Comments

SteveSeptember 15, 2006 8:15 AM

"Industrial spying is estimated to cost global business more than $200 billion a year"

I wonder how much money global business *makes* through industrial spying. There's some proportion of the size of the spy and spy equipment industry itself, plus at least as much again in benefits to their customers (since otherwise it wouldn't be economical to pay the spys).

Maybe this is good for the economy, despite the costs to those spyed on.

ChrisSeptember 15, 2006 8:45 AM

Don't forget the rumours of the NSA stealing industrial secrets from European companies and selling or giving them onto their American counterparts.

Michael AshSeptember 15, 2006 9:11 AM

@Steve

Making money through industrial spying sounds like a broken windows fallacy to me. Sure, the individual spies and individual companies are better off with spying than without, but on the whole it costs everybody. If those spies weren't spying then they could be doing something productive, instead of simply moving information without the permission of its masters.

Clive RobinsonSeptember 15, 2006 10:03 AM

@Chris

Retired Director of the DGSE, Pierre Marion told CNN once about industrial espionage,

"This espionage activity is an essential way for France to keep abreast of international commerce and technology. Of course, it was directed against the United States as well as others. You must remember that while we are allies in defense matters, we are also economic competitors in the world."

You can also find a number of other usefull quotes and refs at,

http://web.textfiles.com/software/sfs6.txt

However treat the rest of the artical as you would any document of unknown provinence.

Clive RobinsonSeptember 15, 2006 10:20 AM

@Chris

Another thing to look into is the TU-144 Konkordski aircraft crash at the Paris Air Show in 1973.

Apparently the French beleived that the Konkordski was a "chinese copy" of the Anglo-French Concord super sonic passenger aircraft. The French flew a Mirage fighter air craft doing photo reconosance very close to the TU-144 in clouds which might account for why the TU-144S stalled / dived steaply, lose control and crash.

http://en.wikipedia.org/wiki/Tupolev_Tu-144

SteveSeptember 15, 2006 12:34 PM

@Michael

You may well be right: on balance the people who conduct industrial espionage are probably willing to wreck $2 of opportunity to make $1 for themselves, so chanches are they are more damaging than productive. Still, it'd be interesting to see it worked through.

Certainly I don't think that "moving information without the permission of its masters" is *necessarily* going to be harmful to the economy and/or unproductive.

For example, HP spies on its directors in order to identify and remove a leaker - if they hadn't got caught, that would clearly have been to their advantage. Maybe immoral and illegal, but nevertheless economically productive...

Stealing stock tips, on the other hand, almost certainly does no good at all to the size of the economy, although I Am Not An Economist.

HarimadSeptember 15, 2006 12:40 PM

I question the amount as well. Companies overvalue losses due to espionage and piracy, by assuming all the goods stolen would otherwise have been purchased at full list price. Do you really think that all users of pirated Windows, would otherwise have paid list? I don't think so either.

Monkey SuitSeptember 15, 2006 1:55 PM

Ira Winkler, the author of "Spies Among Us" alleges that France has well organised systems for collecting information useful for economic development. Among other things, Winkler says that France has
- Hotel staff recruited by DGSE to search the rooms of travelling business executives
- Staff placed in US companies who are expected to progress their companies careers to get access to new developments
- Bugged the first-class cabins of some Air France jets

Winkler also alleges that China and India have well organised programs to extract advanced technological information that can be used to develop their economies.

Note that industrial espionage doesn't necessarily involve hi-tech hacking or anything like that. A lot of companies give out information which they really shouldn't. Sometimes a lot of potentially useful information can be acquired by thorough research.

If you are involved in business, especially international business, then it useful to understand that foreign competitors will not think twice about collecting information to help compete with you; that is the way business is done.

Michael AshSeptember 15, 2006 2:41 PM

@Steve

You're correct that moving the information via industrial espionage could be better overall than keeping it locked up. What I really meant was that industrial espionage is always a net loss over simply moving the information willingly. In other words, less secrecy and less spying together will free up people for more useful things.

My guess is that even with secrets being kept, industrial espionage is a net loss, and is only common because it confers a marginal improvement on each individual player, leading to an equilibrium where all players engage in it. I'm much less certain about this one, though.

mroonieSeptember 15, 2006 4:02 PM

So there's two problems I would like to address here.....

1) After this whole HP Dunn thing, it seems rather obvious that internal threats exist as well as external threats. Hopefully businesses caught onto that.

2) The article mentions email as a huge carrier for these trojans.

How are these two problems related? The solutions to both is encryption.

If encryption is used to protect company IP, an individuals personal information, and also email attachments, we could decrease the amount of snooping that goes on today. Because viruses and trojans cannot "read" encrypted documents, they cannot snoop in them either. Nor can they attach themselves to the encrypted docs. So by sending and receiving email attachments that you KNOW are encrypted, you don't have to worry about getting an unexpected "spy".

Read more on how to secure your company's assets.
http://www.essentialsecurity.com/Documents/article17.htm

Monkey SuitSeptember 15, 2006 4:58 PM

@Steve
@Michael Ash

I posted something earlier on this blog about government sponsored spying on other countries.

When you discuss the costs of spying versus free information flow do you mean globally or at a national level?

I can see that (say) within the US, free flow of information between companies might lead to greater productivity but what about international spying?

The way I see it, the US has the most advanced technology and wealth, especially when compared with developing economies like China and India. There is lots of technology in the US that could be used by China and India to boost their economies but there is little in China or India that is of interest to the US apart from cheap labour.

This disparity in wealth means that when China and India copy US technology to make money, the US is actually losing wealth.

In some areas this is inevitable; it is obvious that the US cannot compete with Chinese or Indain labour on wages which is why there are lots of cheap consumer goods from China and outsourced programming in India.

What is not inevitable is leaking hi-tech research and development to foreign competitors due to lax company security.

P.S.
Sorry to any non-Western readers if this seems a bit racist; I don't blame the Indians or Chinese for trying to improve the standard of living for their people.

Stefan WagnerSeptember 15, 2006 8:00 PM

@mroonie:
The article sounds like something I heard about some months ago.
The infected documents weren't infected by accident, and went to the victim by random, but have been infected intentionally to spy that specific target.

Encrypting an email will not work in that case.

Demoprograms for stock-analysis and things like that where used, to make the victim install the software or to allow makros.

A solution would be to test such things only on a seperate or inside a virtual machine which is time expensive and therefore ...

Clive RobinsonSeptember 15, 2006 9:01 PM

@Monkey Suit

"The way I see it, the US has the most advanced technology and wealth,"

When you talk about technology you have to be careful.

First off a lot of "US Companies" are not infact owned by U.S. interests but those abroad (think Britain, Germany, Japan Korea and one or two other countries more recently China and Middle Eastern all be it indirectly through intermeduary companies).

Likewise technology development, although a lot of "High Tec" may be made (initialy) in the U.S. it is quite often designed in other countries where there is greater expertease).

As the USD weakens against other currencies as it is almost certainly to do over the next year or so (despite the up turn in the U.S. economy) You will see an influx of work to exisiting high tec plants from other parts of the world to fill spare capacity.

The simple fact is that "Global outlook" organisations will where possible, use spare or existing capacity where it best suits them world wide. As the usuall business driver is "share holder value" seen as either growth/profit you will see these organisations take advantage of the weak USD. However the trend will quickly reverse if other developing countries (China India Tiwan Philapiens etc) give better shareholder value.

Unfortunatly this "outsourcing" abroad whilst providing nominal "share holder value" actuall critically damages a home economy.

A simple example assume you are an information based organisation like an Insurance company. Cheep global communications alows your call center to be just about anywhere in the world you would like it to be.

So as a CEO/CFO etc you think hey I have a call center with 100 staff on 15K a year and the building etc costs are another 2M a year (total 3.5million). I get a call from a company in India who after negotiation offer a package that costs only 2million a year. The apparent share holder value is increased by 1.5M if you outsource to India.

However you are taking between 2M and 3.5M (depending on the shareholders location) out of the home economy and ditching 100 jobs. This hits both the local economy and the national economy quite hard. Various economists indicate that each unit of currency outsourced has the effect of taking upto ten units of currency out of the national economy. DO you as a CEO/CFO care, no even if the company does show a downturn as a result, you are likley to have moved on to another organisation within 18 months so you will have jumped. If you cann't jump you probably have a Golden Parachute to make a nice soft landing so no it does not effect you.

The problem gets worse, as the loss of jobs in the home country means less people able to spend money with the company (how many US car workers drove US cars then ditched them for non US manufactured when they suffered enforced down sizeing?).

Secondly how many of the new Outsorced workers in the other country will actually buy the product of the "home country" companies in prefrence to those made in their own country?

Oh and when it comes to wealth, a weakening currency usually encorages finacial investment to move else where in the world, keeping the weakening trend going. If organisations are going to increase capacity, they will try to raise money via job initiatives (ie local or central Gov money grants / tax breaks) borrow in the depriatiating currency and move money made out of the depretiating currency as quickly as possible.

About the only thing that stops the USD falling through the floor at the moment is that it is still used as a major international trading currency. However organisations are seeing the advantages of other currencies so the use of the USD outside of trade with the US is where possible decreasing.

Imagine if you will what would happen if one or two of the larger oil producing nations decided to sell oil not in USD but say Euros...

BOB!!September 17, 2006 5:59 PM

@Michael Ash

On a global level, for industrial espionage to be a net loss, the sales losses to the company being spied on plus the cost of conducting the espionage to the company doing the spying has to exceed the sales increase plus the R&D savings for the company doing the spying.

That said, the cost to global business is definitely vastly inflated. Unless the industrial espionage is actually industrial sabotage, the 'cost' is merely shuffling profit from the company being spied on to the company doing the spying. Companies wouldn't be stealing the information if they could duplicate the research themselves or buy the rights cheaper.

Sanjay TandonSeptember 17, 2006 8:12 PM

It takes about 5 seconds to compromise the security of virtually any organization in the world - you just have to know which bit to flip.

Speaking of which, who needs WMDs? All you need is two WDs in the right plACE and it's GAME OVER.

Know what I'm talking about?

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..