What Are We Protecting?

One of the first steps a good defense lawyer will do in defending a client in a trial involving espionage is convince the judge and the jury that her/his client did not know the information or equipment stolen was classified or proprietary. The defense lawyer may place an employee of the company - corporate official or security officer - on the witness stand and ask her/him what reasonable measures were taken within the company to clearly identify classified or proprietary information and ensure its protection. If the witness cannot satisfactorily articulate the reasonable measures and safeguards used to protect the classified or proprietary information, the case could be dismissed.

Within the United States, we have various federal laws to help ensure the protection of "classified" U.S. Government information. These laws have been used numerous times to prosecute U.S. and foreign citizens for committing espionage against the U.S. Government. Until recently, we did not have a federal law to protect the unclassified proprietary information or trade secrets of private U.S. companies. The Economic Espionage Act of 1996 was specifically enacted to provide some protection to U.S. companies to cover this oversight.

One responsibility every company official has is to clearly identify to employees what classified or proprietary information requires protection. In other words, a company has a responsibility to take reasonable measures to protect classified U.S. Government information or their company trade secrets.

The term "Trade Secret" means all assets such as financial, business, scientific, technical, engineering or economic information. This includes patterns, plans, compilations, program devices, prototypes, formulas, design, procedures, methods, techniques, codes, processes, or programs -- whether tangible or intangible and whether or how stored, compiled or memorialized physically, electronically, graphically, photographically, or in writing if

  • the owner has taken reasonable measures to keep such information secret; and
  • the information derives independent economic value (actual or potential) from not being generally known to, and not being readily ascertainable through proper means by, the public.

Recognizing that not all assets and activities warrant the same level of protection, a company needs to identify which assets need safeguarding and to assess their relative value or importance. Asset value need not be assessed in dollars. However, the cost of the security countermeasures used to protect assets must be reasonable in relation to their overall value. Assets can be valued relative to their potential loss impact. Within the Department of Defense, the impact of the loss of an asset might involve human lives or national interests.

An asset to the U.S. Government is any person, facility, material, information, or activity, which has a positive value to the U.S. Government or a company. The asset may have value to an adversary, as well as the U.S. Government or company, although the nature and magnitude of those values may differ.

The categories listed below may help identify the general types of assets relevant to a U.S. company. The five basic categories include the following:

  • People
    • Government personnel
    • Contractors
    • Military personnel
  • Activities/Operations
    • Intelligence collection/analysis
    • Sensitive movement of operations/personnel/property
    • Conduct of sensitive training
    • Communications/networking
    • RDT&E and sensitive technology
    • Production of sensitive technology
    • Protection of nuclear/chemical/biological materials
    • Protection of weapons, explosives, and equipment
  • Information
    • Classified
    • Sensitive Compartmented Information
    • Top Secret
    • Secret
    • Confidential
    • Unclassified
    • System designs
    • Intellectual property
    • Patents
    • System capabilities/vulnerabilities
    • Sensitive methods
    • Sensitive financial data
  • Facilities
    • Industry sites
    • Headquarters
    • Field offices/administrative buildings
    • Training facilities
    • Contractor facilities
    • Storage facilities
    • Production facilities
    • R&D laboratories
    • Power plants
    • Parking facilities
    • Aircraft hangars
    • Residences
  • Equipment/Materials
    • Transportation equipment/vehicles
    • Maintenance equipment
    • Operational equipment
    • Communications equipment
    • Security equipment
    • Weapons
    • Automated information systems equipment

Information about critical assets can be gathered from a variety of sources. The "asset owners" or program managers (often company officials) are generally the most knowledgeable about the assets in need of protection. Sometimes it may be an engineer or scientist. These individuals generally have the best idea as to which assets are the most sensitive and valuable.

Understanding the nature and value of the assets being protected allows security professionals to make more rational decisions about related vulnerabilities and about the allocation of security countermeasures. It also helps ensure that critical assets will be protected first and that resources will be allocated where they will be the most effective.

Public Release #981210-06