The Geography of Corporate Espionage Threats
By TorchStone VP, Scott Stewart
A friend recently asked if I had a list of countries that the FBI or the Cybersecurity and Infrastructure Security Agency (CISA) had declared to be intelligence threats to U.S. companies.
This list would help him formulate a corporate IT security policy outlining the security measures that must be taken to protect proprietary company data when traveling to “high risk” countries.
For example, employees traveling to China would not be permitted to take their regular company laptops and phones and would be required to use specially designated devices that contained only the information required for that trip.
Those dedicated devices would then be checked and wiped after the trip, and could never be connected to the company’s network.
While such policies are well intended, they are misguided. Your devices—and the data they hold—are every bit as vulnerable in Boston or Brussels as they are in Beijing.
By labeling some locations as “safer,” security programs may actually create a false sense of security that can place their sensitive data more at risk.
Threat Actors are Mobile
There is a famous, if apocryphal, quote from bank robber Willie Sutton, who is alleged to have said that he robbed banks because “That’s where the money is.”
This same principle holds true for corporate espionage threat actors: if they want to steal your sensitive proprietary information, they will target the place where it is stored.
In 2017, a Chinese operative sneaked into the Massachusetts-based Medrobotics’ headquarters building. Medrobotics develops new technology for the multi-billion dollar robotic surgery industry.
The intruder was accidentally discovered after hours as he attempted to hack into the company’s wireless network, presumably looking for trade secrets. He had traveled to the U.S. from Canada, crossing the border by car.
However, corporate espionage threat actors can still hone in on obtaining proprietary information via employees themselves—regardless of your corporate IT travel policy.
A great illustration of this was seen in the case of Yanjun Xu, the Deputy Division Director of the Sixth Bureau of the Jiangsu Province Ministry of State Security, who was convicted on economic espionage and trade secrets theft charges on November 5, 2021.
China has struggled with jet engine technology, and Chinese intelligence officers have relentlessly targeted western aviation companies with industrial espionage operations in an effort to overcome that deficiency, as they seek to achieve technological parity with the United States.
From his office in China, Xu used LinkedIn to approach engineers at aviation companies who had access to the technologies he was targeting. Xu used LinkedIn as a tool to conduct the spotting phase of the human intelligence recruitment cycle and communications through LinkedIn as a way to identify those targets who might be the most susceptible to being recruited as a spy.
One of the companies Xu targeted was GE Aviation.
In March of 2017, Xu used LinkedIn to connect with an engineer working for GE Aviation in Cincinnati, OH, and invited him to speak at a conference at the Nanjing University of Aeronautics and Astronomics (NUAA) in China.
The engineer’s travel expenses were paid for, and after the conference, he was introduced to Xu (operating under a pseudonym) at a dinner during which Xu gave him a small cash stipend for his presentation.
The meeting allowed Xu to assess the engineer as a potential spy and develop a deeper relationship with him. The expense-paid trip and the stipend also served as classic “little hooks” intended to get the engineer used to receiving compensation for fulfilling Xu’s tasking requests.
In follow on conversations, Xu began to press the engineer for more technical information and used the offer of another conference in China to entice the engineer to comply with his requests.
At this point, the engineer’s communications with Xu were discovered. It is unclear if the revelation was made by GE Aviation or the FBI. After being confronted over his contacts with Xu by company security and the FBI, the engineer decided to cooperate with the investigation.
As Xu continued to press for more information, the engineer (under the watchful eye of the FBI and company security) sent Xu a sanitized copy of the registry of his company-issued laptop.
The registry greatly interested Xu, who asked the engineer to bring the computer with him to China so Xu could copy its contents. The engineer noted that company policy would not permit him to take his laptop to China, but that he would be carrying it with him on a planned trip to Brussels.
Xu agreed to meet the engineer in Brussels to copy his computer hard drive. When Xu landed, he was arrested by Belgian authorities, who extradited him to the U.S. to face criminal charges.
This case clearly illustrates the willingness of corporate espionage actors to target the information they desire regardless of where it is.
Protecting Your Information
The two cases above demonstrate how the industrial espionage threat is clearly a global one.
Your company’s data can be every bit as much at risk on a computer in Brussels or Boston as it is on a device in Beijing.
When this is not recognized, your company can be victimized by sloppy cyber security in places deemed to be “safer” from espionage threats.
For example, an employee leaving a laptop unsecured in a hotel room, carelessly logging onto a public Wi-Fi network, inserting a thumb drive into their system, or becoming ensnared in an espionage recruitment.
Here are the steps that can be taken to protect your company’s information:
- Identify critical information
Identify what information is truly critical to your business and must be carefully protected, e.g. a manufacturing technique or product design.
It is impossible to protect every piece of your company’s data, so it is imperative to first identify and prioritize the protection of truly critical data.
- Continuous vetting
Thoroughly vet the employees who are given access to the company’s critical information. Vetting can be difficult, and in some corporate cultures contentious; but it is necessary and must be done to the best of the company’s ability.
Many companies have been victimized by insiders who could have been identified as problematic far earlier had they been properly screened.
Vetting should also be done periodically, not just before hiring because people—and their circumstances—change, which can result in them becoming more susceptible to recruitment efforts.
- Limit access to critical data
Once the employees with a legitimate need to access critical data have been identified and vetted, how and where they can access that data must also be limited.
Corporate spies do adapt their methods, and security teams must adjust their security programs and countermeasures to account for, and anticipate, changes in tradecraft.
- Maintain awareness of the global nature of the threat
Finally, it is crucial to recognize and account for the fact that corporate espionage is truly a global threat. Robust measures to protect your company’s critical proprietary information must be instituted wherever that information is located.
Employees must be trained to consider every location to be “high threat.” Company data on a corporate laptop in California should be considered equally as vulnerable as information stored on a computer in China.
It is also important to avoid developing tunnel vision that focuses security efforts against only one or two industrial espionage threat actors. China and Russia are clearly the most active corporate espionage actors globally, but the risk is by no means restricted to them.
Other nation-states and even corporate competitors are also a threat—as are self-motivated insiders.
- Identify critical information
A global threat requires a global effort to protect against it, and a global security program can’t be established without C-suite buy-in.
This means that company leadership must also be educated about the danger espionage threat actors pose to the company.
A program that identifies and protects critical information carefully and consistently screens employees with access to that information, and educates employees and company leadership about the espionage threat can help protect your company’s critical information no matter where it is stored.