Maybe traveling workers are having their cars stolen, perhaps thieves are breaking into buildings to steal valuable electronics or raw materials, or it could be that terrorists attempting to target government offices and production sites that use hazardous materials.
For protecting information and intellectual property, there are more complex techniques to stop cyber attacks and spies. Some are defensive and try to stop loss of valuable information before it can happen, others are offensive and aimed at targeting the people and groups that carry out this theft to degrade their capability to carry out such an act. Physical security and this type of information security or counterespionage are drastically different fields with very few things that carry over.
Those things that do carry over are procedures that protect sensitive information such as safes for documents, locks preventing flash drives from being inserted to computers or servers, and special access control measures to prevent unauthorized people from going to where sensitive information is present. These are all security measures that, like other physical security measures, are not very complicated but can be very expensive.
Partnering for security
With so little that carries over between the two fields of security, one other area where they connect is in the people who need them- governments and companies. This is where Public-Private Partnerships come in.
Sharing information about incidents, threats, and illegal acts is often difficult because few government agencies and fewer companies want to let people know when they are victims. For governments, the issue may be not wanting to acknowledge sensitive facilities or programs while for companies it is often that they need to keep confidence in their investors and business partners. For both, and this is mostly in the sense of information theft, they don’t want their adversary to know that they know an incident ever took place. To create an environment where such threat intelligence can be communicated more fully and with a degree of confidence in the ability to secure the information about an incident, public-private partnerships often create an appropriate forum.
Some of the more common Public-Private Partnerships, or at least the ones I’ve interacted with in my career, focus on physical, travel, and cyber security as well as preventing economic espionage. They’ve been run by major government agencies such as the U.S. Federal Bureau of Investigation (FBI), U.S. Bureau of Diplomatic Security (DS), and German Federal Criminal Police Office (BKA).
InfraGard is a program managed by the FBI that facilitates information sharing and provides training for American businesses that own and oversee critical infrastructure. The Overseas Security Advisory Council, or OSAC, is DS operated organization that shares information between private companies doing business around the world and the U.S. Department of State. OSAC then shares this information and compiles it into reports that allow companies affected by crime or terrorism to remain anonymous while making other countries more aware of the risks they may face when engaging in international travel or commerce. The BKA participates in the Global Players Group with Germany’s largest countries and other domestic security and law enforcement agencies. The group also facilitates information sharing with companies doing business around the world while also providing training and seminars on emerging threats and mitigation measures.
GPS team members have been involved with information sharing and training with all of these organizations throughout our careers. We’ve found them to be great sources of information and networking within the fairly quiet corporate security world.
Special Concerns in Partnerships
The information shared through these partnerships is often used to provide reports that list trending and newly found trends and incidents. This information allows companies to avoid risks and plan for their response if they do occur.
Sometimes the information shared with these federal law enforcement agencies will trigger and investigation or prompt law enforcement to join an investigation already being conducted by a company. These investigations may involve terrorism, organized crime, or espionage.
Terrorism and organized crime issues fall within the scope of the partnerships already mentioned. Economic espionage, however, is responsible for hundreds of billions of dollars of losses per year and it involves especially sensitive and secretive investigations. This makes it a difficult area for partnership, especially for international companies who may not trust national security services to help investigate incidents in which other national security services may be trying to steal their information.
Few companies are willing to work with outside partners of any kind, admitting that they lost their most valuable information could be a blow to the company if it became public. For companies willing to partner and seek investigative help though, there are options.
In the United States, the FBI manages the Business Alliance Initiative. The organization helps prepare companies for cyber and espionage related threats. They do this by providing briefings, vulnerability assessments, specific intelligence, and invitations to regional meetings on relevant topics. It is an excellent program that has helped to prepare and protect many American companies for the threats they face. It has also helped them to engage in investigations more effectively and efficiently than companies without a direct link to the FBI.
Gecko Professional Services consistently recommends to our clients engaging in these partnerships to ensure ethical business practices can be combined with enhancing national security. These programs have proven valuable tools for companies of all sizes and types. No company has the reach or capability of an effective national security service, although some companies have very impressive security apparatuses. Past this, absolutely no company has an ability to prosecute offenders. This is often the aftermath of major investigations and incidents so it just makes sense to engage in partnerships with those who have the end responsibility to prosecute these offenders.