Fraud examiners who work for global corporations need to protect their employers by being savvy with the latest "under/over-invoicing" schemes used by money launderers and terrorist fundraisers. If they don't, the courts might find their businesses criminally liable.
A business risk need not be extraordinary to be potentially devastating. Some of the greatest hazards arise from sources both familiar and apparently harmless. Case in point: A seemingly honest employee's 1997 theft of top-secret design plans for The Gillette Company's then revolutionary Mach 3 triple-blade razor. Gillette had spent $750 million developing it. If the company didn't get the anticipated return on this massive investment, it wouldn't have survived.
But Steven L. Davis, a process controls engineer for Wright Industries Inc., a subcontractor for Boston-based Gillette, would've been happy to see the razor maker go under. Angry at both Wright and Gillette about being demoted to a lower role in the project, Davis resolved to get even by illegally disclosing extensive Mach 3 trade secrets to Gillette's primary competitors - American Safety Razor Co.; Bic; and Warner-Lambert Co., owner of Schick-Wilkinson Sword - and, thereby, violating provisions of the Economic Espionage Act of 1996. Davis didn't seek money; he just wanted to ruin Gillette's future because he felt it had ruined his.
"Unfortunately for him," said Rick Deslauriers, deputy assistant director of the FBI's Counterintelligence Division in Washington, D.C., "Schick immediately reported it to Gillette, which called the local FBI office." A few months later, Deslauriers - then based in Boston - became supervisor of the squad assigned to the case. "We were able to identify the culprit," he said. "But obviously it was key that Schick did the right thing. That doesn't always happen."
What did happen is that Davis was caught, convicted, and sentenced to 27 months in prison. He received a relatively light sentence (he could have gotten 10 years on each of five charges) in part because his motive wasn't mercenary and none of Gillette's trade secrets was actually lost to its competitors.
RULES OF THE GAME
Section 1831 of the Economic Espionage Act defines economic espionage as the knowing theft, misappropriation, or illegal obtaining or conversion of trade secrets by any person or group. This multifaceted practice niche offers numerous opportunities for professional fulfillment. Here we provide an inside view of the field and the strategies and tactics CFEs and FBI special agents use to protect American businesses from intellectual property thieves. Thanks to 21st century communications technology, these fraudsters prey on U.S. companies as easily from the other side of the planet as they do from across the street.
CFEs who work on economic espionage usually don't carry firearms. Instead, they might cultivate relationships with electrical engineers, audio and video technicians, and high-tech electronics vendors. Or, depending on their experience, interests, and aptitudes, they might prefer to focus on business intelligence gurus and think-tank researchers. No matter their specialties, a strong intellectual curiosity fuels their efforts.
While CFEs' arsenals contain powerful informational and technological weapons supplied by these experts and from their own research, they nevertheless are often at a considerable disadvantage; their clients are largely unaware - and frequently skeptical - of their urgent need for professional help in actively safeguarding their most precious trade secrets.
Why? Economic espionage victims don't want to discuss their losses. Seeking to avoid public scrutiny and shareholder wrath, many CEOs, boards of directors, and security chiefs believe it's best to quietly learn from their mistakes and move on. Yet, because it's one of the most under-reported felonies, trade secret theft remains an underestimated threat to the nation's most technologically advanced and innovative businesses.
THE FBI PERSPECTIVE
Deslauriers doubts it's possible to accurately quantify U.S. companies' losses from economic espionage. "But it wouldn't be a stretch," he ventured, "to say they amount to billions of dollars annually."
And the perpetrators' boldness is startling. Earlier this year, a former Boeing Company engineer was indicted on charges of economic espionage and acting as an unregistered foreign agent of the People's Republic of China (PRC), for whom he stole Boeing trade secrets relating to the space shuttle and other U.S. aerospace programs.
According to the FBI, he supplied China with two dozen manuals on the B-1 bomber and traveled to Asia supposedly as a lecturer but secretly met with Chinese government officials and agents. In another 2008 case, a U.S. Department of Defense weapons systems policy analyst supplied PRC agents with documents containing classified information on U.S. national defense.
The FBI recommends six countermeasures designed to foil economic espionage.
- Recognize that economic espionage is a real threat. "It could come from inside or outside the U.S.," Deslauriers said. The threat could be from a domestic competitor eager to obtain your client's technology secrets by any means necessary. Or it could originate with a foreign government targeting the United States. But more often, he said, the danger is from someone inside the company who's motivated by greed or revenge.
- Identify and valuate trade secrets. "Businesses themselves are best qualified to value the future sales of their products," Deslauriers said. In the Gillette case, the projected Mach 3 future sales valuation was more than $1 billion. To convict someone under the Economic Espionage Act, he said, the government must show that the victim company took steps to protect its trade secret, which must have an independent, quantifiable economic value.
- Implement a definable plan for safeguarding trade secrets. Your client's proprietary information won't be treated as a trade secret under the law if the company doesn't treat it as one. "That means protecting it with documented policies and procedures," Deslauriers said. "Employees must be informed of, and comply with, such rules."
- Secure physical trade secrets.
- Confine intellectual knowledge.
- Provide ongoing security training to employees.

The protection aspect is most important, Deslauriers said. Sometimes, a company that believes it's the victim of economic espionage will file a report with the FBI. But there will be no case if the company hasn't documented the policies, procedures, and regulations it implemented to protect its intellectual property. And it also must produce proof that it informed employees about those rules and that they should follow them. That's the most important part for CFEs and anyone else involved in these cases. "If the company did not exercise any oversight of a stolen trade secret," Deslauriers said, "its theft will not be prosecutable."
THE HIGH-TECH CFE
Kevin D. Murray, CFE, of Murray Associates in Oldwick, N.J., has 30 years' experience in technical surveillance countermeasures including bug detection and security camera installation. He lectures on these topics as a visiting instructor at John Jay College of Criminal Justice of the City University of New York.
A CFE's effectiveness in economic espionage investigation often depends on electronic gadgets. Murray's use of a thermal imaging camera enabled him to solve a puzzling case. (Murray adapted and customized this camera, which has now become the investigative standard, he said.)
"A company president called us in to run a 'sweep' of his corner office," Murray recalled. He was positive someone in his company was electronically surveilling him. He told Murray his staff was surprisingly well informed about his plans and business dealings. So, while he watched, Murray and his team conducted a full inspection - a physical search, telephone analysis, computer check, radio frequency spectrum analysis, and a thermal emissions spectrum analysis. When the results were negative, the president was disappointed and Murray was stumped. "This guy was sure he was right," he said, "and I believed him."
But then Murray aimed his thermal camera downward. "And that's when I saw - through the camera monitor - black dots on the carpeting," he recalled. Thermal images show heat, not light: heat is white; cold is black. The line of dots started outside the president's office door and scalloped its way along the two outer windows. Water on a carpet is often invisible to the eye, but it takes a long time to evaporate so it looks cold (or black) to a thermal imager. The windowed walls were lined with office plants near the president's desk. It appeared that someone had dribbled while watering them. However, Murray saw through the camera that the dotted line abruptly turned away from the last window plant, headed straight behind the desk, and grew into a dense cluster of dots.
"We both figured it out at the same time," Murray said. The client now knew that one of his staff - the one with the green thumb - was reading everything he left on his desk and sharing it with others in the company. As often happens in such cases, the company president didn't reveal how he would deal with the incident and his untrustworthy employee. But it's likely he was much more cautious about what he left on his desk for anyone to see.
Case conclusion: The CFE didn't discover electronic espionage, but he solved the case with high-tech equipment, which warranted its expense.
THE CFE AND NEW PRODUCT SECRECY
Jonathan E. Turner, CFE, CII, is a managing director with Wilson & Turner Inc. in Memphis, Tenn. He specializes in preventing and detecting financial fraud and employee crime issues such as unauthorized leaks of new product descriptions.
Controlling the flow of information, according to Turner, is a difficult challenge for organizations. Say a company that's about to release a new product is worried it won't be able to keep it a secret until the rollout. Turner would advise that the company is better off actively strategizing for an acceptable outcome - such as making its own planned and limited announcements right before the rollout - than passively hoping it won't have to endure an outcome it dreads: major, unauthorized leaks long before the rollout.
He offered an example. After Apple released the first version of its iPhone, other manufacturers developed competing products with similar features. Can a leading company's competitors make an adequate profit if they have to wait for the leader to release its product so the followers can "reverse-engineer" it (take it apart and replicate it) and then release their imitation versions? Often, Turner said, having enough lead time will enable a market leader to maintain its market share as shown by Apple's skillful protection of its design information before rolling out the iPhone.
So instead of striving vainly for absolute secrecy, a more effective strategy is to accept that others somehow will learn all about your clients' new products. After that mental adjustment, CFEs should focus their clients on identifying how much leakage is acceptable and on working toward achieving or exceeding those goals. "Many clients call us in when they realize their new product's details have been leaked," Turner said. "They want us to figure out how it happened and show them how to prevent its reoccurrence."
In his view, policy and procedures are merely theory. "They describe the way things should be done. But you have to measure actuality. In some places, theory and actuality meet; in others, they diverge. When actuality significantly deviates from expectation, that's an opportunity for fraud," Turner said.
Case conclusion: Encourage clients to make information security programs flexible enough to respond to changing conditions and not think of success and failure in all-or-nothing terms.
THE CFE AND TELECOM SECURITY
Paul DeMatteis, CFE, is founder of Global Security Risk Management, a consulting firm in Marlboro, N.J., and a senior adviser for corporate security programs at John Jay College of Criminal Justice. Security and business professionals take classes in those John Jay programs to learn ways to avoid inadvertently revealing sensitive information in conversations.
DeMatteis gave an example from his personal life. During a party, he met a Ph.D. researcher of future TV entertainment concepts who smoothly talked about his position without revealing any secrets.
"He was well-coached," DeMatteis said. "His company had prepared him to speak safely in a social environment without insulting his listener. But that was the only time I've seen anyone trained so well."
Case conclusion: Educate your clients on the importance of information protection and the need for an information classification system.
DeMatteis also does a lot of public speaking. "When I've worked internally for companies, some of them will review the documentation for my upcoming presentations," he said. "But others couldn't care less. Most research people speak frequently, and their companies have no guidelines on what a speaker can discuss or present or include in an article. So a lot of confidential information is leaked by naïve and ill-trained employees. To address that problem, every organization should have an information classification and protection system."
While much of DeMatteis' work focuses on human behavior, he also offers clients considerable telecommunications expertise. He has worked on a dozen cases involving fraudulent abuse of computerized corporate phone systems also known as private branch exchanges or PBXs.
These systems often have a feature that allows customer service and sales managers to surreptitiously monitor their staff members' phone calls. Unfortunately, some corporate telecommunications managers are unaware of their firms' PBX features, or assume that no one uses them. So any telecom worker with high-level rights can secretly listen to any company phone call over the company's computer network, even from a remote location. And no one - not even a PBX specialist - can detect this intrusion without requesting a report from the PBX system while the eavesdropping feature is enabled. So if the snoop turns on the feature at the beginning of a board of directors' conference call and turns it off when the call ends, and no one runs a report in between, no record of the fraud will remain.
In one case, DeMatteis said, a business unit employee entered the PBX room to report a phone problem and heard and saw a telecom employee using the PBX monitoring function to eavesdrop on a senior managers' conference call about coming layoffs. The first employee reported the infraction to the corporate security department, which investigated and found that the listening employee was seeking information about risks to the jobs of his close friends in the company.
Fortunately, the first employee stumbled into the situation, but unless you actually catch someone in the act, you can't tell where - or even if - it was perpetrated.
Case conclusion: Strongly advise clients to assess the adequacy of their PBX systems' security management programs and reevaluate listening rights assignments.
THE CFE-EDUCATOR
Professor Steven McNally, CFE, is program director at the American Military University's graduate and undergraduate security management programs. The university is in Charles Town, W.Va.
According to McNally, 99 percent of corporations don't understand the Economic Espionage Act and what they have to do to be protected by it. "Some corporate officers may be familiar with it," he said, "and some security fraud professionals may be aware of it. But it hasn't been adequately published and promoted by the government."
McNally believes the CEO is ultimately responsible. "But the CFE at each location should be the primary person to prevent information losses. It'll be someone in security or accounting/auditing. They work closely on anything fraud-related or involving the loss of financial information or financial losses."
Conclusion: CFEs should advise their CEO clients to confirm that whoever oversees fraud-related compliance and litigation knows everything about the Economic Espionage Act.
CFE, PROTECT THYSELF (FROM CLIENT LAWSUITS)
Kevin Murray, CFE, Murray Associates:
"When I first got into this field 35 years ago, my first impression of people in the field was not a good one. Many had no scruples or morals, and they were scaring people into thinking their premises were bugged. So I offered to undergo a polygraph test any time I found a bug in a company's office. We still have that policy today, but no one has ever taken me up on it."
"We also carry all the proper insurance - general liability, workmen's comp, and errors and omissions. A lot of practitioners don't get the right insurance, but few clients check them."
Paul DeMatteis, CFE, founder, Global Security Risk Management:
"To reduce your odds of being sued in such a situation, you should document your expectations for providing service to your client. For example, will there be any situations in which you will take data from the client site with you in order to analyze it? And will you be responsible for its security?"
"Develop a working agreement with your client about how you're going to handle information on suspicious activities you have detected. Will you take custody of the data, or will someone internal do that? It all should be spelled out in your initial contracts."
"I have never felt that anyone is suspicious of me or my organization. But I still keep controls over the documentation. For example, if I removed a hard drive from a client site, I would 'bag and tag' it and make sure no one had access to it. I then would bring it directly to my office safe, where it would be stored securely."
Jonathan Turner, CFE, managing director, Wilson & Turner:
"We have established protocols to mitigate the risk of a client suit against our firm. The more sensitive information is, the more likely it is we will access it using the client's systems, rather than remove a copy."
"When we need data to manipulate, we work closely with the client to ensure it understands why that approach is necessary."
"Also, as a small firm, we don't have the head-count exposure of a much larger firm."
"This combination of policies and protocols, electronic controls, common sense, and good client management keeps us on the straight and narrow."
DENIAL DOESN'T WORK
Be alert to high-tech and exotic economic espionage threats. But don't neglect the commonplace ones such as a potentially disgruntled employee who has access to highly sensitive proprietary information. "It's better for your client to address that issue right up front," the FBI's Deslauriers said, "than to later see its product perfected and marketed by a competitor. When it comes to economic espionage," he said, "denial doesn't work."
Robert Tie is a New York business writer.
Sensitive Information Protection Principles
- The creator of a document or other information record usually is best qualified to classify it for security purposes.
- An internal recipient of a sensitive document should tell the document's unaware creator that he should classify it.
- A document's means of distribution should correspond to its sensitivity. For example, certain documents might be too confidential to convey by unencrypted e-mail.
- Employees' awareness of the importance of information security is essential. Devise training and compliance measures to ensure their informed participation.
- Ensure your information classification system isn't too complex.
- Write thorough document destruction procedures so all targeted material becomes useless to unauthorized parties.
Source: Paul DeMatteis, CFE, John Jay College of Criminal Justice
CFEs Discuss Economic Espionage Niche
Economic espionage is a fascinating, but demanding, area of practice. Here, three CFEs interviewed for this article share additional insights on how and why they entered this challenging field and on the enduring rewards.
Paul DeMatteis, CFE
"I'm a senior adviser for corporate security programs at John Jay College of Criminal Justice, where I've been teaching since the early 1990s. I've spent my 30-year career developing, implementing and maintaining security, safety, fraud prevention and emergency management programs for Fortune 100 companies.
"Three years ago I started a consultancy, Global Security Risk Management, to help large and small companies develop and implement risk mitigation controls. I had thought mostly smaller companies without internal security departments would consult me. But because of my extensive experience with large companies, most of my work is with them. Few have effective programs.
"I've always been heavily involved in technology. So when something new comes out, I examine its vulnerabilities especially if it's a data storage device, such as a portable music player. Someone could be sitting at his desk, bopping to a tune and at the same time downloading information. So I don't look just at how new technology is designed to be used; I look at all the possibilities.
"You may be surprised to know what's available. In, for example, German airports or the Akihabara retail electronics district in Tokyo, anyone can buy espionage equipment, such as a device that could be inserted between your keyboard and PC to gather information for later retrieval, even over a network. Another example: A customized 'Blackberry' could be left on a conference room table where a high-level meeting is taking place. Its owner then could excuse himself to make a photocopy and eavesdrop via the Blackberry, while those in the meeting wrongly assume he can't hear them.
"Never tell clients they must take certain steps; they won't listen. None of them wants to lose information or competitive edge or not get a big bonus. Instead, rely on education; it's the best way to foster change."
Kevin D. Murray, CFE
"Before founding Murray Associates in 1978, I was national director of electronic countermeasures and New Jersey director of investigations at Pinkerton's Inc. I get calls from people who want to get into this business. They're excited to hear I do sweeps for bugs. And I say, 'Guess when that work is done? Nights and weekends. And when I'm not doing that, I'm in the office writing reports.' So you really have to like this field, which also involves lugging around heavy equipment and crawling above false ceilings and under dirty desks. It's not like what they show on TV.
"You have to be sensitive to 'red flags.' If you walk into a room and something seems suspicious, you can't just say, 'That's odd,' and keep walking. For example, if you're doing a physical search, you could do a great job between two feet above the floor and two feet below the ceiling. It's not human nature to make that extra effort and check those spaces, so that's where some bugs will be.
"You don't need a technology degree. If you have a basic understanding of electronics from high school or college courses, you'll be fine. You wouldn't be reading Fraud Magazine if you weren't inquisitive, and that's good, because this is probably the most important qualification. Either you keep up in this field, or you sink."
Jonathan E. Turner, CFE, CII
"When my partner and I founded our firm, we were experienced in investigating, detecting, documenting and resolving fraud. We don't focus on any particular industry. Our typical clients are publicly traded multinationals. Their operations are big targets for fraudsters and have a wider diversity of circumstances in which fraud could succeed - at least for some time.
"Typically, an organization will retain me to help prevent, detect, or document fraud. Once the facts have been investigated and the documentation is complete, I take it directly to a law enforcement agency or a prosecutor and explain what I've found and done. Often, it's helpful for them to understand what crimes you believe may have been committed, what elements there are to those crimes and what proof would meet those elements.
"I take classes taught by lawyers and judges on preparing cases for prosecution, but mostly I rely on continuing professional education and on-the-job training.
"Some of my firm's services are proactive, in which we design controls, do risk assessments, or look for as yet unknown problems. We also provide reactive services in response to something we or our clients have detected. Right now, 50 to 80 percent of the services we provide are reactive. When times are good and organizations are focused on improving their internal operations, they invest a little more in proactive services. But when times are bad, they focus on reactive services, and wait until something bad happens. That's human nature."
The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.