Background and Effects
When the word espionage is used, it often brings visions of obscure intelligence agents making dead drops of secret information and products under cover of darkness. Movies, television and pop-culture have put an indelible mark on the public’s perception of spying, espionage and sabotage. While opposing nations and militaries have been conducting intelligence, surveillance and reconnaissance operations for millennia, it is often overlooked that private corporations and organizations do the same thing. Additionally, state sanctioned collection of industrial, economic, technological and other intellectual property is occurring at an increasing and alarming rate. This poses a danger not only to national security interests, but competitive advantage of private corporations. According to the Federal Bureau of Investigation (FBI), the U.S. economy alone suffers a loss of between $225-$600 billion per year as a result of counterfeit goods and theft of trade secrets.
What is Industrial / Corporate Espionage?
Espionage, more commonly referred to as spying, is the attempt to gather and transmit unauthorized and potentially sensitive data from one entity to another, gaining a competitive advantage. The information and proprietary information sought depends on the target and the intelligence needs of perpetrator. Some may include:
- Product and/or Service Pricing
- Future Patents
- Customer Databases
- Marketing Plans & Techniques
- Product Research & Development
- Board Meeting Minutes
- Public and/or Private Bid Proposals
- Product Ingredients
- Employee Information
- Business Continuity Plans
Who is at risk?
Any organization that produces a specialized product and/or service, is vulnerable to corporate espionage. This does not limit itself to large, multinational corporations. Organizations that are integrated with, produce for or service Critical Infrastructure are at increased risk. As an example, a recent FBI study revealed the following sectors to be of significant interest to the government-sponsored collection efforts of the People’s Republic of China:
- Information Technology
- Aerospace & Defense
- Maritime & Transportation Technology & Systems
- Electric Vehicle Technology
- Agricultural Industry
- Medical & Pharmaceutical Research
Who are the Perpetrators?
The tactics, techniques and procedures that competing organizations deploy to gain access to sources and assets for industrial espionage are often similar in nature to those that have been put into practice by nation states. Visual surveillance, stealing physical documents from secure environments using insider sources, utilizing blackmail, extortion and bribery are common. Additionally, the use of information technology and malware to exploit cyber security gaps and gain access to networks have increased exponentially. The ability exists for a talented and modestly equipped hacker to steal information from across the globe, with a few keystrokes.
Nation states such as China, North Korea, Russia and others are known to have active and robust corporate, economic, cyber and industrial espionage operations on a global scale. Often overlooked are the potential insider leaks that an organization may face, from disgruntled employees to those seeking financial gain or being extorted.
Is Competitive Intelligence the Same as Espionage?
Competitive Intelligence is the use of publicly available data to develop business and marketing strategies. It can be helpful in benchmarking sales and customer preference trends along with marketplace dynamics. It is legal and used by businesses of all types and sizes in an effort to streamline processes and improve their product or services. There are even specialized firms that provide Competitive Intelligence as a service by using open-source tools and techniques to deliver actionable data points to company decision makers.
Information Security, often shortened to INFOSEC, is the practice of actively mitigating information risks, preserving sensitive or privileged information and identifying leakage early. Protocols are in place to ensure only personnel with “need to know” have access to specific information while minimizing risks, such as employee theft, external collection, information technology vulnerabilities, social engineering and sabotage.
- Deter potential entities from assessing the organization and/or its personnel as being an easy target. Every organization, regardless of size, should have a detailed and comprehensive information security policy in place. A thorough risk and vulnerability assessment is conducted to drive that set of policies.
- Detect unauthorized intrusions, data leakage, employee theft and internal vulnerabilities. Physical security protocols play a key role in the protection of information by ensuring access control measures are strictly adhered to by everyone.
- Deny an adversary the ability to carry out successful collection by implementing sound infosec practices, such as safe storage, adherence digital information transmission guidelines and encouraging personnel to report suspicious activities or people attempting to gain unauthorized physical or digital access.
- Defend against an attack, such as from cyber intrusions or malware by ensuring network systems are protected (anti-virus, firewalls, personnel training and awareness). Additionally, physical, information, cyber and corporate security professionals should be synchronized and coordinate efforts to mitigate and adapt to current and emerging threats.
Espionage and the Law