Corporate espionage is espionage conducted for commercial or financial purposes. Corporate espionage is also known as industrial espionage, economic espionage or corporate spying.
That said, economic espionage is orchestrated by governments and is international in scope, while industrial or corporate espionage generally occurs between organizations.
Foreign governments, especially those where many businesses are state-owned and have a strong focus on economic development, are common users of corporate spying. As a result, other governments find themselves drawn into it too. One of the main motivations United States President Donald Trump has given for escalating the trade war with China has been to fight against Chinese theft of U.S. company trade secrets.
What are the forms of economic and industrial espionage?
Economic and industrial espionage has two forms:
- Acquisition of intellectual property, such as manufacturing processes or techniques, locations of production, proprietary or operational information like customer data, pricing, sales, research and development, policies, prospective bids, planning or marketing strategies.
- Theft of trade secrets, bribery, blackmail or technological surveillance with different types of malware.
As well as orchestrating espionage on commercial organizations, governments can also be targets, for example to determine the terms of a tender for a government contract.
What is a trade secret?
Trade secrets are defined in the Uniform Trade Secrets Act (UTSA) and state laws based on the UTSA.
The term trade secret means all forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if:
- The owner thereof has taken reasonable measures to keep such information secret; and
- The information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, the public.
How is industrial espionage carried out?
There are a number of techniques that fall under the umbrella of industrial espionage:
- Trespassing on a competitor's property or gaining unauthorized access to their files
- Posing as a competitor's employee to learn trade secrets or gain access to their customers' personally identifiable information (PII)
- Using wiretapping, a lack of SSL or another form of man-in-the-middle attack to listen in on competitor communication.
- Hacking into or disabling a competitor's computer using a cyber attack like the WannaCry ransomware attack.
- Changing the registration of a competitor's domain name using domain hijacking.
- Gaining access to a competitor's internal network by abusing poor network security practices.
- Attacking a competitor's website by exploiting a CVE-listed vulnerability.
- Using email spoofing and phishing to trick a competitor's employees into revealing confidential information or sensitive data.
- Looking for third-party data breaches and data leaks on the dark web.
That said, not all corporate espionage is so dramatic. Much of it comes from an insider transferring trade secrets from one company to another. Disgruntled employees or a former employee who now works for a competitor can inadvertently or directly reveal proprietary information and corporate secrets.
Given the competitive advantage that comes from innovation, it isn't hard to see why corporate spying has become such a large cybersecurity risk.
What's the difference between competitive intelligence and corporate spying?
Competitive intelligence, to put it in information security terms, is the white hat version of corporate espionage.
Competitive intelligence companies generally use legal methods to gather and analyze information that's publicly available, whether that be merger and acquisition news, new government regulations, blog content or social media noise. In fact, counterintelligence based on public information can be so successful that many companies now have OPSEC teams that manage what information is released to the public.
That said, other competitive intelligence companies cross the line and fall into illegal corporate spying.
Is industrial espionage illegal?
It is not illegal to spy on a private company as long as the information is obtained by legal means. For instance, it's totally legal to buy satellite images of a competitor's parking lot to determine how many customers they're serving each year or to pay a private investigator to walk around a trade show and share what they hear.
However, acquiring trade secrets without the consent of the intellectual property holder is generally against the law.
The U.S. government regulates corporate espionage under the Economic Espionage Act of 1996.
The law codified what a trade secret was and made stealing commercial secrets a federal crime. Penalties for corporate espionage can include prison time and millions of dollars in damages. Its harshest punishments are aimed at those who transfer trade secrets to foreign companies or governments. In fact, the first trial conviction under the Economic Espionage Act of 1996 involved a Boeing engineer who sold trade secrets to China.
How does the U.S. Department of Justice decide which industrial espionage cases to pursue?
Not every case merits criminal prosecution. The U.S. Department of Justice has guidelines for which cases it will pursue, based on:
- Scope of criminal activity
- Evidence of foreign engagement
- Degree of economic injury to the intellectual property owner
- Type of trade secret stolen
- Effectiveness of available civil remedies
- Value of the case as a potential deterrent
That said, just because the Department of Justice doesn't pursue an industrial espionage case doesn't make stealing trade secrets legal. Many violations can serve as the basis for lawsuits in civil courts and many U.S. states have additional laws about corporate espionage that can be stricter than federal law.
What industries are common targets for corporate espionage?
Industrial and economic espionage is commonly associated with high-tech industries such as:
- Computer software
- Transportation and engine technology
- Machine tools
Silicon Valley is one of the world's most targeted areas for corporate espionage. Along with Silicon Valley, automakers often disguise upcoming car models with camouflage paint patterns, padded covers and deceptive decals to obfuscate the vehicle's design.
In reality, any organization with sensitive information can be the target of corporate espionage.
How have computers changed corporate espionage?
The rise of the Internet and the increasing connectivity of computer networks have expanded the range and detail of information available, as well as the ease of accessing it, which has increased the popularity of cyber espionage immensely.
The use of computer-based corporate espionage increased rapidly in the 1990s. Information is commonly stolen by individuals posing as workers, such as cleaners or repairmen, who gain access to unattended computers and copy information from them. Laptops also remain a prime target for those travelling abroad on business.
Perpetrators of espionage are known to trick individuals into parting, often only temporarily, with their laptops, enabling the perpetrators to access and steal information. Hotels, taxis, airport baggage counters, baggage carousels and trains are common places this happens.
Internet-based cyber attackers are also common, though they will usually fall into the category of economic espionage carried out by governments rather than competitors.
Along with stealing sensitive information, the increasing reliance on computers means that industrial espionage can extend to sabotage. This is an increasing concern for governments due to potential attacks by terrorist groups or hostile foreign governments via distributed denial of service (DDoS) or other cyber attacks.
How to prevent cyber espionage
Preventing cyber espionage is akin to preventing any form of security incident.
A defense in depth strategy that uses a series of layered redundant defensive measures is key.
Data has become a key target of industrial espionage due to the ease with which it can be copied and transmitted, leading many organizations to turn to digital forensics and IP attribution to try to determine if, when, how and who caused a data breach or data leak. Pair this with the fact that most businesses are outsourcing more than ever and that many third-party vendors have poor security measures, and the need to prevent data breaches has never been higher.
Operationalizing a third-party risk management framework, vendor management policy and vendor risk management (VRM) program is laborious. In recent years, the cost of a data breach has ballooned to an estimated $3.92 million. Data breaches involving third parties are estimated to be $370,000 more expensive at an average total cost of $4.29 million.
It's no longer enough to have your information security policy only focus on your organization. Cyber threats inside and outside of your organization can lead to trade secrets being stolen and your information risk management and cybersecurity risk assessment process should reflect this. It has never been more important to have robust cybersecurity to prevent corporate spying.
What are the origins of corporate espionage?
Francois Xavier d'Entrecolles in Jingdezhen, China revealing the manufacturing methods of Chinese porcelain to Europe in 1712 was an early case of industrial espionage.
There are historical accounts of corporate espionage between Britain and France in the 18th century, attributed to Britain's emergence as an industrial creditor. There was a large-scale, state-sponsored effort to steal British industrial technology for France.
In the 20th century, East vs West economic espionage became popular. Soviet industrial espionage was a well-known part of their overall spying activities up until the 1980s, with many CPUs appearing to be close or exact copies of American products.
Following the demise of the Soviet Union and the end of the Cold War, many Western and former communist countries began using their underemployed spies for international corporate espionage. Not only were personnel redirected but spying equipment like computer databases, eavesdropping tools, spy satellites, bugs and wires were all employed for industrial espionage.
What are notable examples of industrial espionage?
- Hewlett-Packard: In 2006, Hewlett-Packard, in an effort to find out who was leaking secrets to the press, hired investigators who used "pretexting", a deceptive and illegal method of obtaining private information, to collect the telephone records of several reporters. Hewlett-Packard eventually paid $14.5 million to the state of California and additional money to the reporters it spied on.
- IBM and Texas Instruments: Between 1987 and 1989 IBM and Texas Instruments were thought to have been targeted by French spies with the intention of helping France's Groupe Bull.
- General Motors: Opel, the German division of General Motors, accused Volkswagen of industrial espionage in 1993 after Opel's Chief of Production and seven other executives moved to Volkswagen. The case was settled in 1997 with Volkswagen agreeing to pay General Motors $100 million and to buy at least $1 billion of car parts over 7 years.
- Google: On January 13, 2010, Google announced that operators from within China had hacked into their Google China operation, stolen intellectual property and accessed email accounts of human rights activists. The attack was thought to have been part of a widespread cyber attack on companies within China and has become known as Operation Aurora.
- Oracle: In 2000, Oracle was caught paying investigators to acquire Microsoft's garbage because they suspected that it was paying two supposedly independent research organizations to release pro-Microsoft reports.
- Gillette: In 1997, a process controls engineer at Wright Industries Inc., a subcontractor of Gillette, had been demoted to a lower role in the company's Mach 3 project and decided to send trade secrets to multiple Gillette rivals. Schick reported the act to Gillette, who got the FBI involved.
How UpGuard can protect your organization from data breaches and data leaks
There's no question that cybersecurity is more important than ever before. That's why companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data and prevent data breaches.
UpGuard BreachSight can help combat typosquatting, prevent data breaches and data leaks, avoid regulatory fines and protect your customers' trust through cyber security ratings and continuous exposure detection.
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors' security posture over time while benchmarking them against their industry.
Each day, our platform scores your vendors with a Cyber Security Rating out of 950. We can even alert you if their score drops.