Christopher Burgess worked in the clandestine service of the U.S. Central Intelligence Agency (CIA) for 30 years. In the course of his career, he served both as Chief of Station and senior operations officer. Richard Power, as editorial director for Computer Security Institute (CSI) and then as director of global security intelligence for Deloitte Touche Tohmatsu (DTT), researched cybercrime and economic espionage for more than a decade.
We have found two profound misconceptions common among CEOs. One of the great misconceptions is that the threat of economic espionage or trade secret theft is a limited concern-that it is only an issue if you are holding on to something like the formula for Coca-Cola or the design of the next Intel microprocessor. The case studies included here illustrate the fallacy of thinking that this threat is someone else's problem.
The other great misconception, held by many business leaders who do acknowledge the danger to their trade secrets and other intellectual property, is that the nature of this threat is sufficiently understood and adequately addressed. Often, on closer inspection, the information-protection programs these business leaders rely on are mired in Industrial Age thinking; they have not been adapted to the dynamic and dangerous new environment forged by globalization and the rise of the Information Age.
This article is based on open-source (i.e., not classified) intelligence. There is a compelling lesson in this fact. A decade ago, such stories rarely made it onto the news wire or into the courts. Today, they are commonplace. Unfortunately, the awareness and defenses required to thwart such damaging activities, although economical and effective, are far from commonplace. Our hope is to change that.
To provide a comprehensive overview of the diverse vectors of attack, and how to evaluate whether your enterprise has the necessary defenses in place, we will look at actual cases organized into three broad categories:
- When insiders and competitors target businesses
- When state-sponsored trade secret theft targets businesses
- When counterfeiters, pirates and organized crime target products
And in our conclusion, we have provided some analysis of the economic and geopolitical impact, and a comprehensive checklist of proactive security and intelligence measures.
Part I: When Insiders and Competitors Target Businesses
Economic espionage or intellectual property theft conducted by insiders, competitors or combinations of the two are the most tangible, most common and most destructive threats.
Such an attack can take many forms, like an employee, a member of the management team, a corporate board member, a third-party contract manufacturer or a collaborative partner in a joint venture. Here are several recent examples, ranging from the sordid to the spectacular:
The company IT director stole and sold trade secrets of the company as it was going out of business.
An AOL software engineer used a colleague's access codes to acquire information on 30 million AOL customers and sold it to spammers.
CCI alleges that a former employee stole and sold proprietary databases.
An employee found blueprints containing trade secrets within a container of material awaiting destruction. Instead of destroying them, he sold them to an Asian competitor.
A former employee of a Taiwanese competitor revealed that an Avery Dennison employee had been supplying the competitor with Avery Dennison's adhesive formulas for the preceding eight years.
Toshiba and Lexar entered into a partnership to compete in the flash memory market. Then Toshiba entered into a partnership with Lexar's main competitor.
Both firms allege that patented methodologies were misappropriated by Chinese competitors and used in products marketed in China, so that, in effect, Citroen and SigmaTel ended up competing against their own product designs.
Part II: When State Entities Target Intellectual Property
State-sponsored economic espionage and intellectual property theft are the most sophisticated and formidable threats.
Why do nation states engage in economic espionage and intellectual property theft? Primarily, to acquire technology to advance a military program, or to advance the economic competitiveness of the nation's industrial base, or simply to ensure that the major companies and contributors to the nation's GDP continue to make that contribution. How do nation states affect the acquisition of coveted intellectual property? In some instances, they engage their own law enforcement or intelligence services to surreptitiously acquire it, while in other instances, they publicly engage the owners of the intellectual property with a demand, which it believes is in the best interest of their citizens.
State-sponsored economic espionage and intellectual property theft are global issues. The threat is not unique to U.S. businesses or researchers. Many nations conduct such activities, and the interests of many nations are targeted.
When an insider is co-opted by an intelligence service, the activity becomes more sophisticated, and the ability to detect and/or defend against it is beyond the means of most corporate security mechanisms.
Ironically, sometimes the target is a company that was itself found guilty by the legal system as having instigated instances of industrial espionage, and to have stolen a competitor's intellectual property. Here are some examples.
Airbus attempted to muscle its way into the 1994 Saudi Arabian Airlines fleet modernization effort by offering bribes to individuals from both the Saudi airlines and government.
In January 2005, Russian Prime Minister Fradkov requested Russia's internal security service (FSB) to increase its efforts to assist Russian commercial enterprises. This was tantamount to a public declaration that Russian government's intelligence and security services engage in collection and reporting activities in support of Russian commercial enterprises.
In May 2001, the U.S. attorney in Ohio indicted Takashi Okamoto and Hiroaki Serizawa for the theft of intellectual property belonging to the Lerner Research Institute of the Cleveland Clinic Foundation, charging that the two then provided the stolen research to a research facility owned by the government of Japan.
In 2005, state-owned Russian space technology company TsNIIMASH-Export's director, his deputy and an aide were arrested by the FSB, and charged with embezzlement and the selling of secret Russian space technology to China.
In 1977, Coca-Cola controlled the Indian cola market, but a new industry minister told Coca-Cola officials to divest and transfer their intellectual property (the syrup formula) to their Indian partners. Coca-Cola opted to leave.
In 2005, the Brazilian Ministry of Health presented Abbot Laboratories of Chicago with an ultimatum: Reduce the price of Kaletra (an effective AIDS/HIV drug), or we will break the patent and produce the drug ourselves.
Despite requests from a number of countries to allow generic production of the anti-bird flu drug Tamiflu, Roche stands firm on not relinquishing the patent, which is protected into 2016, and demanding a licensing fee.
Where Does It End?
Attacks on intellectual property, whether covert or overt, have profound consequences and sweeping implications.
A lawless world, in which government intelligence services routinely insinuate themselves into competition between commercial enterprises in the private sector, and internationally recognized patents can be unilaterally disregarded by governments, whether motivated by the social good or geopolitical ambition, will certainly not contribute to the establishment of peace and prosperity for all nations. Nor does a lawless world, in which private-sector corporations can move freely and globally, without restraint, conscience, accountability or international oversight, lead us any closer to that lofty goal.
The United States has no program or policy to provide economic or industrial competitive intelligence to U.S. businesses. The country's economic policy precludes it.
U.S. governmental efforts are focused on the protection of intellectual property owned by U.S. persons or U.S. corporate entities, and keeping the economic pitch level as U.S. corporations compete within the global marketplace.
Discussion points have been made both for and against allowing U.S. governmental agencies and departments, such as the Department of State, Department of Commerce, the National Intelligence Director and the various agencies that make up the U.S. intelligence community, to devote resources and provide economic intelligence to U.S. persons or corporations.
The best approach is to maintain the current policy, except when U.S. corporate interests are specifically targeted by a foreign government-sponsored activity, or when the economic playing field must be leveled. The U.S. government's abilities should be dedicated to national security issues. No U.S. intelligence officer should put his or her life in jeopardy to improve shareholder value. The ultimate sacrifice should be reserved only for the nation's security.
According to a study published by USA for Innovation (www.usaforinnovation.org) in late October 2005, intellectual property in the United States alone carried the value of US$5 trillion to $5.5 trillion, equivalent to 45 percent of the gross domestic product, far larger than the GDP of any other nation. The intellectual property retained by U.S. companies is central to U.S. economic security. This study also indicates that a direct correlation exists between the level of a nation state's protection of foreign-owned intellectual property and the level of foreign investment in that same country-i.e., where the state offers increased protection of the investor's intellectual property, investors increase their investment in the nation's economy.
The United States is under economic attack, according to the National Counterintelligence Executive's report to U.S. Congress in February 2005. The report goes into some depth in identifying the types of foreign entities conducting industrial and economic espionage, the kind of information targeted by these foreign entities, and which foreign entities are attempting to acquire sensitive U.S. technology (either classified or proprietary)-be they private or governmental.
The report indicates that individuals from almost 100 separate countries attempted to acquire sensitive U.S. information. Characterizing the role of the state-supported intelligence collection effort against U.S. technology and intellectual property, it states: "It is clear, however, that some foreign countries, including the major players, also continued to employ state actors-including their intelligence services-as well as commercial enterprises, particularly when seeking the most sensitive and difficult to acquire technologies."
The report identified several dual-use areas as being targeted, including:
- Information systems
- Military production processes and communication systems
- Energy materials
The report laments the difficulty of tracking the foreign targeting of purely civilian technologies, and highlights U.S. organizations' reluctance to share information. Such reluctance, it opines, is due to their not wishing to highlight their losses, because such revelations could have a deleterious effect on "investor and consumer confidence and stock prices."
Commercial technologies identified as stolen by foreign entities included:
- Semiconductor production processes
- Computer microprocessors
- Proprietary information
- Chemical formulas
The U.S. counterintelligence community expects no decline in foreign intelligence activities, and also notes that stemming the flow of information will become even more difficult. The report specifically mentions the challenge of isolating trade secrets from foreign managers and employees and U.S. companies' increasing practice of placing their research and development centers in foreign environs.
U.S. corporations must take appropriate steps, on their own initiative, and incorporate security procedures in order to effectively protect their intellectual property against the efforts of foreign governments eager to obtain it.
Part III: When Counterfeiters, Pirates and Organized Crime Target Products
The counterfeiting and piracy of products, activities often sponsored by organized criminals, make up the most insidious intellectual property threat, and certainly the most pervasive threat to the global economy as a whole.
The U.S. Chamber of Commerce estimates that counterfeit and pirated products account for 5 percent to 7 percent of the global economy, and results in the loss of more than 750,000 jobs and approximately $250 billion in sales to the United States alone.
Via trade missions and educational programs, the chamber has directed its efforts at China, Brazil, South Korea and Russia, and toward the goal of encouraging enhanced enforcement of intellectual property protection laws within these countries. In addition, it offers an intellectual property protection toolkit for each of these countries. And in 2005, working with various law enforcement entities, the chamber initiated Strategy Targeting Organized Piracy (STOP).
In the United Kingdom, the Alliance Against IP Theft has produced a 40-page primer, Proving the Connection: Links Between Intellectual Property Theft and Organised Crime, detailing the deleterious effect on the U.K. economy, and the clear and unambiguous involvement of organized criminal elements. It cites case studies identifying organizations with points of origin in Russia, South Asia, China and Ireland, which serve as points of origin for either the financial backing to achieve the manufacture, distribution and sale of pirated and counterfeit goods in the United Kingdom, or as points of origin for the counterfeit goods themselves. The alliance puts the value of these illegal items at more than 9 billion pounds.
According to a global study commissioned by the Business Software Alliance, piracy rates in 50 countries have increased over the prior year.
Counterfeiting, of course, isn't limited to software.
Counterfeit shoes are commonplace in the open markets of Southeast Asia.
A few successful cases against individuals for illegal file sharing do little to stanch the estimated $3 billion in losses due to piracy of motion pictures.
According to the DOPIP Security Counterfeit Intelligence Report, in October 2005 alone, there were more than 341 separate incidents involving goods valued at more than U.S. $1 billion, and involving more than 54 separate countries. Not surprisingly, the top 10 brands counterfeited included Adidas, Nike, Louis Vuitton, Microsoft, Chanel, Gucci, Prada, Fendi, Manchester United and Puma.
The report also highlighted the evidence of links between copyright and trademark infringements and more serious crimes. In 37 percent of the cases, counterfeiters were involved in drug trafficking; in 20 percent of cases, they carried weapons; in 11 percent they committed other frauds, and in 26 percent they carried out other crimes such as assault, extortion, murder, theft, immigration violations, money laundering, identity theft and robbery. Increasingly, violent criminals are becoming involved because the profit margins are higher, and penalties and chances of being arrested are relatively low.
Today, the U.S. economy faces many threats, including spiraling energy costs, corporate governance abuses, huge federal deficits, foreign ownership of the national debt, the loss of jobs to offshore outsourcing and the impact of disasters (whether terrorist related or environmental). And of course, there is the looming possibility of a bird flu pandemic or other global health emergency that could result in the closing of borders, the interruption of business, the cessation of travel and the deaths of many thousands.
But as you can see from this overview, there is another threat, difficult to quantify or even detect, one that has not yet grabbed the headlines or captured the imagination, and yet is relentlessly and efficiently looting, pillaging and plundering the U.S. and global economies of the magic ingredient-i.e., trade secrets.
Economic espionage is as real a threat as terrorism or global warming. But it is subtle, insidious and stealthy. Even if the United States finds the will to come to grips with the many threats it faces, this silent, invisible hemorrhaging of intellectual know-how and trade secrets could deliver the death blow to our pre-eminent place in the global economic world before we even wake up to the magnitude of the danger.
According to the U.S. Commerce Department, intellectual property theft is estimated to top $250 billion annually (equivalent to the impact of another four Katrinas), and also costs the United States approximately 750,000 jobs, while the International Chamber of Commerce puts the global fiscal loss at more than $600 billion a year. But both estimates appear to be woefully underestimated; by some other estimates, there was over $251 billion worth of intellectual property lost or illegal property seized in August 2005 alone.
The United States, like other great nations, stands on three legs: military power, political power and economic power. Arguably, economic power is the most vital of the three. Without economic power, the political elite would be bereft of the consultants and lawyers who insulate it; it would have nothing to bargain with at the geopolitical roulette table, and it would lack the bureaucratic muscle to impose its will domestically. Without economic power, the military would be unable to deploy advanced weapons systems, spy on its enemies from space, span the globe with bases or even raise an army.
Secrets are the magic ingredient of power. When state secrets-i.e., political and military secrets-are stolen, governments fall and wars are lost, people are disgraced and people die. When trade secrets, such as scientific or engineering secrets, are stolen, corporations lose their competitive edge, small entities cease to exist, and whole sectors of the economy weaken and fall behind in the global marketplace; people lose their livelihood and their children's futures.
In other words, the United States could win the war on terrorism, overcome the challenges of global warming, balance the federal budget, strengthen the United Nations, end global armed conflict and restore our edge in science and engineering, and still end up behind China, India, Japan, Russia or Brazil in several vital sectors of the economy, and at a serious, if not fatal, disadvantage within the global marketplace.
The threats of economic espionage, intellectual property theft, counterfeiting and piracy are global, dangerous and increasingly common.
It is within your power to decide for yourself if your enterprise is going to be a hard target or soft target. The time for action is now. You can be prepared.
Remember, it is important to invest in protective measures commensurate to the value of the asset being protected. Here are some recommendations for a comprehensive program:
Where security reports within an organization is perhaps the most vital issue of all. Consider appointing a chief security officer, who reports to either the chief executive office or the chief financial officer. This person should hold the reins of personnel security, physical security and information security, and should not be a stranger to the board room.
Awareness and Education
Educate your workforce on an ongoing basis about the threats of economic espionage, intellectual property theft, counterfeiting and piracy. Help them understand your expectation that they will protect the enterprise's intellectual property and, by extension, their own livelihood. Provide general education for the entire workforce, and specialized education for executives, managers, technical personnel, etc.
Implement a "Personnel Security" program that includes both background investigations and termination procedures. You need policies that establish checks and balances, and you need to enforce them. Know the people you are going to hire. Don't lose touch with them while they work for you. Consciously manage the termination process if and when they leave the enterprise.
Recruit certified information security professionals (e.g., CISSP, CISM, etc.) Adopt best practices, and establish a baseline. Utilize appropriate information security technologies, such as firewalls, intrusion detection, encryption, strong authentication devices, etc. Pay attention to data retention and data destruction as well as data access.
Do not overlook the "Duh" factor. It is pointless to invest in information security, or commit to background investigations, if agents of an unscrupulous competitor or a foreign government can simply walk away with what they covet.
You need both business and security intelligence. Know your competition, your partners and your customers. Research the market environment. Keep abreast of the latest trends in hacking, organized crime, financial fraud and state-sponsored economic espionage. You can outsource this expertise. But someone must be looking at both streams of intelligence, with the particulars of your enterprise in mind.
Actively participate in industry working groups appropriate to your sector and environment. Talk with your peers about the types of attacks or threats they are encountering.
Leverage your tax dollars. Avail yourself of threat information from law enforcement, foreign ministries, elected officials, regulatory and trade organizations in your enterprise's country, and in those countries where you conduct business.
Realize that even when right is on your side, a market may be lost to you, and protecting a portion of the global market is sometimes a viable survival strategy. Litigation is not the solution; it is confirmation that intellectual property theft has occurred. Work to protect your intellectual property and avoid the costs associated with litigation. Don't let a small legal mind make decisions about big legal issues. Get expert legal advice on intellectual property issues.
In sum, your security is in your hands. Employees tend to apply effort and intellect to the issue in portions commensurate with management attention to the topic of intellectual property protection. Employees line up smartly behind the leader providing direction, guidance and support. Providing that leadership is essential to your own continued economic viability in the global economy of the 21st century.
Christopher Burgess has recently retired as an officer of the U.S. Central Intelligence Agency, with 30 years of experience in the clandestine services. He can be reached via e-mail: firstname.lastname@example.org. Richard Power (www.wordsofpower.net) is an internationally recognized authority on cybercrime, information age espionage and other threats. He can be reached via e-mail: email@example.com.
NOTE: Portions of this study were reviewed, and cleared without objection, by the Publication Review Board of the U.S. Central Intelligence Agency.