
Is corporate espionage undermining your business?
Pentura's Giri Sivanesan warns that with the emergence of global markets and global competition, espionage has evolved and taken on a new meaning. Businesses are now the target of espionage, carried out by businesses or states or state-sponsored businesses.
In 2009, espionage attacks on private sector businesses were a dominant feature on information security news wires. In February, the British press reported that a technology house had misplaced a prototype phone, prompting fears that the phone was the target of competitive espionage. In April, an electronic espionage network dubbed 'GhostNet' was reported to have penetrated the networks of hundreds of organisations worldwide. In May, the French newspaper La Tribune reported that a major aircraft manufacturer had uncovered several attempts at espionage at its plant in France. By December, both the UK and US governments had voiced their plans to secure national infrastructure from electronic or 'cyber' espionage attacks with the creation of an Office of Cyber Security (OCS) in the UK and a Cyber Security Office in the White House.
The litany of espionage attacks affecting established commercial organisations in 2009 has raised the profile of espionage to new heights. Many people assume the threat of espionage has disappeared. They associate it with the Cold War. They think of novels by John le Carré and Len Deighton. Of course, the threat has not disappeared. The Director General of MI5 said in a speech a couple of years ago that there were more foreign intelligence officers operating in London now than at any time since the end of the Cold War. With the emergence of global markets and global competition, espionage has evolved and taken on a new meaning.
Businesses are now the target of espionage, carried out by businesses or states or state-sponsored businesses.
Even so, businesses will assume that espionage is a threat that does not fit on their risk register. They believe that espionage is about stealing state secrets, information about foreign policy or defence or military research. It is not just about this. For private sector business, the threat of espionage is about protecting intellectual property, business proposals, evidence to support legal activities or other confidential information from competitors.
Espionage might involve covert techniques and sophisticated types of technical and non-technical attacks. The abundance and availability of business and commercial information online or through commercial press sources means that espionage attackers can identify particular networks, computers or individuals to target, often by aggregating lots of disparate bits of information.
There are other challenges too. Some businesses have become so complex that countering the threat of espionage is a challenge in itself; in others, the gulf between decision makers and those responsible for looking after the information that their business depends on is too wide. These organisations seem to live in the hope that their business-critical information is adequately protected even from sophisticated attackers.
Businesses can be forgiven for thinking they have enough risks to manage without adding another one to the list: flooding, flu, crime, hacking, employees who do not comply with the rules and accidental data loss. It might be right for a business to accept the risk of espionage, but it cannot make that decision wisely unless it is aware of the potential threat it faces. As the number of organisations that have been financially impacted by espionage grows, the need to address it is becoming ever more acute. Up until now, there has been very little in the way of professional services to help organisations wanting to address espionage proactively; rather, the risk-mitigating activities have been reactive and always newsworthy.
Counter-espionage is about identifying the vulnerabilities that might be exploited by a competitor and putting in place controls to mitigate those risks.
Giri Sivanesan, Senior Security Consultant, Pentura, www.pentura.com
































