by M. E. Kabay, PhD, CISSP-ISSMP[  ]
Survey Data & US Government Reports.
China and Titan Rain.
Blocking IP Traffic from Specific Nations.
One of the problems we face in our field of information assurance is the paucity of credible data about threats to our systems. We suffer from problems of ascertainment and problems of data collection in this field; without going into details here, there is plenty of reason to believe that we do not notice many of the system intrusions that take place and that many of those that are noticed are not reported in a way that allows development of a statistical base.[  ]
The US National Counterintelligence Center (NACIC) which later became the Office of the National Counterintelligence Executive (ONCIX) have been reporting annually to Congress since 1995 about foreign economic collection and industrial espionage.[  ] There are some valuable findings and trends in industrial espionage that can help us interfere with industrial spies.
First of all, Section 809 of the US Intelligence Authorization Act for Fiscal Year 1995 defined foreign industrial espionage as “industrial espionage conducted by a foreign government or by a foreign company with direct assistance of a foreign government against a private United States company and aimed at obtaining commercial secrets.”[  ]. Throughout the decade of reporting, there has been little change in the list of targeted technologies; the 2004 report lists the following: Information systems are a key target, with more than 40% of the PhDs employed in the field in 2001 (the most recent year of available data) being foreign-born (compared with 10% of all PhD scientists and engineers overall in the USA). Sensors, aeronautics, electronics, armaments and energetic materials are other industrial targets for espionage. The 1996 report notably added biotechnology, information warfare, manufacturing processes, nuclear systems, space systems, telecommunications and weapons effects and countermeasures to the list of targets.
Industrial espionage is carried out in many ways. The 1995 NACIC report lists the following:
The 2000 NACIC added these methods:
A survey organized by NACIC among about a dozen Fortune 500 company officers extended the list of industrial espionage methods with the following approaches:
I want to make it clear that the NACIC/ONCIX authors and I as a writer reporting on their findings are not implying that foreign nationals and foreign-born citizens in the USA are inherently threats to national security. The vast majority of such people – and I was one myself, having been born in Canada and having been granted US citizenship in July of 2005 – are honest, loyal people who have never done anything against the interests of our country. The US Census Bureau reports that in 2004, there were over 34 million foreign-born residents [  ] out of a total population estimated at over 293 million.[  ] So even if we guessed there were a thousand foreign-born spies (a high estimate for which there is no factual basis whatsoever), that number would represent a mere 0.003% of the foreign-born population – leaving 99.997% as unworthy of suspicion. So the next time someone tries to convince you that purely ethnic profiling divorced from any study of individual behavior is a good idea for law enforcement and national security, do a similar calculation with them and calculate the costs of resources wasted on false-positives.
The NACIC/ONCIX reports are clear on the threat from purely domestic, All-American citizens: “In 1996, the FBI and ASIS also reaffirmed the increase in the reporting of domestic theft or misappropriation of proprietary economic information. An ASIS special report released in March 1996, Trends in Intellectual Property Loss, indicated that 74 percent of intellectual or proprietary property losses stemmed from the actions of ‘‘trusted relationships’’ – employees, former employees, contractors, suppliers, and so forth.”[  ]
An additional source of information is the Annual Report to Congress on Military Power of the People’s Republic of China 2007.[  ] Chapter Five, “Resources for Force Modernization,” reports that “China’s defense industries benefit from foreign direct investment and joint ventures in the civilian sector, technical knowledge and expertise of students returned from abroad, and state-sponsored industrial espionage.” Later in the report, the authors add, “U.S. Immigration and Customs Enforcement (ICE) officials have rated China’s aggressive and wide-ranging espionage as the leading threat to U.S. technology. Since 2000, ICE has initiated more than 400 investigations involving the illicit export of U.S. arms and technologies to China.”
 ] ran a survey that was used by NACIC in its 1995 report. Among the significant findings were the following (quoting NACIC but adding bullets):
The 1997 NACIC report cited work by the Computer Security Institute [ 
] in cooperation with the FBI’s International Computer Crime Squad
In 1998, NACIC reported on a then-new economic modeling tool developed at the
Department of Energy’s Pacific Northwest National Laboratory (PNNL) that was
applied to a single case of theft of intellectual property in which a foreign
competitor succeeded in capturing the market due to the theft. “Using this tool,
the misappropriation of intellectual property in this case resulted in over
$600 million in lost sales, the direct loss of 2,600 full-time jobs, and a resulting
loss of 9,542 jobs for the economy as a whole over a 14-year time frame. Analysis
also determined that the
The “10th Annual Trends in Proprietary Information Loss Survey”
] organized by ASIS reported that respondents in 138 companies in
the Fortune 1,000 and from the US Chamber of Commerce membership list experienced
losses totaling over $50B. About 40% of the respondents reported industrial
espionage incidents during the period
· The greatest risk factors associated with the loss of proprietary information and intellectual property among all companies responding were former employees, foreign competitors, on-site contractors, and domestic competitors. Hackers also were cited as a major concern among some sectors.
· The most commonly cited areas of risk by companies that reported an incident were: research and development (49%), customer lists and related data (36%), and financial data (27%).
· The number of reported incidents, in order of magnitude, were: 1) customer data, 2) strategic plans, 3) financial data, and 4) R&D.
IMPACT OF LOSS
· Among all companies, the greatest impacts of proprietary information loss were increased legal fees and loss of revenue. For large companies (over $15 billion), loss of competitive advantage was the most serious problem. For financial firms, embarrassment was the biggest concern; and for high technology companies, the major issue was loss of competitive advantage.
· The assessment or assignment of intellectual property value is the responsibility of in-house patent and legal counsel who base their judgments on competitive advantage, profitability, and research and development criteria.
The National Counterintelligence Center (NACIC) later became the Office of the National Counterintelligence Executive (ONCIX). In 2004, the ONCIX reported to Congress that
Early reports from NACIC/ONCIX blanked out the names of countries suspected
or known to be engaging in foreign industrial espionage against the
In the 2000 Annual Report, respondents to the NACIC survey of a few (about a dozen) Fortune 500 companies reported that the top countries involved in industrial espionage cases involving their firms were (in order of importance) China, Japan, Israel, France, Korea, Taiwan, and India.
By 2002, the ONCIX Annual Report commented, “The laundry list of countries seeking US technologies in 2001 was long and diverse. Some 75 countries were involved in one or more suspicious incidents. The most active countries in economic espionage, according to DSS data, were an interesting mix of rich and poor and “friend” and foe. Many of the richest nations aggressively sought the latest in advanced technologies both to upgrade their already formidable military infrastructures—particularly command, control, and communications—and to make their already sophisticated industries even more competitive with the United States. Most of the poorer countries, however, continued to exhibit a preference for older ‘off the shelf’ hardware and software to renovate their existing defensive systems and to develop countermeasures to provide them battlefield advantage. The search for lower technology goods by these less developed countries probably reflected their desire to bring in technologies that could be more easily integrated into their existing military structures; a number of these countries were probably not capable of utilizing the most sophisticated US technologies.”
In January 2005, the US Committee on Foreign Investments expressed “concern that Chinese operatives might use an IBM facility for industrial espionage.”[  ]
There is some information available about the people who become industrial spies.
The 2003 ONCIX report stated, “Foreigners from almost 90 countries attempted
to acquire sensitive technologies from the
According to the latest ONCIX report available (2004), “Individuals from both the private and public sectors in almost 100 countries attempted to illegally acquire US technologies in FY2004, roughly the same number of countries as [in 2003]….” However, the report indicates a possible growth in government-sponsored industrial espionage: “foreign state actors accounted for about one-fifth of suspicious incidents and government-related organizations accounted for another 15 percent.” However, “Commercial organizations and private individuals with no known affiliation to foreign governments together accounted for nearly half—36 percent and 12 per cent respectively—of all suspicious incidents. In another 16 percent, the contractors were unable to determine the affiliation of the foreign parties involved in the elicitation.”
In summary, the enormous investment in US intellectual property has been a prime target for nations and firms eager to find shortcuts in the research and development process and thus to reduce their costs by stealing our information.
In this section, I review some interesting specific cases of industrial espionage from these government reports and others. I am summarizing and paraphrasing liberally to keep the length manageable and have deliberately not used quotation marks and ellipses to avoid cluttering the text. All of the information comes either from the NACIC/ONCIX reports, from my INFOSEC Year in Review database or from reports on Web sites for various offices of US Attorneys around the country.[  ]
For extensive historical records of intelligence cases, see the CI Reader volumes from the Office of the National Counterintelligence Executive. At the time of writing (January 2008), there were four volumes available for download as PDF files.[  ]
The immense growth and development of the Chinese economy, especially in the
1990s and 2000s, has been accompanied by a rising tide of industrial espionage
and criminal hacking originating from the People’s Republic of China (PRC).
The CIA Factbook section on China’s economy reports that since the shift
away from a Soviet-style central-command economy, starting in 1978, the Chinese
Gross Domestic Economy has quadrupled. “Measured on a purchasing power parity
TIME Magazine published an interesting report by Nathan Thornburgh on
Aug 29, 2005 about an investigation code-named TITAN RAIN that began in late
2003. As an information systems security officer (ISSO) for Sandia National
Laboratories of the US Department of Energy, Shawn Carpenter noticed a flood
of expert hacker activity focusing on data theft from a wide range of “the country’s
most sensitive military bases, defense contractors and aerospace companies.”
Carpenter discovered that “the attacks emanated from just three Chinese routers
that acted as the first connection point from a local network to the Internet.”
Carpenter worked with US Army and FBI investigators to learn more about the
attacks and the attackers. According to Thornburgh, various analysts judge that
“Titan Rain is thought to rank among the most pervasive cyberespionage threats
So was Carpenter treated as a hero by Sandia managers?
Well, no. He was fired for inappropriate and unauthorized use of Department of Energy computer resources and information. I’m sorry for Carpenter, but I have already written many times in this venue and elsewhere that it is a really bad idea to use corporate resources without written permission from appropriate authorities, especially if there is any risk of being perceived as a law-breaker. Even if Carpenter had acquired written support from his US Army and FBI handlers, that still might not have protected him against termination of employment. I cannot criticize Sandia managers on this count, and I understand that applying policy firmly is an important element of effective security management.
Incidentally, according to the TIME article, the government of the PRC
denied any involvement in the hacker activity – but it also flatly refused to
Scott Granneman wrote a thoughtful and stimulating commentary about Chinese hacker attacks in The Register on the 31st of August 2005.[  ] He also mentioned the Titan Rain case but he focused first on the experience of some personal friends of his who run Web-hosting services.
They both independently discovered that their systems were being swamped by
a flood of peculiar requests originating in a wide range of sites in the People’s
Granneman asked whether his friends had told their clients about their new policy of blocking all packets originating in the .CN domain; they said no.
Granneman, to his credit, raises two ethical questions:
1) Should his friends have told the clients about the global block on Chinese access to their Web sites?
2) Is there something wrong with blocking all access to a Web site for all users in a national domain?
For the first question, I think that simple ethical rules dictate that his friends should indeed have informed their clients of the new policy. One rule in ethical decision making is to consider all the stakeholders affected by a decision, and their clients are potentially affected. Another is that openness characterizes appropriate actions; a desire for secrecy always raises questions about whether a course of action is ethical (it doesn’t mean that all secrecy is bad, just that it raises questions that should be answered).
However, for the second, I cannot conceive of how anyone could reasonably argue that the owners of a private Web site have any limits whatsoever on how they restrict access to their information. The Web is a method for voluntarily sharing documents (and now, much more) using standard protocols (http, html and so on). Nothing in the technology removes the absolute right of the data owner to control how that information is shared. For example, if a copyright holder chooses to restrict access to published documents by requiring registration, that’s fine. If they require access controls using a userID and a password, that’s fine. If they require users to buy smart cards and log in using one-time passwords, that’s a real pain but it’s also fine. If they require users to have biometric equipment for retinal scans, brain-wave measurements and a signature in blood giving away rights to the user’s house, that may be crazy but it’s also perfectly legal. The worse the restrictions, the fewer the users, but no one has an absolute right to access any document on a privately-owned site on the Web.
So if a private Web-site owner wants to block all packets originating from the PRC, there is absolutely nothing morally or legally wrong with such a decision.
Personally, I have blocked all e-mail with country domains from which large amounts of spam originate; if someone in those countries wants to communicate with me, they can write me a letter. Immoral? No. Unethical? No.
MY e-mail. MY Web site. Don’t bother me if I don’t like you, your ISP or your country!
Anonymous (2001). “More theft of trade secrets.” Article in CIND (Counterintelligence
News and Developments) volume 2 (June 2001). No longer currently available
online except in Web Archives (stability of link is indeterminate).
< http://web.archive.org/web/20050310140232/http://www.nacic.gov/archives/nacic/news/2001/jun01.html >
ASIS (2007). “Trends in Proprietary Information Loss Survey Report.” PDF available
< http://www.asisonline.org/newsroom/surveys/spi2.pdf >
Bernstein, R. (2005). “Foreign-Born Population Tops 34 Million, Census Bureau
Estimates.” U.S. Census Bureau News
< http://www.census.gov/Press-Release/www/releases/archives/foreignborn_population/003969.html >
CIA – U.S. Central Intelligence Agency (2007). The World Factbook.
< https://www.cia.gov/library/publications/the-world-factbook/index.html > Downloads of current edition in various sizes of ZIP files available from
< https://www.cia.gov/library/publications/download/ >
Granneman, S. (2005). “On blocking Chinese IP addresses.” The Register (31
< http://www.theregister.co.uk/2005/08/31/blocking_chinese_ip_addresses/ >
Jacobs, M. J. (2003). “Chicago, Illinois Man Pleads Guilty to Theft of Trade
Secrets, Offered to Sell Online Interpreter’s Information.” U.S. Department
< http://www.usdoj.gov/criminal/cybercrime/sunPlea.htm >
Kabay (2007). Understanding studies and surveys of computer crime.
< http://www.mekabay.com/methodology/crime_stats_methods.htm > (HTML) or
< http://www.mekabay.com/methodology/crime_stats_methods.pdf > (PDF)
Kabay, M. E. (1994-2006). Information Security Year in Review Database. PDF reports and Access MDB files freely available from < http://www.mekabay.com/iyir >)
LaBauve, N. (2007). “Two Bay Area Men Indicted on Charges of Economic Espionage.”
U. S. Department of Justice.
< http://www.usdoj.gov/usao/can/press/2007/2007_09_26_lee.ge.indicted.press.html >
Macaulay, L. (2006). “Two Men Plead Guilty to Stealing Trade Secrets from Silicon
Valley Companies to Benefit China: First Conviction in the Country for Foreign
Economic Espionage.” U.S. Department of Justice.
< http://www.usdoj.gov/criminal/cybercrime/yePlea.htm >
NACIC Report (1995)
< http://www.ncix.gov/publications/reports/fecie_all/FECIE_1995.pdf >
NACIC Report (2000)
< http://www.ncix.gov/publications/reports/fecie_all/fecie_2000.pdf >
ONCIX (2001?) CI Reader: An American Revolution into the New Millennium.
Office of the National Counterintelligence Executive. [Author(s) unknown despite
use of first person singular pronouns; date of publication unclear.]
< http://www.ncix.gov/issues/CI_Reader/index.html >
Ribeiro, J. (2004). “Source code stolen from U.S. software company in India:
Jolly Technologies blamed an insider for the theft.” Computerworld.
< http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,95045,00.html >
Spooner, J. G. (2005). “IBM-Lenovo deal said to get national security review.”
< http://www.news.com/IBM-Lenovo-deal-said-to-get-national-security-review/2100-1003_3-5547546.html >
Thornburgh, N. (2005). “The Invasion of the Chinese Cyberspies (And the Man
Who Tried to Stop Them).” TIME Magazine (Aug. 29, 2005).
< http://www.time.com/time/magazine/printout/0,8816,1098961,00.html >
U. S. Census Bureau (2005). MS-Excel file from
< http://www.census.gov/popest/states/asrh/tables/SC-EST2004-04.xls >
US Secretary of Defense (2007). Annual Report to Congress: Military Power of
the People’s Republic of China 2007.
< http://www.globalsecurity.org/military/library/report/2007/2007-prc-military-power.htm >
Chapter 5: Resources for Force Modernization
< http://www.globalsecurity.org/military/library/report/2007/2007-prc-military-power05.htm >
[  ] This article is an edited compilation of a series originally published in the Network World Fusion Security Newsletter in 2005. Archives at < http://www.networkworld.com/newsletters/sec/ >. Updated January 2008 for publication in Vacuum & Coating Technology.
[  ] CTO & MSIA Program Director / School of Graduate Studies / Norwich University, Northfield VT, USA 05663-1035. Web site < http://www.mekabay.com/ >.
]Some archival NACIC and current ONCIX reports are freely available
as PDF files from
< http://www.ncix.gov/publications/reports/index.html >..
] See the ONCIX “One Evil” awareness poster
< http://www.ncix.gov/publications/posters/poster_oneevil.html >
[  ] NewsScan is no longer published. < http://www.newsscan.com >