National Security

Spooks, Incorporated

Does every company need its own CIA?

Since 9/11, a quiet intelligence revolution has been brewing inside many of America's leading companies. Hotel chains, cruise lines, airlines, theme parks, banks, chemical companies, consumer products manufacturers, pharmaceutical companies, and even tech giants have been developing in-house intelligence units that look and act a lot like the CIA.

These organizations don't steal competitor trade secrets or wiretap your phones. But many conduct surveillance of customers, visitors, and employees to collect information and spot potential threats. Some run "red team" exercises that involve dressing in disguise and casing company locations to test the security. For all of them, the main job is analyzing "hot spot" developments around the world, around the clock -- from violence in Syria to environmental protestors in California -- anything that could threaten the brand reputation, personnel, or business interests of their parent company.

Typically these in-house intelligence units have nondescript names like "the Office of Global Safety and Security." (Most of these companies do not like to talk openly about their intelligence activities for fear it will scare away customers or hurt their brand reputations.) But don't let the names fool you. These offices are staffed with former CIA, FBI, and military professionals who have close ties to the U.S. government and conduct global threat reporting by working through formal channels and informal networks around the globe. This is the privatization of American intelligence that you've never heard of. And it's part of the innovative and growing business of political risk management.

Concern about political risks to business is as old as the hills. In ancient Babylon, trade insurance covered looting and pillaging, the political risks of the day. Thomas Jefferson launched America's first unconventional war in 1801 because thieving thrones in Tripoli, Tunis, and other Barbary states of North Africa were sacking U.S. merchant ships and holding them for ransom. In modern times, oil companies have been at the forefront of political risk management, seeing competitive advantages to understanding turmoil in oil-rich countries. Royal Dutch Shell has been doing scenario planning since the 1970s.

But political risk matters more now than ever, thanks to the convergence of three things:

1.      Supply chain improvements like "just in time" inventory management, which ships goods from factories to consumers as fast as possible but leaves no stockpiles to keep business operating if anything goes awry;

2.      Globalization, which has made it possible to make and sell products in more countries, to more consumers -- and, in the process, generates more nodes of disruption;

3.      The information revolution, which enables small groups to transmit messages to mass audiences in real-time.

These three factors have given rise to a fundamental business paradox: Businesses face greater global opportunities and vulnerabilities than ever before. Far-flung supply chains can dramatically lower costs, but they are hard to see and manage, leaving many managers unaware of just how exposed their business is to supplier delays, political events, and natural disasters far, far away. In the old days, the "free world" and "Soviet bloc" were two different universes. Not anymore. Now everything is connected. Sweden's Ikea has stores in Russia. My CIA alarm clock was made in China. Unrest in Cairo can cause legging shortages in California. And communications happen everywhere. Wifi can be found in Bedouin tents, on the top of Mount Everest, and on buses in rural Rwanda. Kenyan fisherman may lack electricity, but they can check weather conditions and fish market prices on their cell phones. All of this connectedness means that political risks -- civil strife, instability, insurgency, coups, weak legal standards, corruption -- have more spillover effects. What happens in Vegas does not stay in Vegas.

In 2011, Orange Business Services, the business communications arm of one of Europe's large mobile phone providers, thought the protests in Tunisia couldn't possibly affect their operations in Egypt. One week later, they were proven wrong. The domino revolutions of the Arab Spring had cascading effects on a number of industries, ranging from telecom in Europe to the tea trade in Africa. Instability in the Middle East was by no means an outlier. There were nearly three dozen attempted coups in the last decade, seven between 2008 and 2010 alone, ranging from Thailand to Niger to Ecuador. The Fund for Peace's Failed States Index has listed more than 100 countries in the "alert" or "warning category" for state failure since it began in 2007. That's more than half the countries in the world. In a 2011 survey of the 100 largest high-tech companies, 81 percent of executives said they were worried about natural disasters, wars, conflicts, and terrorist attacks, a jump of 26 points from the previous year. As Ian Bremmer notes, major geopolitical changes have occurred about once a decade for the past 50 years: de-colonization in 1950s and 1960s, détente in the 1970s, the Cold War's end in the 1980s, 9/11 and terrorism in the early 2000s. The Arab Spring is the latest. Undoubtedly, there will be others. Large political changes happen far more often than we think.

Little changes also matter more now, too. Thanks to the IT revolution, lone individuals and small groups can have a supersized impact if their messages go viral. Julian Assange used the internet to turn his ragtag WikiLeaks operation into a phenomenon that roiled diplomats across the globe. In 1998, the NGO Global Witness, which started with three friends in a London apartment, exposed the role of conflict diamonds in Angola's civil war. By 2003, their work helped prompt U.N. sanctions against Sierra Leone, Angola, and Liberia, and cowed the diamond giant DeBeers into a certification scheme to clean up the industry. Two years ago, before the Arab Spring erupted, a Stanford colleague of mine met with Syria's president, Bashar al-Assad. The Syrian strongman said, presciently, that he was not worried about a U.S. invasion. He was worried about Facebook. He should have worried more: in the internet age, small local movements often don't stay small and local for long. In business as well as politics, power has gone asymmetric.

Understanding the changing nature of political risk and how to mitigate it is a growing industry. In large part, this is because the U.S. government has left an intelligence gap. In many countries, intelligence services regularly share information with businesses to give them a competitive advantage in the global arena. But U.S. intelligence agencies do not. Since 9/11, the private sector has been filling the gap. In-house intelligence units are the most pioneering examples, but they have plenty of company. There are now scores of open-source intelligence services, analysis shops, and consulting firms led by former high-level officials with names like Chertoff, Albright, Rice, Hadley, and Gates.

So when you think "convergence," don't just think about drones and spooks. There is a burgeoning convergence of intelligence and business. The CIA may not be getting into corporate espionage, but American companies are getting into intelligence. They're just not talking about it much.


National Security

King David

Why generals shouldn't run the CIA.

As the Petraeus scandal unfolded last week, we got a crash course on the Tampa social scene, General Allen's superhuman ability to write 20,000 to 30,000 pages of "potentially inappropriate" emails, and the romantic attraction of the six-minute mile. What we did not get was a serious discussion of whether it was a good idea to let a warrior-general run the CIA in the first place.

The real Petraeus story is about much more than a seedy tabloid sex scandal. It's about what he did on the job -- his brief tenure at Langley and the militarization of intelligence it represents.

To the outside world, intelligence and defense don't seem so different -- they're both vaguely national security-ish. But looks are deceiving. Military officers, as Samuel Huntington famously wrote, are professionals in the "management of violence." Intelligence, by contrast, is all about the management of information -- how to get it, analyze it, hide it from the wrong people, and share it with the right ones. The Pentagon's primary mission is to fight. The CIA's primary mission is to learn. Fighting and learning are related, but distinct, producing different organizational cultures, activities, and leadership requirements in the Pentagon and the CIA.

Three concerns arise whenever a military leader runs the agency. The first is the risk of tactical tilt -- that war-fighter directors will favor tactical military operations over long-term strategic assessments. Even with a $75 billion overall budget, U.S. intelligence agencies cannot do it all: Too much focus on today leaves us vulnerable to nasty surprises tomorrow.

Michael Hayden, another former general who ran the CIA, during the Bush administration, understood this danger precisely because he was an Air Force intelligence officer. Hayden pushed hard to keep the CIA looking at emerging threats, not just today's battles. He knew the most important customer for the CIA wasn't the war-fighter, it was the president. And because he knew it, "the building" at Langley trusted him. But Petraeus was never an intel guy. He was an infantryman who came to Langley from the battlefield and continued to wage war from within the CIA. Under Petraeus, the CIA's paramilitary activities have continued to escalate. The agency routinely conducts and oversees strikes in places like Pakistan, Yemen, and Somalia. Targeted killing is such big business that the CIA is borrowing drones from the military while its own drone fleet is expanding. Many now worry that old-fashioned intelligence collection and analysis in the nation's premier intelligence agency is getting short shrift.

The second concern with a warrior-director is that military leaders can clash with the CIA's culture. The American military prides itself on having a hierarchical, can-do culture. When the boss gives an order, subordinates are expected to follow it, no matter how great the odds of success or how dangerous the circumstance. American forces are the best in the world in large part because of these cherished values.

The CIA has a different cherished value: speaking truth to power. Analysts and collectors are supposed to present information and assessments even if they know the boss won't like it. No one salutes inside Langley. Hierarchy exists, but the culture prizes rigorous debate to sharpen analysis. Intelligence reports have dissenting footnotes. Military orders do not. As Dianne Feinstein, chairwoman of the Senate Intelligence Committee, said of Petraeus before the scandal broke, "I think he's a brilliant man, but he's also a four-star general. Four-stars are saluted, not questioned. He's now running an agency where everything is questioned, whether you're a four-star or a senator. It's a culture change."

The culture change was clearly hard on Petraeus. Determined to win over "the building," Petraeus arrived from Kabul last year without his large coterie of scholar-soldier acolytes. He decorated his CIA office with military mementos. At a recent event, he even weirdly pinned his military medals onto his business suit. The 60-year-old general faced his first-ever civilian job adrift and isolated from everything he had known in a glorious military career.

The bigger question is whether Petraeus was hard on the CIA's culture. It's difficult to know about something so intangible in an agency so secret, but the indicators are not good. As David Cloud and Ken Dilanian of the Los Angeles Times recently noted, word inside the agency was that Petraeus had lived in his deferential military bubble for so long, the former general would "sometimes visibly blanch in meetings when junior officers spoke up to disagree with him." It is also telling that Petraeus didn't sleep with just any woman. He slept with his "biographer," someone he knew would be likely to write hagiography. Broadwell had no writing credentials but plenty of hero worship. That should have raised some red flags as well as eyebrows: A man who selects someone so unqualified to speak the truth of his own life might have difficulty speaking truth to power or rewarding others who do.

The third concern about putting generals at the helm of the CIA has to do with rules. Rules are the lifeblood of an organization, making clear what matters. In the military there are all sorts of rules about appearance and fitness. How fast you can run, how many push-ups you can do, whether your hair is short enough, how neatly your clothes are pressed. Why? Because unit discipline and individual fitness can spell the difference between life and death, success and failure.

Ever seen a bunch of CIA people? Let's just say appearance and fitness do not spring to mind. Instead, CIA rules are fixated on guarding information, everywhere, all the time. Why? Because in intelligence, that's what can spell the difference between life and death, success and failure. It is hard to overemphasize just how seriously security procedures are taken in this world.

Nobody knows yet whether Petraeus played fast and loose with security rules as he was playing fast and loose with his lover. The CIA is concerned enough that it is conducting its own investigation, and the FBI's "closed" investigation of the affair's security implications suddenly is not so closed. Last weekend's box haul from Paula Broadwell's house found classified documents on her home computer. Her clearance has been suspended. Whether Petraeus gave her access to information she had no business knowing remains to be seen.

But here's the thing: Petraeus did not have to give away the nuclear codes or other "vital national security secrets" to have done a serious wrong. In the intelligence universe, any security breach is serious because big secrets can eventually escape through small holes. Anyone who starts thinking the secrecy rules do not apply to them is a ticking security vulnerability, especially if his mistress has become a jilted lover unhinged enough to send creepy/stalky emails.

Only time will tell whether Petraeus's indiscretion was marital or more. But it's high time we stopped thinking that generals can always run everything. David Petraeus was a soldier and a patriot. But the CIA was a bridge too far for him.

Win McNamee/Getty Images