Brooks Tech Policy Institute (BTPI) Fellow Basim Ali sat down with private sector intelligence experts Colin Reed and Dr. Lewis Sage Passant to discuss the growing role of private sector intelligence in countering nation-state threats. The conversation also delved into Dr. Passant’s latest book “Beyond States and Spies: The Security Intelligence Services of the Private Sector”, that explores the history, practices, and implications of intelligence services operated by private sector organizations and challenges the idea that intelligence is solely the domain of nation states.

Dr Lewis Sage-Passant is the Global Head of Intelligence at one of the world’s largest pharmaceuticals companies, Novo Nordisk, where he advises the company on geopolitical and security risks, as well as leading efforts to combat economic and industrial espionage challenges. He has extensive experience working and living in the Middle East and Asia Pacific regions in a variety of geopolitical and security intelligence roles with major finance, technology, and energy firms. In his academic life, Lewis researches the field of intelligence and espionage. Lewis holds a PhD from Loughborough University, where he is a Visiting Fellow in intelligence studies, and is an adjunct professor teaching intelligence at Sciences Po Paris. He has appeared in numerous media outlets, including the BBC, France24, CNBC, Harvard Business Review, The New Arab, El Mundo, GQ, and others, discussing intelligence, geopolitics, and security topics. He is the author of “Beyond States and Spies: The Security Intelligence Services of the Private Sector”, which explores how corporations use intelligence to navigate and shape the world around them.

Colin Reed is a foresight & intelligence strategy advisor working in the US technology sector, specializing in geopolitical risk and global planning for businesses and executives. In his current role at Salesforce, he leads the Global Strategic Threats program, identifying emerging risks to the company’s interests, including emerging vectors such as nation-state threats and AI, and providing decision advantage to senior Salesforce leaders on topics of geopolitical & economic significance. He chairs Salesforce’s internal Geopolitical Strategy Council, where he brings together business unit leaders from across the company’s global operations to discuss emerging geopolitical themes and helps shape Salesforce’s global posture. Colin previously worked in counterintelligence for the United States government and is passionate about the role intelligence in the private sector plays in shaping global affairs.

Basim Ali: For the purpose of clarification for our audience, I’m going to ask a semantical question to both of you. So, how different is private sector intelligence from corporate espionage. As in the common parlance, intelligence is often associated with the public sector. So how does that definition change, when we go into the private sector and how different is it from corporate espionage?

Lewis Sage-Passant: Great question! I would describe private sector intelligence as a very broad term. It’s a very broad spectrum; at one end you have the kind of very ethical operations. Ethical competitive intelligence is where companies use open source data to look at what their competitors are doing and build their strategy around that. Then you’ve got things like ethical corporate security intelligence, it is what Colin and I do. The reason I caveat with ethical is because there have been some instances of unethical security intelligence which we can talk about later on. But broadly ethical security intelligence is where the overwhelming majority of the field sits. These people who are focused on protecting their company and they do it in a really collaborative way. So, Colin and I work for different companies, but we talk regularly. In some of our flagship analyses we even work together, and this is a really normal thing in this space, even across rival companies so to speak. So, I work for a pharma company , one of our most commercial rivals, our intelligence teams will be talking to each other, we will be sharing information with them. Because of this collaboration, it is a great intelligence community, and we see security as a non-competitive sport. Where it gets challenging and this is where the difference comes in is the opposite end of that spectrum, where you have unethical behavior. It is the unethical twin to open source competitive intelligence, it is things like corporate espionage, where companies are spying on one another. Therefore, internally companies keep a strict firewall between competitive intelligence, even the ethical kind, like security intelligence so that the corporations and security can continue.

But where the fields overlap is that the security intelligence is also responsible for defending against commercial espionage, so we have a role in defending against it, but we don’t do it. At least in the ethical cases, the reason I caveat it ethical security intelligence is because in some very rare cases there have been instances of security teams getting into covert operations type stuff, which is wholly unacceptable for the field. 99% of the practitioners will tell you that they don’t do that because of reputational risks and frankly for the practical reason that it would risk  cutting you off the intelligence sharing network- which is by and large the biggest source of intelligence we have access to.

Colin Reed: Yes, it is really valuable to have the guy who literally wrote the book about this. What Lewis said is 100% true, I think that comparing it back to the public sector, as Basim you asked, I think the main point of comparison that I offer people is that like in the public sector, like in the government you have different parts of the intelligence community that do different things. Some operate overseas and try to steal the secrets that other governments may try to protect, while some agencies play defense, i.e., they are trying to protect the population and trying to keep the adversary from stealing secrets. That is also true in the private sector, there are different parts of the companies that are doing different things. To Lewis’s point, there are ethical and unethical ways of doing those things. We are sitting in the United States right now and intelligence agencies here have a long history of both ethical as well as unethical things that they have done and it is only in the context of wider history and through things like congressional reviews and committees, we see where these lines are drawn normatively. And the norms around this are playing just big of a role in the private sector as they do in the public sector. If someone is regarded as an unethical actor, they will become a bit of a pariah in the private sector and people will not collaborate with them. The judgement that quite a few of us make is that that is an unacceptable trade-off, when trying to keep people safe is our primary goal.

Basim Ali:  You mentioned the pariah part Colin, so can we assume then that the adage which goes that there are friendly countries but no friendly intelligence agencies, doesn’t hold true in the private sector?

Colin Reed: I’m glad that you brought that up. I really like that line a lot. It doesn’t hold true for us right now, but I would also say that we currently live in a time where we are benefiting from the fact that the community in the private sector intelligence is pretty small. To some extent we are all in some kind of former relationship with one another, we have worked with someone, who’s worked with some and so on. So, when I say that becoming a pariah would be really toxic to your program, that’s primarily what I’m talking about, as one would lose access to networks that are very necessary. We don’t have access to say, for example a budget like the CIA right, we don’t have spy satellites, we don’t have signals intercepts, human sources etc., so we are much more reliant on that collection and sharing network of being in a community of peers. I think that way you could compare is that you could look at say something like the Five Eyes alliance, you could look at NATO, and you could see how the development of a normative trust around those relationships is what makes it a mutually reinforcing security arrangement. When you have actors that are threatening that trust or in some cases threatening each other’s territory obviously breaks that trust down.

Lewis Sage-Passant: I’ll jump in on that as well. I love that you use that quote! You know when Olson says that there may be friendly countries but there are no friendly spy agencies, you know, in the private sector you can almost reverse that. You can have unfriendly commercial rivalry, but the intelligence teams are almost always on friendly terms. Often, they learn and teach each other best practices and the dynamic that Colin described is pretty accurate. The one thing that helps in the private sector, that helps more so than in the government is that people move around between these companies and the way the industry recruits tend to be based on those personal networks that Colin touched on. As a result, it is in people’s interests to be seen as an active contributing member of the community on the intelligence sharing groups. This can also be viewed as a personal incentive as the day one needs a job, they will reach out to the same people, and they are more likely to hire them. This doesn’t exist in the government, and it is sort of a double edged sword for the private sector. No one who works for the CIA leaves it to go work for MI6, there may be some exchanges but from a career progression perspective you can’t do that. Occasionally someone leaves the CIA or the NSA and goes to work for the Russians but that is a very big deal and there are criminal sanctions for that. In the private sector leaving one firm to join the other is a very normal part of career progression .The reason that I called it a double-edged sword is from a IP protection and an espionage protection perspective, it does present an opportunity for unethical actors, less so in the security space but across various commercial parts of the company, so it does mean that preventing corporate espionage becomes a much bigger challenge given the movement between those sorts of foreign agencies as you would see in the state context, you it is a completely normal thing but they take that knowledge with them. So, it is a double-edged sword, but it also makes the community closer.

Basim Ali: When we talk about intelligence in the context of national security, it is generally viewed as strategic or tactical. So, when we go into private sector intelligence, how does the strategic and the tactical change? Does it go towards obtaining a competitive advantage or is it about protection from geopolitical threats? It would be great if you could explain this transition.

Lewis Sage-Passant: There is a very clear delineation between those two areas, between the competitive advantage in the commercial sense and protecting against threats. A recent Harvard Business Review article by Maria Robson-Morrow highlighted that security intelligence can also provide competitive advantage as it allows one to take smarter risks and acts as a force multiplier. But the two things are distinct, the idea is that competitive advantage is derived from your commercial intelligence teams, and they are separated by a firewall from the security intelligence teams who ensure that the company is protected and insulated from geopolitical risks. But like I said, in a complex world you could derive competitive advantage from both those things.

Colin Reed: I would just add to it by saying that risks and opportunities are in fact two sides of the same coin. So, if you are able to identify risks accurately and well then with a bit of extra effort you will be able to identify opportunities as well. That kind of landscape analysis is  where we do offer an advantage  to our corporations. We are just not specifically in the business of stealing secrets from other corporations and as Lewis mentioned, it is more of a competitive intelligence or a business intelligence kind of thing.

Basim Ali: Now I’m going into some academic questions, so I remember that I was going across some works of Prof. Richard Aldrich, and he talks about the changing nature of surveillance and how the ‘Big Tech’ is calling the shots in that space. So, in your opinion how will that interaction playout in the future, and how would the nature of private sector intelligence change?

Colin Reed: This is a big topic! Lewis knows that I have a lot of thoughts on this topic. So maybe I’ll kick off. I do think that what has changed in the nature of Big Tech’s role in government surveillance is that if you think back to Snowden leaks and if you think about how the PRISM program was working at that time that was something that the government was interested in. They wanted to collect everything and store it in a big data lake somewhere and be able to access it. I think that we have moved beyond that. I think the nature of how internet works is that there is so much data, and it is being replicated so quickly that the idea that you can suck it all up and store it in a warehouse and search it of outdated view. Relationships between tech companies and government agencies have changed quite a bit in the intelligence space, to a point that now while there are still legal mechanisms by which the government would use to subpoena or gain access to data that would be held by tech companies, those relations now are also much more collaborative in the sense that the tech companies now are proactively self-policing. Also, the interaction between the tech companies and the government has also become more sophisticated. You may recall the tiff a few years ago between  FBI and Apple. The FBI wanted Apple to give it access to backdoors into Apple’s encryption. Apple was really concerned about this as it was a big reputational risk for Apple, especially in the encryption space. That was an interesting political moment, but what happened was that Apple did not cave into FBI’s demands and FBI went off and found other ways to break into encrypted devices and now ironically, we see FBI issue warnings to Americans about encrypting their devices and using Signal other things because the Chinese are everywhere. So, it goes to show the changing nature of the relationship, part of the danger is that the last time the public had an open look at how that relationship worked was in the Snowden leaks and that is really old now. So, trying to continue to base our discussions around those leaks is a bit outdated.

Basim Ali: Dr. Passant, I’m borrowing this from your book ‘Beyond States and Spies: The Security Intelligence Services of the Private Sector’. In one of the sections in the book you mention this concept of ‘secrecy chauvinism’ especially with regard to the British intelligence framework. So, how would that allurement of secrecy play out in the case of ‘Big Tech’ because it would be somewhat of an antithesis to what Colin was just saying?

Lewis Sage-Passant: That’s a great point! I think that most of the secrecy chauvinism sits within intelligence studies, and I also think that it is dissolving very rapidly. I would like to claim that the brilliance of my book and my arguments have solved that problem, but sadly that is not the case. I think what has happened is that the war in Ukraine and the prominence of the open source intelligence community has moved the conversation forward with respect to the efficacy of non-secret intelligence. I think people have started to understand this, and I think within state agencies, through my academic work, I meet with various agencies, and I find less and less resistance to this idea as well. I think there is a growing recognition, there are things the private sector is pretty good at. So, more of the question becomes that how do we interface those relationships and how do we have an appropriate relationship with a private sector entity, which can be complex, as a company might have links to a certain government.

Colin Reed: The only thing that I will add is that in the last 20 or 30 years we have seen decentralization of where power sits in society. Beginning with the internet and continuing through the whole globalized era, power and economics have spread out. Earlier states used to hold all the levers of power, whether it was power over economy, power over how people communicated  etc. All of that has been slowly diluting, so now you have a much more complex environment. Going back to the quote that you gave us in the beginning that there are no friendly intelligence agencies, I think that these corporations have complex relationships with their own flags. They may be multiple countries, and they may be equally important as a business entity, so they are their own actors in a certain way on the international stage. So, they need to be treated as interesting and distinct entities, and I think that the states are realizing this to some degree and trying to adjust their approach accordingly.

Basim Ali: In your book, you discuss the history of private sector intelligence, particularly the role of the British East India Company in intelligence gathering. Could you elaborate on their methods and significance in the history of intelligence collection?

Lewis Sage-Passant: Absolutely! I  love talking about the history of the field. One of the ideas that we talk about is that private sector intelligence is new, often in literature it is seen as something that emerged in the last few years, and you frequently see reference to its eroding government monopoly. In fact, government monopoly never actually existed, at one point there was private sector monopoly that governments displaced. Quite simply, we were doing this stuff first, at least in an organized structured way as it is recognized today. I know that is a bold claim but the reason that I say that when you look back in history you have actors like the British East India Company (BEIC), Venetian merchant guilds etc., that ran large scale intelligence operations. Now, I don’t think that any of them were recognizable as corporations in today’s context. BEIC was essentially an empire structured around a shareholder governance model, but it did do intelligence in a very large scale way, both for defensive like  kind of security purposes (they were dealing with various crises like piracy challenges from regional powers etc.) as well as offensive purposes. At one point every officer of the company, no matter where they were based across company territory, was expected to gather intelligence and report it as a standard part of their job. They even did offensive intelligence operations, they mounted a covert intelligence mission into China, where they sent a guy called Robert Fortune into China to inspect Chinese tea plantations by pretending to be a local government official and he turned up in China and collected samples and brought them to India and kick started the massive scale Indian tea industry. Now, I don’t think BEIC to be the first real e.g. of private sector intel, because they were barely private sector. In fact, the Regulating Act ended up folding them into the British empire because they got so powerful and were able to threaten the crown. But there was another company from 1700s onwards that started running intelligence operations in a way that is quite recognized today and that was Lloyds of London, which was another British intelligence firm that had around 25% of global economy underwritten on their books.              This was an enormous risk to carry and thus to remain profitable they had to quantify it. To quantify you need intelligence, so they established  a human intelligence network on every port across the world.

Basim Ali: Finally, could you recommend any books for someone interested in learning more about the field of private sector intelligence and its history?

Colin Reed: I can go ahead, I’m going to plug Dr. Lewis Sage-Passant’s book ‘Beyond States and Spies: The Security Intelligence Services of the Private Sector’ and I recommend another book called ‘Unruly: Fighting Back when Politics, AI, and Law Upend the Rules of Business’. It is by Sean West and about to come out and ‘Bloc by Bloc: How to Build a Global Enterprise for the New Regional Order’ by Steven Weber.

Lewis Sage-Passant: I will double tap that, I had a chance to read a review copy of ‘Unruly’ and I would recommend it. I would also recommend ‘Political Risk: How Businesses and Organizations Can Anticipate Global Insecurity’ by Amy Zegart and Condoleezza Rice.