A nasty little secret

Industrial espionage is a dirty little secret in the UK, and an investigation by The Engineer suggests it is on the increase.

In this paranoid climate, fuelled by fears of international terrorism and war, many technology specialists are ramping up security and sealing themselves off from the outside world in order to protect their research.

The problem is that some believe this will stifle the exchange of ideas and co-operation that is vital to technological progress.

In the global economy, knowledge is power. It is also money, particularly for hi-tech companies working in areas such as electronics, telecoms or advanced materials.

When a design, a formula or a process can be worth millions, it is no wonder businesses go to great lengths to protect their ‘crown jewels’. In reality someone could walk out of the door with them and – if they were clever enough – not even commit a criminal offence.

A senior engineer working for the UK subsidiary of a US hi-tech electronics company, which asked not to be named, said anxieties about industrial espionage were increasing.

Against a backdrop of increasingly cut-throat market conditions, he said companies are concerned that competitors may be tempted to short-cut years of expensive R&D by getting hold of confidential information through underhand means.

Fears that technology could reach terrorists are also fuelling a general atmosphere of alarm, said the engineer, some of whose company’s systems are ultimately used in military applications.

‘There’s a lot of paranoia coming from companies and the authorities,’ he said. ‘You sometimes worry that by just going about your everyday business you’re going to be fingered as some sort of threat to security.’

But is this anxiety justified? There are, of course, many ways by which one company can acquire the knowledge of another. It could persuade its competitor’s best staff to switch sides, engage in a perfectly legitimate reverse engineering exercise or simply raise sufficient capital to take over the other firm.

There is also plenty of mileage for cunning use of the patent system, which has become a bear-pit that many companies decline to enter, preferring to keep their secrets in-house rather than advertise them to the world by filing for patent protection.

There is no doubt, however, that in some cases outright theft is seen as the most expedient method. What is unclear is the scale of the problem, because when it comes to industrial espionage there is a glaring absence of any data.

The Home Office, which can produce, on demand, figures on burglaries in Bognor or stabbings in Southend, is stumped.

The DTI, purveyor of a million statistics on output, productivity and competitiveness, is silent over the extent of the problem.

Even industry bodies – usually reliably vocal on any issue that costs their members money – have little to say. ‘None of our members has discussed this issue with us,’ said Intellect, which represents companies in hi-tech sectors such as electronics and telecoms. ‘It would probably be something they would deal with internally.’

Intellect is almost certainly right, because the loss of a valuable piece of intellectual property (IP) is the last thing a company wants to become public knowledge.

The cases of industrial espionage that do make the headlines tend to emerge from the defence industry, with prosecutions brought under the Official Secrets Act.

When bungling would-be spy Ian Parr, an engineer for BAE Systems, wasconvicted of attempting to sell the defence giant’s secrets to Russian agents (who were actually from MI5), it was the breach of state security that left him facing a long prison term.

But for UK technology companies working outside the defence industry the criminal courts offer less of a deterrent to those who seek to profit from theirknowledge.

By one of those strange anomalies that seem to be a speciality of the English legal system, there is currently no criminal offence relating to the unauthorised use or disclosure of trade secrets.

Confidential company information is not regarded as ‘property’ under the 1968 Theft Act. In practice this means that if a document containing the fruits of a £100,000 R&D programme is stolen, the culprit can only be charged with the theft of a few pounds’ worth of A4 paper. The absence of an offence contrasts with other nations, notably the US, France and Germany, which all provide criminal sanctions against theft of confidential company information.

The Law Commission, which recommends law reform in England and Wales, has provisionally proposed that an offence be created, arguing that civil remedies alone are an insufficient form of redress.

In a paper on the subject the Commission said: ‘The imposition of legal sanctions is necessary in order to protect investment and research. Vast sums of money are spent on producing certain types of trade secret such as manufacturing formulas and other technical data, and it seems strange that the criminal law does not provide a sanction.’

The idea of an offence covering trade secrets has been kicking around the legal system since 1997. However, it appears to have become stuck in the vast logjam of legislative reform under consideration. The Law Commission’s proposal is currently dormant, although the body is keen to revive it. Legislation will certainly be some way off.

In the absence of a specific trade secrets law, criminal redress will depend on proving that the crime is covered by another offence.

The obvious candidate is fraud, a notoriously difficult and complex offence to prove. But the Serious Fraud Office (SFO) will generally not consider taking on a case unless the value involved exceeds £1m. The SFO’s expertise also lies far more in the area of financial irregularities than attempts to defraud a company of the value of its IP. Mark Watson-Gandy, a barrister and law professor, said the contrast between the civil courts – which he said ‘are quite clued up’ – and the criminal justice system is striking.

‘The criminal courts are a lot less effective,’ said Watson-Gandy. ‘The police tend to regard these crimes as a civil matter.’

Even if the police can be persuaded to get involved, he said they may have a less than thorough understanding of the value of the stolen material.

‘Investigations take a large number of man hours, and police officers are trained to deal with street crime rather than sifting through books and records.’

Watson-Gandy said the police officers investigating such cases ‘are likely to have little concept of the value of information’.

According to him, industrial espionage is ‘certainly taking place’, though he believes the level in the UK may be lower than that in the US and France.

Those in the know suggest that there is no room for complacency. Paul Leonard, director of the UK Intellectual Property Institute, said the value of knowledge as an overall component of a company’s worth has risen massively in the past few decades.

‘It is not unreasonable to assume that the value of that information to outsiders has increased accordingly,’ said Leonard.

There is, of course, a well-established, and wholly legitimate, industry devoted to securing for its clients as much information as possible about their rivals.

It is called competitive intelligence (CI), and involves monitoring every available outlet, from websites to job advertisements and interviews with former employees, to find out what is going on inside a company.

The key fact that distinguishes CI from espionage is that it uses sources that are in the public domain. Anyone could get hold of it if they knew what to do and could be bothered to spend the time.

When it comes to countering out-and-out espionage, however, other specialists are needed. Bob Fletcher, a director of the Risk Advisory Group, which advises businesses on corporate security, said the number of companies experiencing espionage problems is doubling every year.

According to Fletcher, two factors may explain the boom. The first is agradual erosion of staff loyalty. ‘People are working for companies for shorter periods and don’t have the level of attachment they may once have had.’

Fletcher believes the second reason is the fundamental shift in the UK from a manufacturing-led to a knowledge-led economy. ‘The lifeblood of so many companies is knowledge and information – what they know rather than what they can do,’ said Fletcher.

He admitted that some sections of his industry have been guilty of creating hyperbole around the issue of industrial espionage.

‘The image of the Russian spy hacking into a US company’s secrets is almost always the stuff of Hollywood,’ said Fletcher. ‘There has been a fair deal of crying wolf, which has created some scepticism. But I’ve been in this business a long time, and I think that there is a significantly rising threat.’

That threat will more often than not come from inside an organisation. An employee with a grudge against a company, who is covertly working for a competitor or who is simply motivated by greed, can wreak far more havoc than any outsider.

‘It tends to be the most senior or the most junior people,’ said Fletcher.

In an unwelcome irony, the technology used to carry out industrial espionage is advancing all the time. Twice in the past few months Risk Advisory has found bugs in the offices of its clients.

Veteran private investigator Peter Heims, who has worked for several major engineering and technology firms, said espionage is the UK’s dirty little secret. ‘It’s not seen as very British to go around spying on the next chap. But if someone realises they can save £500,000 on research costs by putting somebody into a rival firm then it is amazing how quickly those ethics can slip a little.’

Heims pointed out that many magazines are bulging with ads for listening devices and other spying equipment. ‘A lot of bugs are being sold and the people buying them are using them, in many cases for illegal activities. But I can’t remember the last time I heard about anyone being prosecuted for doing so.’

It seems clear that industrial espionage is real, and possibly thriving in the modern knowledge-led economy.

Maybe technology-led companies are right to be anxious. But there is an alternative view.

Prof Stuart Macdonald of Sheffield University’s Business School, a leading researcher on espionage, the patent system and technology transfer, claimed that the leaking of knowledge from an organisation is not only inevitable, it is positively desirable.

According to Macdonald, efforts to hermetically seal a company’s secrets can cause more harm than good. ‘When it is done in a heavy-handed way it can have a thoroughly damaging effect,’ said Macdonald. ‘Innovation happens through the exchange of knowledge and ideas.’ He pointed out that R&D engineers working for a company will inevitably have their own ‘private networks’ through which they will interact with colleagues outside the company.

They will attend conferences and meetings of professional institutions and read or contribute to technical journals. But according to Macdonald, companies have become increasingly paranoid about such innocent and beneficial activities. ‘Some businesses don’t want to let their engineers anywhere near the outside world. That is not good for them or for the cause of innovation generally.’

Macdonald said hi-tech companies have become obsessed with hoarding information, judging their success by how much knowledge they own compared with their competitors.

The patent system, Macdonald believes, is now often used as a strategic business tool rather than a genuine protector of intellectual property.

Rather than attempt to seal their assets in cast iron, Macdonald advocates a more relaxed approach.

He pointed out that the founders of the industrial revolution would regularly invite foreign visitors to view their machinery and processes, fully aware that they were spies, but confident that their own powers of innovation would prevail.

CASE 1: Intel

The extent of industrial espionage in Europe and the US has been exposed through court cases affecting household names. While some incidents can be put down to the work of opportunists, others allege the involvement of long-term, high-level planning by their perpetrators.

In December 2001 a former Intel Corp engineer was sentenced to two years in prison after admitting to stealing trade secrets about the company’s high-speed Itanium processor.

Say Lye Ow, 31, of Sunnyvale, California copied sensitive files concerning the chip’s design before leaving the chip-making giant in 1998 to take up a job with rival company Sun Microsystems.

Some of the information was later found on the network of his new employer. Ow had planned to use information about the chip’s design and testing as a resource at his new job and to retaliate against a former supervisor.

CASE 2: canal plus

In 1997 UK-based NDS, a developer of digital television set-top box smart cards, hired Christopher Tarnovsky to help them make their technology hacker-proof.But rivals Vivendi Universal and Echo-Star claimed the former US Army satellite communications specialist and computer hacker kept up his old habits after being hired.

In a lawsuit filed in California, where Tarnovsky is based, they claimed he used a false identity to feed information to websites frequented by cyber-hackers that enabled thieves to create smart cards, allowing them free access to pay-for-view channels.

Worst hit by this ‘cloak and dagger’ operation was Vivendi’s Canal Plus, Europe’s largest pay-TV provider which was robbed of over $1 billion (£630m).The company also provided a digital smart card for the defunct ITV Digital, a UK rival to Murdoch’s pay-TV station BskyB, which claimed its collapse was partly due to smart card fraud.

However, Vivendi later suspended the suit after NDS’s owner Rupert Murdoch’s News Corporation bought a share in Vivendi’s Italian pay-TV division.

But the US Justice Department is still investigating the case, and last autumn NDS was served with 31 grand jury subpoenas. US network DirecTV has also joined the litigation, claiming its smart-cards have been hacked and blaming NDS.

CASE 3: Johnson & Johnson

In 1996 German drug and medical device manufacturers Boehringer Mannheim charged employees of US firm Johnson & Johnson with infiltrating company meetings, as well as stealing confidential documents and a prototype glucose monitor.

The two companies were competing for a share of the $1.75bn (£1.1bn) market for blood monitoring devices for diabetes.

Boehringer alleged that Johnson & Johnson subsidiary LifeScan offered its employees incentives, including prizes named after the fictional characters Inspector Clouseau and Detective Colombo, for spying on Boehringer Mannheim.

The suit claimed that LifeScan employees sneaked into Boehringer sales meetings in Indiana, Florida, Turkey and Germany, stealing marketing information later used to adjust Lifescan’s marketing plan.

But Johnson & Johnson denied the charges and counter-sued, claiming Boehringer contained a LifeScan Competitive Kill Team, had hired detectives to obtain J&J secrets, and that employees had posed as customers to obtain information on its rival’s device.

In 1997 the case was settled out of court with both companies admitting to some of the charges.

Lifescan agreed that it did reward spies, while BM admitted that two employees were involved in snooping on its rival, though not to the extent that Johnson & Johnson had alleged.