He that wrestles with us strengthens our nerves and sharpens our skill. Our antagonist is our helper.
-- Edmund Burke
Knowledge is power.
-- Francis Bacon
Call it what you will--industrial intelligence, industrial espionage (my personal favorite, as it
doesn't attempt to obfuscate, and which I shall refer to as 'indesp' throughout this paper),
competitive intelligence, marketing--the process and tradecraft of intelligence gathering in the
free market is an old and time honoured profession, albeit an infrequently admitted one.
Intelligence suffers an artificial bifurcation in the public perception--military/political
intelligence and industrial/commercial intelligence. This is clearly absurd; information is
information, and economic strength translates to power of many sorts, including military power.
If intelligence must be categorized, perhaps a better 'split' would be strategic (intent) and tactical
(means and methods); strategic intelligence does tend to translate along military and political
lines, while tactical intelligence falls onto the ways that such goals might be achieved.
The Cold War between the Soviets and United States showed clear examples of such
things--submarine technology (including silent propulsion and hull composition), or computer
hardware and software. How to preserve the mobile retributive strike capability of a viable
ballistic missile submarine fleet? How to improve C4I, design weapons of mass destruction,
develop stealth aircraft, make and break advanced cryptographic systems? All that remains are
the implementation details of such grandiose strategic plans, and therein lies the rub. There is no
'dual use' technology, as it appears that everyone in the world except the United States seems to
have realized--intelligence is intelligence, power is power. Global powers--Russia, France, Japan,
China, Germany, Britain--have extensive programmes for the gathering and utilization of
intelligence, without regard for any such artificial distinctions.
If power is the motive, and the purpose of this paper is to provide some discussion of method,
what of opportunity, the third leg in the tripod of criminal undertakings? If, as Locke suggests,
property is the act of plucking something from Nature and making it your own (through the act of
acquisition, or through the addition of value), then 'property is theft' reaches a pinnacle with
information. Data and information, being 'virtual,' have numerous advantages from a thief's point
of view--easy to conceal, easy to transport, extremes of value, freely copyable, and not
necessarily a noticeable absence--the apogee of crime, and what is espionage after all, but
sanctioned criminality? What of the loss? Loss of market, loss of moral or material surprise, loss
of a strategic advantage? How to define and put a value to an unknown, a potential? What
separates the pirate making perfect digital copies and the intelligence officer of a sovereign
nation? Damned little--as Samuel Johnson said, patriotism is the last refuge of a scoundrel; do
not bestow false dignity to the latter, nor revile the former. Both are opportunists, taking
advantage of the happenstance of information--not that it wants to be 'free,' but that it defies any
attempt at control.
The Usual Suspects
When Thales was asked what was difficult, he said, "To know one's self." And what was easy, "To advise another." When asked what wine he liked to drink, he replied, "That which belongs to another."
-- Diogenes Laertius
A rather distinct but covert subculture of 'indesp' professionals exists, sometimes in partnership,
occasionally under contract, usually in competition with the government sponsored intelligence
officers. Indesp is a global business practice--the act of arbitrage in information, knowledge, and
skills, the software and wetware of the modern age. Commercial intelligence 'levels the playing
field,' moving product and process knowledge from the 'haves' to the 'have nots.' Amateurs might
do it from a belief (notable historical example of this freelance action to balance the powers:
nuclear weapons technology), but professionals do it for the money, and like any industry, there
is a complicated network in place to accommodate, facilitate, and otherwise service indesp pros.
Knowledge is of two kinds: we know a subject ourselves, or we know where we can find information upon it.
-- Samuel Johnson
Information of the vendable sort (a market being created when there is one more person who
wants it than has it) is either in someone's head (where it must be induced to be communicated),
or published in some form somewhere, no matter how restricted the readership list. Human
intelligence is the best mechanism for acquiring what might be desired; in a world of 'data, at rest
and in motion,' humans are always in the loop, and the weakest part. Insiders can always be
found, through blackmail or cash payments, or arranged, as with moles. The foibles of humans,
just as with a sword blade, are the easiest place to bend someone: drug use, deviant sexual
behavior, criminal activity, all provide the leverage for cooperation; human capital is always
undervalued, and such inequities, as well as a show of appreciation, can be rectified in a way that
satisfies the knowledgeable personnel's need for material and emotional gratification that
corporations don't satisfy. Given a reasonable and diverse skillset, an indesp professional can
provide themselves with layers of cover story (including legitimate operations, false fronts,
manufactured credentials, or even identity theft) and run their own penetration, acting as a 'mole'
to gather intelligence. Another option, and a favorite of the amateur (not a reflection on their
skill, just on their financial motivation, see the bracketed paragraph following this one), is
'wetware hacking' or 'social engineering,' using a variety of methods to elicit
information--sweet-talking, FUD (fear, uncertainty, doubt), C3 (chaos, catastrophe, confusion),
authoritative bluster, "we're all in the same boat," "help the confused
customer/newbie/co-worker," and the ever popular "you can go anywhere with a clipboard"
method. A great deal of intelligence of interest is already located outside the control of the point
of origin (once information is 'on the loose,' who can tell how far it might go?)--in the hands of
people like the media, system integrators/outsourcers, contractors, financial institutions,
examiners/auditors, participants in corporate agreements (partnerships, strategic relationships,
acquisitions, due diligence)--places and people who will likely be far less careful with it.
[The reader may be under some misimpression by my use of the word 'amateur,' a term that has
negative connotations in the idiom of American English. A proper definition of the term is 'one
who engages in an activity as a pastime rather than a profession.' As I said, this is not a statement
upon the actual skill of the individual or performance, just that of motivation; it is a particularly
American conceit that if you aren't doing it 'for the money,' it is because you aren't good enough
to. This is asinine, of course, but does lead to difficulties: I believe that a great deal of the
confusion over such things as the 'hacker ethic' derives from this source--hackers rarely engage
in their activities for a profit motive (to the chagrin of those attempting to prove such to
prosecute hackers under the law), but more for the sheer love of the art.]
Technology provides an additional body of sources, but again, the cornerstone is people--a
fundamental flaw in the design of security systems is that they are oriented around trust and
access control, and without considerable effort, it is very difficult for a machine to distinguish
one human from another. Security systems make a poor bald assumption--once access is granted,
you have relatively carte blanche access. Human-oriented and run security processes, such as
guards, have all the flaws of human judgment, as mentioned above; computer-oriented and run
security processes have all the flaws of human judgment, as well the handicap of having such
flaws as automated constraints; mixed systems, those utilizing computers and humans, can be
arbitraged through trust assumptions, where one element of the system can be subverted to
override the judgment of the other (such as a guard overriding a security system and allowing
access to a controlled area, or the guard's assumption that what the computer is telling him/her
must be more accurate than their own judgment).
Computers, computer networks, phone systems, and all the other tools and toys of technology
give rise to spoofing (pretending to be someone else on the other end of the connection), sniffing
(watching packets of data on networks, from passwords to electronic mail), hacking (or cracking,
breaking into computer systems for the data they contain), signals (bugging, or more interesting
intercept methods such as TEMPEST radio emissions from electronic devices, or watching
microvoltages in covert channel attacks), trashing (everything ends up in the trash, from
voluminous print-outs to trivial details that help put layers onto cover stories or enable wetware
hacking), and even that low-tech answer to high-tech protections, the 'black bag' job (forced or
surreptitious entry). While such technical methods of gathering leave smaller footprints than the
use of human sources (critical in the game, to sever the relationship of cause and effect that
might make the espionage a provable offense), 'open source' methods leave smaller footprints
still--data acquired from public sources such as computer databases, the media and public
domain publication, educational and research establishments, or the other mechanisms of an open
society, like the patent office, conferences, conversation, and even things such as the Freedom of
Information Act (what of nations where informational controls are tight, and this sort of open
source work isn't as easy? The indirect response to that question is a question of my own--what
closed society has made significant commercial advances that require espionage to obtain? The
informational controls used in closed societies also act to inhibit internal communication and
advance--closed societies only rarely are the subjects of industrial espionage because they so
rarely have information worth stealing).
Free trade is not a principle, it is an expedient.
-- Benjamin Disraeli (Earl Beaconsfield)
An indesp professional may engage in an operation with a buyer arranged or not; regardless, this
point merely shifts some of the uncertainty. Having a buyer in place prior to the espionage effort
begs the question of whether the desired information can be acquired, not certain by any means;
having acquired information of some value, a suitable client must then be ascertained, and an
arrangement reached, a proposition also not without some risk.
There is, in general, no shortage of potential clients--market competitors, or the competitive
intelligence programs of multinationals or governments. Client contacts are through accepted
channels or cut-outs--attorneys, research firms, or technological methods; such contacts are the
riskiest element of the indesp profession. Given the nature of the product, exchanges of value can
well leave the professional holding the bag, or vice versa--the client has what they want, the
professional is left empty handed by way of payment; the client gets what they want, while the
professional embraces the payment and lines up yet another client for the same product.
That buyers for the outcome of industrial espionage operations aren't in short supply is an
interesting indication of the state of the global economy, as well as a hint at the darker side of
Dirty Little Secret
Look beneath the surface; let not the several quality of a thing nor its worth escape thee.
Look to the essence of a thing, whether it be a point of doctrine, of practice, or of interpretation.
-- Marcus Aurelius Antoninus
The Intelligence Process
Inconsistencies of opinion, arising from changes of circumstances, are often justifiable.
-- Daniel Webster
Before I expose the rot at the core, let me step back and briefly comment on the 'standard'
intelligence process, as practiced by modern large-scale intelligence agencies, which has some
deficiencies. All spooks work for pay--it is merely a matter of degree, and the coin; the political
nature of some recompense, however, exacts a corresponding toll, a focus on quantitative
answers. Both these elements are dangerous to an accurate picture: 'quantitative' intelligence by
definition is limited to those things that can be counted, graphed, numbered, or have some metric
applied (numbers of tanks, numbers of troops, megatonnage at the press of a button), the stuff
that military dreams and nightmares are made of; 'answers' are just as limiting, a static snap-shot
that don't actually resolve matters, yet are beguiling to the uninitiated consumer. There are rarely
'answers,' and 'facts' that substitute temporarily will only briefly represent a fragment--this bit
connects to that bit, which is linked to those over there, which connect into a broad tapestry.
What started World War II? Who shot President Kennedy, and why? Incredibly well documented
events, with facts but no answers, and to understand any of it, you have to connect it with the
ever-shifting network of other facts. The intelligence process participants, from consumer down
the food chain through analyst to source, are ill prepared to ask the right sort of question;
questions define the boundaries of knowledge, identify the assumptions of the person asking, and
only rarely give any thought to consequences. A good example is the quiet 'in joke' and dirty
secret of the indesp profession.
I have found you an argument; I am not obliged to find you an understanding.
-- Samuel Johnson
Progress is a funny thing; you don't know what you don't know; most of scientific discovery
came from (and still does, since that process is far from over) accidents, or collateral discoveries,
or as the by-product of basic research. Our steady march into the future is a blind one, no maps,
no signposts. Knowing of something, a direction, or that something is possible, has a profound
effect--look at the development of the fission and then fusion weapons. Knowledge of the
existence and functionality of the weapon dramatically shortened the development cycle for those
who entered it late--not only were they able to prune their search trees because of negative
feedback (they had an idea of what the wrong answers were), but they knew where to go look for
the right answers (among which espionage was a potent tool).
Complexity, however, soon rears its ugly head. While the basics of the nuclear development
cycle can be manipulated with WWII-era tools (still a reasonably advanced industrial
requirement, remember), more complex developments require advanced tools--computer models,
refinement processes, fast explosives, switches of incredible precision. Soon enough, the tools to
build the tools to build the tools to build the end product becomes a deep, complicated network.
Think of taking every bit of information, knowledge, and skill related to jet manufacture, and
setting it down in a primitive, tribal region of Africa (or in King Arthur's time, you Connecticut
Yankee)--can they build jets? Not without building a lot of other things first--one of the open
'secrets' of the development of political economies is that while the products of the technological
age can be used everywhere, they cannot actually be constructed in an agrarian or simple
industrialized economy. This dirty little secret is why the Soviets spent themselves into oblivion
trying to keep pace with the technological development of the West and still fell short--they were
as well equipped as a Cargo Cult to build advanced gear, even if they were able, through
espionage, to get their hands on production specifications. The only reason the Soviets made it so
quickly to the level of development necessary to become a nuclear power after WWII was that
the U.S. had shipped a great deal of its production processes to its wartime ally, providing a
closer level of parity. During the Cold War, rigid controls on production processes and products
were the unsung heroes which collapsed the communist giant--because no matter how much
labour or energy Marxist doctrine said could solve a problem, people are not interchangeable,
and knowledge is the key ingredient.
Contemporary indesp is tightly focused on just this sort of issue--the knowledgeable players are
quietly gathering as much process-related intelligence as possible, since without it, any
product-related intelligence is nigh worthless. Does the know-how on how to manufacture the
latest computer chip, even if delivered to a client in a complete package, make any difference?
The knowledge-to-labour ratio is still weighed against them for having cut the corners; the only
way the short-cut actually has any real value is if they are already on the verge of it themselves. A
work-around that has risen in the indesp industry has been to step back from work-process
espionage and to focus on mixed knowledge/labour or pure knowledge targets. This is why
certain domains and industries are the most regularly targeted--computer software,
biotechnology/pharmaceuticals, fashion, financial knowledge that can be traded on. These are
industries that have incredibly fast product turnover cycles, coupled with products that are heavy
on information-knowledge and light on labour. Complex processes, particularly those related to
the production of military materiel, are hard targets--not because of the security around them, but
because the production cycles are so long (not to mention deeply complex network structures),
the potential client base is small, and the labour and value-chains necessary to go into production
are extreme. If a 'rogue' nation with an underdeveloped political economy is in the market for
weapons, they'll be looking for those already assembled, or with minimal production
requirements--it won't be plans for a nuclear device, it will be the finished product; but it might
be the know-how for chemical, biological, or informational weapons, those they can build
So that's the dirty secret that indesp professionals don't tell their clients or prospective clients--
the client asks for the wrong sorts of intelligence, so when they get what they asked for, they
either can't use it (they don't have the necessary infrastructure to exploit their new knowledge),
or if they can, they didn't need to (or shouldn't have had to, see the conclusion of this paper)
resort to industrial espionage (and their competition still has lead-time, the same product/process,
as well as the team that created it). In short, indesp professionals know that they're finagling their
customers, one way or another.
There is nothing so powerful as truth--and often nothing so strange.
-- Daniel Webster
I thought a selection of laundered (to protect the innocent as well as the guilty) comments from
the trade might drive these points home.
Technology companies have various advanced technology groups (ATGs), labs, and killer
projects; not only do the personnel here have access to most of the technology inside their own
organization, they'll commonly have access to comparable technology in other corporations. A
wonderful leverage point, the only problem is that potential clients will be able to guess the
source of the information (which is a danger), or in a number of cases, the technology isn't going
to be worth anything. For example, the pen computing market was a small, insular community,
where everyone knew everyone else's business, and even then, none of the products from the first
few generations of pen systems made a significant impact in the marketplace. In another instance,
significant dollars of ATG development, upon careful review and numerous attempts, piqued no
market interest whatsoever; pet projects, regardless of how expensive, have little real value.
Companies who view their employees as 'slaves' will have corporate monitoring systems for
electronic mail, PBXs (to ostensibly monitor the phone calls of their sales staff), have open
cubicles, etc. These monitoring programs certainly simplify the process, as what works on one
will work on another--including the management, who's corporate e-mail and phone
conversations will commonly provide gossip, financial details, and technical discussions. Some
PBX systems, aside from having weak voicemail security, can even have their audio monitoring
functions patched to the outside lines, so a phreak dialing in to the switch can monitor the
company from the comfort of their home. This leverage point has yielded up everything from
'inside' information to be traded upon, to realistic assessments of technical projects' feasibility,
valuable to a worried competitor.
Garbage In, Garbage Out
Everything ends up in the trash sooner or later, and dumpster diving or trashing can come across
all sorts of valuable intelligence. While some organizations will shred some documents,
collateral intelligence, such as phone logs, scraps from the copy room, personal materials,
outdated materials, and the accidental bit of confidential material do end up on the trash heap.
While some interesting examples such as the Clipper-chip documents, or the 911E sourcecode,
have provided direct public demonstrations of the value of trashing, it isn't the entire story.
People appear to go numb above the shoulders when they throw things out, as they provide the
most intimate details of their lives to anyone willing to fish for it--useful in backstopping, efforts
at blackmail, or hacking the wetware of the target's people.
Even with the use of electronic means of data transfers, a great deal of worthwhile information is
wandering around inside of portable computers. Traveling personnel are at great risk, and not just
from theft of their machine during a security check or from baggage handling. Some aircraft have
been wired with TEMPEST gear, to snoop on the work done by first-class international
passengers, a hurdle that acts to help filter the quality of the information; hotels have been
similarly wired, including the full audio/visual spectrum. On more than one occasion, I myself
have had my computer held up in Customs, where a later review on my logs shows that a number
of attempts were made to get at datafiles (which is why I now cipher everything and leave my
files in an offshore datahaven, for later retrieval/decipher once I reach my destination; my
portable is clean, and my crypto software is on floppy in my pocket, as well as available via
If people are the weak link, then the skill of social engineering is the most crucial; it essentially
depends upon having a plausible reason to ask questions. Skilled practitioners will do their
research to provide the best cover story for inquiry, including nesting cover stories in the event
that someone 'peels the onion' and questions the story. While people have talked passwords or
bank account information out of an individual on the phone, the in-person treatment (while
riskier) provides a better chance of real success. With a little backstopping (business cards, a
shell corporation, phone/mail receiving, appropriate costume), there are very few places you can't
get into, acquire what you desire, and walk back out, at which point all that gets remembered is
the plumber, painter, mover, delivery man, copier repair man, caterer, building inspector, etc.
Birds of a Feather
The amazing thing about questionable activities is that those engaged in them stick together--be
it drug use, sexual behavior, or whatever, being 'in the group' lowers a number of guards. It
commonly isn't even necessary to resort to blackmail--the bond of the mutual, shared sin offers
grounds for 'mutual' concealment and disclosure of confidential details. One instance of this had
an indesp professional discussing hacking and drugs, both of which he had developed a
deliberate reputation for, with a group of similarly interested individuals; in the process of
sharing details of their sins, the professional learned who to contact for the information sought,
the best way to approach the subject, and the rough details, at least enough to pretend significant
knowledge already, and to extrapolate considerably more.
Technological systems like e-mail, audio distribution systems (voicemail), and intranets are just
mechanisms to leave information lying around; who comes along to pick it up is a matter of
access control, a joke at best. During a notorious 'hacker war' of the 1980s one company, which
provided an outsourced backbone for a set of multinational corporations' e-mail, became the
battleground of rival hacker tribes; massive disruptions of service were just a small part of the
war, but more significant was that in a number of the corporations, e-mail was spoofed to force
bad business decisions, and other e-mail was used for information on the schedule and
announcement of the corporations' financial and acquisition moves. One professional taking
advantage of the opportunity copied offline many years of corporate data, which became the basis
of a 'Harvard Business School'-type case-study business education, comparing corporate actions
with market success and failure. The outsourcing or use of independent system providers still
provides system insiders considerable opportunity for access to intelligence-grade information.
A superb method to plausibly ask questions is a cover as a journalist; this is one reason why the
U.S. Central Intelligence Agency desires to continue using such covers. Journalists have great
access to information, including 'off the record' sources that can provide significant details once
aggregated together. An indesp practitioner once successfully participated in the founding and
operation of a technology publication just for the cover such credentials provided; the
proliferation of reputable newsletters and on-line publications of similar intent have made this
sort of cover the most readily available and fruitful.
Machiavelli's warnings regarding the use of mercenaries is rarely heeded, perhaps because they
are called 'consultants' in modern parlance; the boom of the consulting industry, from those
related to the accounting firms, to the craze regarding 'business process re-engineering' have
made consulting firms a license to steal. From providing the opportunity to question anyone in
the corporation, including management, to performing detailed systems/operational analysis upon
the organization, consulting can translate into getting paid by the target to develop the
intelligence, which only incidentally happens to be provided to the target itself.
Nearer My God to Thee
God, religion, and cults are good covers: one indesp professional planted and monitored listening
devices in confessionals of religious institutions in target-rich areas, a rich source of blackmail
(God may forgive, but, oh, the wife and family...). One notable international cult movement
requires its members to unburden themselves (for a fee, no less) to 'licensed' members trained for
such purposes; a professional who joined this cult for the expressed purpose of landing such a
position used it for years to gather high-grade intelligence from members in high-tech, law
enforcement, and military positions. That the organization itself also seemed to be after similar
sorts of information was considered by the professional to be more than a coincidence; a sizeable
portion of the 'congregation' were also UFO (unidentified flying objects, the belief that the Earth
was being regularly visited by aliens from another planet) enthusiasts, who would regularly trek
out to classified military installations, using everything from photographic equipment to sensitive
gravitational detectors in the area. As a cover story, this provides a solid example of good
layering--gathering intelligence where, if discovered, one can pretend to be mentally unstable
(UFOs, then the cult), thus not a significant threat to the installation.
The employment process provides a great deal of information in both directions, and has been
used for such. A prospective candidate can gather relevant project details based on the hiring
profile of the target organization, and has an open license to ask questions during the interview
process (subversion of a professional headhunter in the target industry has also proven fruitful).
Conversely, a corporation can use its hiring system as a method to gather intelligence, targeting
the skilled personnel of a rival corporation, and using the recruiting process to establish the
competitive project's status and details.
Wizards and the Smell of Victory
Technical wizardry, such as hacking or sniffing, can be performed from outside an organization,
but are far easier from withing; legitimate access, even of a limited source, provides system
details, as well as opportunity (for example, sniffing the packets of a network require only the
proper software on a network-based machine, commonly provided to even the most junior of
employees in an organization). More profound tactics have been coming into play after the Cold
War, as spooks and warriors, put out to pasture, turn the tradecraft they learned to their own
benefit; such tradecraft rapidly becomes an element of the domain knowledge of the community,
and explains the increasing use of TEMPEST, covert channel, and other signals attacks in the last
few years. Such tradecraft might have been pioneered by the formal intelligence community, but
it has rapidly settled in the indesp domain.
Follow the Money
The faceless, grey men of the accounting profession have access to considerable data long in
advance of the standard financial markets possessing it; workers in this profession are typically
overburdened, overworked, underappreciated, recent business school graduates labouring under
their educational debt burden, a textbook target. Another financial mechanism of intelligence
gathering has been the 'due diligence' process, between strategic partners or potential acquisition
targets, allowing access to financial (and other data, such as process, production, and technical
disclosures) intelligence without any real commitment. Indesp professionals have also been
utilized to confirm or refute the 'smoke and mirrors' presentations that are part of the diligence
process, so that the potential acquiring organization has a more accurate picture of the value and
reality of the target.
Full Service Bank
One notable financial institution was a 'full service' bank for indesp professionals--providing
money laundering, contact cut-outs, client management, and a number of other services. When
this bank was forced to close its public doors, the informal 'black network' providing such
services remained operational, and still provides important services to this day.
A number of indesp professionals have found steady employment inside the competitive
intelligence groups of multinational corporations. The opportunities to leech out worthwhile
intelligence and arrange for independent marketing of it is significant, particularly to the
security/counterintelligence departments of the original target; this creates the obvious
self-perpetuating marketplace, where intelligence is acquired, the target alerted, the target
implements new measures, which requires new operations for acquisition, and so on.
The Curious Software Giant
An interesting negative example is that of one massive software corporation, which is roughly
immune to indesp efforts (but not above engaging in them, incidentally). While enormously
successful in the marketplace, this organization has been a technology 'follower,' not leader, and
has built successful product lines on the 80/20 rule (bring a product to market fast, with only
80% of the functionality of the competitor, for only 20% of the original effort, and then develop
marketshare using its overall clout). This same organization has also run successful
disinformation campaigns in the marketplace, talking up vaporware products not even in
development, but that the phantom existence of discourages corporate buyers from purchasing
available products from competitors. Even the fact that the technical vision of the founder and
senior scientists has been almost entirely at odds with what has actually occurred in technology
and the market hasn't seemed to have had an effect. This example shows that having the technical
edge isn't at all necessary for success, and that market clout and contracts can make one immune
to the consequences of espionage or one's own bad products.
A Matter of Interpretation
Worth noting is another curious example, a computer hardware/software corporation that even
having an 'inside track' on is of dubious value. An analysis of stock movements confirmed an
offhand remark made by one knowledgeable insider--the stock would rise on product
announcements, and fall on the actual product release. Overpromise and underdeliver is no
market pleaser; perception of information still has dramatic impact on its value, leaving any who
interpret it at as much risk as those not in possession at all.
History is little else than a picture of human crimes and misfortunes.
Industrial intelligence/espionage is indeed about having an 'inside guide'--like Willie Sutton
robbing banks because "that's where the money is," you have to go where the information is.
Indesp as an industry is a growth one; the idea of 'property' is a fuzzy one at best, and has grown
increasingly difficult to manage as technology advances. Information is just too portable to
Global players, from governments to corporations, have made the cognitive shift in
understanding that financial success in any form translates into the sort of power they already
understand, and they are willing to undertake most any operation that provides them with an
edge. The U.S. is essentially alone, as a practical matter, in demanding that virtual property rights
exist, and this is reflected even into the intelligence establishment, which not only eschews
industrial intelligence, but has stepped back on the Cold War efforts which protected intellectual
property in the form of products and processes. It is no wonder that the major indesp playing
field is the U.S.--few controls, poor protection, and a continual source of the new and novel that
can be taken, improved upon, and exploited back into the marketplace.
It is important to note, however, that resorting to industrial espionage, whether by a corporation or government, is an indication of a fundamental weakness, a clear sign of some incapacity or inadequacy. A look at the global players is instructive:
-- The Soviet Union, and now Russia, is laboring under a non-functional economy; by a fluke of history, the USSR was once a global competitor for domination, but the effort wore it out, an exhaustion that lingers to this day. Indesp efforts are an attempt to convert the old State intelligence apparatus into something useful, something which can help assuage the woes of a collapsing nation. Controlled economies are just not creative, creativity being a threat to hierarchical control; free market economies are wildly creative because anyone with an idea can attempt to bring it to the marketplace. This creates a great deal of market flux and chaos, but stability occurs because success in a market greatly depends upon the consumer, who decides life and death by the purchase (or not) of products and services. Much like predators and prey in an ecosystem, political economies thrive best when left alone.
-- France is suffering similar economic woes, and for similar reasons--controlled economies can't compete with free economies, and socialist supports in market segments cause artificial skewing of those few market forces actually in-play. Indesp is viewed as a way of poaching on the successes of others, without having to alter the fundamental flaws in their own economy; it works, to a point. They keep hoping it will work better.
-- Japan/Korea labour under controlled economies, and also have a keen understanding of a cultural shortcoming--they are fantastic at refinement, but not nearly so good at discovery. Once a proof-of-concept is laid out, in process or product, both countries excel at making it work better, faster, and cheaper. I'm personally inclined to view this as a necessary thing--pioneers and settlers both have their function, and one should appreciate the other, but formalizations of such partnership relationships are seemingly anathema. Indesp efforts for these economic giants are essential--they require a continual in-flux of the new and novel to subject to process refinement because the old and accepted can only be refined so far. Much like an expansionist empire that must grow or die, this is the modern equivalent.
-- China is playing at capitalism, while quietly hoping to do to the U.S. what the U.S. did to Great Britain--offer a huge potential market for goods and services, but steal as many of the processes as quickly as possible. The rise of the U.S. and the fall of the U.K. as the dominant global power, however, involved more than just the acquisition of technology, it required Great Britain to get involved in some very crippling and financially burdensome wars, something the Chinese may either hope will happen to the U.S. by chance, or with a little help. Note that China's large scale indesp efforts are not necessarily because of any cultural flaw--the success of the Hong Kong economy under sound management so demonstrates--but again from the cancer of collectivism. The attitude that resides behind the human rights position of the Chinese leaders is also the limiting factor that will preclude significant advance--a complete non-recognition of the value of the individual, even to the point of being willing to utterly eradicate the slightest aberration of individualistic behavior. Indesp can only make up for so much; the true shame of the matter is how willingly many of the targets of Chinese industrial espionage operations give up valuable intelligence. While it remains to be seen whether China's efforts can make them into a global power such as the Soviets once were, two points are important to remember--the effort nearly destroyed the country and satellites under Soviet control (not to mention the effect on NATO members), and that, for a time, the Soviets held the power in their hands to eradicate all life on the planet, a threat that conferred some leverage upon world affairs.
-- Israel is one of the world's worst indesp offenders; they have wide ranging indesp efforts
inside the U.S., among others, and utilize the political/emotional clout built since the Holocaust
to manipulate their victims. The political economy of Israel, for all the democratic trappings,
varies from fascist to theocratic; indesp is only a minor manifestation of a psychology that was
founded upon theft (of Palestine). I am perpetually boggled at the level of support and coddling
the U.S. provides to Israel, particularly in light of the moral and ethical outrages regularly
performed; having suffered and survived a genocide attempt does not convey the moral authority
to attempt it upon others. It is almost difficult to call Israeli efforts 'espionage' when they
seemingly have the tacit support of the U.S.; the on-going relationship is curious, in light of such
revelations as Israeli nuclear proliferation, aid to the Apartheid regime in South Africa, human
rights atrocities, and military operations (Lebanon, the Six Day War, the Liberty incident). The
only rationale I can fathom is that some forms of moral illness are contagious; from the Nazis, to
the Israelis, and onward.
What to do about indesp efforts, regardless of the players? I can immediately offer a number of worthwhile suggestions:
-- Treat your employees well. Either they are the company assets (as much as corporations like to say this, they don't act as if it were true), or they have the company assets in their head, or they have access to them. Humans are the first line of defense, and a happy, satisfied employee is hard to get a handle on.
-- Trust mechanisms, particularly those of security systems, are hopelessly binary; either you have no access, or once you pass a threshold, you have total access. Trust comes in shades of grey, not black and white.
-- Communication of any type needs to be carefully thought about; this isn't just "think before you speak," but "what sort of information is being shipped around." Data at rest is vulnerable to one sort of threat, but data in motion is vulnerable to many sorts. This counts from networks to the trash, as all of it has value.
-- Monitoring mechanisms, as much as they warm the heart of Big Brother and Taylerist sorts of managers, just provide a tool in-place to be used against you. They have a very low value when viewed on a risk-return basis.
-- Three words: strong, un-escrowed cryptography. It's the subject of another paper, but
cryptographic security (where all data, on a point-to-point session-to-session basis, is enciphered,
and the 'reader makes right' by deciphering at the end-point) beats access security hands down.
Finally, I'll close up on the meta-rule: security isn't superficial. If you have something worth
stealing, then do something about it. Security needs to be a continual process; the value of what
is being protected should have some impact on just how dramatic the security measures, but once
the decision is made to commit to security-as-a-lifestyle, it shouldn't be hedged on. After all, it's
a jungle out here.