The Enemy Without

Your competition may be redefining the 'e' in espionage: the theft of proprietary information, long conducted through the turning of employees, is increasingly performed via hacking. Last year, a software company providing highly technical analysis software to the petrochemical industry sought assistance from global security firm JC Pole & Associates. The client was concerned a departing developer might attempt to steal software source code to take to his new employer, who happened to be a direct competitor.

An examination of available records and materials showed the individual had sent himself several very large e-mail messages the week before he gave notice. However, since the client wasn't storing copies of the actual messages, only their statistics, JC Pole couldn't take the matter further. Then, three months after the software developer took up his new position, that competitor released a version of its analysis software containing several features suspiciously similar to new features incorporated in the client's latest software version.

JC Pole immediately stepped in.

"Acting as an agent of another petrochemical company - who is also one of our clients - we obtained an evaluation copy of the newest software from the competitor," says principal consultant Jamie C Pole.

"Unfortunately, that evaluation came with a restriction on reverse-engineering, so we were not able to reverse-engineer the code to make a comparison," Pole says. "Rather, we got around the restriction by going back to the competitor and telling them that our internal IT security people would not let us purchase the software until they had reviewed the source code. Smelling a potential sale, the competitor quickly complied and provided very complete source code for the product.

"It took only five minutes of examination to discover that large sections of the competitor's source code exactly matched the source code that formed our client's most recent release," says Pole. "What sealed the developer's fate was the fact that there were actually original comments in the source code that bore the name of our client and its principal developers."

The developer's new employer subsequently dismissed him and paid out a cash settlement to avoid the threatened lawsuit.

Cybercrime is on the rise, and more of the threat to your company's operations than you realise may come from your competitors, as much as from your own employees. Examples abound. Consider just two.

In February 1999, citing federal wiretap law, a Pennsylvania district judge ordered Sladekutter, a Web-design firm, to stop hacking into the computer systems of its competitor, Labwerks. "This is corporate espionage by a competitor aimed at putting us out of business," said Labwerks' John Kuntz.

In September 1998, PeopleSoft sued Harris Group LLC, a Chicago recruiting firm, for unfair competition and misappropriation of trade secrets, accusing the start-up of using secret data about PeopleSoft employees' salaries and skills to try to hire them.

It's what Computer Security Institute editorial director Richard Power calls "the corporate world's dirty little secret war". Cyberattacks and other information security breaches are on the rise, says Power in his book Tangled Web: Tales of Digital Crime from the Shadows of Cyberspace. That includes spying attacks from competitors. These days, he says, only "Pollyannas" still hold to the notion that the bulk of security threats lie within an organisation's walls.

Power claims corporate espionage is increasing in step with the pervasiveness of the Internet. He backs the claim by saying the most recent CSI/FBI survey of US organisations shows the number of respondents reporting their Internet connections as frequent points of attack has increased every year, rising from 37 per cent in 1996 to 59 per cent in 2000. Meanwhile, the number of respondents citing their internal systems as frequent points of attack actually fell from 51 per cent in 1999 to 38 per cent in 2000. CSI/FBI's 2001 study found 85 per cent of respondents had detected security breaches in the past 12 months, with almost two-thirds incurring financial loss as a result.

"The conventional wisdom about 80 per cent of perpetrators being inside and 20 per cent being outside is simply no longer supported by the data," Power says. "It isn't that the threat from inside has decreased; it is simply that the threat from the outside has risen dramatically because of the rise of the Internet as a means of business communication."

In fact, as well as looking to employees for trouble, between 44 and 55 per cent of respondents now see their US-based corporate competitors as a likely source of attack, Power says, and between 20 and 30 per cent see their foreign competitors and foreign governments the same way. The main reason the figures aren't higher, he claims, is a habit of official denial, or off-the-record confirmation, among victims and potential victims alike.

Worse, the cost of industrial espionage is, he says, on the rise.

"The number of CSI/FBI Computer Crime and Security Survey respondents that reported theft of proprietary information hasn't increased significantly over the years," Power writes. "Nor has the number of those willing or able to quantify their losses. But the total financial losses reported by the handful that could quantify them has risen every year."

Others have confirmed his findings. A 1999 study by the American Society for Industrial Security (ASIS) in collaboration with PricewaterhouseCoopers found Fortune 1000 companies sustained losses of more than $US45 billion from thefts of their proprietary information that year. Forty-four of the 97 companies that responded reported a total of more than 1000 incidents of theft, with 579 of those valued at a total estimated loss of almost $US1 billion.

"Security experts agree that 'netspionage' or computer-based espionage, is the most pressing risk for companies," wrote Rachel Emma Silverman in the Wall Street Journal in January 1999. Silverman quoted William Boni, Los Angeles-based director of corporate investigations at PricewaterhouseCoopers, as saying about 80 per cent of trade secrets were stored in digital form. "Hackers are especially dangerous because they can copy data without leaving a trace that they broke into a computer," he told Silverman. She also quoted Alan Brill, senior managing director of Kroll-O'Gara, a New York-based corporate investigation firm, as saying: "You could have all your documents stolen and never know it."

That is part of the trouble. Cyberspies are smart, and getting smarter. An organisation might suffer untold competitive damage and never know how the competitor got its hands on the organisation's most valuable information.

"There are a few undisputed facts about computer security compromises," says Andrew Tune, general manager security services with eSec. "The first of those facts is a proportion of computer security compromises go completely undetected. I say proportion because, since they are undetected, no one can count them. No one knows whether the proportion of them that are undetected represent one in two, one in 10, two out of three - no one knows.

"The second thing is, of those which are actually detected there is only a very small proportion that are actually reported. Attacks that are reported probably constitute somewhere between one in 10 and one in four. The reason is that most people a) don't want to publicise the fact that they've been compromised, and b) in many cases even if they're willing to publicise it, they don't know who to tell.

"Of those that are reported, most are not investigated and of those that are, most aren't investigated to the point where you can tell who was responsible. So if you go through the numbers, you figure out somewhere between say 1 and 5 per cent of attacks we actually know something about in terms of forensic data," Tune says.

Stories by Sue Bushell