The 21st Century is often referred to as the information age; the developing global marketplace has contributed to the entrance of new cultures and economies into the competitive global economy. Due to globally available infrastructure and the development of global telecommunication/computing capabilities, it has enabled individuals, companies and countries to compete globally on a level playing field with traditional Western powers even from some of the most remote parts of the world. Unfortunately this has also created conditions in which the threat of corporate espionage has been rapidly proliferating due to the ease threat actors can ply their trade both through physical and virtual actions against U.S. corporations.
It is becoming routine to hear about corporate/state-sponsored espionage cases in the media. Annual losses to corporate espionage are estimated to be at $300 billion annually, which would be comparable to all of the United States exports to Asia annually. Think about that for a moment – $300 billion annually…The terrorist attacks on 9/11 were estimated at a total of $62 billion in physical asset and insurance loss which pales in comparison to the annual espionage loss in the U.S.
According to the Brookings Institute: as much as 65+ percent of most companies value, sources of revenue, sustainability and growth lie in information assets, intellectual property (IP) and proprietary competitive advantages. It is important to acknowledge that in the 21st century the essential risk to corporations is the protection of these information based assets from the threat of corporate espionage.
Corporate or economic espionage simply stated is the unlawful theft/acquisition of intellectual property, such as key trade secret and patent information as well as industrial manufacturing techniques and processes, ideas and formulas. Or it could also include sequestration of proprietary or operational information, such as that on customer data, sales, pricing, research and development, policies, prospective bids, planning or marketing strategies, or the changing compositions and locations of production. Basically it could involve anything that gives your business an advantage in the marketplace and what makes your business successful.
Proprietary Information/Intellectual Property identification
What always amazes me is how unaware some corporations are of what sources of information are actually critical to their corporate success and economic viability and the importance of properly protecting that key information/IP. Generally speaking corporations are much better focusing on external threats and physical security then they are on internal threats and identifying/protecting information assets. The following key areas within corporations are important and are all under assault by corporate espionage threats and should be safeguarded:
- Trade Secrets/Patents– These should be legally protected. Whether they’re formulas, practices, process designs or inventions, these are the crown jewels and should have more than appropriate safeguards.
- Executives/Board Members– Sensitive discussions/knowledge/meetings on strategy, strategic vision, expansion plans, mergers/acquisitions and partnerships.
- Human Resources/Staffing– Hiring processes, salary and compensation of key employees and performance evaluations.
- Research/Development– Sensitive information on new designs, inventions, pending patents, research and key individuals with valuable knowledge.
- Manufacturing– Companies’ supply chain partners and components, special manufacturing methodologies, finished goods, raw materials and key processes.
- Sales and Marketing– Sales strategies, pricing plans, marketing plans/budgets, bid information, customer lists and information on reseller networks.
- Company Operations– Costs, margins, budget data, IT infrastructure and business continuity plans.
Corporate Espionage Threat Identification and Indicators
We have identified above key information/intellectual property areas within corporations that are of interest and routinely get targeted by corporate espionage threats. It is equally important for corporations to understand the likely threats to their business are and how they might try to conduct espionage against them. The following represent those threats:
- Insiders with Access– These frequently represent the insider-threat term we hear so often in the industry. But increasingly employees are leaving corporations and taking intellectual property and other key information with them illegally. Another area not often not accounted for is contractors/temp/H1B visa workers, here today but gone tomorrow potentially with your sensitive information. The fact is, according to a study from the Executive Corporate Board, 75 percent of departing employees are disgruntled with their employer. So they can be potentially ripe targets for competitors and foreign intelligence agents to capitalize on.
- Criminal Organizations– Global criminal organizations have learned this is a very profitable area for them with very little risk compared to their traditional modes of making money. They have one goal – making money by violating your intellectual property rights.
- Marketplace Competitors– There are two types of competitors; the first one will exploit any edge legally in the global business marketplace you provide them. The second will conduct illegal activities to gain that edge. Planting of employees, stealing of key information, paying a current employee of your organization for your information/IP are all acceptable actions to this actor.
- Foreign Intelligence Agencies/State Entities– These are the foreign intelligence agencies that are targeting U.S. corporations’ key information and IP. If it has economic value then they are in the game and there to provide that data to their business entities within their countries. Many countries including some allies of the U.S. routinely conduct corporate espionage within the United States. In the case of China for instance, the FBI estimates that there are 3,000 front companies operating in the U.S. all conducting intelligence collecting operations on behalf of China.
- Inadvertent Disclosure– This is when our own corporate employees make mistakes due to not being aware of the threats and say or do the wrong thing at the wrong time which provides key information to the corporate espionage threat. I am always amazed what I am able to see and hear in regards to sensitive corporate information at the hotel, airport or on a plane.
- So now that we have identified the “who” of the corporate espionage threat, it is now time to look at the “how” of conducting their operations or their Modus Operandi. It is my experience along with other industry colleagues that espionage collection activities rarely use just one method of collection in isolation to collect information from their target but rather using various methodologies to gather information into a concerted program of espionage. The following areas represent these channels:
- Agent Recruitment– Developing a trusted person inside a company who can provide proprietary/sensitive information. Intelligence Collectors use the acronym “MICE” (Money, Ideology, Coercion, Ego) as the way they are able to develop and recruit an agent. Playing to one or multiple areas of these are how most intelligence collectors will develop sources within an organization.
- Surveillance– Conducting physical and electronic surveillance on sources of information/IP. This threat is heightened when U.S. corporate employees are on international travel, there should be no expectation of privacy in foreign countries, especially when the telecommunication infrastructure is owned or operated by the nation-state.
- Technical Operations– This includes computer intrusions (spear-phishing etc.), telecommunications targeting, and planting of listening devices/malware.
- Foreign Students/Workers– Playing to their national loyalties and or pressuring them to conduct espionage by threating harm/difficulties for other family members back in their home country.
- Trade Conference Elicitation– Intelligence collectors/competitors/information brokers routinely target these events to develop information and individuals while they are in a fairly open environment.
- Corporate Merger/Acquisition– Several countries use these transactions to acquire sensitive technologies.
- Hiring Competitors’ Staff– Foreign companies and competitors will try to do this and learn your corporate secrets/advantages and make them their own.
- Social Engineering– This comes in many forms, such as unsolicited enquiries via personal contacts, telephone, email, fax and other forms of communication, in search of sensitive information. Also social media is often used as a tool by intelligence collectors to learn more about targets and develop approaches to gather sensitive information.
Counter Corporate Espionage Program
Mitigating the threat of corporate espionage can seem like a daunting task for corporations. From the viewpoint of the Chief Security Officer (CSO) having global operations, rapidly changing technology, a disparate workforce composition and limited financial resources to get the job done it can appear to be impossible. The hardest part of the battle is to get executive leadership to realize that this threat is actively working against them due to the clandestine nature of most threat actions. The key component of a successful counter espionage program is to have a holistic risk management program that addresses the following core areas:
- Personnel Security– Implement a comprehensive program that addresses pre-employment screening and solid employee termination/exiting procedures. Monitor your workforce for potential insider threats and manage accordingly.
- Legal Support– Protect your intellectual property legally and go after offenses vigorously.
- Education and Awareness– Educate your employees about the threat of corporate espionage on an ongoing basis. With a special emphasis of techniques and tactics used by intelligence collectors. Provide specialized and tailored training to key personnel and executives.
- Physical Security– Ensure your physical security program does the basics well. Confident access control is the goal.
- Intelligence– Keep on top of latest trends in corporate espionage, and understand your company’s operations and strategic goals. Develop good business/market intelligence as well as security intelligence and understand how it relates to your corporations strategic direction.
- Government Liaison and Industry Relations– Develop strong contacts with the FBI, the government agency tasked with criminally enforcing the Economic Espionage Act of 1996 (EEA). This is the federal law that addresses both state sponsored espionage as non-state sponsored espionage as well. The FBI has several partnering programs with private industry such as the Domestic Security Advisory Program (DSAC) and the Strategic Partnership Program. It is all very important to stay in tune with peers from the private sector charged with protecting corporate IP to discuss/share information on industry/threat trends.
- Information Security– All levels of IT and network security need to be covered.
- Converged Structure– In a perfect world both physical security and cybersecurity would report into the same management or be part of the same organization, this would drive threat information sharing and help to eliminate the silos that too often exist in U.S. corporations. This should be the goal the same social engineering attack on a lobby receptionist could be part of an IT network intrusion attempt in another part of the organization, but it is critical that both groups communicate to eliminate gaps that corporate espionage threat actors can exploit or remain undetected.