“Corporate America ought to be darned worried. If you are a major corporation with very sensitive technology, you have been targeted. Somebody is spying on you right now.” Todd Davis, FBI supervisor in Sacramento
There’s been a great deal of debate lately about spying – FISA and domestic spying issues, for example – and now the news that Blackwater is augmenting its army, navy and air force with its own CIA. While I’m routinely bemused by the conclusions we seem to reach (we’re about to approve a new Attorney General who doesn’t think waterboarding is torture, remember), I do welcome these kinds of discussions. The world of information and intelligence has been changing dramatically for years and our policy deliberations haven’t kept pace. It’s critical to think about what we know, how we know it, what we do with it, and the implications of not knowing it, because despite the fact that they’ve been awfully cavalier about the Constitution, our conservative friends are generally right in noting that there are bad guys in the world. In the end, the question really boils down to how can we best deal with the bogeys without becoming bad guys ourselves.
There’s one area that we aren’t talking about, though, and it’s a topic we ought to be very concerned with: corporate espionage.
In 1999, Fortune 1000 companies lost more than $45 billion from the theft of trade secrets, according to a survey by the American Society for Industrial Security and Price Waterhouse Coopers. Winn Schwartau and the SANS Institute estimate that the theft of trade secrets costs US companies between $100-200 billion per year. These estimates are 5-10 years old, and there’s no reason to believe that the toll has lessened. In fact, documented losses to foreign corporate espionage alone amount to billions upon billions of dollars, and it’s a safe bet that actual damage is in the trillions.
Let’s add a layer of pain to the numbers: in InfoWar, Schwartau also estimated that espionage had resulted in 3-8 million lost American jobs as of the mid-’90s.
Consider some examples:
Oracle chief Larry Ellison himself had ordered professional snoopers to pilfer the garbage of his archrival Microsoft boss Bill Gates. Procter & Gamble was caught doing the same to Unilever.
Software maker Avant lost almost 50% of its stock value in the spring of ’97, when its top executives were caught stealing trade secrets.
And the same decade witnessed the drama of the high profile corporate espionage case of GM’s Jose Arriortua. He had defected to Volkswagen with blueprints of a ‘super-efficient’ assembly plant that threatened to end the dominance of VW in the small car segment.
Closer home, Mahindra & Mahindra Chairman Anand Mahindra summarised the situation aptly when he said: “The assets of our company are not what we hold in our inventory today — but what we are going to hold in our inventory tomorrow.”
And some more:
- The chief technology officer at Business Engine Software Corp. in San Francisco, who pled guilty in July to downloading trade secrets, such as information on customers and products in development, from rival Niku Corp. in Redwood City, Calif.
- The information-technology director at Lightwave Microsystems in San Jose, who was indicted in May 2003 on charges of stealing the network equipment maker’s Manufacturing Execution Database and other secrets, stored on backup tapes. His alleged intent: sell the secrets to competitor JDS Uniphase. He pleaded not guilty.
- The chief technology officer of Speedera Networks, a Santa Clara, Calif., provider of Web hosting and content delivery services; according to a civil suit filed in California Superior Court in Santa Clara County, he allegedly broke into a database at Keynote Systems to steal performance data about Akamai Technologies, a Cambridge, Mass., competitor. Speedera denies any wrongdoing.
- The CEO of Orbit Communications, a satellite data reseller, who allegedly recruited technology security consultants to attack the Web sites of three of Orbit’s competitors, according to an FBI complaint. The CEO is a fugitive.
- The former network and information-technology manager at Manufacturers Electronic Sales Corp. (MESC), a sales representative in Santa Clara, Calif., for electronic component makers. The manager pleaded guilty in August to breaking into the company’s computer system from his new employer. He was charged with downloading a customer database, reading e-mail and deleting data, then destroying evidence of the break-in.
The SANS Institute notes some of the lucrative tidbits that corp spies are after:
A few of the information targets competitors seek out include the following:
- Marketing and new product plans
- Source code
- Corporate strategies
- Manufacturing, technological operations
- Target markets and prospect information
- Plant closures and development
- Usual business methods
- Product designs, research and costs
- Alliance and contract arrangements: delivery, pricing, terms
- Company Websites
- Customer and supplier information
- Merger and acquisition plans
- Financials, revenues, P&L, R&D budgets
- Marketing, advertising and packaging expenditures
- Pricing issues, strategies, lists
- Staffing, operations, org charts, wage/salary
It’s impossible to pin down the exact damage because no company wants to admit that it was a victim of trade secret theft. Companies don’t usually notify the authorities, because they don’t want their shareholders to know and are frightened that admitting to a security breach will cause their stock prices to plummet or a major deal or negotiation to fall through. Banks are notorious for not reporting computer or network security breaches because they don’t want the federal government nosing around their systems or questioning their policies and practices. And small businesses don’t report incidents of corporate espionage for fear that their trade partners won’t do business with them if they find out that their systems aren’t secure.
Most companies have compliance programs designed to protect them from employee malfeasance and corporate espionage, of course, but still they remain exposed. Potential leverage points are rampant, including:
- disloyal employees and vengeful former employees looking to settle scores or simply cash in
- unsecured wireless networks
- failure to account for lost and stolen hardware (laptop theft, etc.)
- lack of executive will and/or expertise
- lack of official (governmental, regulatory) support
- lack of counter-intrusion capabilities
- inability to effectively leverage information resources within the company
- inability to effectively manage external information resources
Too many compliance programs, however, depend heavily on the honor system and are rarely backed by meaningful verification/enforcement mechanisms. And as Business Week notes, when companies do take more active measures, they lack sufficient sophistication.
According to Freedonia Group, a market research firm in Cleveland, corporations spent $95 billion on corporate security in 2005 alone, but most of that money was spent on surveillance efforts, such as installing closed-circuit cameras and hiring guards to patrol the premises. They’re failing to protect themselves from more sophisticated forms of espionage.
For instance, what about the high-tech demands of securing sensitive private meetings?
Laser listening devices are among the most “sophisticated forms of offsite eavesdropping,” McCann says. When the Laser-3000 is aimed at a target’s window, the device lets the user listen to everything being said in that room. The laser picks up on vibrations in the window’s glass made by voices in the room and then decodes that information and sends it back to the device.
Schwartau explains that the US government is well aware of the problem, but the CIA and FBI lack both the resources and the legal mandate to protect American economic interests. As the San Francisco Chronicle reports, there’s an increasing number of “anti-hacking” units in US Attorney offices around the country, but we’re still a long way from being as secure as we need to be.
With friends like these…
Many Americans will probably be stunned to learn that not only are foreign companies spying on American firms, but that they’re doing it with the blessings and assistance of their governments.
Earlier this year, a report to the European Parliament asserted that American and European companies routinely engage in corporate espionage. And many foreign corporations regularly receive help from intelligence-gathering networks in their own governments, which use the latest in information-monitoring technology to keep tabs on threats to the state.
Stop here and think about it. What would be the reaction if it were revealed that the CIA were running espionage against foreign-based competitors to American corporations, especially if those companies were strategic allies?
We’d be outraged, I imagine, but “[t]he FBI has a list of about 20 countries that actively spy on U.S. companies, according to corporate security consultant John Case, who does not want to name any countries.” No problem there – Schwartau and others are happy to name names, and when they point out the culprits what do we do with the knowledge that our companies have been victimized by the likes of Japan, Israel, England, South Korea, France and Germany?
An increase in unemployed intelligence officers since the Cold War ended and the proliferation of advanced technology have made corporate spying much easier. Dr. Robert Ing, author of Improvised Technology in Counter-Intelligence Applications, says that “instead of missile launch codes, the new targets of choice are technological and scientific data concerning flat-panel TV, electric cars, new computers, competitive strategies and innovative manufacturing/distributing processes.”
Yes, you read that correctly. Many of today’s corporate spies are former Cold War spooks. Since the end of the Cold War, a number of countries have transformed spy operations into corporate espionage units and the increase in unemployed intelligence officers has made corporate spying much easier.
What are the options?
So, to review:
- companies are getting their clocks cleaned by dirty tricks
- significant damage is being done
- the government is limited in its ability to protect them
- the culprits are often working hand-in-hand with massive governmental spook assets
Under these circumstances, it’s not hard to imagine how leadership might arrive at a decision to fight fire with fire. And with so much riding on the business – including the well-being of hard-working and wholly innocent employees and the families that depend on them – it’s not hard to sympathize with the decision to take matters into their own hands.
But why, in a nation with America’s resources, should it come to this? Why should a business executive ever be pushed to the point where “cheat or die” looks remotely viable?
Maybe the answer is a significant counter-intrusion program. Maybe the answer is a new and well-funded Dept. of Commerce “competitive intelligence” operation. We can have the ethical argument if you like, but when push comes to shove our policies should encourage fair competition and penalize dirty tricks, not the other way around.
Richard Nixon was a scoundrel, but he wasn’t an idiot. He was no doubt aware of the Japanese adage that “business is war” when he predicted over 20 years ago that the next great global conflict would be economic in nature.
Maybe it’s time the US realized that this war is well under way and began formulating a policy for winning it. We owe it to our entrepreneurs. We owe it to our workers. We owe it to their families and communities. So what’s the hold-up?