Next message: mea culpa: "[ISN] Sendmail Releases MIME Buffer Overflow Fix"
Forwarded From: "Spencer, Will" <wspencer�t_private>
Corporate Snoops Sharpen Skills
(Washington Times; 08/31/98)
They made one critical mistake: They never checked the shoes. The
managers of the Long Island Grumman aircraft plant did everything else
imaginable to ensure their facility met national-security standards for a
visiting delegation of Russian scientists - no cameras allowed and no note
taking.
But security officials failed to inspect the soles of the shoes the
Russians were wearing. On the bottom of those soles was reversed adhesive
tape to collect slivers of metal alloys which, when analyzed later,
identified the precise metallic components used to build U.S. fighter
planes.
While that incident occurred 15 years ago during the Cold War - and
Grumman still does not want to talk about it - intelligence experts are
warning that industrial espionage in America has not slowed. Many of those
Cold War spies who once targeted military secrets have been reassigned to
snoop the economic front.
Why target America? It holds 70 percent of the world's intellectual
property, leads in research and development by spending $125 billion
annually - and within the decade the government and the private sector
together are expected to spend another $2 trillion on research.
The means to obtain such American secrets can be as open as pursuing
public documents on the Internet and include a host of creative schemes
that have given nightmares to many a corporation. South Koreans have
dipped their ties into lab samples. French intelligence officers posing as
flight attendants bugged first-class seats on Air France flights. Japan is
constructing a national phone- tapping network to eavesdrop on its
neighbors.
The spying boom has resulted in a cottage industry of spy busters
consisting mostly of ex-CIA agents, retired cops, private detectives and
National Security Agency snoops who try to persuade American corporations
to invest in security. Curiously, it has been a hard sell.
The American Society for Industrial Security, or ASIS, released a
survey in March that shows 62 percent of a list of the Fortune 1000
companies and the 300 fastest-growing companies have no procedures for
reporting information loss, and another 40 percent have no formal program
for safeguarding proprietary information. Less than 3 percent of their
budgets are spent on security. The White House Office of Science and
Technology Policy estimates that 6 million American jobs have been lost to
economic espionage. At the same time, ASIS reports five times more
companies than in the 1997 survey believe intellectual- property theft is
increasing, but no one wants to watch the store. What's going on here?
"We would like U.S. executives to sit up and listen," says Richard
Heffernan, who runs the Connecticut-based security company R.J. Heffernan
Associates Inc. "American industry just doesn't realize it's getting
ripped off from pharmaceuticals to entertainment to auto manufacturers.
People don't see the problem, but the problem is real."
American corporations lost $250 billion worth of intellectual property
to foreign and domestic spies last year, according to a survey by ASIS,
which Heffernan coauthored. ASIS documented more than 1,100 incidents of
economic espionage and 550 suspected incidents in a survey of 1,300
companies. The most frequent targets were high-tech companies, followed
by manufacturing and service industries.
Heffernan says the spies - mostly insiders with trusted relationships -
target research-and-development strategies, manufacturing and marketing
plans and customer lists. The penetration of information and
communications systems is the fastest-growing threat. Heffernan says
computers and telecommunication systems are at risk - especially voice
mail where messages easily are stolen by high-tech hackers.
The attack on U.S. corporations from domestic and foreign companies
resulted in a 323 percent increase in economic espionage in a four-year
span, according to ASIS. That in part led to Congress passing the Economic
Espionage Act last year.
The law imposes a 15-year prison term and/or a maximum $500,000 fine on
any person and a $10 million fine on any organization that steals or
destroys a trade secret of value with intent to benefit any foreign power.
It also imposes a 10-year prison term and/or a maximum $250,000 fine on
any person and a $5 million fine on any organization who knowingly steals
or destroys any trade secret with intent economically to benefit anyone
other than the owner and injure the owner of the trade secret.
Since its passage, less than half a dozen prosecutions have occurred
despite the fact that the FBI compiled about 700 cases. "There is an
embarrassment factor. A company fears that if it is publicly known they
were victims of espionage they will be criticized by investors," says
Michael Hershman, a former senior investigator for the Watergate Committee
who now runs a security- consulting firm, Hershman Decision
Strategies/Fairfax International. "This is no longer a funny game; this
is a substantial problem."
He says the law does little to protect against serious threats that
come from foreign competitors who have no financial base in the United
States with assets that could be seized to satisfy a court judgment. "In
foreign jurisdictions there is an inability to protect proprietary
information," Hershman adds. "The standards of morality are different, and
companies have walked away because they couldn't protect their interests."
Coca-Cola, for instance, pulled out of deals in India when potential
bottlers there demanded the secret formula. "Once that formula is out of
the bag, there is no way to retrieve it," he explains.
Security consultants say corporations fear court battles - particularly
criminal cases in which a higher standard of proof is required - because
trade secrets may leak onto the public record during the trial. One case
illustrating this involves Bristol-Myers Squibb Co. and the theft of its
cancer-fighting drug, Taxol. When the FBI busted two Taiwanese men for
allegedly trying to steal the secret formula for Taxol, it seemed guilty
verdicts would come quickly. Last October, however, a federal judge
ordered prosecutors to turn over to the defendants and their lawyers the
confidential documents that the defendants were charged with trying to
steal. The judge ruled that the defendants' lawyers needed that evidence
to prepare their defense and that the rights of defendants to a fair trial
outweigh the proprietary rights of Bristol- Myers. Prosecutors since have
appealed that ruling.
Arthur Hulnick, a former CIA operative who now lectures at Boston
University, says the case represents a serious problem with law. "Why
would a company turn over its trade secrets to someone who is accused of
stealing them? It is not surprising to me that companies would be
reluctant to come forward. We are going to have to take another look at
revising the Economic Espionage Act because a company has to be able to
protect its secrets." In the meantime, Hulnick suggests business schools
start offering courses in industrial security.
Lynn Schloesser, director of federal affairs, Eastman Chemical Co.,
says the law doesn't go far enough. The government is downloading business
regulatory documents on the Internet - making business secrets and
strategies readily available in real time to competitors.
Such strategies are important. In 1989, for instance, Coors Brewing Co.
became concerned that competitor Anheuser-Busch might be preparing to move
into the Rocky Mountain region to attack Coors' market there. Coors hired
a consulting firm, which obtained wastewater-discharge permits from the
Environmental Protection Agency, or EPA, and learned through analyzing the
data that Anheuser- Busch couldn't handle such a move. Coors didn't have
to spend money to fight a nonexistent threat.
Today this type of information is available at the stroke of a key. It
means product testing, results and analysis all are available to the
competition even before the competitive product is put on the market.
"This is the trend of regulatory agencies," Schloesser says. "It is the
beginning of intelligence gathering. It is the mother lode of data
mining."
Previously, competitors had to shuffle through thousands of files in
various jurisdictions, which sometimes took years to assemble and greatly
reduced early response to the threat of a competitor. Now about 100
million pages are being downloaded per year at the EPA alone, and the
computer hits there have increased from about 2 million in 1994 to 36
million in April - and most recently to about 43 million.
Another problem with this dissemination of federally required records
is that the plan for U.S. emergency response - known as the
risk-management plan or worst-case scenario, is expected to be published
on the Internet in June 1999. This could include sensitive information of
great use to Saddam Hussein or terrorists in search of target information.
The FBI has asked to review it before any such release, but no authority
exists to prevent a regulatory agency from publishing it. "This is like
throwing a loaded weapon on a playground," Schloesser says. "We need to
get a dialogue with the executive branch to balance these concerns. We
want enough public disclosure to meet goals of health safety and
environment, but at the same time we want to protect against espionage and
terrorism. That dialogue right now doesn't exist."
Still, the Economic Espionage Act has had some impact. Three recent
cases brought under the act ended with convictions; two ended with guilty
pleas - one from former employees of PPG Industries Inc. of Pittsburgh,
who were accused of stealing secrets relating to a fiberglass
manufacturing plant, and another with guilty pleas from former employees
of Gillette Co. of Boston, who were accused of stealing a new shaving
cream. In yet another case, involving Avery Dennison Corp., a California
label maker, a former employee pleaded guilty to selling information about
adhesive technology to a Taiwan company. He is cooperating with the FBI to
catch Taiwan citizens who also may be involved.
Although the Republic of China on Taiwan has denied playing a role in
the Bristol-Myers theft, if it was involved it certainly would fit a
pattern outlined by John Fialka in his critically acclaimed book War by
Other Means: Economic Espionage in America. Fialka writes that agents from
China, Taiwan and South Korea aggressively are targeting present and
former nationals working for U.S. companies and research institutions.
Even France, he says, employs "classic Cold War recruitment and technical
operations, which generally include bribery, discreet thefts, combing
through other people's garbage and aggressive wiretapping," while Japan
uses Japanese private industry and organizations to pursue classified
proprietary documents and data.
A National Counterintelligence Center report provided to Congress last
year showed spying methods are changing from "a reliance on clandestine
and illegal activity to overt and legal collection." The report noted that
foreign spies have targeted aeronautics systems, armaments and energy
materials, chemical and biological systems, directed and kinetic energy
systems, electronics, guidance systems, information systems, information
warfare, manufacturing and fabrication, marine systems, nuclear systems,
sensors and lasers, space systems and weapons-effects and countermeasures.
That report also cited companies targeted for espionage in the last few
years: IBM Corp., Corning Inc., Honeywell Corp., Eastman Kodak, 3M Corp.,
AT&T and General Electric.
While the Counterintelligence report failed to identify the offending
countries, the ASIS report ranks the greatest potential threats as
follows: People's Republic of China, Japan, France, Canada, Mexico, the
United Kingdom, South Korea, Germany, Russia and Brazil, according to
ASIS. In fact, FBI Director Louis Freeh warned Congress earlier this year
that 23 countries actively are involved in illicit acquisition of U.S.
trade secrets and 12 have targeted U.S. "proprietary economic information
and critical technologies."
Of those countries, Communist China poses "the greatest security threat
to the U.S. today," says W. Raymond Wannall, a retired FBI assistant
director in charge of counterintelligence. Wannall tells Insight, "China
has the largest presence in our country of any foreign nation - 3,500
diplomats and commercial representatives and over 90,000 scholars and
visiting delegations. Intelligence officers and agents among this large
pool of Chinese nationals pose a serious intelligence and espionage
threat."
While foreigners are finding both legal and illegal ways to obtain U.S.
trade secrets, another emerging enemy among American corporations is rival
U.S.- based companies. More and more U.S. corporations are contacting
security specialists to spy on their competitors. Richard Fenning, a
British security consultant with London-based Control Risks Group, recalls
one company seeking to know the flow of raw material over a rail line. It
hired a metallurgist to analyze recently discarded track and from that was
able to determine the quantity of material moved. "Now, that's clever,"
Fenning says. "I don't think the law was broken. It was regarded as sharp,
but it goes against the unwritten rule of friendly competition."
Private detective George Scharm of Gurnee, Ill., observes, "People come
to us and say they want to get proprietary information. They say, `We
don't care about how you do it - just get it.' We turn it down and explain
to them we are willing to do searches of public records but nothing
illegal. It's mainly U.S. competitors who have lost the ethical view in
business."
On the flip side, when Scharm approaches corporations to help them
improve security, there is reluctance. "They say it has never happened to
them, but they don't know. We can go to a trash bin and find their annual
budget, and some company will pay 500 bucks to bring them that trash.
Security is like an insurance policy. Why do you want insurance if your
plant never has burned down? And look at all the mergers - the new
telephone companies. In order to be in business you have to hire someone
to get information or to have been in the business yourself. Trade secrets
are not just formulas. It's strategies. It's payroll. If you get that
information you can undersell your competitors by reducing salaries and
benefits."
Ed Jopeck, a former CIA security analyst who now runs Defensive
Strategies Inc., of Vienna, Va., agrees. "The whole business of
intelligence gathering is self-concealing. How do you know that you never
have been had?" For example, Jopeck says he observed one company that
didn't control access to its e-mail and copier. The corporation employed
several foreign-exchange workers. "The foreign- exchange workers came
with a shopping bag of clothes and left with shipping containers of
documents," Jopeck recalls.
Other companies often rely on the federal government to ensure
security. The government vets employees, so why worry? But should a
company trust the government?
The number of security lapses documented by General Accounting Office
reports during the Clinton administration suggests background
investigations have not been as thorough as under prior administrations
-and sometimes even have been ignored. American intelligence didn't block
White House access to Wang Jun, chief arms dealer for the People's
Republic of China; Jorge Cabrera, a convicted Cuban drug godfather;
Gregori Loutchanski (and his partner Vadim Rabinovich), allegedly linked
to Russian criminal syndicates; alleged Cambodian heroin trafficker Theng
Bumma; pipeline hustler Roger Tamraz, who is wanted by Interpol; along
with suspected Beijing agents Charlie Trie and Maria Hsia, under
indictment in political money-laundering schemes.
Then there are the Clinton appointees who received security clearances
despite dubious backgrounds: ex-bouncer turned White House director of
personnel Craig Livingstone, who reportedly lied about his school record
and had been fired twice for dishonesty; Patsy Thomasson, the former
director of White House administration, who was an associate of convicted
drug dealer Dan Lasater; ex-Commerce Department executive turned
Democratic National Committee fund-raiser John Huang, who has been accused
by House Rules Committee Chairman Gerald B.H. Solomon of committing
"economic espionage" by giving the Lippo Group classified trade
information; and U.S. Ambassador to the Dominican Republic Mari Carmen
Aponte, who allegedly cohabited with a Cuban intelligence agent (see "Do
You Want to Know a Secret?," March 23, 1998).
Regardless of these and other security concerns about the government
itself, corporations continue to turn to the government for security. In
the last 18 months Insight's interviews with major defense players confirm
that corporations are distancing themselves from their own responsibility
for national security.
For example, when McDonnell Douglas Corp. machine tools used to build
aircraft were found in a Chinese military factory, McDonnell Douglas
spokesman Bob O'Brien told Insight his company doesn't "deal with national
security," that it is the federal government's role. Likewise, when a
security consultant warned Boeing about entering a joint venture with an
international consortium led by a Russian space company with ties to
Russian military intelligence, Boeing ignored the advice, according to
sources close to the company.
More recently, Insight reported a case of possible security violations
involving Wah Lim, a Chinese-born physicist who chaired the Loral Space &
Communications committee that faxed a sensitive report on Long March
missile failure to Beijing without State Department approval. The matter
is under federal and congressional probe, but the damage has been done.
After that story was broken here, former Loral security manager Robert
Cooper told Insight, "Security was a joke. They cared more about corporate
bonuses and executive cars than security."
Hughes Electronics, also under scrutiny of a Justice Department probe
for its role in the Long March rocket scandal, hired Lim away from Loral.
When Insight asked Hughes if it had checked Lim's family background in
China, Hughes Vice President and General Counsel Marcy J.K. Tiffany
replied that they "don't vet relatives." Hughes, too, relied on the
government, which had granted Lim a top-secret clearance several months
before so much as completing a background check.
Security expert Hershman says corporate Americans are "lulling
themselves to sleep because a government clearance doesn't necessarily
mean a good employee," adding that his company certainly would vet
relatives if a client retained an employee born in China.
No matter who is doing the checking, answers seldom come easily.
British security specialist Fenning says he had a Brazilian case involving
a company with ties to organized crime. After buying the company, his
client asked how much influence the earlier ties to the crime world might
have on current operations. "Technically, they may be free" of the mob,
but the criminals "can still exert some controlling interest" through
employees who might be controlled or frightened by the syndicate, he says.
"It's hard to secure against the human factor."
In the meantime, security consultants continue to troubleshoot for
corporations. When they make recommendations, however, including such
simple suggestions as changing computer/telephone passwords, establishing
a system of access cards or implementing layers of security with personnel
and locked doors, the corporations often ignore their ideas. Instead,
corporations may decide to employ $5-an- hour security guards with no
police training, says Scharm. He adds that one security guard didn't even
know how to call 911 when an employee was hurt. Asked why he hadn't made
the call, the guard said he didn't have a quarter - not realizing 911
calls are free.
"Corporations have a false sense of security," Scharm says. "For us,
it's a great deal if they don't implement our recommendations, because it
means we keep coming back."
-o-
Subscribe: mail majordomo�t_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30
: Fri Apr 13 2001 - 13:03:08 PDT