When a reporter asked why he robbed banks, the notorious robber Willie Sutton supposedly retorted, "because that's where the money is." Sutton later denied having made this remark. But regardless of whether anyone actually said it, the quote highlights a fundamental truth of crime: criminals select targets that have the item(s) they wish to steal.
This same principle also holds true for corporate espionage. Your company's secrets are a target wherever they reside, including (and perhaps especially) in locations assumed to be less at-risk. Because of this, it's important to understand that espionage is a truly global and multifaceted threat, requiring security programs equally robust in nature and scope to protect sensitive information from malicious actors.
Corporate espionage remains a persistent and widespread threat to critical proprietary information — and the financial future — of many global businesses. This threat not only emanates from state actors, such as China and Russia, but from corporate competitors as well.
The Trap of Tunnel Vision
Many, if not most, security departments assess the corporate espionage threat based either on the country where a facility that holds critical information is located or on where an employee who carries a device holding such information is traveling. Because of this, U.S. or European companies often treat the espionage threat to a facility in a "safer" country, such as Japan, differently than they do a similar facility in a country deemed "higher risk," such as China. Likewise, employees traveling to Russia are often given much more robust guidelines and restrictions than those traveling to the United Kingdom.
This segmentation of espionage threats is not unique to private business. During my time at the U.S. State Department, I noticed that foreign service officers assigned to "critical" intelligence threat posts, such as Moscow or Beijing, were given much different counterintelligence briefings than those assigned to "low" intelligence threat posts, such as Ottawa or Santiago.
Of course, this skewed focus is not lost on hostile intelligence agencies. During the Cold War, a good number of CIA case officers and KGB rezidents enjoyed great success in recruiting agents in third countries where the intelligence threat was deemed lower and where the oversight of employees was, in turn, more relaxed. Such targeting continues today, because in the end, it doesn't matter where the cryptographic key to break classified communications was obtained. What matters is if it still gets the job done.
Assessing the Global Threat
This brings us back to assessing the corporate espionage threat. At Stratfor, we use a three-pronged test that examines the interest, intent and capability of a particular state or non-state actor. If we determine that a company's proprietary information is of interest to a hostile actor, we then examine that actor's specific capabilities and intent to steal that information to gauge the threat posed to the company's information.
Some actors are limited in their capabilities, in terms of both their geographic reach and the tactics and techniques that they can employ. But since countries with advanced capabilities have been known to sell intelligence, or trade intelligence and tools for other goods and services, high levels of interest and intent can translate into a heightened threat even when the capability of the primary actor is lacking. Criminals or mercenaries can also serve to increase an actor's capability.
There are a number of cases that highlight the increasingly international nature of the corporate espionage threat, as well as the variety of tools that can be used. Perhaps the most "global" technique is hacking, which enables an actor to attack a company on the other side of the world through SQL injection, a phishing email or some other cyber tool. For the perpetrator, hacking attacks are relatively risk-free and also allow for some degree of plausible deniability, which can be enhanced by the use of cyber mercenaries or other intermediaries to further insulate the actor.
However, in many cases, actors cannot easily obtain what they're looking for through hacking alone. It could be because the victim's cyber defenses are robust, or that the information is not in electronic form. This forces actors to then resort to using other tools to obtain their desired data, such as recruiting a human source who works at the targeted company, or placing an agent into the company to serve as a mole — both of which can pose a global threat, too.
The U.S.-based American Superconductor Corporation (AMSC) learned this risk the hard way when a Serbian engineer who worked at a wholly owned subsidiary in Austria provided AMSC's source code to Sinovel, the company's largest customer at the time. AMSC knew its source code was highly desired and took great measures to protect it, including using robust encryption in all its motherboards. But a sophisticated global actor was nonetheless able to spot and exploit a weakness in the company's security program: it recruited a disgruntled employee in a European country assumed to be "safe" while AMSC focused its time and attention on threats elsewhere.
In a similar case, an engineer working for GE Aviation in Ohio was recruited remotely by a Chinese Ministry of State Security (MSS) Officer based on his LinkedIn profile, which indicated he had access to sought-after information. Corporate security protocols would not permit the employee to take his company-issued laptop computer on a trip to China, so the MSS officer arranged to meet him in Brussels — a location where the engineer could travel with his laptop, and where the officer could then copy the contents of his hard drive.
A "black bag job," or breaking into a targeted company to obtain desired information, is another intelligence approach we've seen hostile actors use when other means fail. This was the case in a 2017 incident involving the U.S.-based medical equipment manufacturer Medrobotics, when the CEO discovered that a Chinese operative had sneaked into a conference room at the company's headquarters in Massachusetts. The intruder, who had entered the United States by crossing the Canadian border, attempted to infiltrate Medrobotics' computer network via the company's wireless LAN.
A group of officers from Russia's Main Intelligence Directorate (known by its Russian acronym GRU) were also conducting this type of black bag job when they attempted to hack into the wireless data network of the Organization for the Prohibition of Chemical Weapons in The Hague in 2018. Information obtained from the laptop later recovered from their vehicle revealed that members of the GRU team had used the same equipment in a similar close-access attack against the World Anti-Doping Agency in Lausanne, Switzerland, among other targets.
How to Protect Your Company
These are just a handful of many cases that illustrate how sophisticated actors can use a variety of tactics in a variety of locations to conduct corporate espionage — making the threat to corporate security truly global. To protect against such pervasive security risks, there are several key steps companies can take:
1. Prioritize critical information.
The first step is identifying what information is truly critical to your business and must be closely protected, what I refer to as your "special sauce." It is very difficult, not to mention daunting, to attempt to carefully guard every piece of company data. But when only the most crucial information is prioritized, whether it be a manufacturing technique or product design, protecting it becomes a much easier task.
2. Consistently vet employees.
The next step is to thoroughly vet any employees who do or could have access to that truly critical information. While vetting can be difficult at best (and can even be contentious in some corporate cultures), it still must be done to the best of the company's ability to help protect against moles and employees who could be vulnerable to recruitment. Many companies, including some of those in the aforementioned cases, have been burned by insiders who could have been identified far earlier had they been properly vetted. Vetting should also be done periodically, not just upon hire, because people and their circumstances change — making them more susceptible to recruitment by hostile actors.
3. Limit access to key data.
Once those employees with a legitimate need to access critical data have been identified and vetted, it is also important to carefully limit how and where they can access that data. A pair of recent espionage cases involving Apple's autonomous vehicle program illustrate how corporate spies will adapt to security measures.
In 2018, an engineer downloaded 20 gigabytes of technical specifications and other proprietary data from a restricted Apple database onto a thumb drive and attempted to take it to a Chinese competitor — prompting Apple to limit access to external ports on corporate computer systems. Then several months later, another employee linked to the same competitor was caught taking photos of sensitive documents on his computer screen with his phone to evade the new restriction. Thus, as espionage strategies evolve, so must security policy — and security measures should also attempt to anticipate such changes.
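The Apple case above describes two signals a data store can actually observe: a single user pulling far more from a restricted repository than their own recent history, and a large write to removable media on the same day. The following Python is an added example written for this article, not code from the original page or from Apple, and it makes no claim about how Apple's controls work. The log format (date, user, event, resource, bytes), the sample lines and the 5x-of-median threshold are all constructed assumptions; a real deployment would read the same fields from database audit logs and endpoint agent telemetry.

```python
"""Flag bulk downloads from a restricted store and correlate them with
removable-media writes. Added example; log format and thresholds are assumptions."""
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Constructed sample audit lines (not real data): date,user,event,resource,bytes.
# "jdoe" pulls ~100 MB/day for three days, then 20 GB and writes it to a USB drive.
# "asmith" has a steady, legitimately high volume and should not be flagged.
SAMPLE_LOG = """\
2018-04-02,jdoe,download,restricted/specs,120000000
2018-04-03,jdoe,download,restricted/specs,95000000
2018-04-04,jdoe,download,restricted/specs,110000000
2018-04-05,jdoe,download,restricted/specs,20000000000
2018-04-05,jdoe,usb_write,/media/usb0,20000000000
2018-04-02,asmith,download,restricted/specs,300000000
2018-04-05,asmith,download,restricted/specs,280000000
"""


@dataclass(frozen=True)
class Event:
    day: date
    user: str
    kind: str      # "download" or "usb_write" in this assumed schema
    resource: str
    nbytes: int


def parse_log(text):
    """Parse the assumed CSV schema into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        d, user, kind, resource, nbytes = line.split(",")
        events.append(Event(date.fromisoformat(d), user, kind, resource, int(nbytes)))
    return events


def daily_totals(events):
    """Sum download bytes per user per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e.kind == "download":
            totals[e.user][e.day] += e.nbytes
    return totals


def bulk_download_alerts(events, factor=5.0, min_history_days=2):
    """Flag any day whose download volume exceeds `factor` times the user's
    median daily volume over the preceding days. The per-user baseline means a
    consistently heavy but legitimate user is not flagged, while a sudden spike is.
    Returns (user, day, bytes_today, baseline) tuples."""
    alerts = []
    for user, per_day in daily_totals(events).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history_days:
                continue  # not enough history to judge; a real system would fall back to a global baseline
            baseline = statistics.median(history)
            if per_day[day] > factor * baseline:
                alerts.append((user, day, per_day[day], baseline))
    return alerts


def removable_media_alerts(events):
    """Every removable-media write is worth a record; return (user, day, bytes)."""
    return [(e.user, e.day, e.nbytes) for e in events if e.kind == "usb_write"]


def correlated_exfil(events, **kw):
    """Bulk-download days on which the same user also wrote to removable media:
    the pattern described in the first Apple case."""
    usb_days = {(u, d) for u, d, _ in removable_media_alerts(events)}
    return [a for a in bulk_download_alerts(events, **kw) if (a[0], a[1]) in usb_days]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, day, today, baseline in correlated_exfil(evs):
        print(f"{day} {user}: {today} bytes downloaded vs median {baseline}, plus removable-media write")
```

Two caveats follow directly from the article. First, the rule only fires on the same channel the attacker used the first time; once external ports are blocked, the second employee's phone camera produces no download spike and no USB event, so this logic is blind to it, which is exactly why the text says policy must anticipate the next adaptation rather than react to the last one. Second, the baseline is per user, so an insider who ramps up slowly over weeks can stay under a fixed multiple; pairing it with an absolute cap on daily volume from the restricted store closes that gap.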
4. Stay aware of the global threat.
Finally, it is crucial to recognize and remember that the corporate espionage threat is truly global when sophisticated actors are involved. This means that measures to protect your company's critical proprietary information must be taken wherever that information resides. It also means that corporate security training programs can't just focus on employees who work in or travel to places deemed "high threat." In other words, data stored on a corporate laptop in Canada should be treated as equally vulnerable as data stored on a computer in China. It's also important not to develop tunnel vision that focuses only on one or two threat actors. While China and Russia are perhaps the most active industrial espionage actors, the risk is by no means restricted to them.
Of course, such a global approach is difficult to accomplish unless there is C-suite level buy-in. Therefore, security directors must educate company leadership about the threat corporate espionage poses to their business. That way, they can implement a global program to ensure there is no low-hanging fruit a hostile actor can easily pluck.