by

Bernie R. Milligan

ES-PI-ON-'AGE / The practice of spying or the use of spies to obtain information about the plans and activities of a foreign government or a competing company (Industrial).

The threat to U.S. corporations from industrial espionage has seen a significant increase throughout the 80's and 90's. The most significant threat and most publicized attacks have been identified as international sponsored spying on high-tech U.S. firms, which compete in the international market place. U.S. firms are facing a new challenge due to documented evidence of foreign government sponsorship of espionage for their international competitors. The U.S. Government recognizes the international threat to its business sector, but cannot offer the assistance or counter the continuous threat from organized, well educated and aggressive international spy rings.

Although corporate America has recognized this type of threat and in many cases suffered the competitive losses associated with high tech spying, corporate security departments find themselves years behind their international competitors. The primary reasons that support these issues are budget constraints, and lack of threat recognition corporate structure and necessary management control. The results are always the same throughout corporate America: reactionary problem solving, after a major loss has been identified, and a return to status quo or business as usual.

If corporate America is going to survive in the new world order of industrial high tech competition they must change their view of their competitors. U.S. research and development costs are increasing, along with the associated marketing and sales expenses. The cost recovery of R&D expenditures have been condensed into smaller time frames and the loss of critical R&D often devastates the corporate return on capital investment. U.S. firms can no longer allow international competitors to reap the benefits of U.S. corporate R&D through the use of industrial espionage.

In a 1991 survey by the American Society for Industrial Security, 37 percent of the 165 U.S. firms responding said they had been targets of espionage. The 1992 French intelligence budget was increased nine percent to enable the hiring of 1000 new employees. Former French Spy Master Marion publicly disclosed in 1991 that the French intelligence services had conducted extensive international spying to keep abreast of changes in the commercial and technological industries to support French commerce. He also confirmed that the French built a computer with stolen American technology and, as a joke, nicknamed it with the initials of the French Secret Service. The French intelligence services are not the only government-sponsored operations spying on U.S. businesses. U.S. intelligence and law enforcement groups have identified Israeli, British, Canadian, Japanese, South Korean, Argentine, Egyptian, Chinese, German, and Swedish Intelligence groups in recent years.

Documented cases of U.S. industrial espionage by foreign competition have seen a significant increase in the nineties. In a well publicized case between GM and Volkswagen, German prosecutors linked an ex-GM executive, Inaki Lopez, who had joined Volkswagen, to a cache of secret GM documents. In 1992, Recon/Optical, a suburban Chicago military contractor, charged the Israeli Air Force with trying to steal the blueprints for a top secret airborne spy camera - the Israelis agreed to pay $3 million in damages. Approximately 10 years ago, an FBI sting operation caught senior level executives with Hitachi and Mitsubishi attempting to purchase confidential information on the latest IBM computer chips, both companies pleaded guilty to charges connected with theft. According to NBC's "Expose," in 1991 a French government spy planted hidden microphones in business class seats on Air France aircraft; a charge which Air France categorically denies. Applications International Corp., a California based high-tech company, prosecuted an employee for the theft of codes to their computer programs and learned that the information had been given to a spy ring that included major Japanese corporate giants, Mitsubishi, Nissan and Toshiba. In 1992, during a House Judiciary subcommittee hearing to assess U.S. corporate espionage damages IBM estimated 1992 losses of $1 billion to French and Japanese intelligence operations.

The Federal Bureau of Investigation and industry experts have estimated the U.S. trade secret theft in 1992 cost U.S. companies more than $100 billion in lost revenues. If left unchecked, analysts estimate the losses could grow an additional 50% by the year 2003. Documented cases of industrial espionage are further supported by the numerous methods used by foreign companies, which include, bur are not limited to, theft of high-tech equipment from loading docks, warehouses and assembly lines, wire taps and microphones, fax interceptors, recruitment of competitor's employees, planting of moles, and hiring "hackers" to break into telephone and voice mail systems, computers and corporate networks. Cellular telephone usage has increased the threat to executive confidentiality. A high-tech threat which has recently been documented include EMI intrusion or electronic eavesdropping, of computer and telephone systems by sensitive electronic monitoring equipment.

Cellular telephones have been examined to extract programmed speed call numbers, and in some cases, programmed passwords. Portable personal computers often contain programmed passwords, and computer encryption software used by large firms has recently become the targets of industrial spies. Documented cases also exist of U.S. executives traveling to foreign countries and while having dinner or attending meetings, their briefcases, luggage and personal belongings have been searched in hotel rooms.

Industrial espionage by U.S. firms has taken place domestically and internationally, but as a general rule it is discouraged by corporate executives. Generally, competitive information of a classified nature moves from one U.S. firm to another through normal employee attrition and competition. Therefore, the average U.S. firm is naive about company-financed and government-advocated espionage. Historically, U.S. firms have viewed our government as a tax collection agency, which hampers business by imposing rules and regulations that minimize profits and production. The opposite holds true for international firms which are often subsidized by government to allow increased employment, or are financed by their governments to encourage competition in the international market place, thereby increasing exports and taxes.

Business philosophies outside the U.S. are also quite different in the international market place. While the U.S. competed against the Soviet Union in the Cold War, other governments (many of which the U.S. considers friendly) viewed entire nations, such as the U.S., as competitors in the high tech, high export, worldwide market place. Foreign competitors have developed, and enforce, stringent security policies to protect confidential information from U.S. competitors. U.S. corporations have, over the past five years, begun to take the threat of industrial espionage seriously and to evaluate the costs of compromised research and development. This is a good beginning for U.S. firms but years behind their international competitors.

The first step in protecting against the threat of industrial espionage is the recognition that your firm is susceptible to these types of losses. If a company is competing in the international market place as a prime contractor, or in a supporting role as an equipment or logistics supplier, that firm can be, has been or will be a target of competitive industrial espionage. Once recognition of this type of threat has been established, a risk analysis should be performed to identify the specific type of threat each company will encounter. Determining the potential damage with an estimated potential loss should be calculated to support the most important aspect of corporate America - the security "Budget." Industry analysts always face the same response when addressing these issues with corporate security managers: the same old statement, "the money is not in my budget." In most situations, the company has already been compromised when industry experts are brought in to assist in an investigation. The rebuttal to that same old statement is, "How much did the company budget for this recent loss?" Therefore, the importance of corporate recognition and departmental budget go hand in hand. One without the other is worthless when addressing competitive espionage.

The second step is the development of policies and procedures. Policies, if properly developed, will identify the critical threat areas. These areas include, but are not limited to, telecommunications, data communications and processing, physical and executive information security. These categories represent a basic starting point. Individual companies may have others areas to cover when addressing security issues. Industrial spies are Looking for information. In most cases, something as simple as a telephone directory provides critical information about specific personnel, departments, computer rooms, sales departments, research and development and protected areas. Easy access to executive schedules and travel information encourage competitive eavesdropping. Most data networks are connected to telecommunications systems, which allow computer hackers to download files, often without detection. Telephone lines to fax machines and executive offices are often tapped. Development of procedures will determine how critical areas will be protected and establish steps employees should take when specific threats or unusual activities are recognized.

Corporate security procedures provide an action plan once a problem has been solved. A good example of the lack of set policies and procedures recently occurred in Houston, Texas, when a data processing manager was notified by the telephone company that unusual activity had been identified on an incoming 1-800 line. Further review by the data processing manager revealed that the activity was directed at the company's local area network (LAN), which connected to a wide area network (WAN). Only recognizing the local threat, the data processing manager believed that his system passwords were being compromised, and removed the passwords. The hacker then gained access to the entire company data network and mainframe. The losses sustained by the company initially appeared to be $70,000 in long distance charges, but within 30 days, the president of the firm received disturbing information about a large competitive bid. The confidential information was leaked by his strongest competitor and could only have originated from within his company. The company is in the process of developing strong corporate policies and procedures. Losses cannot yet be estimated, because the extent of compromised information is not known.

The third step to stopping competitive espionage is strong countermeasures. The old saying "a good defense is a good offense" holds true in competitive industrial espionages and supports the second half of Step one "The Security Budget." Countermeasures is best defined as a measure designed to counter another measure, or in the case of espionage, to counter an intrusion or system attack seeking competitive information. A caution to security departments - telecommunications staffs and MIS managers: countermeasures is a learned discipline, and it is strongly recommended that third party experts in this field be employed to support the initial setup and training for countermeasure implementation, intrusion threats are changing as technology advances, and the methods deployed to use and subsequently counter them are known by a limited number of countermeasures personnel. These experts are generally trained by the NSA ASA or White House Communications groups, and are often referred to as "spooks."

Countermeasures take many forms, but the most important aspect to remember is that a threat is being countered. All computer gateways, whether LAN, WAN or host computers should have protection and monitoring devices. These devices will provide password protection and immediate alarming if attempts are made to hack passwords. Authorization codes and password protection should be used to provide identification of all personnel entering the company's computer systems. This information should be managed daily to detect unusual activity and produce exception reports. In recent years, management systems have been developed to provide exception reporting to replace large data security staffs.

All telecommunications systems should be evaluated to determine levels of vulnerability. This includes voice mail, which is easily "hacked" to listen to confidential messages. In the international market place, time zones vary and voice messaging is a business necessity. Spies are fully capable of hacking voice mail, and they use these systems every day. Telecommunications systems are often the gateways to computer systems. Together, they support all corporate transactions, including R&D, payroll, competitive information, voice mail systems, fares and the telephones in the executive offices. Computerized security management systems have been developed to support security services by monitoring for unusual activity within the telephone system. The documented cases of industrial spying show that computer and telecommunications system intrusion generally takes place after hours when the company is at its most vulnerable point. Computerized security management systems are on line 24 hours a day, including weekends and holidays.

Encryption units are also available for confidential or sensitive telephone conversations. Cellular telephone usage has increased over the last five years, and can be attributed primarily to executives and sales personnel for business use. Cellular telephones are, in fact, radios that operate in the 800mHz range, and can be monitored with a $159.00 scanner/receiver bought over-the-counter in most electronic stores. Spies utilize more sophisticated equipment designed to listen to and/or record specific cellular telephone calls. Competitive information from these conversations and in many cases voice mail passwords, computer passwords and personal confidential information are used to infiltrate systems, gain a competitive edge, or blackmail employees. The only countermeasure for cellular eavesdropping is cellular encryption, which requires a unit at both ends of the conversation.

The encryption technology available to U.S. firms has recently been boosted by the release of technology developed by the U.S. government during the Reagan administration. This type of technology was developed under the (Secure Telephone Units) STU-III program. AT&T has released a commercial version which is lightweight, portable and user friendly. The AT&T Model 3600 encryption device utilizes a randomly selected algorithm through public key management, which must match the far end encryption key security device. These units provide a cost effective means of securing sensitive conversations within the U.S. corporate market place. Should a U.S. corporation require additional encryption support, AT&T has developed a complete line of fax, data, and link encryption units which support a hard hitting corporate countermeasures initiative.

The fourth and final step to development of a strong corporate security policy to counter industrial espionage involves testing the policies and procedures for functionality and establishing a program to test the countermeasure program. The testing results will provide critical insight to the short comings of the most ambitious corporate countermeasure programs. The best approach to testing involves third party or security consultant "Tiger Team" attacks, which provide corporate security personnel with a modern view of the methods used to attack a firm. Always remember technology is constantly changing, which supports new ways of entering systems and extracting critical competitive information.

The threat of industrial espionage can no longer be thought of by U.S. corporations as a minimal threat or a problem to which weapons or defense industry firms will be subjected. The documented cases of industrial espionage in the U.S. are on the rise, and before a case can be documented it must first by identified. Industry's best estimate of reported cases represent only 10 percent of the known industrial espionage events. U.S. industry faces a new challenge with the NAFTA Agreement: Pacific Rim and European competitors now view the U.S., Mexico and Canada as stronger competitors. They will use NAFTA to justify more aggressive approaches to gather critical information, and will justify their actions as self protective, or in their eyes, fair competition.

Bernie R Milligan is the president of Communications & Toll Fraud Specialists, Inc., a Houston based corporation specializing in communications security consulting and toll fraud prevention. Mr. Milligan's background includes twenty-one years of telecommunications systems designing, engineering and implementation. Ten years of his experience were dedicated to U.S. Governmental Communications, in the area of countermeasures and information security.

The End.

This article was published in a security magazine in February 1994, and is copyrighted. Reproduction of the article must be approved by the author, Bernie R. Milligan.

2621 Words
Rights Selling
Copyright Bernie R. Milligan