Counterintelligence for U.S. Companies Operating Abroad

By Sarah Morningstar

Sarah Morningstar is a senior advisor at Threat Pattern, an intelligence and security company that assists corporations and high-net-worth individuals in countering internal and external threats. Previously, she served as an analyst and manager in CIA's Directorate of Intelligence where she authored a wide range of products—including for the President's Daily Brief. While at the CIA, she was also a counterintelligence analyst focused on techniques for validating sources; particularly in high-conflict areas like the Middle East.

In January, the CEO of American Superconductor publicly detailed how traditional economic espionage methods carried out by a small Chinese firm resulted in over a billion dollars in loss to his company. Since at least 2011, much attention has been given to the rampant cyber espionage threat against U.S. firms, ultimately pushing U.S. businesses to improve their cyber security measures. Yet, global U.S. companies, like American Superconductor, also need to be prepared for non-cyber economic espionage tactics, because they are a relatively easier target given the general lack of legal consequences for this form of spying.

According to the Federal Bureau of Investigation (FBI), the impact of economic espionage on U.S. companies is valued between $200 billion and $1 trillion, and the threat is only growing as foreign companies and countries attempt to obtain information or technologies to increase their market share, build their economies, or modernize their militaries.  

There are numerous tactics used internationally to steal U.S. intellectual property. The following are examples of some of these tactics used in countries where U.S. firms operate:

  • In the American Superconductor case, the Chinese firm, Sinovel, recruited an American Superconductor employee, who was based in Austria and spent a lot of time in China. In exchange for source code, Sinovel offered the employee women, money, an apartment, and a new life.  Chinese authorities refused to investigate the case.
  • Some countries have been able to intercept a company’s telephone calls through state controlled phone companies. In Japan, for example, the Ministry of International Trade and Industry allegedly listens to the phone lines of American firms there under an agreement with the Japanese national phone company.
  • Spies hired by a group associated with a Russian business competitor appealed to a British employee’s sense of patriotism to provide them with sensitive information about a global firm operating in England. The corporate spies suggested they were British intelligence officers and convinced the mid-level accountant that the information he provided was for the British government.
  • In South Africa, a UK based Tobacco company allegedly ran a network of agents to spy on rival organizations.  The spies were able to plant a tracking device on a truck belonging to one of the company’s rivals, accompany South African state agencies’ officials on raids on the premises of competitors, bug the meeting of the Fair Trade Independent Tobacco Association, and gain access to information on the government’s investigation into tobacco company’s activities.

In many other countries, local nationals and domestic businesses are subject to less legal restraints for industrial espionage targeting foreign companies than in the U.S. The U.S. Economic Espionage Act of 1996 criminalizes the misappropriation of trade secrets; however, it is only applicable if the offense is committed in the U.S. or the violator is a U.S. person or organization.

Other countries similarly prohibit economic espionage under national law, but law enforcement confronts difficulties because the offenders include foreign governments. Similarly, using extradition or mutual legal assistance treaties proves ineffective when the requested state is sponsoring the acts. In 1996, for example, Russia adopted a law requiring its intelligence services to “assist the country’s economic development and scientific and technical progress.”

International law bodies relating to espionage issues, such as rules on armed conflict and on diplomatic relations in peacetime, do not prohibit economic espionage.  Additionally, state sponsored economic espionage indicates that these activities do not constitute wrongful acts triggering state responsibility under international law.

The Agreement on Trade-Related Aspects of Intellectual Property Rights of the World Trade Organization (WTO) requires each member to protect intellectual property rights within its territory, yet WTO members have generally not demonstrated a willingness to address economic espionage within the WTO, according to the American Society of International Law.

Economic espionage activities against U.S .corporations operating abroad are expected to accelerate as the number of targets increase, with more U.S .companies moving their headquarters overseas. U.S. firms moving their headquarters abroad have increased by 61 percent over the last decade, according to Bloomberg News and are expected to continue to rise as U.S. firms look to take advantage of cheap labor, expand their market share, and avoid relatively high American corporate tax rates.

Developing holistic counterintelligence (CI) security procedures is critical for mitigating economic espionage threats abroad. There are five strategies global U.S. businesses should consider including in their comprehensive CI program in order to reduce their risk of economic espionage.

  • Controlling Information. Firms operating abroad should take extra precaution when discarding sensitive information since many countries do not have laws to deter dumpster diving. Firms should shred all documents, and items that contain sensitive information should be completely destroyed, such as by burning them in an incinerator, since shredded documents could be recovered by a motivated spy.
  • Compartmentalize Sensitive Information. U.S. firms should consider technological enforcement of their access policies to take away the employees choice about whether to comply. For example, companies could set the appropriate permissions on data files and folders, and set up auditing on files and folders that contain sensitive data. To further limit access, some firms have opted to move their top management’s offices away from other employees, create access control offices, and hold their board meetings in secret locations.
  • Employee Vetting. Procedures for conducting background checks on foreign employees should account for local culture, laws, and regulations. Each country has its own laws and processes to govern what information can be legally obtained, how it can be transmitted, and what information is required to complete a background check. In Hong Kong, for example, employers cannot request a criminal history from government authorities, but applicants can get it for themselves.
  • Employee Monitoring.  U.S. firms should monitor and conduct periodic security evaluations of their employees even after they have initially been vetted. Some firms have taken this a step further and have opted to “test” their employee’s loyalty. For example, in India, corporate espionage is so prevalent that some companies hire “mystery vendors” to meet with their own employees to gauge how workers behave toward outsiders.
  • Reporting Suspicious Behavior. Global firms should have a system for employees to anonymously report suspicious behavior either by their colleagues or local nationals. The FBI has published a list of questionable behaviors that should be reported, because they could indicate an employee is spying and/or methodically stealing from the organization. 

Related Articles