Introduction

When you hear the word espionage, perhaps you conjure up a number of exciting and glamorous images. Perhaps you have visions of a well-dressed man who drinks martinis, shaken but not stirred, traveling to glamorous locations with equally glamorous travel companions. Or perhaps you envision some exciting covert operation with high-speed car chases and guns blazing in faraway exotic lands. Espionage is often much less exciting than those popular media portrayals. The ultimate goal of espionage is to obtain information that would not otherwise be available. Generally, espionage is best done with as little fanfare as possible. Rather, information is the goal, and blazing gun battles and glamorous locations are unlikely—and would probably raise flags. If possible, it is best to obtain that information without the target organization even realizing that its information has been compromised.

Many people assume that such spying is only engaged in by governments, intelligence agencies (such as the CIA, NSA, MI6, FSB, and so on), and nefarious international organizations, such as Al Qaida or ISIS. While those entities do indeed engage in espionage, they are certainly not the only organizations that do so. The aforementioned organizations desire to acquire information for political and military goals. However, economic goals are also dependent on accurate and often sensitive data. With billions of dollars at stake, a private company can become engaged in industrial espionage as either a target or a perpetrator. What company would not like to know exactly what its competitor is doing? In fact, corporate or economic espionage is on the rise.

The boundary between industrial espionage and the activities of intelligence agencies is becoming blurred. There have been numerous cases of industrial espionage against Western nations that at least appear to have been supported by foreign intelligence services. Tech companies have often been the targets of such attacks.

Corporate or economic espionage is a growing problem, but it can be difficult to accurately assess just how great the problem is. Companies that perpetrate corporate espionage do not share the fact that they do it—for obvious reasons. Companies that are victims of such espionage often do not wish to reveal that fact either. Revealing that their security was compromised could have a negative impact on their stock value. It is also possible, in certain cases, that such a breach of security might open the company to liability claims from customers whose data may have been compromised. For these reasons, companies often are hesitant to disclose any industrial espionage activities. Because you will want to protect yourself and your company, it is important that you learn about espionage methods and protections. In the exercises at the end of this chapter, you will work with some of the tools you have learned about so far in this book—antispyware, key loggers, and screen-capture software—so that you can learn how they work and, hence, become cognizant of the risks they pose.

The journal CSO Online featured a story on industrial espionage in 2018.¹ This story mentions the Economic Espionage Act of 1996, which is a U.S. federal law that criminalized the stealing of commercial secrets.

1. https://www.csoonline.com/article/3285726/what-is-corporate-espionage-inside-the-murky-world-of-private-spying.html

In 2019, Forbes ran an article on spying incidents at Apple Inc.² In the cases examined in this article, the line between corporate espionage and state-sponsored spying was blurry. In one of the cases, Apple employee Jizhong Chen was accused of stealing trade secrets related to self-driving cars and providing them to the Chinese government. The same article estimated the cost of corporate espionage at $1.1 trillion per year.

2. https://www.forbes.com/sites/betsyatkins/2019/02/12/learning-from-apples-spying-incidents-how-to-protect-yourcompany-from-corporate-espionage/#54d18f7d6fb4

What Is Industrial Espionage?

Industrial espionage is the use of spying techniques to find out key information that is of economic value. Such data might include details on a competitor’s new project, a list of a competitor’s clients, research data, or any information that might give the spying organization an economic advantage. While the rationale for corporate espionage is different from the rationale for military espionage, corporate espionage often involves the same techniques employed by intelligence agencies, such as monitoring, photocopying files, or compromising a member of the target organization. Not only does economic espionage use the same techniques as intelligence agencies, but it often also uses the same people. There have been a number of incidents in which former intelligence agents have been found working in corporate espionage. When such individuals bring their skills and training to the world of corporate espionage, the situation becomes especially difficult for computer security experts.

Information as an Asset

Many people are used to viewing tangible objects as assets but have difficulty appreciating that information can be an asset. Companies spend billions of dollars every year on research and development. The discovered information is worth at least the amount of resources taken to derive the information plus the economic gain produced by the information. For example, if a company spends $200,000 researching a process that will in turn generate $1 million in revenue, then that data is worth at least $1.2 million. You can think of this economic gain as a simple equation:

VI (Value of Information) = C (Cost to Produce) + VG (Value Gained)

While some people are not yet fully cognizant of the concept, data does indeed represent a valuable asset. When we speak of the “information age” or our “information-based economy,” it is important to realize that these terms are not just buzzwords. Information is a real commodity. It is as much an economic asset as any other item in the company’s possession. In fact, it is most often the case that the data residing on a company’s computer is worth far more than the hardware and software of the computer system itself. It is certainly the case that the data is much more difficult to replace than the computer hardware and software.

To truly appreciate the concept of information as a commodity, consider the process of earning a college degree. You spend 4 years sitting in various classrooms. You pay a significant amount of money for the privilege of sitting in those rooms, and listening to others speak at length on various topics. At the end of the 4 years, the only tangible product you receive is a single piece of paper. Surely you can get a piece of paper for far less cost and with much less effort. What you actually paid for was the information you received. The same is true of the value of many professions. Doctors, attorneys, engineers, consultants, managers, and so forth all are consulted for their expert information. Information itself is the valuable commodity.

The data stored in computer systems has a high value for two reasons. First, a great deal of time and effort go into creating and analyzing the data. If you spend 6 months with a team of five people gathering and analyzing information, then that information is worth at least an amount equal to the salaries and benefits of those people for that length of time. Second, data often has intrinsic value, apart from the time and effort spent acquiring those facts. If the facts are about a proprietary process, invention, or algorithm, the value is obvious. However, any data that might provide a competitive edge is inherently valuable. For example, insurance companies frequently employ teams of statisticians and actuaries who use the latest technology to try to predict the risks associated with any given group of potential insureds. The resulting statistical information might be quite valuable to a competing insurance company. Even a customer contact list has a certain inherent value.

Thus, as you work in the computer security field, always keep in mind that any data that might have economic value is an asset to your organization and that such data provides an attractive target for any competitors who may not have ethical inhibitions against using espionage. If your company management thinks that this threat is not real, then they are very much mistaken. Any company is a potential victim of corporate espionage. You should take steps to protect your valuable information—and the first critical step in this process is asset identification.

Asset identification is the process of listing the assets that you believe support your organization. This list should include things that impact direct day-to-day operations as well as those that are tied to your company’s services or products. The CERT website offers a very useful worksheet that you can use to itemize the assets in your organization.³ This workbook includes a number of other useful worksheets for assuring information security within your organization. As the table of contents in Figure 7.1 shows, this workbook is also a tutorial that steps you through the various considerations in information security.

3. https://www.us-cert.gov/sites/default/files/c3vp/crr_resources_guides/CRR_Resource_Guide-AM.pdf

Table 7.1 is a variation on the worksheet provided by CERT. Armed with this table and based on your knowledge and experience with your company, you can complete an asset identification by following the steps outlined below:

1. In the first column of the table, list the information assets. You should list the types of information used by people in your company—the information people need to do their jobs. Examples are product designs, software programs, system designs, documentation, customer orders, and personnel data.

2. For each entry in the first column, in the second column fill in the names of the systems on which the information resides. In each case, ask yourself which systems people need to perform their jobs.

3. For each entry in the first column, in the third column fill in the names of the related applications and services. In each case, determine what applications or services are needed for individuals to perform their jobs.

4. In the last column, list any other assets that may or may not be directly related to the other three columns. Examples are databases with customer information, systems used in production, word processors used to produce documentation, compilers used by programmers, and human resources systems.

Once you complete these steps to fill out Table 7.1, you will have a good understanding of the critical assets for your organization. With this information, you will know how best to devote your defensive efforts. Some specific protective steps will be examined later in this chapter.

Real-World Examples of Industrial Espionage

Now that you have been introduced to the concept of corporate espionage, let’s look at five actual cases. These case studies are of real-world espionage found in various news sources. This section should give you an idea of what types of espionage activities actually occur. Note that while some of these cases are a bit old, they do illustrate the way industrial espionage is done. And it is frequently the case that details of an industrial espionage incident do not emerge until many years later, if at all.

How Does Espionage Occur?

There are two ways that espionage can occur. An easy, low-technology avenue would be for current or former employees to simply take the data or for someone to use social engineering methods (discussed in Chapter 3, “Cyber Stalking, Fraud, and Abuse”) to extract data from unsuspecting company employees. The second, more technology-oriented method is for individuals to use spyware, which includes the use of cookies and key loggers. There are also other technological methods we will discuss.

Low-Tech Industrial Espionage

Corporate espionage can occur without the benefit of computers or the Internet. Disgruntled former (or current) employees can copy sensitive documents, divulge corporate strategies and plans, or perhaps reveal sensitive information. In fact, whether the method used is technological or not, disgruntled employees are the single greatest security risk to any organization. A corporate spy need not hack into a system in order to obtain sensitive and confidential information if an employee is willing to simply hand over the information. Just as with military and political espionage, the employees’ motives for divulging information vary. Some engage in such acts for obvious financial gains. Others may elect to reveal company secrets merely because they are angry about some injustice (real or imagined). Whatever the motive, any organization has to be cognizant of the fact that it has any number of employees who may be unhappy with some situation and have the potential to divulge confidential information.

Certainly, one can obtain information without the benefit of modern technology; however, computer technology (and various computer-related tactics) can certainly assist in corporate espionage, even if only in a peripheral manner. Some incidents of industrial espionage are conducted with technology that requires little skill on the part of the perpetrator, as illustrated in Figures 7.2 and 7.3. This technology can include using universal serial bus (USB) flash drives, compact discs (CDs), or other portable media to take information out of the organization. Even disgruntled employees who wish to undermine the company or make a profit for themselves will find it easier to burn a wealth of data onto a CD and carry that out in their coat pocket rather than attempt to photocopy thousands of documents and smuggle them out. And the new USB flash drives, smaller than your average key chain, are a dream come true for corporate spies. These drives can plug into any USB port and store a tremendous amount of data. As of this writing, one can easily purchase small portable devices capable of holding 2TB or more of data.

While information can be taken from your company without overt hacking of the system, you should keep in mind that if your system is unsecured, it is entirely possible that an outside party could compromise your system and obtain that information without an employee as an accomplice. In addition to these methods, other low-tech and even virtually “no-tech” methods can be used to extract information. Social engineering, which was discussed at length in Chapter 3, is the process of talking a person into giving up information she otherwise would not divulge. This technique can be applied to industrial espionage in a number of ways.

The first and most obvious use of social engineering in industrial espionage is in direct conversation in which the perpetrator attempts to get the targeted employee to reveal sensitive data. As illustrated in Figure 7.4, employees will often inadvertently divulge information to a supplier, vendor, or salesperson without thinking the information is important or realizing that it could be given to anyone. The attacker simply needs to try to get the target to talk more than she should. In 2009, there was a widely publicized case of a Russian spy ring working in the United States. One of their tactics was simply to befriend key employees in target organizations and, through ongoing conversations, slowly elicit key data.

Another interesting way of using social engineering is via email. In very large organizations, one cannot know every member, so a clever industrial spy could send an email message claiming to come from some other department and perhaps simply asking for sensitive data. A corporate spy might, for example, forge an email to appear to be coming from the legal office of the target company requesting an executive summary of some research project.

Computer security expert Andrew Briney says that people are the number-one issue in computer security.

Protecting Against Industrial Espionage

By now, you are aware that there are many ways that your organization’s valuable information assets can be compromised. What steps can you take to alleviate the danger? Note that I said alleviate the danger. There is nothing you can do to make any system, any information, or any person totally secure. Totally unbreakable security is simply unattainable. The best you can do is work to achieve a level of security that makes the effort required to get information more costly than the value of the information.

One obvious protection is to employ antispyware software. As mentioned earlier in this book, many antivirus programs also have antispyware capabilities. This software, coupled with other security measures, such as firewalls and intrusion detection software (examined in Chapter 9, “Computer Security Technology”), should drastically reduce the chance that an outside party will compromise your organization’s data. Furthermore, implementing organizational policies (also discussed in Chapter 9) that help guide employees on safely using computer and Internet resources will make your system relatively secure. If you add to your protection arsenal the strategy of encrypting all transmissions, your system will be as secure as you can reasonably make it. (Chapter 8, “Encryption,” is devoted to encryption.) However, all of these techniques (firewalls, company policies, antispyware, encryption, and so forth) will only help in cases in which the employee is not the spy. What do you do to ameliorate the danger of employees intentionally stealing or compromising information? Actually, there are several courses of action any organization can take to lessen risks due to internal espionage. Here are 12 measures you can use:

• Always use all reasonable network security: firewalls, intrusion detection software, antispyware, patching and updating the operating system, and proper usage policies.

• Give the personnel of the company access to only the data that they absolutely need to perform their jobs. This concept is referred to as least privileges. The employees are given the minimum privileges necessary to perform their job tasks. Use a need-to-know approach. One does not want to stifle discussion or exchange of ideas, but sensitive data must be treated with great care.

• If possible, set up a system for those employees with access to the most sensitive data in which there is a rotation or a separation of duties. In this way, no one employee has access and control over all critical data at one time.

• Limit the number of portable storage media in the organization (such as CD burners and flash drives) and control access to these media. Log every use of such media and what was stored. Some organizations have even prohibited cell phones because most phones allow the user to photograph items and send the pictures electronically.

• Do not allow employees to take documents/media home. Bringing materials home may indicate a very dedicated employee working on her own time or a corporate spy copying important documents and information.

• Shred documents and melt old disks/tape backups/CDs. A resourceful spy can often find a great deal of information in the garbage. If any storage media is disposed of, it should be completely wiped. Degaussing is a good technique for hard drives and USB drives.

• Do employee background checks. You must be able to trust your employees, and you can only do this with a thorough background check. Do not rely on “gut feelings.” Give particular attention to information technology (IT) personnel who will, by the nature of their jobs, have access to a wide variety of data. This scrutiny is most important with positions such as database administrators, network administrators, and network security specialists.

• When any employee leaves the company, scan the employee’s PC carefully. Look for signs that inappropriate data was kept on that machine. If you have any reason to suspect inappropriate usage, then store the machine for evidence in subsequent legal proceedings.

• Keep all tape backups, sensitive documents, and other media under lock and key and allow limited access to them.

• If portable computers are used, then encrypt the hard drives. Encryption prevents a thief from extracting usable data from a stolen laptop. A number of products on the market can accomplish this encryption, including the following:

  • VeraCrypt (see Figure 7.5) is one example of a free tool for encrypting drives, folders, or partitions. The tool is remarkably easy to use and can be found at https://www.veracrypt.fr. There are several other similar tools, most of which are low cost or free.

    

  • Microsoft Windows includes two types of encryption. Windows 7 Enterprise or Ultimate editions included BitLocker for encrypting entire hard drives. BitLocker is also available on later versions of Windows (8, 8.1, 10). And all versions of Windows since Windows 2000 have included Encrypted File System for encrypting specific files or folders (see Figure 7.6).

    

  • This list is not exhaustive; therefore, it is highly recommended that you carefully review a variety of encryption products before making a selection.

  • Have all employees with access to any sensitive information sign nondisclosure agreements. Such agreements give an employer recourse in the event that an ex-employee divulges sensitive data. It is amazing how many employers do not bother with this rather simple protection.

• Conduct security awareness sessions. Clearly, employee education is one of the most important things you can do. An organization should have some method for routinely advising employees about security issues. An excellent way to do that is to have an intranet site with bulletins posted to it. It is also a good idea to hold periodic training sessions for employees. These need not be lengthy or in depth. Most nontechnical employees only need an introduction to security concepts.

Unfortunately, taking these simple measures will not make you totally immune to corporate espionage. However, using these strategies will make any such attempts much more difficult for any perpetrator; thus, you will improve your organization’s data security.

The Industrial Espionage Act

The Industrial Espionage Act of 1996 was the first U.S. law to criminalize theft of commercial trade secrets. This law provides for significant penalties for violators. The following wording is quoted from the law:

(a) Whoever, with intent to convert a trade secret, that is related to or included in a product that is produced for or placed in interstate or foreign commerce, to the economic benefit of anyone other than the owner thereof, and intending or knowing that the offense will injure any owner of that trade secret, knowingly—

(1) steals, or without authorization appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains such information;

(2) without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys such information;

(3) receives, buys, or possesses such information, knowing the same to have been stolen or appropriated, obtained, or converted without authorization;

(4) attempts to commit any offense described in paragraphs (1) through (3); or

(5) conspires with one or more other persons to commit any offense described in paragraphs (1) through (3), and one or more of such persons do any act to effect the object of the conspiracy, shall, except as provided in subsection (b), be fined under this title or imprisoned not more than 10 years, or both.

Spear Phishing

Phishing, as you know, is the process of attempting to get personal information from a target in order to steal the target’s identity or compromise the target’s system. A common technique is to send out a mass email that is designed to entice recipients to click on a link that purports to be some financial institution’s website but is actually a phishing website.

Spear phishing uses the same technology as phishing but in a targeted manner. For example, if an attacker wanted to get into the servers at a defense contractor, he might craft email and phishing websites specifically to target software and network engineers at that company. The emails might be made to appeal to that specific subgroup of people. Or the attacker might even take the time to learn personal details of a few of these individuals and target them specifically. This technique has been used against executives at various companies. In 2010 and 2011, this problem began to grow significantly.

Whaling is a form of phishing in which an attacker attempts to compromise information regarding a specific highly valuable employee. It involves the same techniques as phishing but is highly customized to increase the chances that the single individual target will be fooled and actually respond to the phishing attempt.

Summary

A number of conclusions can be drawn from this chapter’s examination of industrial espionage. The first conclusion: It does indeed occur. The case studies clearly demonstrate that industrial espionage is not some exotic fantasy dreamed up by paranoid security experts. It is an unfortunate, but quite real, aspect of modern business. If your firm’s management chooses to ignore these dangers, then they do so at their own peril.

The second thing that can be concluded from this brief study of industrial espionage is that there are a variety of methods by which espionage can take place. An employee revealing confidential information is perhaps the most common. However, compromising information systems is another increasingly popular means of obtaining confidential and potentially valuable data. You will want to know the best way to protect your company and yourself. In the upcoming exercises, you will run screen-capture software, key loggers, and antispyware so you can learn more about espionage tactics and how to deal with them.

Test Your Skills