Industrial Espionage xxix
Introduction
mail addresses it obtained from the existing e-mail address book it found on
the victim’s machine. It immediately began sending out these infectious e-
mails from every machine it touched. The Melissa infection spread across
the Internet at an exponential rate. Systems were literally brought down
from overload as a result of exponential propagation.
Industrial Espionage
A company might be subject to industrial espionage simply because its
competitors share some level of sensitive customer information that might
be worth millions for interested parties, which range from governments to
the press to corporate and private entities. This situation might be encour-
aging enough for many hackers to tempt fate and attempt to obtain such
information. Internal staff might consider the risk minimal and give away
such information. There could be active attempts to retrieve information
without authorization by hacking, sniffing, and other measures. A case of
espionage can have serious consequences for a company, in terms of incur-
ring the cost of lawsuits and resulting damage awards. This situation can
also devastate a company’s reputation in the marketplace.
Formally defined, industrial espionage is the act of gathering proprietary
data from private companies or governments for the purpose of aiding oth-
ers. Industrial espionage can be perpetrated either by companies seeking to
improve their competitive advantage or by governments seeking to aid their
domestic industries. Foreign industrial espionage carried out by a govern-
ment is often referred to as economic espionage. Since information is pro-
cessed and stored on computer systems, computer security can help protect
against such threats; it can do little, however, to reduce the threat of autho-
rized employees selling that information.
Cases of industrial espionage are on the rise, especially after the end of
the Cold War, when many intelligence agencies changed their orientation
towards industrial targets. A 1992 study sponsored by the American Society
for Industrial Security (ASIS) found that proprietary business information
theft had increased 260 percent since 1985. The data indicated 30 percent
of the reported losses in 1991 and 1992 had foreign involvement. The
study also found that 58 percent of thefts were perpetrated by current or
former employees. The three most damaging types of stolen information
were pricing information, manufacturing process information, and product
development and specification information. Other types of information
stolen included customer lists, basic research, sales data, personnel data,
compensation data, cost data, proposals, and strategic plans.
xxx Industrial Espionage
Within the area of economic espionage, the Central Intelligence Agency
has stated that its main objective is obtaining information related to tech-
nology, but that information on U.S. government policy deliberations con-
cerning foreign affairs and information on commodities, interest rates, and
other economic factors is also a target. The Federal Bureau of Investigation
concurs that technology-related information is the main target, but also
lists corporate proprietary information, such as negotiating positions and
other contracting data, as a target.
Because of the increasing rise in economic and industrial espionage cases
from the mid-1980s to the mid-1990s, the U.S. government passed the
Economic and Espionage Act of 1996. This law, coded as 18 U.S.C.
§1832, provides:
(a). Whoever, with intent to convert a trade secret, that is related to or
included in a product that is produced for or placed in interstate
or foreign commerce, to the economic benefit of anyone other
than the owner thereof, and intending or knowing the offense
will, injure any owner of that trade secret, knowingly—
(1). steals, or without authorization appropriates, takes, car-
ries away, or conceals, or by fraud, artifice, or deception
obtains such information;
(2). without authorization copies, duplicates, sketches, draws,
photographs, downloads, uploads, alters, destroys, photo-
copies, replicates, transmits, delivers, sends, mails, com-
municates, or conveys such information;
(3). receives, buys, or possesses such information, knowing
the same to have been stolen or appropriated, obtained,
or converted without authorization;
(4). attempts to commit any offense described in paragraphs
(1) through (3); or
(5). conspires with one or more other persons to commit
any offense described in paragraphs (1) through (3), and
one or more of such persons do any act to effect the
object of the conspiracy, shall, except as provided in
subsection (b), be fined under this title or imprisoned
not more than 10 years, or both.
(b). Any organization that commits any offense described in subsec-
tion (a) shall be fined not more than $5,000,000.
Get Business Continuity and Disaster Recovery for InfoSec Managers now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
