|
COVER STORY • INDUSTRIAL ESPIONAGE Who's Stealing Your Information? BY DOROTHY E. DENNING Companies in the United States could be losing more than $250 billion annually to information thieves, according to an American Society for Industrial Security (ASIS) survey of Fortune 1000 firms and the 300 fastest growing U.S. companies. More than half (56 percent) of the 172 companies responding to the survey reported at least one attempted or suspected information misappropriation. Over a 17-month period, some 1,100 documented incidents of intellectual property theft were identified, worth an estimated $44 billion. And the problem may be getting worse: The estimated dollar losses were five times greater than that reported in the previous ASIS survey. If these statistics make you feel a little insecure, they should. No matter what industry or economic sector your organization is in, it produces, maintains and transmits information, intellectual property and trade secrets that others would love to get their hands on. The problem is, the threat is multidimensional, difficult to pinpoint and therefore difficult to prevent. Today, your organization is vulnerable to attacks by people both inside and outside the corporate walls, breaches both physical and electronic, sophisticated scams as well as unintentional leaks, and both legal and illegal competitive intelligence-gathering efforts. Worse yet, even when you can prove intellectual property theft, the law may not always work to your company's advantage. So what do you do? First, you need to recognize the scope of the problem--who's stealing your information, and how they're going about it. Employee Turned Traitor The ASIS survey confirmed what information security experts have been saying for years: The single greatest threat to corporate intellectual property is trusted insiders--current and former employees, temps, onsite contractors, consultants, partners and suppliers. Trusted employees. Trade secrets are routinely smuggled out of companies and sold to a waiting customer or information broker. Just last month, a U.S. nuclear scientist working at the Los Alamos National Laboratory was accused of disclosing top-secret nuclear weapons technology to China in the late 1980s. As Information Security went to press, the extent of the espionage was still unknown, though one U.S. official said the Chinese were able to "telescope the time" required to develop such advanced technology and "could not have done it without information from the U.S." In another case involving China, in 1994 a highly trusted employee of Ellery Systems in Boulder, Colo., allegedly used the Internet to transfer $1 million worth of software to a competing Chinese firm. The accused perpetrator, a Chinese national, had been granted asylum in the United States following the Tiananmen Square incident. Shortly before transmitting the code, he had traveled to Beijing, allegedly to visit his sick mother. But while he was there, he signed a letter agreeing to provide the source code in exchange for $550,000. When he returned to the U.S., he tendered his letter of resignation. The next day, he transferred the software. Duped employees. Some employees have been bribed or seduced into giving away secrets. In his book Corporate Espionage, Ira Winkler tells about a German spy named Karl Heinrich Stohlze who seduced a lonely woman who worked for a Boston biotechnology firm, eventually convincing her to leak corporate secrets. Stohlze, who had been sent by Germany's intelligence agency, the Bundes Nacrichten Dienst, skillfully exploited the relationship, telling the woman he would be transferred back to Germany if she did not get copies of certain documents for him. Not wanting to lose him, the woman supplied him with the information he sought, including DNA research methods and information about the status of company projects. To keep the information flowing, Stohlze used blackmail in addition to romance, according to Winkler. "I may have made a mistake," he told her. "I told one of my associates in Washington what you are doing for me…. The trouble is that Hans is crazy. He does not want to be reassigned; his family is settled here. I fear if the information stops coming, he just might contact your company and show them the documents, just to get even with you." Shortly after that, the woman was caught and fired, although no charges were brought against her. Stohlze was not prosecuted and was later seen working other assignments in Western Europe. Former employees. While current employees constitute the greatest threat to corporate trade secrets, former employees are not far behind. In 1993 General Motors accused its former head of worldwide purchasing, Jose Ignacio Lopez, and seven other former employees of stealing 10,000 proprietary GM documents and computer disks when they defected to Volkswagen. The stolen materials included details of a secret new car model, future sales strategies and purchasing lists. In 1996, GM sued Lopez and VW, causing VW's stock to drop. Ten months later, GM was awarded $100 million in damages. |