Leaks and geeks: International espionage goes high-tech

[William Knowles <wk () C4I ORG>]

http://news.cnet.com/news/0-1003-200-2174240.html

By Rachel Konrad
Staff Writer, CNET News.com
June 29, 2000, 12:55 p.m. PT

International spies, pilfered documents and treasonous allegations:
Are these the irrelevant artifacts of the 1980s Cold War?

Absolutely not, Mr. Bond.

A spate of old-fashioned security leaks and newfangled hack attacks
has made corporate espionage one of the New Economy's hottest topics.
As companies such as Microsoft, Oracle and Intel struggle to protect
trade and investment secrets, tech firms are increasingly the
perpetrators and victims of spy missions--the likes of which British
spy novelist Ian Fleming and his 007 character would be proud.

Although the tech industry has had its share of blatantly illegal
espionage, most modern corporate spy activity falls into a gray zone
between aggressive competition and unethical snooping.

Yesterday, Oracle chief executive Larry Ellison defended his company's
decision to hire detectives to mine garbage pails and investigate two
research groups funded by the company's fiercest rival, Microsoft.
Comedians and satirists are heralding the case, Ellison's increasingly
embarrassing albatross, as "garbage gate."

In another recent case of corporate intrigue, a judge found in May
that Broadcom tried to extract trade secrets from competitors during
job interviews with Intel employees. Filed in California's Santa Clara
County Superior Court, the suit touched a nerve in the Silicon Valley,
where executives often probe job candidates about their current and
future projects at competing firms.

In 1997, Santa Clara County slapped felony charges on software maker
Avant, charging that its top executives conspired to steal trade
secrets from Cadence Design. The case hinged on former Cadence
employee Mitsuru "Mitch" Igusa, who allegedly emailed Cadence software
files to his home in 1995 and had once served as a consultant to the
rival company.

Security experts say such cases--and thousands of other embarrassing
leaks that companies don't want to make public--aren't mindless
paranoia. From Dumpster diving to international data theft, cases of
legal and illegal espionage at all levels are on the rise.

According to a study by the American Society for Industrial Security
(ASIS) and consulting firm PricewaterhouseCoopers, Fortune 1000
companies sustained losses of more than $45 billion in 1999 from the
theft of proprietary information--up from mid-'90s estimates from the
FBI pegging the cost at roughly $24 billion a year.

The average Fortune 1000 company reported 2.45 incidents with an
estimated loss per incident in excess of $500,000. More troubling:
Forty-four of the 97 companies that participated in the ASIS survey
reported a total of more than 1,000 separate incidents of theft.

Tech companies reported the majority of those incidents. The average
tech firm reported nearly 67 individual attacks. The average theft was
pegged at $15 million in lost business.

High-tech booty

What are spies after? Customer lists from high-tech companies are the
No. 1 stolen item--making dot-com start-ups, software firms and
Internet service providers, which typically keep extensive customer
lists in their marketing departments, prime candidates for espionage.

Financial data, research and development work, merger and acquisition
plans, unannounced product specifications, and prototypes round out
the ASIS list of hot commodities.

Experts say the message of this study and others is simple: The
average tech company has too many leaks and needs to batten the
security hatches.

"Most companies don't have the ability to detect when these problems
are even occurring," said Ira Winkler, author of "Corporate Espionage:
What It Is, Why It Is Happening in Your Company, What You Must Do
About It" and president of The Internet Security Advisers Group.

Winkler estimates that blatant, illegal espionage attacks penetrate
the average Fortune 2000 company two to three times per year. But most
companies are completely unaware of the pillage. When competitors come
out with a similar product, service or production method, victimized
companies often chalk it up to fierce competition or dumb luck.

"Companies have got to go ahead and do the basic security things. Keep
audit logs when people access computers and sensitive information.
Keep important information on a need-to-know basis. Require employees
to change passwords frequently," Winkler said. "Usually companies have
policies for that, but rarely do they enforce them."

Although spies may penetrate tech companies more than other companies,
high-tech firms are not alone in their struggles with espionage.

Legendary intrigue

The most colorful and high-stakes case embroiled General Motors and
Volkswagen for much of the 1990s. The cased hinged on a ring of Latin
employees led by a hard-charging Basque expatriate named Jose Ignacio
Lopez de Arriortua. Lopez was head of purchasing for GM and defected
abruptly to VW in 1993.

GM accused Lopez of masterminding the theft of more than 20 boxes of
documents on research, manufacturing and sales. Much of the allegedly
pilfered data involved blueprints for a super-efficient assembly
plant--a factory that GM believed would topple VW's dominance of the
small-car market in emerging markets of Eastern Europe, China and
elsewhere.

The world's largest international corporate espionage case officially
ended in 1997, when VW admitted no wrongdoing but settled the civil
suit by agreeing to pay GM $100 million in cash and spend $1 billion
on GM parts over seven years.

In 1998, German prosecutors dropped criminal charges of industrial
espionage against Lopez, who resigned from VW in 1996 and was injured
in a car accident in Spain two years later. But Germany made Lopez
donate $224,845 to charity.

In "War by Other Means: Economic Espionage in America," author John
Fialka writes that foreigners are pillaging confidential information
from unwitting bureaucrats and U.S. companies in all industries.
Although one Amazon.com reviewer from Silicon Valley dismissed the
1997 tome as "alarmist and overly paranoid," the book was widely
trumpeted as a wake-up call to corporate America.

Fialka recounts a 1991 incident in which spies posing as garbage
collectors scoured the trash cans outside the Houston home of a U.S.
defense contractor executive. One of the ostensible garbage men turned
out to be France's consul general, who said he was collecting fill for
a hole in his yard.

Not so, said the FBI, which suspected he was searching for secrets in
part of a 30-year effort by the French government to reap U.S.
scientific or military secrets.

The book also recounts a vast Japanese corporate spy ring. The group
stole U.S. research into tilt-wing aircraft that represented four
decades' worth of Bell Helicopter experimentation, $3.5 billion of
U.S. government investment, and $17.8 billion in potential U.S.
exports.

Spies on the rise

Experts pinpoint several reasons for heightened spy activity.

The end of the Cold War, which began when the Berlin Wall fell in 1989
and culminated when the Soviet Union dissolved in 1991, ended much of
the storied espionage between the USSR, China and the West.

But experts say that after a brief respite from spy activity,
espionage resurfaced. Instead of international political and military
espionage, it became corporate. By 1997, the FBI reported that 23
foreign governments were systematically scouring American companies of
intellectual assets.

The rise of email as the de facto means of sending messages across
companies and the world has heightened the danger. Hackers can
intercept email on the Internet more easily than they can tap into a
phone call, and skilled spies can even penetrate a company's intranet.

"The Spartans and Athenians went through each other's garbage 1,000
years ago--that's nothing new," said Harris Miller, president of the
Information Technology Association of America. "But now we're seeing
more virtual corporate espionage...Rather than someone (breaking) into
a physical building and (prying) open a file cabinet and (taking) out
documents, the new challenge is for someone to break into an intranet
and steal documents that are being sent back and forth in the
company."

Virtual and physical corporate espionage reached such a pitch--and
corporate victims including GM, Intel, Hughes and Lockheed Martin
raised such a fit--that Congress passed the Economic Espionage Act of
1996.

As a result, theft of trade secrets became a federal offense, with
prison sentences of up to 15 years and fines of up to $500,000 for
individuals. Domestic thieves who sing to corporate rivals face fines
of up to $250,000 and jail sentences of up to 10 years.

But the law hasn't curbed the broader corporate trends that are
fueling espionage, especially in the tech sector.

International security hot spots

The increasingly global world of commerce means that more tech
companies are setting up shop in places such as China and Japan. ASIS
says the "weakest link" in security is often the small sales office in
a foreign country, where employees enjoy easy access to the company
intranet but have little face-to-face contact with or loyalty to top
executives.

According to ASIS, the top five countries cited as security risks are
the United States, China, Japan, France and the United Kingdom. Mexico
and Russia, meanwhile, have the highest increase in spy activity.

Another factor: The tech industry is increasingly becoming an industry
of contractors--hired guns who write software or set up Web sites for
three months to a year before moving to the next job, often at a rival
firm. ASIS found that roughly 20 percent of workers at Fortune 1000
companies are temporary or part-time workers.

Although companies often require regular employees to sign non-compete
clauses, in which employees promise not to work for a direct
competitor for a year or more after they quit, contractors sometimes
fall under the legal radar. ASIS found that few companies do thorough
background checks on temps, yet most have no qualms assigning them to
work with sensitive data.

Despite alarming statistics, some tech workers say espionage fears are
overblown. The vast majority of companies respect the trade secrets of
their rivals, they say.

Intel spokesman Chuck Mulloy didn't deny that many companies rely on
defectors from rivals to determine competitors' plans. There is no
specific law forbidding questions about a worker's current employer in
a job interview, as there are laws against inquiring about age,
marital status or religion.

But in Broadcom's case, Mulloy said, the company overstepped its legal
boundaries concerning trade secrets.

"I don't think this is run-of-the-mill, which is why there's
litigation pending," Mulloy said. "They had four pages of notes about
unannounced products, including a blocked diagram. Nowhere in those
four pages of notes could we find reference to this interviewee's job
history, job performance, salary requirements. This was not a job
interview--it was a case of a company trying to get our trade
secrets."


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".