FORENSIC IDENTIFICATION AND ANALYSIS OF TECHNICAL SURVEILLANCE DEVICES

It was one sentence among hundreds in a transcription of a dull congressional hearing on the environment, a statement anyone might have missed: Bristol-Myers Squibb Co. was looking to increase its harvest of the Pacific yew, a protected tree. But the competitive intelligence (CI) officer at archrival SmithKline Beecham (SKB) Corp. happened to catch it, thanks to a routine search of competitors’ activities on the Web.

The intelligence officer sprang into action. He knew Bristol-Myers’ (BM) researchers had been testing a substance in the tree’s bark as an experimental agent against breast cancer. But why was BM suddenly seeking to cut down 200 times as many yews? Was it ready to put its planned anticancer drug, Taxol, into production? Back at SmithKline headquarters in Philadelphia, the news was enough to trigger serious nail-biting in the boardroom. SKB was developing its own anticancer drug, Hycamtin, but it wouldn’t be ready for another 18 months. Would it beat Bristol-Myers’ drug to market? Or would SmithKline Beecham have to speed up its production schedule—and if so, by how much?

The intelligence officer’s team wasted no time. It immediately began canvassing conferences and scouring on-line resources for clues. It tapped into Web sources on the environment and got staffers to work the phones, gathering names of researchers working for Bristol-Myers. It even zeroed in on cities where BM had sponsored experimental trials of the substance.

Sure enough, BM had been taking out recruitment ads in those areas’ newspapers for cancer researchers—a sure sign that Bristol-Myers was stepping up its hiring of oncologists specializing in breast cancer. The next clue? From data discovered on financial Web sites and in the comments of Wall Street analysts, the intelligence officer’s team discovered that BM was increasing its spending on its oncology group.

That was all the intelligence officer needed to hear: senior R&D managers were ordered to speed things up, and ended up rushing Hycamtin to market in six months instead of 18, preserving some $50 million in market share for SKB and saving millions in drug development costs. The CIA, the National Security Agency, and Britain’s MI5 used a form of CI to figure out what the Russians were doing. SKB used it too.

SmithKline Beecham’s tale of how competitive intelligence saved a company millions is no longer unusual. Indeed, one of corporate America’s worst-kept secrets these days is that more and more companies, from Burger King to NutraSweet to MCI, are spying—and have in-house operations to keep tabs on rivals. The number of large corporations with CI units has tripled since 1995, and spending on CI is estimated to be around $14 billion annually—nearly double the amount spent just five years ago.

To be sure, data-diving isn’t new. As far back as the 1970s, in a now-famous example of excess zeal, The Boeing Company discovered that a Russian delegation visiting one of its manufacturing plants was wearing crepe-soled shoes that would surreptitiously pick up metal shavings off the factory floor to determine the type of exotic metal alloys Boeing was using in its planes. And at Motorola Inc., the former chief of competitive intelligence used to work for the CIA.

But now, thanks to the Net and its ever-growing, low-cost reach and speed, nearly everybody’s spying. In a May 2001 survey by marketing firm TR Cutler, Inc., 55% of U.S. manufacturing companies with fewer than 1,000 employees admitted to spying on competitors during the previous 12 months, using the Web and posing as potential customers to glean pricing and other competitive tidbits.

Cold War, Revisited

Now, here’s a real secret: Until recently, most corporate gumshoeing was being outsourced to spy companies with 007-sounding names such as WarRoom Research Inc., many of which were founded by ex-CIA, National Security Agency, and Mossad operatives seeking work after the Cold War. Now, though, corporate snooping is increasingly being conducted in-house—and for the first time, Chief Information Officers (CIOs) are being forced to the frontlines. More and more CIOs are gaining responsibility for the intelligence function. And why not? Information is about technology, and information is increasingly a company’s competitive edge.

To be sure, companies without the ability to pluck the juiciest scoops from a growing quagmire of data will increasingly lose market share to those companies that can. This is now a double-edged game. Those who get spied on are now also spying.

Case in point: The CIO of 3COM Corp., makers of Internet switches and hubs, now supplies employees with two toll-free numbers: one to report any intrusions into corporate secrets; the other to report what 3COM’s rivals are up to. You’ve got to take the offensive these days, or you’ll be clobbered in the marketplace. Stiffening competitive pressures of the current economy are only exacerbating the spy-versus-spy mentality.

What is competitive intelligence? Everything from illegal spying and theft of trade secrets to classic intelligence-gathering—whatever it takes to provide executives with a systematic way to collect and analyze public information about rivals and use it to guide strategy. At its best, competitive intelligence borrows tools and methods from strategic planning, which takes a broad view of the market and how a company hopes to position itself, and from market research, which pinpoints customers’ desires. Its goal: to anticipate, with razor-sharp accuracy and speed, a rival’s next move, plot new opportunities, and help avert disasters.

CI is hottest in the pharmaceuticals, telecom, petrochemicals, and consumer products industries, where consumers are the most fickle and where speed and flexibility are especially critical for success. Indeed, some companies, from Burger King to Lucent Technologies Inc., are getting so good at using the new digital tools to sniff out what rivals’ customers are eating this week or paying for long-distance, that it’s enough to rattle even the most rival-savvy marketers—and to push a lot of data, once commonly available, underground.

For example, Wal-Mart Stores Inc. ended a years-long practice of sharing data about its sales of food, beverages, toys, clothing, and over-the-counter medications. Gathered by electronic scanners in checkout aisles, the data had been closely monitored by various parties—from the companies that make products sold in Wal-Mart’s more than 2,600 stores to Wall Street analysts.

Competing at the speed of information can pay off handsomely. NutraSweet estimates its intelligence unit is worth at least $50 million a year in sales gained or revenues not lost. SmithKline Beecham estimates saving more than $100 million and gaining untold protection of market share for any number of products. All information is now being thrown into the digital hopper and sliced and diced for clues and leaks. It’s a CIO’s gold mine.

But what is the real bottom line? The new business-led push to get better competitive data, faster, is also defining new opportunities for CIO leadership at most firms. A CIO who is responsible only for wires, equipment, and software at least knows about hacking and penetration; a CIO who is also responsible for business intelligence will be far better clued in. Companies whose CIOs have that kind of competitive leadership ability will have the edge in the years ahead.

Information Overload

Indeed, the growing information glut makes it critical for CIOs to start thinking about how they can support their company’s CI snoopsters, and do it with as much zeal and imagination as they already apply to building hacker-proof security systems. In fact, most existing systems and organizations are still ill-equipped to keep pace with the ever-growing amount of information available. Many companies are still stumbling to process and respond to competitive information as fast as it pours in. The result: the key to opening up a knowledge gap in your favor (the difference between what you know and what your rival knows) lies in the ability to build IT systems that can scope out the movements of corporate rivals in real time. IT-aided intelligence gathering is so critical that the companies most skilled at snooping will redefine entire industries. Players unable to surmount their bureaucratic inertia will find their existence threatened. And, once intellectual and competitive agility becomes more commonplace, competitive advantage will be both harder to come by and increasingly expensive.

Therefore, it is recommended that you now start recruiting the technology executives who can build systems that will give your company the ability to react in real time to what its rivals are doing. Build such systems, and your company also will be able to respond faster to customers. The goal is to tie technology and business together in a common pursuit of becoming more competitive and responsive to rivals and customers in the marketplace. CI is to a company what radar is to an airplane. Companies are now installing radar in the corporate cockpit, and that’s where the CIO comes in.

At minimum, CIOs should start helping executives to monitor the Web more effectively. The Internet is opening up whole new ways to snoop, giving companies access to material that used to take months or years and millions of dollars to unearth, from satellite photos of rival plant sites to the inside skinny on a rival CEO’s off-work activities. And, for public sources, it’s legal. For example: the London-based consumer products firm Unilever plc was looking to go into China with a new product. But the Chief Technology Officer (CTO) of Chicago-based Dollens And Associates, by going on the Web, discovered that Procter & Gamble was developing a similar product. Unilever, the CTO’s client, had to decide whether to offer that product at a lower price, add more features, or simply avoid the Chinese market entirely. How did Unilever get wind of P&G’s plans? The CTO found P&G’s new product report on P&G’s own corporate intranet, access to which Unilever was able to get through the CTO and a common supplier. Without this information, Unilever would have gone into China blind. Note what this episode says about the other side of the relationship: an intranet is not a public source, and a supplier account that can read a customer’s new-product reports is a leak waiting to happen for whoever owns that intranet.

But it takes far more than watching Web sites to get smart about CI. Compaq Computer Corp. gets it. Because of the increased role of technology in information gathering, Compaq has established an intranet communications system in which a salesman in Egypt, for example (when told by a potential client that Compaq needs to team with another vendor to get a job done), can instantly obtain information about that other vendor and then report back what he or she learns, so other salesmen can benefit from the data. Recently, one of Compaq’s clients was allowed to increase a deal from $1 million to $25 million—simply by ferreting out information about the client’s key rivals and their technology plans.

At Royal Dutch/Shell Group, the CIO is part of the CI team and is in charge of helping corporate snoopers gather and distribute key bits of information about rivals to company executives. Shell’s CI office provides benchmarks on competitors to the CIO, and the CIO then develops customized search software to help the CI team sift through files. At Shell, the CI is all about aiding the decision-making process. It’s a mix of technology and people. Ideally, the CIO should be the hub for CI throughout the company.

To be sure, most CIOs are still far more likely to be shopping for technology than actively participating in CI tag teams and strategy sessions. But increasingly, companies like P&G are realizing they cannot move forward on CI without asking CIOs to help tag and distribute priority data to the people inside the company who most need to know.

Companies that ignore the CIO do so at their peril. Recently, that happened to a large telecom equipment maker with 10,000 home pages on its supply-chain intranet. Several hundred of the home pages were dedicated to the competition. But, there was no coordination between home pages. This was a situation where the CIO could have taken charge and made sure the information was in one spot. How many tens of millions of dollars were thrown at that intranet and wasted annually in inefficient man-hours?

Where to begin? Ideally, CIOs can help marketing and sales strategies turn on a dime. CI teams should spend one-third of their time gathering information on a project, one-third in analysis, and one-third discussing their findings. Instead, many companies spend 80% of their CI time on collection, most of the rest on analysis, and very little on communication that reaches everyone. CIOs can step in and devise ways to improve the ability of executives to focus on information that really matters to them, with filters that take out the junk nobody needs to be looking at.

CIOs also can help determine what the company considers junk. Often the best competitive information does not appear as highly structured data, such as financial information. More likely, it’s something like an offhand comment in a press release, a photograph in a rival’s advertisement, or a soundbite from a television news show.

Once the best data is tagged for collection, who gets access to it? If you search for data involving a two-in-one laundry soap and fabric softener, what terms do you classify, and which do you let everyone see? CIOs can help companies figure out how to tag, gather, store, and distribute a wide range of competitive data with differing levels of access and indexing—and with standards that are consistent throughout the company, domestically and abroad. Most companies are sloppy about this. They haven’t marked documents as confidential. And nobody beyond a certain level knows what, specifically, they’re trying to find. They just know they want something, and fast. And with a proliferation of business relationships these days (joint ventures, M&As, supply-chain collaborations, and so forth) you really need to do an information audit to make sure you know what you have and what you need.

Building Teams

You need to build teams with diverse membership. People who understand the concept of organizing information and indexing it could be paired with someone who understands different technology capabilities, such as a relational database showing connections between different terms or items. As managers, CIOs have to assemble different strengths on a CI project so that the team is not an abundance of hammer holders who look only for nails.

But, don’t get carried away on the technology. A study conducted by Fuld & Company[i] found flaws with many of the 170 software packages with potential CI applications. None of them were able to take companies through the process of data identification, discovery, distribution, and analysis. Each did some part of the process, but not the whole thing. The thinking machine has not yet arrived. No company should buy a software package in the hope it will build an intelligence process for the corporation. CIOs need to help build that. It won’t come off the shelf.

Still not convinced? CIOs confident that their rivals’ intranet data is too safe to even try prying open should take a ride down Virginia’s Dulles Corridor, a throughway outside Washington, D.C., which is lined with high-tech firms. If you have a laptop, slip a wireless card[ii] into it and drive down Route 7. You can actually pick up one wireless network after another, including the networks of a major credit clearinghouse, as well as Department of Defense contractors that store classified data on their servers. (Merely observing the beacons is one thing; associating with such a network or reading its traffic without authorization is unauthorized access, and illegal.) The point is that an unsecured wireless network places an attacker inside the perimeter: instead of hacking in from the Internet through the firewall, people can hack from inside on the intranet, albeit from the road, and probably get to the accounting server or worse. Imagine the kind of damage that a terrorist organization could do!

But, for all the digital dumpster-diving out there, don’t forget that even the most high-tech firms are still using plenty of old-fashioned snooping. For example, when Oracle Corp. got caught (in the summer of 2000) hiring a Washington, D.C.-based detective group to dig into the dealings of organizations sympathetic to Microsoft Corp., it didn’t use even a byte of cybersleuthing. It did it the old-fashioned way—rummaging through the dumpsters of one of those groups by bribing janitors at its Washington office.

In other words, in this business, you need to be aggressive. Take the offensive. And always recall the words of ancient Chinese general Sun Tzu (6th–5th century B.C.): “Be so subtle that you are invisible, be so mysterious that you are intangible; then you will control your rival’s fate.”

Finally, let’s look at the concept of Strategic Cyber Defense as it relates to data identification. This is a complex and broad-ranging concept. Yet, despite this complexity, you can make some progress in developing your understanding by focusing on a few key elements of any good defensive strategy. This last part of the chapter will specifically focus on the long-recognized value of deterrence, through threat of retaliation, as an effective means of defense. The means for enabling deterrence in the cyber realm will be introduced briefly here. A much more detailed discussion of cyber realm deterrence is found in Chapters 12 through 18 of Part IV: “Countermeasures: Information Warfare.”

Deterrence Through Attacker Identification

Deterrence is a fundamental element of defensive strategy. However, for deterrence to be effective, potential antagonists must be convinced that they will be identified, and punished swiftly and severely. This is the essence of the three key causal variables of the General Deterrence Theory: certainty, severity, and celerity. Unfortunately, although the methods for identifying perpetrators of crimes in the law enforcement and military contexts are well developed, similar capabilities do not currently exist for the networked cyber realm. Thus, although deterrence is recognized as a highly effective defensive strategy, its applicability to defense against attacks on our nation’s information infrastructures has not been clear, mainly due to the inability to link attackers with attacks.

A conceptual tool that can help to visualize and understand the problem is to think of a thread, or sequence, of steps (with requisite technologies) necessary to effect a deterrent capability: detect the attack, identify and locate the attacker, collect evidence that will survive legal or political scrutiny, and respond. As with the weak link and picket fence analogies, if any one of these steps is missing or ineffective, the ability to achieve the desired result is compromised.

Looking at this sequence, you can see that current intrusion detection technology is focused primarily on the first element, detection. Any response is generally limited to logging, reporting, and isolating or reconfiguring. What is missing is the ability to accurately identify and locate attackers, and to develop the evidentiary support for military, legal, or other responses selected by decision makers. Although defensive techniques are important, it’s critical not to stovepipe in such a way that you can’t effectively link with the offensive component of an overall Strategic Cyber Defense.

In addition to detecting the attacks, perhaps you should also be developing a forensic (data identification) capability, to pass the necessary targeting data on to the offensive components of the force, regardless of whether the response is through physical or cyber means. Such a capability is critical if your cyber defenses are to transcend a merely reactive posture to one in which both offensive and defensive techniques can be effectively applied in tandem. This is in line with the established principles of war, which suggest that an offensive (and, therefore, deterrent) spirit must be inherent in the conduct of all defensive operations. Forensics could help to provide the bridge between the defensive and offensive elements of an overall cyber defense strategy. Accurate and timely forensic techniques would also enable the effective use of the three elements of deterrence. Otherwise, attackers can act with impunity, feeling confident that they need not fear the consequences of their actions.

Forensics is a promising area of research that could help to provide the identification and evidence necessary to support an offensive response against attacks on our information infrastructure, regardless of whether that response is executed through physical, information warfare (IW), or other means. Although forensic techniques are highly developed for investigations in the physical realm (and are being developed for application to computer crime), what is needed is an analogous capability for real-time distributed network-based forensic analysis in the cyber realm. It would seem appropriate to incorporate the collection of forensic data with the intrusion detection and response types of technologies currently being developed. Critical supporting technologies include those needed for correlation and fusion of evidence data, as well as automated damage assessment.

The importance of solid identification and evidence linking an attacker with an attack will be critical in the increasing complexity of the networked information environment. Cyber attacks against the United States and its allies may not have the obvious visual cues and physical impact typically associated with attacks in the physical realm. In these cases, the available courses of action will be heavily influenced by various political, legal, economic, and other factors. Depending on the situation, it may be necessary to have irrefutable proof of the source of the attack, the kind of proof typically developed through forensic types of methods.

For example, the RAND Corporation[iii] has recently recommended to DARPA some approaches that are both similar and complementary to those suggested in this part of the chapter, based on the results of its “Day After in Cyberspace” exercise. One suggested concept is a cyberspace hot pursuit capability, to aid in the back-tracing of incidents to discover perpetrators. RAND also points out that use of such a capability implies the need for laws specifying who is authorized to conduct cyberspace pursuits, and cooperative agreements with foreign governments and organizations. A second suggestion is the development of a tamperproof, aircraft-like black box recording device to ensure that when an incident occurs and is not detected in real time, the trail back to the perpetrator does not become lost. In practice the achievable property is tamper evidence rather than tamper proofing: the recorder must make any later alteration or deletion of its records detectable, and the records must be kept somewhere the intruder who owns the host cannot also rewrite.
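As an added illustration of the black-box idea, not part of the original text and not RAND’s design, the following Python sketch implements a hash-chained event recorder: each entry carries the SHA-256 of the previous entry, so an altered record breaks the chain, and a copy of the head hash kept off the host (an assumption about the deployment, such as WORM media or a second machine) exposes truncation as well. The sensor names, addresses and connection records are constructed for the example.

```python
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # stands in for the hash of the (nonexistent) entry before the first


def _digest(seq: int, prev: str, record: dict) -> str:
    """Hash of one entry: its position, the previous entry's hash, and the event.
    Canonical JSON (sorted keys, no whitespace) so a record always hashes the same."""
    body = json.dumps({"seq": seq, "prev": prev, "record": record},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


class BlackBox:
    """Append-only, hash-chained event recorder (hypothetical design for this example)."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def append(self, record: dict) -> str:
        seq = len(self.entries)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": seq, "prev": prev, "record": dict(record),
                 "hash": _digest(seq, prev, record)}
        self.entries.append(entry)
        return entry["hash"]

    def head(self) -> str:
        """Hash of the newest entry; a copy kept off-host is the anchor for verify()."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, anchored_head: Optional[str] = None) -> Tuple[bool, int]:
        """Return (ok, index of first bad entry); index is -1 when all is well.
        Without an anchor only in-place edits are caught; with one, a deleted or
        wholesale-rewritten tail is caught too, because the head no longer matches."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(i, prev, e["record"]):
                return False, i
            prev = e["hash"]
        if anchored_head is not None and prev != anchored_head:
            return False, len(self.entries)
        return True, -1


# Constructed sample: connection records from two hypothetical sensors, showing an
# outside host probing a DMZ machine which then moves laterally on port 445.
SAMPLE_EVENTS = [
    {"ts": "2002-03-04T02:11:07Z", "sensor": "edge-1", "src": "203.0.113.7", "dst": "192.0.2.10", "dport": 22},
    {"ts": "2002-03-04T02:11:09Z", "sensor": "edge-1", "src": "203.0.113.7", "dst": "192.0.2.10", "dport": 23},
    {"ts": "2002-03-04T02:11:12Z", "sensor": "edge-1", "src": "203.0.113.7", "dst": "192.0.2.11", "dport": 22},
    {"ts": "2002-03-04T02:12:40Z", "sensor": "dmz-2", "src": "192.0.2.11", "dst": "198.51.100.5", "dport": 445},
    {"ts": "2002-03-04T02:13:02Z", "sensor": "dmz-2", "src": "192.0.2.11", "dst": "198.51.100.6", "dport": 445},
]


def demo() -> Dict[str, Tuple[bool, int]]:
    box = BlackBox()
    for ev in SAMPLE_EVENTS:
        box.append(ev)
    anchor = box.head()  # the copy that would be written to WORM media or another host
    results = {"intact": box.verify(anchor)}

    # An intruder rewrites the source address in one entry to shift blame.
    box.entries[2]["record"]["src"] = "10.0.0.9"
    results["edited"] = box.verify(anchor)
    box.entries[2]["record"]["src"] = SAMPLE_EVENTS[2]["src"]

    # The intruder instead deletes the two newest entries (the lateral move).
    del box.entries[-2:]
    results["truncated_unanchored"] = box.verify()
    results["truncated_anchored"] = box.verify(anchor)
    return results


if __name__ == "__main__":
    for name, (ok, idx) in demo().items():
        print(f"{name:22s} ok={ok} first_bad_index={idx}")
```

The four results show the two failure modes the text worries about: an edited record is caught by the chain alone, but a deleted tail passes an unanchored check and is only exposed when the stored head is compared. It is the anchor, not the chain, that makes the recorder worth calling tamper-evident, and it is evidence of tampering rather than prevention: an intruder with write access to both the log and the anchor can still rewrite history.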

Extending the aircraft analogy further, the need for effective identification during cyberspace pursuits, and for coordinating offensive IW response actions through intermediary friendly networks, may necessitate a type of network IFF capability, just as the introduction of fast-moving aircraft in the physical realm necessitated the need for secure Identification Friend or Foe (IFF). Although the need for IFF has traditionally been a concern at the tactical level of warfare, the failure to effectively deal with such issues could certainly have strategic implications.

One issue of concern at the strategic level of information warfare is the distinction between the military and private sector information infrastructures. It is clearly not feasible to require the private sector to secure its systems to the level required for military networks. The approach suggested in this part of the chapter may be applicable regardless of whether the networks attacked belong to the military. For example, in the physical realm today, if a civilian target is struck, the FBI and other Federal agencies are called in to assist and investigate the incident; when the identity of the attackers is determined, appropriate legal, political, or military actions are taken in response. From an organizational perspective, efforts are under way to develop the necessary coordination structures between government and the private sector, such as the National Infrastructure Protection Center. From a technical perspective, major elements of the commercial infrastructure could participate in a national-level monitoring system, whereas private entities could maintain their own in-house capabilities with the ability to provide necessary data to national authorities following an incident, just as would be the case with the FBI being called in to investigate a crime.

Another fundamental concern the suggested approach may help to address is the problem of malicious insiders. The security paradigm of enclaves separated by boundary controllers is most effective against attacks from the outside. Attacks initiated from within the enclave, possibly even by a trusted insider, have traditionally been much harder to defend against. Cyber forensics techniques may provide the type of capability needed to deal with this problem, which simply cannot be addressed by traditional security techniques based on privileges. Such systems only check whether a user is acting within the prescribed privileges; they remain oblivious to abuse of those privileges, because an insider who exports a whole customer database one record at a time is, at each step, doing something he is allowed to do.
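To make the last point concrete, here is an added example, not from the original text, of the two checks side by side over a constructed access log: a privilege check that answers only “is this user allowed to do this?”, and a forensic-style abuse check over the same records that notices when a legitimately privileged user touches far more records in a short window than any normal task needs. The log format, user names, privilege table and thresholds are invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Invented log format: one access per line, ISO timestamp then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"object=(?P<obj>\S+) id=(?P<id>\S+)$"
)

# Hypothetical privilege table: user -> set of (action, object type) pairs allowed.
ACL = {
    "jsmith": {("read", "customer_record")},
    "rkhan": {("read", "customer_record"), ("write", "customer_record")},
}

# Constructed sample log. jsmith holds a legitimate read privilege and pulls one
# record after another in about a minute (and tries one write he is not allowed);
# rkhan works at a normal pace.
SAMPLE_LOG = """\
2002-03-04T09:02:11 user=rkhan action=read object=customer_record id=2001
2002-03-04T09:31:40 user=rkhan action=write object=customer_record id=2001
2002-03-04T10:15:02 user=jsmith action=read object=customer_record id=1042
2002-03-04T10:15:09 user=jsmith action=read object=customer_record id=1043
2002-03-04T10:15:15 user=jsmith action=read object=customer_record id=1044
2002-03-04T10:15:21 user=jsmith action=read object=customer_record id=1045
2002-03-04T10:15:28 user=jsmith action=read object=customer_record id=1046
2002-03-04T10:15:34 user=jsmith action=read object=customer_record id=1047
2002-03-04T10:15:41 user=jsmith action=read object=customer_record id=1048
2002-03-04T10:16:05 user=jsmith action=read object=customer_record id=1049
2002-03-04T10:20:00 user=jsmith action=write object=customer_record id=1042
2002-03-04T10:58:30 user=rkhan action=read object=customer_record id=2002
""".splitlines()


def parse(line: str) -> dict:
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def authorized(ev: dict) -> bool:
    """The privilege check: is this (action, object type) permitted for this user?"""
    return (ev["action"], ev["obj"]) in ACL.get(ev["user"], set())


def bulk_access_alerts(events: List[dict],
                       window: timedelta = timedelta(minutes=10),
                       threshold: int = 5) -> Dict[str, int]:
    """The abuse check: flag a user who touches more than `threshold` distinct
    records within any `window`-long stretch, however legitimate each single
    access was. Returns user -> largest number of distinct records in one window."""
    by_user: Dict[str, List[dict]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)
    alerts: Dict[str, int] = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide the window forward
                start += 1
            distinct = {e["id"] for e in evs[start:end + 1]}
            if len(distinct) > threshold:
                alerts[user] = max(alerts.get(user, 0), len(distinct))
    return alerts


def analyze(lines: List[str]) -> dict:
    """Run both checks; the privilege check sees one bad line, the abuse check sees jsmith."""
    events = [parse(line) for line in lines]
    unauthorized = [line for line, ev in zip(lines, events) if not authorized(ev)]
    return {"unauthorized": unauthorized, "bulk_alerts": bulk_access_alerts(events)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("denied by privilege check:", result["unauthorized"])
    print("flagged by abuse check:   ", result["bulk_alerts"])
```

The privilege check rejects exactly one line, jsmith’s write, and would happily pass the eight reads that precede it; only the window-based check, which looks at the pattern rather than each access in isolation, flags the bulk pull. In a real deployment the threshold would come from each role’s observed baseline rather than a constant, and the alert would carry the offending lines as evidence rather than a count.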

[i]Fuld & Company Inc., 126 Charles Street, Cambridge, MA 02141, 2002.

[ii]John R. Vacca, Wireless Broadband Networks Handbook: 3G, LMDS and Wireless Internet, McGraw-Hill Professional Book Group, 2001.

[iii]RAND Corporation, 177 Whitmore Road, Unit #8, Woodbridge, Ontario, Canada, L4L6A6, 2002.


