There are less sophisticated, but still effective methods for stealing information. Espionage could
involve breaking into buildings and offices to steal the desired information. Industrial spies will
go through locked and unlocked office spaces, search file cabinets, examine unprotected
computer systems, etc. If a person knows where the targeted information is located, it could be
extremely profitable for them to commit a simple break in. Spies will also go through trash
dumpsters and other garbage containers to gather information. While many people think that this
is ridiculous, it is extremely effective [4, 8].
If a company has people that travel frequently, it is very possible that their travelers could be the
subject of sophisticated surveillance efforts. U.S. executives have reported that their hotel rooms
appear to have been searched, that their telephone calls have been monitored, etc [7]. The value
of the information that they know, ultimately drives their risk of being watched by adversary
organizations.
I have left the discussion of technical collection methods for last, not because it is unimportant,
but because the focus on technical countermeasures causes major security vulnerabilities with
regards to the other information security disciplines. Industrial spies can collect information by
computer hacking, tapping telephones, sophisticated cryptanalysis efforts, etc. There should be
dozens of other papers at this conference describing technical intrusion methods in detail.
Industrial spies use all known methods of technical information collection. Due to the
effectiveness of currently known methods, it is unlikely that they have to develop any new
methods.
Clearly, computer intrusions can yield a tremendous amount of sensitive information, however it
is the goal of this paper to stress that it does not matter how much information an industrial spy
ring obtains, but what information they obtain. A single document can be worth billions of
dollars, and it does not matter if the information is found in a computer or in the garbage [4, 8].
In many cases acquiring terabytes of data can hinder the collection of a single document, because
of the difficulty of data reduction.
Preventing Industrial Espionage
Since the methods used by industrial spies are the same as those used by traditional spies, the
countermeasures used to prevent traditional espionage can prevent industrial espionage [7].
There is a great deal that commercial organizations can learn from Department of Defense
security practices. While I am not advocating total adherence to DoD standards, companies must
employ a level of countermeasures that are justified by the potential losses that the company can
suffer. For many firms, the potential losses can easily be valued in the billions of dollars.
Information security efforts must therefore address comprehensive countermeasures, that are as
comprehensive as the methods employed against them. There are four parts of a comprehensive
security effort that enhance and support each other: Technical, Operational, Physical, and
Personnel Security. This paper introduces the concept of comprehensive security. It is strongly
recommended that other papers follow up on the following concepts.