Industrial espionage: Data out of the door

Un article intéressant sur l’espionnage industriel.

Extrait de : Industrial espionage: Data out of the door, By Jamil Anderlini in Beijing, Peter Marsh and John Reed in London, Joseph Menn in San Francisco, Peggy Hollinger in Paris and Daniel Schäfer in Frankfurt, FT, February 1 2011

Jin Hanjuan was about to board a flight to Beijing almost four years ago when a random check stopped her in her tracks.

According to court documents and an FBI affidavit filed in an economic espionage case against her, when customs officers at O’Hare airport in Chicago inspected the bags of the 40-year-old software engineer, they found more than 1,000 confidential papers that are alleged to have been stolen from Motorola, the US electronics group for which Ms Jin had worked until two days before the flight.

The court papers say the officers also discovered Chinese military manuals, a European company’s catalogue of military products, documents detailing Chinese military applications for electronics equipment that had been drafted by an unnamed Chinese telecommunications company, and $30,000 in cash.

In the criminal indictment against Ms Jin, due to be heard next month in a Chicago court, Motorola says the research and development costs of the information in her possession exceed $600m. The company would lose substantial global revenues if the contents were made public, it adds. Ms Jin has pleaded not guilty.

In a separate civil case brought by Motorola, Ms Jin is a co-defendant with Huawei, the Chinese telecommunications equipment maker, over an allegation that she and others were “secretly engaged” in product development for the Chinese company at the same time as they were employed by Motorola. Huawei has said the case brought by Motorola is “without merit” and has refused to comment on the criminal case.

The legal actions involving Ms Jin have thrown the spotlight on the murky world of industrial espionage – defined as the use of illicit means by companies or their agents to disrupt their rivals’ operations or gain access to their secrets.

Interest in the subject has been heightened by a highly publicised affair in France that has led to Renault, the automotive group, sacking three top executives after alleging they had passed on confidential documents to outsiders. According to Carlos Ghosn, the group’s chief executive, the alleged theft relates to the company’s business model for battery powered electric cars – an area where Renault and Nissan, its Japanese partner that Mr Ghosn also heads, are investing €4bn ($5.5bn) in a significant early bet on the technology.

Industrial espionage is being catapulted to a position of great relevance to many of the world’s top companies as technological change becomes of growing importance to business performance. Companies across the world are increasingly interested in gaining access to their competitors’ secrets as early as possible in the development cycle for new products and services.

“There is ... more globalisation and the players are more ...
in competition. The more competition, the more crime,”

says Olivier Buquen, head of the Economic Intelligence Office in Paris,

 a bureau of 12 experts created in 2009 to co-ordinate French corporate intelligence efforts.

According to Dane Chamarro, managing director for North Asia at Control Risks, a security group, industrial espionage affects many more sectors than high-profile activities such as computers, cars and telecoms. “Virtually any company with high levels of research and development and where technology has an impact on the product faces some kind of threat,” he says.

The chief executive of one of the world’s biggest aerospace and defence groups says that in his industry, “industrial espionage is a problem now and it will be even more in the future”.

Most corporate intelligence gathering is legitimate, based on such conventional practices as picking up scraps of information about competitors by attending trade shows. But few people involved doubt that the illicit part of this activity is bigger than it ever was.

The ways that secrets are taken vary. One of the most widely used is when employees switch jobs, taking with them confidential designs. Andrea Riello, chief executive of Riello, a large Italian machine tool maker, says: “In our company, we’ve seen three times in five years that some of our technical secrets have been taken and used in a rival’s products. In each case it seems as though a former employees has taken details to other businesses.” The practical difficulties in gathering evidence mean, Mr Riello adds, that his company has not yet tried to seek legal redress for the “theft” of technologies.

Other instances can be more unusual. One French engineering supplier found that an engineer from an Asian company when visiting its factory stooped to lace up his shoes more often than seemed necessary. The ruse was intended to collect tiny pieces of metal from the floor – discarded from machining operations – that were picked up with a piece of tape on his overlong tie and could later be analysed by a rival business.

. . .

Taking into account all types of industrial espionage but counting only the cost to American businesses, US intelligence officials put the cost of lost sales due to illicit appropriation of technology and business ideas at $100bn-$250bn a year. General Motors, Ford, General Electric, Intel and Boeing are among the US companies known to have suffered from industrial espionage attacks, though all are wary of discussing the details.

In Europe, concerns about the loss of technical know-how have resulted in a push in Brussels for the European Commission to set up a group to monitor foreign investment activity.

According to many people involved with corporate intelligence, Beijing state agencies are often heavily involved in efforts by Chinese companies to gather information about foreign businesses. Russia, France and Israel also have active state-led programmes as well as corporate programmes to appropriate technology from foreign companies but China’s methodical approach is regarded as unique by many in the corporate security industry.

One veteran corporate security manager working for large multinational companies in China says Washington considers that country the biggest threat in terms of targeting US companies’ commercial proprietary information, technical information and data. Nigel Inkster, a director at the London-based International Institute for Strategic Studies, warned in a speech last month, meanwhile, that commercial espionage was now a “big business” with countries such as China engaged in the activity “on an industrial scale”

While some of this stems from the blurry line that separates the government and companies in a country where many of the big guns of industry are state-controlled, another factor is history. Twenty-five years ago next month, Deng Xiaoping, China’s leader of the time, approved a government programme that would become known as the “863 project” (named after the date – the third month of 1986). The 863 programme still exists and is funded and administered by the Beijing government.

Its stated goal is to stimulate advanced technologies in a range of fields, to render China independent of financial obligations for foreign technologies. Many in the west believe, however, that its remit in reality extends to backing the illicit acquisition of foreign proprietary technology.

Whatever the scale and scope of the 863 unit’s activities, China’s state-led industrial espionage operations are uniquely patient and cautious, say China-based economic intelligence experts – a way of working known as the “thousand grains of sand” approach.

They collect “whatever they can in a very broad area that they’re interested in and then they patiently distil their finding down until they get what they need”, according to one corporate security chief working in China. “Their approach contrasts significantly with the Russians, who tend to be overly ambitious and clumsy by comparison.”

The form can vary from paying employees to hand over information or gathering know-how about processes or products while on factory visits, through to cyber-attacks based around hacking into databases or electronic networks.

. . .

Cyber-spying has fast become a specific threat for many companies. “Industrial cyber-espionage is one of the biggest problems that all nations are facing,” says Melissa Hathaway, a former US intelligence official and the leader of a digital security review set up by President Barack Obama.

The scale of hacking to gain corporate information has gone so far, she says, that the Securities and Exchange Commission, the US stock market regulator, might soon need to require companies to assess routinely for the benefit of shareholders how well they are protecting themselves from electronic attacks.

One of the most high-profile companies to have suffered in this way is Google. After announcing last year that it had been the victim of a sophisticated hacking campaign from China, it emerged that attackers had appropriated some of Google’s search engine source codes, a vital piece of intellectual property.

Google later notified more than a dozen other companies it identified as victims of the same campaign. Outside researchers later concluded that more than 100 concerns had been hit, including a big investment bank, other high-technology hardware and software companies and defence contractors. Among those in the Chinese sights were Symantec, Adobe Systems and Northrup Grumman. In all cases, the target was intellectual property, including software codes, chip designs and the like.

The campaign originated on computers used at two universities in China, one of which has strong ties to the military. While the Chinese government publicly denies that it engages in industrial espionage or computer hacking, this view is regarded by many foreign companies as intelligence agencies as being some way from the truth.

What should companies do about the threat of industrial espionage? One answer may be to minimise the possibility of leakages either through elaborate information technology methods or sometimes ideas that owe more to plain common sense. Another may be to abandon any hope that all leaks can be plugged and concentrate on the most advanced technologies and products that are all but impossible to replicate by any outsider due to their complexity and the use of novel ideas.

Dieter Zetsche, chief executive of Daimler, the German automotive group, says he has “no concerns” about a theft of his company’s secrets. “We shouldn’t waste our time trying to protect our intellectual property but try to be innovative and faster than the other guys.”

That said, efforts to crack down on thefts of technology or other valuable business information seem likely to be central to companies’ efforts to stay competitive – especially in sectors such as machine building or high-tech engineering products, where the developed world retains a commercial edge.

Back in the US, when Ms Jin arrives at the Chicago court in the coming weeks, she faces six counts of trade theft and economic espionage, each carrying a potential penalty of 10-15 years in prison and a fine of as much as $500,000. If she is found guilty, a lot of people interested in thwarting industrial espionage in all its forms will raise a small cheer.

Extrait de: FBI probes Chinese cyberattacks on oil groups, By Joseph Menn in San Francisco, FT, February 10 2011

The US Federal Bureau of Investigation is probing a series of cyber-espionage attacks on at least five major oil, gas and petrochemical companies by hackers based in China.

The attacks, which began more than a year ago and are continuing, have succeeded in capturing sensitive financial information, including plans for bidding on drilling rights in specific fields, and production information, such as the configuration of equipment.

“These were company worker bees, not freestyle hackers”, said Dmitri Alperovitch, a researcher at Intel-owned antivirus firm McAfee and a contributor to a white paper on the campaign being published on Thursday.

Mr Alperovitch said he and his colleagues had briefed the FBI and that the agency was investigating.

“We are aware of the threat to the oil and gas industry” from cyber-espionage, said FBI spokeswoman Jenny Shearer, adding that she could not confirm or deny specific inquiries.

The National Cyber Forensics and Training Alliance, a US non-profit group that works with private companies as well as law enforcement and academia, has also been researching the case, and group chief executive Rob Plesco said it was the first that he knew of against the oil and gas industry.

Mr Plesco praised McAfee for going public with a description of the attacks on its clients, since targeted companies themselves rarely confess to such breaches and they can serve as an effective warning.

According to the white paper and Mr Alperovitch, the attacks began with an assault on the companies’ external websites using a common technique known as ‘SQL injection’, named after holes in the Structured Query Language used to communicate with databases. Hacking tools readily available on underground forums in China were then used to gain access inside the company’s servers, and automated cracking techniques gave the intruders user names and passwords.

The hackers then installed software to control the compromised machines and sent off e-mails and targeted documents to internet addresses in China.

They used previously known software flaws and did not go to great lengths to cover their tracks, the researchers found.

Such attacks are commonplace in many industries, investigators and law enforcement officials say, but are rarely divulged or explained.