Industrial espionage (IE) is defined as the illegal acquisition of secrets from business competitors. It is an enigmatic phenomenon in business practice. IE is distinguished from all legal activities of competitive intelligence and scanning of the organizational informational environment. In addition to the distinction between legal and illegal activities, industrial espionage differs from environmental scanning with respect to the focus of the activities. The latter is systematized into three methods of managerial information gathering: (1) discovery: gathering of new information, at best largely unguided by the given a priori knowledge and predispositions; (2) expansion: incorporating well-defined information needs and being, thus, more focused on particular aspects that are considered to be worth investigating in further detail; and (3) monitoring: shifting from detection to a permanent observation of relevant developments.
With respect to this scheme, IE activities fit into the category of expansion. Because the spying organization usually has prior knowledge of the rival firm, it uses IE activities to complement this prior knowledge. Therefore, IE is unlikely to reveal “new” developments in the competitive arena, as proposed by the mass media.
Several historical examples clarify the importance of the IE problem: For instance, the Russian supersonic airplane TU-144 is suspected to have been constructed on the basis of the Anglo-French Concorde project. More recently, Oracle took SAP to court because of the illegal download of internal documents. Another prominent case is the 2007 “unauthorized intrusion” into computer systems of the TJX Companies, where 45.7 million credit and debit card numbers were hacked, along with 455,000 merchandise return records containing customers’ driver’s license numbers, Military ID numbers, or Social Security numbers. Apart from the sheer number of customers affected, this case is remarkable because even after disclosing the fraud, the company was unable to stop the intrusion immediately.
Besides machinery construction and software engineering, the pharmaceutical and the chemical industries are frequently the targets of espionage attacks. The Economic Crime Survey, conducted in 2007, summarizes data from 5,400 companies located in 40 countries. More than 43 percent of these companies admitted that they had been a victim of one or more significant economic crimes during the previous two years, although not all the frauds were IE-related. According to these data, China, Russia, India, Indonesia, Brazil, Mexico, and Turkey are high-risk countries because they harbor many aggressive IE offenders. Notably, in some nations, IE activities are supported or even initiated by governmental administrations. According to the U.S. National Counterintelligence Center, a total of 109 nations were identified as having conducted IE activities in order to steal U.S. corporate intellectual property in 2005. Thus, the distinction between IE and national security activities does not hold for business practice. Proceedings, methods, and technologies are similar; only the legality differs.
Targeted Information
Secrets acquired by IE are typically divided into three data qualities: (1) customer data, particularly transactional details like prices, discounts and order volumes, credit card details, purchase histories, preferences, etc.; (2) technical data, such as formulas, manufacturing process details, etc.; and (3) strategic information, for instance plans for new product introductions, entries into foreign markets, negotiation results on alliances, cost calculations, etc.
According to these data qualities, companies face different IE threats. With respect to strategic information, internal threats arising from negligent employees and related business partners are critical. For instance, employees frequently pass on information about their company to Wikipedia or publish their daily work in Web blogs. The Chronology of Data Breaches provided by the Privacy Rights Clearinghouse is peppered with entries of lost laptops, backup tapes, and external hard disks. Exploiting this weakness is common practice in IE. Additionally, former or malicious employees are frequently willing to provide the desired information to rival companies.
In order to support private organizations in protecting their data in the United States, the Economic Espionage Act (EEA) was passed in 1996. Under this act, trade secrets are broadly defined as tangible or intangible information that is subject to reasonable measures to preserve its confidentiality and derives independent economic value from not being generally known to or ascertainable by the public. Measures to protect strategic information include the following:
- Establishing and enforcing clear policies about the handling of confidential information.
- Systematically informing employees and all business partners regarding the proprietary information.
- Requiring employees and all business partners to sign confidentiality and nondisclosure agreements.
- Limiting physical and virtual access to storage of trade secrets.
- Restricting the number of copies of critical data sets (e.g., documents or calculation schemes) and numbering these copies.
- Using encryption algorithms for the protection of digital data.
Technical data are frequently obtained by tapping e-mail correspondence or voice phone exchanges, or by taking photos of production or engineering facilities. Built-in cameras of cellular phones enable almost anybody with physical access to critical areas or documents to take photos and transmit them immediately worldwide. Customer transaction data can be obtained by infiltrating spyware into the digital information processing systems of an organization. Such code is transmitted via e-mail, gadgets from the Web, or digital advertisements.
Various approaches have been used to profile typical internal spies. This is indeed a challenge as the phenomenon is embedded in the organizational context of a company and its complexities. Furthermore, the fact that the interest in secrets comes from competing or partnering organizations adds to the complexity. Consequently, the phenomenon is not captured by simple descriptive or linear statistical methods. A researcher group from Carnegie Mellon University conducted extensive simulations using a dynamic mathematical model specification. With respect to IE, the following results were obtained:
- Stressful events and organizational sanctions increase the likelihood of espionage.
- Espionage is often “pre-announced” by the spies’ behavior.
- Technical actions by insiders hint at malicious acts, such as IE.
- Companies frequently ignore fraud or fail to detect rule violations.
- A lack of access controls facilitates IE.
- Spies have common personal predispositions, particularly in the taking of risks.
The latter result is in line with an empirical investigation of incidents in German companies, which revealed that the typical spy in Germany is male (87 percent), between 30 and 50 years of age (70 percent), with six or more years working within or affiliated with the organization.
Industrial Spies
Beyond these quantitative results on internal spies, two prototypes of external spies are characterized in the literature: the social engineer and the high-tech digital thief. Basically, the social engineer takes advantage of employees’ ingenuousness through telephone calls. In feigned telephone calls, he pretends to be a supplier, a customer, or a service technician and asks for details on his subject of investigation. Using telephone calls is merely a historical part of this description. Nowadays, smokers’ gatherings outside office buildings, after-work happy hours, etc., provide external spies with a variety of opportunities to establish contacts with insiders. The art of this type of external IE lies in establishing an intimate interaction that will not trigger formal identity checks. The attacker first establishes small talk and then distracts the victims with technical jargon and irrelevant details. To make matters worse, employees are frequently less concerned about access to draft documents, which contain the same information as the final documents, or they put a large set of carbon-copy recipients on their e-mails. As a consequence, additional employees become valuable victims of this type of attack.
An impersonal extension of this IE strategy is sending phishing (short for password fishing) e-mails in order to obtain user names, passwords, PINs, etc. The pattern is similar to the feigned telephone calls, but because of the increasing number of phishing attacks in the individual’s private life (mostly targeting bank account details and transaction data), an increasing number of employees are aware of the danger, and as a result, this type of IE is about to lose its impact. The term pharming refers to the manipulation of the Domain Name System retrieval of Web browsers (DNS spoofing). An employee will not recognize that he or she is passing data not to the organization’s information system, but to a different system. Even the Transport Layer Security protocol or the widespread Secure Sockets Layer give the impression of safe data transfer, but offer no confidentiality protection against pharming.
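An added example, not part of the original essay: a defender-side check for the pharming scenario described above, comparing the addresses that workstations receive for internal hostnames against the networks the organization actually uses. The hostnames, the pin list, and the resolver observations are all constructed for illustration.

```python
import ipaddress

# Hypothetical pin list: hostname -> networks the organization actually uses.
EXPECTED_NETWORKS = {
    "portal.corp.example": ["192.0.2.0/24", "2001:db8:10::/48"],
    "mail.corp.example": ["198.51.100.16/28"],
}

# Constructed resolver observations (client, hostname, answer); not real data.
SAMPLE_ANSWERS = [
    ("ws-017", "portal.corp.example", "192.0.2.40"),
    ("ws-017", "mail.corp.example", "198.51.100.20"),
    ("ws-233", "portal.corp.example", "203.0.113.77"),  # outside the pinned range
    ("ws-233", "PORTAL.corp.example.", "2001:db8:10::5"),
    ("ws-101", "wiki.corp.example", "192.0.2.9"),        # no pin recorded
    ("ws-101", "mail.corp.example", "not-an-ip"),
]


def normalize(hostname):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return hostname.rstrip(".").lower()


def classify(hostname, answer, pins=EXPECTED_NETWORKS):
    """Return 'ok', 'mismatch', 'unpinned' or 'invalid' for one DNS answer."""
    networks = pins.get(normalize(hostname))
    if networks is None:
        return "unpinned"
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:
        return "invalid"
    for cidr in networks:
        net = ipaddress.ip_network(cidr)
        # Compare IP versions first: an IPv4 answer cannot match an IPv6 pin.
        if addr.version == net.version and addr in net:
            return "ok"
    return "mismatch"


def suspicious(answers, pins=EXPECTED_NETWORKS):
    """List (client, hostname, answer, verdict) for every answer that is not 'ok'."""
    findings = []
    for client, hostname, answer in answers:
        verdict = classify(hostname, answer, pins)
        if verdict != "ok":
            findings.append((client, normalize(hostname), answer, verdict))
    return findings


if __name__ == "__main__":
    for finding in suspicious(SAMPLE_ANSWERS):
        print(finding)
```

A "mismatch" verdict means the workstation was directed to a system outside the organization's own address space, which is the situation the employee cannot recognize from the browser alone.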
The high-tech spy does not aim to establish a pretended trustful interaction with employees, but attacks the information processing systems of the target organization. A sophisticated variant is called Van Eck phreaking, which enables eavesdropping on computer monitors up to 100 meters away. Conventional Yagi antennas have been found to provide a good recording of the amplitudes broadcast by monitors, if the broadcasting frequencies are within a narrow range. Otherwise, special broadband antennas are needed, which might disclose the spy attack. The contents displayed on cathode-ray-tube computer monitors are clearly readable at longer distances or in neighboring buildings. Flat-panel displays can pose an even larger emission security risk than cathode-ray-tube monitors. The eavesdropping is simplified by low illumination of the environment or under office-light conditions by direct line of sight. Office partition walls or windows do not hamper the recording of the electromagnetic signals.
The increasing spread of LAN networks, wireless phones, and Bluetooth connections in office life provides the spies with additional entries into organizations’ information processing systems. Noticeably, many music publishers and movie producers add rootkits to their digital products, even in cases where the products are bought legally. These become effective with the next boot of the system and enable control over the system, including the readout of data. Thus, companies should not allow any entertainment applications in their information processing infrastructure, including laptops, palms, and cellular phones. However, in addition to all these digital attacks on companies’ information systems, there are conventional attacks. In particular, “dumpster diving” is still common practice. For instance, Unilever’s hair-care business unit fell victim to dumpster diving by Procter & Gamble in 2001. The spies gathered piles of unshredded documents revealing Unilever’s plans for this segment.
Using Stolen Information
Another critical question is the alignment of information gathered in espionage with the company’s strategy. As outlined previously, espionage actions usually occur in the expansion mode. Here, the spying organization already has solid knowledge of the topic of interest. The use of this additional information in business strategy development can be systematized by Michael E. Porter’s five forces framework.
- Potential entrants: This is the domain of IE that gains the most attention from the mass media, if the IE is uncovered and the offender is taken to court. Actually, the amount of loss caused by these activities is difficult to quantify, because the information by itself would have become public in the course of time anyway. This argument holds for the reverse case of declining markets as well.
- Customers: With respect to the customers, three qualities of information have to be separated. First, the transactional details (credit card numbers, etc.), the disclosure of which damages the reputation of the companies as well as the relationship commitment of the affected customers. Specialized metrics have been developed to quantify both. Second, the fact that a customer buys products and services from a particular company and what prices a customer pays. This weakens the position for future negotiations because the offender is likely to offer a better deal to the customer. Third, knowledge about customers’ preferences, perceptions, etc. Here, two scenarios are relevant: The knowledge might be obtainable in market research activities. Then, the damage equals the price of such market research activities. In the other scenario, the stolen information is unique. In this case, the total change of operational profits has to be taken into account.
- Substitute products and services: Here, the stealing of chemical formulas or details of the production process and information frauds that support product plagiarism becomes relevant. In addition to the loss in sales, the decrease of quality perception, and exclusivity of products, all efforts of product development have to be taken into account to quantify the damage.
- Suppliers: If information on suppliers is disclosed, the offender might try to bulkhead the organization from indispensable deliveries, or try to take advantage of the suppliers’ innovativeness. Moreover, if the supplier is the offender, he might strengthen his position in further negotiations.
- Industry competitors: Here, the intended actions and reaction plans on competitive threats are relevant. If these are known to the competitors, it might be easy to outsmart the victim in the competitive arena. However, game-theoretic results suggest that this intuitive idea does not generally hold. On the other hand, plans obtained by IE activities are likely to be taken as fact in their strategy development. Consequently, the offender is not coequal in his strategy development. Linking these game-theoretic results with empirical evidence by econometric model-fitting to overcome the limitations of anecdotal evidence is the focus of the New Empirical Industrial Organization, but in this field, much research is pending. Thus, quantification of IE damage in this domain is doubtful.
The latter point foreshadows the power of counterintelligence activities. These are all means of preventing IE actions against one’s own company and all measures of feeding fake data into the offender’s business intelligence systems. Since a high credibility is likely to be assigned to these data, an identified but not disclosed IE attack can be used to remotely control both the offender’s tactical maneuvers and the offender’s strategic planning. However, this procedure puts the victim on the same level of unethical behavior as the offending organization.
Bibliography:
- R. Band et al., Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis, Technical Report, Software Engineering Institute (Carnegie Mellon University, 2006);
- Crane, “In the Company of Spies: When Competitive Intelligence Gathering Becomes Industrial Espionage,” Business Horizons (2005);
- Decker, R. Wagner, and S. Scholz, “An Internet-Based Approach to Environmental Scanning in Marketing Planning,” Marketing Intelligence and Planning (2005);
- Jurg Gerber and Eric L. Jensen, Encyclopedia of White-Collar Crime (Greenwood Press, 2007);
- International Business Risk Consulting, Wirtschaftskriminalität durch Informationsabflüsse (2005);
- Jaquith, Security Metrics: Replacing Fear, Uncertainty, and Doubt (Addison-Wesley, 2007);
- Andrew Jones, “Industrial Espionage in a Hi-Tech World,” Computer Fraud and Security (v.2008/1, 2008);
- Kadiyali, K. Sudhir, and V. R. Rao, “Structural Analysis of Competitive Behavior: New Empirical Industrial Organization Methods in Marketing,” International Journal of Research in Marketing (2001);
- G. Kuhn, “Compromising Emanations: Eavesdropping Risks of Computer Displays,” Technical Report UCAMCL-TR-577, University of Cambridge (2003);
- M. E. Porter, Competitive Strategy (Free Press, 1980);
- Privacy Rights Clearinghouse, “A Chronology of Data Breaches” (2008);
- Rothke, “Corporate Espionage and What Can Be Done to Prevent It,” Information Systems Security (2001);
- W. Rustmann, “CIA, INC.: Espionage and the Craft of Business Intelligence” (Potomac Books, 2002);
- C. Samli and L. Jacobs, “Counteracting Global Industrial Espionage: A Damage Control Strategy,” Business and Society Review (2003);
- W. Scholz and R. Wagner, “Autonomous Environmental Scanning in the World Wide Web,” in IT-enabled Strategic Management: Increasing Returns for the Organization, B. A. Walters and Z. Tang, eds. (Idea Publishing, 2006);
- U.S. National Counterintelligence Center, Annual Report to Congress on Foreign Economic Collection and Industrial Espionage (2005);
- Winkler, Corporate Espionage: What It Is, Why It Is Happening in Your Company, What You Must Do About It (Prima Lifestyles, 1997).