Infocon Magazine Issue One, October 2003
Economic and Industrial Espionage: a Threat to Corporate America?
Wanja Eric Naef
Economic espionage is not a rare occurrence, even if it happens behind closed doors. The media features plenty of stories on hackers defacing web pages or disrupting services, but there is scant coverage of economic or industrial espionage cases. Though perhaps less sensational, these threats may be more dangerous for your company.
Billions of dollars and thousands of jobs are lost due to theft of trade secrets. Corporate America needs to acknowledge the reality of this risk and develop more efficient countermeasures to safeguard survival in a competitive market.
It is easy to seek comfort
in the hope that this problem won’t affect your company. Unfortunately
reality looks different. Companies need to develop proactive measures to
protect their trade secrets. There are reasonably specific, inexpensive,
and intuitive steps that can be taken to address these problems.
Economic and Industrial Espionage: a Threat to Corporate America?
by Wanja Eric Naef
Economic and Industrial Espionage present a series of challenges to many American companies. Take the example of Intel. Just in September one man pled guilty to copying trade secrets as defined under the Economic Espionage Act of 1996--the first case of its kind in Northern California. The US Attorney’s office there revealed that a certain Say Lye Ow, a 31 year old originally from Malaysia, copied sensitive information on Intel’s first 64-bit processor when he left the company in 1998.
In some ways Intel was fortunate. The information, key to the operation of what Intel calls “the engine inside the Internet economy,” was reportedly never sold to any of Intel’s competitors. They succeeded to address the breach before the consequences grew beyond their control. Other companies were not quite so lucky.
A survey conducted by PricewaterhouseCoopers and the American Society for Industrial Security (ASIS) revealed Fortune 1000 companies lost more than $45 billion in 1999 due to theft of their proprietary information alone. These losses, the survey contends, hit the manufacturing industries particularly hard. Since the R & D expenses for manufacturing companies are costly, some companies, foreign or domestic, are tempted to catch up unfairly. The study finds that “although manufacturing reported only 96 incidents, the acknowledged losses of manufacturing companies accounted for the majority of losses reported in the survey, and averaged almost $50 million per incident.”
What is perhaps more alarming than these statistics is the cumbersome response of companies. The report concludes “The majority of companies responding to the survey have not effectively met the challenge of providing a framework in which to safeguard proprietary information.” They are failing to address the threat.
At the end of the Cold War several intelligence agencies needed to develop a new raison d’être. These agencies often turned their skills toward economic espionage. Dismantled intelligence agencies in Eastern Europe left many skilled agents who were available to offer their services to interested parties in the private sector. Experts even believe some of the governments of America’s closest allies actively spy on companies to gain a competitive advantage.
The alert company must
guard against threats from a variety of “info thieves.” Foreign
Intelligence Services (FIS), “mercenary” intelligence agents,
and even foreign and domestic corporations all seek to exploit unprepared
companies. Not all organizations play by the rules. Many companies will use
a variety of methods, some legal, some gray, and some clearly in violation
of the law, to obtain trade secrets. Some businesses have whole departments
devoted to this end, called “business or competitive intelligence units.” These
units may resort to a range of collecting information so varied as to include
bribery, searching through garbage (“dumpster diving”) to scams
to trick unsuspecting workers (“social engineering”). For example,
as is well known, a large proportion of Japanese companies have well-established
units for this purpose, though American companies tend not to have these
offices. For both defensive and legitimate information gathering purposes,
there may be clear advantages to closing this gap. As Bernard Esambert, a
President of the Pasteur Institute, once said “Today’s economic
competition is global. The conquest of markets and technologies has replaced
former territorial and colonial conquests. We are living in a state of world
economic war and this is not just a military metaphor... the companies are
training the armies and the unemployed are the casualties.'
How can your company protect against these threats?
Here are some simple steps to help prevent information leakage.
Companies must first gauge
what information is sensitive and classify it as such. Though some information
such as technological innovations or new market strategies may be easily
identified as “sensitive,” other information, such as customer
complaint data, may be as valuable if it falls into the hands of a rival.
Secondly, a company should conduct a risk assessment to determine the vulnerability of unwanted transmissions of information and the likelihood rivals will seek to exploit those vulnerabilities.
Thirdly a security policy addressing those specific concerns should be developed. Next measures, technological and procedural, should be implemented in accordance with the security policy. Staff must be more clearly informed on what information must be carefully guarded, and the means by which rivals will attempt to garner that information. In the event of a suspected leakage or suspected attempt to solicit sensitive information, a clear line of contact should be in place to better ensure a corporation can cope with the problem, rather than having it lost, unreported, in a bureaucratic quagmire.
Finally, this security policy should regularly be evaluated and modified to reflect changes in competitors and information.
Congress has attempted to aid companies to protect themselves with the Economic Espionage Act of 1996. The Act permits legal action regarding “financial, business, scientific, engineering, technical and economic information,” if a company can demonstrate it has attempted to keep this information classified and protected. But many companies don’t take advantage of the Act, except as a last resort. When news of the breach is known publicly, a company can safely exploit the law in full knowledge that whatever negative conclusions regarding the company’s reliability are already drawn. However, if the trade secret theft is not publicly known, a company has to closely evaluate the advantages and disadvantages of suing another company (and thereby going public) as news of the theft may damage the company’s reputation.
Security Precautions are a Business Enabler
Information breaches are taking place and are costing companies substantial sums of money. Companies, regardless of their sizes, must address these issues. These risks are only enhanced by the looming recession. Not only are companies more tempted to cheat, but potential victims are less willing to fund counter measures. “User education” is often quick to be abolished. This is a risky move, as security is as strong as its weakest link. Therefore, security precautions should be seen not as a dispensable budget expense. Rather it must be regarded as a business enabler.
‘The Awareness of National Security Issues and Response (ANSIR) Program is the FBI's National Security Awareness Program. It is the "public voice" of the FBI for espionage, counterintelligence, counterterrorism, economic espionage, cyber and physical infrastructure protection and all national security issues. See http://www.fbi.gov/hq/nsd/ansir/ansir.htm
Employees' Guide to Security Responsibility. A brilliant resource with lots of information dedicated to education of users. http://www.smdc.army.mil/SecurityGuide/Home.htm
Trends in Proprietary Information Loss 1999. PricewaterhouseCoopers & American Society for Industrial Security (ASIS) Survey. http://www.asisonline.org/spi.pdf
IWS welcomes suggestions
regarding site content and usability. Please use our contact
form to submit your comments.
Last modified: 30 December, 2007 by Wanja Eric Naef
IWS Copyright © 2000 - 2008