For espionage of the cloak-and-dagger variety, it is hard to beat the pages of John le Carré or Ian Fleming. But the world of corporate spying has plenty of drama of its own. Take the alleged skulduggery in a recent court case involving two American software firms. In May a jury awarded Appian, whose headquarters are in McLean, Virginia, a whopping $2bn in damages after it had accused Massachusetts-based Pegasystems of illegally snooping on it to gain a competitive edge. The trial revealed that Pegasystems executives had referred to a contractor hired to obtain some of the ingredients of Appian’s secret sauce as “our spy” in internal documents, and had dubbed the overall spying effort “Project Crush”. Pegasystems, whose stock plummeted after the ruling, and which is set to face a barrage of class-action suits from disgruntled investors, has vowed to appeal against the “unjust” decision.
The episode illustrates how interest in business espionage, and learning how to foil it, has broadened. Snooping is no longer mostly centred on a few “sensitive” industries that have long been vulnerable, such as defence and pharmaceuticals. It is increasingly used to target smaller companies in surprising sectors, including education and agriculture. It has, in short, become more of a general business risk. Just as the cold war may have been the heyday of great-power spookery, at least in the popular imagination, corporate espionage may now be entering its golden age.
There are two, closely intertwined reasons for this. The first is the inexorable growth of the intangible economy; intellectual property (ip) is increasingly the currency of business. The second is the growing sophistication of online hackers. ceos should be worried when they see their firms’ secrets being hawked on the dark web: one new marketplace, Industrial Spy, flogs stolen data and documents to “legitimate” businesses. Information is sold in packets ranging from a few dollars to millions. Keeping ip safely locked in the digital vault can be devilishly difficult.
When they hear about ip, most people think of patents. Securing patents can reduce the risk, but this has become more difficult, in America at least, since a pair of Supreme Court rulings in the past decade chipped away at, respectively, protection for “business methods” and “abstract ideas” (which many software-based inventions are).
This has left companies more reliant on developing and safeguarding an equally valuable type of ip: trade secrets. These can be anything from algorithms and client lists to chemical processes and marketing plans. Among the most famous trade secrets are Coca-Cola’s recipe and the formulation for wd-40. Most are more mundane: recent legal battles have involved industrial-baking agents and floor-resin formulas. Patents offer stronger protections, but trade secrets last for ever—if they are well kept.
Snoopers’ grand adventure
Christine Streatfeild of Baker McKenzie, a law firm, talks of a “pivot” in the past five years, as more companies in more industries wake up to the need to protect their secrets. She points to stepped-up efforts in consumer goods, steel and even cannabis. Baker McKenzie has advised legal marijuana-growers in America on steps they can take to curb rivals’ access to information about their cultivation techniques, soil recipes, extract flavouring and so on.
Digitisation is making the problem thornier. As more established industries, from carmaking to education, increase investment in software-related technologies, they have more bits and bytes worth stealing. Industries with lots of startups are particularly vulnerable, says Sidhardha Kamaraju of Pryor Cashman, another law firm, because they combine lots of new tech with mobile employees who hop between up-and-coming firms. In 2018 Alphabet’s Waymo self-driving unit won a $245m settlement from Uber after alleging that one of Waymo’s former engineers took trade secrets along with his office bric-a-brac when he left for the ride-hailing firm.
The good news for firms is that legislative protections for trade secrets have grown stronger. A turning point in America was the Defend Trade Secrets Act, passed in 2016, which greatly expanded the type and number of secrets covered by federal law—and whose passage led to a 30% jump in cases filed, says Tim Londergan of Tangibly, an ip-management firm.
The bad news is that many firms are surprisingly poor managers of such secrets. It is not enough to make reasonable efforts to keep the information confidential. The secret also has to be clearly articulated. Failure to do this has been exposed in a number of cases that have gone to trial in recent years. In one, Mallet, a baking-products firm, failed to block an upstart rival from using release agents (which allow loaves and buns to be more easily removed from pans) similar to its own, after an American appeals court ruled, in effect, that Mallet hadn’t adequately described and documented its secret formula.
Such rulings have encouraged more corporate leaders to demand “ip audits” and use the results to improve their safeguarding of valuable secrets. This, in turn, has fuelled the growth of a cottage industry of trade-secrets consultants and software-solutions firms. Lawyers, too, are in demand. “There are plenty of patent lawyers, but not enough who really understand trade secrets, and they tend to focus on litigation, once the problem has already arisen,” says Mr Londergan. “Companies need help earlier.”
They also need to focus more on risks emanating from corporate partners, for instance in joint ventures. This is often “an afterthought” even among multinationals, Mr Londergan suggests. He points to tsmc, a Taiwanese chipmaker, as one of the few globally active companies that come close to best practice in how they articulate and manage their trade secrets.
tsmc has good reason to want to get it right. It operates in a highly sensitive industry chock-full of proprietary information that rivals would love to get hold of. On its doorstep is China, which bears Taiwan ill will and is widely acknowledged as the world leader in ip theft (having been its victim in the 18th century, when Jesuit priests were sent from Europe to nick Chinese trade secrets in porcelain-making). Taiwanese authorities say that in recent months they have uncovered several attempts by China to poach semiconductor engineers using Chinese firms that registered on the island unlawfully by obfuscating their origins. In May Taiwan’s parliament passed a law that punishes anyone who obtains or uses designated “core” technologies for the benefit of “external entities” with up to 12 years in prison.
America, too, has cracked down with China in mind. According to America’s Department of Justice, roughly four-fifths of all economic-spying cases it brings “allege conduct that would benefit the Chinese state”. The best-known case of suspected espionage by China, involving Huawei, a telecoms-gear maker, is the tip of a large iceberg.
As big a threat as China is, it is not alone. Ostensibly friendly states spy, too. Israel has been known to snoop on American firms for the benefit of its tech and military industries. And it is not always helpful to think of the threats posed by different kinds of actors—company insiders, corporate rivals or governments—as discrete. Sometimes several of them are at work simultaneously. Take the recent sentencing of You Xiaorong, a former chemist at Coca-Cola, to 14 years at Uncle Sam’s pleasure. Ms You was convicted of stealing trade secrets relating to coatings on the inside of beverage cans. She used the filched formula to set up her own company in China, with backing from a local partner. Their venture was backed with grants from the Chinese government. Whether or not Chinese officials were aware of the theft is unclear.
The case highlights another challenge for companies trying to keep a lid on secrets. They can spend as much as they like on beefing up their it systems, but they still need to watch out for older, more analogue forms of exfiltration. Operatives for Procter & Gamble (p&g) were once caught diving in dumpsters outside a Unilever office in Chicago in search of information about its consumer-goods rival’s marketing strategy. Ms You apparently used her phone to take pictures of sensitive documents to bypass Coke’s security measures. People use smartphones in offices all the time. How to tell if it is for nefarious reasons?
Moreover, much corporate spying can be—from the point of view of those being spied on—frustratingly fuzzy. Some snooping is perfectly legal. Many hedge funds specialise in watching activity in factories, using foot-soldiers or satellite imagery, to gauge output and bet accordingly on stocks. At the other extreme is stuff that no ceo in their right mind would countenance: p&g’s top brass were so appalled when they learned of their lower-downs’ trash-rummaging at Unilever that they shopped their own company, resulting in a $10m fine.
Corporate Bonds
In between is a large grey area in which operatives “ride the ragged edge” of morality and the law, according to Eamon Javers in his book on corporate spying, “Broker, Trader, Lawyer, Spy”. Many of these work for outfits hired by companies to do their dirty work, sometimes to give them plausible deniability.
The corporate-intelligence industry came of age in the vicious takeover battles of the 1980s and has since grown at breakneck speed. Its well-known names, such as Kroll and Control Risks, are at the top of a pyramid containing thousands of mostly small firms. Most such work is legal and quite dull—for instance, performing due diligence on clients’ prospective business partners. But there are cases of firms undertaking dubious activity, from wiretapping to impersonation. In the 19th century, the grandfather of the industry, Allan Pinkerton, laid out (and largely followed) a strict code of conduct. Mr Javers worries that some of Pinkerton’s modern day counterparts routinely violate many of his gentlemanly commandments.
None of this is going away. Employee mobility is at or near an all-time high. Companies, and the tactics they use, get more desperate in downturns. And the geopolitical backdrop is growing frostier, increasing incentives for underhand activity by states or their proxies. “Casino Royale” it may not be, but the spectre of surging economic espionage is real. ■