Persistent Insider Threats in Corporate Espionage

June 17, 2025 sdcpm

By TorchStone VP, Scott Stewart

Companies and organizations face a multitude of different threats from insiders regarding the theft of intellectual property, trade secrets, and proprietary information. Expanding the thought process on how people evaluate and hunt insider threats is integral to stopping corporate espionage—whether a one-time event or a more insidious possibility.

Entrepreneurial Corporate Spies

When people think about the insider threats to critical information, they tend to focus much of their attention on the high-profile cases where an actor has stolen a large quantity of material and then sold it to a competitor, provided it to the media, or to hacktivists. However, the threat posed by a company’s information walking out the door, even a one-time theft of information as an employee leaves a company, is a serious problem.

While accurate figures on intellectual property theft are hard to obtain for obvious reasons, studies suggest that a significant percentage of employees take sensitive information with them when they leave a job, whether they resign or their employment is terminated. In some cases, the information taken by the employee is information they created and feel entitled to, despite any agreements they may have signed. In other cases, it is important/valuable information that another employee created.

Some of the employees who steal corporate information are “entrepreneurial,” that is, they take the information with the intent to peddle it to a competitor. In this way, they are similar to a “walk-in” case in traditional espionage, where a would-be spy steals information and then approaches a foreign intelligence agency. Others may be recruited by a competitor and steal information on their way out the door at the behest of their new bosses.

One-Hit Wonders are not Optimal

Most cases involving “entrepreneurial” corporate spies or employees who take sensitive information when they quit, are fired, or are recruited by a competitor are “one-hit wonders.” In these cases, once the employee leaves the company, they no longer have access to company IT systems or information, meaning whatever they grabbed on the way out the door is all they can get, and it may or may not contain the information the person they are trying to sell it to considers to be the most valuable.

In a traditional intelligence “walk-in” case, after determining the walk-in is legitimate and not a “dangle” sent in by host country counterintelligence, the first thing an intelligence officer will do is try to protect the identity of the walk-in, and the second is to try to send the walk-in back to their place of employment so that they can continue to provide intelligence.

The intelligence officer will provide the walk-in with espionage tradecraft training designed to protect them from being detected when they return to work. This training will include instruction in how to obtain information while leaving little trace, as well as providing clandestine means to transmit that information back to their handler.

Historical examples of walk-ins being converted into long-term agents were Americans John Walker and Aldrich Ames, and Soviets Oleg Gordievsky and Oleg Penkovsky. These agents remained in place and were able to satisfy specific intelligence taskings from their handlers. In this way, agents in place tend to cause far more damage to their employer than a walk-in who cannot get access to more intelligence.

When an intelligence officer recruits a person who works for another government, or a young student whom they send in to penetrate a targeted government, they likewise attempt to train them and position them so that they can operate for as long as possible. Examples of this would be Gabriele Kliem in Germany, the Cambridge Five in the UK, or Ana Belen Montes in the U.S.

Now, let’s bring these traditional espionage concepts back to corporate espionage.

The Confluence

Today, companies (and organizations) are being brazenly and persistently targeted by state intelligence agencies. Some of them, such as Russia and China, have been quite open about their intent to steal trade secrets from Western companies. A well-documented case of this type was the thwarted recruitment of a GE Aviation engineer by the Chinese Ministry of State Security (MSS) that resulted in the arrest of an MSS officer in Belgium in 2018.

In addition to the threat posed by state intelligence agencies, companies across the globe employ former intelligence officers in various capacities. In Russia, Siloviki (roughly translated as securocrats) from Vladimir Putin’s circle have taken critical positions in a number of important companies. Likewise, it is extremely difficult to disentangle most Chinese companies from the Chinese Communist Party and various government security agencies. But of course, China and Russia are not the only countries with companies that employ former intelligence officers.

These government intelligence officers and former intelligence officers will bring their traditional espionage ethos and tradecraft with them when they conduct corporate espionage. Because of this, it is important for insider threat programs to look beyond the massive downloads of data that are an easily detected signal of an untrained “one-hit wonder,” and expand their focus to include searching for the more subtle behaviors exhibited by trained agents who will attempt to remain in place inside the company.

If a government intelligence officer or former officer recruits a spy inside a corporation or organization, they are very likely to provide them with at least some degree of intelligence tradecraft training. This will result in them having a profile and exhibiting behavior that will be far different from more amateurish, untrained corporate spies. Instead of the mass downloads of a one-hit wonder, they will be encouraged to gradually and carefully gather information and taught how to do so without leaving much of a trace.

Also, instead of a scattergun approach of gathering anything they think could be of value, these agents will be more selective, focused on obtaining the specific items of intelligence they’ve been tasked to collect. Additionally, their handlers will be more subtle in the way they use the stolen information so as not to jeopardize their agent in place.

To help protect their intellectual property, many companies are using cyber tools to detect when an employee accesses sensitive information they should not have access to. These tools can also help detect attempts to download large amounts of information, send it to a cloud storage service, or print it. But unless these tools are designed so that they can help spot the more surreptitious behavior of agents in place, an overreliance on technological tools could leave companies with a blind spot to more subtle corporate espionage tradecraft.
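The blind spot described above can be shown with two detection rules run over the same access log. This is an added example, not code from the original article or from TorchStone; the event format, user names, collection name, and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events (not real logs): (day, user, collection, bytes_read)
EVENTS = (
    [(d, "avery", "engine-design", 40_000) for d in range(1, 29, 2)]   # small reads on 14 days
    + [(3, "blake", "engine-design", 50_000), (17, "blake", "engine-design", 30_000)]
    + [(9, "casey", "engine-design", 60_000)]
    + [(20, "devon", "engine-design", 900_000_000)]                    # one bulk pull
)

DAILY_BYTES_LIMIT = 500_000_000   # assumed bulk-download threshold
MIN_ACTIVE_DAYS = 8               # assumed floor for "sustained" access
PEER_FACTOR = 3                   # assumed multiple of the peer median


def bulk_download_alerts(events, limit=DAILY_BYTES_LIMIT):
    """Classic volume rule: users whose reads on any single day exceed the limit."""
    per_day = defaultdict(int)
    for day, user, _collection, size in events:
        per_day[(user, day)] += size
    return sorted({user for (user, _day), total in per_day.items() if total > limit})


def sustained_access_alerts(events, min_days=MIN_ACTIVE_DAYS, factor=PEER_FACTOR):
    """Persistence rule: users touching one collection on far more distinct days than peers."""
    days = defaultdict(set)                      # (collection, user) -> distinct active days
    for day, user, collection, _size in events:
        days[(collection, user)].add(day)
    by_collection = defaultdict(dict)
    for (collection, user), active in days.items():
        by_collection[collection][user] = len(active)
    alerts = []
    for collection, counts in by_collection.items():
        for user, n in counts.items():
            peers = [c for u, c in counts.items() if u != user]
            baseline = median(peers) if peers else 0
            if n >= min_days and n > factor * baseline:
                alerts.append((user, collection, n))
    return sorted(alerts)


if __name__ == "__main__":
    print("bulk:", bulk_download_alerts(EVENTS))
    print("sustained:", sustained_access_alerts(EVENTS))
```

The volume rule flags only the single bulk pull, while the persistence rule surfaces the user whose small reads recur on many days. An alert of the second kind is a prompt for review by people who know the employee's role, not a finding on its own.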

Mitigating the Threat of Agents in Place

The first step in mitigating any threat is awareness, and this threat is no different. Effective mitigation of the threat posed by insiders who remain in place to commit espionage requires awareness of the threat at every level of the company or organization, including leadership. If organizational leadership does not support an insider threat program, it is extremely difficult for lower-level personnel to be effective.

The primary means to create the needed awareness is through education and training. As noted above, cyber tools are helpful, but the bottom line is that there is no technological silver bullet that will catch every corporate spy. Employees are a critical front-line defense against agents in place, and there simply is no other insider risk countermeasure that is as valuable as the personal knowledge of trusted employees and the interactions they have with their coworkers.

The corporate security team, HR, corporate legal, etc., commonly do not have much daily interaction with most employees in an organization—far less contact than co-workers and direct supervisors have. Because of this, co-workers and managers need to be educated about the threats posed by insiders, how they operate, and what signs to look for. Most people can intuitively recognize deceptive behavior, even if they may struggle to articulate what it is that strikes them as being off or wrong.

Employees must feel empowered to report suspicious behavior, and insider threat education programs must include instructions on whom to report suspicious activity to and how to report it. The way that reporting of suspicious activity is handled will make or break an insider threat program. Trust is hard to earn and easy to lose, and if reports of suspicious activity are not handled in a confidential and competent manner, employees will quickly become reluctant to report anything.

Another critical component of an insider threat program is vetting. This applies not only to pre-hire screening, but also periodic re-screening, or even better, ongoing monitoring. One area of vetting that is often overlooked is contract employees. It is important to check on the vetting programs of companies that are supplying contract employees to ensure that they meet the standards of your organization, rather than just assuming that contract employees have been properly vetted.

Finally, it is important to emphasize that countering the threat of corporate espionage is not just the responsibility of corporate security and the FBI. It is a community responsibility, and every person in your organization plays a critical role in keeping your company’s sensitive information safe—and helping ensure the future viability of the company. Corporate espionage can place everyone’s job in jeopardy.