Undercover ops, one of the darker sides of life, occasionally suffers from sudden exposure in the media, witness how the Concorde’s specification blueprints ended up in Russia or when US secret services used massive listening Big Ears (Echelon) to monitor official, supposedly privy phone exchanges. Yet, far from limiting its activities to the covert manoeuvers to access and analyse State secrets, the spy business today has refocused for some time now on industrial targets. The challenges and techniques used evolve constantly. In an open world, where information systems play an increasingly structuring role, the issue of how to protect sensitive data and technologies has now become a priority question.
Many secrets are now open books, given that everyone is spying on everybody, moreover in a more or less sophisticated manner. In those countries where horrified comments heralded the news of the NSA Echelon operations, a number of discreet back-offices (public and private), continued business as usual. The media of course made a hay-day out of seeing the American embarrassed at being caught with their fingers in the jam, so to speak, but a great number of the countries, the majority in fact and their special services targeted, have clearly heard the shells whistling overhead. Notwithstanding the pause induced by a short spell of embarrassment, the listening game will resume, on an even more intense scale, if only to catch up on the time lost. In those countries that had been spied on – and supposing that some agents hesitate to play the same game – we can also rest assured that any hesitation has now been dispelled. Economic intelligence (the polite term for spying) has a bright future ahead.
Up to the end of the Cold War period, economic spying generally revolved around East-West issues and was aimed mainly at the defence sector or aeronautics, even if, on the Western side, a few affairs amongst friendly, allied nations were reported in the 1980s, throwing light on certain practices that went back a fair amount of time. But the principal change came with the collapse of the USSR, such that by the end of the Cold War, the various State intelligence services were on the lookout for new missions to accomplish.
This period, moreover, saw a more lenient connotation for the expression “economic warfare.” Thus, we tended to talk less about enemies and more about competitors, the latter comprising the other economic powers of the planet, all vying for market slots in a global market. The French military take some pleasure in saying that “we have allies but no friends,” the American services deem that they have no friends, just targets. Texts such as the Federal Industrial Espionage Act of 1996 frame and confirm the new arrangements and line-up for the US security services.
The sudden upsurge of digital data processing and storage brought with it a series of new techniques and new fragilities, with new actors including the (in)famous hackers who, like the pirates of yesteryears sail the seas (the Internet world) under their flag or, occasionally, even offer their services to States. Techniques in today’s espionage, apart from being used to hack through protected computer system backdoors and in the hands of private actors some of whom come from the State’s intelligence services, have been gradually but increasingly been applied to open sources. This shift in practice has led to a prolific sector known as “economic intelligence,” viz., economic information used for private purposes. Any piece of information that is processed and analysed becomes “information” in military parlance, but the same logic holds in the private sector. The issues involved are all the more tricky that legislation in this field takes time to become enforceable. Certain a priori anodyne questions had to be dealt with, e.g., does making a copy of a data file constitute legal theft? Can a non-authorized access to a network be compared to a physical break-in? And, in this case, who is responsible? Is it the software editor, or the head of the hacked data processing service, or the imprudent user? Given that hackers often operate from foreign countries, would this not call for transnational jurisdictions? So far, questions like these and others have only received jurisprudential answers and the spirit of law has depended on the wisdom of the courts in which cases have been raised. The very definition of cyber-criminality, a term covering all forms of penal misdemeanours using or targeting information processing infrastructures, seems somewhat restricted.
No company, no commercial/industrial/financial sector escapes the hackers’ attention. July 2013, the World Federation of Exchanges reported that half of the 46 exchanges it surveyed had been victims of cyber-attacks in the previous year. In a Financial Times article, in the same year, the Depository Trust and Clearing Corporation, which processes large securities transactions for U.S. capital markets, described cyber-crime “as arguably the top systemic threat facing global financial markets and associated infrastructure” (see in Paris Tech Review: Cyber crime: the Achilles heel of the business world).
Omid Nodoushani and Patricia A. Nodoushani, in a now benchmark, key-note article they published in 2002, coined the expression “The dark side of the digital age.” State authorities themselves are party to such practice, notably via their own counter-espionage programmes and the fight against terrorism that have enabled the counties to develop and implement some very efficient tools. If the NSA is a service that, at least partly, serves private enterprise concerns, it is not the only intelligence agency “on the market.” If it can be observed that the USA have shown themselves to be in a proactive assault-mode, with the help of the United Kingdom (the UK GCHQ’s Tempora programme) or Italy, they in turn undergo notorious attacks from other countries such as China, Israel, France or Germany. There is only one rule for the players – do not ever get caught! Since every country round the world is a covert player, complying with its own set of rules i.e., impossible to “govern,” there is at least one area where a State can legitimately take action: to defend national enterprises against attempted systems intrusions or espionage, or in a larger framework, defending its enterprises against corporate take-over bids.
We often ignore the fact that the first and foremost way to acquire technological secrets is to purchase them (e.g., by buying out the proprietary owner/company). Of prime importance here is the field called “critical technologies” or “sovereign technologies” and it has become a highly sensitive topic. Traditionally, they are to be found in the defence sector, but today the scope is far wider and includes technologies that underpin the “vital interests” of a country: in the defence sector but also in energy procurement, ICTs, aerospace…
In France, the so-called ‘Gemplus affair’ left its scars, which we can recall: towards the end of the 1990s, when Gemplus was a prosperous, dynamic company producing smart-card patents, SIMs, its executives envisaged registering the company on the stock exchange to raise funds, not only to ensure new corporate developments but also to compensate for the end of the public authorities’ incentive subsidies. They were contacted at this time by Texas Pacific Group, an American investment fund, who offered 550 million euros to acquire 1/3 of the shareholder votes, plus the CEO’s position and a shift of the Home Office from France to Luxemburg. Once a certain number of financial packages were enacted, the introduction of Gemplus on the US Nasdaq exchange went through so well that the now American executives considered delocalizing the company’s head office to the USA. This led to a spate of panic among the historic founders and also at the level of the French state authorities who realized that the moves aimed at transferring the patent rights to the USA. The manoeuvre was stopped just in time by the French Ministry for Industry and Finance but the rot had clearly set in. However, the case did serve as an electro-shock.
In France, as elsewhere, the question of the means at the State’s disposal to defend enterprises who have developed so-called critical technologies, often with direct or indirect public funding, is now on the table. Numerous domains are concerned, but the enterprises concerned are generally ‘majors’, characterised by investing a lot in R&D. In an open economy, with international regulations, where public authorities cannot in fact interfere or intervene because such action would impact on investors’ security, State possibilities are somewhat restricted. There is also the question of scales of data: the human, technical and financial resources that a State can assign to this task are not always adequate to the challenges.
Beyond critical technologies, there is also the question of how a country should defend its technical and technological interests in a wider connotation, viz., those technologies and processes that procure a competitive edge in the world market-places. Industrial secrets of this order are not only sought after by States, but also by a much more varied range of economic actors, from Mafioso organizations to multinational corporations or holdings, not forgetting the militant hackers defending various ‘moral’ causes…
If a few affairs have made the headlines in a resounding manner, it is because it is rare to see spies being caught in the act, although there are many more such events than one would think. “Every year,” explained Olivier Buquen, French Interministerial Delegate for Economic Intelligence, in an article published in Le Monde daily newspaper (Oct.6, 2012), “the French State monitoring services have registered close on a thousand attacks on enterprises.” Such attacks often have the same objectives/results – theft or loss of digitized data – in document or software formats. In the most recent case, BMW was caught red-handed spying the battery recharging system designed and supplied by Bolloré for Autolib’ vehicles (shared electric cars), where Jules Varin, spokesman for Bolloré admitted that “for the moment Bolloré do not know exactly what information had been extracted from the charging posts or indeed even what technologies were used to do this. To start, you need a special key to access the posts, but after that the information is there.”
An economic war is above all else an information war. Whereas before, wars were waged for possession of patent rights – and this forced a certain level of visibility (the competitors knew each other and also knew the methods employed) – now they take a new form in cyberspace and the operations engaged become more covert. The digitizing our information heritage has brought with it at least one serious setback: increasing numbers of malevolent persons are tempted to gain unauthorized access. And in addition to industrial spying, we now see new economic criminal trends, from simple personal account phishing to blackmail and even demands for ransom. Companies such as Apple or Dominos Pizza recently came under ransom attacks.
The possible economic damage is potentially serious. Economic value pilfered by cyber-criminals in 2013 amounted to some 190 billion euros. And, as Hervé Guillou, Chairman of Trust and Security Industries Council (France) noted in an interview given to ParisTech Review, these figures only relate to “direct losses,” adding that “Sony Corp., for example, suffered a theft of some 1.5 million credit card ID data, worth 150 million euros in direct value. But Sony then claimed 1.3 billion $US compensation from its insurance company to cover the complete shut-down of its server, infested with criminal e-trade operations, for modification of the data processing system and the public relations campaign the company had to organize to restore trust.”
Information carries the same value whether it is expressed in content or in support. Hackers are showing interest in industrial secrets and simple data stores where ransom money can be demanded to restore access. Sensitive information in any format and whatever the objects/processes involved must be protected physically and legally via appropriate software applications.
But any law has its limits. As Hervé Guillou puts it, “even if you want to attribute a cyber-attack, you do not have the legal means to prosecute since there are practically no international laws that apply to the Internet. One of the rare international treaties in the field, the Budapest Treaty, refers to Internet in the fight against paedophilia. This is nowhere near the volumes of texts that regulate air traffic, space exploration or the seas and oceans. Victims today are in the same sort of situation as Spanish galleons in yesteryears. More and more wealth is being transported over the Net. Private persons ‘reveal’ their banking data. Design offices exchange their intellectual property. Industrialists even have their production tools on the net, with interconnected factories and suppliers connected via the e-supply chain and e-storage, their clients through e-commerce, manpower resources are managed via e-Manpower packages. Victims are static and try to make themselves known with an attractive portal web site! For the assailants the number of doors before them is growing exponentially.”
While international jurisdictions have limited powers and scope, the local authorities nonetheless still have some leeway to take action. Firstly, they can invest in cyber-security. In 2011, the British Government, for example, moved ahead, earmarking close to 1 billion dollars to reinforce protective measures for existing information processing systems; a special Scotland Yard cyber-crime squad and a platform for counter-measure information exchanges were set up.
The American Government is also viewing cyber-crime as a major issue demanding federal attention. While closely monitoring the levels of security protecting sensitive infrastructures, President Obama, February 12, 2013, signed a presidential order, called Improving Critical Infrastructure Cybersecurity... widening access for the private sector to information related to potential threats to US national interests and strongly encouraging government agencies to create and implement a set of standards.
In France, a draft law, proposed by MP Bernard Carayon, on protection of sensitive information, was almost voted in 2012. Initially the draft was a right wing proposal, approved and seconded by the parliamentary left wing, thus assuring consensus of both sides of the House. However, the draft bill is still bogged down in the Upper House (Senate) because of the sheer legal complexity involved. Solicitor Olivier de Maison Rouge explained to Les Echos (a daily newspaper) that “industrial espionage is not per se a legal qualifier inasmuch as there is at present no related, legally framed text in the French Penal Code of Law or in the Code of Intellectual Property Rights.”
And yet a law of this nature represents a strong expectation of any industrialist working in the so-called sensitive sectors. “It could act as an important deterrent to cyber-criminals” says Régis Poincelet, Director of System Security at the French [energy-water utility] GDF-Suez, “and, above all other considerations, it would force enterprises to ask themselves to identify what sensitive data should be protected, and how should they go about it. If only this happens, it will be a good thing to have such a law voted!”
Over and above energy-related activities, sensitive as they are in their own rights, GDF-Suez has a subsidiary Cofely Ineo and, to be more specific, the company Ineo Defense. The latter, which designs and produces radio and radar equipment, is especially aware of data security issues, as a subject that lies their own interests and more so for their client companies and the country’s armed forces. Thomas Peaucelle, Deputy CEO for Cofely Ineo, explains: “As specialist of the ICT world, we are particularly conscious of the fact that information is a strategic asset, the value of which depends largely on the time it takes to transmit/forward it to the correct addressee(s). This intrinsic feature become totally relevant in a military context, but can also be seen as valid for an entrepreneurial application.” This is a fairly logical stance for a company that “is an active operator in all Homeland Security components” reported the Video Surveillance site.
The French aeronautics corporation, Dassault is highly involved in cyber-security via its subsidiary Dassault Systems who also adopt this holistic vision of security questions. As Jean-François Bacherot – in charge of security measures at Dassault citation – puts it: “Defending our systems against malevolent intruders is the structuring logic […]. Our areas of application are the physical assets of the company, naturally, and also the immaterial, moral or other, assets and our work-force (manpower resources). […] Controlling security-intensive data depends above all else on a dual competence: assessing the value of information and knowing the characteristics of possible cyber-threats”. In enterprises faced with similar challenges, protecting the “information business” focuses on the information processing systems and networks, plus the set of risks associated with “cloud computing” and storage. For the time being, the advantages in setting up sufficient protection outweigh the inconvenience of doing so: it is difficult to lose or to have documents stolen when they are only accessible on a single sufficiently protected server. In contradistinction, once an intruder has gained access, there is a ‘serious’ risk of access to all sorts of information, unless they are separated by internal server firewalls
The oil company Total reviewed and rebuilt its data processing systems concomitant with the merger between Total, Elf and Petrofina. “Two factors”, explains Patrick Hereng, Director of the Data processing and Telecoms systems at Total, “led to the transformation of our security infrastructures: on one hand, there was the professional mobility of our staff and their need to be able to access the data bases from anywhere, via any device; on the other hand, the concept of the extended company, with its ‘dematerialized’ data flow and a growing traffic between the processing sites and machines between customers and suppliers. All of this tended to make the frontier between “inside” and “outside” increasingly difficult to define and for these reasons we re-thought the entire systems architecture and the associate security devices and measures.”
The systems security manager for Dassault Aviation summarizes best the current situation: “The challenge is simple; it is called competiveness and it is a timely state of affairs, all the more so that the word itself is trendy today.” Although we have taken too much time to become fully aware of the situation, it is never too late to learn … and act accordingly.