Have you, your company, or anyone you know ever been a victim of economic espionage? Actually, it might be a good issue to bring up at a staff meeting to see everyone's reaction: Many companies lack comprehensive counterespionage and information security programs designed to thwart IT and trade secret attacks.
In fact, the 2008 Computer Security Institute Security Survey Report revealed 53 percent of respondents to CSI's annual survey allocated five percent or less of their IT budget to information security. Further, the survey reflects that on average, over the last five years, 10 percent of the respondent companies had incidents of theft or compromise of proprietary information.
Now, here's the interesting part: Of 5,000 survey forms sent out to companies, asking about their information security programs and what IT or proprietary information compromise incidents they've had, only 10 percent came back completed, suggesting very few wanted to disclose problems they've had.
Given the above, this month's issue is devoted to discussing corporate espionage, IT compromise, and trade secret infringement.
The U.S. Economic Espionage Act of 1996 (EEA) makes the theft or misappropriation of a trade secret a federal crime. This law contains provisions for criminalizing two types of activity. The first provision criminalizes the theft of trade secrets to benefit foreign powers, and the second criminalizes the theft for commercial or economic purposes. The EEA also has extraterritorial jurisdiction when the offender or the victim is a U.S. citizen.
The EEA is a broad law that provides for criminal prosecution of individuals who steal, appropriate, buy, receive, or possess a trade secret without authorization. It also provides for prosecution of individuals who conspire to steal a trade secret. Maximum penalties for an individual include a fine of $500,000, 15 years in prison, or both. In some cases, organizations convicted under this law can face much higher penalties.
Although the law tries to protect the trade secrets of U.S. entities, individuals or organizations victimized by economic espionage must produce documentation showing reasonable steps were taken to protect trade secrets from theft and compromise. If effective security controls cannot be established, the success of prosecution under the EEA can be severely jeopardized.
The following would represent documented efforts to effectively protect trade secrets:
• Clear written policies and procedures regarding trade secrets and information security.
• A formally established security unit tasked in writing to protect trade secrets.
• Nondisclosure statements for employees and contractors.
• Physical, technical, and electronic security protection of trade secrets.
• Access to trade secrets on a need-to-know basis.
• Periodic and random technical countermeasure surveys to reduce the risk of electronic eavesdropping.
• A formal background investigation of all employees and contractors having access to trade secrets.
• A formal mechanism for investigating breaches in the security of trade secret protection.
A landmark case prosecuted under the EEA shortly after the law's enactment involved economic espionage in which more than $60 million worth of Avery Dennison documents, adhesive formulas, tapes, and primers was stolen by an Avery Dennison employee (Ten-Hong Lee) who was a "mole" for Taiwan-based Four Pillars. Lee was paid $160,000 to steal Avery's trade secrets.
Ironically, a Four Pillars employee alerted Avery to Lee's activities. Lee was persuaded to cooperate with authorities after the FBI arrested him in a sting operation.
When the top executives of Four Pillars came to the U.S. to meet with Lee, he was wired with audio and video equipment as he provided Avery documents to them. The executives were arrested as they attempted to leave the U.S., convicted under the EEA, and ordered to pay $5 million in fines.
A recent case that was not prosecuted under the EEA involved funneling controlled U.S. defense documents to the Chinese government. Chi Mak, a naturalized U.S. citizen, was employed by Power Paragon, an Anaheim, CA-based defense contractor. Mak, his brother, and his sister-in-law were arrested in 2005 as they boarded a flight for Hong Kong. FBI agents subsequently found three encrypted CDs containing documents on submarine propulsion.
In May 2007, Mak was convicted of being an unregistered foreign agent, attempting to violate export control laws, conspiracy, and making false statements to the FBI. In 2008, he was sentenced to 24 years in federal prison.
Why the increase in espionage? Many readers would be surprised to learn more FBI resources are devoted to espionage cases today than before the end of the Cold War. In part, this increase is attributed to globalization; poor pre-employment investigation and vetting by employers; non-existent information security programs; lack of a capability to investigate information compromise; and poorly enforced IT policies.
The following are some ways corporate travelers can reduce their risk of having proprietary information compromised:
• Encrypt sensitive business information and trade secrets on laptop computers.
• Do not set up auto-logon on laptops that are a pathway into the corporate intranet.
• Do not leave laptops in hotel rooms, particularly abroad.
• Do not discuss sensitive business issues on the telephone. Phone calls can be compromised and eavesdropped on.
• Don't throw any printed sensitive business information into a trash can, particularly when traveling.
• Take steps to prevent key-logging programs from being installed on your laptop.
• Don't use hotel business centers to print sensitive documents.
• Realize hostile listening devices can be placed in your hotel room, your car or conference rooms where sensitive discussions may take place.
• Don't use BlackBerries and other smartphones in China, where compromise is very probable.
Below are useful resources on the EEA and economic espionage:
http://www.cybercrime.gov/eea (Information on the substance of EEA, as well as resulting convictions.)
http://www.ncix.gov/publications (Access the 2005 Annual Report to Congress: Foreign Economic Collection and Industrial Espionage.)
If you'd like a copy of CSI's annual security survey report, go to www.gocsi.org, where you can download a copy of the report.
Ed Lee is a retired U.S. State Department diplomat and Regional Security Officer (RSO) who spent most of his life abroad, protecting U.S. diplomats and American business executives. He is the author of Staying Safe Abroad: Traveling, Working & Living in a Post-9/11 World. He can be reached at firstname.lastname@example.org.