Leaks and geeks: International espionage goes high-tech

A spate of old-fashioned security leaks and newfangled hack attacks has made corporate espionage one of the New Economy's hottest topics.

International spies, pilfered documents and treasonous allegations: Are these the irrelevant artifacts of the 1980s Cold War?

Absolutely not, Mr. Bond.

A spate of old-fashioned security leaks and newfangled hack attacks has made corporate espionage one of the New Economy's hottest topics. As companies such as Microsoft, Oracle and Intel struggle to protect trade and investment secrets, tech firms are increasingly the perpetrators and victims of spy missions--the likes of which British spy novelist Ian Fleming and his 007 character would be proud.

Although the tech industry has had its share of blatantly illegal espionage, most modern corporate spy activity falls into a gray zone between aggressive competition and unethical snooping.

Yesterday, Oracle chief executive Larry Ellison defended his company's decision to hire detectives to mine garbage pails and investigate two research groups funded by the company's fiercest rival, Microsoft. Comedians and satirists are heralding the case, Ellison's increasingly embarrassing albatross, as "garbage gate."

In another recent case of corporate intrigue, a judge found in May that Broadcom tried to extract trade secrets from competitors during job interviews with Intel employees. Filed in California's Santa Clara County Superior Court, the suit touched a nerve in Silicon Valley, where executives often probe job candidates about their current and future projects at competing firms.

In 1997, Santa Clara County slapped felony charges on software maker Avant, charging that its top executives conspired to steal trade secrets from Cadence Design. The case hinged on former Cadence employee Mitsuru "Mitch" Igusa, who allegedly emailed Cadence software files to his home in 1995 and had once served as a consultant to the rival company.

Security experts say such cases--and thousands of other embarrassing leaks that companies don't want to make public--aren't mindless paranoia. From Dumpster diving to international data theft, cases of legal and illegal espionage at all levels are on the rise.

According to a study by the American Society for Industrial Security (ASIS) and consulting firm PricewaterhouseCoopers, Fortune 1000 companies sustained losses of more than $45 billion in 1999 from the theft of proprietary information--up from mid-'90s estimates from the FBI pegging the cost at roughly $24 billion a year.

The average Fortune 1000 company reported 2.45 incidents with an estimated loss per incident in excess of $500,000. More troubling: Forty-four of the 97 companies that participated in the ASIS survey reported a total of more than 1,000 separate incidents of theft.

Tech companies reported the majority of those incidents. The average tech firm reported nearly 67 individual attacks. The average theft was pegged at $15 million in lost business.

High-tech booty
What are spies after? Customer lists from high-tech companies are the No. 1 stolen item--making dot-com start-ups, software firms and Internet service providers, which typically keep extensive customer lists in their marketing departments, prime candidates for espionage.

Financial data, research and development work, merger and acquisition plans, unannounced product specifications, and prototypes round out the ASIS list of hot commodities.

Experts say the message of this study and others is simple: The average tech company has too many leaks and needs to batten the security hatches.

"Most companies don't have the ability to detect when these problems are even occurring," said Ira Winkler, author of "Corporate Espionage: What It Is, Why It Is Happening in Your Company, What You Must Do About It" and president of The Internet Security Advisers Group.

Winkler estimates that blatant, illegal espionage attacks penetrate the average Fortune 2000 company two to three times per year. But most companies are completely unaware of the pillage. When competitors come out with a similar product, service or production method, victimized companies often chalk it up to fierce competition or dumb luck.

"Companies have got to go ahead and do the basic security things. Keep audit logs when people access computers and sensitive information. Keep important information on a need-to-know basis. Require employees to change passwords frequently," Winkler said. "Usually companies have policies for that, but rarely do they enforce them."

Although spies may penetrate tech companies more than other companies, high-tech firms are not alone in their struggles with espionage.

Legendary intrigue
The most colorful and high-stakes case embroiled General Motors and Volkswagen for much of the 1990s. The case hinged on a ring of Latin employees led by a hard-charging Basque expatriate named Jose Ignacio Lopez de Arriortua. Lopez was head of purchasing for GM and defected abruptly to VW in 1993.

GM accused Lopez of masterminding the theft of more than 20 boxes of documents on research, manufacturing and sales. Much of the allegedly pilfered data involved blueprints for a super-efficient assembly plant--a factory that GM believed would topple VW's dominance of the small-car market in emerging markets of Eastern Europe, China and elsewhere.

The world's largest international corporate espionage case officially ended in 1997, when VW admitted no wrongdoing but settled the civil suit by agreeing to pay GM $100 million in cash and spend $1 billion on GM parts over seven years.

In 1998, German prosecutors dropped criminal charges of industrial espionage against Lopez, who resigned from VW in 1996 and was injured in a car accident in Spain two years later. But Germany made Lopez donate $224,845 to charity.

In "War by Other Means: Economic Espionage in America," author John Fialka writes that foreigners are pillaging confidential information from unwitting bureaucrats and U.S. companies in all industries. Although one Amazon.com reviewer from Silicon Valley dismissed the 1997 tome as "alarmist and overly paranoid," the book was widely trumpeted as a wake-up call to corporate America.

Fialka recounts a 1991 incident in which spies posing as garbage collectors scoured the trash cans outside the Houston home of a U.S. defense contractor executive. One of the ostensible garbage men turned out to be France's consul general, who said he was collecting fill for a hole in his yard.

Not so, said the FBI, which suspected he was searching for secrets in part of a 30-year effort by the French government to reap U.S. scientific or military secrets.

The book also recounts a vast Japanese corporate spy ring. The group stole U.S. research into tilt-wing aircraft that represented four decades' worth of Bell Helicopter experimentation, $3.5 billion of U.S. government investment, and $17.8 billion in potential U.S. exports.

Spies on the rise
Experts pinpoint several reasons for heightened spy activity.

The end of the Cold War, which began when the Berlin Wall fell in 1989 and culminated when the Soviet Union dissolved in 1991, ended much of the storied espionage between the USSR, China and the West.

But experts say that after a brief respite from spy activity, espionage resurfaced. Instead of international political and military espionage, it became corporate. By 1997, the FBI reported that 23 foreign governments were systematically scouring American companies of intellectual assets.

The rise of email as the de facto means of sending messages across companies and the world has heightened the danger. Hackers can intercept email on the Internet more easily than they can tap into a phone call, and skilled spies can even penetrate a company's intranet.

"The Spartans and Athenians went through each other's garbage 1,000 years ago--that's nothing new," said Harris Miller, president of the Information Technology Association of America. "But now we're seeing more virtual corporate espionage...Rather than someone (breaking) into a physical building and (prying) open a file cabinet and (taking) out documents, the new challenge is for someone to break into an intranet and steal documents that are being sent back and forth in the company."

Virtual and physical corporate espionage reached such a pitch--and corporate victims including GM, Intel, Hughes and Lockheed Martin raised such a fit--that Congress passed the Economic Espionage Act of 1996.

As a result, theft of trade secrets became a federal offense, with prison sentences of up to 15 years and fines of up to $500,000 for individuals. Domestic thieves who sing to corporate rivals face fines of up to $250,000 and jail sentences of up to 10 years.

But the law hasn't curbed the broader corporate trends that are fueling espionage, especially in the tech sector.

International security hot spots
The increasingly global world of commerce means that more tech companies are setting up shop in places such as China and Japan. ASIS says the "weakest link" in security is often the small sales office in a foreign country, where employees enjoy easy access to the company intranet but have little face-to-face contact with or loyalty to top executives.

According to ASIS, the top five countries cited as security risks are the United States, China, Japan, France and the United Kingdom. Mexico and Russia, meanwhile, have the highest increase in spy activity.

Another factor: The tech industry is increasingly becoming an industry of contractors--hired guns who write software or set up Web sites for three months to a year before moving to the next job, often at a rival firm. ASIS found that roughly 20 percent of workers at Fortune 1000 companies are temporary or part-time workers.

Although companies often require regular employees to sign non-compete clauses, in which employees promise not to work for a direct competitor for a year or more after they quit, contractors sometimes fall under the legal radar. ASIS found that few companies do thorough background checks on temps, yet most have no qualms assigning them to work with sensitive data.

Despite alarming statistics, some tech workers say espionage fears are overblown. The vast majority of companies respect the trade secrets of their rivals, they say.

Intel spokesman Chuck Mulloy didn't deny that many companies rely on defectors from rivals to determine competitors' plans. There is no specific law forbidding questions about a worker's current employer in a job interview, as there are laws against inquiring about age, marital status or religion.

But in Broadcom's case, Mulloy said, the company overstepped its legal boundaries concerning trade secrets.

"I don't think this is run-of-the-mill, which is why there's litigation pending," Mulloy said. "They had four pages of notes about unannounced products, including a blocked diagram. Nowhere in those four pages of notes could we find reference to this interviewee's job history, job performance, salary requirements. This was not a job interview--it was a case of a company trying to get our trade secrets."