Corporate espionage and what can be done to prevent it
Ben Rothke, CISSP
Espionage is the collection, collation, and analysis of illicitly gained information. In the
case of industrial espionage, the most common objectives are to determine competitors'
activities with regard to new products, formulations, research areas of interest, production
methodology, production quantities, promotional programs, distribution, and economics.
Corporate espionage is also used to examine products or ingredients for perceived or
actual risks, to time markets, or to establish pricing. All too commonly, companies find
themselves the targets of such activities without the knowledge or methodology to
effectively counter them.
As we move towards an information-driven society where information is traded and
brokered, knowledge has become more powerful than ever. Knowledge theft is
becoming an increasingly important and influential crime, and one that has become
increasingly difficult to combat.
The business world has become more vulnerable than ever before to corporate espionage
as we move information systems from paper-based to on-line. Now that many companies
are moving their corporate information to the web, they need to realize that most
computer systems were never intended to be secure, and that should give a cause for
The landmark National Debt Clock was recently shut down in New York City due to the
fact the debt is now decreasing. But if there were some type of device to measure the
losses due to corporate and industrial espionage, it would be an enormous calculation.
And it would be increasing at a dramatic rate.
Did you ever wonder why the Russian supersonic airplane, the TU-144, looks
dramatically similar to the European-built Concorde? Coincidence, twist of fate? No
way. The Soviet-built look-alike, which was nicknamed Konkordski, was built during the
Cold War when the Russians, Americans & Europeans were in a fierce battle for profit
and honor to build the first supersonic aircraft. What was unique about this battle was
that it was fought not only in the skies by the world’s top aircraft designers, but also on
the ground, by secret agents of Communist Russia. The Konkordski is one of the classic
examples of industrial espionage.
The pilfering of the Concorde’s designs was a top priority for the Kremlin and KGB.
While the Russians were able to succeed somewhat (the TU-144 flew before the
Concorde, but never made it into mass production), their espionage required a large
network of spies located in many different countries. Such requirements necessitate huge
budgets, logistics and personnel. Too bad for the Russians that the Internet wasn’t
around then; it could have saved them immense effort. But while the end of the Cold
War put many spies out of work, they are now finding new jobs in the area of corporate
Some of the effects of compromised corporate information include:
Loss of market share
Loss of profits
Loss of business
Weakened balance of trade
Ira Winkler, a former analyst with the National Security Agency and author of Corporate
Espionage: What It Is, Why It Is Happening in Your Company, What You Must Do About
It, asserts that American companies lose billions of dollars each year due to corporate
espionage. What is ironic is that many of these losses are preventable.
Corporate espionage is known to a certain degree as competitive intelligence. While
competitive intelligence is a legitimate and strategic business tool, when taken too far, it
becomes corporate espionage. The problems of unlawful corporate espionage were so
severe that they led to the passage of the Economic Espionage Act (EEA) of 1996.
The EEA is one of the most significant pieces of criminal intellectual property legislation in
history. The act was designed to combat the theft of American intellectual property by
foreign governments and foreign companies. The EEA makes industrial espionage a
criminal offense as opposed to a civil crime (which is how it was dealt with prior to
the EEA). Prior to the EEA, if an act of corporate espionage had occurred, recourse for
such wrong was generally limited to instituting a civil action against the party
misappropriating the trade secrets, and perhaps involving state authorities through an
unfair trade practice statute. Protection of trade secrets through federal criminal
prosecution was exceedingly unlikely.
Specifically, the EEA:
• Makes it a federal criminal act for any person to convert a trade secret for their
own benefit, or the benefit of others, intending or knowing that the offense will
injure the owner of the trade secret.
• Makes it a federal criminal offense to receive, buy or possess the trade secret
information of another person knowing the same to have been stolen,
appropriated, obtained or converted without the trade secret owner's authorization.
• Defines the term trade secrets to mean all forms and types of financial, business,
scientific, technical, economic, or engineering information, including patterns,
program devices, formulas, designs, prototypes, methods, techniques, processes,
procedures, programs or codes, whether tangible or intangible, and whether or how
stored, compiled, or memorialized physically, electronically, graphically,
photographically, or in writing; and a federal offense has been committed if the
owner thereof has taken reasonable measures to keep such information secret and
the information derives independent economic value, actual or potential, from not
being generally known to, and not being readily ascertainable through proper
means to the public.
• Imposes up to a 10 year prison term and/or maximum fines up to $250,000.00 on
any person and $5 million fine on any organization.
• Requires the forfeiture to the US government of proceeds or property derived
from economic espionage and may require forfeiture of property used to commit
The media often intertwine the following terms: competitive intelligence, business intelligence, industrial
espionage, information warfare.
A prime factor in the creation of the EEA was the reaction to the conflict between
General Motors and Volkswagen. The case involved the alleged theft of intellectual
property, including numerous designs and trade secrets by Jose Lopez, a former General
Motors executive. Volkswagen lured away Lopez, along with his voluminous stockpile
of intellectual property, in an effort to learn more about GM’s design plans for new
products and existing technology. GM sought to take action against Volkswagen in the
United States, but found its remedies limited. Criminal action was basically foreclosed
by the absence of criminal trade secrets legislation. GM was left fighting a protracted
civil action with VW in the U.S., while Lopez spirited GM’s secrets to Europe. Only in
late 1996 did the German government take criminal action against Lopez and others.
Competitive Intelligence Methods
There are numerous legal methods of competitive intelligence, such as the review of
public information. But once eavesdropping and dumpster diving are carried out, such
activities generally cross the line into illegal activities.
As an example, the National Counterintelligence Center (http://www.nacic.gov) offers
the following suggestions to assist companies in safeguarding their corporate
1. Obtain support for information security from senior management.
2. Don’t waste resources protecting that which does not require protection.
3. Identify which information should be protected and for how long.
4. If extremely sensitive, material should be hand-carried or transmitted using
5. To dispose of sensitive material, shred or make it unreadable.
6. Valuable company information must not be left unattended in hotel rooms.
This includes printed copies and removable media.
7. E-mail and voicemail passwords must be protected and changed frequently.
8. All sensitive materials must be removed from conference rooms and
chalkboards and whiteboards erased after meetings.
9. Where possible, conduct background investigations on all individuals with
access to sensitive information.
10. Obtain nondisclosure agreements from employees, vendors and others with
access to proprietary information.
11. The disgruntled employee is the greatest threat to your organization.
12. Telephone conversations, both fixed and mobile, are vulnerable to intercept.
13. Information regarding the movement of your company aircraft, including
routes and destinations, is available for sale on the Internet.
14. Be knowledgeable of your organization's physical assets, information assets,
In addition, some additional steps to prevent information release include:
• Physical security. While some companies obsess over using 4028-bit encryption keys,
they neglect to lock the doors to the data center. Passwords alone won’t keep
determined infiltrators from stealing.
• Shred all paper documents before trashing them.
• Don’t discuss company secrets in unsecured environments.
• Don’t assume your consultants and temps are necessarily working on your behalf.
A little well-placed paranoia could save your company from financial calamity and
Competitive intelligence and the new economy
Intelligence and surveillance have in the past required significant resources. In the last
10 years, intelligence and surveillance have gone mainstream and have migrated into a
discipline known as competitive intelligence. Competitive intelligence is the act of
gathering information about competitors’ activities.
Competitive intelligence has become vital in the Internet age since the nature of the new
Internet-based economy often lowers barriers and entrance times. This new paradigm,
combined with systems being rolled out in Internet time, means that companies must
react to their competitors and business partners in record time.
In the rush to get on the Information Superhighway, many companies have entered, often
blind to the myriad security risks involved. This has resulted in organizations spending
money on physical security, while not properly budgeting for information systems
Tom Jones, General Manager of Cookeville, Tennessee-based Research Electronics
International (www.research-electronics.com), notes that people are using the Internet to
see what is going on at their competition. Jones notes that there are many, many ways to
gain information on a company's activities. These methods may range from digging
through trash, to compromising the competition's employees, to actually planting bugs.
And this barely scratches the surface on how to gain competitive information.
The double-edged sword Jones notes is that if revenues are down and budgets have to be
cut, security often is the first to get the axe. The problem is that there may be active
espionage occurring, and when security is the first to get cut, the rest of the organization
becomes even more vulnerable. Jones notes that from his experience, money must be
spent on security, irrespective of the economy.
“I believe in many environments it’s almost impossible to catch somebody who is good
enough,” states Richard Power, editorial director for the Computer Security Institute
<www.gocsi.com> and author of Tangled Web: Tales of Digital Crime from the Shadows
of Cyberspace (Que Publishing 2000, ISBN: 078972443X). Power comments that “One
of the great blunders in the defense of cyberspace is that the threat is juvenile hackers.
They end up in the headlines because they get caught. But professionals most often don’t
Preventing information release
One of the first steps in attempting to protect data is information management. The basic
idea behind information management is that the degree to which data has value to an
organization is also its comparative value to the competition. As an organization’s
intellectual property moves from the filing cabinet to the network, it becomes much harder
to manage using traditional protection methods.
The first recommendation to prevent information release is that every company, no
matter how small, needs to have a structured business intelligence effort. Part of this
business intelligence effort is a comprehensive risk analysis & assessment. Without a
complete risk analysis, security endeavors will exist in a vacuum. An effective risk
assessment and analysis ensures that organizations are worrying about the right things.
A risk assessment should define items into categories of threats, vulnerabilities and risks.
At a high level, they can be broken out as:
• What are they?
• Who are they?
• What techniques do they make use of?
• How sensitive is your information?
• How valuable is that information?
• How well is your infrastructure currently protected?
• Is the protection adequate?
• If it is not adequate, how do you plan on rectifying it?
Taking the aspect of a risk analysis further, in Economic Espionage: An Information
, Dr. Myron Cramer details five approaches to preventing
Defensive - A heavily defensive posture is characterized by an emphasis on
information protection including significant access-control and limited external
system interconnections. This posture might be appropriate for a dominant market
leader or an organization that benefits from the status quo. This strategy will have
advantages in an environment containing emerging adversaries who are pursuing
strategies to attack the leader or to change the current situation.
Offensive - The offensive posture is characterized by an emphasis on information
denial including attacks on the market leader. This posture might be taken by
organizations that are dissatisfied by their current standing and who may be desperate
to take down their stronger adversaries.
Quantity - The quantity posture is characterized by an emphasis on supreme
information transport capability. An organization adopting this posture places its
confidence in its ability to move and use massive amounts of information over large
well-established infrastructure. It depends upon the sheer volume and timeliness of its
data to make attacks impractical. This posture will work best when the value of the
organization’s information is widely distributed and is of low sensitivity.
Quality - The quality posture is characterized by an emphasis on information
management. A practitioner of this posture gains its advantage by its ability to
manage its information needs better than its competitors. Compared with these
competitors, its investments may be more modest, but they are wisely made. It makes
better use of less information, and optimizes its use of modest protection. This
posture may have advantages in a highly competitive, cost-sensitive market.
Sponge - The sponge posture is characterized by an emphasis on information
collection and an insatiable thirst for large amounts of information. Practitioners of
this posture may have adopted a follower strategy in which they quickly bring
products to market based upon the innovations of others. They gain their competitive
advantage by saving in research and product development. To avoid being left
behind, they must monitor the activities of other more innovative adversaries and
survey market responses so that once they decide to follow a given initiative, they
can quickly catch up in the marketplace using their previous market presence.
The Internet has made competitive intelligence in many cases nearly effortless. Using the
Concorde development effort as an example, the Russians needed physical access, money
to bribe, meeting locations, etc. With so many companies putting their corporate crown
jewels on unprotected and misconfigured networks, many spies now don’t even have to
leave their home base.
While many networks do release an overabundance of data, an organization can
counterattack against competitive intelligence. When designing an Internet presence,
system architects must make certain that security is an integral part of the design. As an
example, although certain marketing information such as prices and sales policies is customarily
disclosed to outsiders, it should never be placed on unsecured systems where it
could be disclosed to competitors. Similarly, marketing strategies, marketing plans,
market share status, and other marketing information should never be shared with
competitors. Designing systems with such a paradigm is often a confusing point for
people working in sales and marketing. On one hand, certain information such as prices
and sales policies is discussed with just about any prospect or customer. On the other
hand, this information is of great value to the competition.
Granted, third parties working for the competition could gather this information on behalf
of the competition, but such a design forces the competition to engage in a borderline
unethical activity (changing or concealing their identity in order to get information to
which they would not otherwise be entitled). Just because it’s questionable doesn't mean
that the competition isn't going to use third parties to gather competitive intelligence
(industrial espionage) information; this policy just makes it harder for them. Separately,
such a design assumes that people working in sales and marketing know who the
competition is; in some industries (like restaurants in a large city) there are so many
competitors, it is not feasible to have an up-to-date list of them all (even in the yellow
pages phone directory). On another note, each organization will need to clarify the
precise types of information that it wishes to withhold from the competition (or
implement a data classification system).
Corporate espionage is a real problem that affects many organizations. Companies spend
billions of dollars in research and development. But if they are not spending an adequate
amount to protect those developments, then their competition will likely find a way to
take advantage of their valuable and vulnerable assets.