Eavesdropping Detection Audits
FOR BUSINESS & GOVERNMENT
• executive suites
• boardrooms
• trading floors
• conference rooms
• vehicles and aircraft
• corporate apartments
• executive home offices
• off-site business meetings
• WLAN security & compliance

"Espionage is a foreseeable risk."


Home

Audits
Introduction (start here)
FAQs Estimate Worksheet
Contact us

Background
QualificationsPeople
InstrumentationHistory
InnovationsPolicy
Comparison Chart
Client Testimonials

Eavesdropping News
Kevin's Security Scrapbook
(free email subscription)

Advice
100+ Spybuster Tips
250+ Books and Movies
Ask your questions

Interesting Extras
MoviesCartoons
Eavesdropping History
Client SouvenirsArtwork
Subcontracting


Advanced Search
Translate this page automatically

Spybusters, LLC dba
Murray Associates
PO Box 668
Oldwick, NJ 08858 (USA)
+1-908-832-7900

U.S. TSCM Services FlagEavesdropping Detection Services
are available directly throughout the Americas.


European Union TSCM Debugging FlagEuropean Union Eavesdropping Detection Services
are conducted in association with Security Counsellor Group.


United Kingdom TSCM Debugging FlagUnited Kingdom Eavesdropping Detection Services
are conducted in association with Whiterock.

Services available in selected other countries via our network of local associates.

Inquiries about Eavesdropping Detection and Counterespionage Consulting services are invited from corporate, government and professional entities.

Murray Associates is classified by US Government regulations for Federal procurement purposes as a Small- Business Professional Consulting Firm.


Certified Protection Professional Banner CPP - www.asisonline.org


International Association of Professional Security Consultants Banner - www.IAPSC.org

Certified Fraud Examiner CFE - www.cfenet.com
American Society for Industrial Security ASIS
Board Certified Forensic Examiner BCFE - www.acfei.com
High Technology Crime Investigation Association

Digimarc Graphics Copyright Banner - www.digimarc.com

Use of this site indicates acceptance of Terms of Use, Linking, M2k, Site Map and Privacy Statements.

©1996-2008, Kevin D. Murray (080407)

 



A STUDY OF  SECURITY COUNTERMEASURES TO REDUCE ECONOMIC ESPIONAGE 
IN THE UNITED STATES 
FROM 1975 TO 1996


by Glenn Moule
gm_moule@prodigy.net

SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF BACHELOR OF SCIENCE IN CRIMINAL JUSTICE / LOSS CONTROL AT LAKE SUPERIOR STATE UNIVERSITY, SAULT STE. MARIE, MICHIGAN

December 9, 1996
 

Electronically formatted and distributed with permission by:
Murray Associates


(printer friendly version)

ABSTRACT

Economic espionage poses a serious threat to the United States business community. Any type of business or industry that deals with proprietary information is a potential target for economic espionage. The loss of proprietary information can seriously damage a corporation, possibly even force it into bankruptcy.

Competition in the business world is now global. This global competition results in both foreign and domestic threats of economic espionage against the United States. Due to this intense competition, an increasing number of companies are turning to economic espionage to give themselves an advantage in the business community. The constant development of technology has resulted in competitors using sophisticated methods of espionage in order to gather sensitive information. These advanced methods of espionage, coupled with the amount of competition, has resulted in an effort for companies to protect themselves against the threat of economic espionage.

Many corporations have now developed security programs that are devoted exclusively to protecting proprietary information. These security countermeasures incorporate a wide variety of protection techniques due to the number of espionage techniques that exist. Corporations are very dependent on the knowledge of changing technology. Corporations must be aware of any advancements in technology in order to ensure that their countermeasures are on the same level as the espionage techniques of the competition.

TABLE OF CONTENTS

CHAPTERS / Page

I. INTRODUCTION AND STATEMENT OF THE PROBLEM

Introduction 4

Statement of the Problem 5

Purpose of the Study 6

Hypothesis 6

Delimitations 6

Methodology 6

Assumptions 7

Justification of the Study 7

Definition of Terms 7

II. REVIEW OF RELATED LITERATURE

Brief History of Economic Espionage 9

Current Trends in Economic Espionage 9

Reasons for Economic Espionage 10

Actors 10

Target Areas 11

Frequency 11

Impact 11

Methods of Espionage 12

Electronic Eavesdropping and Surveillance 14

Security Countermeasures and Counterintelligence 15

Garbage Security 16

Visitor Security 17

Computer Security 17

Detection and Prevention of an Insider 17

Securing Meeting Areas 18

Cloaking Operations 18

Operations Security 18

Surveillance and Eavesdropping Detection 19

III. ANALYSIS OF DATA

Rationale for Implementing Countermeasures 21

Companies That Might Use Security Countermeasures 21

Guidelines for Effective Security Countermeasures 22

Advantages of Security Countermeasures 23

Disadvantages of Security Countermeasures 23

IV. SUMMARY OF MAJOR FINDINGS

Economic Espionage 24

Target Industries 24

Impact 24

Methods of Espionage 25

Security Countermeasures 25

Conclusion 26

Limitations 26

Recommendations 26

REFERENCES

CHAPTER 1
Introduction and Statement of the Problem

Introduction

Proprietary economic information is a crucial aspect of business in the United States, and is essential to maintain the competitiveness of the United States economy. The theft or misuse of proprietary economic information, by foreign or domestic agents, directly threatens the health of the United States economy (Freeh, 1996).

Due to the increasing value of proprietary information and the constant changes in technology, opportunities and motives for conducting economic espionage have increased as well. Quite often in the United States, foreign governments, as well as United States citizens, target United States firms, industries, and government to steal technologies, data, and information to give their business sectors a competitive advantage.

Economic espionage has become a business epidemic. Virtually every traditional espionage technique used in time of war is being employed in today's business sector. Economic crime and corruption are responsible for losses of an estimated $260 billion a year out of United States based companies (Perry, 1996). Corporate leaders must be able to identify their company's vulnerabilities to economic espionage, as well as develop strategies to protect the technology and information that is most at risk in this economic war.

The corporations themselves are the only organizations that can provide protection from economic espionage. Property law is viewed as weak and provides barley any protection for the United States companies that are victims of industrial spies. As well as realizing that companies must protect themselves, new protective measures must be implemented. Traditional protection options have become obsolete as a deterrent to economic espionage. Corporate security systems often fail because they are set up to protect employees and physical assets, but not the sensitive information that is sent along the world's electronic highways (Perry, 1996).

In order to counter economic espionage, corporate leaders must become knowledgeable in the areas of intelligence and counterintelligence. Security measures designed to protect information and resist espionage must be developed and implemented. Also, corporations must realize that methods used to protect information are quite different than conventional security systems.

It is estimated that fewer than 5% of major US companies have a business intelligence system in place. In contrast, 100% of Japanese companies are thought to have such a system in place (Perry, 1996). This surprising estimate illustrates the need for US companies to change their way of thinking and at least become aware of the potential damage that economic espionage can inflict. The United States business community is in desperate need to implement a new style of security system that is designed to protect its proprietary information from foreign and domestic competitors. In order for proprietary information to be protected, security countermeasures and counterintelligence systems must be viewed as a vital component of business, and as important as the customers, employees, or the finished product.

Statement of the Problem

Economic espionage has had a major impact on the business world. Competition in the business community has led to industrial spying and theft of proprietary information. Economic espionage refers to the theft of trade secrets, plans, confidential procedures, and other sensitive information.

This type of espionage occurs in the United States on a national and international basis. US competitors and foreign competitors have both used this relatively new form of business tactic. Companies that desire a share in a particular market, or companies that do business in the same market are always looking for a way to rise to the top. Stealing corporate information has become a very popular method for reaching that goal.

Stolen information can be worth billions of dollars, depending on the nature of it. Acquiring secret information and using it before the competitor can, could produce great profits while causing the competitor huge losses. Proprietary information can be acquired from a wide variety of industries. The main industries that have been targeted are areas such as biotechnology, aerospace, telecommunications, computer software and hardware, engine technology, as well as several others.

Corporate leaders in these industries have a crucial need to identify their company's vulnerability to economic espionage, and use that knowledge to develop strategies to protect the information most at risk to this rising problem. Accepting economic espionage as a regular type of loss is no longer an option for the shareholders, financial institutions, and insurance companies who must deal with these losses.

Purpose of the Study

A study needs to be conducted to show that security measures and counterintelligence techniques will reduce and resist the effects of economic espionage for companies in the United States. Economic espionage results in tremendous losses for US firms every year. A study needs to be done to show that these losses can be reduced and they should not be viewed as unavoidable.

With new and innovative security countermeasures and counterintelligence techniques in place, companies will be more prepared to prevent and deter industrial spies from robbing them of their secrets. Through this study, the author feels that the implementation of security measures and counterintelligence techniques designed to prevent economic espionage would greatly benefit United States industry.

Hypothesis

Protective countermeasures and counterintelligence techniques will not affect the occurrence of economic espionage in United States industry.

Delimitations

This study will not deal with the economic espionage trends outside of the United States, specifically foreign countries spying on each other. Although economic espionage occurs on a global level, the author's study will focus only on US based corporations. This study will also not deal with any legal consequences of economic espionage) specifically courtroom procedures.

All types of business will not be incorporated into this study. The areas of business covered by this study will be the most vulnerable and affected by economic espionage, thereby focusing on large corporations and selected industries.

Methodology

Data gathered for this study will be done with the use of unobtrusive research. Sources of this secondary research will be primarily gathered at the Kenneth J. Shouldice Library at Lake Superior State University. Data will be compiled from journals, newspapers, periodicals, professional organization publications, textbooks, reports, and the Internet.

Assumptions

Economic espionage involves the stealing of proprietary information from a certain company or industry which will benefit a competitor. The reader should understand that economic espionage is prevalent in the United States and requires direct attention from the business community and the government of the United States.

The reader should assume that economic espionage will always exist. Security countermeasures will not stop economic espionage completely, but may deter its occurrence and offer considerable resistance to the theft of proprietary information.

Justification of the Study

Economic espionage is a relatively new concept for the business world. Corporations must be aware that economic espionage poses a tremendous threat to their existence, as well as to the national security of the United States. Economic espionage has become a major problem in recent years, and will continue to affect United States industry unless something is done to prevent it from occurring.

Companies must start to focus on business intelligence as a tool that is just as important as marketing or accounting. Companies must become educated about the ways to prevent and resist economic espionage If US companies started to develop new security countermeasures and counterintelligence policies, as well as started to view economic espionage from a military standpoint, industrial spying would take a significant decline in the United States.

Definition of Terms

Business: Any occupation for a livelihood.

Compete: To strive against others to win something.

Competitor: One who competes.

Corporation: A legal, municipal, or professional association.

Countermeasure: A retaliatory measure.

Counterintelligence: Thwarting the intelligence gathering efforts of a foreign power.

Detect: To discover.

Deter: To discourage.

Economic: Pertaining to the distribution, use, or production of income, wealth, and commodities.

Economic Espionage: The theft, misappropriation, transfer, or use of proprietary economic information by a competitor or outside agency.

Espionage: The practice of employing secret agents.

Implementation: To put into practice.

Industry: A particular branch of trade or manufacture.

Loss: The act of losing possession of something.

Market: A place of purchase and sale of products.

Measure: Action or procedure intended as a means to an end.

Proprietary: Pertaining to property or ownership.

Protect: To defend.

Reduce: To diminish.

Secret: Kept from general knowledge.

Security: Something that protects or makes safe.

Spy: One who enters enemy territory to gain information

Strategy: Skillful management in getting the better of an adversary.

Surveillance: Close watch.

Technique: Procedure or method used in a specific field.

Treason: Act of betrayal.

Vulnerability: A place difficult to defend.

CHAPTER 2
Review of Related Literature

Brief History of Economic Espionage

Economic espionage has probably been around since there has been an economic system in place. One of the earliest accounts of economic espionage was recorded in China. China was the only source of silk at the time, and expeditions to China to obtain this material were long and dangerous. The process of the manufacture of silk was revealed to the Roman Emperor Justinian by Persian monks who were traveling the country. It is estimated that for ample rewards, Justinian convinced the monks to smuggle silkworms out of China, therefore giving Greece the methods of manufacturing silk. Due to this loss of sensitive information, China lost millions of dollars in foreign trade (Bottom, Gallati, 1984).

Another early victim of economic espionage was Brazil. Up until the early 20th century, Brazil had a monopoly on the rubber industry. The British desired a share in the market, and this was accomplished by the smuggling of rubber plants out of Brazil and cultivating them in Malaya. The British enjoyed huge profits, while Brazil suffered great losses (Bottom, Gallati, 1984).

A more recent example happened during the 1970's. The Soviet Union had obtained many corporate secrets and technology from the United States through the use of the KGB. The recent collapse of communism has resulted in the creation of mass economic espionage. Foreign powers have now directed their intelligence agencies from the political to the corporate spy arenas (Hansen, 1992). Many nations have been striving for democracy, and a share in the world market serves as a means to achieve that goal. Economic espionage has become a very popular way to gather economic information and bypass the time and costs associated with developing original data and ideas.

Current Trends in Economic Espionage

Virtually every espionage technique used in a time of war is being employed in the business sector. The methods have not changed, only the setting and the targets. Most economic espionage goes unreported, because successful espionage goes unprevented.

Reasons for Economic Espionage

The use of economic espionage allows companies and nations to avoid the high expenses of research and development, marketing, product testing, etc. This information has tremendous value. It can be used by the company that stole it, or can be sold to another company that bids the highest.

The actual theft of this proprietary information is perceived to be relatively easy and safe because the police, FBI, and CIA are very limited under the law to help corporations deal with this problem. Any property and electronic eavesdropping laws in place have been weak and unenforced. Also, there are few penalties for spies who actually get caught. They rarely serve any jail time, and since many are U.S. allies, the United States prefers to keep these matters private to avoid risking political embarrassment. In order to deal with this problem, some new laws have come into effect. The Economic Espionage and Protection of Proprietary Information Act of 1996 improves the FBI's ability to investigate economic espionage incidents (Pasternak, 1996). Also, a law enacted in 1994 by Attorney General Janet Reno allows rewards up to $500,000 to be given for information leading to the arrest and conviction of anyone involved in economic espionage.

There are several other reasons other than lack of deterrence why economic espionage has such widespread use. Advanced technology has made it possible to easily intercept business communications. Competition in business in now on a global level, and there are more competitors than ever before. Finally, probably the most common reason for economic espionage is that business ethics are certainly not what they used to be.

Actors

Economic espionage is carried out by people or organizations that fall into one of four basic categories. These are foreign entities, foreign owned U.S. entities, U.S. owned entities, or unknown entities (Heffernan, 1991). The Unites States government is most concerned with foreign entities because they pose a threat to the national security of the United States. These foreign powers are traditional enemies to the United States as well as allies. Allies to the Unites States are perhaps more dangerous because they can get closer to the information they want due to their past friendship with the United States. The United States business community is just starting to realize that the majority of major foreign companies have had a full time business intelligence department in place for many years.

There is also a considerable amount of domestic economic espionage in the United States. Victims of domestic economic espionage have included such industries as snack foods, medical suppliers, and automobiles.

Target Areas

Most cases of economic espionage occur in industries that are fast paced, innovative, and rely on research and development. Examples of these types of target industries include: biotechnology, aerospace, telecommunications, computer software and hardware, engine technology, advanced materials and coatings, energy research, defense and armaments, manufacturing processes, and semiconductors. Individual corporations are frequently targeted as well as whole industries. For example, companies that have a impact on a whole industry when a decision is made or product is introduced, are likely targets for economic espionage (Freeh, 1996).

Frequency

According to the American Society for Industrial Security (ASIS), reported cases of economic espionage in United States companies have grown 260% since 1985 (Perry, 1996). In 1991, the ASIS Standing Committee for Safeguarding Proprietary Information conducted a survey of 165 companies to determine the frequency of economic espionage. 37% of the companies reported that they had experienced a theft of proprietary information within the year. A 1992 study showed that 49% of 246 companies had experienced a theft of proprietary information. Of all the companies that had experienced a theft of information, the average occurrence of these thefts were ten incidents per month (Heffernan, Swartwood, 1993).

Impact

Economic espionage accounts for an estimated loss of $260 billion per year from United States based companies (Perry, 1996). When a 1055 of proprietary information occurs, it results in a chain reaction which causes additional losses throughout a corporation. Capital investments are lost if the product does not reach the market in time and production line are idle. The losses that occur when research and development information is stolen are tremendous. The competitor receives free information while the victim has spent millions of dollars for nothing. Staff time may have to be increased in the security department, and new plans must be formulated due to the information loss. Also, layoffs may occur as a result of the incident. Debts that were made from the development of the project may inhibit the company from proceeding with an alternate project. Market share will be decreased, and projected revenue and sales from the project will be altered if not lost completely. A significant loss occurs from the theft of proprietary information if the employee morale is lowered, and the employees start to lose faith in their company.

Minor and major losses seriously affect a corporation. 72% of all businesses that experience a major loss of information or data, and have not made preparations for that loss go out of business within two years (Copen, 1996).

Methods of Espionage

There are many methods to secretly obtain sensitive information. Regardless of the method used, an operative is required to carry out that method. Corporate spies are chosen and selected in various ways. Most of the time, industrial spies are recruited from a company's own business intelligence department. If a particular task requires special circumstances or conditions that the operative must work in, additional recruitment methods must be used. Foreign students are sometimes recruited before they come to the United States to attend school. These students frequently acquire jobs with firms in the United States and carry on their espionage operations over many years. Foreign nations will also hire well connected consultants to produce reports on the desired topic of interest.

The most effective operative for economic espionage is a trusted employee within the target corporation. This employee could be anyone from a janitor to an executive. Secretaries and other support personnel have good access to proprietary information, and their low wages make them more susceptible for recruitment. Some employees will even contact competitors and volunteer themselves to be a spy. These people are usually driven by greed, financial situations, stress, or drug and alcohol abuse.

A profile of a typical corporate spy was developed by the Business Espionage Controls and Countermeasures Association. It describes a typical operative as:

• 21-35 years old, female as often as male.

• college graduate with a low level degree.

• broad, short term employment background. 

• money problems.

• military intelligence experience. 

• considered a loner or outsider.

• acquaintances with law enforcement backgrounds.

• active interest in firearms.

• romantic hobbies or interests (i.e. scuba, skydiving, etc.) 

(Murray, 1995)

Sensitive information can often be acquired through legal .sources. These sources are public information sources such as corporate statements, stockholder reports, news releases, product information, government reports, and financial analyst reports. These sources offer general information about a company. Specific information must be acquired through other means.

The collection of specific proprietary information can be gathered by numerous ways. By calling different departments of a company and asking specific questions, a spy can gather much useful information. This technique relies on the premise that most people do not know any better than to talk about sensitive matters and operations with unknown people. The theft of a company's garbage, often referred to as dumpster diving, is considered to be the number one method of business espionage, because it is legal. On May 17, 1988, the Supreme Court declared that taking garbage was legal once it was outside the property and left for pickup. This method makes it very easy to locate specific information. Different departments in companies use different colors of envelopes and letterheads. By opening several bags, a spy can quickly find the desired bag and merely take it away.

Theft of customer lists, technical data, and computers by leaving employees is common. When a computer is stolen, many companies regard it as a loss of property. Management and security personnel seldom realize that the target of this theft was the information on the computer, not the computer itself Other methods of espionage by employees include unauthorized reproduction of documents, removal of information from offices, or leaving doors, files, and desks unlocked for an accomplice to gain access to.

A good spy can enter most premises in the day or night unprevented. Spies may pose as maintenance people, repair people, technicians, cleaning crews, electricians, etc. This method of information collection is effective because much information is left in plain sight during or after business hours. Often employees fail to lock doors, desks, and file cabinets. This allows easy access for a spy to duplicate, photograph, or steal any desired information. Another effective technique is to remove the carbon ribbons from typewriters and prints, and replace them with new ones. These may contain highly sensitive information, and usually nobody discovers that a theft has occurred. Industrial spies have even resorted to drastic measures to obtain information such as robberies, burglaries, theft of luggage and even murder (Jones, 1990).

Different cultures use different espionage techniques. The Chinese and Japanese send many people to collect information from many areas. Other nations may only send out one operative at a time to collect information on one area. The Japanese pioneered a technique called reverse engineering. This involves the disassembly of a competitor's product to gather information on the components, manufacturing, and costs of a product. Another Japanese technique that American workers use to laugh at was Japanese tourists taking of hundreds of photographs during plant tours and trade shows. United States companies were slow to realize that these pictures could contain valuable information (Hamit, 1991).

Electronic Eavesdropping and Surveillance

This technique is the most devastating collection method of economic espionage. These electronic devices are so small that they can be placed or disguised almost anywhere and not be prevented by physical observation. The majority of these devices are audio transmitters and recorders. These transmitters can be disguised as pens, decorations, or even neckties. A popular eavesdropping device is the wireless intercom. This device can transmit audio by radio frequency or over the regular power lines in a home or office. This intercom is about the size of a pack of cigarettes are can be built into walls, floors, ceilings, and furniture. It is also very effectively disguised as an electrical wall outlet (Jones, 1990).

Another popular place for hiding transmitters and recorders is on telephone lines. These can also be placed inside a phone as a fake component, and any conversations are transmitted when a call is either made or received. Recorders can be placed on phone lines that are voice activated. This allows for the batteries and the tape to remain in the recorder without having to be regularly changed. Another type of phone transmitter can be placed on or near any telephone, and will prevent that telephone from ringing. The spy then calls that phone and activates the transmitter without the phone ringing. This method allows people to listen in on any room that has a telephone.

A new type of audio transmitter is now being used that transmits the audio signal via an infrared light beam. This type of transmitter allows the listening post to receive audio from the target room up to five miles away.

Fax transmissions are easily intercepted as well. The tones that are produced by the fax machine to send a message are recorded and then played into another fax machine. This allows a fax transmission to be received by any fax machine, as long as it receives the specific tones that were produced by the original message.

Security Countermeasures and Counterintelligence

Information is as important as any other asset, and must be protected. The United States is just beginning to realize this concept, and comprehensive counterintelligence programs are starting to be implemented by most large companies.

Counterintelligence has existed as long as the concept of espionage. Two thousand years ago, Sun Tzu stated in the Art of War that, "it is essential to seek out enemy agents who have come to conduct espionage against you" (Swartwood, 1993). A 1992 survey conducted by the Standing Committee for Safeguarding Proprietary Information of ASIS discovered that out of the 246 companies that responded, 76% of them had a formal Safeguarding Proprietary Information (SPI) program in place. This program however, is only updated annually by 33% of those companies (Heffernan, Swartwood, 1993).

In order to decide if a SPI program would be beneficial, a company must weigh the cost of the program against the potential information loss. The potential loss is usually much greater than the cost of a SPI program, and the ASIS 1992 survey reported that the security program that cost the most was only between $51 100 thousand dollars.

Before any countermeasures can be implemented, the security department must have the full support of upper management and the employees. Top management must realize the importance of guarding proprietary information and the consequences of an information loss. All employees must be given training and education on how to deal with economic espionage. The goal of this training is to develop a corporate culture with a counterespionage frame of mind. In order to accomplish this, the employees should be given realistic training and constant reinforcement.

Part of the training should include workshops that give employees an opportunity to develop lists of potential information vulnerabilities and how to go about protecting those vulnerabilities. Employees should be aware of the various information collection techniques and how to counter them. Employees should be taught never to discuss business or use lap top computers in public places such as restaurants or parks. They should be instructed to always lock doors, desks, and files when not in use or after hours.

Security personnel should be informed to check desktops for sensitive information left out after hours. Security should be in charge of reminding employees about counterespionage methods. Security should be trained to spot suspicious people around the property, and to check all bills of lading for proper clearance (Goodboe, 1992).

Reinforcement of the counterespionage mindset can be accomplished by emphasizing security countermeasures in corporate publications, posters, or information flyers. Refresher courses should also be given annually.

Once there is company wide awareness of the importance of guarding proprietary information, a SPI program can be developed. An obstacle that usually hinders the effectiveness of a security program is that the security department does not know what to protect. Management should inform security about what is sensitive and what is not.

Security should then pass this information onto the employees. There are many types of SPI programs. Some consist of just one specific countermeasure, others are general and cover the whole corporate picture. A typical program usually involves many different countermeasures to deter the many methods of economic espionage. In order for a SPI program to be effective, management must realize that a counterintelligence system is much different than a traditional security program. A traditional security program responds to theft by increasing locks, alarms, and guards. These physical security techniques do not affect or deter the industrial spy.

Since there are many different methods of collecting proprietary information, specific countermeasures have been developed to minimize the occurrence of specific methods of collection. Some examples of these countermeasures include eliminating plant tours, encryption or non-usage of cellular phones, and refraining from faxing sensitive information. Executives that travel frequently must always guard their luggage and lock their rooms and vehicles.

Garbage Security

The best countermeasure for garbage theft is the shredding of all paper. Vertical cutting shredders are not adequate because the industrious spy will piece documents back together. Cross-cut shredders are the best type to use. Shredders should be available next to copiers in the office and at executive's homes. Instead of having one central shredder for a whole floor, desk side shredders are a good alternative. Employees will be more apt to use them, and it also provides the employees with a perceived status symbol. All shredding should be done within the corporation. A recycling agency should not be trusted to do the shredding for a company. An alternative to shredding paper waste is burning. This method is not as convenient, but it is more cost effective (Murray, 1995).

Visitor Security

The security department should check and photocopy all work orders. All repair and maintenance personnel should be instructed to do their work during business hours only. Any visitors or maintenance personnel should be escorted to and from their destinations and wear visitor badges. Upon entering and leaving the property, any visitors should be required to sign in and out.

Computer Security

Securing computers should start by limiting the physical access to them, as well as to any software. Employees should secure all disks and backups, use quality passwords, and always log off when they are finished their work. Sensitive information should never be left on a computer unless it is in active use, and computers should be disconnected from networks if they are not being used. All disks should be erased prior to disposal, and should be disposed of separate from paper waste. Borrowed software should never be used, and software should never be copied for personal use or given to unauthorized personnel. Employees should report any suspected intrusions or altered data in a computer, and should be instructed never to disclose any information regarding the computer security system.

Detection and Prevention of an Insider

An employee that is conducting espionage within the organization is extremely dangerous to the company. This type of employee is one that usually feels unappreciated and stuck in his/her job. There are some countermeasures that can help in the prevention of an insider, but the best way to stop espionage from within is to prevent potential spies before they are hired. This can be done by conducting detailed background checks of employees, especially if the position deals with sensitive information. During this investigation, any period of employment that were not listed on the application should be checked thoroughly. Upon hiring new employees that have access to sensitive information, a release should be signed which gives the company the right to check the employee's financial records every five years. This would enable prevention of any unexplained large sums of money that the employee might be receiving. Periodic polygraph testing is another countermeasure that can be used to prevent an insider. The only problem with this countermeasure is that it might be possible to wrongly accuse someone just because of a poor test result. Finally, it is necessary that management take an interest in employees beyond their names and positions. If an employee feels appreciated, it might help avoid an incident of betrayal (Fox, 1994). Despite these countermeasures, insiders are fairly difficult to prevent once they have established themselves in an organization, but there are some places to start the search. One consultant stated that "wherever the money changes hands, so does information" (Pavlicek, 1992).

Securing Meeting Areas

These are the areas where the most sensitive proprietary information is developed and discussed. Meeting rooms should be one of the first areas of a company that utilizes security countermeasures. Any wiring that exists in the room has the potential to be used for electronic eavesdropping. All unnecessary or unused wiring should be removed from the area. A search for recording and transmitting devices should take place at the same time as the removal of wiring. It is a good idea to have the room soundproofed as well. The door to the conference room should be locked at all times, and be in an area of restricted access to nonessential employees. During meetings, all windows and blinds should be closed to prevent eavesdropping and photography, and as a final precaution for electronic transmitters, all telephones and speakers should be unplugged.

Cloaking Operations

Cloaking operations, otherwise known as deception, prevent any competitors from discovering the activities of a company. This countermeasure is extremely important for situations such as the development of a new product or a corporate merger. The everyday functioning of a corporation can reveal much information to the trained spy. These spies can gain information about a company by observing traffic fluctuations, garbage pickup rates, shipments, amount of emissions, etc. The key to successfully cloaking the operations of a company is to avoid unusual patterns of activity. This can be done by controlling several factors. Business hours must be kept as uniform as possible. Any workers that are present during unusual business hours should be provided in-house food, instead of going out to eat. If increased production will produce increased emissions, these emission changes should be done gradually. Also, increased computer usage should start with nonsensitive processing in the case of travel, the names of low profile workers should be used to book hotels and any other travel arrangements. Executive travel should be kept to a minimum, and their departure and arrival times should be staggered (Mendell, 1994).

Operations Security

Operations security (OPSEC) is a systematic process that uses a competitor's perspective of a corporation to determine its vulnerabilities to proprietary information. This countermeasure is complex and very broad, but it is well worth the effort if it is used properly. The concept of operations security was adopted by the government from the United States military in 1988. The United States business community is now implementing this security countermeasure. The framework for this program is built by a company asking itself three main questions: What must the company protect? From who must the company protect it? And for how long must it be protected (Swartwood, 1993)

The OPSEC process is implemented by the completion of five steps. First, critical information must be identified. Second, the threat must be analyzed. Any potential adversaries should be identified and ranked in order of importance during this stage. The third step is an analysis of any vulnerabilities. Management should realize that a vulnerability is only worth protecting if a competitor wants that information. The OPSEC process ensures that risks are at least considered by the CEO. However, a problem can arise when information that might help a competitor is not defined and identified. The fourth step is a ~ risk assessment. Ant potential effects of a vulnerability are identified and measured. The last step involves the implementation of countermeasures. These may take the form of changing some processes or procedures used to produce, communicate, and protect proprietary information (Jelen, 1994).

Surveillance and Eavesdropping Detection

This countermeasure is the most expensive, yet precise countermeasure that can be used. The actual search for surveillance and eavesdropping device is considered the countermeasure. The technical name for searching for these devices is called Electronic Intercept Detection (EID), and is usually performed by a Technical Surveillance Countermeasures (TSCM) team. Due to the danger that electronic spying devices pose to a corporation, and the difficulty of discovering them with the naked eye, these searches are very necessary for some corporations.

Before hiring a TSCM team, they should be interviewed and investigated to ensure that they are professionals. Credentials that are required for people to conduct EID searches include formal training and education in EID, and some states require EID technicians to have a license. EID consultants will often have about ten years experience in offensive as well as defensive experience in EID. The team should submit a list of their equipment, and it should be very expensive and state of the art. Also, a nondisclosure agreement should be a standard part of the contract. The average cost of a thorough EID is about $1OO,OOO or more, so that cost should be weighed against the potential losses due to eavesdropping to determine if an EID is a logical choice (Jones, 1990).

An EID should be planned so that only a minimum number of people know that it will be done. The search should not interfere with the daily business operations, or be viewed by employees. The best time to do an EID is after normal business hours. Before the search can be done, the TSCM team will need some information about the company such as floor plans, wiring, heating, ventilation, air conditioning systems, as well as communication systems and the makes and models of all components. 

An EID should be done at the site of the corporation as well as at the homes of any key executives. The EID should cover four main areas. First, the radio frequency spectrum should be checked for any audio using a spectrum analyzer. Second, all AC power lines should be tested for any audio transmissions. This is done by connecting a tunable receiver to the power lines. Next, all telephones and telephone line should be checked, as well as the telephone room and junction blocks. A telephone analyzer measures the on and off hook voltages of the telephones. A physical examination of the telephones for should be done to prevent any unauthorized or modified components. The last stage in the EID process is the search for dormant devices. These are devices that do not constantly emit a signal, and could have been missed earlier in the search. Examples of these devices are voice activated transmitters and recorders. Ventilation ducts and pipes should be checked for these devices, and inspected for potential audio conductivity. All walls, floors, ceilings, and furnishings should be thoroughly inspected for eavesdropping devices as well. Ultra violet light will reveal fresh paint, putty, structural changes, or any evidence of tampering on walls, ceilings, etc. (Calhoun, 1992). Night vision binoculars with the infrared filter removed are used to prevent any infrared transmitters. A probe attached to an amplifier is used to determine if the light is capable of transmitting audio because there are normal sources that emit this type of light.

Sometimes during an EID, nonstandard or false wiring will be installed in walls. This tactic is used so that if an eavesdropping device is attached to the wiring, no audio will be transmitted through it.

It is important to remember that no BID is 100% accurate. It is possible to miss some devices, due to their size and advanced technology. After completion of the BID, an oral report is given that states any findings. This report is followed by a written report that explains the search, search methods, results, and recommendations. The written report should follow the oral report within 30 days.

Regardless of the type of countermeasure or counterintelligence program in place, the constant change in technology and competition demands that these security measures be modified regularly. It is recommended that security programs be updated and tested biannually with the use of LID, information security surveys, employee awareness refreshers, vulnerability testing, and security audits and surveys.

It is also important to understand that economic espionage may occur even in the most secure corporation. While security countermeasures for economic espionage are not guaranteed, developing a security program to prevent, deter, and neutralize espionage is a corporation's most effective weapon against economic espionage.

CHAPTER 3
Analysis of Data

As previously stated, economic espionage will continue to develop and occur regardless of any security countermeasures that a company may have in place. Due to the constant development of innovative technology and the potential value of proprietary information, industrial spies Will eventually modify their techniques in order to penetrate a company's security program. This statement however, does not imply that the development and implementation of security countermeasures is futile and will provide no protection for proprietary information. Although no security countermeasure is guaranteed, companies that have a counterespionage program in place are much less likely to be victims of economic espionage, compared to companies that leave themselves defenseless against industrial spying.

Rationale for Implementing Countermeasures

In order for a company to decide whether or not to implement espionage countermeasures, several factors must be addressed. First, does the company have anything that a competitor might want? Excluding a few types of companies, the majority of businesses have some type of sensitive information. 

Secondly, how real is the threat? After any potential losses have been identified, possible competitors must be identified and evaluated on the potential damage that they could inflict by gaining any sensitive information. The final step in deciding to use security countermeasures is determining the potential cost of an information loss (Swartwood, 1993). 

If a loss of proprietary information would not significantly affect a corporation, implementing a counterespionage program would not be economically sound. A company must weigh the cost of security countermeasures versus the cost of a potential loss, keeping in mind that potential losses can mean much more than money.

Companies That Might Use Security Countermeasures

The size of the corporation and the type of industry that it is involved in usually determines which companies have counterespionage programs. It would not be financially feasible for a company employing 20 people to have an EID conducted annually, but for a semiconductor research facility employing 80 people, and annual BID would be essential.

Any company that is involved in high technology or research and development should have a counterespionage program in place, regardless of any past history of economic espionage. Small to medium sized companies that operate on a tight budget, but have many competitors, can still protect themselves. Security countermeasures do not have to be extremely expensive. Obviously a small company could not afford to hire a TSCM team, but it could afford to shred its sensitive documents, conduct employee awareness seminars, and ensure that office doors and files are locked after hours.

Large corporations that can afford to implement a comprehensive counterespionage program should do so. At this level of competition, the cost of the program is insignificant compared to the cost of potential losses. It is possible that information may still be lost, but without any security measures in place, information losses would be much greater.

Guidelines for Effective Security Countermeasures

Effectiveness of a counterespionage program depends on several factors. The program must utilize several different countermeasures, must be reviewed and updated continually, and must have the support of upper management and all employees.

In order to reduce economic espionage, a variety of countermeasures must be used. There are many methods that can be used by spies to gain access to sensitive information, and many vulnerabilities exist for information to be lost. By correcting and safeguarding these vulnerabilities, a company can minimize the risk of potential losses. It is imperative to remember that a vulnerability cannot be protected unless it has been identified.

If a counterespionage program is to remain effective, it must be reviewed and updated regularly. A company must not let its security countermeasures become outdated. Corporate spies are continually attempting to breach these countermeasures, and will eventually formulate a new method for collecting the desired proprietary information. The best type of counterespionage program is a proactive one. Reactive countermeasures allow for at least one information loss before further attempts can be prevented. Depending on the nature of the information that was stolen, the impact of that loss may be irreversible.

The security director can only do so much to reduce economic espionage. In order for the company to effectively reduce the probability of economic espionage occurring, upper management and all employees must give the program their full support. Support of upper management is crucial because they are the people responsible for setting an example and ensuring that the employees do the same. Upper management should be in close contact with the security department to discuss possible vulnerabilities and possible courses of action. The employees have a considerable impact on the effectiveness of the program. The negligence or ignorance of an employee can severely compromise the integrity of the security program. If employees are made aware of economic espionage, and are included in the prevention of it, the resulting counterespionage program will be very effective, and will have support from the full spectrum of employees. If a company has all of its employees participating to reduce economic espionage, a counterespionage corporate culture is formed which increases the effectiveness of the overall security program.

Advantages of Security Countermeasures

Security countermeasures provide companies with many advantages. Apart from significantly decreasing the probability of economic espionage occurring, security countermeasures have residual effects on a company. Employee morale will be increased due to the fact that the employees will feel more secure in their jobs and have increased faith in the company. Communication within the company will be enhanced with regular seminars and memos regarding the prevention of economic espionage. Security countermeasures offer many advantages, but the most important advantage is the reduction of information losses that the company will experience due to the implementation of these security countermeasures.

Disadvantages of Security Countermeasures

There are very few disadvantages that may occur by implementing a counterespionage program. The only disadvantages that companies may experience are the cost of the program, and the fact that industrial spies may find a way to compromise these countermeasures. These disadvantages are preventable. The cost of a counterespionage program is insignificant compared to the potential losses that may occur if the program was not in place. This concept should be brought to upper management's attention if there are any doubts regarding the implementation of security countermeasures. The chance of spies devising a way to penetrate these countermeasures can be avoided as well. By regularly testing and updating the security program, the likelihood of corporate spies adapting to the security program is significantly reduced. It may appear that there are disadvantages that exist if any security countermeasures are to be used. Upper management and the security director should discuss these perceived disadvantages, and by doing so, may be able to realize that these disadvantages can be justified, if not at all prevented.

CHAPTER 4
Summary of Major Findings

Economic Espionage

The use of economic espionage allows nations and corporations to avoid the high costs of research and development, marketing, product testing, etc. Economic espionage poses a serious threat in the United States because it is a major economic power, and the theft of proprietary information is relatively easy due to weak property and eavesdropping laws. Recently however, there have been some attempts by the United States government to reduce the frequency of economic espionage. The Economic Espionage and Protection of Proprietary Information Act of 1996 has improved the FBI's ability to investigate economic espionage incidents, and a law was passed in 1994 which allows rewards up to $500 000 for information leading to the conviction of anyone involved in economic espionage (Pasternak, 1996).

According to the American Society for Industrial Security (ASIS), reported cases of economic espionage in the United States have grown 260% since 1985 (Perry, 1996), but it is important to note that this figure includes cases that were prevented. Since successful economic espionage goes unprevented, the actual frequency of economic espionage is probably much greater.

Target Industries

Most cases of economic espionage occur in industries that are fast paced, innovative, and rely on research and development. Examples of these industries include: biotechnology, aerospace, telecommunications, computer software and hardware, engine technology, energy research, manufacturing processes, and semiconductors. Individual corporations are also targeted as well as whole industries. For example, companies that have a significant impact on a whole industry when a decision is made or a product is introduced are likely targets for economic espionage.

Impact

Economic espionage accounts for an estimated loss of $260 billion per year from United States based companies (Perry, 1996). Additional losses that are related to an information loss include capital investments, staff time, layoffs, debts, market share, and employee morale.

Methods of Espionage

Corporate spies use many different methods to acquire proprietary information. Sensitive information can be obtained by looking through a company's garbage, calling different departments within the company and asking generalized questions, and simply observing the production of the company. These methods are widely used because they are completely legal. Specific information is usually gathered by illegal means such as property theft, breaking and entering, or electronic eavesdropping impossible to prevent. Sensitive information can be easily acquired and reported back to the competitor. Offices, files, and computers are often left unsecured, and are excellent sources of proprietary information.

Technology has had a major impact on economic espionage. Electronic surveillance and eavesdropping are widely used to gather sensitive information. Eavesdropping and surveillance devices pose a serious threat to the information security of a company. They can be placed virtually anywhere, and are usually unpreventable by the naked eye. This technology allows for the interception of phone calls, fax transmissions, and voice mail. These use of this technology also allows competitors to listen in on meetings, conferences, and any other type of potentially sensitive discussion.

Security Countermeasures

The increasing frequency of economic espionage has given rise the use of security countermeasures by companies to reduce the occurrences of information losses. A 1992 survey by ASIS reported that out of 246 companies, 76% of them had a formal Safeguarding Proprietary Information (SPI) program in place. This program however, is only updated annually by 33% of those companies (Heffernan, Swartwood, 1993).

An effective counterespionage program will involve nearly every aspect of the company. Everyone from top management to the janitorial staff should participate and support the program in order for it to work. Simple changes such as shredding all paperwork and locking office doors and files will dramatically reduce the possibility of an information loss. All employees should be aware of possible vulnerabilities and what they can do to minimize these vulnerabilities. The security department is in charge of the implementation of the counterespionage program, but the success of the program relies on the participation and support of top management and the employees.

An additional component to a counterespionage program is an Electronic Eavesdropping Detection (EID) survey. This countermeasure prevents and neutralizes any electronic eavesdropping or surveillance devices that may be present within the premises. This security option is very effective, but very expensive as well. A cost benefit analysis should be done before implementing this countermeasure.

Regardless of the security countermeasures a company may have in place, the constant change in technology and competition demands that these security measures be tested and modified regularly. Corporate spies are very persistent, and will eventually find a way to breach a countermeasure. The only way for a company to ensure that this will not happen, is to constantly update their security countermeasures and remain knowledgeable about the cutting edge of technology.

Conclusion

Economic espionage poses a serious threat to the United States economy. This type of espionage is increasing and becoming more dangerous with the advancement of technology. The implementation of security countermeasures greatly reduces the possibility of a company experiencing an information loss. These countermeasures must be implemented and managed correctly in order for them to remain effective. Economic espionage will never be completely eliminated in the United States, but corporations can take it upon themselves to implement countermeasures that will ensure that they will not be easy targets for industrial spies.

Limitations

This study was limited to library resources such as journals and periodicals. The study could have been developed further with specific information and statistics from major corporations in the United States. By investigating the frequency and circumstances of economic espionage concerning major United States firms, the author could have gathered more accurate data regarding the success and effectiveness of certain security countermeasures.

Recommendations

In order to develop and implement effective security countermeasures, a company should consider several key factors. If the security director is unsure that all the vulnerabilities have been identified, a professional security consultant who specializes in economic espionage should be brought in to ensure that this task is completed. Once in place, the counterespionage program should be tested and updated biannually with the use of security audits and surveys. An annual Electronic Eavesdropping Detection survey is recommended for companies that can afford this service. A crucial part of the effectiveness of security countermeasures is employee participation. Employee refreshers such as memos, posters, and flyers regarding economic espionage should be distributed regularly.

REFERENCES

Bottom, N. & Gallati, R. (1984). Industrial espionage intelligence techniques and countermeasures. Boston: Butterworth.

Calhoun, J. (1992, September). Clear the air with TSCM (technical surveillance countermeasures survey). Security Management. pp. 5459.

Canton, S. A. (1992, December). Industrial espionage: reality of an information age. Research Technology Management. pp. 18-24.

Copen, J. "Spyzone". 1996. http://www.spyzone.com/CCST.html (25 Sep. 1996).

Davis, D L (1992, February). OPSEC: not for government use only. Security Management pp 4849.

Donnelly, J F (1993, September). Dependable enemies, undependable friends. Security Management. pp. 159.

Freeh, L. "Hearing on Economic Espionage". 1996. http://www.fbi.gov/ecespio2.htm#methods (11 Sep. 1996).

Fox, J. (1994, May 9). Security. Forbes. pp. 12-13.

Garland, J. 5. (1994, May). Uncovering a trail of sheer treachery. Security Management. pp. 45-48.

Goodboe, M. B. (1992, April). A trained eye wilt see the spy (teaching employees how to recognize the signs of espionage. Security Management. pp. 49.

Hamit, F. (1991, October). Taking on corporate counterintelligence. Security Management. pp. 3435.

Hansen, M. (1992, September). Counterespionage techniques that work (safeguarding proprietary information). Security Management. pp. 4446.

Heffernan, R. I. (1990, December). A little TSCM (technical surveillance countermeasures). Security Management. pp. 3537.

Heffernan, R. J. & Swartwood, D. T. (1993, January). Trends in competitive intelligence. Security Management. pp. 7073.

Jones, P. (1990, December). When competitors really bug you (industrial espionage). Security Management. pp. 44-47

Mendell, R. (1994, May). Ask me no secrets, I'll tell you no lies (utilizing cloaking and misdirection methods to counter industrial espionage). Security Management. pp. 24-26.

Murray, K. D. "Espionage 101 and much more." Security Management. pp. 106114.
http://www.spybusters.com/

Murray, K. D. "Ten Spy-Busting Secrets
http://www.spybusters.com/

O'Connell, E P. (1994, May). Countering the threat of espionage. Security Management, pp. 35-37.

Pavucek, L (1992, April). Developing a counterintelligence mind-set. Security Management. pp. 54-56.

Perry, S. "Economic Espionage". 1995. http://www.emporium.turnpike.net/lntllnt/econ.html (11 Sep. 1996).

Somerson, I. S. (1994, October). Information: what it costs when it's lost. Security Management. pp.61-62.

Spring, S. (1995, April). Making a clean sweep of spies (technical surveillance countermeasures). Security Management. pp. 44-46.

Swartwood, D. T. (1993, June). Is the secret out? Security Management. pp. 42-46.

Electronically formatted and distributed with permission by:

Murray Associates