Unintended Consequences
I remember the golden dream of catching my first spy, back when I was a green gumshoe. It was something I hoped could be possible during my career. My mentors were aging, and only one I’d ever met had seen an actual espionage case. For me, it didn’t take long. And it was anything but a golden experience. The arrests made a few peers look bad, and they accused me of orchestrating the abuse of multiple arrested spies. What a trainwreck. The book Dog Company (Vincent & Hill, 2017) detailed that debacle – unfortunately, the case uncovered incompetence and corruption in the ranks, along with some complicated ethical dilemmas. The word “empathy” took on new meaning when senior leaders fired my principal for making difficult decisions when lives were on the line, decisions that cost his and others’ careers but saved lives — unintended consequences. I was fortunate to have a prescient mentor who advised me to keep a detailed investigative log during that case. The cards eventually fell where they needed to.
In the second and third cases I led that resulted in arrests and terminations, once the previously successful insiders were exposed and either arrested or fired, those organizations began to experience devastating attacks for the first time in years. Leaders had come to believe they were immune to spies and losses, but this rested on a false premise. In reality, the adversary had everything they wanted as long as their insiders were in place, so why attack? This is what we often refer to as a false sense of security.
Later in my career, I was involved in cases that resulted in arrests, prosecutions, and sentences. Still, senior officials were not interested enough in the more senior adversaries responsible for driving these insiders to pull the remaining loose strings. They were satisfied with the arrest, a new notch in the belt, a new mug shot on the wall of shame. In one case, I received a proffer from a defense attorney that their recently sentenced client was willing to provide detailed information about those with whom he was in a clandestine relationship. Not one senior leader cared. The pressure to drop the matter was final. The rest of that network is in place, for all I know. As a seasoned Chief Security Officer said to me not long ago, "I refuse to care more about company assets than the people responsible for protecting them." I wished I'd heard it earlier; I'll never forget it. However, my first and best mentor and I decided during that first series of unintended consequences to set the conditions for our success so that when conditions turned in our favor, we were always prepared. I find myself here more often than not.
Throughout my career, I ran into unintended consequences time and again. What happens when we succeed in neutralizing a threat but inadvertently tell the spy’s handlers that they’ve lost one of their assets? Um, well, it depends. If they already had a backup in place, nothing changed. All remained quiet. Security seemed seamless. However, for those victims who caught the only spy in place, the attacks often amped to legendary proportions - in some cases as a smokescreen to obfuscate more subtle penetrations. Have I got some stories on these scenarios, ¡ay de mí!
During a recent conversation with an industry peer, we discussed this very scenario. For years, all had been quiet on their home front, even though the company was innovating the future of key technologies known to be heavily targeted by multiple threat actors worldwide. Their processes were working. Until they didn’t. It was not pretty. In the aftermath, after looking under the hood, a key observation reminded me of a common political refrain – never let a crisis go to waste.
Once the company learned how their former insider had been successful, they began to look for evidence of similar illicit technology transfer campaigns targeting their critical assets (a polite way of saying industrial espionage). There were others in the ranks. It put a dent in that false sense of security. Suddenly, new overhead investments made sense. Confidence temporarily suffered, but it resulted in an honest assessment of the company’s security maturity and a roadmap to close the gaps. This was a story with silver linings, the best of unintended consequences.
I’ve seen the other side of those unintended consequences firsthand. Arrests, terminations, and other adverse administrative actions have been essential tools of my trade for many years but have, at times, produced surprises. During my military career, we referred to "surprises" as first (likely), second (possible), and third (dammit, this sucks) order effects, and worse - cascading effects (call the ambassador). Neutralizing threats can be cathartic and necessary, but only when carefully used against the right adversary. Each adversary deserves special attention.