[ISN] Corporate Snoops Sharpen Skills

From: mea culpa (jerichot_private)
Date: Thu Sep 03 1998 - 02:42:34 PDT

    Forwarded From: "Spencer, Will" <wspencert_private>
    
                       Corporate Snoops Sharpen Skills
                         (Washington Times; 08/31/98)                     
    
       They made one critical mistake: They never checked the shoes. The
    managers of the Long Island Grumman aircraft plant did everything else
    imaginable to ensure their facility met national-security standards for a
    visiting delegation of Russian scientists - no cameras allowed and no note
    taking. 
    
       But security officials failed to inspect the soles of the shoes the
    Russians were wearing. On the bottom of those soles was reversed adhesive
    tape to collect slivers of metal alloys which, when analyzed later,
    identified the precise metallic components used to build U.S. fighter
    planes. 
    
       While that incident occurred 15 years ago during the Cold War - and
    Grumman still does not want to talk about it - intelligence experts are
    warning that industrial espionage in America has not slowed. Many of those
    Cold War spies who once targeted military secrets have been reassigned to
    snoop the economic front. 
    
       Why target America? It holds 70 percent of the world's intellectual
    property, leads in research and development by spending $125 billion
    annually - and within the decade the government and the private sector
    together are expected to spend another $2 trillion on research. 
    
       The means to obtain such American secrets can be as open as pursuing
    public documents on the Internet and include a host of creative schemes
    that have given nightmares to many a corporation. South Koreans have
    dipped their ties into lab samples. French intelligence officers posing as
    flight attendants bugged first-class seats on Air France flights. Japan is
    constructing a national phone-tapping network to eavesdrop on its
    neighbors. 
    
       The spying boom has resulted in a cottage industry of spy busters
    consisting mostly of ex-CIA agents, retired cops, private detectives and
    National Security Agency snoops who try to persuade American corporations
    to invest in security. Curiously, it has been a hard sell. 
    
       The American Society for Industrial Security, or ASIS, released a
    survey in March that shows 62 percent of a list of the Fortune 1000
    companies and the 300 fastest-growing companies have no procedures for
    reporting information loss, and another 40 percent have no formal program
    for safeguarding proprietary information. Less than 3 percent of their
    budgets are spent on security. The White House Office of Science and
    Technology Policy estimates that 6 million American jobs have been lost to
    economic espionage. At the same time, ASIS reports five times more
    companies than in the 1997 survey believe intellectual-property theft is
    increasing, but no one wants to watch the store.  What's going on here? 
    
       "We would like U.S. executives to sit up and listen," says Richard
    Heffernan, who runs the Connecticut-based security company R.J.  Heffernan
    Associates Inc. "American industry just doesn't realize it's getting
    ripped off from pharmaceuticals to entertainment to auto manufacturers.
    People don't see the problem, but the problem is real." 
    
       American corporations lost $250 billion worth of intellectual property
    to foreign and domestic spies last year, according to a survey by ASIS,
    which Heffernan coauthored. ASIS documented more than 1,100 incidents of
    economic espionage and 550 suspected incidents in a survey of 1,300
    companies.  The most frequent targets were high-tech companies, followed
    by manufacturing and service industries. 
    
       Heffernan says the spies - mostly insiders with trusted relationships -
    target research-and-development strategies, manufacturing and marketing
    plans and customer lists. The penetration of information and
    communications systems is the fastest-growing threat. Heffernan says
    computers and telecommunication systems are at risk - especially voice
    mail where messages easily are stolen by high-tech hackers. 
    
       The attack on U.S. corporations from domestic and foreign companies
    resulted in a 323 percent increase in economic espionage in a four-year
    span, according to ASIS. That in part led to Congress passing the Economic
    Espionage Act last year. 
    
       The law imposes a 15-year prison term and/or a maximum $500,000 fine on
    any person and a $10 million fine on any organization that steals or
    destroys a trade secret of value with intent to benefit any foreign power.
    It also imposes a 10-year prison term and/or a maximum $250,000 fine on
    any person and a $5 million fine on any organization who knowingly steals
    or destroys any trade secret with intent economically to benefit anyone
    other than the owner and injure the owner of the trade secret. 
    
       Since its passage, less than half a dozen prosecutions have occurred
    despite the fact that the FBI compiled about 700 cases. "There is an
    embarrassment factor. A company fears that if it is publicly known they
    were victims of espionage they will be criticized by investors," says
    Michael Hershman, a former senior investigator for the Watergate Committee
    who now runs a security-consulting firm, Hershman Decision
    Strategies/Fairfax International.  "This is no longer a funny game; this
    is a substantial problem." 
    
       He says the law does little to protect against serious threats that
    come from foreign competitors who have no financial base in the United
    States with assets that could be seized to satisfy a court judgment. "In
    foreign jurisdictions there is an inability to protect proprietary
    information," Hershman adds. "The standards of morality are different, and
    companies have walked away because they couldn't protect their interests."
    Coca-Cola, for instance, pulled out of deals in India when potential
    bottlers there demanded the secret formula. "Once that formula is out of
    the bag, there is no way to retrieve it," he explains. 
    
       Security consultants say corporations fear court battles - particularly
    criminal cases in which a higher standard of proof is required - because
    trade secrets may leak onto the public record during the trial. One case
    illustrating this involves Bristol-Myers Squibb Co. and the theft of its
    cancer-fighting drug, Taxol. When the FBI busted two Taiwanese men for
    allegedly trying to steal the secret formula for Taxol, it seemed guilty
    verdicts would come quickly. Last October, however, a federal judge
    ordered prosecutors to turn over to the defendants and their lawyers the
    confidential documents that the defendants were charged with trying to
    steal. The judge ruled that the defendants' lawyers needed that evidence
    to prepare their defense and that the rights of defendants to a fair trial
    outweigh the proprietary rights of Bristol-Myers. Prosecutors since have
    appealed that ruling.
    
       Arthur Hulnick, a former CIA operative who now lectures at Boston
    University, says the case represents a serious problem with law. "Why
    would a company turn over its trade secrets to someone who is accused of
    stealing them? It is not surprising to me that companies would be
    reluctant to come forward. We are going to have to take another look at
    revising the Economic Espionage Act because a company has to be able to
    protect its secrets." In the meantime, Hulnick suggests business schools
    start offering courses in industrial security. 
    
       Lynn Schloesser, director of federal affairs, Eastman Chemical Co.,
    says the law doesn't go far enough. The government is downloading business
    regulatory documents on the Internet - making business secrets and
    strategies readily available in real time to competitors. 
    
       Such strategies are important. In 1989, for instance, Coors Brewing Co. 
    became concerned that competitor Anheuser-Busch might be preparing to move
    into the Rocky Mountain region to attack Coors' market there. Coors hired
    a consulting firm, which obtained wastewater-discharge permits from the
    Environmental Protection Agency, or EPA, and learned through analyzing the
    data that Anheuser-Busch couldn't handle such a move. Coors didn't have
    to spend money to fight a nonexistent threat. 
    
       Today this type of information is available at the stroke of a key.  It
    means product testing, results and analysis all are available to the
    competition even before the competitive product is put on the market.
    "This is the trend of regulatory agencies," Schloesser says. "It is the
    beginning of intelligence gathering. It is the mother lode of data
    mining." 
    
       Previously, competitors had to shuffle through thousands of files in
    various jurisdictions, which sometimes took years to assemble and greatly
    reduced early response to the threat of a competitor. Now about 100
    million pages are being downloaded per year at the EPA alone, and the
    computer hits there have increased from about 2 million in 1994 to 36
    million in April - and most recently to about 43 million. 
    
       Another problem with this dissemination of federally required records
    is that the plan for U.S. emergency response - known as the
    risk-management plan or worst-case scenario - is expected to be published
    on the Internet in June 1999. This could include sensitive information of
    great use to Saddam Hussein or terrorists in search of target information.
    The FBI has asked to review it before any such release, but no authority
    exists to prevent a regulatory agency from publishing it. "This is like
    throwing a loaded weapon on a playground,"  Schloesser says. "We need to
    get a dialogue with the executive branch to balance these concerns. We
    want enough public disclosure to meet goals of health safety and
    environment, but at the same time we want to protect against espionage and
    terrorism. That dialogue right now doesn't exist." 
    
       Still, the Economic Espionage Act has had some impact. Three recent
    cases brought under the act ended with convictions; two ended with guilty
    pleas - one from former employees of PPG Industries Inc. of Pittsburgh,
    who were accused of stealing secrets relating to a fiberglass
    manufacturing plant, and another with guilty pleas from former employees
    of Gillette Co. of Boston, who were accused of stealing a new shaving
    cream. In yet another case, involving Avery Dennison Corp., a California
    label maker, a former employee pleaded guilty to selling information about
    adhesive technology to a Taiwan company. He is cooperating with the FBI to
    catch Taiwan citizens who also may be involved. 
    
       Although the Republic of China on Taiwan has denied playing a role in
    the Bristol-Myers theft, if it was involved it certainly would fit a
    pattern outlined by John Fialka in his critically acclaimed book War by
    Other Means: Economic Espionage in America. Fialka writes that agents from
    China, Taiwan and South Korea aggressively are targeting present and
    former nationals working for U.S. companies and research institutions.
    Even France, he says, employs "classic Cold War recruitment and technical
    operations, which generally include bribery, discreet thefts, combing
    through other people's garbage and aggressive wiretapping," while Japan
    uses Japanese private industry and organizations to pursue classified
    proprietary documents and data. 
    
       A National Counterintelligence Center report provided to Congress last
    year showed spying methods are changing from "a reliance on clandestine
    and illegal activity to overt and legal collection." The report noted that
    foreign spies have targeted aeronautics systems, armaments and energy
    materials, chemical and biological systems, directed and kinetic energy
    systems, electronics, guidance systems, information systems, information
    warfare, manufacturing and fabrication, marine systems, nuclear systems,
    sensors and lasers, space systems and weapons-effects and countermeasures. 
    That report also cited companies targeted for espionage in the last few
    years: IBM Corp., Corning Inc., Honeywell Corp., Eastman Kodak, 3M Corp.,
    AT&T and General Electric.
    
       While the Counterintelligence report failed to identify the offending
    countries, the ASIS report ranks the greatest potential threats as
    follows: People's Republic of China, Japan, France, Canada, Mexico, the
    United Kingdom, South Korea, Germany, Russia and Brazil, according to
    ASIS. In fact, FBI Director Louis Freeh warned Congress earlier this year
    that 23 countries actively are involved in illicit acquisition of U.S.
    trade secrets and 12 have targeted U.S. "proprietary economic information
    and critical technologies." 
    
       Of those countries, Communist China poses "the greatest security threat
    to the U.S. today," says W. Raymond Wannall, a retired FBI assistant
    director in charge of counterintelligence. Wannall tells Insight, "China
    has the largest presence in our country of any foreign nation - 3,500
    diplomats and commercial representatives and over 90,000 scholars and
    visiting delegations.  Intelligence officers and agents among this large
    pool of Chinese nationals pose a serious intelligence and espionage
    threat." 
    
       While foreigners are finding both legal and illegal ways to obtain U.S.
    trade secrets, another emerging enemy among American corporations is rival
    U.S.-based companies. More and more U.S. corporations are contacting
    security specialists to spy on their competitors. Richard Fenning, a
    British security consultant with London-based Control Risks Group, recalls
    one company seeking to know the flow of raw material over a rail line. It
    hired a metallurgist to analyze recently discarded track and from that was
    able to determine the quantity of material moved. "Now, that's clever,"
    Fenning says. "I don't think the law was broken. It was regarded as sharp,
    but it goes against the unwritten rule of friendly competition." 
    
       Private detective George Scharm of Gurnee, Ill., observes, "People come
    to us and say they want to get proprietary information. They say, `We
    don't care about how you do it - just get it.' We turn it down and explain
    to them we are willing to do searches of public records but nothing
    illegal. It's mainly U.S.  competitors who have lost the ethical view in
    business." 
    
       On the flip side, when Scharm approaches corporations to help them
    improve security, there is reluctance. "They say it has never happened to
    them, but they don't know. We can go to a trash bin and find their annual
    budget, and some company will pay 500 bucks to bring them that trash.
    Security is like an insurance policy. Why do you want insurance if your
    plant never has burned down? And look at all the mergers - the new
    telephone companies. In order to be in business you have to hire someone
    to get information or to have been in the business yourself. Trade secrets
    are not just formulas. It's strategies. It's payroll. If you get that
    information you can undersell your competitors by reducing salaries and
    benefits." 
    
       Ed Jopeck, a former CIA security analyst who now runs Defensive
    Strategies Inc., of Vienna, Va., agrees. "The whole business of
    intelligence gathering is self-concealing. How do you know that you never
    have been had?" For example, Jopeck says he observed one company that
    didn't control access to its e-mail and copier. The corporation employed
    several foreign-exchange workers.  "The foreign-exchange workers came
    with a shopping bag of clothes and left with shipping containers of
    documents," Jopeck recalls. 
    
       Other companies often rely on the federal government to ensure
    security. The government vets employees, so why worry? But should a
    company trust the government? 
    
       The number of security lapses documented by General Accounting Office
    reports during the Clinton administration suggests background
    investigations have not been as thorough as under prior administrations
    - and sometimes even have been ignored. American intelligence didn't block
    White House access to Wang Jun, chief arms dealer for the People's
    Republic of China; Jorge Cabrera, a convicted Cuban drug godfather;
    Gregori Loutchanski (and his partner Vadim Rabinovich), allegedly linked
    to Russian criminal syndicates; alleged Cambodian heroin trafficker Theng
    Bumma; pipeline hustler Roger Tamraz, who is wanted by Interpol; along
    with suspected Beijing agents Charlie Trie and Maria Hsia, under
    indictment in political money-laundering schemes. 
    
       Then there are the Clinton appointees who received security clearances
    despite dubious backgrounds: ex-bouncer turned White House director of
    personnel Craig Livingstone, who reportedly lied about his school record
    and had been fired twice for dishonesty; Patsy Thomasson, the former
    director of White House administration, who was an associate of convicted
    drug dealer Dan Lasater; ex-Commerce Department executive turned
    Democratic National Committee fund-raiser John Huang, who has been accused
    by House Rules Committee Chairman Gerald B.H. Solomon of committing
    "economic espionage" by giving the Lippo Group classified trade
    information; and U.S. Ambassador to the Dominican Republic Mari Carmen
    Aponte, who allegedly cohabited with a Cuban intelligence agent (see "Do
    You Want to Know a Secret?," March 23, 1998). 
    
       Regardless of these and other security concerns about the government
    itself, corporations continue to turn to the government for security. In
    the last 18 months Insight's interviews with major defense players confirm
    that corporations are distancing themselves from their own responsibility
    for national security. 
    
       For example, when McDonnell Douglas Corp. machine tools used to build
    aircraft were found in a Chinese military factory, McDonnell Douglas
    spokesman Bob O'Brien told Insight his company doesn't "deal with national
    security," that it is the federal government's role. Likewise, when a
    security consultant warned Boeing about entering a joint venture with an
    international consortium led by a Russian space company with ties to
    Russian military intelligence, Boeing ignored the advice, according to
    sources close to the company. 
    
       More recently, Insight reported a case of possible security violations
    involving Wah Lim, a Chinese-born physicist who chaired the Loral Space &
    Communications committee that faxed a sensitive report on Long March
    missile failure to Beijing without State Department approval. The matter
    is under federal and congressional probe, but the damage has been done.
    After that story was broken here, former Loral security manager Robert
    Cooper told Insight, "Security was a joke. They cared more about corporate
    bonuses and executive cars than security." 
    
       Hughes Electronics, also under scrutiny of a Justice Department probe
    for its role in the Long March rocket scandal, hired Lim away from Loral. 
    When Insight asked Hughes if it had checked Lim's family background in
    China, Hughes Vice President and General Counsel Marcy J.K. Tiffany
    replied that they "don't vet relatives." Hughes, too, relied on the
    government, which had granted Lim a top-secret clearance several months
    before so much as completing a background check. 
    
       Security expert Hershman says corporate Americans are "lulling
    themselves to sleep because a government clearance doesn't necessarily
    mean a good employee," adding that his company certainly would vet
    relatives if a client retained an employee born in China. 
    
       No matter who is doing the checking, answers seldom come easily. 
    British security specialist Fenning says he had a Brazilian case involving
    a company with ties to organized crime. After buying the company, his
    client asked how much influence the earlier ties to the crime world might
    have on current operations. "Technically, they may be free" of the mob,
    but the criminals "can still exert some controlling interest" through
    employees who might be controlled or frightened by the syndicate, he says.
    "It's hard to secure against the human factor." 
    
       In the meantime, security consultants continue to troubleshoot for
    corporations. When they make recommendations, however, including such
    simple suggestions as changing computer/telephone passwords, establishing
    a system of access cards or implementing layers of security with personnel
    and locked doors, the corporations often ignore their ideas. Instead,
    corporations may decide to employ $5-an-hour security guards with no
    police training, says Scharm. He adds that one security guard didn't even
    know how to call 911 when an employee was hurt. Asked why he hadn't made
    the call, the guard said he didn't have a quarter - not realizing 911
    calls are free. 
    
       "Corporations have a false sense of security," Scharm says. "For us,
    it's a great deal if they don't implement our recommendations, because it
    means we keep coming back." 
    
    -o-
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    


