In the first two articles in this series, I reviewed some of the information in the annual reports of the National Counterintelligence Center and later the Office of the National Counterintelligence Executive. In this article, I pass along some interesting estimates from surveys of industrial espionage conducted by security associations and cited by the NACIC itself.

In 1995, the American Society for Industrial Security (ASIS) ran a survey that was used by NACIC in its report. Among the significant findings were the following (quoting NACIC but adding bullets):

* Reported incidents increased 323% since 1992.
* Losses of corporate information increased from a reported 9.9 incidents per month in 1992 to an average of 32 incidents per month in 1995.
* About three-fourths of reported losses occurred in the U.S., and the majority of those incidents involved ''trusted relationships'' (employees, vendors, contractors, retirees, and so forth).
* Other incidents were attributable to a variety of sources: domestic competitors, computer hackers, foreign competitors, foreign intelligence services, and foreign business partners.
* Of incidents outside the U.S., approximately half took place in countries traditionally considered allies of the U.S.
* Foreign nationals were identified in 21% of the incidents where the perpetrator's nationality was known.

The 1997 NACIC report cited work by the Computer Security Institute (CSI) in cooperation with the FBI’s International Computer Crime Squad in San Francisco. Interesting results included the following (bullets added to verbatim quotes):

* According to the survey, about 75% of the 563 responding corporations, government agencies, financial institutions and universities surveyed by CSI reported financial losses in the past 12 months.

* [In 1996] financial losses from financial fraud, computer viruses, sabotage, and theft of proprietary information and laptops were up seven percent and topped $100 million. Reflecting the increased competition in the global marketplace, over 50% of the respondents cited foreign competitors as a likely source of attack and 22% cited foreign governments as a likely source of attack.

* The survey also showed that only 17% of the respondents reported crimes to law enforcement authorities. There appears to be reluctance on the part of the private sector to report allegations of computer and economic crime to law enforcement authorities. A large number of these crimes go unreported because of a company's fear of undermining the confidence of their shareholders, negative publicity, and further exposure of trade secret information during prosecution.

M. E. Kabay, PhD, CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance program at Norwich University.