We have found two profound misconceptions common among CEOs. One of the great misconceptions is that the threat of economic espionage or trade secret theft is a limited concern—that it is only an issue if you are holding on to something like the formula for Coca-Cola or the design of the next Intel microprocessor. The case studies included here illustrate the fallacy of thinking that this threat is someone else’s problem.

The other great misconception, held by many business leaders who do acknowledge the danger to their trade secrets and other intellectual property, is that the nature of this threat is sufficiently understood and adequately addressed. Often, on closer inspection, the information-protection programs these business leaders rely on are mired in Industrial Age thinking; they have not been adapted to the dynamic and dangerous new environment forged by globalization and the rise of the Information Age.

This article is based on open-source (i.e., not classified) intelligence. There is a compelling lesson in this fact. A decade ago, such stories rarely made it onto the news wire or into the courts. Today, they are commonplace. Unfortunately, the awareness and defenses required to thwart such damaging activities, although economical and effective, are far from commonplace. Our hope is to change that.

To provide a comprehensive overview of the diverse vectors of attack, and how to evaluate whether your enterprise has the necessary defenses in place, we will look at actual cases organized into three broad categories:

• When insiders and competitors target businesses
• When state-sponsored trade secret theft targets businesses
• When counterfeiters, pirates and organized crime target products

And in our conclusion, we have provided some analysis of the economic and geopolitical impact, and a comprehensive checklist of proactive security and intelligence measures.

Part I: When Insiders and Competitors Target Businesses

Economic espionage or intellectual property theft conducted by insiders, competitors or combinations of the two are the most tangible, most common and most destructive threats.

Such an attack can take many forms, like an employee, a member of the management team, a corporate board member, a third-party contract manufacturer or a collaborative partner in a joint venture.

Here are several recent examples, ranging from the sordid to the spectacular:

Lightwave Microsystems

In late 2002, Lightwave Microsystems, a privately held company in California, announced it would cease operations because of financial difficulties. But Lightwave’s inability to turn a profit didn’t mean it was without value. It held patents and had developed saleable trade secrets. It was subsequently bought by NeoPhotonics (San Jose, Calif.), but not before some ugliness.

Brent Woodward held a trusted position at Lightwave. He was its director of information technology. He copied the company’s trade secrets, which had been stored on backup tapes, and then attempted to sell them to a competitor.

No one detected Woodward’s unauthorized activity. As the company’s IT director, he had natural and unencumbered access to the information and, indeed, it was his responsibility to protect it.

Using an alias (“Joe Data”) and a Web-based e-mail account (lightwavedata@yahoo.com), Woodward contacted the chief technology officer for JDS-Uniphase (JDS), and offered to sell Lightwave’s data. But JDS immediately contacted the U.S. Federal Bureau of Investigation (FBI), agreed to cooperate in the investigation and allowed the FBI to monitor its communications with “Joe Data.”

The FBI trace determined that the “Joe Data” messages were originating from an Internet connection within Woodward’s residence. After executing a search warrant, the FBI charged and arrested Woodward on one count of theft of trade secrets.

In August 2005, the U.S. attorney’s office for the Northern District of California announced that Brent Woodward pleaded guilty to the charge and was scheduled to be sentenced in December 2005. Woodward faced the possibility of 10 years imprisonment and a fine of $250,000.

Of course, Woodward was an amateur and was acting by himself, for himself, and thus had no interests other than his own. His methodology was very sophomoric. But even a bumbling amateur can deliver a devastating blow.

Consider what would have happened had Woodward offered the purloined data to a less ethical competitor. Would the value of Lightwave have been jeopardized and its sale to NeoPhotonics canceled if the unethical competitor got to market fast enough? Certainly.

And, if the trade secret theft was revealed only after NeoPhotonics purchased Lightwave, what recourse would NeoPhotonics have had available to it? Little more than a lengthy litigation to protect intellectual property it wasn’t aware had been stolen prior to the purchase.

America Online (AOL)

In April and May 2003, an AOL software engineer named Jason Smathers used a colleague’s access codes to acquire information on 30 million AOL customers. The stolen data, which consisted of 92 million separate records, included e-mail addresses, screen names, ZIP codes, customer credit card types and telephone numbers associated with AOL customer accounts.
Smathers sold the stolen AOL e-mail addresses to Sean Dunaway for US$27,000. Dunaway, a resident of Las Vegas, Nev., utilized the addresses to advertise his own online gambling website, and then resold the AOL data to “spammers” for approximately $52,000.

Smathers’ use of a colleague’s administrative log-in proved to be an effective way to bypass AOL’s internal security controls. (His colleague had the natural access; Smathers didn’t.) AOL knew that it had a problem and was cooperating with law enforcement, but Smathers remained an AOL employee, and unidentified as the culprit, until mid-2004.

The U.S. Department of Justice (DoJ) prosecuted this case under the Controlling the Assault of Non-Solicited Pornography and Marketing (Can-Spam) Act.

In February 2005, Smathers pleaded guilty. In October 2005, he was sentenced to 15 months in prison and fined $84,000, triple what he garnered through the sale of the data. (Smathers clearly knew the data was worth something, but he grossly underestimated the street value of the information.)

Though DoJ recommended that Smathers be barred from the software profession, the judge noted Smathers’ cooperation in the investigation and believed that the cooperation and Smathers’ contrite behavior warranted leniency. Smathers told the court that AOL had said his theft and subsequent sale had cost the company at least $400,000. (Potentially, it cost it millions of dollars.)

But the real damage may still be looming out there in the dark alleys of cyberspace. What costly mischief could e-mail fraudsters (“phishers”) or unscrupulous telemarketers carry out with the collation of those e-mail addresses, user names and user telephone numbers? Such personal information is priceless in the underworld industry of identity theft.

There is also the risk to one’s reputation in such incidents. AOL is advertised as a “family-friendly” environment, one where the customer doesn’t have to be a technological marvel to enjoy the wholesome pleasures of the Internet and not be exposed to its seedier side. AOL admitted that the Smathers caper cost the company at least $400,000; the downside may be much greater as it creates software to mitigate the loss of customer data, while simultaneously working to regain the trust of its customer base.

Casiano Communications Inc.

In mid-October 2005, Casiano Communications Inc. (CCI), the prominent publisher of Caribbean business and travel literature magazines, filed suit against John Bynum, a former employee. CCI alleges that Bynum stole its intellectual property, specifically databases, which Bynum forwarded to his personal e-mail account from CCI’s computers. According to CCI, he stole client and advertiser information, which violates the company’s electronic mail and company resources and equipment policy.

CCI alleged that Bynum had been selling a database of key business contacts in Puerto Rico, to assist companies in marketing their products and services.

The Superior Court of San Juan, Puerto Rico, issued a temporary restraining order against Bynum. It required him to cease and desist from utilizing, transmitting, selling or reproducing any form of database, or other trade secrets obtained during the course of his employment with CCI. The injunction granted CCI the right to seize all of its materials contained in any computers, disks or other information-technology items in the personal possession of the defendant.

Corning Inc.

Jonathan Sanders was an employee of Corning Inc. who worked at the Harrodsburg, Ky., plant. On Oct. 20, 2005, DoJ charged him with the theft of trade secret material belonging to Corning, specifically material pertaining to an overflow downdraw fusion glass-making process used to produce thin filter transistor liquid crystal display (LCD) flat panel glass.

It is alleged that Sanders began his theft of Corning’s intellectual property in December 1999, and that it continued through December 2001. It is also alleged that Sanders subsequently sold the material to PicVue Electronics, a Taiwanese corporation.

In his statement to the FBI, Sanders indicated that he found blueprints containing the Corning trade secrets within a Corning warehouse in 1999. The blueprints were in a container of material awaiting destruction. Sanders took the blueprints home instead of destroying them. He traveled to California and met with Jacob Lin, PicVue’s president, and Yeong C. Lin, a consultant working with PicVue. According to Sanders, he did not actually show them the drawings; he only described the fusion draw process. Subsequently, PicVue allegedly offered him a job, which he declined.

Many months later, in September 2000, PicVue wired US$30,000 to a California bank account. Lin, the consultant, took control of the funds and enlisted a college roommate, Danny Price, to deliver $25,000 of it to Sanders, so as to obfuscate the connection between PicVue and Sanders. In exchange for the money, Sanders gave Price the stolen Corning blueprints.

PicVue’s engineers took digital pictures of the blueprint documents and transferred the images to a digital storage device. The engineers hand-carried the device back to Taiwan. The blueprints were then allegedly destroyed.

In November 2000, engineers from PicVue traveled to Kentucky and met with Sanders to discuss the blueprints he had sold to PicVue.

In September 2001, PicVue representatives traveled to Saint-Gobain Ceramics, a company in Niagara Falls, N.Y., to purchase a part for the fusion process. Because of their prior commercial relationship with Corning, Saint-Gobain personnel recognized the utility of the part as being applicable only to the fusion draw process, and alerted Corning to the possibility that its trade secrets had been compromised. Corning representatives visited Saint-Gobain’s offices, reviewed the specifications provided by PicVue, and concluded that Corning trade secrets were involved.

Corning contacted the FBI, and an investigation commenced in October 2001, which led to Sanders’ arrest and indictment in late 2005. The prosecuting attorney noted that the intellectual property carried a value of $100 million. Sanders pleaded guilty to the charges and was to be sentenced on April 18, 2006. Corning and PicVue were able to arrive at a settlement, with PicVue allegedly having paid Corning $15 million in damages. In April 2006, Sanders was sentenced to four years imprisonment and fined $20,000.

Corning apparently had a set of procedures in place to destroy company confidential documents, but it appears that it had no mechanism to ensure that documents put into the “to be destroyed” bin were, in fact, subsequently destroyed.

This case offers another example of a company being ignorant of the theft of its intellectual property until the recipient of the stolen secrets approached one of the few organizations in the world able to create the parts necessary to make the purloined documents effective in the marketplace. It was the strength of the relationship between Corning and Saint-Gobain that brought the illegal activity to light—certainly not any of Corning’s internal procedures.

Avery Dennison

Avery Dennison, headquartered in Pasadena, Calif., is one of the country’s largest manufacturers of adhesive labels. It spends a great deal of money on research and development of adhesives, and retains the formulas as its intellectual property. The company’s adhesives and methodologies provide it with a significant advantage in the global adhesive label market.

Four Pillars Enterprise, a Taiwanese competitor with market share both in the United States and the Far East, targeted Avery Dennison’s Concord, Ohio, research facility, and stole Avery Dennison’s intellectual property from 1989 through 1997.

The theft is a classic example of a competitor’s methodical harvesting of technological advances and research. Avery Dennison was unaware of the economic espionage until a former Four Pillars employee applying for work with Avery Dennison revealed that an Avery Dennison employee had been supplying Four Pillars with adhesive formulas for the preceding eight years.

The FBI, together with Avery Dennison, contrived a successful sting operation to identify the employee who was working for Four Pillars. The culprit was Ten Hong Lee (a.k.a. “Victor Lee”), a U.S. citizen and a senior research engineer within Avery Dennison’s Concord, Ohio, research facility.

Lee, who received his undergraduate degree at the National University of Taipei, his master’s degree in polymer science from Akron University and his PhD in chemical engineering from Texas Tech, had been invited to visit Taiwan by the Industrial Technology Research Institute to give a lecture. While there, he was invited to present a technical lecture to Four Pillars.

Lee was enticed to enter into a covert relationship with Pin Yen Yang, Four Pillars’ president and CEO, as a “secret consultant,” for which he was paid US$25,000 his first year. Lee, Yang and Yang’s daughter, Hwei Chen Yang, (a.k.a. “Sally Yang”), conspired to obtain Avery Dennison’s intellectual property and business methodologies. In exchange, Lee would be paid substantial sums of money.

Four Pillars had targeted an individual with whom the Yangs could relate on an ethnic basis, leveraging Lee’s desire to help a fellow countryman and pandering to his ego by providing him “recognition” for his intellect. Of course, it also paid him US$150,000 over the years, and deposited the funds with Lee’s relatives in Taiwan to keep his skullduggery out of view of tax authorities, lenders or others who might have questioned the supplemental income.

When confronted, Lee admitted his guilt and was persuaded to act as a cooperative witness for the DoJ, which wanted to prosecute this theft of the intellectual property of a U.S. corporation by a foreign national under the powers of the Economic Espionage Act of 1996.

In September 1997, Lee met with the Yangs at a Holiday Inn in Westlake, Ohio, and provided them with more of Avery Dennison’s intellectual property. The room was under FBI surveillance. Following the meeting, the Yangs were observed using a knife to cut the headers and footers off the documents provided by Lee.

The Yangs were subsequently arrested. In 1999, U.S. District Court Judge Peter C. Economus convicted both Yang and his daughter of stealing trade secrets, and also convicted Four Pillars on economic espionage charges. Yang was sentenced to six months of home confinement and fined US$250,000. His daughter was fined $5,000 and received a year’s probation. Four Pillars was fined $5 million for accepting the pilfered trade secrets. Lee pleaded guilty to wire fraud and defrauding his employer.

Yang’s investment of approximately $150,000 resulted in estimated losses of $30 million to $50 million for Avery Dennison. Four Pillars appealed the conviction to the U.S. Supreme Court, but the convictions were upheld in October 2002.

Toshiba and Lexar Media

In 1994 and 1995, Cirrus and Toshiba were involved in discussions on how Cirrus would collaborate with Toshiba in creating flash memory controllers in support of Toshiba’s preferred flash memory technology. In mid-1996, some Cirrus employees founded Lexar Media. On Dec. 1, 1996, Toshiba, Toshiba America and Toshiba America Electronic Components were given access to Lexar’s intellectual property under a five-year non-disclosure agreement. In 1997, Toshiba invested $3 million in Lexar, and also placed a member of its own on Lexar’s board of directors. Lexar continued to share intellectual property.

In April 1998, Toshiba and Lexar entered into a partnership to compete in the flash memory market. The joint relationship apparently prospered throughout 1998 and most of 1999. But in October 1999, Toshiba entered into a joint agreement to develop and manufacture Gigabit Scale flash memory with SanDisk, Lexar’s main competitor in the flash memory market. Lexar felt that its “partner” had sold it out. Not only had Toshiba been a partner in numerous joint development projects, but Toshiba’s presence on Lexar’s board of directors also provided Toshiba with intimate knowledge of all of its strengths and weaknesses.

Toshiba assured Lexar that the agreement with SanDisk did not involve Lexar technologies, and was between a separate division within Toshiba than that involved with Lexar.

Soon, SanDisk and Toshiba signed a $700 million deal to create a joint fabrication facility in Virginia to produce multilevel cell (MLC) flash memory chips. Lexar believed that its intellectual property, specifically the multipage write technology, was being used, and that without it the MLC flash memory initiative would not be financially viable. But Lexar didn’t have the proof until 2001, when Toshiba published the technical specifications used in its MLC smart memory application.

In late March 2005, a California Superior Court jury found Toshiba guilty of the theft of Lexar Media’s trade secrets, and assessed total damages of $465.4 million, including $84 million in punitive damages. According to Lexar Media, its trade secrets were being utilized in Toshiba products such as NAND flash chips, Compact Flash cards, xD-Picture Cards and Secure Digital cards. In December 2005, the same court agreed to Toshiba’s request for a new trial. The litigation continues; no new trial date has been set.

Particularly noteworthy in this case is Toshiba’s apparent brashness. It had a seat on the board of directors of the company whose intellectual property it allegedly purloined. It also participated in a number of joint development projects, during which Lexar’s intellectual property was fully disclosed to Toshiba, and which Toshiba then apparently leveraged for its own benefit in another product line.

Citroen and SigmaTel

What do Citroen, the French automobile manufacturer, and SigmaTel, a U.S. manufacturer of audio entertainment devices, have in common? Both corporations allege that patented methodologies were misappropriated by Chinese competitors and used in products marketed in China so that, in effect, Citroen and SigmaTel ended up competing against their own product designs. Furthermore, because the Chinese had little or no research costs associated with development, the products were made available at a price considerably lower than the company that owned the patent could possibly afford to offer.

In January 2005, SigmaTel filed suit against Actions Semiconductor Company (Actions Semi) of Zhuhai, Guangdong, China, alleging that integrated circuits inside of Action Semi’s MP3 players infringe upon multiple patents related to SigmaTel’s portable audio devices. In March 2005, it followed up by filing a complaint with the U.S. International Trade Commission (ITC) requesting that the ITC initiate a Section 337 investigation. (According to the International Trade Data System, under Section 337 of the United States Tariff Act of 1930, imported products that allegedly violate U.S. intellectual property rights can be barred from entry into the country. Complaints under Section 337 are made to the ITC, and generally involve allegations of infringement of intellectual property rights, such as patents, trademarks or copyrights. Relief, in the form of an exclusion order (import prohibition of a specific article) or a cease-and-desist order (an order prohibiting a party from importing) or both, may be granted to the successful complainant. In the complaint, SigmaTel identifies the specific patents that it believes have been infringed and requests a permanent exclusion order banning the importation of the products into the U.S. market, and also requests a cease-and-desist order to halt sale of these same products.

Actions Semi claims no infringement of SigmaTel’s patents has occurred. The trial found in favor of SigmaTel and concurred that Actions Semi infringed upon SigmaTel’s patents. SigmaTel prevailed in the ITC trial, and it has protected itself within the United States, one of its prime markets, but the victory will have no effect on the Chinese or European markets.

Citroen alleges that Chinese auto manufacturer Shanghai Maple used Citroen’s core chassis technology in producing a series of Shanghai Maple models. It claims that its patent on “special chassis technology” had already been filed with the world intellectual property rights organization, and had not been licensed to Shanghai Maple. Shanghai Maple, a subsidiary of Geely Automobile, claims no knowledge of any infringement, and that the automobiles are created from its own designs.

The unlicensed use of technology apparently is not an unusual occurrence within the Chinese automotive manufacturing sector. In May 2005, General Motors Daewoo alleged that Cherry QQ copied its “Spark” sedan design, and demanded 80 million yuan (approximately US$10 million) as compensation for patent infringement. Dongfeng Honda and Toyota Auto have also sued Hebei Shuanghuan Auto and Geely Auto for similar reasons.

Zhang Zhenzhi, a deputy engineer within the China Automotive Technology & Research Center, offers a remarkable perspective:

It’s inevitable for domestic automakers to imitate other advanced technologies, no matter from other domestic companies or foreign firms. But in the future, we would be able to better our designs after getting more experience on developing our own autos.

It would appear that loss of intellectual property is expected within the nascent Chinese auto industry, and that “borrowing” of intellectual property should be considered the norm, to be expected of young companies and tolerated by more established firms.

Both Citroen and SigmaTel took all the right steps to protect their intellectual property, including filing patents. And yet, they find themselves caught up in a still-developing legal system, which some have described as a litigation quagmire, where it is almost impossible to effectively litigate patent violations.

Christopher Burgess is a Senior Security Adviser for a Fortune 100 firm, and is a retire of the U.S. Central Intelligence Agency, with 30 years of experience in the clandestine services. He can be reached via e-mail: cburgess@att.net and his website is www.secretsstolen.com

NOTE: Portions of this study were reviewed, and cleared without objection, by the Publication Review Board of the U.S. Central Intelligence Agency. Originally published June 2006 by CSO Magazine – www.csoonline.com.

]]>