The writer emphasizes the risk of digital information being stolen, and also notes “non-cyber” methods of espionage. He did not mention however, the risks of interception of verbal information or communications. When performing audits of departing employees, or any other information security audit, a full TSCM sweep may be in order as well. —
The Obama Administration’s recent white paper, Administration Strategy on Mitigating the Theft of U.S. Trade Secrets, purports to formally elevate the theft of U.S. trade secrets to a national priority, and the Administration has requested public submissions seeking recommendations for legislation that would enhance the protection of trade secrets. Last week, “cyber threats” were recognized by the Defense Department as “the top threat” facing the United States, even ahead of terrorism. And meanwhile the House of Representatives has passed legislation attempting to make it easier for companies to share information to defend against such threats, although the President has threatened to veto the bill because of privacy concerns.
This cyber swirl emphasizes a fundamental fact: corporate espionage, either by foreign governments or by business competitors, is more persistent and insidious than ever. And more than ever technology exponentially facilitates the theft of trade secrets. In particular,
- Almost all business data primarily exists in digital form, which can be easily copied, downloaded, transmitted, and corrupted.
- Cyber devices which store and transmit data are smaller, more portable, and harder to detect; malware is more pervasive.
- Moving data – and trade secrets – to the cloud presents new opportunities for espionage by government or corporate sponsored hackers.
- Mobile devices will continue to proliferate – and so will employees’ use of devices outside of their company’s firewall to save work files, especially with the increasing number of employees working remotely.
- Both private companies as well as foreign governments are dedicating more resources to carry out economic espionage.
Of course, as the Administration’s white paper reminds us, there are more conventional, “non-cyber” methods to conduct economic espionage:
- Unsolicited requests for information seeking classified or business sensitive information, often under the guise of soliciting a significant business relationship.
- Conferences, conventions, and trade shows to learn about sensitive technologies and identify the experts on those technologies.
- Targeting U.S. visitors overseas to surreptitiously acquire information either by electronic means or in person. Both “less friendly allies” (Russia and China) as well as more traditional U.S. allies engage in this targeting.
- Aggressive, in-depth collection of publicly available open source information.
The Administration’s trade secrets strategy in part focuses on what government can do: renew diplomatic efforts to ensure “trade secret theft is a serious issue,” devote more resources to investigating and prosecuting trade secret thefts, and seek enhancements of existing Federal economic espionage legislation such as the Theft of Trade Secrets Clarification Act of 2012 and the Foreign and Economic Espionage Penalty Enhancement Act of 2012. None of this will lock up your trade secrets.
And for the most part the remaining parts of theAdministration’s strategyin effect tell American business – you’re on your own. See, e.g., “Promote Voluntary Best Practices by Private Industry…..” on page 6 and “Public Awareness and Stakeholder Outreach” on page 12.
So what is your best weapon here? Innumerable resources describe trade secrets best practices, but there is one straightforward, critical practice that companies routinely ignore: Forensically audit all electronic devices of your departing employees.
The majority of private enterprise trade secret thefts are made by departing employees. Most occur within one month of the employee’s departure. If possible, commence your audit not when the employee actually departs, but when the employee announces his or her departure.