Industrial Espionage

The Federal Bureau of Investigation (FBI) defines industrial espionage as “an individual or private business entity sponsorship or coordination of intelligence activity conducted for the purpose of enhancing their advantage in the marketplace.” While this definition may imply Industrial Espionage to be more or less the same as business or competitive intelligence, but there is an essential difference between the two – while business intelligence is generally under private sponsorship using an “open” methodology, espionage may be either government or privately sponsored and clandestine.

Industrial Espionage is the process of collecting information and data for the purpose of generating revenue. Generating revenue is very important aspect for these people. They are not thrill seeker, if the compensation does not justify the reward they will not bother attempting to collect the required information. Individuals who commit Industrial Espionage are not looking for information for information sake, but for information that will produce a big payday when acquired by a second party or when the information is viewed by unauthorized personnel the value of the information is no longer valuable. Money and power are motivators and the stakes in today’s billion dollar business environment the rewards far exceeds risks.

In the highly competitive and globalized business environment, proprietary intellectual property and economic information is considered the most valuable commodity by all nations, particularly the advanced ones. Businesses and/or governments involve in espionage activities for the purpose of unlawfully or clandestinely obtaining sensitive financial, trade or economic policy information, proprietary/sensitive economic information; or critical technologies including but not limited to data, plans, tools, mechanisms, compounds, designs, formulae, processes, procedures, programs, codes or commercial strategies, whether tangible or intangible, for competitive business advantage. The proprietary information so stolen may have been stored, compiled or memorialized physically, electronically, graphically, photographically or in writing and may be reasonably protected by the owner and not available to the general public.

Proprietary information may be stolen by employees accessing the business and company databases, hackers breaking into the company server, or sponsored teams of burglars. While companies may lose vital business information through employees leaving the job, espionage occurs when the employee willfully looks for the data, steals it, copies it and sells it for money, or for his own unit, when he intends to produce a similar item. Espionage by competitors involve spying the activities of other businesses and unlawfully gathering of secret information, so that they can steer their businesses by adopting appropriate strategies and stay at par with, if not ahead of, competition in the marketplace. Interested outsiders and competitors adopt many methods including bribery, detective spying through shady agencies, searching through garbage, also referred to as ‘dumpster diving’ scams to trick workers through ‘social engineering‘, or even expose loopholes and weak points in the lives of workers and blackmail them for gathering information.

The theft or unlawful receipt of intellectual property and economic information, particularly by competitors and foreign governments threatens the development and production of goods derived from such information and also results in loss of profits, market share and perhaps the business itself and may thereby result in the weakening of the economic power of one’s country. In the present information-driven business environment, businesses tend to address the threat seriously, and in their quest to gain power, maintain control, increase market share and beat competition, nations and businesses espouse espionage, treating it casually and engaging themselves in espionage, using information and technology as armaments of business and economic warfare.

The Process of  Industrial Espionage

The process of Industrial Espionage can be divided into four categories: requirements, collection, analysis, and evaluation. First, the requirements have to be established. This is when the individual is targeted and approached to provide specific information concerning a specific job or task within a company or organization. Most often a third party will inquire to protect the inquiring person, organization, or corporation from liability. Most companies focus their espionage efforts only on certain task or functions. The second phase allows the collector to focus their efforts. Collection is the key component of Industrial Espionage. This is the key element for payment and has the most risk involved. These individuals must evaluate the risk of obtaining the needed information or data with the value of the fee that they will be paid and the risks of being caught. The individual collecting/obtaining the information may use any of the following to obtain the required information/data: physical attacks, electronic attacks, or even attacks against the employees to gain the necessary information. If the rewards are so great (finically), they will go to whatever lengths necessary to obtain the information, even murder if necessary. If the request is for a working copy of a company’s product the Collector might simply have to go out and by one, then send away for the technical information any customer is entitled to. While this might see strange use of a Collector, remember some of the companies collecting information exist in embargoed nations such as Cuba or Iraq where state of the art US product are not readily available. If the request is for the complete production data for a complex computer chip the job might entail illegal, and therefore more risky, methods such as bribery or burglary. Analysis follows. Now that a Collector has accumulated a mass of data and information they must take time to see what they have. This entails everything from reading the contents of documents, both physical and electronic, processing raw data, and in some cases looking at the flow of employees and information to see what might be happening and where it is occurring. Once the data has been analyzed the Collector refers to the original Requirement to see if he has meet his goals. This is the Evaluation phase. If the client’s Requirements have been met the information is package, transmitted, and the Collector paid. “Extra” information collected is evaluated for value to the current of future clients and recorded for future transactions. In those cases where the Requirements have not been met, the Collector uses the information to return to the Collection Phase, thus beginning the process anew.

Industrial Espionage and Corporate Vulnerability

It is often the failure of corporations to adequately protect their information resources that makes them vulnerable to espionage. The vulnerability and the nonchalant attitude of companies are by no means excusable, given the economic implications of the threat of espionage as well as the weakening of the economic power of the subject nation. It may be worthwhile, perhaps vital, to understand the reasons for the vulnerability of corporations in order to prevent espionage and the resulting economic losses to businesses. Businesses make themselves vulnerable to espionage for a variety of reasons, including:

• Proprietary/sensitive business information not identified

• Proprietary information not adequately protected

• Computer and telecommunication systems not adequately protected

• Lack of or inadequate policies and procedures

• Employees not aware of their responsibilities

• Management attitude of “ We don’t have proprietary or sensitive information” and/or “It can’t happen to us”

These factors along with such other threats as increasing miscreants trying to steal information for money and the vulnerabilities of systems on the Internet facilitating information theft on a global scale present pervasive threat to information worth protecting as well as challenge managers, security personnel and law enforcement officials responsible for safety and security of information.

Employees, a Threat or Defence

Your employees are targets of Collectors. People are a two-edged weapon in securing your corporate secrets being both the best protection, and the biggest risk. Proper training, education, and motivation can give people the tools and desire to keep your corporate secrets safe. Conversely, appealing to the vanity, greed, or vengeful nature of disenchanted or bored people has always been a tool of the traditional spy. Now these appeals can be made with protection of the electronic web. After gathering sufficient information on employees the Collector can choose his target. If the individual bites, a face to face meeting can be scheduled, if not the only thing that can be turned over the security is an email address all easily disposed of with no trace to the Collector.

Another method used to attack through your employees is to take the information gathered by Mundane and Cyber means and impersonate another individual or spoof them electronically. Calls are placed over the phone, or messages sent via email pretending to be someone with the authority to make decisions. A good choice would be one of those executive officers with the picture and bio on the corporate web page. Regardless of the role many bored or uncaring individuals will give out information to include IP addresses, system setup, and even passwords and user ids over to phone when intimidated.

Recruiting Insiders is another common practice among Collectors. Many publications on computer security identify the most common source of intentional disruption as authorized individuals performing unauthorized activity. Again, much of the information on the individuals that you would like to recruit can be found in publicly accessible databases and web sites. From this, some casual research can yield those candidates who are most susceptible to bribes or extortion. Often after proper research the Collector can make his presence know to the Insider and have them make the first overtures. This allows the Collector to have some modicum of confidence the individual will no go running straight to corporate security. Insiders are the most valuable assets a Collector can have. They have the time and freedom to search people’s desks, read private memos, copy documents, and abuse coworker friendships. The threat does not end when the Insider leaves the corporation either. In 1992 several General Motors employees were accused of taking over 10,000 documents and disks containing GM trade secrets when they “defected” to Volkswagen. GM sued and in 1997 received a payment of $100 million from Volkswagen.

Inserting Agents is one of the least risky forms of Industrial Espionage. The Collector handpicks the individual who they intend to insert. They provide the training, background story, and decide at which level to attempt to insert the individual. Once hired, even in a position of limited access, the individual becomes a trusted Insider for the Collector, able to provide increasing levels of access and perform some of the Mundane and Cyber attacks from within the corporation with minimum threat of being caught.

Preventing Industrial Espionage

While legal measures and legislation’s that send strong messages against espionage can be effective in preventing its occurrence, the role and responsibility of corporations is crucial. Even as companies take a non-serious approach to espionage, there is little debate that companies should guard themselves effectively against the ‘info-thieves’, both insiders and those unleashed by outsiders, who try to get secrets by all possible means. Measures that may help companies to prevent espionage include:

• Conducting a survey of risk assessment, and identifying potential risk areas,

• Developing a security policy without much of safety risks.

• Frequently evaluating the security policy and procedures and modify if necessary

• Classifying and marking sensitive and valuable information

• Isolating information that should never fall into the hands of a competitor

• Detecting the vulnerable areas that could be exploited by a competitor

• Controlled storage of sensitive information

• Controlled destruction of materials

• Executing Nondisclosure Agreements for employees, vendors and contractors

• Securing computer systems and networks by installing appropriate information system security products

• Monitoring email and Internet use

While the above methods may be useful in protecting against espionage, central to controlling the industrial espionage is security awareness and training of employees as one of the major points of vulnerability is spying activities by people belonging to the same organization. Security awareness and training programs can serve to inform employees about their organization’s information security policy, to sensitize them to risks and potential losses, and to train them in the use of security practices and technologies. By investing in security procedures and training, corporations may train employees in the areas of personnel, cyberspace and physical security; they can also be made aware of their responsibilities regarding information security of the organization.

References

• Boni W. & Kovacich G.L. (2000)  Netspionage: The Global Threat to Information  MA: Butterworth- Heinemann
• Crock, S. (1997) “Business Spies: The New Enemy Within?” Book Review: War By Other Means” Economic Espionage in America By John J. Fialka  Business Week  Available at: http://www.businessweek.com/1997/06/b351325.htm Accessed 02/26/06
• Winkler, I. (1997)  Corporate Espionage  CA: Prima Publishing