A software engineer illegally downloads data worth an estimated $10 million to $20 million about plans for a new version of a well-known computer processor.
A Russian hacker breaks into a bank's network and transfers millions of dollars to accounts around the world.
China sends an undercover agent to the U.S. to learn about corporate America's greatest technology secrets.
Although these incidents sound like plots for James Bond flicks, each actually happened. When the cold war ended, many foreign intelligence agents who were suddenly out of work found lucrative employment in economic espionage.
Several foreign governments assist companies in business intelligence activities that further their national interests, according to congressional records and other published reports. Surprisingly, the offenders most often cited aren't usually thought of as U.S. adversaries - France, Germany, Israel and South Korea.
The reason comes as no surprise: It's the allure of cold, hard cash. U.S. firms spend more on research and development than many of our foreign counterparts. Some foreign interests figure it's easier and more cost-effective to acquire certain proprietary infor-mation from U.S. companies than to develop it themselves.
"Certain business information is more valuable than heroin," says Larry Watson, national program manager for the FBI's Awareness of National Security Issues & Response (ANSIR) unit. ANSIR regularly alerts U.S. companies via e-mail and fax to potential economic threats from foreign sources.
Intellectual property theft costs U.S. companies $100 billion per year, according to ANSIR estimates. The American Society for Industrial Security (ASIS), an Alexandria, Va.-based organization of security professionals, thinks the figure is much higher - around $300 billion per year.
There's great demand for customer lists, research and development data, product and process information, manufacturing and marketing plans, and security techniques. Companies in the high-tech, manufacturing and service industries are the most attractive targets, according to ASIS.
And don't count on the law to protect your company's assets. While the U.S. has the Economic Espionage Act of 1996 and extensive intellectual property and trade secret laws, other countries do not.
That means even if you have the goods on the bad guys, it may be hard to prosecute them, says Stevens Miller, a network security specialist for Decision Strategies Fairfax, LLC, an international investigative firm in Falls Church, Va. Borders can be a tremendous boon to foreign snoops and a hindrance to U.S. companies that are trying to stop criminals from exploiting proprietary data outside the country, says Miller, who also has a law degree.
Distance and physical security offer little protection in the high-tech world. Spies can snoop - legally or illegally - through your network or Web site, and can contact your employees, clients and vendors via e-mail or usenet groups.
To fight back, Matt Mancuso, a network security analyst with Price Waterhouse, in Baltimore, suggests you assess your current security risks, standardize your network and implement centralized audit and intrusion-detection capabilities. How-ever, none of that will work if you fail to educate users about corporate espionage and are lax in maintaining a security compliance program.
The variables in network security - the mix of protocol, network setup and type of end user - are potential security weaknesses, Mancuso explains. Most companies haven't fully thought out where to apply certain controls for public or private data, particularly when it comes to the Internet.
For example, if your security policy calls for encrypting sensitive data before transmitting it over the 'Net, you need to define proper data classifications and where to apply the policy, Mancuso says. Pin down who truly needs access to sensitive or proprietary information and how to keep it secure.
But protecting your network from spying activities isn't enough. Businesses need to rethink the free flow of information, according to Miller. "A clever investigator can infer a great deal from the information on your Web page," he says.
For instance, someone monitoring your company directory may be able to determine the type of projects your company is working on by examining changes in personnel. Think twice before posting this data, and ask yourself whether your company's Web presence makes your firm an easy target.
Naturally, it is better to plan ahead and protect your data before it is compromised, Mancuso warns. Once an intruder gains access to your data, not only will you have to rebuild your network security system, recompile compromised data and undergo downtime, but your company's income stream will suffer from lost opportunities.
Unfortunately, you may not know your systems have been breached until your trade secrets appear in your competitor's products. If that competitor operates in another country, good luck trying to recoup your losses.
"It's a fool's errand to believe you can prevent all corporate espionage," Miller says. "You just don't want to be the easy nut to crack."
Prencipe is a freelance writer and an attorney in Springfield, Va. She can be reached at LWPrencipe@mailexcite.com.
Special section on securing the enterprise, Network World, 1/27/97.
US National Counterintelligence Center
The Federal Bureau of Investigation
Main page for security company and hacker page links.
