Infocon Magazine Issue One,
Economic Espionage Interview with David Cid
Wanja Eric Naef
also Economic and Industrial Espionage: a Threat to Corporate America?
Cid is President of Salus International (http://www.salusinternational.com)
an Information Security and Crises Management Consultancy.
Prior to joining Salus, Mr. Cid served as a Terrorism and
Counterintelligence specialist for the FBI, with assignments
both domestically and abroad. From 1987 to 1990, he served
in the Intelligence Division of FBI headquarters, Washington,
DC, where he advised the CIA on security matters, having
oversight for Espionage Investigations nationwide.
Q: Economic and industrial espionage are very widespread
in the US, but hardly anyone is willing to admit it. Could you
give us a typical example of an espionage case?
Cid: Yes, I could. Please let us first make a distinction
between economic espionage and business intelligence. When
you speak of economic espionage in the sense of its definition
under United States Law it is actually a criminal activity.
That is the theft of intellectual property, (or) proprietary
information or research and development material. It is
a felony, which means it is a serious crime in the US.
There have been a number of very interesting economic espionage
cases that have been prosecuted under federal law. Some
states have also promulgated laws and regulations concerning
the protection of intellectual property. Economic espionage,
as it is defined in the law, is considered to be theft.
Intelligence or Competitive Intelligence on the other hand
is not illegal, although it poses a threat to the viability
and competitive abilities of a company. Business Intelligence is
the lawful collection of information to give one a competitive
advantage. So there is an important distinction to be made there.
There have been many cases of economic espionage. That is the
illegal acquisition of intellectual property and trade secrets.
One notable example is a company
called Recon Optical. They were based in Michigan and engaged in a joint venture
with the Israelis to develop a certain type of lens that was going to have
both a civilian and military application. Recon Optical alleges that the Israelis
got access to their lens grinding processes, used the information and began
producing that particular lens in Israel without their permission or without
any agreement as to sharing of revenue and so on. Recon Optical actually went
from having a significant market share in this particular area to near bankruptcy.
That was one example. There is another example in Denver a couple of years
ago where Chinese Intelligence officers or at least individuals affiliated
with the Chinese Intelligence Service attempted to steal sensitive software
from a company in Denver.
Q: What methods are usually used to collect illegal intelligence
about other companies, and is the threat usually originating from insiders
Cid: Let me
answer the second part of the question first. Most serious compromises
of information happen as a result of something
done by someone who has lawful access to the sensitive information.
So the answer is - it is the insider who is the greatest threat.
There are two scenarios where this can happen: the first is inadvertent
disclosure by someone who has the information, i.e. they don't understand what they are
doing, they don't recognise the sensitivity of it and they provide it to someone
they should not. The other one is the individual in a company who makes a conscious
decision to sell the information to a competitor or use it for their own purposes
in some way. In most cases weather you are talking about business, economic
or even traditional espionage, insiders are involved, as it is very difficult
to get access to the information if you do not have someone inside the organisation
or government agency.
There are quite a few techniques to collect information from outside the company.
For example, the pretext telephone call, which is a very common technique.
By that I mean representing yourself as someone other than who you are. For
example, calling a company that is making a particular type of electronic equipment
and wanting to know something about the distribution of equipment or how it
is designed. They will call and represent themselves not as competitor or as
business intelligence collector, but perhaps as a student pursuing research
on that particular type of electronic device and ask to speak to an engineer.
You get an engineer who is not sensitive to the possibility that it may be
an intelligence operation and they ask for help and most people wanting to
be helpful especially in the context of talking to a student will provide information
that could be awfully damaging to the company.
Other types of pretext calls involve doing a notional survey or calling representing
yourself as a supplier to the company you are targeting. For example, saying
that you are taking a survey for Mr. Jones who is responsible for supplying
the targeted company with paper boxes. Questions would be along the lines of: 'we
would like to know how many boxes were delivered per month, were they the quality
you need, if you have a shortage of boxes and how many will you need next month'.
Questions like this may give someone an idea of how many of a certain product
someone is producing that can lead to inferences about product distribution,
market share, customer base and so on. It may also identify initiatives in
opening new markets.
Another common technique is looking through rubbish. This may not involve trespassing,
if the trash is off property. In this case there is no violation of privacy
under United States law as anyone can go through your rubbish once it is off
your property. It is considered abandoned property. You can go through someone's
rubbish and look for documents, letters, relevant research papers and that
sort of thing. This is very common. Another common technique is simply to go
to places where employees of a particular company lunch and listen to the conversations:
People are insensitive to the possibility that someone might be listening and
talk about all sorts of things that are going on inside companies. Carry that
a step further; employing someone who is very good at what we call human source
development (getting people to talk). You might put a professional business
intelligence collector in a restaurant where people have lunch or in the bar
where they congregate after work to start up a conversation with someone and
ask them what they do in the context of a friendly chat over a drink. This
is called elicitation, getting people to say things that they probably should
not without realising the sensitivity of the information they are divulging.
Other techniques border on or are unlawful for example when you ask someone
to give you something which is clearly not appropriate as a conscious decision
has been made to steal something.
The elicitation process can go further to the point where you as the collector
of intelligence identify someone, who, say has money problems or has a drug
or alcohol problem and exploit that. You may offer them money for information
they have access to. That is clearly unlawful. That is where the Economic Espionage
Act (EEA) comes into play. So elicitation runs the entire spectrum from simply
phoning and representing yourself as someone else to recruiting someone within
the company to steal something for you and pay them for it. Of course there
is the insider who simply decides that he has access to all this information
and has money problems that the competitor will solve. He will just take it
to them and see if anybody is interested in buying it. So those are some of
the techniques that are used.
Now, in the business intelligence world all sorts of research is done on public
documents. Good business intelligence people can analyse at FCC filings, regulatory
stuff, published articles about the company, all the public source documents
the company must produce when they are on the stock market and features of
company leaders. And they take all this information and can draw inferences
about what the company might be doing. These are entirely lawful techniques.
But illegal techniques really involve theft and breach of trust and contractual
Q: Do you think the Economic Espionage Act (EEA) is a useful tool to fight
any sort of economic and industrial espionage or would you say that the law
needs to be improved in this area?
Cid: I think it is a useful tool, but it is a blunt instrument, as
any law is. A court of law is really not the place where you can draw careful
distinctions and nuances about human behaviour. So, when there is a breach
or violation or when the behaviour is clearly criminal, yes the economic espionage
act is a helpful response, but as a practical matter the most important thing
companies can do, which are presently relying on the Economic Espionage Act,
is to have a sensible information security program and to be aware of the tools
and techniques of business intelligence collectors and others, to include foreign
The first line of defence is really protection. Once you have to go to the
United States Attorney's Office and say someone stole this information from
us the damage has already been done. So the EEA provides a disincentive for
someone to do that, but it really does not help the company per se. The criminal
courts are the kinds of places where you are not made whole, you simply punish
the person who did something bad. On the civil side there is the possibility
of recovering damages and you may recoup monetarily, but again the process
of litigation takes forever, it is embarrassing to the company and it can cause
loss of faith of stockholders and other investors. So, there is really nothing
good about having a serious information compromise. The EEA is an important
facet of our society's response to this sort of thing, but it is really not
a solution and it is really not the best option available to a company. Once
you need to go to criminal trial you have already been seriously damaged.
Q: When do you think, if at all, a company should call law enforcement
for help in an espionage case and which law enforcement agency should they
Cid: This is a very complex question. The answer is not a simple one
and here is why:
A company may have lost information and there may be a violation of law. This
company can call a law enforcement organisation any time and say, 'I think
we have a problem' and someone will come and talk to the company. The organisation,
which investigates economic espionage in the United States, is the FBI. But
the decision whether someone calls is a little bit more complicated than that
due to all the unintended effects of publicising the fact that you have had
an information compromise. If this is a serious and damaging compromise to
the company and you are going to sue civilly, which means making it public,
then it really makes sense to proceed with supporting a criminal prosecution.
But a decision has to be made concerning the risk versus the reward. And by
that I simply mean this: By exposing an information compromise especially if
it is a serious one, there is the negative publicity effect, there is a loss
of shareholders' confidence, there is a loss of investment banking, a loss
of confidence in the company, the company may have problems recruiting top
end employees as people may see it as a damaged enterprise.
There are lots of other considerations that one has to weigh when trying to
decide whether or not to call law enforcement. Now, I think if you ask the
law enforcement organisations they will say, rightly so, that if you think
you have been a crime victim you need to call them. That is an appropriate
answer from a law enforcement organisation. But from the standpoint of a CEO
from a major corporation the answer is little bit more complicated than that.
What they have to do is to weigh the pros and cons of exposing their loss and
the damage they suffered and all of those other consequences, which might affect
the company's long-term viability.
Q: What advice would you give to companies in order to protect their intellectual
property from such attacks? Technology alone is certainly not the solution.
Might it be education?
Cid: Technology alone is not the answer. Here is why: Because the compromise
of information is a human issue. And because it is a human issue, no matter
how sophisticated the technology, it is not going to be the answer.
Typically what companies do is they become obsessed with controlling access
to their space, so they have card keys and guards. This kind of response is
an important part of company security for a variety of reasons (obviously you
don't want somebody to be able to just walk in off the street and start picking
documents from other people's desks). But this response is definitely not the
entire answer. The answer has several parts.
Firstly, the company has to have some sense who their competitors are and who
might have an interest in their particular type of intellectual property and
sensitive information. That is what is called a threat assessment.
Secondly, companies need to have information security policies and protocols
that are responsive to those threats. And when they do that, they need to look
at how they handle the information (the process piece) and who has access to
the information (the human piece). Sound information security practices and
processes lead to an educated workforce that understands why this is important
and what they need to do if they think someone is trying to access sensitive
Another important piece is ensuring that when you have intellectual property
you have done everything you need to do under law to establish this legally
as intellectual property, so if something does happen to it and you decide
to use civil or criminal remedies then you have a legal basis to do so. But
clearly the most cost effective and important piece of information protection
is making employees aware that there is a threat and the way in which it manifests
itself and the need to report things that are suspicious such as people talking
to you and asking you what you do in great detail or people calling in for
information. Those sorts of things you not only need to report to the security
department but also to the relevant department which has that particular business
function so that they can be aware of it.
And the last thing I would suggest companies do, if they have a business intelligence
operation themselves is make sure that their business intelligence shop and
the security shop are talking to one another, as this is the best place you
can go and find out what a competitor would be interested in. And I am not
suggesting companies having business intelligence shops are doing illegal activities.
What I am saying is people can do a lot of collection against your company
that can be very damaging and can be totally within the borders of the law.
People can talk out of school, people can say things they should not say and
you can give up a lot of sensitive information and no laws have been broken.
So, the important thing is that there is some sort of match between the security
department and the business intelligence people so that there is global understanding
of the threat. That will help you to design information protection features,
which are responsive to the specific threats. And that is a whole other conversation,
but those are the basic things to do.
Q: What is a bigger threat to corporate America? Economic espionage conducted
by foreign intelligence services or industrial espionage done by companies
or a combination of both?
Cid: This is really hard to measure so I won't be able to answer this
question. Let me give you some context. There are more intelligence officers
in the United States from foreign countries collecting information today than
there were at the end of the Cold War. At the end of the Cold War the political
and philosophical struggle was over and it then became an economic war if you
want to characterise as that. With that, these countries decided to direct
their intelligence services from strategic and tactical information (although
they still do that to a certain degree) to collecting economic information.
Many of these countries understand that they can never compete with us (the
USA) or the British, or the French, or the Germans or the other industrialised
nations. But they can steal information. If you want to get information effectively,
an intelligence service is the ideal collection tool since that is what an
intelligence service is designed to do. So, the threat from foreign intelligence
services is significant and it is kind of under the radar of many companies.
So, I would call it an equally significant threat to a company's information.
The business intelligence people are important and so are the foreign intelligence
IWS welcomes suggestions
regarding site content and usability. Please use our contact
form to submit your comments.
30 December, 2007
by Wanja Eric Naef
IWS Copyright © 2000 - 2008