In this article we take a look at recent trends in intellectual property theft and corporate espionage, both of which are on the rise globally. According to a recent article by CNBC, 20% of US companies say that China has stolen their IP in 2019, while 69% of the companies surveyed were not sure.
The FBI has reported that it is investigating over 1,000 cases related to Chinese corporate espionage alone and that the cost of IP theft to companies is estimated to be in the range of $225 to $600 billion each year. Many attack methods are being reported, but particularly damaging ones include boardroom spying, [spear]phishing / smishing and insider espionage, where sensitive data can be siphoned out and sold to a nation state, on the black market or to a direct competitor. In many cases, data is exfiltrated out of the organisation over a period of time, giving rise to the term “advanced persistent threat” in cyber-security circles. This could include real-time conversations from boardroom surveillance. ENISA, the European security agency, however, reports that 63% of espionage cases involve phishing, where boardroom members are often the main target.
INT-LM001 Long Range Laser Listening Device
From the early days of the Cold War, covert surveillance has been in existence primarily for state security and military intelligence purposes. Over the last 30 years that has expanded into corporate espionage, where commercial gain is the prime objective and boardrooms and their members are primary targets. Popular surveillance methods include:
Conference Bridge Snooping
Laser Based Listening Systems
Hacked Presentation Laptops
Voice Activated Recorder
Fiber Optic Camera
Smartphone Recording S/W
A new technique called “lamphone,” which eavesdrops on lightbulb vibrations, has even been reported in the Israeli media. This method allows spies with a laptop, telescope and a $400 electro-optical sensor to listen to conversations from hundreds of feet away by observing the minuscule vibrations created on the glass surface of a light bulb inside the room. Needless to say, a booming industry of counter-surveillance firms has mushroomed, with anti-bugging techniques such as spectrum analysers [shown below] which detect RF transmissions.
To find out more about TSCM, or technical surveillance countermeasures, see Wikipedia.
We’ve discussed methods; now we’ll focus on motivation, of which there are a few main categories:
Competitors can use information to get their products and services to market quicker and perhaps save millions on R&D costs. Military aircraft and weapons specs and clinical data for new drugs come to mind when nation states are involved.
Discussions about, and lists of, high net worth clients may be stolen and used for retargeting or poaching by the spying party.
Information about business deals, M&A activity, quarterly earnings, remuneration packages etc. would be valuable information for competitors.
Information about successful campaigns, target market, budget etc. could be gleaned here.
Corporate Espionage & The Law
In the US, the Economic Espionage Act of 1996 has governed corporate crime in this area, while in the EU “The EU Trade Secrets Directive (EU 2016/943)” governs the scope of what’s considered a crime for EU states.
With regard to the US law, it has been and will continue to be very much focused on punishing foreign sale of information, as was seen in the first trial conviction under the law, which involved a Boeing engineer who had sold trade secrets to China.
The US takes into account the following factors when applying the law and administering penalties:
The scope of the criminal activity, including evidence of involvement by a foreign government, foreign agent, or foreign instrumentality
The degree of economic injury to the trade secret owner
The type of trade secret misappropriated
The effectiveness of available civil remedies
The potential deterrent value of the prosecution
The EU laws, by contrast, define the following types of data as in scope of their regulation, largely agnostic of whether foreign powers were involved:
Marketing Data and Planning
Customer or Supplier Lists
Financial info and biz planning
Process know-how and technology
Formulae and recipes
While the existing top end of the scale in fines is 5 million and/or 6 months in prison under the EU law, it would pale in comparison to the US, where prison sentences for espionage can be closer to life sentences on conviction and there are no set limits on fines.
In the area of corporate espionage, we’re likely to see more sophistication of attack methods as nation states and criminal gangs arm themselves with attack tools like those stolen recently from FireEye, and EternalBlue before that. We’re also likely to see greater penalties over time by the EU as the 2016 directive matures, and hence greater visibility as an issue at the board level. Vigilance and proactive countermeasures are more important than ever.