Amy Zegart

Spooks, Incorporated

Does every company need its own CIA?


Since 9/11, a quiet intelligence revolution has been brewing inside many of America’s leading companies. Hotel chains, cruise lines, airlines, theme parks, banks, chemical companies, consumer products manufacturers, pharmaceutical companies, and even tech giants have been developing in-house intelligence units that look and act a lot like the CIA.

These organizations don’t steal competitor trade secrets or wiretap your phones. But many conduct surveillance of customers, visitors, and employees to collect information and spot potential threats. Some run "red team" exercises that involve dressing in disguise and casing company locations to test the security. For all of them, the main job is analyzing "hot spot" developments around the world, around the clock — from violence in Syria to environmental protestors in California — anything that could threaten the brand reputation, personnel, or business interests of their parent company.

Typically these in-house intelligence units have nondescript names like "the Office of Global Safety and Security." (Most of these companies do not like to talk openly about their intelligence activities for fear it will scare away customers or hurt their brand reputations.) But don’t let the names fool you. These offices are staffed with former CIA, FBI, and military professionals who have close ties to the U.S. government and conduct global threat reporting by working through formal channels and informal networks around the globe. This is the privatization of American intelligence that you’ve never heard of. And it’s part of the innovative and growing business of political risk management.

Concern about political risks to business is as old as the hills. In ancient Babylon, trade insurance covered looting and pillaging, the political risks of the day. Thomas Jefferson launched America’s first unconventional war in 1801 because thieving thrones in Tripoli, Tunis, and other Barbary states of North Africa were sacking U.S. merchant ships and holding them for ransom. In modern times, oil companies have been at the forefront of political risk management, seeing competitive advantages to understanding turmoil in oil-rich countries. Royal Dutch Shell has been doing scenario planning since the 1970s.

But political risk matters more now than ever, thanks to the convergence of three things:

1.      Supply chain improvements like "just in time" inventory management, which ships goods from factories to consumers as fast as possible but leaves no stockpiles to keep business operating if anything goes awry;

2.      Globalization, which has made it possible to make and sell products in more countries, to more consumers — and, in the process, generates more nodes of disruption;

3.      The information revolution, which enables small groups to transmit messages to mass audiences in real-time.

These three factors have given rise to a fundamental business paradox: Businesses face greater global opportunities and vulnerabilities than ever before. Far-flung supply chains can dramatically lower costs, but they are hard to see and manage, leaving many managers unaware of just how exposed their business is to supplier delays, political events, and natural disasters far, far away. In the old days, the "free world" and "Soviet bloc" were two different universes. Not anymore. Now everything is connected. Sweden’s Ikea has stores in Russia. My CIA alarm clock was made in China. Unrest in Cairo can cause legging shortages in California. And communications happen everywhere. Wifi can be found in Bedouin tents, on the top of Mount Everest, and on buses in rural Rwanda. Kenyan fisherman may lack electricity, but they can check weather conditions and fish market prices on their cell phones. All of this connectedness means that political risks — civil strife, instability, insurgency, coups, weak legal standards, corruption — have more spillover effects. What happens in Vegas does not stay in Vegas.

In 2011, Orange Business Services, the business communications arm of one of Europe’s large mobile phone providers, thought the protests in Tunisia couldn’t possibly affect their operations in Egypt. One week later, they were proven wrong. The domino revolutions of the Arab Spring had cascading effects on a number of industries, ranging from telecom in Europe to the tea trade in Africa. Instability in the Middle East was by no means an outlier. There were nearly three dozen attempted coups in the last decade, seven between 2008 and 2010 alone, ranging from Thailand to Niger to Ecuador. The Fund for Peace’s Failed States Index has listed more than 100 countries in the "alert" or "warning category" for state failure since it began in 2007. That’s more than half the countries in the world. In a 2011 survey of the 100 largest high-tech companies, 81 percent of executives said they were worried about natural disasters, wars, conflicts, and terrorist attacks, a jump of 26 points from the previous year. As Ian Bremmer notes, major geopolitical changes have occurred about once a decade for the past 50 years: de-colonization in 1950s and 1960s, détente in the 1970s, the Cold War’s end in the 1980s, 9/11 and terrorism in the early 2000s. The Arab Spring is the latest. Undoubtedly, there will be others. Large political changes happen far more often than we think.

Little changes also matter more now, too. Thanks to the IT revolution, lone individuals and small groups can have a supersized impact if their messages go viral. Julian Assange used the internet to turn his ragtag WikiLeaks operation into a phenomenon that roiled diplomats across the globe. In 1998, the NGO Global Witness, which started with three friends in a London apartment, exposed the role of conflict diamonds in Angola’s civil war. By 2003, their work helped prompt U.N. sanctions against Sierra Leone, Angola, and Liberia, and cowed the diamond giant DeBeers into a certification scheme to clean up the industry. Two years ago, before the Arab Spring erupted, a Stanford colleague of mine met with Syria’s president, Bashar al-Assad. The Syrian strongman said, presciently, that he was not worried about a U.S. invasion. He was worried about Facebook. He should have worried more: in the internet age, small local movements often don’t stay small and local for long. In business as well as politics, power has gone asymmetric.

Understanding the changing nature of political risk and how to mitigate it is a growing industry. In large part, this is because the U.S. government has left an intelligence gap. In many countries, intelligence services regularly share information with businesses to give them a competitive advantage in the global arena. But U.S. intelligence agencies do not. Since 9/11, the private sector has been filling the gap. In-house intelligence units are the most pioneering examples, but they have plenty of company. There are now scores of open-source intelligence services, analysis shops, and consulting firms led by former high-level officials with names like Chertoff, Albright, Rice, Hadley, and Gates.

So when you think "convergence," don’t just think about drones and spooks. There is a burgeoning convergence of intelligence and business. The CIA may not be getting into corporate espionage, but American companies are getting into intelligence. They’re just not talking about it much.

Amy Zegart is co-director of Stanford University's Center for International Security and Cooperation and is Davies family senior fellow at the Hoover Institution. Twitter: @AmyZegart