Feature

What is corporate espionage? Inside the murky world of private spying

Companies gather intelligence on their rivals just like nation-states do. Sometimes it's legal, but industrial espionage can easily slip over the line into criminality.

Josh Fruhlinger Jul 03rd 2018

Corporate espionage — sometimes also called industrial espionage, economic espionage or corporate spying — is the practice of using espionage techniques for commercial or financial purposes. We usually think of "espionage" in terms of spies working on behalf of one government trying to get information about another. But in fact, many of the same techniques — and even many of the same spies — work in both realms.

Types of industrial espionage

LegalMatch outlines a number of techniques that fall under the umbrella of industrial espionage:

  • Trespassing onto a competitor's property or accessing their files without permission
  • Posing as a competitor's employee in order to learn company trade secrets or other confidential information
  • Wiretapping a competitor
  • Hacking into a competitor's computers
  • Attacking a competitor's website with malware

But not all corporate espionage is so dramatic. Much of it can take the simple form of an insider transferring trade secrets from one company to another — a disgruntled employee, for instance, or an employee who has been hired away by a competitor and takes information with them that they shouldn't.

Then there's competitive intelligence — which is, to put it in infosec terms, the white hat hacking of corporate espionage. Competitive intelligence companies say they're legal and above board, and gather and analyze information that's largely public that will affect their clients' fortunes: mergers and acquisitions, new government regulations, chatter on blogs and social media, and so forth. They might research the background of a rival executive — not to dig up dirt, they say, but to try to understand their motivations and predict their behavior. That's the theory, anyway, though sometimes, as we'll see, the line separating these operators from criminality can be thin.

It's also worth noting here that not all corporate espionage involves private businesses spying on other private businesses. Governments get into the game too — especially in countries where many businesses are state-owned and the regime views economic development as an important national goal. As a result, other governments find themselves drawn in to various degrees as well; one of the main motivations President Trump has given for escalating a trade war with China has been to fight against Chinese theft of American trade secrets. When state actors are involved in the process, the specific term often used is economic espionage.

Is industrial espionage a crime?

Many people are under the impression that spying on a private company isn't illegal the way that spying on, say, a foreign country is. And it's true that it's not illegal to obtain information about competitors via legal means, even if those means are secretive or deceptive. For instance, you can send "secret shoppers" into a rival's store to see how they do business, or hire a private investigator to lurk around a trade show and see what they can overhear.

But beyond that, things get legally trickier. In general, acquiring trade secrets (commercial secrets that have monetary value to the businesses that own them) without the consent of their owners is against the law.

The U.S. federal law that governs corporate espionage is the Economic Espionage Act of 1996. The law made stealing commercial secrets (as opposed to classified or national defense information) a federal crime for the first time, and codifies a detailed definition of what constitutes a trade secret. It also lays out penalties for corporate espionage, which can run into the millions of dollars and years of prison time. Many of the harshest measures of the law are aimed at those who transfer trade secrets to foreign companies or governments, and indeed the first trial conviction under the law involved a Boeing engineer who had sold trade secrets to China.

However, it's important to note that not every case of corporate espionage merits criminal prosecution, and the U.S. Department of Justice has laid out guidelines for which cases to pursue. The factors include:

  • The scope of the criminal activity, including evidence of involvement by a foreign government, foreign agent, or foreign instrumentality
  • The degree of economic injury to the trade secret owner
  • The type of trade secret misappropriated
  • The effectiveness of available civil remedies
  • The potential deterrent value of the prosecution

But just because an act doesn't merit prosecution doesn't make it legal, and violations can serve as the basis for lawsuits in civil court. And finally, many U.S. states have their own laws about corporate espionage that are stricter than federal law; the Hewlett-Packard "pretexting" case (more on which in a moment) involved conduct that wasn't illegal under U.S. federal law but was in California, and resulted in a $14 million fine.

A corporate espionage case study

Security vendor Securonix has made available a great case study of a typical act of corporate espionage. Two people who had been classmates in a Ph.D. program at the University of Southern California (USC) went to work for U.S. tech companies and slowly and methodically exfiltrated data over several years to collaborators in China, with the intent of setting up their own company there with the stolen intellectual property. Securonix lays out the methods used and what the attackers did right — and wrong.

Corporate and industrial espionage examples

One of the truths about corporate espionage is that most cases go unreported, even if the victims learn about it. That's because the harm to the victim's reputation if it's revealed that they haven't done their security due diligence may outweigh the benefit of taking legal action against their attacker. Nevertheless, there have been many high-profile cases of corporate espionage, particularly in the tech industry, where ideas and code are all-important and easily pasted into an email.

  • The runaway VP. Danny Rogers, CEO and Founder of the dark web data intelligence startup Terbium Labs, told CSOonline that he once worked at a small company where the VP of engineering left and took all the company data and files with him to go to a larger competitor. That competitor then tried to out-compete the company for a contract. Ultimately, the police got involved, the person was prosecuted, and then went to prison.
  • HP's civil war. One of the highest-profile industrial espionage cases of the '00s involved Hewlett-Packard spying on ... itself. Desperate to figure out who was leaking damaging information to the press, the company hired multiple PI agencies to spy on its own board members; the investigators in turn gathered the targets' phone records via "pretexting" — essentially, contacting phone companies and bluffing them into believing that you're the owner of the phone account you're looking to get information about. It's a criminal act in California, and the saga ended the careers of several HP execs.
  • Battle of the blades. In 1997, Steven L. Davis was a process controls engineer for Wright Industries Inc., a subcontractor for Gillette, and had just been demoted to a lower role in the company's Mach 3 project. Angry at what he saw as an attack on his career, he decided to get even by sending trade secrets about the Mach 3 project, unsolicited and without any request for cash, to multiple Gillette rivals. Honorably, Schick immediately reported the act back to Gillette, who got the FBI involved, and Davis ended up going to prison for more than two years.
  • A trashy investigation. In 2000, Microsoft was in the midst of battling an anti-trust suit from the U.S. federal government, and Larry Ellison, CEO of Oracle, suspected that two supposedly independent research organizations that were releasing pro-Microsoft reports, the Independent Institute and the National Taxpayers Union, were secretly on Redmond's payroll. After getting caught paying investigators to acquire the groups' garbage, Ellison claimed Oracle was just doing its "civic duty" to help the government's case, and offered to send his own company's trash to Microsoft HQ in the interest of full transparency.
  • Not very hospitable. In 2010, two huge hotel chains, Hilton Worldwide and Starwood Resorts & Hotels, resolved a legal dispute over industrial espionage in a way that demonstrates how steep the penalties can be even if criminal prosecution isn't pursued. The scandal arose when Hilton, trying to replicate the success of Starwood's W brand of "lifestyle hotels," hired away two Starwood execs, who took trade secrets with them. In the ensuing legal agreement, Hilton agreed to pay Starwood $75 million in cash, offer them another $75 million in hotel management contracts, not open any lifestyle hotel brands for two years, and submit to being "baby sat" by court-appointed monitors to ensure compliance.

Corporate espionage jobs

If the world of corporate espionage sounds exciting to you, you might want to take a look at SCIP, the trade organization for competitive intelligence professionals. They can connect you with resources and other information.

As to how you break into the field: well, many of the people working in corporate espionage got their start on the government side of spy work. In fact, so many are former CIA and FBI agents, using the skills they've acquired with Uncle Sam to protect or further the cause of private companies, that some have questioned whether U.S. taxpayers are subsidizing corporate skullduggery.

Corporate espionage companies

Big corporations often maintain their own internal competitive intelligence departments, with in-house analysts trying to keep a leg up on the competition. Some of the biggest spenders are in the pharmaceutical business; more than a quarter of pharma companies spend north of $2 million a year on competitive intelligence. But just about any big company will spend money on counterintelligence measures; after Nasim Najafi Aghdam tried to attack YouTube headquarters in 2018, a Google exec told Vanity Fair that she had been serendipitously prevented from entering the building by security measures that had actually been put in place to protect data.

There are also standalone companies and consultancies that specialize in corporate and industrial espionage, and their names tend to only appear in the news when they've done something particularly creepy or egregious. They include Kroll, Inc., which helped recover funds looted by a dictatorial regime but also keeps secrets for Wall Street banking firms; C2i International, which infiltrates activist groups, not only to report on their activities but also to turn members against each other; and Black Cube, a company founded by ex-Mossad agents that worked to undermine Harvey Weinstein's accusers.

Corporate espionage movies

Looking to see industrial espionage on the big screen? One of the biggest hit films on the subject in recent years is Inception, which features consultants attempting to acquire corporate secrets. Of course, there's the small matter of the methods they used — invading their subjects' dreams — that isn't quite realistic.

For a somewhat more down-to-earth take, you might want to check out Duplicity, an underrated 2009 caper film starring Julia Roberts and Clive Owen, which in addition to not involving sci-fi dreamscapes has the added realistic bonus of making its two stars ex-spies for the CIA and MI-6 who then go into corporate intelligence.