The Cold War has ended and many thought that this would end the need for spying and espionage. Of course, this was not the case, an even bigger threat has risen, and it has no nation or face. This new threat is called Economic Espionage and it is causing governments and businesses billions of dollars in lost information. In 1993, R. James Woolsey compared the Russians to a large dragon and terrorist to poisonous snakes, “We have slain a large dragon.” He then added: “But we live now in a jungle filled with a bewildering variety of poisonous snakes. And in many ways, the dragon was easier to keep track of.” (Arkin, 1994, p. 64) I go a step further and say that we now have spiders in the web of information. Like real spiders, and unlike snakes, they can be anywhere, your office, home, work, and they often go unnoticed. These spiders are hackers, the spies of your competitors, as well as foreign spies involved in industrial espionage.
According to the Encyclopedia of American Espionage, the definitions of espionage and industrial espionage are as follows:
“Espionage can be defined as the clandestine and unlawful stealing of political, business, or military secrets. Espionage takes place in both times of peace and in wartime. It is done by civilians or by military personnel. (Hastedt, 2011, p. 388)
Industrial espionage is usually the focus of clandestine operations during peacetime” (Hastedt, 2011, p. 388)
Industrial Espionage is like a lone wolf. It is espionage from a business perspective. The main goal is to be on top of the market and squash the competition. The other espionage is Economic Espionage and it is sponsored by a government to better or enhance the country’s needs. The FBI describes it as “(1) whoever knowingly performs targeting or acquisition of trade secrets to (2) knowingly benefit any foreign government, foreign instrumentality, or foreign agent. (Title18 U.S.C., Section 1831).” It’s espionage on a greater scale from country to country. This type of espionage operates in the target selection in three ways;
- They aggressively target and recruit insiders (often from the same national background) working for U.S. companies and research institutions;
- They conduct economic intelligence through operations like bribery, cyber intrusions, theft, dumpster diving (in search of discarded intellectual property or prototypes), and wiretapping; and,
- They establish seemingly innocent business relationships between foreign companies and U.S. industries to gather economic intelligence, including trade secrets. (Investigation)
It’s similar to the three espionage tactics used by businesses for Industrial Espionage;
1. Steal, conceal, or carry away by fraud, artifice, or deception;
2. Copy, duplicate, sketch, draw, photograph, download, upload, alter, destroy, photocopy, replicate, transmit, deliver, send, mail, communicate, or convey;
3. Receive, buy, or possess a trade secret, knowing the same to have been stolen or appropriated, obtained, or converted without authorization. (Investigation)
One of the earliest known acts of Industrial Espionage was perpetrated by Alfred Do Pont in 1889 when the U.S. Army Chief of Ordnance wanted Du Pont to steal the secrets of the French smokeless gunpowder. At first Alfred tried to bribe French officers overseeing the project, but he failed. So he did the next best thing and went undercover. He posed as a factory worker to gain access to the facility and succeeded.
There are three reasons why someone would commit Industrial Espionage;
- To steal information or data
- To destroy information or data
- To alter information or data.
Du Pont was stealing data from within the company. The threat was an “insider attack”, one of the three threat attack types which include external attacks, insider attacks, and malicious code. According to the PSI Handbook an external attack “comes from people who use weaknesses in a computer system or software to gain access to a system.” (Coombs, 2008, p. 2) An example would be the group Anonymous who has been terrorize business and government agencies worldwide and become more aggressive when the US government arrested Megaupload creator Kim Dotcom. Insider threat attacks are performed by “current or former employees, including contract workers.” (Coombs, 2008) Which is seen by the example of Du Pont and the number one threat I see here in the Dominican Republic outsourcing call centers? The third malicious codes are “viruses, worms, and Trojan horses.” (Coombs, 2008)
How do we combat these threats? By having a good operational security (OPSEC) plan. OPSEC is “a formal process for looking the protection of critical information from the viewpoint of an adversary and then denying that adversary the information it needs” (Purpura, 2008, p. 515)
US companies experienced attacks while outsourcing to the Dominican Republic. Agents were approached by unknown individuals willing to pay top $$$ for customers phone numbers and account details from Sprint in the Dominican Republic. These individuals then clone the phone numbers and sell them or make calls to and from the Dominican Republic with the stolen numbers. Even worse was when credit card information was stolen from within the company and the thieves use the card numbers to purchase over the internet. This happened frequently because customer service agent left on break and didn’t lock their computers. Eventually the FBI swarmed in with helicopters and SWAT. The Company closed for almost two months while every computer was investigated line by line.
Having a strong password can stop insider threats from using your computer at the office. The password must be strong. It should be mixed with upper and lower case letters along with numbers and a special character. For example [ 4ex@mPle]. Another great tool for combating insider threats is having employee’s company emails monitored. An example is what almost happened with Kodak and my current employer Xerox back in 1999.
In 1999 Kodak company secrets almost landed in the hands of the competition, in this case, the Xerox Company. It wasn’t a counter-espionage agent or a great security measure that stopped the threat. What prevented the plans success was a simple discovery made by mistake. This threat came from a temp who should not have had access to any sensitive information in the first place. The first mistake she made was trying to send email through an email gateway that was provide by the company. She used and email address something like email@example.com. These emails are always monitored and can be read at any time. This security measure would not have stopped the plan because by the time the company read the email it would have been too late. What did foil the plan was the file she attached to the email was over the allowed limit and caused the email to bounce, which sparked an investigation. This was probably handled by the web administrator in charge of maintaining the network, not someone involved in intelligence countermeasures.
On their web site, the FBI lists some of the reasons insider attacks occur;
- Greed or Financial Need:
- Anger/Revenge: Disgruntlement to the point of wanting to retaliate against the organization.
- Problems at work: A lack of recognition, disagreements with co-workers or managers, dissatisfaction with the job, a pending layoff.
- Ideology/Identification: A desire to help the “underdog” or a particular cause.
- Divided Loyalty: Allegiance to another person or company, or to a country besides the United States.
- Adventure/Thrill: Want to add excitement to their life, intrigued by the clandestine activity, “James Bond Wannabe.”
- Vulnerability to blackmail: Extra-marital affairs, gambling, fraud.
- Ego/Self-image: An “above the rules” attitude, or desire to repair wounds to their self-esteem. Vulnerability to flattery or the promise of a better job. Often coupled with Anger/Revenge or Adventure/Thrill.
- Ingratiation: A desire to please or win the approval of someone who could benefit from insider information with the expectation of returned favors.
- Compulsive and destructive behavior: Drug or alcohol abuse, or other addictive behaviors.
- Family problems: Marital conflicts or separation from loved ones.
They also list areas of breach which companies could have prevented with better security measures;
- The availability and ease of acquiring proprietary, classified, or other protected materials. Providing access privileges to those who do not need it.
- Proprietary or classified information is not labeled as such, or is incorrectly labeled.
- The ease that someone may exit the facility (or network system) with proprietary, classified or other protected materials.
- Undefined policies regarding working from home on projects of a sensitive or proprietary nature.
- The perception that security is lax and the consequences for theft are minimal or non-existent.
- Time pressure: Employees who are rushed may inadequately secure proprietary or protected materials, or not fully consider the consequences of their actions.
- Employees are not trained on how to properly protect proprietary information.
The other threat a company faces is from the outside and these threats come mainly from hackers such as the Anonymous group. There are many schools of thought on the typology of hackers, but the main two used in this article are from John Maxfield and Larry Coutourie.
The first typology comes from Maxfield (1985):
- Pioneers — those who are fascinated by evolving technology and explore it without knowing exactly what they are going to find
- Scamps — hackers with a sense of fun who intend no overt harm
- Explorers — hackers motivated by a delight in breaking into computer systems. The more geographically distant, or more secure the target it, the greater the delight
- Game players — those who enjoy defeating software or system protection, with hacking seen as a sort of game itself
- Vandals — those who cause damage for no apparent gain
- Addicts — nerds who are literally addicted to hacking and computer technology. (Maxfield, 1984)
A second typology describes the relationship of a hacker to their computer: (Coutourie, 1989)
- Playpen — in which the computer is seen as a toy
- Fairyland — where cyberspace is an unreal world where wrong cannot be done
- Land of opportunity — where there’s nothing wrong with exploiting a vulnerable system
- Tool box — in which the computer is just a way to get other things done
- Cookie jar — with the computer as a place to go borrow things now and again
- War game — where hostile feelings are vented against machines rather than people
The snakes mentioned early are still in play when it comes to this type of espionage. Just recently a video from Al-Qaeda came out issuing a virtual jihad. “Al Qaeda may be turning its destructive attention to cyber-warfare against the United States. In a chilling video, an al Qaeda operative calls for “electronic jihad” against the United States, and compares vulnerabilities in vital American computer networks to the flaws in aviation security before the 9/11 attack.” (Cloherty, 2012)
So you see, having a good OPSEC can reduce the threat. It may not stop all threats because the computer spies are always advancing faster then we can protect our information. I discussed just two types of threats and briefly touch on hackers and terrorist. I focused more on the insider threat because of my own experiences working in call centers in foreign countries and those are threats we face most often and the ones we need to guard against daily.
Arkin, W. M. (1994). The 30-Minute World . The Bulletin of the atomic scientists Volumen 50 , 64.
Cloherty, J. (2012, May 22). Virtual Terrorism: Al Qaeda Video Calls for ‘Electronic Jihad’. Retrieved May 25, 2012, from ABC News: http://news.yahoo.com/virtual-terrorism-al-qaeda-video-calls-electronic-jihad-214355054.html
Coombs, W. T. (2008). PSI Handbook of Business Security Volumes 1 . Westport, Connecticut: PRAEGER SECURITY INTERNATIONAL.
Coutourie, L. ( 1989). The Computer Criminal- An Investigative Assessment. FBI Law Enforcement Bulletin , 18-21.
Hastedt, G. P. (2011). Spies, Wiretaps, and Secret Operations; An Encyclopedia of American Espionage. Santa Barbara, California: ABC-Clio.
Investigation, F. B. (n.d.). Economic Espionage. Retrieved April 14, 2012, from The FBI Federal Bureau of Investigation: http://www.fbi.gov/about-us/investigate/counterintelligence/economic-espionage
Maxfield, J. F. (1984). Computer Bulletin Boards and the Hacker Problem. The Electric Data Processing Audit, Control and Security Newsletter. , 32-33.
Purpura, P. (2008). Security and Loss Prevention: An Introduction. San Diego, CA: Butterworth-Heinemann.