Espionage: Is Your Company The Target?

To anyone outside the manufacturing company Avery Dennison, the theft of research and development techniques used to make the adhesive found in diaper tags and double-sided tape wouldn’t classify as a state secret.

But the case study in corporate espionage underscores the importance of keeping proprietary knowledge, be it an IT company’s database or a tape company’s research, close to home and securing it, said Philip Moyer, president of Complex Systems Analysis Corp., at the Computer Security Institute (CSI) here this week.

For the companies that used the information illegally gained by Four Pillars Consulting, it meant a $10 million shortcut in R&D, leap-frogging years of experimentation to bring a product similar to Avery’s to market immediately.

It might not have the glamour of a James Bond movie, where 007 spies on any number of world-dominating wannabes and organizations, but what do adhesives have to do with IT companies? A lot, Moyer said, if you’re a company that has a better way to do business cheaper, or has a technology worth exploiting.

According to a joint CSI/Federal Bureau of Investigation (FBI) survey published earlier this year, theft of proprietary property amounted to more than $170 million in losses for U.S. companies in 2001. That figure is a conservative one, officials said, because only 44 percent of the companies who answered the survey would report a figure. CSI officials expect that number to be much, much higher.

The U.S. government maintains a National Critical Technologies List (NCTL), which points out the industries most sought after by foreign competitors. They range from energy conservation and nuclear energy companies to information systems (IS) and e-commerce companies.

“If you’re in an area competing against companies in other countries, they’re going to target you to help their company,” he said.

“They” range from competing companies to government intelligence agencies where the companies are found. According to Moyer, the biggest culprits for corporate espionage are some of the U.S.’s biggest allies: France, Japan, China, Israel, South Korea and Russia.

All actively collect information on U.S. companies using an apparatus honed to perfection during the Cold War. Now, in addition to national security information, these organizations are finding out what makes successful companies so successful.

While independent hackers are credited as the biggest reason for network breaches and information theft these days, the report shows 26 percent of those surveyed think foreign governments and corporations are likely sources of corporate attacks. It’s a figure that’s stayed relatively consistent over the past six years, ranging from 21 to 31 percent in CSI studies.

Moyer had some examples of corporate espionage. The South Korean government funded an “industry collaboration center” for electronics components in San Jose some years ago; it was a place U.S. and South Korean scientists could come together and talk about the latest technologies and techniques they were employing.

Soon enough, South Korea began outpacing the U.S. in certain industry niches, notably the ones discussed at the collaboration center. The Asian government plans to open up another such center in San Jose for the biotechnology industry.

Other examples abound. The French government, Moyer said, used to wiretap first-class seats on Air France aircraft, having the flight crew hand over the tapes of the conversations to intelligence agents when back on French soil. Foreign companies with offices in France are required to hire a certain percentage of French citizens. Ostensibly to get agents into the business, he said.

It’s forcing many companies in the U.S. to rethink their security strategy, from closing up holes in the network to making sure their employees aren’t taking the information to the highest bidder.

A senior IT manager for one of the Big Three automakers in Detroit, who asked not to be identified, said his company is spending more time and effort to forge a comprehensive security policy for its wide area network (WAN), which is now a hodge-podge of individual policies.

“There’s people (in our company) out there at remote locations putting together security in their own way, sometimes without telling us what they’re doing,” he said. “How do I know that that isn’t going to be how someone is able to get onto my network?”

Motivation for selling company information comes down to one essential element, Moyer said: greed. While conventional wisdom in past decades suggested ideology (i.e., for religious or national roots), he finds money is the common denominator in today’s corporate espionage.

“The vast majority of people spy on their company for money,” he said. “Contractors, for example, have unusually high access on corporate networks. Some sell the information because they feel slighted, because they don’t get the perks (salaried employees do).”

Disgruntled employees, however, are just as likely to sell proprietary information for profit, Moyer said. He said intelligence agents follow a structured process to find out who those potential informants might be, using a methodology that’s little different from what Russian and American agents used in year’s past:

* Spotting — finding out who has access to sensitive information.

* Assessment — finding out who has a motive to sell the information (personnel problems, high debt).

* Development.

* Recruiting.

According to CSI, incidences of disgruntled employees have dropped since 1998, from 87 to 75 percent, though separate results show 35 percent of IT security managers don’t know whether their systems were compromised from the inside or not.