Secrets stolen, fortunes lost for want of protection

Data theft and copyright violations are costing companies and governments big-time

Christopher Burgess worked in the clandestine service of the US Central Intelligence Agency for 30 years. In the course of his career, he served both as Chief of Station and senior operations officer.

Richard Power, as editorial director for the Computer Security Institute (CSI) and then as director of global security intelligence for Deloitte Touche Tohmatsu (DTT), researched cybercrime and economic espionage for more than a decade.

We have found two profound misconceptions common among CEOs. One of the great misconceptions is that the threat of economic espionage or trade secret theft is a limited concern — that it is only an issue if you are holding on to something like the formula for Coca-Cola or the design of the next Intel microprocessor. The case studies included here illustrate the fallacy of thinking that this threat is someone else’s problem.

The other great misconception, held by many business leaders who do acknowledge the danger to their trade secrets and other intellectual property, is that the nature of this threat is sufficiently understood and adequately addressed. Often, on closer inspection, the information-protection programmes these business leaders rely on are mired in Industrial Age thinking; they have not been adapted to the dynamic and dangerous new environment forged by globalisation and the rise of the Information Age.

This article is based on open-source (that is, not classified) intelligence. There is a compelling lesson in this fact. A decade ago, such stories rarely made it onto the news wire or into the courts. Today, they are commonplace. Unfortunately, the awareness and defences required to thwart such damaging activities, although economical and effective, are far from commonplace. Our hope is to change that.

To provide a comprehensive overview of the diverse vectors of attack, and how to evaluate whether your enterprise has the necessary defences in place, we will look at actual cases organised into three broad categories:

• When insiders and competitors target businesses

• When state-sponsored trade secret theft targets businesses

• When counterfeiters, pirates and organised crime target products

And in our conclusion, we have provided some analysis of the economic and geo-political impact, and a comprehensive checklist of proactive security and intelligence measures.

When insiders and competitors target businesses

Economic espionage or intellectual property theft conducted by insiders, competitors or combinations of the two are the most tangible, most common and most destructive threats.

Such an attack can take many forms, such as an employee, a member of the management team, a corporate board member, a third-party contract manufacturer or a collaborative partner in a joint venture. Here are several recent examples, ranging from the sordid to the spectacular:

• Lightwave Microsystems

The company IT director stole and sold trade secrets of the company as it was going out of business.

• America Online (AOL)

An AOL software engineer used a colleague’s access codes to acquire information on 30 million AOL customers and sold it to spammers.

• Casiano Communications

Alleges that a former employee stole and sold proprietary databases.

• Corning

An employee found blueprints containing trade secrets within a container of material awaiting destruction. Instead of destroying them, he sold them to an Asian competitor.

• Avery Dennison

A former employee of a Taiwanese competitor revealed that an Avery Dennison employee had been supplying the competitor with Avery Dennison’s adhesive formulas for the preceding eight years.

• Toshiba and Lexar Media

Toshiba and Lexar entered into a partnership to compete in the flash memory market. Then Toshiba entered into a partnership with Lexar’s main competitor.

• Citroen and SigmaTel

Both firms allege that patented methodologies were misappropriated by Chinese competitors and used in products marketed in China, so that, in effect, Citroen and SigmaTel ended up competing against their own product designs.

When state entities target intellectual property

State-sponsored economic espionage and intellectual property theft are the most sophisticated and formidable of threats.

Why do nation states engage in economic espionage and intellectual property theft? Primarily, to acquire technology to advance a military programme, or to advance the economic competitiveness of the nation’s industrial base, or simply to ensure that the major companies and contributors to the nation’s GDP continue to make that contribution. How do nation states acquire coveted intellectual property? In some instances, they engage their own law enforcement or intelligence services to surreptitiously acquire it, while in other instances, they publicly engage the owners of the intellectual property, issuing a demand, which they believe is in the best interest of their citizens.

State-sponsored economic espionage and intellectual property theft are global issues. The threat is not unique to US businesses or researchers. Many nations conduct such activities, and the interests of many nations are targeted.

When an insider is co-opted by an intelligence service the activity becomes more sophisticated, and the ability to detect and/or defend against it is beyond the means of most corporate security mechanisms.

Ironically, sometimes the target is a company that was itself found guilty by the legal system of having instigated instances of industrial espionage, and to have stolen a competitor’s intellectual property. Here are some examples.

• French intelligence

Airbus attempted to muscle its way into the 1994 Saudi Arabian Airlines fleet modernisation effort by offering bribes to individuals from both the Saudi airlines and government.

• Russian intelligence

In January 2005, Russian Prime Minister Michail Fradkov requested Russia’s internal security service (FSB) increase its efforts to assist Russian commercial enterprises. This was tantamount to a public declaration that the Russian government’s intelligence and security services engage in collection and reporting activities in support of Russian commercial enterprises.

• Cleveland Clinic Foundation

In May 2001, the US attorney in Ohio indicted Takashi Okamoto and Hiroaki Serizawa for the theft of intellectual property belonging to the Lerner Research Institute of the Cleveland Clinic Foundation. He charged that the two had turned the stolen research over to a research facility owned by the Japanese government.

• TsNIIMASH-Export

In 2005, state-owned Russian space technology company TsNIIMASH-Export’s director, his deputy and an aide were arrested by the FSB, and charged with embezzlement and the selling of secret Russian space technology to China.

• Coca-Cola in India

In 1977, Coca-Cola controlled the Indian cola drink market, but a new industry minister told Coca-Cola officials to divest and transfer their intellectual property (the syrup formula) to their Indian partners. Coca-Cola opted to leave.

• Abbot, Merck and Gilead in Brazil

In 2005, the Brazilian Ministry of Health presented Abbot Laboratories of Chicago with an ultimatum: reduce the price of Kaletra (an effective AIDS/HIV drug) or we will break the patent and produce the drug ourselves.

• Roche in India

Despite requests from a number of countries to allow generic production of the anti-bird flu drug Tamiflu, Roche stands firm on not relinquishing the patent, which is protected into 2016, and demands a licence fee.

Where does it end?

Attacks on intellectual property, whether covert or overt, have profound consequences and profound implications.

A lawless world in which intelligence services routinely insinuate themselves into competition between commercial enterprises in the private sector, and where internationally recognised patents are disregarded by governments (whether motivated by the social good or geopolitical ambition) will not contribute to the establishment of peace and prosperity.

Nor will a lawless world in which private-sector corporations move freely and globally, without restraint, conscience, accountability or international oversight, lead us any closer to that lofty goal.

According to a study published by USA for Innovation in late October 2005, intellectual property in the United States alone carried a value of between US$5 trillion to $5.5 trillion (NZ$8.6 trillion), equivalent to 45% of the gross domestic product, far larger than the GDP of any other nation. This study also indicates that a direct correlation exists between the level of a nation state’s protection of foreign-owned intellectual property and the level of foreign investment in that same country. Where the state offers increased protection of the investor’s intellectual property, investors increase their investment in the nation’s economy.

When counterfeiters, pirates and organised crime target company products

The counterfeiting and piracy of products, activities often sponsored by organised criminals, are the most insidious intellectual property threat, and certainly the most pervasive threat to the global economy as a whole.

The US Chamber of Commerce estimates that counterfeit and pirated products account for 5% to 7% of the global economy and results in the loss of more than 750,000 jobs and approximately US$250 billion in sales in the United States alone.

Using trade missions and educational programmes, the chamber has directed its efforts at China, Brazil, South Korea and Russia, towards the goal of encouraging enhanced enforcement of intellectual property protection laws within these countries. In addition, it offers an intellectual property protection toolkit for each of these countries. And in 2005, working with various law enforcement entities, the chamber initiated Strategy Targeting Organised Piracy (STOP).

In the United Kingdom, the Alliance Against IP Theft has produced a 40-page primer, Proving the Connection: Links Between Intellectual Property Theft and Organised Crime, detailing the deleterious effect on the UK economy and the clear and unambiguous involvement of organised criminal elements. It cites case studies identifying organisations with points of origin in Russia, South Asia, China and Ireland. These serve as points of origin for either the financial backing to achieve the manufacture, distribution and sale of pirated and counterfeit goods in the United Kingdom, or as points of origin for the counterfeit goods themselves. The alliance puts the value of these illegal items at more than £9 billion (NZ$14 billion).

• Software

According to a global study commissioned by the Business Software Alliance, piracy rates in 50 countries have increased over the past year.

• Technology

Counterfeiting, of course, isn’t limited to software.

• Shoes and apparel

Counterfeit shoes are commonplace in the open markets of south east Asia.

• Entertainment

A few successful cases against individuals for illegal file-sharing have done little to staunch the estimated US$3 billion in losses due to piracy of movies.

According to the DOPIP (Document Product and Intellectual Property) Security Counterfeit Intelligence Report, in October 2005 alone there were more than 341 separate incidents involving goods valued at more than US$1 billion, and involving more than 54 separate countries. Not surprisingly, the top ten brands counterfeited included Adidas, Nike, Louis Vuitton, Microsoft, Chanel, Gucci, Prada, Fendi, Manchester United and Puma.

The report also highlighted the evidence of links between copyright and trademark infringements and more serious crimes. In 37% of the cases, counterfeiters were involved in drug trafficking; in 20% of cases they carried weapons; in 11% they committed other frauds, and in 26% they carried out other crimes, such as assault, extortion, murder, theft, immigration violations, money laundering, identity theft and robbery. Increasingly, violent criminals are becoming involved because profit margins are high, and the penalties and chances of being arrested are relatively low.

Join the newsletter!

Error: Please check your email address.

Tags data theftcopyrightSecurity ID

More about AdidasAdidasAmerica OnlineAOLAvery Dennison MaterialsBusiness Software AllianceComputer Security InstituteCorningDeloitte Touche TohmatsuDeloitte Touche TohmatsuFendiIntelLexarLexar MediaLightwave MicrosystemsMicrosoftNikeRocheTechnologyToshiba

Show Comments

Market Place

[]