Forwarded From: "Spencer, Will" <wspencert_private> Corporate Snoops Sharpen Skills (Washington Times; 08/31/98) They made one critical mistake: They never checked the shoes. The managers of the Long Island Grumman aircraft plant did everything else imaginable to ensure their facility met national-security standards for a visiting delegation of Russian scientists - no cameras allowed and no note taking. But security officials failed to inspect the soles of the shoes the Russians were wearing. On the bottom of those soles was reversed adhesive tape to collect slivers of metal alloys which, when analyzed later, identified the precise metallic components used to build U.S. fighter planes. While that incident occurred 15 years ago during the Cold War - and Grumman still does not want to talk about it - intelligence experts are warning that industrial espionage in America has not slowed. Many of those Cold War spies who once targeted military secrets have been reassigned to snoop the economic front. Why target America? It holds 70 percent of the world's intellectual property, leads in research and development by spending $125 billion annually - and within the decade the government and the private sector together are expected to spend another $2 trillion on research. The means to obtain such American secrets can be as open as pursuing public documents on the Internet and include a host of creative schemes that have given nightmares to many a corporation. South Koreans have dipped their ties into lab samples. French intelligence officers posing as flight attendants bugged first-class seats on Air France flights. Japan is constructing a national phone- tapping network to eavesdrop on its neighbors. The spying boom has resulted in a cottage industry of spy busters consisting mostly of ex-CIA agents, retired cops, private detectives and National Security Agency snoops who try to persuade American corporations to invest in security. Curiously, it has been a hard sell. The American Society for Industrial Security, or ASIS, released a survey in March that shows 62 percent of a list of the Fortune 1000 companies and the 300 fastest-growing companies have no procedures for reporting information loss, and another 40 percent have no formal program for safeguarding proprietary information. Less than 3 percent of their budgets are spent on security. The White House Office of Science and Technology Policy estimates that 6 million American jobs have been lost to economic espionage. At the same time, ASIS reports five times more companies than in the 1997 survey believe intellectual- property theft is increasing, but no one wants to watch the store. What's going on here? "We would like U.S. executives to sit up and listen," says Richard Heffernan, who runs the Connecticut-based security company R.J. Heffernan Associates Inc. "American industry just doesn't realize it's getting ripped off from pharmaceuticals to entertainment to auto manufacturers. People don't see the problem, but the problem is real." American corporations lost $250 billion worth of intellectual property to foreign and domestic spies last year, according to a survey by ASIS, which Heffernan coauthored. ASIS documented more than 1,100 incidents of economic espionage and 550 suspected incidents in a survey of 1,300 companies. The most frequent targets were high-tech companies, followed by manufacturing and service industries. Heffernan says the spies - mostly insiders with trusted relationships - target research-and-development strategies, manufacturing and marketing plans and customer lists. The penetration of information and communications systems is the fastest-growing threat. Heffernan says computers and telecommunication systems are at risk - especially voice mail where messages easily are stolen by high-tech hackers. The attack on U.S. corporations from domestic and foreign companies resulted in a 323 percent increase in economic espionage in a four-year span, according to ASIS. That in part led to Congress passing the Economic Espionage Act last year. The law imposes a 15-year prison term and/or a maximum $500,000 fine on any person and a $10 million fine on any organization that steals or destroys a trade secret of value with intent to benefit any foreign power. It also imposes a 10-year prison term and/or a maximum $250,000 fine on any person and a $5 million fine on any organization who knowingly steals or destroys any trade secret with intent economically to benefit anyone other than the owner and injure the owner of the trade secret. Since its passage, less than half a dozen prosecutions have occurred despite the fact that the FBI compiled about 700 cases. "There is an embarrassment factor. A company fears that if it is publicly known they were victims of espionage they will be criticized by investors," says Michael Hershman, a former senior investigator for the Watergate Committee who now runs a security- consulting firm, Hershman Decision Strategies/Fairfax International. "This is no longer a funny game; this is a substantial problem." He says the law does little to protect against serious threats that come from foreign competitors who have no financial base in the United States with assets that could be seized to satisfy a court judgment. "In foreign jurisdictions there is an inability to protect proprietary information," Hershman adds. "The standards of morality are different, and companies have walked away because they couldn't protect their interests." Coca-Cola, for instance, pulled out of deals in India when potential bottlers there demanded the secret formula. "Once that formula is out of the bag, there is no way to retrieve it," he explains. Security consultants say corporations fear court battles - particularly criminal cases in which a higher standard of proof is required - because trade secrets may leak onto the public record during the trial. One case illustrating this involves Bristol-Myers Squibb Co. and the theft of its cancer-fighting drug, Taxol. When the FBI busted two Taiwanese men for allegedly trying to steal the secret formula for Taxol, it seemed guilty verdicts would come quickly. Last October, however, a federal judge ordered prosecutors to turn over to the defendants and their lawyers the confidential documents that the defendants were charged with trying to steal. The judge ruled that the defendants' lawyers needed that evidence to prepare their defense and that the rights of defendants to a fair trial outweigh the proprietary rights of Bristol- Myers. Prosecutors since have appealed that ruling. Arthur Hulnick, a former CIA operative who now lectures at Boston University, says the case represents a serious problem with law. "Why would a company turn over its trade secrets to someone who is accused of stealing them? It is not surprising to me that companies would be reluctant to come forward. We are going to have to take another look at revising the Economic Espionage Act because a company has to be able to protect its secrets." In the meantime, Hulnick suggests business schools start offering courses in industrial security. Lynn Schloesser, director of federal affairs, Eastman Chemical Co., says the law doesn't go far enough. The government is downloading business regulatory documents on the Internet - making business secrets and strategies readily available in real time to competitors. Such strategies are important. In 1989, for instance, Coors Brewing Co. became concerned that competitor Anheuser-Busch might be preparing to move into the Rocky Mountain region to attack Coors' market there. Coors hired a consulting firm, which obtained wastewater-discharge permits from the Environmental Protection Agency, or EPA, and learned through analyzing the data that Anheuser- Busch couldn't handle such a move. Coors didn't have to spend money to fight a nonexistent threat. Today this type of information is available at the stroke of a key. It means product testing, results and analysis all are available to the competition even before the competitive product is put on the market. "This is the trend of regulatory agencies," Schloesser says. "It is the beginning of intelligence gathering. It is the mother lode of data mining." Previously, competitors had to shuffle through thousands of files in various jurisdictions, which sometimes took years to assemble and greatly reduced early response to the threat of a competitor. Now about 100 million pages are being downloaded per year at the EPA alone, and the computer hits there have increased from about 2 million in 1994 to 36 million in April - and most recently to about 43 million. Another problem with this dissemination of federally required records is that the plan for U.S. emergency response - known as the risk-management plan or worst-case scenario, is expected to be published on the Internet in June 1999. This could include sensitive information of great use to Saddam Hussein or terrorists in search of target information. The FBI has asked to review it before any such release, but no authority exists to prevent a regulatory agency from publishing it. "This is like throwing a loaded weapon on a playground," Schloesser says. "We need to get a dialogue with the executive branch to balance these concerns. We want enough public disclosure to meet goals of health safety and environment, but at the same time we want to protect against espionage and terrorism. That dialogue right now doesn't exist." Still, the Economic Espionage Act has had some impact. Three recent cases brought under the act ended with convictions; two ended with guilty pleas - one from former employees of PPG Industries Inc. of Pittsburgh, who were accused of stealing secrets relating to a fiberglass manufacturing plant, and another with guilty pleas from former employees of Gillette Co. of Boston, who were accused of stealing a new shaving cream. In yet another case, involving Avery Dennison Corp., a California label maker, a former employee pleaded guilty to selling information about adhesive technology to a Taiwan company. He is cooperating with the FBI to catch Taiwan citizens who also may be involved. Although the Republic of China on Taiwan has denied playing a role in the Bristol-Myers theft, if it was involved it certainly would fit a pattern outlined by John Fialka in his critically acclaimed book War by Other Means: Economic Espionage in America. Fialka writes that agents from China, Taiwan and South Korea aggressively are targeting present and former nationals working for U.S. companies and research institutions. Even France, he says, employs "classic Cold War recruitment and technical operations, which generally include bribery, discreet thefts, combing through other people's garbage and aggressive wiretapping," while Japan uses Japanese private industry and organizations to pursue classified proprietary documents and data. A National Counterintelligence Center report provided to Congress last year showed spying methods are changing from "a reliance on clandestine and illegal activity to overt and legal collection." The report noted that foreign spies have targeted aeronautics systems, armaments and energy materials, chemical and biological systems, directed and kinetic energy systems, electronics, guidance systems, information systems, information warfare, manufacturing and fabrication, marine systems, nuclear systems, sensors and lasers, space systems and weapons-effects and countermeasures. That report also cited companies targeted for espionage in the last few years: IBM Corp., Corning Inc., Honeywell Corp., Eastman Kodak, 3M Corp., AT&T and General Electric. While the Counterintelligence report failed to identify the offending countries, the ASIS report ranks the greatest potential threats as follows: People's Republic of China, Japan, France, Canada, Mexico, the United Kingdom, South Korea, Germany, Russia and Brazil, according to ASIS. In fact, FBI Director Louis Freeh warned Congress earlier this year that 23 countries actively are involved in illicit acquisition of U.S. trade secrets and 12 have targeted U.S. "proprietary economic information and critical technologies." Of those countries, Communist China poses "the greatest security threat to the U.S. today," says W. Raymond Wannall, a retired FBI assistant director in charge of counterintelligence. Wannall tells Insight, "China has the largest presence in our country of any foreign nation - 3,500 diplomats and commercial representatives and over 90,000 scholars and visiting delegations. Intelligence officers and agents among this large pool of Chinese nationals pose a serious intelligence and espionage threat." While foreigners are finding both legal and illegal ways to obtain U.S. trade secrets, another emerging enemy among American corporations is rival U.S.- based companies. More and more U.S. corporations are contacting security specialists to spy on their competitors. Richard Fenning, a British security consultant with London-based Control Risks Group, recalls one company seeking to know the flow of raw material over a rail line. It hired a metallurgist to analyze recently discarded track and from that was able to determine the quantity of material moved. "Now, that's clever," Fenning says. "I don't think the law was broken. It was regarded as sharp, but it goes against the unwritten rule of friendly competition." Private detective George Scharm of Gurnee, Ill., observes, "People come to us and say they want to get proprietary information. They say, `We don't care about how you do it - just get it.' We turn it down and explain to them we are willing to do searches of public records but nothing illegal. It's mainly U.S. competitors who have lost the ethical view in business." On the flip side, when Scharm approaches corporations to help them improve security, there is reluctance. "They say it has never happened to them, but they don't know. We can go to a trash bin and find their annual budget, and some company will pay 500 bucks to bring them that trash. Security is like an insurance policy. Why do you want insurance if your plant never has burned down? And look at all the mergers - the new telephone companies. In order to be in business you have to hire someone to get information or to have been in the business yourself. Trade secrets are not just formulas. It's strategies. It's payroll. If you get that information you can undersell your competitors by reducing salaries and benefits." Ed Jopeck, a former CIA security analyst who now runs Defensive Strategies Inc., of Vienna, Va., agrees. "The whole business of intelligence gathering is self-concealing. How do you know that you never have been had?" For example, Jopeck says he observed one company that didn't control access to its e-mail and copier. The corporation employed several foreign-exchange workers. "The foreign- exchange workers came with a shopping bag of clothes and left with shipping containers of documents," Jopeck recalls. Other companies often rely on the federal government to ensure security. The government vets employees, so why worry? But should a company trust the government? The number of security lapses documented by General Accounting Office reports during the Clinton administration suggests background investigations have not been as thorough as under prior administrations -and sometimes even have been ignored. American intelligence didn't block White House access to Wang Jun, chief arms dealer for the People's Republic of China; Jorge Cabrera, a convicted Cuban drug godfather; Gregori Loutchanski (and his partner Vadim Rabinovich), allegedly linked to Russian criminal syndicates; alleged Cambodian heroin trafficker Theng Bumma; pipeline hustler Roger Tamraz, who is wanted by Interpol; along with suspected Beijing agents Charlie Trie and Maria Hsia, under indictment in political money-laundering schemes. Then there are the Clinton appointees who received security clearances despite dubious backgrounds: ex-bouncer turned White House director of personnel Craig Livingstone, who reportedly lied about his school record and had been fired twice for dishonesty; Patsy Thomasson, the former director of White House administration, who was an associate of convicted drug dealer Dan Lasater; ex-Commerce Department executive turned Democratic National Committee fund-raiser John Huang, who has been accused by House Rules Committee Chairman Gerald B.H. Solomon of committing "economic espionage" by giving the Lippo Group classified trade information; and U.S. Ambassador to the Dominican Republic Mari Carmen Aponte, who allegedly cohabited with a Cuban intelligence agent (see "Do You Want to Know a Secret?," March 23, 1998). Regardless of these and other security concerns about the government itself, corporations continue to turn to the government for security. In the last 18 months Insight's interviews with major defense players confirm that corporations are distancing themselves from their own responsibility for national security. For example, when McDonnell Douglas Corp. machine tools used to build aircraft were found in a Chinese military factory, McDonnell Douglas spokesman Bob O'Brien told Insight his company doesn't "deal with national security," that it is the federal government's role. Likewise, when a security consultant warned Boeing about entering a joint venture with an international consortium led by a Russian space company with ties to Russian military intelligence, Boeing ignored the advice, according to sources close to the company. More recently, Insight reported a case of possible security violations involving Wah Lim, a Chinese-born physicist who chaired the Loral Space & Communications committee that faxed a sensitive report on Long March missile failure to Beijing without State Department approval. The matter is under federal and congressional probe, but the damage has been done. After that story was broken here, former Loral security manager Robert Cooper told Insight, "Security was a joke. They cared more about corporate bonuses and executive cars than security." Hughes Electronics, also under scrutiny of a Justice Department probe for its role in the Long March rocket scandal, hired Lim away from Loral. When Insight asked Hughes if it had checked Lim's family background in China, Hughes Vice President and General Counsel Marcy J.K. Tiffany replied that they "don't vet relatives." Hughes, too, relied on the government, which had granted Lim a top-secret clearance several months before so much as completing a background check. Security expert Hershman says corporate Americans are "lulling themselves to sleep because a government clearance doesn't necessarily mean a good employee," adding that his company certainly would vet relatives if a client retained an employee born in China. No matter who is doing the checking, answers seldom come easily. British security specialist Fenning says he had a Brazilian case involving a company with ties to organized crime. After buying the company, his client asked how much influence the earlier ties to the crime world might have on current operations. "Technically, they may be free" of the mob, but the criminals "can still exert some controlling interest" through employees who might be controlled or frightened by the syndicate, he says. "It's hard to secure against the human factor." In the meantime, security consultants continue to troubleshoot for corporations. When they make recommendations, however, including such simple suggestions as changing computer/telephone passwords, establishing a system of access cards or implementing layers of security with personnel and locked doors, the corporations often ignore their ideas. Instead, corporations may decide to employ $5-an- hour security guards with no police training, says Scharm. He adds that one security guard didn't even know how to call 911 when an employee was hurt. Asked why he hadn't made the call, the guard said he didn't have a quarter - not realizing 911 calls are free. "Corporations have a false sense of security," Scharm says. "For us, it's a great deal if they don't implement our recommendations, because it means we keep coming back." -o- Subscribe: mail majordomot_private with "subscribe isn". Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:03:08 PDT