1996 Congressional Hearings
Intelligence and Security
Testimony of Richard J. Hefferman, CPP, President
R. J. Hefferman and Associates, Inc.*
with regard to Economic Espionage before the
Subcommittee on Crime, Committee on the Judiciary
United States House of Representatives
May 9, 1996
Mr. Chairman, I want to thank you for inviting me here today to testify with regard to the extent and severity of economic espionage affecting our nation's interests. More than that, I want to thank you and the members of your Subcommittee for helping to open a public dialogue on this issue. For the greatest danger to our nation today is not, in my opinion, on the military battlefield, but in the complex and shadowy world of economic espionage.
Who is at risk? If you have a competitive advantage over others in the products or services that you develop, manufacture or supply, your business and technical information is at risk from those adversaries who are seeking unearned competitive advantage by the fastest means -- theft of your intellectual property. We are in an era where the national interests of global competitors are increasingly focused on achieving an unearned advantage over their competitors at almost any cost.
In recent months, the United States Senate and the Department of Justice either have introduced or proposed legislation to prohibit economic espionage and to provide for the protection of United States proprietary economic information. I strongly support the stated goals of these bills, and I believe that most other professionals in private security would, as well.
The problem these laws seek to rectify is real. We in the private security management field, who are charged with protecting both tangible and intangible assets of corporations and other institutions, live with it every day. Even so, because incidents of intellectual property theft do not always fall into existing criminal classifications, corporations are limited in their ability to seek legal redress in the courts (i believe that intellectual property losses to U.S. companies constitute a threat, not only to America's economic strength, competitiveness and jobs and standards of living, but to national security as well.)
Until recently, existing criminal statutes were sufficient to prosecute most thefts of corporate property because most corporate property was tangible. Likewise, national security laws were sufficient to prosecute theft of classified government information. The era we entered only recently, however, is one of rapidly and dramatically changed circumstances. A Fortune magazine article published in October, 1995 compared the proportion of tangible and intangible assets of U.S. manufacturing companies between 1982 and 1992.
In one decade, tangible assets dropped from 62 percent of the market value of these companies to only 38 percent. Clearly, intangible assets are a large and increasing part of corporations' market value. I support the view that criminal statutes require modification to prevent and punish the theft of these intangible assets, and that national security laws go beyond the scope of "state secrets" and take into consideration the effect on national security posed by the exposure to foreign pilferage of nearly two-thirds of our corporations' asset base.
Just two months ago, the American Society for Industrial Security, or A.S.I.S., released its third and latest biennial report on "Trends in Intellectual Property Loss." This 1995/96 report was written by Dan T. Swartwood and me, and sponsored by A.S.I.S., with the support of the National Counterintelligence Center (NACIC) and the A.S.I.S. Committee on Safeguarding Proprietary Information.
Its results are based on a survey of the security officers of 325 American-based companies covering almost five percent of American workers and almost nine percent of the nation's $7 trillion gross national product reported for 1994. Among the respondents, which we believe constitute a representative sampling of American businesses in the manufacturing, services and high-technology fields, the incidence of information loss is illustrative and alarming.
- There has been an increase of 323 percent in the number of intellectual property loss incidents reported per month, from an average of 9.9 incidents to an average of 32 incidents, since the 1992 survey.
- The financial impact of the 700 incidents reported by the 325 respondents was valued at $5.1 billion ($731,000 of loss per incident on average). From this, we might extrapolate that potential losses from intellectual property theft for U.S.-based companies are in the range of $24 billion annually. Please understand that this is a crime that is vastly underreported. Queries of corporate legal departments, where incidents of patent, copyright and trademark theft often repose, may result in considerably higher figures.
- Sixty percent of the financial losses came from the loss of strategic plans, R&D and manufacturing process information.
- Now here is a particularly interesting finding. For years, the general
belief has been that the most significant threats to proprietary
information were from external sources. If we follow that conventional
wisdom, we will fail to address our most significant threat, the
"insiders." In three-quarters of the reported incidents, the persons known
or suspected of having caused the information losses were those with a
trusted relationship with the company, such as: employees, ex-employees,
retirees, contractors, temporary hires, vendors, suppliers, consultants and
business partners. As Director Freeh stated in his February 28th testimony,
"An intelligence collector's best source is a trusted person inside a
company or organization whom the collector can task to provide proprietary
or classified information." The remainder of information losses were from a
variety of sources, including: domestic competitors, foreign competitors,
foreign government (intelligence) personnel, computer hackers, information
brokers and the media.
Previous espionage arrests confirm the targeting and use of insiders by foreign interests. From June, 1975 through December, 1991 there were 102 arrests for espionage. Of these, 56 individuals were volunteers for the other side; ten were recruited. All 66 had one thing in common. They were insiders with access to classified and proprietary information.
- Our survey further found that, while 73 percent of incidents took place in the U.S., 47 percent of those taking place overseas were in three countries: England, Canada and Germany.
- The top five foreign nationalities of those persons known to have caused information losses were Chinese, Canadian, French, Indian and Japanese.
Those are the major findings of our survey, and a copy of the complete report has been provided each of you by your Subcommittee staff. I will welcome any questions or comments you have regarding the survey.
In considering legislative approaches to economic espionage, you are breaking new ground in the most figurative sense. For there is little ground here. One commentator once described the Internet as "the ethereal message center." "Ethereal" could well apply to the entire realm of intellectual property in all its forms, as well as the means, resources and techniques being developed daily to steal it. I, and I believe my colleagues in private security, welcome the intent of the Congress in resolving this problem. Measures such as those proposed in the various Senate bills and by the Department of Justice will aid in the deterrence, detection and prosecution of intellectual property crimes by lending shape and substance to what now is a disconcerting and damaging void in policy toward crimes against American creativity and ingenuity.
Appropriate amendments to the National Security Act and Title 18 of the U.S. Code are only part of the answer, however. They will provide the legal framework for combating the industrial espionage threat, but American business must do its part. Espionage is preventable and corporate management has a responsibility to act. It has a fiduciary responsibility to shareholders to take reasonable and prudent steps to safeguard intellectual property assets.
An independent review of a company's Safeguarding Proprietary Information, or S.P.I., Program can help ensure that: current threats are addressed; that legal prerequisites are satisfied concerning due diligence and proprietary and trade secret status; and that corporate officers or managers are fulfilling their responsibilities of providing required care for intellectual property assets. Not only does management have a responsibility to protect these assets for shareholders; it has a responsibility to its employees, customers, suppliers, and the corporation's part of the national economic base. Of course, in the case of many firms whose intellectual property has direct or indirect defense value, corporate management has a share of responsibility for the nation's security. The recent A.S.I.S. report revealed that only three-quarters of the responding companies have formal programs for safeguarding proprietary information. Of those, less than half have written information security policies and procedures; only 40 percent identify, classify and mark proprietary information; and only 15 percent monitor the use of the Internet and networks. Clearly, companies need to better understand evolving threats to information.
The insider issue is one we must not ignore. We need to focus on transforming employees from being part of the insider problem into an integral part of the solution. Employee participation in efforts to preserve their companies' present and future competitive advantage can help create increased job security for themselves and others. Many employees do not readily identify with their companies' financial goals. They do, however, strongly identify with issues affecting continued employment and job security. The link between job security and protection of intellectual property must be explained and emphasized.
Prevention programs must address constantly-evolving threats and collection methods. According to the 1995 Annual Report to Congress on Foreign Economic Collection and Industrial Espionage, specialized technical espionage operations include computer intrusions and telecommunications targeting and intercept. These activities account for the largest portion of economic and industrial information lost by U.S. corporations. The targeting of proprietary information, especially in electronic formats, is increasing daily. There is no limit to the ingenuity that information thieves bring to the task. Some even combine new technology with old-fashioned thievery.
I have warned sales and marketing executives of the targeting of notebook computers during travel and in offices and hotel rooms. "Notebook nabbing" is becoming one of the ways in which thieves are targeting corporate proprietary information. Roughly one in every 14 notebook computers was stolen during 1995, according to insurance industry sources.
Finally, coordination and cooperation between public sector law enforcement and private security is critical. Much improvement has taken place in this area in recent years. The DECA Program, which is an effort of the Federal Bureau of Investigation, is one example. DECA stands for "Development of Espionage, Counter-intelligence and Counterterrorism Awareness." The American Society for Industrial Security has endorsed the program; a number F.B.I. participants have become members of A.S.I.S.; and other A.S.I.S. members actively participate in exchanges of information through DECA. Much to the credit of both these organizations, they have opened a dialogue on certain key issues between those responsible for preventing crimes against our corporations and institutions and those responsible for enforcing the nation's laws. Much more of this needs to be done at all levels.
In combating economic espionage, mutual respect and understanding between the public and private sectors are vital. American businesses and other private institutions must know that the Congress and federal agencies are on their side, that they can report incidents of economic espionage without undue penalties in the courts or in the marketplace, and that the makers and enforcers of laws will be their partners in seeing that justice is served.
Whatever can be done to attain this goal -- to improve public-private cooperation in the fight against economic espionage -- should be done. There must be a partnership between the security managers of corporations and other institutions; representatives of law enforcement and counterintelligence agencies; and you, the Members of Congress. Because you are responsible for our laws, and because economic espionage will take the law, as it has technology, into new areas, your participation in the process is critical.
While I am enthusiastic about the goals of the legislative proposals we have seen thus far, I know the proposals themselves are not perfect. I have noted features in all of them which pose potential problems for U.S. corporations and other owners of proprietary information. The American Society for Industrial Security has analyzed the proposals on behalf of its members and identified the same concerns. Most important, I believe, is that there should be no disincentives in the law to the reporting of incidents of economic espionage.
The two major disincentives relate to disclosure and recovery. If an owner of stolen proprietary economic information believes that information may be disclosed during prosecution of the thief, the owner has a disincentive to initiate that prosecution. The law should allow the owner of the proprietary information to petition for issuance of a protective order.
Furthermore, I believe that the proceeds from the theft or unauthorized use of proprietary economic information should presumptively be the property of the owner, not of the United States Government. If the law does not permit the owner to recover the proceeds derived from the theft, or requires detailed court proceedings to do so, the owner has a disincentive to initiate prosecution. At the same time, any forfeiture provisions should not prejudice the rights of a corporation that has been convicted of economic espionage due to the unauthorized actions of an employee. Nor should a corporation which did not authorize an act of economic espionage by its employee be denied the ability to import and export.
These factors should be carefully considered so that the resulting legislation either does not address the problem by driving it further under the surface or does not have unintended effects which are inimical to the corporations and other institutions it seeks to protect, and therefore the nation's economic well-being. Nonetheless, I applaud the intent of these proposals and the focus of both legislative and executive branch attention on this serious threat to America's future.
With your help, this is a war we can win. Thank you for inviting me to testify here today. I believe I speak for all private security professionals in saying that we look forward to helping you in any way we can as you go about this important work.
Richard J. Hefferman, CPP
Mr. Hefferman is a management consultant for corporations, institutions & government with over 25 years experience. He is the president of R. J. Hefferman Associates Inc. based in Branford, CT. He holds the Certified Protection Professional Designation (CPP). He is a recognized expert in the Prevention of Business Espionage including Technical Surveillance Countermeasures (TSCM) as well as specializing in risk analysis, program design, development and implementation of security solutions concerning the protection of People, Property, Information and Communications.
A member and past chairman of The National Standing Committee of Safeguarding Proprietary Information of the American Society for Industrial Security (ASIS). He is the originator and co-author of three industry surveys including the Trends in Intellectual Property Loss, Special Report (ASIS, March 1996).
He has served as a consultant on National Security Affairs to the FBI National Security Division and as a member of the Industry Council for the National Counterintelligence Center (NACIC). The recipient of several citations and awards including the ASIS Presidents Award, FBI Director Freeh has cited Mr. Hefferman for his continuing work with the intelligence community to improve the security awareness level of senior business executives.
* R. J. Hefferman and Associates, Inc., is a consulting firm in the field of information and communications security. The firm is located at 15 Bear Path Road, Branford, CT 06405. The telephone number is 203-488-2235. On February 28, 1996, The Honorable Louis J. Freeh, Director of the Federal Bureau of Investigation, testified before the Senate Select Committee on Intelligence and the Subcommittee on Terrorism, Technology and Government Information of the Senate Committee on the Judiciary. At that time, he very clearly and accurately assessed the need for action. He said, "There are gaps and inadequacies in existing federal laws which necessitate a federal statute to specifically proscribe the various acts defined by economic espionage and address the national security aspects of this crime."
|Join the GlobalSecurity.org mailing list|