The White House administration recently launched a strategy to mitigate the theft of U.S. trade secrets. (see:  www.whitehouse.gov/blog/2013/02/19/launch-administration-s-strategy-mitigate-theft-us-trade-secrets )

Part of the new White House strategy includes supporting ” industry-led efforts to develop best practices to protect trade secrets and encourage companies to share with each other best practices that can mitigate the risk of trade secret theft.”  

[…www.whitehouse.gov]  This is something many of us in the security and TSCM industry have been calling for for decades.

How valuable is your information?

Hopefully many corporations will begin to pay closer attention to their information security needs.  Often we have heard from corporate clients who really don’t think it would hurt them much if a little information went missing.  One company who developed medical equipment for cancer treatment did not have an alarm system in their office. When I asked about that oversight, they said they had nothing worth stealing. “If someone stole a PC or a laptop, it would only be a loss of a thousand dollars at most, and easily replaced” I was told by the manager.  I was quite surprised at his laid back attitude. He had no concept of the value of the information contained on their computers.  That manager no longer works there, probably a good thing.

Information that is discussed in conference rooms, in personal offices, and on private phone calls, could be worth millions of dollars to the right competitor, or could cost the company millions in damage to stock prices or market presence, if leaked to the right adversary.

Who could be the perpetrator?

While there may be the possibility of a shady character or foreign operative sneaking into your facility after hours, scaling a wall or rappelling down from a skylight, planting a listening device, then slipping away into the shadows, the majority of incidents of corporate spying or eavesdropping that we have seen have been perpetrated by employees and even executives already working within the company.  They are the ones who have access to sensitive areas, and they can easily be motivated- by money, blackmail, sex, jealousy, rivalry, almost any vice, even an “innocent” desire to advance their career.  

One incident we worked on involved the COO of a stock trading firm who wanted to listen in to government officials when they came to do an audit, so he bugged the meeting room they used. He bought a high powered microphone from a spy shop in Manhattan and wired it directly to a recorder in his own desk.  He thought he was doing something to help his company or perhaps to strengthen his own position; but he did not realize the laws he was breaking, the trouble he was creating for his company, or that he was going to lose his job as a result of his actions.

Another case involved an executive who bugged his own company’s conference room with audio and video recording.  He had not been invited to some of the management meetings and felt he was being passed over.  He may have thought he was just trying to protect his own position. But the information he obtained could have prompted him to look to a competitor for the compensation he felt he was missing. If news got out to the press, or to the stock holders, that a high level executive was spying on the other executives, it would have been a major PR disaster for this firm.  

“We’ve spent thousands of dollars protecting our computer networks, isn’t that enough”?

Reports of cyber espionage are found every day in the news. Computer security is undoubtedly a serious and common, nationwide threat. But corporations should not overlook the dangers that are also posed by audio and video eavesdropping.  Cyber threats are dealt with by the IT department following standard protocols in network security, firewalls, and advanced programming techniques.  Audio and video surveillance countermeasures, on the other hand, require a very different skill set as well as unique, sophisticated, inspection equipment. There are no standard protocols taught in schools for this protection. Knowledge of computer security alone is not enough. Understanding physical security is also not enough. They are significant, but also needed is training in radio technology, audio and video transmission, telephone system design and wiring, even an understanding of construction materials and facility design is important. A qualified Technical Surveillance Countermeasures (TSCM) firm will have this training and such a company is necessary to protect your facilities from these types of threats.  

Do you really have “trade secrets”?

If confidential information has been intercepted or stolen, you want to have the full weight of the law on your side.  There are serious penalties for theft of trade secrets. But in order for the information to be considered a trade secret, an important requirement is to establish not just that you believed the information was proprietary but also that you took appropriate steps to protect the information.  Under US law, for information to be considered a trade secret, as defined under 18 U.S.C. § 1839(3) (A), (B) (1996), it must be determined that along with the information being considered valuable and private (“the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by the public”), it is also required that “the owner thereof has taken reasonable measures to keep such information secret”.  If no attempt has been made to protect the information discussed, be it in phone calls or in conference rooms, then such information may not be considered a “trade secret” and may not be prosecute-able under espionage laws. Conducting TSCM sweeps on a regular basis is one of the best ways to establish this protection. 

 

by Charles Patterson,  TSCM Specialist
charles@execsecurity.com
www.execsecurity.com 

copyright 2013, Charles Patterson