Industrial Espionage Intelligence

Industrial Espionage Intelligence The information revolution and the advances in technology during the past decades has brought to fore many challenges and issues to both governments and businesses, the age-old crime of espionage or the practice of spying to gather secret information is one the most potential issues facing information-based societies such as the United States, today. Although, much has been documented as fact and fiction concerning the traditional foreign agents and spies, in todays world of multi-national, multi-billion dollar corporations, and industrial espionage is a growing danger. Furthermore, this is aggravated by the fact that many large businesses are physically disseminated which has distributed management and administration, and more job specialization. High technology offers the ability to collect and use information for competitive edge over others in meeting business and government objectives, it also makes modern information and technology-based nations and businesses vulnerable as information can be stolen from electronic storage media and transmitted in seconds without even physically removing the data. The paper attempts to examine and understand the challenge of espionage to industries and businesses in America. However, in doing so, it shall also look at the historical development of espionage and examines how the advances in technology in the recent years have facilitated the act of espionage, and also the measures that may prove useful in controlling Industrial Espionage. As a prelude to the research, it may be worthwhile to understand how industrial espionage is defined, its nature and implications. Industrial Espionage Definition and Nature The Federal Bureau of Investigation defines industrial espionage as â€Å"an individual or private business entity sponsorship or coordination of intelligence activity conducted for the purpose of enhancing their advantage in the marketplace.† [Cited Boni and Kovacich, 2000; p. 48] While this definition may imply Industrial Espionage to be more or less the same as business or competitive intelligence, John F Quinn explains the essential difference between the two while business intelligence is generally under private sponsorship using an â€Å"open† methodology, espionage may be either government or privately sponsored and clandestine. [Cited Boni and Kovacich, 2000; p. 47] My definition of Industrial Espionage is it is the process of collecting information and data for the purpose of generating revenue. Generating revenue is very important aspect for these people. They are not thrill seeker, if the compensation does not justify the reward they will not bother attempting to collect the required information. Individuals who commit Industrial Espionage are not looking for information for information sake, but for information that will produce a big payday when acquired by a second party or when the information is viewed by unauthorized personnel the value of the information is no longer valuable. Money and power are motivators and the stakes in todays billion dollar business environment the rewards far exceeds risks. In the highly competitive and globalized business environment, proprietary intellectual property and economic information is considered the most valuable commodity by all nations, particularly the advanced ones. Businesses and/or governments involve in espionage activities for the purpose of unlawfully or clandestinely obtaining sensitive financial, trade or economic policy information, proprietary/sensitive economic information; or critical technologies including but not limited to data, plans, tools, mechanisms, compounds, designs, formulae, processes, procedures, programs, codes or commercial strategies, whether tangible or intangible, for competitive business advantage. The proprietary information so stolen may have been stored, compiled or memorialised physically, electronically, graphically, photographically or in writing and may be reasonably protected by the owner and not available to the general public. [Boni and Kovacich, 2000; p. 48] Proprietary information may be stolen by employees accessing the business and company databases, hackers breaking into the company server, or sponsored teams of burglars. While companies may lose vital business information through employees leaving the job, espionage occurs when the employee willfully looks for the data, steals it, copies it and sells it for money, or for his own unit, when he intends to produce a similar item. Espionage by competitors involve spying the activities of other businesses and unlawfully gathering of secret information, so that they can steer their businesses by adopting appropriate strategies and stay at par with, if not ahead of, competition in the marketplace. Interested outsiders and competitors adopt many methods including bribery, detective spying through shady agencies, searching through garbage, also referred to as ‘dumpster diving, scams to trick workers through ‘social engineering, or even expose loopholes and weak points in the live s of workers and blackmail them for gathering information. The theft or unlawful receipt of intellectual property and economic information, particularly by competitors and foreign governments threatens the development and production of goods derived from such information and also results in loss of profits, market share and perhaps the business itself and may thereby result in the weakening of the economic power of ones country. [Boni and Kovacich, 2000] In the present information-driven business environment, businesses tend to address the threat seriously, and in their quest to gain power, maintain control, increase market share and beat competition, nations and businesses espouse espionage, treating it casually and engaging themselves in espionage, using information and technology as armaments of business and economic warfare. [Jones, Kovacich and Luzwick, 2002] The Process The process of Industrial Espionage can be divided into four categories: requirements, collection, analysis, and evaluation. First, the requirements have to be established. This is when the individual is targeted and approached to provide specific information concerning a specific job or task within a company or organization. Most often a third party will inquire to protect the inquiring person, organization, or corporation from liability. Most companies focus their espionage efforts only on certain task or functions. The second phase allows the collector to focus their efforts. Collection is the key component of Industrial Espionage. This is the key element for payment and has the most risk involved. These individuals must evaluate the risk of obtaining the needed information or data with the value of the fee that they will be paid and the risks of being caught. The individual collecting/obtaining the information may use any of the following to obtain the required information/data: physical attacks, electronic attacks, or even attacks against the employees to gain the necessary information. If the rewards are so great (finically), they will go to whatever lengths necessary to obtain the information, even murder if necessary. If the request is for a working copy of a companys product the Collector might simply have to go out and by one, then send away for the technical information any customer is entitled to. While this might see strange use of a Collector, remember some of the companies collecting information exist in embargoed nations such as Cuba or Iraq where state of the art US product are not readily available. If the request is for the complete production data for a complex computer chip the job might entail illegal, and therefore more risky, methods such as bribery or burglary. Analysis follows. Now that a Collector has accumulated a mass of data and information they must take time to see what they have. This entails everything from reading the contents of documents, both physical and electronic, processing raw data, and in some cases looking at the flow of employees and information to see what might be happening and where it is occurring. Once the data has been analyzed the Collector refers to the original Requirement to see if he has meet his goals. This is the Evaluation phase. If the clients Requirements have been met the information is package, transmitted, and the Collector paid. Extra information collected is evaluated for value to the current of future clients and recorded for future transactions. In those cases where the Requirements have not been met, the Collector uses the information to return to the Collection Phase, thus beginning the process anew. Espionage A Brief History The technological advances and the global Internet have drastically reformed the art of espionage. The practice of espionage has transformed revolutionarily over the years, as any aspect of life and civilization, from the old manual and human intensive profession to the sophisticated, hi-tech pursuit of stealing electronic information in networked societies. Toffler and Heidi provide a Three Wave Evolution model to explain the technological evolution, as well as the evolution of espionage. [Toffler, 1980; Toffler Heidi, 1994] Accordingly, during the First Wave period, extending from the beginning of human race to about mid 1700s and characterized by the agricultural revolution, information was passed by word of mouth or in written correspondence. The theft of information was minimal as most of the people could not read or write and espionage was manual, relying mostly on personal observation and one-to-one contact. The Second Wave or the ‘rise of the industrialized civilization, which followed and last until a few years after World War II, experienced exponential growth in communications and the sharing of information, made possible by such inventions as telegraph, telephone and computers. The later years of this period saw the development and use of cryptography as communication protection and anti-espionage tool, though essentially by governments. While businesses had also begun to use computers, most of the systems were stand-alone and hence the threat of espionage was limited. Espionage was thou ght of primarily as a government and/or military problem and anti-espionage measures during the period essentially consisted of some form of physical security of physical documents and equipment, such as combination of locks, guards, alarms and fences. Emphasis was also placed on personnel security hiring honest and ethical employees in computer field was deemed to limit espionage threats. As only few people operated computers, the threat to electronically stored information was limited. [Toffler, 1980; Toffler and Heidi, 1994] The Third Wave or the age of technology and information, sweeping the world today has seen more advances in communication and information sharing, and paradoxically more threats, than the First and Second Wave periods combined. While the Internet and the globally linked communication systems serve as a mainstream business medium, objectionable reports on how high-tech criminals in businesses and government intelligence agencies of all advanced nations are exploiting the possibilities of the cyber world to meet their various ends, continue to be appal the world conscience. Today, a large number of organizational actors and individual information-brokers sponsored by government and otherwise, are using the Internet to commit the old crime of espionage in a revolutionary new way what Boni and Kovacich terms the ‘netspionage or network enabled espionage. According to them, in the present information-driven globalized society, the distinction between espionage motivated wholly by m ilitary advantage and the quest for market domination is blurred of not completely eliminated. The researchers claim that the 21st century, envisaged as ‘the â€Å"Information Age† or the â€Å"Age of Technology† to be may instead come to be known as the â€Å"Age of Netspionage Agent and Techno-Spy.† [Boni and Kovacich, 2000; p. 5] Before attempting to understand the occurrence of industrial espionage in America, it may be vital to understand the techniques used by the modern espionage Netspionage agents and techno-spies so that adequate and effective measures could be adopted to prevent the threat of espionage. Some of the common methods used by Netspionage agents include: Data Diddling changing data before or during entry into the computer Scavenging Obtaining information left around a computer system and in trash cans Data Leakage Removing information by smuggling it out as part of the printed document Piggybacking/ Impersonation Physical access to electronic data using anothers User ID and password to gain computer access and protected information. Simulation and Modelling Using the computer as a tool to plan and/or control a criminal act Wire Tapping Tapping into a computers communication links to be able to read the information being transmitted between systems and networks [Boni and Kovacich, 2000; p. 58] Apart from the above, the use of software application programs, which are standardized over the years enable the use of a variety of hacker tools including Trojan Horse enabling covert placement of instructions in the program for unauthorized functions; Trap Doors for inserting debugging aids that provide breaks in the instructions for insertion of additional code and intermediate output capabilities; Logic Bombsor programs executed at a specific time period; and the common Computer Virus which are malicious codes that cause damage to the system information. [Boni and Kovacich, 2000; p. 59] The Cyber Threat With the advent of the cyber age where information roams free along the electronic corridors of the Internet at the speed of light, another arena has been opened up to the Collector. The tools used are those developed by Hackers and Crackers over the years coupled with the good old social engineering of days past. The potential for gathering information is unlimited. The arena, of course, is the World Wide Web and the target sits on your disk as you view this HTML document. In 1997 it was estimated there were fewer than 1000 people that qualified as Professional Hackers. That is, people who are capable of creating tools or developing original methods for Hacking. [11] Therefore it is safe to assume there are very few Collectors who are true computer geniuses. Collectors are just individuals adept at turning existing tools toward collecting information. An excellent Hackers Toolkit (a software package which contains scripts, programs, or autonomous agents that exploit vulnerabilities [6]) can be downloaded from the internet with just a few hours of searching. Converting computer tools to information collection is relatively easy, because with computers everything is information and everything created for a computer collects and/or transmits information to one degree or another. Corporate web sites hold increasingly detailed information regarding a companys structure, products, employees, and the physical layout of its facilities. Some sites boast fly thr ough tours of their facilities, pictures and bios of their executive officers, telephone numbers, and of course email addresses of key employees. The sole purpose of these web sites is to transmit the information to anyone who asks. Web browsers collect this information and provide it to the requestor who can view and store the information, as they desire. This type of information is invaluable to individuals who choose to exploit it as a means to collect further information. With the wealth of information freely available in todays on-line environment Collectors can do much of their preliminary research without leaving the comfort of their own home or breaking a single law. Armed with the freely available information Collectors are now prepared use the net to gather even more information. With the bios and names of executives and key employees they can search the net for their favorite electronic haunts. Spoofing can then be used. Spoofing is defined as masquerade by assuming the appearance of a different entity in network communications. [6] Emails or ICQ addresses can be spoofed, sent with the Collector poising as an investor, potential customer, a reporter, or even a student researching the rising stars of the corporate world. After receiving replies, Email spoofing can be further used to appear as someone in authority within the corporation who can direct mailing of information, the establishment of computer access accounts, and even grant greater access for established accounts. All of these gives the collector access to just a little bit more of the corporation and its secrets, all with minimal exposure of the collector and sets the stage for furt her attacks. These can range from accessing an unsecured port for downloading files, to exploiting any one of a number of known security holes to gain root access to a system. A good example of the potential for Cyber Industrial Espionage comes from a New York Times report that claimed Reuters Analytics, Inc. hired a Collector to steal the underlying software and codes for their rivals, Bloomberg, L.P, data terminals. Though Reuters had a head start in the industry, Bloombergs product was considered superior. Yearly sales of these data terminals exceeds $6.5 Billion. [11] By mixing Mundane and Cyber techniques collectors can multiply the effects of their collection efforts. The routine of the office, gathered by watching, can enable the collector to plan physical break-ins of the building. While roaming the halls of the corporation they can steal trade secrets, clone drives of key employees, and even set in place login captures, all acts that could go totally undetected because it does no involve the removal of a single piece of property. Well planned daytime entries over lunch the lunch hour can allow the informed collector time clone disks, copy key files, or even send emails from key employees desks to set into motion chains of events to leak information or disrupt company performance. Collectors can make use of internal networks to transmit the documents outside the building to avoid security. Industrial Espionage in America The United States being the most dominant economic power in the world today is also a major target of espionage. In 1988, the FBI accused a former Amgen Inc. researcher of peddling secret documents concerning the wonder drug Epogen. In 1989, U.S. agents tracked down three moles working at an IBM affiliate in France after they supposedly botched a sale of confidential documents. [Cited Crock, 1997] The massive information technology infrastructure enables businesses and industries to tap proprietary and secret information of competitors to gain control of the global market place. Research suggests that the threat of espionage and the loss of proprietary/sensitive information have hit the manufacturing industries particularly hard. As the R D expenses for manufacturing companies are costly, some companies, foreign or domestic, are tempted to catch up even if through unlawful means. [Naef, 2003] Industrial espionage is rampant in the United States according to the FBI, of the 173 world nations, 57 were actively running operations targeting the U.S. companies; about 100 countries spent some portion of their funds targeting U.S. technologies. [Boni and Kovacich, 2000; p. 50] A survey conducted by PricewaterhouseCoopers and the American Society for Industrial Security revealed that Fortune 1000 companies lost more than $45 billion in 1999 due to theft of their proprietary information alone. The study finds that â€Å"although manufacturing reported only 96 incidents, the acknowledged losses of manufacturing companies accounted for the majority of losses reported in the survey, and averaged almost $50 million per incident.† [Cited Naef, 2003] While current and former employees, suppliers and customers are considered to be responsible for 70 to 80% of proprietary/sensitive information losses, an unidentified survey suggests that 21 percent of attempted or actual thefts of proprietary/sensitive information occurred in overseas locations. [Boni and Kovacich, 2000; p. 50] It is significant to note that the U.S is not only a target of espionage, but also actively indulge in espionage activities themselves. The US government has admitted using commercial espionage phone calls were illegally tapped to determine that a French competitor of a US firm was bribing Brazilian officials to obtain an air traffic control radar contract; it was later revealed that the US firm was also bribing officials. It is generally believed that large intelligence agencies of developed nations are involved in the practice of espionage. A commission of the European Parliament suspects that ECHELON, a communications espionage system operated by the U.S. National Security Agency and agencies of the United Kingdom, Germany, Canada, Australia and New Zealand, is used for political espionage and occasionally to help American companies against European competitors. [Vest, 1998] Economic Espionage Act of 1996 Economic and industrial espionage present many challenges to many American companies as rampant information breaches are costing companies substantial sums of money. While corporations and businesses often do not report espionage incidents to law enforcement, the Federal government today recognizes industrial and economic espionage as a crime; the Congress has legislated the Economic Espionage Act of 1996 in an attempt to aid companies to protect themselves from espionage. Section 19831 punishes the theft, misappropriation, wrongful alteration and delivery of trade secrets when accused parties intended to, or knew that their misconduct would benefit a foreign government, instrumentality or agent. The Act allows for legal action regarding â€Å"financial, business, scientific, engineering, technical and economic information,† if a company can demonstrate it has attempted to keep this information classified and protected. The prescribed maximum punishment for an individual offen der is 15 years imprisonment, $ 500,000 fine or both; for an organization the fine is $10 million. [Kelley, 1997] It is understood that many companies dont take advantage of the Act; companies safely exploit the law in full knowledge when news of the breach is known publicly. However, as Naef observes, if the trade secret theft is not publicly known, a company may have to meticulously assess the advantages and disadvantages of suing another company and thereby going public as news of the theft may damage the companys reputation. [Naef, 2003] Yet, cases of industrial and economic espionage have been reported since the enactment of the Act, though scantily. In September 2003 one man was pled guilty of copying trade secrets as defined under the Economic Espionage Act of 1996; the case was the first of its kind in Northern California. The US Attorneys office later publicized that Say Lye Ow, a 31 year old originally from Malaysia, copied sensitive information on Intels first 64-bit processor when he left the company in 1998. [Naef, 2003] Industrial Espionage and Corporate Vulnerability It is often the failure of corporations to adequately protect their information resources that makes them vulnerable to espionage. The vulnerability and the nonchalant attitude of companies are by no means excusable, given the economic implications of the threat of espionage as well as the weakening of the economic power of the subject nation. It may be worthwhile, perhaps vital, to understand the reasons for the vulnerability of corporations in order to prevent espionage and the resulting economic losses to businesses. Businesses make themselves vulnerable to espionage for a variety of reasons, including: Proprietary/sensitive business information not identified Proprietary information not adequately protected Computer and telecommunication systems not adequately protected Lack of or inadequate policies and procedures Employees not aware of their responsibilities Management attitude of â€Å" We dont have proprietary or sensitive information† and/or â€Å"It cant happen to us† [Boni and Kovacich, 2000; p. 50] These factors along with such other threats as increasing miscreants trying to steal information for money and the vulnerabilities of systems on the Internet facilitating information theft on a global scale present pervasive threat to information worth protecting as well as challenge managers, security personnel and law enforcement officials responsible for safety and security of information. Employees, a Threat or Defence Whether called Social Engineering, as in most Hacker manuals, or HUMINT (Human Intelligence), as the Department of Defense refers to it, your employees are targets of Collectors. People are a two-edged weapon in securing your corporate secrets being both the best protection, and the biggest risk. Proper training, education, and motivation can give people the tools and desire to keep your corporate secrets safe. Conversely, appealing to the vanity, greed, or vengeful nature of disenchanted or bored people has always been a tool of the traditional spy. Now these appeals can be made with protection of the electronic web. After gathering sufficient information on employees the Collector can choose his target. If the individual bites, a face to face meeting can be scheduled, if not the only thing that can be turned over the security is an email address or ICQ number, all easily disposed of with no trace to the Collector. Another method used to attack through your employees is to take the information gathered by Mundane and Cyber means and impersonate another individual or spoof them electronically. Calls are placed over the phone, or messages sent via email pretending to be someone with the authority to make decisions. A good choice would be one of those executive officers with the picture and bio on the corporate web page. Regardless of the role many bored or uncaring individuals will give out information to include IP addresses, system setup, and even passwords and userids over to phone when intimidated. Recruiting Insiders is another common practice among Collectors. Many publications on computer security identify the most common source of intentional disruption as authorized individuals performing unauthorized activity. [13] Again, much of the information on the individuals that you would like to recruit can be found in publicly accessible databases and web sites. From this, some casual research can yield those candidates who are most susceptible to bribes or extortion. Often after proper research the Collector can make his presence know to the Insider and have them make the first overtures. This allows the Collector to have some modicum of confidence the individual will no go running straight to corporate security. Insiders are the most valuable assets a Collector can have. They have the time and freedom to search peoples desks, read private memos, copy documents, and abuse coworker friendships. [3] The threat does not end when the Insider leaves the corporation either. In 1992 se veral General Motors employees were accused of taking over 10,000 documents and disks containing GM trade secrets when they defected to Volkswagen. GM sued and in 1997 received a payment of $100 million from Volkswagen. [11] Inserting Agents is one of the least risky forms of Industrial Espionage. The Collector handpicks the individual who they intend to insert. They provide the training, background story, and decide at which level to attempt to insert the individual. Once hired, even in a position of limited access, the individual becomes a trusted Insider for the Collector, able to provide increasing levels of access and perform some of the Mundane and Cyber attacks from within the corporation with minimum threat of being caught. Preventing Industrial Espionage While legal measures and legislations that send strong messages against espionage can be effective in preventing its occurrence, the role and responsibility of corporations is crucial. Even as companies take a non-serious approach to espionage, there is little debate that companies should guard themselves effectively against the ‘info-thieves, both insiders and those unleashed by outsiders, who try to get secrets by all possible means. Measures that may help companies to prevent espionage include: Conducting a survey of risk assessment, and identifying potential risk areas, Developing a security policy without much of safety risks. Frequently evaluating the security policy and procedures and modify if necessary Classifying and marking sensitive and valuable information Isolating information that should never fall into the hands of a competitor Detecting the vulnerable areas that could be exploited by a competitor Controlled storage of sensitive information Controlled destruction of materials Executing Nondisclosure Agreements for employees, vendors and contractors Securing computer systems and networks by installing appropriate information system security products Monitoring email and Internet use [Winkler, 1997; Boni and Kovacich, 2000] While the above methods may be useful in protecting against espionage, central to controlling the industrial espionage is security awareness and training of employees as one of the major points of vulnerability is spying activities by people belonging to the same organization. â€Å"Security awareness and training programs can serve to inform employees about their organizations information security policy, to sensitize them to risks and potential losses, and to train them in the use of security practices and technologies† [Denning, 1998, p.382]. By investing in security procedures and training, corporations may train employees in the areas of personnel, cyberspace and physical security; they can also be made aware of their responsibilities regarding information security of the organization. Conclusion The increasing value of trade secret information in the global and domestic marketplace and the possibilities of the information technology revolution have resulted in a significant rise in espionage activities in the recent years, particularly against the U.S. being the most dominant economic power in the world. While legislations may be useful in preventing the crime of industrial and economic espionage, the onus is largely on corporations to implement adequate security policies and measures to protect themselves from business losses as well as prevent the weakening of the economic power of their country. References 1. Boni W. Kovacich G.L. (2000) Netspionage: The Global Threat to Information MA: Butterworth- Heinemann 2. Crock, S. (1997) â€Å"Business Spies: The New Enemy Within?† Book Review: War By Other Means† Economic Espionage in America By John J. Fialka Business Week Available at: http://www.businessweek.com/1997/06/b351325.htm Accessed 02/26/06 3. Denning, D. E. (1998) Information Warfare and Security MA: Addison-Wesley 4. Jones A. Kovacich G.L. Luzvick P.G. (2002) Global Information Warfare: How Businesses, Governments and Others Achieve Objectives and At