Foreign Spies Stealing US Economic Secrets in Cyberspace

By the Office of the National Counterintelligence Executive.

Executive Summary

Foreign economic collection and industrial espionage against the United States represent significant and growing threats to the nation’s prosperity and security. Cyberspace—where most business activity and development of new ideas now takes place—amplifies these threats by making it possible for malicious actors, whether they are corrupted insiders or foreign intelligence services (FIS), to quickly steal and transfer massive quantities of data while remaining anonymous and hard to detect.

US Technologies and Trade Secrets at Risk in Cyberspace

Foreign collectors of sensitive economic information are able to operate in cyberspace with relatively little risk of detection by their private sector targets. The proliferation of malicious software, prevalence of cyber tool sharing, use of hackers as proxies, and routing of operations through third countries make it difficult to attribute responsibility for computer network intrusions. Cyber tools have enhanced the economic espionage threat, and the Intelligence Community (IC) judges the use of such tools is already a larger threat than more traditional espionage methods.

Economic espionage inflicts costs on companies that range from loss of unique intellectual property to outlays for remediation, but no reliable estimates of the monetary value of these costs exist. Many companies are unaware when their sensitive data is pilfered, and those that find out are often reluctant to report the loss, fearing potential damage to their reputation with investors, customers, and employees. Moreover, victims of trade secret theft use different methods to estimate their losses; some base estimates on the actual costs of developing the stolen information, while others project the loss of future revenues and profits.

Pervasive Threat from Adversaries and Partners

Sensitive US economic information and technology are targeted by the intelligence services, private sector companies, academic and research institutions, and citizens of dozens of countries.

• Chinese actors are the world’s most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the IC cannot confirm who was responsible.

• Russia’s intelligence services are conducting a range of activities to collect economic information and technology from US targets.

• Some US allies and partners use their broad access to US institutions to acquire sensitive US economic and technology information, primarily through aggressive elicitation and other human intelligence (HUMINT) tactics. Some of these states have advanced cyber capabilities.

Outlook

Because the United States is a leader in the development of new technologies and a central player in global financial and trade networks, foreign attempts to collect US technological and economic information will continue at a high level and will represent a growing and persistent threat to US economic security. The nature of the cyber threat will evolve with continuing technological advances in the global information environment.

• Over the next several years, the proliferation of portable devices that connect to the Internet and other networks will continue to create new opportunities for malicious actors to conduct espionage. The trend in both commercial and government organizations toward the pooling of information processing and storage will present even greater challenges to preserving the security and integrity of sensitive information.

• The US workforce will experience a cultural shift that places greater value on access to information and less emphasis on privacy or data protection. At the same time, deepening globalization of economic activities will make national boundaries less of a deterrent to economic espionage than ever.

We judge that the governments of China and Russia will remain aggressive and capable collectors of sensitive US economic information and technologies, particularly in cyberspace. The relative threat to sensitive US economic information and technologies from a number of countries may change in response to international economic and political developments.

One or more fast-growing regional powers may judge that changes in its economic and political interests merit the risk of aggressive cyber and other espionage against US technologies and economic information.

Although foreign collectors will remain interested in all aspects of US economic activity and technology, we judge that the greatest interest may be in the following areas:

• Information and communications technology (ICT), which forms the backbone of nearly every other technology.

• Business information that pertains to supplies of scarce natural resources or that provides foreign actors an edge in negotiations with US businesses or the US Government.

• Military technologies, particularly marine systems, unmanned aerial vehicles (UAVs), and other aerospace/aeronautic technologies.

• Civilian and dual-use technologies in sectors likely to experience fast growth, such as clean energy and health care/pharmaceuticals.

Cyberspace provides relatively small-scale actors an opportunity to become players in economic espionage. Under-resourced governments or corporations could build relationships with hackers to develop customized malware or remote-access exploits to steal sensitive US economic or technology information, just as certain FIS have already done.

Similarly, political or social activists may use the tools of economic espionage against US companies, agencies, or other entities, with disgruntled insiders leaking information about corporate trade secrets or critical US technology to “hacktivist” groups like WikiLeaks.

US Technologies and Trade Secrets at Risk in Cyberspace

The pace of foreign economic collection and industrial espionage activities against major US corporations and US Government agencies is accelerating. FIS, corporations, and private individuals increased their efforts in 2009-2011 to steal proprietary technologies, which cost millions of dollars to develop and represented tens or hundreds of millions of dollars in potential profits.

The computer networks of a broad array of US Government agencies, private companies, universities, and other institutions—all holding large volumes of sensitive economic information—were targeted by cyber espionage; much of this activity appears to have originated in China.

Increasingly, economic collection and industrial espionage occur in cyberspace, reflecting dramatic technological, economic, and social changes that have taken place in recent years in the ways that economic, scientific, and other sensitive information is created, used, and stored. Today, nearly all business records, research results, and other sensitive economic data are digitized and accessible on networks worldwide.

Cyber collection can take many forms, including: simple visits to a US company’s website for the collection of openly available information; a corporate insider’s downloading of proprietary information onto a thumb drive at the behest of a foreign rival; or intrusions launched by FIS or other actors against the computer networks of a private company, federal agency, or an individual.

The Appeal of Collecting in Cyberspace

Cyberspace is a unique complement to the espionage environment because it provides foreign collectors with relative anonymity, facilitates the transfer of a vast amount of information, and makes it more difficult for victims and governments to assign blame by masking geographic locations.

Security and attribution. Collectors operating in a cyber environment can collect economic information with less risk of detection. This is particularly true for remote computer network exploitation (CNE). Foreign collectors take advantage of the fact that it is difficult to detect and to attribute responsibility for these operations.

There is increasing similarity between the tools, tactics, and techniques used by various actors, which reduces the reliability of using these factors to identify those responsible for computer network intrusions.

• The proliferation of malicious software (malware) presents opportunities for intelligence services and other actors to launch operations with limited resources and without developing unique tools that can be associated with them.

• Hacker websites are prevalent across the Internet, and tool sharing is common, causing intrusions by unrelated actors to exhibit similar technical characteristics.

• FIS and other foreign entities have used independent hackers at times to augment their capabilities and act as proxies for intrusions, thereby providing plausible deniability.

• Many actors route operations through computers in third countries or physically operate from third countries to obscure the origin of their activity.

Another factor adding to the challenge of attribution is the diverging perspectives of the actual targets of economic espionage in cyberspace.

• At a conference sponsored by ONCIX in November 2010, US private industry representatives said they saw little difference between cybercrime—for example, identity theft or the misappropriation of intellectual property such as the counterfeiting of commercial video or audio recordings—and the collection of economic or technology information by intelligence services or other foreign entities.

Private sector organizations are often less concerned with attribution and focus instead on damage control and prevention; moreover, few companies have the ability to identify cyber intruders.

• US Government law enforcement and intelligence agencies, on the other hand, seek to establish attribution as part of their mission to counter FIS and other clandestine information collectors. They, unlike companies, also have the intelligence collection authorities and capabilities needed to break multiple layers of cover and to establish attribution where possible.

Cyberspace also offers greater security to the perpetrator in cases involving insiders. Although audits or similar cyber security measures may flag illicit information downloads from a corporate network, a malicious actor can quickly and safely transfer a data set once it is copied. A physical meeting is unnecessary between the corrupted insider and the persons or organizations the information is being collected for, reducing the risk of detection.

Faster and cheaper. Cyberspace makes possible the near instantaneous transfer of enormous quantities of economic and other information. Until fairly recently, economic espionage often required that insiders pass large volumes of documents to their handlers in physical form—a lengthy process of collection, collation, transportation, and exploitation.

• Dongfan Chung was an engineer with Rockwell and Boeing who worked on the B-1 bomber, space shuttle, and other projects and was sentenced in early 2010 to 15 years in prison for economic espionage on behalf of the Chinese aviation industry. At the time of his arrest, 250,000 pages of sensitive documents were found in his house. This is suggestive of the volume of information Chung could have passed to his handlers between 1979 and 2006.

The logistics of handling the physical volume of these documents—which would fill nearly four 4-drawer filing cabinets—would have required considerable attention from Chung and his handlers. With current technology, all the data in the documents hidden in Chung’s house would fit onto one inexpensive CD.

Extra-territoriality. In addition to the problem of attribution, it often is difficult to establish the geographic location of an act of economic espionage that takes place in cyberspace. Uncertainty about the physical location of the act provides cover for the perpetrators and complicates efforts by US Government law enforcement or intelligence agencies to respond.

Non-Cyber Methods of Economic Espionage

Although this assessment focuses on the use of cyber tools and the cyber environment in foreign efforts to collect sensitive US economic information and technologies, a variety of other methods also remain in use.

Requests for Information (RFI). Foreign collectors make unsolicited direct and indirect requests for information via personal contacts, telephone, e-mail, fax, and other forms of communication and often seek classified, sensitive, or export-controlled information.

Solicitation or Marketing of Services. Foreign companies seek entrée into US firms and other targeted institutions by pursuing business relationships that provide access to sensitive or classified information, technologies, or projects.

Conferences, Conventions, and Trade Shows. These public venues offer opportunities for foreign adversaries to gain access to US information and experts in dual-use and sensitive technologies.

Official Foreign Visitors and Exploitation of Joint Research. Foreign government organizations, including intelligence services, use official visits to US Government and cleared defense contractor facilities, as well as joint research projects between foreign and US entities, to target and collect information.

Foreign Targeting of US Visitors Overseas. Whether traveling for business or personal reasons, US travelers overseas—business people, US Government employees, and contractors—are routinely targeted by foreign collectors, especially if they are assessed as having access to some sensitive information.

Some US allies engage in this practice, as do less friendly powers such as Russia and China. Targeting takes many forms: exploitation of electronic media and devices, surreptitious entry into hotel rooms, aggressive surveillance, and attempts to set up sexual or romantic entanglements.

Note: Chung was prosecuted only for possession of these documents with the intent to benefit the People’s Republic of China (PRC) and acting as an unregistered foreign agent for China. He was not charged with communication of this information to the PRC or any other foreign entity.

Note: On average, one page of typed text holds 2 kilobytes (KB) of data; thus, 250,000 pages x 2 KB/page = 500,000 KB, or 488 megabytes (MB). A data CD with a capacity of 700 MB retails for $0.75, and a flash drive with a capacity of 4 gigabytes costs about $13.00.

Open Source Information. Foreign collectors are aware that much US economic and technological information is available in professional journals, social networking and other public websites, and the media.

Large but Uncertain Costs

Losses of sensitive economic information and technologies to foreign entities represent significant costs to US national security. The illicit transfer of technology with military applications to a hostile state such as Iran or North Korea could endanger the lives of US and allied military personnel. The collection of confidential US Government economic information—whether by a potential adversary or a current ally—could undercut US ability to develop and enact policies in areas ranging from climate change negotiations to reform of financial market regulations.

The theft of trade secrets from US companies by foreign economic rivals undermines the corporate sector’s ability to create jobs, generate revenues, foster innovation, and lay the economic foundation for prosperity and national security. Data on the effects of the theft of trade secrets and other sensitive information are incomplete, however, according to an ONCIX-sponsored survey of academic literature on the costs of economic espionage.

• Many victims of economic espionage are unaware of the crime until years after loss of the information.

• Even when a company knows its sensitive information has been stolen by an insider or that its computer networks have been penetrated, it may choose not to report the event to the FBI or other law enforcement agencies. No legal requirement to report a loss of sensitive information or a remote computer intrusion exists, and announcing a security breach of this kind could tarnish a company’s reputation and endanger its relationships with investors, bankers, suppliers, customers, and other stakeholders.

• A company also may not want to publicly accuse a corporate rival or foreign government of stealing its secrets from fear of offending potential customers or business partners.

• Finally, it is inherently difficult to assign an economic value to some types of information that are subject to theft. It would, for example, be nearly impossible to estimate the monetary value of talking points for a meeting between officials from a US company and foreign counterparts.

The Cost of Economic Espionage to One Company

Data exist in some specific cases on the damage that economic espionage or theft of trade secrets has inflicted on individual companies. For example, an employee of Valspar Corporation unlawfully downloaded proprietary paint formulas valued at $20 million, which he intended to take to a new job in China, according to press reports.

This theft represented about one-eighth of Valspar’s reported profits in 2009, the year the employee was arrested.

Even in those cases where a company recognizes it has been victimized by economic espionage and reports the incident, calculation of losses is challenging and can produce ambiguous results. Different methods can be used that yield divergent estimates, which adds to the difficulty of meaningfully comparing cases or aggregating estimated losses.

• An executive from a major industrial company told ONCIX representatives in late 2010 that his company has used historical costs—tallying salaries, supplies, utilities, and similar direct expenses—to estimate losses from cases of attempted theft of its trade secrets. This method has the advantage of using known and objective data, but it underestimates the extent of losses in many cases because it does not capture the effect of lost intellectual property on future sales and profits.

• Harm is calculated in US civil court cases involving the theft of trade secrets by measuring the “lost profits” or “reasonable royalty” that a company is unable to earn because of the theft. Although this method requires subjective assumptions about market share, profitability, and similar factors, it does offer a more complete calculation of the cost than relying strictly on historical accounting data.

• Estimates from academic literature on the losses from economic espionage range so widely as to be meaningless—from $2 billion to $400 billion or more a year—reflecting the scarcity of data and the variety of methods used to calculate losses.

To read more of this report, go to: http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf
