February 29, 2008
After several employees of the Oak Ridge National Laboratory acknowledged falling prey to nefarious emails that sought to infect their computers and steal corporate information, they were then told it was part of a broader espionage scheme. The government research organization said that it had been one aspect of a "sophisticated cyber attack" to gain access to several national laboratories and institutions.
No business is immune. While most of the attention is on beefing up information technology units to deal with cyber threats, many smaller-to-mid-sized companies are losing ground to criminals using ordinary techniques. Indeed, industrial espionage can range from stealing intellectual property to trade secrets to marketing materials -- all of which could be obtained by combing through unprotected documents.
Corporate espionage is big business. According to the FBI, such theft costs all U.S. companies between $24 billion and $100 billion annually. Interestingly, only about 20 percent of those losses are tied to cyber threats while the majority of them are associated with low-tech schemes such as unlawfully entering open offices.
"Economic espionage will be increasingly common as nation-states use cyber theft of data to gain economic advantage in multinational deals," says the SANS Institute, an information security firm. "The attack of choice involves targeted spear phishing with attachments, using well-researched social engineering methods to make the victim believe that an attachment comes from a trusted source."
Some well-publicized espionage cases have made the news in recent times and include everything from impersonating reporters and board members to burrowing through tossed trash. In the case of the former, Hewlett Packard had hired investigators to obtain phone records of journalists so that it could find out the source of leaks occurring inside its boardroom. The company just settled claims by agreeing to donate to several charities. Meanwhile, the latter method involved a Canadian drug maker named Biovail Corp., which was taking the trash of a former pharmaceutical analyst for Bank of America.
And in the utility-related world, Germany's SAP has admitted to "inappropriate downloads" from its chief competitor, Oracle, which calls the matter "corporate theft on a grade scale." Meantime, thieves just hit Brazil's state-run oil enterprise known as Petrobras when they stole four notebooks and two hard drives. The computers had confidential information about new and massive oil discoveries in Brazil's Santos Basin.
"A company should conduct a risk assessment to identify vulnerabilities, and the probability that someone will exploit those vulnerabilities and obtain sensitive information," says the SANS Institute, in a white paper.
Illegally Revealed
If private data are illegally revealed, businesses can request criminal investigations that are guaranteed by the Economic Espionage Act of 1996. That law doesn't just shield classified information. It also protects corporate information and gives prosecutors broad discretion to file cases. Before it would get to that point, though, the U.S. Department of Justice advises companies to defend themselves by using encrypted safety codes and legitimate monitoring techniques.
Ira Winkler, global security strategist at CSC Consulting, spoke to Computerworld's Premier 100 Information Technology Conference and said that criminals often have more success through "social engineering" as opposed to computer engineering. Computerworld cites the example whereby Winkler persuaded a guard to admit him into a protected area by saying he lost his badge and presenting, instead, a business card he had picked up. He went on to find several voids in security that included unlocked doors, all of which Winkler says potentially compromised nuclear reactor designs.
"Spies are interested in information, not just computers," he said in the Computerworld story. "You can protect a computer perfectly, but if someone throws out a classified printout, you are out of luck."
Utilities are vulnerable. Not only do they have enemies such as angry former employees, customers and landowners, but they are increasingly using automated technologies that put them in possession of bank account data or credit card numbers. Companies and hackers are always trying to outsmart one another, although about 30 states have tried to mitigate the harmful effect of unlawfully selling confidential information by requiring companies that have been breached to warn the affected communities.
According to a study by the American Society for Industrial Security and consulting firm PricewaterhouseCoopers, proprietary information stolen at Fortune 1000 companies has steadily increased from $24 billion a year in 1995 to at least double that now. Meantime, Fortune 2000 companies experience theft 2 or 3 times a year, other experts say, adding billions more in losses.
Oftentimes, they are unaware. In the case of utilities, the total interconnectivity of networks through the internet has given hackers new ways to get vital information. That's why the North American Electric Reliability Corporation has developed standards for utilities when it comes to protection of their information systems. Indeed, power grids are susceptible to not just worms and viruses that can disrupt business but also to large-scale onslaughts intent on shutting down systems completely.
Beyond cyber threats, companies must keep classified information restricted while requiring employees to sign agreements prohibiting the unlawful use of company trade secrets. Those secrets may include anything that a company knows that is unknown in the marketplace, which gives it an uncommon competitive advantage. "Companies must identify what information is sensitive and classify it as such," says the SANS Institute, adding that some information such as research and development is more conspicuous than things like pricing data and customer lists.
Companies must constantly be on guard and protect their most valuable assets. While criminals are now employing sophisticated tools to steal company secrets they are also still using their street smarts. They are succeeding. But so, too, are the companies and the federal laws set up to safeguard American commerce.
More information is available from Energy Central:
Respond to the editor.
Ken Silverstein EnergyBiz Insider Editor-in-Chief
Read Ken's Blog
