Thursday, March 15, 2007

The Threat of Spies: Often overlooked, often under-estimated, inside and out

I love it when people ask questions about security that cannot be answered definitively, questions like: "What are the three most serious emerging threats?" Indeed, I ask questions like that myself, of others, and of myself. Why? Because it gets brains working, and the output can be very valuable.
I have been pondering emerging threats quite a bit this year as a result of preparing my keynote for an enterprise security conference in Malaysia last month. But lately I have been asking myself "What are the most persistent threats?" and also "What are the most under-estimated threats?"

And I think I might have a winner, or at least a threat that is a finalist in both categories: industrial espionage (iconically represented by a patent application drawing).

Clearly industrial espionage has been around for a long time (and I'm talking centuries before the late eighties when British Airways started stealing Virgin Atlantic passengers with lies and bribes and a little database hacking on the side--leading to some pretty messy headlines for BA, not to mention some hefty financial settlements in favor of Virgin and its owner, Richard Branson).

VW did it to GM. Boeing did it to Lockheed. WestJet did it to Air Canada (allegedly). Not only has industrial espionage been around for a while, it has always been, quite consistently in my experience, under-rated as a security threat. As with many areas of information security knowledge there are few hard facts to back up my assertion. But my impression, when dealing with clients, when making presentations at conferences, and when teaching seminars, has always been that most people in business don't think--or maybe prefer not to think--that their competitors would break the law to gain advantage. It is not unusual for senior people to come up to me after a presentation that touches on industrial espionage, or criminal hacking in general, and say something like "Do people really do that?"

Perhaps line managers and executives are so busy worrying about all the other critical stuff--like supply, demand, deadlines, sales targets, profit margins--they just don't want to ponder questions like: Are my competitors prowling my network? Sitting outside our offices with a listening van? Going through our garbage? Bribing our employees?

But chances are, they are. Indeed, I would say that if your company is doing more than $100 million in annual revenue then it is unlikely that your competitors are not performing aggressive competitive intelligence ops against you. And of course, the many, many ways in which our "going digital" has made information easier to copy and move now come into play (in the early nineties VW took 90,000 pages worth of documents from GM in hard-to-hide boxes--today that stuff would fit on a $30 flash memory card you can buy on the High Street and slip into your sock as you walk it through the metal detector undetected).

While the methodology of competitive intelligence (open source, public documents, general and specific observation) is generally legal, it is very easy for such activities to slide into "aggressive competitive intelligence ops" which are illegal. Bear in mind that a lot of spying is done without direct management approval or endorsement. Sometimes employees take it upon themselves.

And thus we arrive at the hidden, two-edged sword of industrial espionage. You are likely to be wounded if you fail to guard against spying from competitors; you may also be wounded by your own staff if you fail to rein them in and they take competitive intelligence too far (and get caught).

Here are a couple of cases to ponder just from the auto parts industry:

Selling secrets to the [Chinese] competition
Selling secrets to the competition

Note that the second link is to article summaries at the New York Times, which gives 66 hits on espionage under "Automobiles" alone.

Stay tuned for more on this topic.

P.S. This article by Prof. Mich Kabay, well-respected friend and colleague, gives some examples to get you thinking (but don't think that the examples are not relevant because they are a few years old--I doubt anyone would claim the world is more moral today than it was a decade ago, and it is certainly easier to steal a gigabyte of data in the age of the SD card and USB thumb drive than it was in the age of the floppy and Zip disc).
