Say you suspect someone in your company is conducting espionage. In your company. On your time. With your hard developed information. Perhaps even selling your expensively created items, or even your intellectual property. If you work for a corporation with clearance holders, stop right there. Your obligation is to report the incident immediately. Don’t take action beyond that. What ‘action’ are we referring to? Let’s take a look at some real incidents, where real problems occurred. Let’s see what came as result of doing things right, and doing things wrong.
An Incident Report for a Security Clearance Holder
A report was circulated that money was coming to an employee from overseas. No one could identify the source of the money, but clearly the person who received it was one of the senior officers of a cleared company. How was he doing it? Who were the people sending him this money? You first hear about this, and this is all you know. What do you do?
First, stop any home made ‘investigation’. If you believe someone in a senior position is taking money from a foreign source, contact your Defense Counterintelligence and Security Agency (DCSA) officer, or the FBI. Why these agencies? First, the DCSA provides security for the Department of Defense and a number of other federal agencies. This includes providing industrial security oversight and assistance for contractor facilities. You should know who these people are by their routine visits. They are people you call on to advise your company personnel of national security threats, and how to avoid them. Their industrial security oversight people are the ones who come to show you how best to protect your physical plant, your information, your personnel issues that fall under classified headings.
What about the FBI? They have a counterintelligence and criminal investigative role. To have a lead which says that one of the primary members of your staff is receiving unknown money from abroad can be scary. The FBI can handle this. This requires your company to do a few things, none of which involves investigating on your own.
What Happens When You Report to the FBI or DCSA?
When you pass along any information to an investigative agency, it is kept confidential. This protects the source of the information, and allows the investigation to proceed. You provide a summary of what you know, and help with any follow up questions. The FBI, let’s say, may ask for identifying data on the individuals involved. They may want to know about practices in the company, who comes and who goes. They will also want to know who deals with foreign companies and individuals, the better to pursue a potential crime. Of course, as the case proceeds, they will need much more perhaps. Nevertheless, their investigation will proceed successfully based on your cooperation, and silence. Indeed, you must not advise anyone about the nature of the investigation. To do so, to ‘keep someone in the loop’ will compromise a case in many instances.
Let’s say you tell a senior manager who has no need to know. There is the key phrase again, need to know. Too often many senior managers, given the least information, want to ‘find out for themselves what’s going on’ and interfere with professional investigative activities. Your company would be well served by periodic updates from the investigators to key personnel who do have a need to know. This does a couple things. It assures the management that all is under control, that action is being taken. Further, it obviates the need to advise people who might cloud the issue. Know who knows, and why. Keep a minimal advisory group available to help with the case as it proceeds. Only a few in this group needs to know the ‘whole investigative story’. For instance, if you need to know background information on your suspect’s activities, and you ask a question of the personnel security employee, there is no need to enter into long explanations. After all, working through existing chains of command–in a strictly limited, need to know manner— is one of the best ways to help any FBI or other investigation.
If this cannot be done, other measures might have to be taken. Say, for example, you fear a mid level manager, who is friends with the suspect, might tip him off that ‘security is asking about you’. Then good investigators need to know this beforehand. You can work with the investigative team to come up with another means of determining what they need to know.
In short, teamwork is required. If you know your investigative counterparts ahead of time, so much the better. When you call upon them for help, you know with whom you are beginning. If not, then you can still start with a good case that doesn’t have virtually everyone knowing that ‘something is up.’ Keep those aware of the issue limited. Not everyone needs to know the whole story. Keep others with a partial need to know only partially aware as best you can. Unanticipated, unconscious leaks can damage a case even as much as malicious ones. So, keep need to know limited.
Why do we say ‘don’t conduct your own investigations’? First, looking at your own company is a conflict of interest. If I know something that could bring my company into disrepute, I might not take appropriate actions against those who have brought us to the brink. I might not be fair to all involved. I might jump to conclusions that a proper investigation would not support, if conducted by professionals who are also dispassionate and disassociated. They will have far more objectivity that not. They will have more investigative techniques and technology available than you can dream of. In fact, at the end of the day, a proper investigation, pursued by outside professionals, can determine more, protect reputations better, and come to a solution closer to the truth than something done ‘in house’.