IWS - The Information Warfare Site
News Watch Make a  donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled

Infocon Magazine Issue One, October 2003

Economic Espionage Interview with David Cid

Interviewer: Wanja Eric Naef

See also Economic and Industrial Espionage: a Threat to Corporate America?

David Cid is President of Salus International (http://www.salusinternational.com) an Information Security and Crises Management Consultancy. Prior to joining Salus, Mr. Cid served as a Terrorism and Counterintelligence specialist for the FBI, with assignments both domestically and abroad. From 1987 to 1990, he served in the Intelligence Division of FBI headquarters, Washington, DC, where he advised the CIA on security matters, having oversight for Espionage Investigations nationwide.

Q: Economic and industrial espionage are very widespread in the US, but hardly anyone is willing to admit it. Could you give us a typical example of an espionage case?

David Cid: Yes, I could. Please let us first make a distinction between economic espionage and business intelligence. When you speak of economic espionage in the sense of its definition under United States Law it is actually a criminal activity. That is the theft of intellectual property, (or) proprietary information or research and development material. It is a felony, which means it is a serious crime in the US. There have been a number of very interesting economic espionage cases that have been prosecuted under federal law. Some states have also promulgated laws and regulations concerning the protection of intellectual property. Economic espionage, as it is defined in the law, is considered to be theft.

Business Intelligence or Competitive Intelligence on the other hand is not illegal, although it poses a threat to the viability and competitive abilities of a company. Business Intelligence is the lawful collection of information to give one a competitive advantage. So there is an important distinction to be made there.

There have been many cases of economic espionage. That is the illegal acquisition of intellectual property and trade secrets. One notable example is a company called Recon Optical. They were based in Michigan and engaged in a joint venture with the Israelis to develop a certain type of lens that was going to have both a civilian and military application. Recon Optical alleges that the Israelis got access to their lens grinding processes, used the information and began producing that particular lens in Israel without their permission or without any agreement as to sharing of revenue and so on. Recon Optical actually went from having a significant market share in this particular area to near bankruptcy. That was one example. There is another example in Denver a couple of years ago where Chinese Intelligence officers or at least individuals affiliated with the Chinese Intelligence Service attempted to steal sensitive software from a company in Denver.  

Q: What methods are usually used to collect illegal intelligence about other companies, and is the threat usually originating from insiders or outsiders?

Cid: Let me answer the second part of the question first. Most serious compromises of information happen as a result of something done by someone who has lawful access to the sensitive information. So the answer is - it is the insider who is the greatest threat. 

There are two scenarios where this can happen: the first is inadvertent disclosure by someone who has the information, i.e. they don't understand what they are doing, they don't recognise the sensitivity of it and they provide it to someone they should not. The other one is the individual in a company who makes a conscious decision to sell the information to a competitor or use it for their own purposes in some way. In most cases weather you are talking about business, economic or even traditional espionage, insiders are involved, as it is very difficult to get access to the information if you do not have someone inside the organisation or government agency. 

There are quite a few techniques to collect information from outside the company. For example, the pretext telephone call, which is a very common technique. By that I mean representing yourself as someone other than who you are. For example, calling a company that is making a particular type of electronic equipment and wanting to know something about the distribution of equipment or how it is designed. They will call and represent themselves not as competitor or as business intelligence collector, but perhaps as a student pursuing research on that particular type of electronic device and ask to speak to an engineer. You get an engineer who is not sensitive to the possibility that it may be an intelligence operation and they ask for help and most people wanting to be helpful especially in the context of talking to a student will provide information that could be awfully damaging to the company. 

Other types of pretext calls involve doing a notional survey or calling representing yourself as a supplier to the company you are targeting. For example, saying that you are taking a survey for Mr. Jones who is responsible for supplying the targeted company with paper boxes. Questions would be along the lines of: 'we would like to know how many boxes were delivered per month, were they the quality you need, if you have a shortage of boxes and how many will you need next month'. Questions like this may give someone an idea of how many of a certain product someone is producing that can lead to inferences about product distribution, market share, customer base and so on. It may also identify initiatives in opening new markets.

Another common technique is looking through rubbish. This may not involve trespassing, if the trash is off property. In this case there is no violation of privacy under United States law as anyone can go through your rubbish once it is off your property. It is considered abandoned property. You can go through someone's rubbish and look for documents, letters, relevant research papers and that sort of thing. This is very common. Another common technique is simply to go to places where employees of a particular company lunch and listen to the conversations: People are insensitive to the possibility that someone might be listening and talk about all sorts of things that are going on inside companies. Carry that a step further; employing someone who is very good at what we call human source development (getting people to talk). You might put a professional business intelligence collector in a restaurant where people have lunch or in the bar where they congregate after work to start up a conversation with someone and ask them what they do in the context of a friendly chat over a drink. This is called elicitation, getting people to say things that they probably should not without realising the sensitivity of the information they are divulging. Other techniques border on or are unlawful for example when you ask someone to give you something which is clearly not appropriate as a conscious decision has been made to steal something.

The elicitation process can go further to the point where you as the collector of intelligence identify someone, who, say has money problems or has a drug or alcohol problem and exploit that. You may offer them money for information they have access to. That is clearly unlawful. That is where the Economic Espionage Act (EEA) comes into play. So elicitation runs the entire spectrum from simply phoning and representing yourself as someone else to recruiting someone within the company to steal something for you and pay them for it. Of course there is the insider who simply decides that he has access to all this information and has money problems that the competitor will solve. He will just take it to them and see if anybody is interested in buying it. So those are some of the techniques that are used. 

Now, in the business intelligence world all sorts of research is done on public documents. Good business intelligence people can analyse at FCC filings, regulatory stuff, published articles about the company, all the public source documents the company must produce when they are on the stock market and features of company leaders. And they take all this information and can draw inferences about what the company might be doing. These are entirely lawful techniques. But illegal techniques really involve theft and breach of trust and contractual responsibilities.

Q: Do you think the Economic Espionage Act (EEA) is a useful tool to fight any sort of economic and industrial espionage or would you say that the law needs to be improved in this area?

Cid: I think it is a useful tool, but it is a blunt instrument, as any law is. A court of law is really not the place where you can draw careful distinctions and nuances about human behaviour. So, when there is a breach or violation or when the behaviour is clearly criminal, yes the economic espionage act is a helpful response, but as a practical matter the most important thing companies can do, which are presently relying on the Economic Espionage Act, is to have a sensible information security program and to be aware of the tools and techniques of business intelligence collectors and others, to include foreign intelligence services.

The first line of defence is really protection. Once you have to go to the United States Attorney's Office and say someone stole this information from us the damage has already been done. So the EEA provides a disincentive for someone to do that, but it really does not help the company per se. The criminal courts are the kinds of places where you are not made whole, you simply punish the person who did something bad. On the civil side there is the possibility of recovering damages and you may recoup monetarily, but again the process of litigation takes forever, it is embarrassing to the company and it can cause loss of faith of stockholders and other investors. So, there is really nothing good about having a serious information compromise. The EEA is an important facet of our society's response to this sort of thing, but it is really not a solution and it is really not the best option available to a company. Once you need to go to criminal trial you have already been seriously damaged.

Q: When do you think, if at all, a company should call law enforcement for help in an espionage case and which law enforcement agency should they contact?

Cid: This is a very complex question. The answer is not a simple one and here is why: 

A company may have lost information and there may be a violation of law. This company can call a law enforcement organisation any time and say, 'I think we have a problem' and someone will come and talk to the company. The organisation, which investigates economic espionage in the United States, is the FBI. But the decision whether someone calls is a little bit more complicated than that due to all the unintended effects of publicising the fact that you have had an information compromise. If this is a serious and damaging compromise to the company and you are going to sue civilly, which means making it public, then it really makes sense to proceed with supporting a criminal prosecution.

But a decision has to be made concerning the risk versus the reward. And by that I simply mean this: By exposing an information compromise especially if it is a serious one, there is the negative publicity effect, there is a loss of shareholders' confidence, there is a loss of investment banking, a loss of confidence in the company, the company may have problems recruiting top end employees as people may see it as a damaged enterprise. 

There are lots of other considerations that one has to weigh when trying to decide whether or not to call law enforcement. Now, I think if you ask the law enforcement organisations they will say, rightly so, that if you think you have been a crime victim you need to call them. That is an appropriate answer from a law enforcement organisation. But from the standpoint of a CEO from a major corporation the answer is little bit more complicated than that. What they have to do is to weigh the pros and cons of exposing their loss and the damage they suffered and all of those other consequences, which might affect the company's long-term viability.

Q: What advice would you give to companies in order to protect their intellectual property from such attacks? Technology alone is certainly not the solution. Might it be education?

Cid: Technology alone is not the answer. Here is why: Because the compromise of information is a human issue. And because it is a human issue, no matter how sophisticated the technology, it is not going to be the answer. 

Typically what companies do is they become obsessed with controlling access to their space, so they have card keys and guards. This kind of response is an important part of company security for a variety of reasons (obviously you don't want somebody to be able to just walk in off the street and start picking documents from other people's desks). But this response is definitely not the entire answer. The answer has several parts.

Firstly, the company has to have some sense who their competitors are and who might have an interest in their particular type of intellectual property and sensitive information. That is what is called a threat assessment. 

Secondly, companies need to have information security policies and protocols that are responsive to those threats. And when they do that, they need to look at how they handle the information (the process piece) and who has access to the information (the human piece). Sound information security practices and processes lead to an educated workforce that understands why this is important and what they need to do if they think someone is trying to access sensitive information. 

Another important piece is ensuring that when you have intellectual property you have done everything you need to do under law to establish this legally as intellectual property, so if something does happen to it and you decide to use civil or criminal remedies then you have a legal basis to do so. But clearly the most cost effective and important piece of information protection is making employees aware that there is a threat and the way in which it manifests itself and the need to report things that are suspicious such as people talking to you and asking you what you do in great detail or people calling in for information. Those sorts of things you not only need to report to the security department but also to the relevant department which has that particular business function so that they can be aware of it.

And the last thing I would suggest companies do, if they have a business intelligence operation themselves is make sure that their business intelligence shop and the security shop are talking to one another, as this is the best place you can go and find out what a competitor would be interested in. And I am not suggesting companies having business intelligence shops are doing illegal activities. What I am saying is people can do a lot of collection against your company that can be very damaging and can be totally within the borders of the law. People can talk out of school, people can say things they should not say and you can give up a lot of sensitive information and no laws have been broken. So, the important thing is that there is some sort of match between the security department and the business intelligence people so that there is global understanding of the threat. That will help you to design information protection features, which are responsive to the specific threats. And that is a whole other conversation, but those are the basic things to do.

Q: What is a bigger threat to corporate America? Economic espionage conducted by foreign intelligence services or industrial espionage done by companies or a combination of both?

Cid: This is really hard to measure so I won't be able to answer this question. Let me give you some context. There are more intelligence officers in the United States from foreign countries collecting information today than there were at the end of the Cold War. At the end of the Cold War the political and philosophical struggle was over and it then became an economic war if you want to characterise as that. With that, these countries decided to direct their intelligence services from strategic and tactical information (although they still do that to a certain degree) to collecting economic information. Many of these countries understand that they can never compete with us (the USA) or the British, or the French, or the Germans or the other industrialised nations. But they can steal information. If you want to get information effectively, an intelligence service is the ideal collection tool since that is what an intelligence service is designed to do. So, the threat from foreign intelligence services is significant and it is kind of under the radar of many companies. So, I would call it an equally significant threat to a company's information. The business intelligence people are important and so are the foreign intelligence people.

IWS welcomes suggestions regarding site content and usability. Please use our contact form to submit your comments.

Last modified: 30 December, 2007 by Wanja Eric Naef

IWS Copyright 2000 - 2008