From the AEGIS e-Journal, Volume 6 Number 10, October 2003
Sticky Fingers: Managing the Global Risk of Economic Espionage Steven Fink Dearborn Trade Publishing ISBN: 0-7931-4827-8 368 pages $26.00 http://www.dearborntrade.com/ 1-312-836-4400 Before we started reading Sticky Fingers we though it was a book about economic espionage. Although anyone dealing with this issue of economic espionage should read this book, it is really more about crisis management after the fact than about economic espionage per se. Fink takes an interesting historical view of the Economic Espionage Act of 1996. The EEA was written in that unhappy period that came between the fall of the Soviet Union, which took away a lot of the justification for many agencies’ existence, and the attacks of 9/11, which was arguably the best thing to ever happen to most agencies. Overseas, intelligence agencies were re-tooling their spies to steal commercial secrets rather than retiring them (bureaucracies don’t willingly cut staff or close their doors), and in the U.S. the FBI was casting about for some way to use its people once the Red Menace disappeared (bureaucracies don’t willingly cut staff or close their doors). And so, according to Fink, the EEA was born. ÆGIS, OCTOBER 2003 12 His discussion of his involvement with the Avery Dennison trial is instructive on many levels, not least of which is bringing up the question of whether you should go to the Feds if you are the victim of espionage, or just accept your losses. Why would you not go to the Feds? • The publicity won’t do you a lot of good: There is little way you can escape looking foolish. • The FBI has its agenda, which will not be the same as yours. • You will lose all control of the investigative, prosecutorial, and public relations process. • If the country conducting the espionage is an important trading or military partner, the likelihood of the Feds choosing to create an international incident to protect your profits is, er, low. • While the FBI is the best in the world at many things, it is not clear that going to trial over theft of intellectual property is one of them. Going to the Feds or not going to the Feds is not an easy decision to make, but it is one that you should make well before a crisis hits you. And, in fact, there are a lot of decisions relating to the management of an economic espionage incident that are better made before the fact rather than after the fact. This book will help you make these decisions, as well as help you plan in advance for many of the things that will happen as a result of being the public victim of this crime. Steven Fink has a lot of hard-won experience as a crisis manager, and it is always better to learn from someone else’s experience rather than learning from your own mistakes. Microsoft Security Notification Service Microsoft http://register.microsoft.com/regsys/pic.asp Whenever a major worm or virus sweeps through the world, it usually turns out that the offending vulnerability (usually a Windows vulnerability) has been known for a relatively long period of time, and that there were available patches from Microsoft to deal with the problem, and prevent it from actually becoming a problem. ÆGIS, OCTOBER 2003 13 While the updates are posted at sites such as http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/, many people don’t know about this site, and, frankly won’t bother to look at it in any case. For those who would like to make the effort to keep the security of at least their own systems current, Microsoft will cheerfully send you, for free, an e-mail whenever there is a security update. You can sign up for this service at http://register.microsoft.com/regsys/pic.asp. What does this mean in practical terms? It means that whenever there is a patch available to address a vulnerability, you will know about it, and have the option to apply it within hours of its release, before it is a danger, rather than waiting until after it makes the headlines, or you find strange things happening on your computer. Be aware that bad people send out notices purporting to be from Microsoft: We got one claiming to be from “MS Customer Services” which contained a virus, according to our virus scan. How can you be sure that the document you get is from Microsoft? The security bulletins come as PGP signed documents. You can download the signature from http://www.microsoft.com/technet/security/notify.asp and import it into your PGP key ring. This way you can validate the document as being actually sent from Microsoft. If computer security is a concern to you, you should sign up for this free service from Microsoft. 7. Free-Subscription/Unsubscription/Copyright Information •• ÆGIS e-journal is supported and maintained by voluntary efforts. This publication is owned, published, and copyright © 2003 by The LUBRINCO Group Ltd, Inc. and Financial Examinations and Evaluations, Inc. It is edited jointly by Richard Isaacs (RBIsaacs@lubrinco.com) and L. Burke Files (LBFiles@lubrinco.com). The LUBRINCO Group provides services in three high-threat areas, too specialized to be dealt-with in-house, that can adversely affect domestic and international bottom lines. • Protection of trade secrets and intellectual assets. o Anti-economic espionage. o OPSEC: The identification and protection of information that would give your competitors and adversaries an advantage. ÆGIS, OCTOBER 2003 14 • International financial investigations and due diligence consulting. o Location and recovery of missing and hidden assets. o Establishing business relationships and strategic partnerships in Central and Eastern Europe, the offshore financial centers, Beijing and Shanghai, Central Asia, and Latin America and the Caribbean. o Anti-money laundering and financial fraud requirements under the International Money Laundering Abatement and Anti-Terrorist Financing Act of 2003 and the EU Revised Money Laundering Directive of 2003. • Protection of management, staff, and families. o In the high-threat environments of Latin America, Africa, the Mid- East, and Southeast Asia. o When traveling and living overseas. o When transporting items of substantial value. LUBRINCO identifies and quantifies threats and vulnerabilities, and their associated risk, then manages the vulnerabilities so you can transfer or live with the residual risk. We prevent disastrous financial loss to your company, and physical harm to you, your family, and your staff. For information on The LUBRINCO Group and its services, or for the archive of all past issues of ÆGIS e-journal in PDF format, please go to http://www.lubrinco.com/. To sign up for a complimentary subscription to ÆGIS e-journal or the ÆGIS e- journal PDF notification list, go to http://lb.bcentral.com/ex/manage/subscriberprefs?customerid=7768 or send an email to ejournal@lubrinco.com. To subscribe to our AvantGo channel, go to http://avantgo.com/channels/_add_channel.pl?cha_id=1773 To be removed from the subscription list, follow the instructions on the mailing you received, or send an e-mail to ejournal@lubrinco.com. If you know of anyone else who should be receiving ÆGIS e-journal, please send their e-mail address to ejournal@lubrinco.com. If there is a topic that you would like to know more about, send it to ejournal@lubrinco.com and the editors will consider it as the topic for an article in an upcoming issue. ÆGIS, OCTOBER 2003 15 If you would like to submit an article for publication in ÆGIS e-journal, send it as an attachment to an e-mail to ejournal@lubrinco.com. Submission of an article certifies that (a) all information in the article is in the public record, or (b) that you are authorized to release any personal or corporate proprietary information contained in the article, and (c) that none of the article has previously been copyrighted. The submission of materials for publication in ÆGIS e-journal constitutes a license to The LUBRINCO Group Ltd, Inc., and/or Financial Examinations and Evaluations, Inc, their assigns, associates, or affiliates, to abridge and/or edit said submission, and to copyright and publish/republish any submitted materials in whatever written and/or electronic form they may choose. If you would like to go beyond normal fair-use in reproducing articles from this issue of ÆGIS e-journal, you may do so freely as long as appropriate source, copyright, accreditation, and link to the LUBRINCO website is included. This should be in the form
Article Title, from the October 2003 ÆGIS e-journal (© 2003 LUBRINCO & FEE), to be found at http://www.lubrinco.com/. ÆGIS e-journal is a forum for the exchange of information, ideas, operating styles, theories, and related topics for corporate managers who make decisions about threats typically outside the expertise available in-house, yet which have the potential to affect their company’s domestic and international bottom lines. Nothing appearing in ÆGIS e-journal should be construed as legal advice. The information provided is “general information,” not “specific advice.” The solution to any problem is highly dependent upon the precise facts involved. Thus, before making any reliance upon anything said here, you should consult with an appropriately skilled professional. Opinions expressed by contributors are not necessarily endorsed by the publisher, and may be presented to encourage a dialogue among subscribers. The publisher and any re-publisher cannot be held responsible for any loss incurred as a result of the application of any information published in ÆGIS e-journal. Please be safe, and be smart.