10 November 2019

An Era of Unparalleled Espionage Risk Is Upon Us

Scott Stewart
Former U.S. Attorney General Jeff Sessions announces the creation of a new initiative to crack down on Chinese intelligence officials stealing intellectual property from U.S. corporations through hacking and espionage during a press conference at the Justice Department on Nov. 1, 2018.

China and Russia have become increasingly aggressive in their industrial espionage efforts, though the proliferation of espionage tools ensures they are far from the only threat actors.
Technology has also made it easier to hack into corporate systems remotely and to download massive quantities of data from inside an organization.

Combined with the spread of post-truth attitudes in the workplace, these factors create an environment rife with corporate espionage risk. 

Today, corporate espionage actors are busier and more successful than ever thanks to an alarming confluence of factors. China's and Russia's escalating great power competition with the United States, for one, is pushing them to more boldly and brazenly obtain Western companies' secrets. But the simultaneous proliferation of espionage tools, mobile devices, digital data and postmodernist thought has also made it so that even a low-level employee can now feasibly have both the means and motive to find and steal massive quantities of information. All of these threats are formidable in their own right, and thus worthy of attention. But it's equally crucial to understand how they all tie together to fully capture the increasingly dire and incredibly multifaceted espionage risk facing today's businesses and organizations.


The Big Picture

Corporate espionage remains a serious, pervasive and persistent threat that emanates from a widening array of state and private actors. Today, if an actor has the interest and intent to obtain a piece of information — as well as the means to access outsourced tools and tradecraft — we must presume they can acquire the capability to do so. 

Technology: The Enabler 

Advances in technology have largely proved a boon for corporate espionage actors. The internet, in particular, has enabled them to hack targets remotely and gather vast amounts of open-source data. It has also greatly assisted human intelligence efforts by allowing actors to spot, assess and, in some cases, even make an initial approach to prospective agents at targeted companies both remotely and en masse. 

Technological advances have also significantly eased the process of exfiltrating data from companies. Gone are the days of smuggling hard copies of documents out the door, or photographing them in the office using a specialized spy camera. Today's spies can transmit sensitive information by simply emailing it to themselves or their handlers, or by downloading stolen data onto either external storage sites or removable (and easily concealable) media such as CDs, thumb drives and SD cards). 

The limitless tech tools at almost anyone's disposal today also enable agents to quickly adapt their techniques in response to changes in security protocols. Apple, for example, disabled USB ports on company computers after discovering a spy in its autonomous vehicle program had downloaded proprietary data onto a thumb drive in 2018. To circumvent the new hurdle, a second agent used his cellphone to take photographs of the same documents on his monitor instead, which he was arrested for in January.

At the same time, the digitization of data and widespread use of laptops and other mobile devices also means sensitive information can be found and thus stolen almost anywhere. On a daily basis, many employees now carry around — often unknowingly — large quantities of proprietary information. I'd argue that many people aren't even aware of how much valuable data is in their hands, and how leaving work devices in an unattended hotel room offers an inviting target for corporate espionage actors. Many companies recognize this threat when it comes to certain countries like China and Russia, and restrict what information their employees can bring with them when traveling to such places. However, threat actors are increasingly mobile (thanks again to technology) and will direct their operations to where the information can be obtained.

In 2018, the Chinese Ministry of State Security attempted to recruit an engineer from GE Aviation in Ohio. When the engineer told his Chinese handler that he could not bring his company-issued laptop to China, the officer told him that he would meet him in Brussels on an upcoming trip instead. Unfortunately for the Chinese officer, he walked into a sting operation and was promptly arrested by Belgian authorities. But the case nonetheless illustrates how technology has made critical information vulnerable to increasingly global and versatile threat actors — especially those from China and Russia.
China and Russia: The Aggressors

The fact that the Chinese and Russians are behaving so aggressively in regards to corporate espionage should come as no surprise. Indeed, they've both told the world quite publicly that they intend to reach technological parity and surpass the West (namely, the United States) by whatever means necessary. China, in particular, first openly signaled this desire when it launched the 863 Program in 1986. And since then, Beijing has continued its espionage push through its current Made in China 2025 and Thousand Talents programs

Soviet and Russian intelligence officers, meanwhile, have aggressively targeted Western technology since before they stole the plans for nuclear weapons from the American Manhattan Project in the 1940s. But Russian efforts have become increasingly bold in recent years. In 2014, the United States sanctioned Russia after its seizure and annexation of Crimea from Ukraine. In response, Moscow ordered the Russian industrial base, aided by government intelligence agencies, to develop the capacity to indigenously produce 77 key technologies and publicly announced its intent to do so.

Gathering corporate secrets is nothing new for Chinese or Russian intelligence agencies. But they are now doing so on a greater scale, and more brazenly than ever before. The volume of their efforts has been reflected by the increasing number of prosecutions for corporate espionage, particularly those involving Chinese actors (as in the aforementioned GE Aviation and Apple cases). Of course, the Chinese and Russians are by no means the only threats out there, especially in light of the proliferation of espionage tools. They are, however, the most pernicious. 
Postmodernism: The Vindicator 

China and Russia, as well as other corporate espionage actors, will and certainly do recruit employees as spies. But not all corporate espionage threats come from external actors. We have also seen a widening array of cases in which insiders have decided to steal sensitive information on their own to either sell, leak or use as leverage to obtain a job with a competitor. Whether self-motivated or recruited, I believe the rise of postmodern thinking helps insider spies seek to justify their actions.

The Encyclopedia Britannica defines postmodernism as "a late 20th-century movement characterized by broad skepticism, subjectivism, or relativism; a general suspicion of reason; and an acute sensitivity to the role of ideology in asserting and maintaining political and economic power." The assertion that all truth is subjective and individualistic has become widely accepted in academia and throughout Western educational systems. As a result, it can now be found in nearly every aspect of Western society. 

Feelings increasingly trump facts today, as the notions of what's "right" and "true" become relative — so much so that in 2016, the Oxford English Dictionary named "post-truth" its Word of the Year. The skepticism peddled by postmodernist thought naturally places any formal authority under the greatest scrutiny, whether it's a company or the U.S. legal system. Clearly, this has security implications for society at large, including the workplace. Employees can now cherry-pick data — regardless of whether it's accurate or relative to the matter at hand — to justify any illegal activity, whether Foreign Corrupt Practices Act violations, insider trading, workplace theft or conflicts of interest.

But the danger of this "post-truth" world is also extremely applicable to corporate espionage, as companies can no longer rely on one set of formal rules and general norms to keep employees from stealing sensitive data. It doesn't matter if someone doesn't have the whole story and comes to a false conclusion. The fact that they just so much "felt" it was wrong is now reason enough to permit retaliation. In other words, if I believe my employer to be "bad," is it really wrong to act against them?

In this "post-truth" world, employees can cherry-pick data to justify any illegal activity, from insider trading to corporate espionage.

I'd argue postmodern thought was at play when former U.S. Army soldier Chelsea Manning and former National Security Agency employees Edward Snowden and Reality Winner all decided (separately) to steal highly classified government information in response to what they perceived to be wrongdoing. In each of these cases, they publicly broadcast their findings instead of going through the formal whistleblower channels to make their concerns known to the proper authorities.

Combine this line of thinking with a little bit of old-fashioned greed, or perhaps an employee grievance, and you have the perfect recipe for corporate espionage. Meanwhile, employees also have more places to find data, more tools to steal it with when they do, and more Chinese and Russian intelligence officials looking to pay them handily to do so. Taken together, it is not difficult to see how we've entered an era of unparalleled corporate espionage risk, making it all the more crucial that companies ensure their data security programs are up to the task in light of this threat, and are expansive, creative and constantly updated.

No comments: