Security Threatens Our Industry
by Paul McGoldrick
My colleague, Lee Goldberg, and I were driving through Mountain View a few months ago and I pointed out a state secret to him: So out in the open that few people would spot it for what it was. A few miles away the Port of Redwood City housed the first "stealth" boat under the eyes of an unknowing public for quite some time. A local bar was known as a hangout for both engineers and people who spoke English with Eastern European accents, and many of the buildings that people worked in had strange basements, large flat marble slabs, and rooms in the middle of the buildings that more closely resembled strongrooms -- which is what they were.
Although there have been a couple of high-profile treason cases in the last couple of years, we are told that the days of military intelligence secrets being sought or purloined by the former Soviet Union have mostly ceased. At the end of the Cold War the FBI gutted counterintelligence positions, even though it was well known that Russian spying continued in the form of industrial espionage. And communism is not yet dead, and the threats from the People's Republic of China are ever-increasing, as the case of Katrina Leung testifies. Using an affair with an active Special Agent (and, as it turned out, also with an ex-Agent who had been appointed head of security at Lawrence Livermore Labs) she allegedly passed intelligence information to Beijing while also being considered an FBI asset.
But this is nothing new. Some years ago my CEO/boss, of Chinese extraction, was interviewed by the "authorities" to test his loyalty to the US. And one has to assume that every visiting business person, student and even tourist from the PRC may have been given instructions to look out for "things" during their visit: We certainly were asked to do so in the UK when we visited the Soviet Union to fulfill contracts, and there is no reason to suppose that such requests are not made of foreign nationals visiting these shores.
Last year, at a major conference where I was moderating a panel, I was approached during a coffee break by a man who was obviously in the wrong place. He asked loaded questions about Asian participants in a couple of panels and what their companies were up to. Fortunately, I didn't know the people anyway and he shuffled away, but I later saw him talking to others who were on panels. He was obviously government, but from which branch I know not.
The FBI recently announced that it was beefing up counterintelligence positions again, specifically to address threats from the PRC. They also announced that they believed there were upwards of 3000 "front" companies in the US that were used to direct spying activities.
We know that the semiconductor industry is a major target of intelligence gatherers and the PRC is actively growing its own industry based on whatever IP it can buy, copy, or steal. But we have no way of knowing who is going to pass on the secrets that they are looking for. We cannot assume that every person of Chinese extraction is a potential spy -- that would be going back to the evils that this country perpetrated in treating all people of Japanese extraction as dangerous after Pearl Harbor -- and it would be invalid anyway because the most likely sources of intelligence will be a complete surprise. People spy for reasons other than patriotism: for the vicarious thrill that it gives the spy, or sex, or money, or a combination. Blackmail was always a good way to recruit as well: Lead the victim on to increasingly bolder/blacker deeds until they have gone too far to be able to extract themselves. And, of course, there are good old-fashioned electronic surveillance methods.
So what can we do as an industry? Protecting your IP and processes is not that easy in a society where we value the sharing of knowledge on a professional level. Conferences have always been a favorite place to pick up information that would otherwise not be publicly available and it is fairly easy to predict many companies' corporate directions from the papers presented at events such as ISSCC, events where the attendees are encouraged to share and question so the whole industry can further itself. It should probably be mandatory now for all professional papers to be vetted by people who can read and excise matter that the company should not reveal. The same is probably the case for the questions that should not be answered at the end of a paper's presentation.
In the process arena there should be need-to-know items identified, with the exact data of how something is done severely restricted to as few people as possible. A little paranoia goes a long way in preventing leaks. In the same way, some companies should consider new forms of security, way beyond just employing people to check that badges are being worn and that the building is properly locked at night. There are a couple of businesses in the Valley that I know of, for example, where the connection of a PC or other smart device to an outside telephone line results in immediate dismissal.
There are also information storage systems that should be considered as accessible by surveillance, and the idea of having at least a few TEMPEST-proof computers should be seriously on the table. Also, and against our very own instincts, consider whether filing patents is always a wise thing to do. Patent protection is only a benefit with people who are generally honest and fair-minded, but the publication of a patent is about as open as you can get with your IP.
But as open a secret as the one we saw in Mountain View is the fact that people love to talk, and a couple of free drinks from someone who seems really interested in you and what you do can be very effective in developing the bigger picture or the tiny crumb of information that completes it.