-- Edmund Burke

Introduction

Knowledge is power.

-- Francis Bacon

Call it what you will--industrial intelligence, industrial espionage (my personal favorite, as it doesn't attempt to obfuscate, and which I shall refer to as 'indesp' throughout this paper), competitive intelligence, marketing--the process and tradecraft of intelligence gathering in the free market is an old and time honoured profession, albeit an infrequently admitted one.

Intelligence suffers an artificial bifurcation in the public perception--military/political intelligence and industrial/commercial intelligence. This is clearly absurd; information is information, and economic strength translates to power of many sorts, including military power. If intelligence must be categorized, perhaps a better 'split' would be strategic (intent) and tactical (means and methods); strategic intelligence does tend to translate along military and political lines, while tactical intelligence falls onto the ways that such goals might be achieved.

The Cold War between the Soviets and United States showed clear examples of such things--submarine technology (including silent propulsion and hull composition), or computer hardware and software. How to preserve the mobile retributive strike capability of a viable ballistic missile submarine fleet? How to improve C4I, design weapons of mass destruction, develop stealth aircraft, make and break advanced cryptographic systems? All that remains are the implementation details of such grandiose strategic plans, and therein lies the rub. There is no 'dual use' technology, as it appears that everyone in the world except the United States seems to have realized--intelligence is intelligence, power is power. Global powers--Russia, France, Japan, China, Germany, Britain--have extensive programmes for the gathering and utilization of intelligence, without regard for any such artificial distinctions.

If power is the motive, and the purpose of this paper is to provide some discussion of method, what of opportunity, the third leg in the tripod of criminal undertakings? If, as Locke suggests, property is the act of plucking something from Nature and making it your own (through the act of acquisition, or through the addition of value), then 'property is theft' reaches a pinnacle with information. Data and information, being 'virtual,' have numerous advantages from a thief's point of view--easy to conceal, easy to transport, extremes of value, freely copyable, and not necessarily a noticeable absence--the apogee of crime, and what is espionage after all, but sanctioned criminality? What of the loss? Loss of market, loss of moral or material surprise, loss of a strategic advantage? How to define and put a value to an unknown, a potential? What separates the pirate making perfect digital copies and the intelligence officer of a sovereign nation? Damned little--as Samuel Johnson said, patriotism is the last refuge of a scoundrel; do not bestow false dignity to the latter, nor revile the former. Both are opportunists, taking advantage of the happenstance of information--not that it wants to be 'free,' but that it defies any attempt at control.

The Usual Suspects

When Thales was asked what was difficult, he said, "To know one's self." And what was easy, "To advise another." When asked what wine he liked to drink, he replied, "That which belongs to another."

-- Diogenes Laertius

A rather distinct but covert subculture of 'indesp' professionals exists, sometimes in partnership, occasionally under contract, usually in competition with the government sponsored intelligence officers. Indesp is a global business practice--the act of arbitrage in information, knowledge, and skills, the software and wetware of the modern age. Commercial intelligence 'levels the playing field,' moving product and process knowledge from the 'haves' to the 'have nots.' Amateurs might do it from a belief (notable historical example of this freelance action to balance the powers: nuclear weapons technology), but professionals do it for the money, and like any industry, there is a complicated network in place to accommodate, facilitate, and otherwise service indesp pros.

Sources

Knowledge is of two kinds: we know a subject ourselves, or we know where we can find information upon it.

-- Samuel Johnson

Information of the vendable sort (a market being created when there is one more person who wants it than has it) is either in someone's head (where it must be induced to be communicated), or published in some form somewhere, no matter how restricted the readership list. Human intelligence is the best mechanism for acquiring what might be desired; in a world of 'data, at rest and in motion,' humans are always in the loop, and the weakest part. Insiders can always be found, through blackmail or cash payments, or arranged, as with moles. The foibles of humans, just as with a sword blade, are the easiest place to bend someone: drug use, deviant sexual behavior, criminal activity, all provide the leverage for cooperation; human capital is always undervalued, and such inequities, as well as a show of appreciation, can be rectified in a way that satisfies the knowledgeable personnel's need for material and emotional gratification that corporations don't satisfy. Given a reasonable and diverse skillset, an indesp professional can provide themselves with layers of cover story (including legitimate operations, false fronts, manufactured credentials, or even identity theft) and run their own penetration, acting as a 'mole' to gather intelligence. Another option, and a favorite of the amateur (not a reflection on their skill, just on their financial motivation, see the bracketed paragraph following this one), is 'wetware hacking' or 'social engineering,' using a variety of methods to elicit information--sweet-talking, FUD (fear, uncertainty, doubt), C3 (chaos, catastrophe, confusion), authoritative bluster, "we're all in the same boat," "help the confused customer/newbie/co-worker," and the ever popular "you can go anywhere with a clipboard" method. A great deal of intelligence of interest is already located outside the control of the point of origin (once information is 'on the loose,' who can tell how far it might go?)--in the hands of people like the media, system integrators/outsourcers, contractors, financial institutions, examiners/auditors, participants in corporate agreements (partnerships, strategic relationships, acquisitions, due diligence)--places and people who will likely be far less careful with it.

[The reader may be under some misimpression by my use of the word 'amateur,' a term that has negative connotations in the idiom of American English. A proper definition of the term is 'one who engages in an activity as a pastime rather than a profession.' As I said, this is not a statement upon the actual skill of the individual or performance, just that of motivation; it is a particularly American conceit that if you aren't doing it 'for the money,' it is because you aren't good enough to. This is asinine, of course, but does lead to difficulties: I believe that a great deal of the confusion over such things as the 'hacker ethic' derives from this source--hackers rarely engage in their activities for a profit motive (to the chagrin of those attempting to prove such to prosecute hackers under the law), but more for the sheer love of the art.]

Technology provides an additional body of sources, but again, the cornerstone is people--a fundamental flaw in the design of security systems is that they are oriented around trust and access control, and without considerable effort, it is very difficult for a machine to distinguish one human from another. Security systems make a poor bald assumption--once access is granted, you have relatively carte blanche access. Human-oriented and run security processes, such as guards, have all the flaws of human judgment, as mentioned above; computer-oriented and run security processes have all the flaws of human judgment, as well the handicap of having such flaws as automated constraints; mixed systems, those utilizing computers and humans, can be arbitraged through trust assumptions, where one element of the system can be subverted to override the judgment of the other (such as a guard overriding a security system and allowing access to a controlled area, or the guard's assumption that what the computer is telling him/her must be more accurate than their own judgment).

Computers, computer networks, phone systems, and all the other tools and toys of technology give rise to spoofing (pretending to be someone else on the other end of the connection), sniffing (watching packets of data on networks, from passwords to electronic mail), hacking (or cracking, breaking into computer systems for the data they contain), signals (bugging, or more interesting intercept methods such as TEMPEST radio emissions from electronic devices, or watching microvoltages in covert channel attacks), trashing (everything ends up in the trash, from voluminous print-outs to trivial details that help put layers onto cover stories or enable wetware hacking), and even that low-tech answer to high-tech protections, the 'black bag' job (forced or surreptitious entry). While such technical methods of gathering leave smaller footprints than the use of human sources (critical in the game, to sever the relationship of cause and effect that might make the espionage a provable offense), 'open source' methods leave smaller footprints still--data acquired from public sources such as computer databases, the media and public domain publication, educational and research establishments, or the other mechanisms of an open society, like the patent office, conferences, conversation, and even things such as the Freedom of Information Act (what of nations where informational controls are tight, and this sort of open source work isn't as easy? The indirect response to that question is a question of my own--what closed society has made significant commercial advances that require espionage to obtain? The informational controls used in closed societies also act to inhibit internal communication and advance--closed societies only rarely are the subjects of industrial espionage because they so rarely have information worth stealing).

Buyers

Free trade is not a principle, it is an expedient.

-- Benjamin Disraeli (Earl Beaconsfield)

An indesp professional may engage in an operation with a buyer arranged or not; regardless, this point merely shifts some of the uncertainty. Having a buyer in place prior to the espionage effort begs the question of whether the desired information can be acquired, not certain by any means; having acquired information of some value, a suitable client must then be ascertained, and an arrangement reached, a proposition also not without some risk.

There is, in general, no shortage of potential clients--market competitors, or the competitive intelligence programs of multinationals or governments. Client contacts are through accepted channels or cut-outs--attorneys, research firms, or technological methods; such contacts are the riskiest element of the indesp profession. Given the nature of the product, exchanges of value can well leave the professional holding the bag, or vice versa--the client has what they want, the professional is left empty handed by way of payment; the client gets what they want, while the professional embraces the payment and lines up yet another client for the same product.

That buyers for the outcome of industrial espionage operations aren't in short supply is an interesting indication of the state of the global economy, as well as a hint at the darker side of industrial capitalism.

Dirty Little Secret

Look beneath the surface; let not the several quality of a thing nor its worth escape thee.

Look to the essence of a thing, whether it be a point of doctrine, of practice, or of interpretation.

-- Marcus Aurelius Antoninus

The Intelligence Process

Inconsistencies of opinion, arising from changes of circumstances, are often justifiable.

-- Daniel Webster

Before I expose the rot at the core, let me step back and briefly comment on the 'standard' intelligence process, as practiced by modern large-scale intelligence agencies, which has some deficiencies. All spooks work for pay--it is merely a matter of degree, and the coin; the political nature of some recompense, however, exacts a corresponding toll, a focus on quantitative answers. Both these elements are dangerous to an accurate picture: 'quantitative' intelligence by definition is limited to those things that can be counted, graphed, numbered, or have some metric applied (numbers of tanks, numbers of troops, megatonnage at the press of a button), the stuff that military dreams and nightmares are made of; 'answers' are just as limiting, a static snap-shot that don't actually resolve matters, yet are beguiling to the uninitiated consumer. There are rarely 'answers,' and 'facts' that substitute temporarily will only briefly represent a fragment--this bit connects to that bit, which is linked to those over there, which connect into a broad tapestry. What started World War II? Who shot President Kennedy, and why? Incredibly well documented events, with facts but no answers, and to understand any of it, you have to connect it with the ever-shifting network of other facts. The intelligence process participants, from consumer down the food chain through analyst to source, are ill prepared to ask the right sort of question; questions define the boundaries of knowledge, identify the assumptions of the person asking, and only rarely give any thought to consequences. A good example is the quiet 'in joke' and dirty secret of the indesp profession.

Bootstrapping

I have found you an argument; I am not obliged to find you an understanding.

-- Samuel Johnson

Progress is a funny thing; you don't know what you don't know; most of scientific discovery came from (and still does, since that process is far from over) accidents, or collateral discoveries, or as the by-product of basic research. Our steady march into the future is a blind one, no maps, no signposts. Knowing of something, a direction, or that something is possible, has a profound effect--look at the development of the fission and then fusion weapons. Knowledge of the existence and functionality of the weapon dramatically shortened the development cycle for those who entered it late--not only were they able to prune their search trees because of negative feedback (they had an idea of what the wrong answers were), but they knew where to go look for the right answers (among which espionage was a potent tool).

Complexity, however, soon rears its ugly head. While the basics of the nuclear development cycle can be manipulated with WWII-era tools (still a reasonably advanced industrial requirement, remember), more complex developments require advanced tools--computer models, refinement processes, fast explosives, switches of incredible precision. Soon enough, the tools to build the tools to build the tools to build the end product becomes a deep, complicated network. Think of taking every bit of information, knowledge, and skill related to jet manufacture, and setting it down in a primitive, tribal region of Africa (or in King Arthur's time, you Connecticut Yankee)--can they build jets? Not without building a lot of other things first--one of the open 'secrets' of the development of political economies is that while the products of the technological age can be used everywhere, they cannot actually be constructed in an agrarian or simple industrialized economy. This dirty little secret is why the Soviets spent themselves into oblivion trying to keep pace with the technological development of the West and still fell short--they were as well equipped as a Cargo Cult to build advanced gear, even if they were able, through espionage, to get their hands on production specifications. The only reason the Soviets made it so quickly to the level of development necessary to become a nuclear power after WWII was that the U.S. had shipped a great deal of its production processes to its wartime ally, providing a closer level of parity. During the Cold War, rigid controls on production processes and products were the unsung heroes which collapsed the communist giant--because no matter how much labour or energy Marxist doctrine said could solve a problem, people are not interchangeable, and knowledge is the key ingredient.

Contemporary indesp is tightly focused on just this sort of issue--the knowledgeable players are quietly gathering as much process-related intelligence as possible, since without it, any product-related intelligence is nigh worthless. Does the know-how on how to manufacture the latest computer chip, even if delivered to a client in a complete package, make any difference? The knowledge-to-labour ratio is still weighed against them for having cut the corners; the only way the short-cut actually has any real value is if they are already on the verge of it themselves. A work-around that has risen in the indesp industry has been to step back from work-process espionage and to focus on mixed knowledge/labour or pure knowledge targets. This is why certain domains and industries are the most regularly targeted--computer software, biotechnology/pharmaceuticals, fashion, financial knowledge that can be traded on. These are industries that have incredibly fast product turnover cycles, coupled with products that are heavy on information-knowledge and light on labour. Complex processes, particularly those related to the production of military materiel, are hard targets--not because of the security around them, but because the production cycles are so long (not to mention deeply complex network structures), the potential client base is small, and the labour and value-chains necessary to go into production are extreme. If a 'rogue' nation with an underdeveloped political economy is in the market for weapons, they'll be looking for those already assembled, or with minimal production requirements--it won't be plans for a nuclear device, it will be the finished product; but it might be the know-how for chemical, biological, or informational weapons, those they can build themselves.

So that's the dirty secret that indesp professionals don't tell their clients or prospective clients-- the client asks for the wrong sorts of intelligence, so when they get what they asked for, they either can't use it (they don't have the necessary infrastructure to exploit their new knowledge), or if they can, they didn't need to (or shouldn't have had to, see the conclusion of this paper) resort to industrial espionage (and their competition still has lead-time, the same product/process, as well as the team that created it). In short, indesp professionals know that they're finagling their customers, one way or another.

Opportunities

There is nothing so powerful as truth--and often nothing so strange.

-- Daniel Webster

I thought a selection of laundered (to protect the innocent as well as the guilty) comments from the trade might drive these points home.

Lab Rats

Technology companies have various advanced technology groups (ATGs), labs, and killer projects; not only do the personnel here have access to most of the technology inside their own organization, they'll commonly have access to comparable technology in other corporations. A wonderful leverage point, the only problem is that potential clients will be able to guess the source of the information (which is a danger), or in a number of cases, the technology isn't going to be worth anything. For example, the pen computing market was a small, insular community, where everyone knew everyone else's business, and even then, none of the products from the first few generations of pen systems made a significant impact in the marketplace. In another instance, significant dollars of ATG development, upon careful review and numerous attempts, piqued no market interest whatsoever; pet projects, regardless of how expensive, have little real value.

Orwell's Revenge

Companies who view their employees as 'slaves' will have corporate monitoring systems for electronic mail, PBXs (to ostensibly monitor the phone calls of their sales staff), have open cubicles, etc. These monitoring programs certainly simplify the process, as what works on one will work on another--including the management, who's corporate e-mail and phone conversations will commonly provide gossip, financial details, and technical discussions. Some PBX systems, aside from having weak voicemail security, can even have their audio monitoring functions patched to the outside lines, so a phreak dialing in to the switch can monitor the company from the comfort of their home. This leverage point has yielded up everything from 'inside' information to be traded upon, to realistic assessments of technical projects' feasibility, valuable to a worried competitor.

Garbage In, Garbage Out

Everything ends up in the trash sooner or later, and dumpster diving or trashing can come across all sorts of valuable intelligence. While some organizations will shred some documents, collateral intelligence, such as phone logs, scraps from the copy room, personal materials, outdated materials, and the accidental bit of confidential material do end up on the trash heap. While some interesting examples such as the Clipper-chip documents, or the 911E sourcecode, have provided direct public demonstrations of the value of trashing, it isn't the entire story. People appear to go numb above the shoulders when they throw things out, as they provide the most intimate details of their lives to anyone willing to fish for it--useful in backstopping, efforts at blackmail, or hacking the wetware of the target's people.

Fly Me!

Even with the use of electronic means of data transfers, a great deal of worthwhile information is wandering around inside of portable computers. Traveling personnel are at great risk, and not just from theft of their machine during a security check or from baggage handling. Some aircraft have been wired with TEMPEST gear, to snoop on the work done by first-class international passengers, a hurdle that acts to help filter the quality of the information; hotels have been similarly wired, including the full audio/visual spectrum. On more than one occasion, I myself have had my computer held up in Customs, where a later review on my logs shows that a number of attempts were made to get at datafiles (which is why I now cipher everything and leave my files in an offshore datahaven, for later retrieval/decipher once I reach my destination; my portable is clean, and my crypto software is on floppy in my pocket, as well as available via remote).

Wetware Hacking

If people are the weak link, then the skill of social engineering is the most crucial; it essentially depends upon having a plausible reason to ask questions. Skilled practitioners will do their research to provide the best cover story for inquiry, including nesting cover stories in the event that someone 'peels the onion' and questions the story. While people have talked passwords or bank account information out of an individual on the phone, the in-person treatment (while riskier) provides a better chance of real success. With a little backstopping (business cards, a shell corporation, phone/mail receiving, appropriate costume), there are very few places you can't get into, acquire what you desire, and walk back out, at which point all that gets remembered is the plumber, painter, mover, delivery man, copier repair man, caterer, building inspector, etc.

Birds of a Feather

The amazing thing about questionable activities is that those engaged in them stick together--be it drug use, sexual behavior, or whatever, being 'in the group' lowers a number of guards. It commonly isn't even necessary to resort to blackmail--the bond of the mutual, shared sin offers grounds for 'mutual' concealment and disclosure of confidential details. One instance of this had an indesp professional discussing hacking and drugs, both of which he had developed a deliberate reputation for, with a group of similarly interested individuals; in the process of sharing details of their sins, the professional learned who to contact for the information sought, the best way to approach the subject, and the rough details, at least enough to pretend significant knowledge already, and to extrapolate considerably more.

Asynchronous Communication

Technological systems like e-mail, audio distribution systems (voicemail), and intranets are just mechanisms to leave information lying around; who comes along to pick it up is a matter of access control, a joke at best. During a notorious 'hacker war' of the 1980s one company, which provided an outsourced backbone for a set of multinational corporations' e-mail, became the battleground of rival hacker tribes; massive disruptions of service were just a small part of the war, but more significant was that in a number of the corporations, e-mail was spoofed to force bad business decisions, and other e-mail was used for information on the schedule and announcement of the corporations' financial and acquisition moves. One professional taking advantage of the opportunity copied offline many years of corporate data, which became the basis of a 'Harvard Business School'-type case-study business education, comparing corporate actions with market success and failure. The outsourcing or use of independent system providers still provides system insiders considerable opportunity for access to intelligence-grade information.

Deep Throat

A superb method to plausibly ask questions is a cover as a journalist; this is one reason why the U.S. Central Intelligence Agency desires to continue using such covers. Journalists have great access to information, including 'off the record' sources that can provide significant details once aggregated together. An indesp practitioner once successfully participated in the founding and operation of a technology publication just for the cover such credentials provided; the proliferation of reputable newsletters and on-line publications of similar intent have made this sort of cover the most readily available and fruitful.

Mercenaries

Machiavelli's warnings regarding the use of mercenaries is rarely heeded, perhaps because they are called 'consultants' in modern parlance; the boom of the consulting industry, from those related to the accounting firms, to the craze regarding 'business process re-engineering' have made consulting firms a license to steal. From providing the opportunity to question anyone in the corporation, including management, to performing detailed systems/operational analysis upon the organization, consulting can translate into getting paid by the target to develop the intelligence, which only incidentally happens to be provided to the target itself.

Nearer My God to Thee

God, religion, and cults are good covers: one indesp professional planted and monitored listening devices in confessionals of religious institutions in target-rich areas, a rich source of blackmail (God may forgive, but, oh, the wife and family...). One notable international cult movement requires its members to unburden themselves (for a fee, no less) to 'licensed' members trained for such purposes; a professional who joined this cult for the expressed purpose of landing such a position used it for years to gather high-grade intelligence from members in high-tech, law enforcement, and military positions. That the organization itself also seemed to be after similar sorts of information was considered by the professional to be more than a coincidence; a sizeable portion of the 'congregation' were also UFO (unidentified flying objects, the belief that the Earth was being regularly visited by aliens from another planet) enthusiasts, who would regularly trek out to classified military installations, using everything from photographic equipment to sensitive gravitational detectors in the area. As a cover story, this provides a solid example of good layering--gathering intelligence where, if discovered, one can pretend to be mentally unstable (UFOs, then the cult), thus not a significant threat to the installation.

Job Hunt

The employment process provides a great deal of information in both directions, and has been used for such. A prospective candidate can gather relevant project details based on the hiring profile of the target organization, and has an open license to ask questions during the interview process (subversion of a professional headhunter in the target industry has also proven fruitful). Conversely, a corporation can use its hiring system as a method to gather intelligence, targeting the skilled personnel of a rival corporation, and using the recruiting process to establish the competitive project's status and details.

Wizards and the Smell of Victory

Technical wizardry, such as hacking or sniffing, can be performed from outside an organization, but are far easier from withing; legitimate access, even of a limited source, provides system details, as well as opportunity (for example, sniffing the packets of a network require only the proper software on a network-based machine, commonly provided to even the most junior of employees in an organization). More profound tactics have been coming into play after the Cold War, as spooks and warriors, put out to pasture, turn the tradecraft they learned to their own benefit; such tradecraft rapidly becomes an element of the domain knowledge of the community, and explains the increasing use of TEMPEST, covert channel, and other signals attacks in the last few years. Such tradecraft might have been pioneered by the formal intelligence community, but it has rapidly settled in the indesp domain.

Follow the Money

The faceless, grey men of the accounting profession have access to considerable data long in advance of the standard financial markets possessing it; workers in this profession are typically overburdened, overworked, underappreciated, recent business school graduates labouring under their educational debt burden, a textbook target. Another financial mechanism of intelligence gathering has been the 'due diligence' process, between strategic partners or potential acquisition targets, allowing access to financial (and other data, such as process, production, and technical disclosures) intelligence without any real commitment. Indesp professionals have also been utilized to confirm or refute the 'smoke and mirrors' presentations that are part of the diligence process, so that the potential acquiring organization has a more accurate picture of the value and reality of the target.

Full Service Bank

One notable financial institution was a 'full service' bank for indesp professionals--providing money laundering, contact cut-outs, client management, and a number of other services. When this bank was forced to close its public doors, the informal 'black network' providing such services remained operational, and still provides important services to this day.

Already In-Progress

A number of indesp professionals have found steady employment inside the competitive intelligence groups of multinational corporations. The opportunities to leech out worthwhile intelligence and arrange for independent marketing of it is significant, particularly to the security/counterintelligence departments of the original target; this creates the obvious self-perpetuating marketplace, where intelligence is acquired, the target alerted, the target implements new measures, which requires new operations for acquisition, and so on.

The Curious Software Giant

An interesting negative example is that of one massive software corporation, which is roughly immune to indesp efforts (but not above engaging in them, incidentally). While enormously successful in the marketplace, this organization has been a technology 'follower,' not leader, and has built successful product lines on the 80/20 rule (bring a product to market fast, with only 80% of the functionality of the competitor, for only 20% of the original effort, and then develop marketshare using its overall clout). This same organization has also run successful disinformation campaigns in the marketplace, talking up vaporware products not even in development, but that the phantom existence of discourages corporate buyers from purchasing available products from competitors. Even the fact that the technical vision of the founder and senior scientists has been almost entirely at odds with what has actually occurred in technology and the market hasn't seemed to have had an effect. This example shows that having the technical edge isn't at all necessary for success, and that market clout and contracts can make one immune to the consequences of espionage or one's own bad products.

A Matter of Interpretation

Worth noting is another curious example, a computer hardware/software corporation that even having an 'inside track' on is of dubious value. An analysis of stock movements confirmed an offhand remark made by one knowledgeable insider--the stock would rise on product announcements, and fall on the actual product release. Overpromise and underdeliver is no market pleaser; perception of information still has dramatic impact on its value, leaving any who interpret it at as much risk as those not in possession at all.

Conclusions

History is little else than a picture of human crimes and misfortunes.

-- Voltaire

Industrial intelligence/espionage is indeed about having an 'inside guide'--like Willie Sutton robbing banks because "that's where the money is," you have to go where the information is. Indesp as an industry is a growth one; the idea of 'property' is a fuzzy one at best, and has grown increasingly difficult to manage as technology advances. Information is just too portable to control.

Global players, from governments to corporations, have made the cognitive shift in understanding that financial success in any form translates into the sort of power they already understand, and they are willing to undertake most any operation that provides them with an edge. The U.S. is essentially alone, as a practical matter, in demanding that virtual property rights exist, and this is reflected even into the intelligence establishment, which not only eschews industrial intelligence, but has stepped back on the Cold War efforts which protected intellectual property in the form of products and processes. It is no wonder that the major indesp playing field is the U.S.--few controls, poor protection, and a continual source of the new and novel that can be taken, improved upon, and exploited back into the marketplace.

It is important to note, however, that resorting to industrial espionage, whether by a corporation or government, is an indication of a fundamental weakness, a clear sign of some incapacity or inadequacy. A look at the global players is instructive:

-- The Soviet Union, and now Russia, is laboring under a non-functional economy; by a fluke of history, the USSR was once a global competitor for domination, but the effort wore it out, an exhaustion that lingers to this day. Indesp efforts are an attempt to convert the old State intelligence apparatus into something useful, something which can help assuage the woes of a collapsing nation. Controlled economies are just not creative, creativity being a threat to hierarchical control; free market economies are wildly creative because anyone with an idea can attempt to bring it to the marketplace. This creates a great deal of market flux and chaos, but stability occurs because success in a market greatly depends upon the consumer, who decides life and death by the purchase (or not) of products and services. Much like predators and prey in an ecosystem, political economies thrive best when left alone.

-- France is suffering similar economic woes, and for similar reasons--controlled economies can't compete with free economies, and socialist supports in market segments cause artificial skewing of those few market forces actually in-play. Indesp is viewed as a way of poaching on the successes of others, without having to alter the fundamental flaws in their own economy; it works, to a point. They keep hoping it will work better.

-- Japan/Korea labour under controlled economies, and also have a keen understanding of a cultural shortcoming--they are fantastic at refinement, but not nearly so good at discovery. Once a proof-of-concept is laid out, in process or product, both countries excel at making it work better, faster, and cheaper. I'm personally inclined to view this as a necessary thing--pioneers and settlers both have their function, and one should appreciate the other, but formalizations of such partnership relationships are seemingly anathema. Indesp efforts for these economic giants are essential--they require a continual in-flux of the new and novel to subject to process refinement because the old and accepted can only be refined so far. Much like an expansionist empire that must grow or die, this is the modern equivalent.

-- China is playing at capitalism, while quietly hoping to do to the U.S. what the U.S. did to Great Britain--offer a huge potential market for goods and services, but steal as many of the processes as quickly as possible. The rise of the U.S. and the fall of the U.K. as the dominant global power, however, involved more than just the acquisition of technology, it required Great Britain to get involved in some very crippling and financially burdensome wars, something the Chinese may either hope will happen to the U.S. by chance, or with a little help. Note that China's large scale indesp efforts are not necessarily because of any cultural flaw--the success of the Hong Kong economy under sound management so demonstrates--but again from the cancer of collectivism. The attitude that resides behind the human rights position of the Chinese leaders is also the limiting factor that will preclude significant advance--a complete non-recognition of the value of the individual, even to the point of being willing to utterly eradicate the slightest aberration of individualistic behavior. Indesp can only make up for so much; the true shame of the matter is how willingly many of the targets of Chinese industrial espionage operations give up valuable intelligence. While it remains to be seen whether China's efforts can make them into a global power such as the Soviets once were, two points are important to remember--the effort nearly destroyed the country and satellites under Soviet control (not to mention the effect on NATO members), and that, for a time, the Soviets held the power in their hands to eradicate all life on the planet, a threat that conferred some leverage upon world affairs.

-- Israel is one of the world's worst indesp offenders; they have wide ranging indesp efforts inside the U.S., among others, and utilize the political/emotional clout built since the Holocaust to manipulate their victims. The political economy of Israel, for all the democratic trappings, varies from fascist to theocratic; indesp is only a minor manifestation of a psychology that was founded upon theft (of Palestine). I am perpetually boggled at the level of support and coddling the U.S. provides to Israel, particularly in light of the moral and ethical outrages regularly performed; having suffered and survived a genocide attempt does not convey the moral authority to attempt it upon others. It is almost difficult to call Israeli efforts 'espionage' when they seemingly have the tacit support of the U.S.; the on-going relationship is curious, in light of such revelations as Israeli nuclear proliferation, aid to the Apartheid regime in South Africa, human rights atrocities, and military operations (Lebanon, the Six Day War, the Liberty incident). The only rationale I can fathom is that some forms of moral illness are contagious; from the Nazis, to the Israelis, and onward.

What to do about indesp efforts, regardless of the players? I can immediately offer a number of worthwhile suggestions:

-- Treat your employees well. Either they are the company assets (as much as corporations like to say this, they don't act as if it were true), or they have the company assets in their head, or they have access to them. Humans are the first line of defense, and a happy, satisfied employee is hard to get a handle on.

-- Trust mechanisms, particularly those of security systems, are hopelessly binary; either you have no access, or once you pass a threshold, you have total access. Trust comes in shades of grey, not black and white.

-- Communication of any type needs to be carefully thought about; this isn't just "think before you speak," but "what sort of information is being shipped around." Data at rest is vulnerable to one sort of threat, but data in motion is vulnerable to many sorts. This counts from networks to the trash, as all of it has value.

-- Monitoring mechanisms, as much as they warm the heart of Big Brother and Taylerist sorts of managers, just provide a tool in-place to be used against you. They have a very low value when viewed on a risk-return basis.

-- Three words: strong, un-escrowed cryptography. It's the subject of another paper, but cryptographic security (where all data, on a point-to-point session-to-session basis, is enciphered, and the 'reader makes right' by deciphering at the end-point) beats access security hands down.

Finally, I'll close up on the meta-rule: security isn't superficial. If you have something worth stealing, then do something about it. Security needs to be a continual process; the value of what is being protected should have some impact on just how dramatic the security measures, but once the decision is made to commit to security-as-a-lifestyle, it shouldn't be hedged on. After all, it's a jungle out here.