Another semester in the bag. I finished my last Information Assurance course in graduate school this past week. The class was on Trusted Systems and we spent a lot of time discussing the Common Criteria, the ratings, mandatory vs discretionary access controls, and we even created a Protection Profile. All very exciting, I can "assure" you (pun intended).
This semester, I decided to do my research paper on a topic that has been intriguing me, having heard about it from those of you in the Real World, and also hearing the particulars from a presentation delivered by the CI Centre, aka "The Centre for Counterintelligence and Security Studies". The topic is economic espionage, and I've become quite interested in it. A good majority of this is occurring through "data leakage", which is the security buzzword of the year. In 2007 alone, both the DuPont corporation and the Denso Corporation have been victimized. A survey conducted in 1999 by PricewaterhouseCoopers and ASIS found that Fortune 100 companies had lost in excess of $49 Billion directly related to the loss of intellectual property!! (Does that horrify anyone else?!). I've included some excerpts from my paper for your perusal. (Please refrain from comments regarding the proper use of ABA style):
"According to the U.S. National Counterintelligence Executive’s 2005 Annual Report to Congress on Foreign Economic Collection and Industrial Espionage a record number of countries – 108 – were involved in the collection of intelligence and trade secrets. During this time the FBI opened 89 economic espionage cases and had 122 cases pending by the end of the fiscal year in September. The number of illegal export cases conducted by the U.S. Immigration and Customs enforcement team was even worse, with over 1,050 export investigations initiated and more than 2,400 investigations tied directly to the violation of specific Acts and Regulations pertaining to the illegal export of defense technologies.
The DuPont Corporation was established in 1802 and is responsible for products ranging from black powder in its infancy to items such as artificial leather, cellophane, ammonia, neoprene, nylon, Kevlar, Tyvek, and Nomex, to name a few. Intellectual property from their R&D department is truly the lifeblood of DuPont.
In 2007, the U.S. Department of Justice released the details of one of the most costly corporate espionage cases in history. Gary Min (aka Yonggang Min) was a 10-year DuPont employee who worked as a research scientist, conducting research on high-speed polymer films. In October 2005, Min accepted an employee agreement with DuPont competitor Victrex, with an agreed start date of January 2006, and was to relocate to their Shanghai office (Min is a Chinese national). Victrex also makes a high-speed polymer that directly competes with DuPont. Min informed DuPont of his career change on December 12th, 2005. From August 2005 to December 12th, 2005, Min had access to the DuPont Electronic Data Library (EDL) server and downloaded over 22,000 abstracts and accessed about 16,706 documents. Min’s access was 15 times higher than the next highest user. DuPont isn’t saying how they noticed the activity, whether through a warning about the extreme number of documents accessed or through the perusal of database logfiles, but the local FBI and Department of Commerce offices were contacted. It was determined that the documents Min accessed were unrelated to his current research, and the net value of the information was estimated at over $400 million by DuPont.
Min went to work at Victrex in January 2006 and in February 2006 he uploaded over 180 confidential DuPont documents to his new Victrex laptop. The following day, Federal agents informed Victrex of Min’s actions and they seized his laptop. During the same time, Federal agents searched Min’s home in Ohio and found several computers with DuPont documents marked “confidential” and shredded hard copies of DuPont confidential documents, including some remnants of burned documents in the fireplace. They were also able to stop a disk-erasure program in progress on an external hard drive. Mr. Min pleaded guilty to the charge of stealing trade secrets and faces a maximum fine of $250,000 and/or a 10-year prison term, plus restitution. He is scheduled to be sentenced on March 29th, 2007.
Denso Corporation is a Japanese company that is a “leading supplier of advanced automotive technology, systems and components for all the world's major automakers, operates in 32 countries and regions with more than 106,000 associates. Global consolidated sales totaled US $27.3 billion for fiscal year ended March 31, 2006.” On Friday, March 16th, 2007, the Aichi prefectural police arrested Mr. Yang Luchuan, an engineer at Denso, on suspicion of “embezzlement”. The police seized his laptop, which contained over 130,000 design specifications and blueprints for over 1,700 Denso products including sensors, robotic arms, and a diesel fuel injection pump. According to a representative from Denso, 280 of these are considered to be classified. Mr. Yang was suspected of downloading the majority of the data in the second half of 2006 and had traveled home to his native China three times in the past 6 months. Prior to arrest, Mr. Yang was able to destroy the hard drive of his laptop, in an obvious attempt to destroy any incriminating evidence. Prior to his arrival at Denso, Mr. Yang worked as an engineer at a Chinese state-run military complex that manufactures missiles and other weapon technologies. The maximum penalty for “embezzlement” under Japan’s Penal Code is 5 years. However, the maximum penalty under the Japanese Unfair Competition Prevention Law has just recently been raised to 10 years, which is similar to the U.S. Economic Espionage Act. However, there is currently no section of this Law that pertains directly to targeted economic espionage."
Next post: I'll discuss both some of the technical and non-technical methods for helping you mitigate the risk associated with economic espionage.
 This report is completed in August of each year. The 2006 report will be completed in 2007. This specific report covers from 1 October 2004 – 30 September 2005.
 Arms Export Control Act, International Traffic in Arms Regulations, Trading with the Enemy Act, etc.
 Japan Today. “Chinese auto engineer held over suspected data leak” March 17th, 2007. http://www.japantoday.com/jp/news/401118
 Yomiuri Shimbun. “Denso's management of classified data lax.” Daily Yomiuri Online. March 29th, 2007. http://www.yomiuri.co.jp/dy/editorial/20070320TDY04005.htm