Skip to content

Industrial espionage: Data out of the door

February 2, 2011

Financial Times, 1 Feb 2011: Jin Hanjuan was about to board a flight to Beijing almost four years ago when a random check stopped her in her tracks.

According to court documents and an FBI affidavit filed in an economic espionage case against her, when customs officers at O’Hare airport in Chicago inspected the bags of the 40-year-old software engineer, they found more than 1,000 confidential papers that are alleged to have been stolen from Motorola, the US electronics group for which Ms Jin had worked until two days before the flight.

The court papers say the officers also discovered Chinese military manuals, a European company’s catalogue of military products, documents detailing Chinese military applications for electronics equipment that had been drafted by an unnamed Chinese telecommunications company, and $30,000 in cash.

In the criminal indictment against Ms Jin, due to be heard next month in a Chicago court, Motorola says the research and development costs of the information in her possession exceed $600m. The company would lose substantial global revenues if the contents were made public, it adds. Ms Jin has pleaded not guilty.

In a separate civil case brought by Motorola, Ms Jin is a co-defendant with Huawei, the Chinese telecommunications equipment maker, over an allegation that she and others were “secretly engaged” in product development for the Chinese company at the same time as they were employed by Motorola. Huawei has said the case brought by Motorola is “without merit” and has refused to comment on the criminal case.

The legal actions involving Ms Jin have thrown the spotlight on the murky world of industrial espionage – defined as the use of illicit means by companies or their agents to disrupt their rivals’ operations or gain access to their secrets.

Interest in the subject has been heightened by a highly publicised affair in France that has led to Renault, the automotive group, sacking three top executives after alleging they had passed on confidential documents to outsiders. According to Carlos Ghosn, the group’s chief executive, the alleged theft relates to the company’s business model for battery powered electric cars – an area where Renault and Nissan, its Japanese partner that Mr Ghosn also heads, are investing €4bn ($5.5bn) in a significant early bet on the technology.

Industrial espionage is being catapulted to a position of great relevance to many of the world’s top companies as technological change becomes of growing importance to business performance. Companies across the world are increasingly interested in gaining access to their competitors’ secrets as early as possible in the development cycle for new products and services.

“There is … more globalisation and the players are more … in competition. The more competition, the more crime,” says Olivier Buquen, head of the Economic Intelligence Office in Paris, a bureau of 12 experts created in 2009 to co-ordinate French corporate intelligence efforts.

According to Dane Chamarro, managing director for North Asia at Control Risks, a security group, industrial espionage affects many more sectors than high-profile activities such as computers, cars and telecoms. “Virtually any company with high levels of research and development and where technology has an impact on the product faces some kind of threat,” he says.

The chief executive of one of the world’s biggest aerospace and defence groups says that in his industry, “industrial espionage is a problem now and it will be even more in the future”.

Most corporate intelligence gathering is legitimate, based on such conventional practices as picking up scraps of information about competitors by attending trade shows. But few people involved doubt that the illicit part of this activity is bigger than it ever was.

The ways that secrets are taken vary. One of the most widely used is when employees switch jobs, taking with them confidential designs. Andrea Riello, chief executive of Riello, a large Italian machine tool maker, says: “In our company, we’ve seen three times in five years that some of our technical secrets have been taken and used in a rival’s products. In each case it seems as though a former employees has taken details to other businesses.” The practical difficulties in gathering evidence mean, Mr Riello adds, that his company has not yet tried to seek legal redress for the “theft” of technologies.

Other instances can be more unusual. One French engineering supplier found that an engineer from an Asian company when visiting its factory stooped to lace up his shoes more often than seemed necessary. The ruse was intended to collect tiny pieces of metal from the floor – discarded from machining operations – that were picked up with a piece of tape on his overlong tie and could later be analysed by a rival business.

Taking into account all types of industrial espionage but counting only the cost to American businesses, US intelligence officials put the cost of lost sales due to illicit appropriation of technology and business ideas at $100bn-$250bn a year. General Motors, Ford, General Electric, Intel and Boeing are among the US companies known to have suffered from industrial espionage attacks, though all are wary of discussing the details.

In Europe, concerns about the loss of technical know-how have resulted in a push in Brussels for the European Commission to set up a group to monitor foreign investment activity.

According to many people involved with corporate intelligence, Beijing state agencies are often heavily involved in efforts by Chinese companies to gather information about foreign businesses. Russia, France and Israel also have active state-led programmes as well as corporate programmes to appropriate technology from foreign companies but China’s methodical approach is regarded as unique by many in the corporate security industry.

One veteran corporate security manager working for large multinational companies in China says Washington considers that country the biggest threat in terms of targeting US companies’ commercial proprietary information, technical information and data. Nigel Inkster, a director at the London-based International Institute for Strategic Studies, warned in a speech last month, meanwhile, that commercial espionage was now a “big business” with countries such as China engaged in the activity “on an industrial scale”.

COUNTER MEASURES

Companies should protect themselves with a mix of technical measures and common sense against disgruntled employees passing information to rivals, according to most security experts, write Joseph Menn, Peggy Hollinger, Peter Marsh and Daniel Schäfer.

While hard to measure precisely, the scale of the problem is not in doubt.

The vast majority of cyber-espionage cases in the US, which are linked to “hacking” into computer networks, have been traced to e-mails with plausible-looking attachments that use parts of Microsoft Word and other commonplace programs to extract information and channel it to unauthorised people over the internet. Warnings about such espionage are often ignored by staff, however, so experts recommend that businesses focus instead on rapid patching of such software “vulnerabilities”.

For added protection against potentially highly damaging leaks, every company should put in place an “anti-espionage” plan setting out who has access to sensitive data, advises Frank Hülsberg, head of compliance at the German arm of the KPMG consultancy. He also recommends that computers containing sensitive data are separated from the internet.

Often human frailty is at fault. Peter Pender-Cudlip, chief executive of London-based corporate security company GPW, says: “Behind every case of industrial espionage sits an individual driven by the age-old motives of money, ideology, compromise or ego.” It therefore follows that keeping staff reasonably happy – reducing motivation to settle scores by leaking information – is a good first principle.

On occasion, corporate theft can be linked to particular personal relationships. In a recent instance, one German engineering company found it was frequently beaten on price by a competitor. The group discovered an employee in its information technology department was related to its archrival’s CEO. The IT specialist had wiretapped his own CEO’s office and phone and put a tracking device on his car, enabling him to follow his movements and identify the customers to whom he was talking.

While it might seem unfair to those working in IT, security experts warn that staff in the sector are often the main sources of leaks simply because they are in a better position than others to gain access to secrets.

While some of this stems from the blurry line that separates the government and companies in a country where many of the big guns of industry are state-controlled, another factor is history. Twenty-five years ago next month, Deng Xiaoping, China’s leader of the time, approved a government programme that would become known as the “863 project” (named after the date – the third month of 1986). The 863 programme still exists and is funded and administered by the Beijing government.

Its stated goal is to stimulate advanced technologies in a range of fields, to render China independent of financial obligations for foreign technologies. Many in the west believe, however, that its remit in reality extends to backing the illicit acquisition of foreign proprietary technology.

Whatever the scale and scope of the 863 unit’s activities, China’s state-led industrial espionage operations are uniquely patient and cautious, say China-based economic intelligence experts – a way of working known as the “thousand grains of sand” approach.

They collect “whatever they can in a very broad area that they’re interested in and then they patiently distil their finding down until they get what they need”, according to one corporate security chief working in China. “Their approach contrasts significantly with the Russians, who tend to be overly ambitious and clumsy by comparison.”

The form can vary from paying employees to hand over information or gathering know-how about processes or products while on factory visits, through to cyber-attacks based around hacking into databases or electronic networks.

Cyber-spying has fast become a specific threat for many companies. “Industrial cyber-espionage is one of the biggest problems that all nations are facing,” says Melissa Hathaway, a former US intelligence official and the leader of a digital security review set up by President Barack Obama.

The scale of hacking to gain corporate information has gone so far, she says, that the Securities and Exchange Commission, the US stock market regulator, might soon need to require companies to assess routinely for the benefit of shareholders how well they are protecting themselves from electronic attacks.

One of the most high-profile companies to have suffered in this way is Google. After announcing last year that it had been the victim of a sophisticated hacking campaign from China, it emerged that attackers had appropriated some of Google’s search engine source codes, a vital piece of intellectual property.

Google later notified more than a dozen other companies it identified as victims of the same campaign. Outside researchers later concluded that more than 100 concerns had been hit, including a big investment bank, other high-technology hardware and software companies and defence contractors. Among those in the Chinese sights were Symantec, Adobe Systems and Northrup Grumman. In all cases, the target was intellectual property, including software codes, chip designs and the like.

The campaign originated on computers used at two universities in China, one of which has strong ties to the military. While the Chinese government publicly denies that it engages in industrial espionage or computer hacking, this view is regarded by many foreign companies as intelligence agencies as being some way from the truth.

What should companies do about the threat of industrial espionage? One answer may be to minimise the possibility of leakages either through elaborate information technology methods or sometimes ideas that owe more to plain common sense. Another may be to abandon any hope that all leaks can be plugged and concentrate on the most advanced technologies and products that are all but impossible to replicate by any outsider due to their complexity and the use of novel ideas.

Dieter Zetsche, chief executive of Daimler, the German automotive group, says he has “no concerns” about a theft of his company’s secrets. “We shouldn’t waste our time trying to protect our intellectual property but try to be innovative and faster than the other guys.”

That said, efforts to crack down on thefts of technology or other valuable business information seem likely to be central to companies’ efforts to stay competitive – especially in sectors such as machine building or high-tech engineering products, where the developed world retains a commercial edge.

Back in the US, when Ms Jin arrives at the Chicago court in the coming weeks, she faces six counts of trade theft and economic espionage, each carrying a potential penalty of 10-15 years in prison and a fine of as much as $500,000. If she is found guilty, a lot of people interested in thwarting industrial espionage in all its forms will raise a small cheer.

Advertisements

Comments are closed.

%d bloggers like this: