Australia’s economic espionage laws: what this means for ‘trade secrets’ protection after 2018

Author: Paul Curwell

Are Australians culturally reluctant to take steps to protect our Intellectual Property?

Throughout my career, I have worked with businesses, R&D intensive organisations and universities which make a living commercialising their Intellectual Property (IP). As an undergraduate biotechnology student, I completed a number of internships with research laboratories in Australia and the United States, before working out that wasn’t the right career for me. Later, as a Master of Technology Management student at business school in Brisbane, I wrote my thesis on the protection of IP. I then moved on to a mix of consulting and industry roles, mostly in financial services. Unfortunately, wherever I go in Australia I regularly encounter situations involving IP and trade secrets theft. For example:

  • A departing employee who blatantly stole IP from their employer, only to find in-house counsel couldn’t be bothered to take action either against the employee or their new employer (where they were using the stolen assets) as they didn’t consider IP theft a real issue
  • Another company failed to terminate the IT accounts of multiple employees who had left at the same time for a direct competitor; those employees also stole their former employer’s laptop and used it, together with their still-active login credentials, to log in to their former employer’s IT network from their new employer’s offices and take the IP they hadn’t already taken, as well as commercial material such as pricing which had been updated since they left
  • An employee who had a lucrative contract with a foreign third party to supply the research paid for by their primary employer to the third party, without the knowledge of the primary employer and in breach of their employment contract and fiduciary duty

Based on my experience, I am comfortable saying the culture of IP protection, and the maturity of associated IP protection programs, in Australia is low. Australian businesses are overly reliant on legal measures to protect our IP, at the expense of adequate security and insider threat programs. Unfortunately, once your IP is gone, it is very expensive and time consuming to get it back. Having spent almost 20 years working in the fraud and security field, I am still amazed at the way in which we protect our confidential information and IP in Australia and the almost complete disregard we show for both protecting these intangible assets and responding when something goes wrong. This is in complete contrast to the US and other R&D intensive nations. Slowly, finally, things are starting to change.

‘Trade secrets’ defined for the first time in Australian legislation

In August 2018, the National Security Legislation Amendment (Espionage and Foreign Interference) Act 2018 received royal assent, and now forms part of Australia’s Criminal Code Act 1995 (Cth). Theft of trade secrets and IP is big business globally, and involves nation states, criminal groups and individuals. The US Trade Representative estimates the cost of trade secrets and IP theft at US$200bn to $600bn annually. When the perpetrator is a nation state, or acting on behalf of a nation state, this is termed ‘economic espionage’ (as opposed to traditional espionage, which focuses on theft of national security related information). When the perpetrator is a competitor or private intelligence company, this is termed ‘industrial espionage’. In Australia, economic espionage is considered a form of Foreign Interference.

Foreign interference is activity that is:

  • carried out by, or on behalf of a foreign actor
  • coercive, corrupting, deceptive, clandestine
  • contrary to Australia’s sovereignty, values and national interests

Foreign interference activities go beyond routine diplomatic influence and may take place alongside espionage activities. A range of sectors are targeted:

  • democratic institutions
  • education and research
  • media and communications
  • culturally and linguistically diverse communities
  • critical infrastructure

Most Australians don’t believe industrial or economic espionage happens here in fortress Australia, but unfortunately these practices are alive and well; it’s just that they rarely make it to the courts or hit the headlines, and victim companies rarely, if ever, disclose this fact. So what does this new legislation do? Effectively, it “introduces a new offence targeting theft of trade secrets on behalf of a foreign government. This amounts to economic espionage and can severely damage Australia’s national security and economic interests. The new offence will apply to dishonest dealings with trade secrets on behalf of a foreign actor”.

92A.1 Division 92A – Theft of Trade Secrets involving a Foreign Government Principal

The penalty for committing this offence is 15 years imprisonment.

Division 92A does not cover theft of confidential information or trade secrets where there is no involvement of a foreign government – these cases are addressed under other legislation as well as under common law and will be subject to a separate post.

What is a ‘Foreign Government Principal’?

Under section 90.3 of the legislation, an offence of trade secrets theft requires the perpetrator (e.g. the employee) to be acting on behalf of a ‘foreign government principal’. Note that the legislation also defines a ‘foreign principal’, which is different. A ‘foreign government principal’ is defined as follows:

  • the government of a foreign country or of part of a foreign country;
  • an authority of the government of a foreign country;
  • an authority of the government of part of a foreign country;
  • a foreign local government body or foreign regional government body;
  • a company defined under the Act as a foreign public enterprise;
  • a body or association defined under the Act as a foreign public enterprise;
  • an entity or organisation owned, directed or controlled:
    • by a foreign government principal within the meaning of any other paragraph of this definition; or
    • by 2 or more such foreign government principals that are foreign government principals in relation to the same foreign country.

Importantly, the legislation is written quite broadly so as to encompass many of the typologies typically found with economic espionage, namely the involvement of national as well as state / province and local level government agencies, associations and similar legal entity types.

Section 70.1 of the Criminal Code 1995 provides a comprehensive definition of a ‘foreign public enterprise’ which encompasses both formal control (i.e. in the form of shareholdings) as well as influence (i.e. indirect or coercive control which might be exerted against a company’s key persons by a foreign government to ensure support).

Three elements of the offence define expectations of employers – IP Protection programs

In addition to the involvement of a ‘foreign government principal’, a person (e.g. employee, contractor) commits an offence under Division 92A if the person dishonestly receives, obtains, takes, copies or duplicates, sells, buys or discloses information, and the following three circumstances exist:

  • The information is not generally known in trade or business, or in the particular trade or business concerned
  • The information has a commercial value that would be, or could reasonably be expected to be, destroyed or diminished if the information were communicated
  • The owner of the information had made reasonable efforts in the circumstances to prevent that information from becoming generally known

The first circumstance is relatively straightforward: if the information is public or in any way considered ‘common knowledge’, it is not a trade secret. Secondly, like all forms of IP, trade secrets must have some form of commercial value, for example, being used to build or do something which creates a saleable asset or generates revenue. Lastly, the owner of the trade secret(s) must have taken reasonable steps to protect that information from unauthorised disclosure – i.e., the implementation of an IP Protection program.

These elements are common to the definitions of a trade secret in other jurisdictions, such as the United States and Canada. However, the legislation does not provide any guidance on what a court might consider ‘reasonable efforts’ to protect such information. There is, nonetheless, a body of industry better practice around what IP Protection programs should look like which can be used by employers and IP Rights holders to inform these decisions. For more information, have a read of my earlier post on this subject.


DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

HUMINT cycle and the recruitment of insiders

Author: Paul Curwell

Introduction

Employees are an organisation’s most important asset: they are what enables organisations to generate value, respond to opportunities and threats in the operating environment, and create a positive culture which attracts other would-be employees and potential customers. Employees are also crucial to security: when conditions are right, employees help build a positive security culture which enables management to quickly identify and respond to security threats.

In the same manner that security would not be necessary if people did not exist, a security program cannot be successful without the support and active participation of its employees. It goes without saying then that an employee who ‘goes rogue’ and becomes malicious (i.e. intends to do harm), or an employee who doesn’t care about their employer or its security practices (i.e. a complacent employee) can do real harm if approached by an external individual or group wishing to gain ‘inside access’ to the organisation and its assets.

What is the HUMINT cycle and who uses it?

Human Intelligence, or HUMINT, techniques are an example of the tactics typically deployed in this scenario to exploit human vulnerabilities. HUMINT refers to the collection of intelligence by humans – principally spies and agents using methods that involve 1:1 contact.

The HUMINT cycle involves four main steps (illustrated below) which might commence, for example, with a broad scan of all employees at an organisation, but rapidly narrow down to one or more individuals with both (1) the access to the desired assets or information and (2) the personal characteristics or ideological sympathies which make them amenable to recruitment (see Sano, 2015).

Importantly, undertaking HUMINT and the use of HUMINT techniques is not limited to governments, but is also commonly employed in business by ‘competitive intelligence’ practitioners or ‘Private Intelligence Collectors’. ‘Private Intelligence Collectors’ and unscrupulous competitive intelligence professionals often use HUMINT techniques, as well as any other intelligence collection mediums in their toolbox, to collect confidential information that will either be sold to another party (such as the highest bidder) on commission, or which is collected under the paid instruction of the intended recipient.

For a classical HUMINT example, consider a woman who seduces a male chemist at a pharmaceutical company to provide, or facilitate access to, details of a new blockbuster drug compound under development by the pharmaceutical company (referred to in the trade as a ‘honey trap’). Other threat actors who use HUMINT techniques include organised crime groups, issue motivated groups and terrorists.

How can the HUMINT cycle be leveraged for insider threats?

Once the HUMINT collector has identified (spotted) their target, they begin engaging with them to build rapport and develop a relationship. Importantly with HUMINT, it may not be necessary to actually recruit the target (or someone who has access to the ultimate target) in order to achieve their objective. In some instances, the required information can be obtained without the need for a formal and risky recruitment pitch.

It is particularly important to incorporate these learnings into any insider threat awareness training, as employees who are aware of the steps taken by HUMINT collectors are more likely to recognise them, and to be able to seek help early. Examples of ways (vectors) HUMINT collectors might obtain the information they require include:

  • Infiltration – getting an ‘agent’ or sympathiser of the HUMINT collector (or their cause) into the organisation through standard recruitment processes, as a contractor, or via a supplier
  • Elicitation – refers to techniques used by HUMINT collectors to obtain information from a target without them knowing or realising it, which results in them volunteering the information rather than being asked directly
  • Social engineering – involves the use of deception to manipulate someone into disclosing confidential information, either in a business or personal context
  • Spear Phishing and Phishing scams – can involve the use of legitimate-looking emails (or even SMS messages, in the case of smishing) to introduce malware into an otherwise secure computer network, allowing later exfiltration of that information. Unlike Phishing, which is more general, Spear Phishing is highly targeted and focused on an individual with access to the target, such as a senior executive

There are a variety of forums in which HUMINT collectors operate, including via ‘official’ or business events, and through personal social interaction. These might include:

  • Conferences and trade shows
  • Professional Associations
  • Clubs and social associations
  • Universities
  • Social Media platforms
  • Emails
  • Unsolicited phone calls

When performing any insider threat or security related risk assessments, organisations need to consider what their most critical assets are, who might be interested in them, and how they might obtain them (i.e. what forums, mediums or platforms). Once this is thoroughly understood, awareness training and incident reporting mechanisms can be clearly established and targeted.

What can organisations do to manage this threat vector?

Complacency is a big driver of insider threat incidents, so it is critical that organisations develop a good security culture and that ‘at risk’ employees have a good understanding of the threats and tactics which may be used against them.

The regular use of security awareness training across the organisation as a whole, supported by targeted training for ‘at risk’ teams, is critical to ensuring these threats remain front of mind.

Staff in ‘at risk’ teams, as well as managers, should be familiar with insider threat behavioural indicators which can suggest an employee or contractor is experiencing some difficulty in their personal life, which might make them vulnerable to exploitation. Early identification of these problems, when raised properly (such as through employee wellbeing programs), might mitigate these risks.


Good security culture is also critical for organisations, ensuring employees understand why security is important, what the threats to their organisation may be, and what they can do to help protect their organisation. For employees to play their part, they often also need to feel trusted and engaged with their employer; otherwise complacency may set in and potential threats be selectively ignored.

The preceding paragraphs focus on what organisations can do to mitigate insider threats once the individuals are already in the organisation (i.e. employed or contracted); however, equally important is the use of employment screening (‘background investigations’ or ‘background checks’) to prevent individuals with vulnerabilities or unwanted character traits joining the organisation in the first place. Any discussion on background checks is an article in itself, and will be addressed in a future post; however, readers who want more detail (including a model process) can read the chapter on ‘due diligence’ in my recent book co-authored with Oliver May.

Further Reading

Sano, J. (2015). The Changing Shape of HUMINT, AFIO’s Intelligencer Journal, Vol. 21, No. 3, Fall/Winter 2015. www.afio.com


In business, confidential information is a critical asset

Author: Paul Curwell

Intellectual assets are strategically important in business today

Intellectual Assets can exist in a variety of forms, though they are all based upon the generation, capture and protection of valuable knowledge (the ‘information lifecycle’). Their foundation is fragile, as it is dependent upon the transition of tacit knowledge possessed by an individual into the organisation with which they are associated. Once transferred, organisations must convert that employee’s tacit knowledge into value-creating processes, products or practices. However, a diverse range of criminal and commercial activities threaten the viability of knowledge-intensive companies.

According to statistics quoted from the US Trade Representative, some aspects of “American IP theft costs between US$225bn – US$600bn annually”. These statistics relate to only one segment of the problem, so the true value is probably higher, highlighting the somewhat ‘hidden’ nature of the problem. As recognised by global accounting standards, information today is an (intangible) asset: it needs to be protected like any other tangible asset or item of value.

Companies in knowledge-intensive industries typically have a heightened awareness of the value of their Intellectual Assets and place greater emphasis on information protection as part of an overall IP strategy. However, in my direct experience Australians still lag somewhat behind our North American, European and Asian peers in acknowledging the magnitude of the threat. Here in fortress Australia, where most people and companies play by the rules, we have a tendency to think the rest of the world is like home. In reality, the borderless nature of crime today means that nowhere is safe when it comes to protecting sensitive business information.


What do we mean by confidential information?

There are a range of categories of sensitive information, with sensitivity being determined by factors such as commercial value, regulatory obligations to protect the data, and competitive advantage. In my experience, Australian businesses often overlook the importance of commercially valuable information in favour of a heightened focus on Personally Identifiable Information, as a result of Notifiable Data Breach legislation and increased awareness of Privacy generally. For the purposes of this post, I have outlined three categories of ‘sensitive’ information:

  • Intellectual Property (IP) – predominately in the form of copyright and patents
  • Sensitive Business Information (SBI) – otherwise referred to as ‘proprietary information’ (US terminology) or ‘confidential information’, this category is anything with commercial value, including strategic plans, customer lists, pricing and ‘trade secrets’
  • Personally Identifiable Information (PII) – information that must be protected under privacy legislation, comprising any information that can be used to identify an individual

This post focuses on Sensitive Business Information protection.

‘Sensitive information’ exists along a continuum, with information being ‘sensitive’ by virtue of the fact that it is not public or widely known. For example, research data being prepared for submission in a patent by a research institute is sensitive and must be protected from theft, loss or misuse until the point where the patent is published. Upon publication, the information becomes widely known and can be consumed by anyone – noting that profiting from the information in the patent or using it commercially requires a license and payment of royalties. This means it is important to consider the ‘information lifecycle’ when we create information protection programs as security frameworks and controls must reflect the risks and information usage activities which apply at each phase of the lifecycle.

According to the literature, information has its own five-phase lifecycle (Sharma, 2011), as follows:

  • Creation and Receipt – the point from which information is created (origination)
  • Distribution – of the information to end users or recipients
  • Use – where information is applied to a specific purpose
  • Maintenance – includes storage, categorisation, and processing of information
  • Disposition – includes the destruction, archiving or other retention decisions

To further highlight the importance of the lifecycle using the above patent example, research data might start out as ‘sensitive business information’ when it is created, only for it to become Intellectual Property when it is subsequently used (i.e. published as letters patent). In this example, many of the security arrangements used to protect the research data can be relaxed upon patenting, as keeping data in this form secret no longer has value.


Threat Actors seek to compromise your sensitive information

When we discuss security problems generally, Australians like to talk about risks rather than the root cause of the risk. When talking about all types of security or fraud issues, that root cause is human. Whatever their motive, threat actors seek to do or cause harm. I’ve been helping companies and governments identify and mitigate threats from hostile actors of all forms for almost 20 years. My starting point for dealing with threats is to divide them into two categories – internal and external – based on their level of access and influence within the organisation:

  • Internal threats involve ‘trusted insiders’ – employees and third parties with privileged access to the organisation by virtue of their employment or contractual arrangement
  • External threats – those outside of the organisation, including organised crime, nation states, terrorists, private intelligence collectors, and competitors

External threat actors often work with trusted insiders to compromise sensitive information. This can be complicit, involving some form of collusion (i.e. the insider voluntarily steals information for bribes or some other financial or non-financial advantage), or coerced (e.g. the insider, or their family, is threatened [extorted] or blackmailed into compromising the information).
