Competitive intelligence, corporate security and the virtual organization.

In establishing virtual organizations, HUBs have often used relational partnering methodologies in order to network their subcontractor cadres. Relational partnering is premised on the notion that HUBs and their subcontractor cadre can develop long-term learning relationships, thereby achieving mutual and sustainable competitive benefits (Grover, 1995). From the subcontractor perspective, long-term commercial relationships with the HUB permit them to develop expertise, assets and strategic capabilities that will prove useful in (a) initially meeting contract requirements with the HUB; and (b) subsequent competitive activities with other organizations (Rackham, Freidman and Ruff, 1996). On the other hand, relational partnering also has the potential for creating a variety of CI risks/vulnerabilities for both HUBs and subcontractors. Such a risk was recognized by many Boeing employees during the development of the 777 aircraft. Boeing made use of selected partner expertise by inviting subcontractors, suppliers, and even potential customers to participate as members of "Design-Build" teams. As team members, these individuals had access to information regarding product design features and new technologies that would be included in the new aircraft. Many Boeing engineers felt that this policy could result in significant losses of proprietary information since Boeing would not be in a position to monitor how the information might be subsequently disseminated by "Design-Build" team participants (Sabbagh, 1993).

CI vulnerabilities also exist for subcontractors participating in serial-long linked forms of virtual organizations. To maximize efficiency and competitive advantage, many HUBs (e.g.: Motorola, Nissan, Toyota) have required their subcontractors to share information on their innovative work practices and technologies with other members of the partner cadre in order to improve their collective operations in service to the HUB. However, the exchange of this proprietary information can serve to erode the competitive advantages of these subcontractors when they compete against each other in subsequent business dealings (Dabholkar and Neeley, 1998; Fitzpatrick and Burke, 2000b).

COMPETITIVE INTELLIGENCE VULNERABILITIES, SUBCONTRACTOR MANAGEMENT AND THE RECIPROCATING FORM

There exist two methods by which HUBs can utilize reciprocating linkages to manage subcontractor activities. The first corresponds to traditional subcontracting where the HUB directly receives and then combines subcontractor work products prior to delivery to the customer. In this instance, HUBs make extensive use of information technologies to coordinate the sequencing and delivery of subcontractor outputs/activities. In the second form of this methodology, HUBs provide and manage a large central facility where subcontractors perform or provide their services (Fitzpatrick and Burke, 2000a). These subcontractors are granted extensive access to HUB facilities and resources while accomplishing their tasks. This freedom of access is analogous to an extended plant tour or opportunity for observational benchmarking. As such, it creates the potential risk of CI losses by affording subcontractor representatives the opportunity to visually observe proprietary production processes, technologies, job designs, plant layouts, product formulations, R & D activities and even confidential documents. As a result, observers possess enough data to begin reverse engineering of key business technologies and/or to be in a position to disclose confidential information about business plans to competitors. Xerox Corporation's loss of the technologies behind the computer mouse and the GUI (graphic user interface) to Apple Computer Corporation during the 1980s is one of the better known CI coups attributable to the use of this methodology (Cringely and Sen, 1996). More recently, a contract food services employee used his on-site status at MasterCard International to secure documentation of a confidential proposal for a business alliance between MasterCard and The Disney Corporation. He was later arrested by the FBI for attempting to sell trade secrets to a MasterCard competitor for $200,000 (Associated Press, 2001).

The use of temporary or contractor employees has been associated with both breaches in corporate security and significant losses of CI. These security breakdowns can often be traced to the fact that these employees are rarely subject to the extensive background investigations or security clearances required of permanent HUB employees. However, their lack of security clearances is not an impediment to having access to high security areas within HUB facilities (ASIS/PricewaterhouseCoopers, 1999; Winkler, 1997). Frequently, access to these facilities is during time periods where little work is being performed and security procedures are lax. This affords these temporary/contract employees ample opportunities to plant electronic monitoring devices, engage in computer hacking, peruse confidential files and dumpster diving (Winkler, 1997; Nugent, 1992). Hecht and Murphy (2000) describe an incident that suggests corporate security and other support personnel often fail to verify the credentials of subcontractors or their right to access corporate information/facilities. In a security penetration exercise, these authors were able to enter a high security facility during a shift change by masquerading as subcontractors. Without verifying their credentials, a cooperative librarian granted them guest privileges on the library's computer network. Within two hours, they planted password sniffing software and subsequently obtained accounts/passwords to all major corporate computer servers/data bases.

COMPETITIVE INTELLIGENCE VULNERABILITIES AND COMPUTER/TELECOMMUNICATIONS SECURITY ISSUES

For virtual organizations, the extensive use of information and telecommunications technologies permits them to manage their globally dispersed networks of partners and subcontractors (Warren and Hutchinson, 2000). These technologies have allowed virtual organizations to (1) replace inefficient and costly "paper based" processes (Warren and Hutchinson, 2000; Kerwin, Stapaneck and Welch, 2000); and (2) develop creative synergies through the more effective sharing of information and management of virtual teaming/tasking activities (Townsend, DeMarie and Hendrickson, 1998). Virtual teaming has been successfully used by a number of corporations including DEC (Digital Equipment Corporation--now part of COMPAQ), John Brown Engineers & Construction, Ltd., and Boeing. Each of these organizations created extensive IT infrastructures consisting of shared data bases, simulation and modeling systems, videoconferencing, and teleconferencing systems in order to permit the rapid exchange of ideas/information and bolster creative synergy (Grenier and Metes, 1995; Grimshaw and Kwok, 1998; Sabbagh, 1993).

Computer Security Issues

The reliance by virtual corporations on IT to support competitive activities serves to enhance their CI vulnerabilities through cyber attack mechanisms. Many of these attacks are designed to permit CI operatives or hackers to force system entry by exploiting known security failings of an organization's computer hardware/software configurations or discovering the account and password information of legitimate system users. In this first instance, port/network scanning is an important precursor to the cyber attack in that it permits hackers to determine the type of software or services running on remote computer systems. Spoofing, packet and password sniffers permit hackers to illegally enter computer systems/data bases, pirate information and/or sabotage these systems. Spoofing allows attackers to bypass system firewalls by masquerading as authorized internal users of the system. Packet and password sniffers respectively (a) collect system message traffic and data transfers; and (b) locate/retrieve information contained in password files (Schultz, 1999; Warren and Hutchinson, 2000). Hacking activities are often facilitated by ineffective organizational and individual computer password security policies/protocols (Schultz, 1999). While the methodologies and risks associated with these types of cyber attacks are well known within the IT community, relatively few attacks are detected and reported by computer system administrators. A study by the Defense Information Security Agency reported that typically only 4 percent of system intrusions are actually detected and of those detected, only 1.2 percent are actually reported as system violations (Graham, 1998).

Laffin (1996) documents the activity of criminal gangs in both the theft and subsequent ransom of corporate laptop computers. Recently, Qualcomm's CEO had his laptop computer stolen from a California hotel conference room. The computer contained information on proprietary technologies. Its theft is being treated as a potential economic espionage case by the FBI (Associated Press, 2000). Intellectual properties contained on individual computer systems have also been compromised through an electronic sensing technology entitled TEMPEST. This electronic intelligence technology (ELINT) enables CI operatives to reproduce the screen images of computer monitors by capturing the electro-magnetic or Van Eck radiation emitted by these devices at distances of up to one mile (Nugent, 1992; Winkler, 1997; Ward, 1993).

Telecommunications Security Issues