CORPORATE AND INDUSTRIAL ESPIONAGE AND THEIR EFFECTS ON AMERICAN
COMPETITIVENESS
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON
INTERNATIONAL ECONOMIC POLICY AND TRADE
OF THE
COMMITTEE ON
INTERNATIONAL RELATIONS
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTH CONGRESS
SECOND SESSION
__________
SEPTEMBER 13, 2000
__________
Serial No. 106-180
__________
Printed for the use of the Committee on International Relations
Available via the World Wide Web: http://www.house.gov/
international--relations
__________
U.S. GOVERNMENT PRINTING OFFICE
68-684 WASHINGTON : 2000
______
COMMITTEE ON INTERNATIONAL RELATIONS
BENJAMIN A. GILMAN, New York, Chairman
WILLIAM F. GOODLING, Pennsylvania SAM GEJDENSON, Connecticut
JAMES A. LEACH, Iowa TOM LANTOS, California
HENRY J. HYDE, Illinois HOWARD L. BERMAN, California
DOUG BEREUTER, Nebraska GARY L. ACKERMAN, New York
CHRISTOPHER H. SMITH, New Jersey ENI F.H. FALEOMAVAEGA, American
DAN BURTON, Indiana Samoa
ELTON GALLEGLY, California DONALD M. PAYNE, New Jersey
ILEANA ROS-LEHTINEN, Florida ROBERT MENENDEZ, New Jersey
CASS BALLENGER, North Carolina SHERROD BROWN, Ohio
DANA ROHRABACHER, California CYNTHIA A. McKINNEY, Georgia
DONALD A. MANZULLO, Illinois ALCEE L. HASTINGS, Florida
EDWARD R. ROYCE, California PAT DANNER, Missouri
PETER T. KING, New York EARL F. HILLIARD, Alabama
STEVEN J. CHABOT, Ohio BRAD SHERMAN, California
MARSHALL ``MARK'' SANFORD, South ROBERT WEXLER, Florida
Carolina STEVEN R. ROTHMAN, New Jersey
MATT SALMON, Arizona JIM DAVIS, Florida
AMO HOUGHTON, New York EARL POMEROY, North Dakota
TOM CAMPBELL, California WILLIAM D. DELAHUNT, Massachusetts
JOHN M. McHUGH, New York GREGORY W. MEEKS, New York
KEVIN BRADY, Texas BARBARA LEE, California
RICHARD BURR, North Carolina JOSEPH CROWLEY, New York
PAUL E. GILLMOR, Ohio JOSEPH M. HOEFFEL, Pennsylvania
GEORGE RADAVANOVICH, Califorina [VACANCY]
JOHN COOKSEY, Louisiana
THOMAS G. TANCREDO, Colorado
Richard J. Garon, Chief of Staff
Kathleen Bertelsen Moazed, Democratic Chief of Staff
John P. Mackey, Republican Investigative Counsel
------
Subcommittee on International Economic Policy and Trade
ILEANA ROS-LEHTINEN, Florida, Chairman
DONALD A. MANZULLO, Illinois ROBERT MENENDEZ, New Jersey
STEVEN J. CHABOT, Ohio PAT DANNER, Missouri
KEVIN BRADY, Texas EARL F. HILLIARD, Alabama
GEORGE RADANOVICH, California BRAD SHERMAN, California
JOHN COOKSEY, Louisiana STEVEN R. ROTHMAN, New Jersey
DOUG BEREUTER, Nebraska WILLIAM D. DELAHUNT, Massachusetts
DANA ROHRABACHER, California JOSEPH CROWLEY, New York
TOM CAMPBELL, California JOSEPH M. HOEFFEL, Pennsylvania
RICHARD BURR, North Carolina
Mauricio Tamargo, Subcommittee Staff Director
Jodi Christiansen, Democratic Professional Staff Member
Yleem Poblete, Professional Staff Member
Victor Maldonado, Staff Associate
C O N T E N T S
----------
WITNESSES
Page
Sheila W. Horan, Deputy Assistant Director for Counter
Intelligence, National Security Division, Federal Bureau of
Investigation.................................................. 3
Dan Swartwood, Corporate Information Security Manager, Compaq
Computer Corporation........................................... 12
Scott Charney, Partner, PricewaterhouseCoopers................... 14
Austin J. McGuigan, Senior Partner, Rome, McGuigan, and Sabanosh,
P.C............................................................ 16
APPENDIX
Prepared statements:
The Honorable Ileana Ros-Lehtinen, a Representative in Congress
from Florida and Chair, Subcommittee on International Economic
Policy and Trade............................................... 26
Sheila W. Horan.................................................. 29
Dan Swartwood.................................................... 40
Scott Charney.................................................... 48
Austin J. McGuigan............................................... 51
CORPORATE AND INDUSTRIAL ESPIONAGE AND THEIR EFFECTS ON AMERICAN
COMPETITIVENESS
----------
WEDNESDAY, SEPTEMBER 13, 2000
House of Representatives,
Subcommittee on International Economic
Policy and Trade,
Committee on International Relations,
Washington, DC.
The Subcommittee met, pursuant to notice, at 2:09 p.m. in
room 2200, Rayburn House Office Building, Hon. Ileana Ros-
Lehtinen (chairman of the Subcommittee) presiding.
Ms. Ros-Lehtinen. The Subcommittee will come to order.
The past decade has brought profound changes, yet some of
the characteristics of the old world order continue to live on
today, with some of the darker impulses of yesteryears adapting
to fit a new time and a new set of standards and requirements.
The front line is no longer the one which divides East and
West, but the one defined by technological innovations. The
battle lines lie in research and development. Resources
designed and previously used exclusively for military
intelligence gathering are now being expanded to gather
intelligence on mergers, investments and other financial
transactions. The generals are being replaced with CEOs, and
the bottom line is not ideological, but financial.
The threat of economic and industrial espionage looms over
the horizon of the business world like a gray cloud threatening
a placid sea. Those who develop a competitive advantage over
their rivals stand to make millions from their innovations.
That profit is enough for some to seek an unearned advantage of
their own by indulging in corporate espionage as a quick fix
solution to their creative deficiencies and their inability to
remain competitive in their field.
In a survey of Fortune 500 companies, the American Society
for Industrial Security estimated that last year U.S.
corporations sustained losses of more than $45 billion from the
theft of trade secrets. Companies reported that on average,
each had suffered 2.5 incidents of unauthorized appropriation
of proprietary information. The average estimated loss per
incident was calculated to be over $500,000, with most
incidents occurring in the high technology and service sectors.
In another study, Pacific Northwest National Laboratory,
under contract by the FBI, developed an economic loss model in
an attempt to assess economic losses resulting from
intellectual property theft. This model determined that the
misappropriation of intellectual property resulted in over $600
million in lost sales and the direct loss of 2,600 full-time
jobs per year.
The same technology which has propelled our economy to
unparalleled heights is also the mechanism which allows for
those practicing corporate espionage to more easily sneak into
a corporation's files, gather sensitive information and escape
without a trace. However, industrial espionage is a crime which
continues to be best accomplished through low tech means and is
not necessarily dependent upon high tech gadgetry.
A vast majority of corporate espionage crimes do not occur
in cyberspace, but rather in person, face to face. For example,
key employees within a given corporation might be sought by a
rival company for information or recruited by spies posing as
consultants or headhunters at trade shows.
Competitors often examine a company's own internet home
page, where key technical employees are often listed, and craft
strategies on how to lure that employee away from that firm.
This is done because information can be meaningless without the
help of trained employees who understand how a particular
technology is used.
A critical step was taken in 1996 with the passage of the
Economic Espionage Act. Since its enactment, the U.S.
Government has prosecuted 18 cases of corporate or industrial
espionage, yet these crimes and the threat they pose to U.S.
economic security continues to escalate.
Some would argue that this is because we are the leading
target of these crimes due to our position in the global
marketplace and our technological leadership. The United States
produces the majority of the world's intellectual property
capital, including patented inventions, copyrighted material
and proprietary economic information. Factor in the incredible
ingenuity and inventiveness of the American worker, and one can
easily see why this problem is so pronounced in the American
workplace.
Other observers contend that if the punitive portions of
the Economic Espionage Act were strengthened to make it more
costly for corporations and governments to engage in industrial
espionage against the United States, the desired deterrent
effect would be achieved. Many have raised export restrictions
as a strong option for the United States to take, and have
underscored the need to secure binding commitments from our
allies in the Organization for Economic Cooperation and
Development and other international forums.
We hope to examine these and other pertinent issues during
the course of today's hearing and look forward to the
recommendations of our panelists on the steps that Congress can
take to help curtail the proliferation of economic espionage.
I would like to yield to the Ranking Member of our
Subcommittee, Mr. Bob Menendez of New Jersey.
Mr. Menendez. Thank you, Madam Chairlady. I appreciate your
hearing today. This is an important subject, one that warrants
and receives increasing attention. As our witnesses have
pointed out in the past and will again today, opportunities to
steal trade secrets are on the rise, particularly as society
relies more and more on computers and the internet for the
development, storage and communication of ideas and designs.
For the purposes of this hearing, of course, we really
should distinguish between legal and illegal spying or
corporate intelligence, as legitimate gathering of company data
is called, and as we are the International Relations Committee
we must, of course, distinguish as well between domestic and
foreign theft.
Only a fraction of the problem is actually foreign theft of
U.S. trade secrets. According to the American Society for
Industrial Security, more than three of every four thieves are
employees or contractors. Another 6 percent or more are
domestic competitors. Only 7 percent steal secrets on behalf of
a foreign company or government. Still, this amount of foreign
theft of U.S. trade secrets amounts to possibly billions of
dollars annually, and ease of access to computers and internet
and intranet sites will make foreign theft much easier and much
more common.
I realize that much of the testimony today will focus on
the problem as a whole, on the threats from employees, on the
need to educate businesses about the risks and how to protect
themselves, on the need to inform the public and policymakers
about what is acceptable and not within the bounds of corporate
intelligence, but I do hope also that we can focus to the
extent possible on what exactly are the threats from abroad and
how government can best work to prevent corporate espionage
that will threaten the United States' competitiveness.
I know that our witnesses will make some specific
recommendations for new and improved legislation, and we look
forward to exploring those with you. We look forward to the
responses of the Administration as to some of those and to the
testimony here today.
Thank you.
Ms. Ros-Lehtinen. Thank you so much, Mr. Menendez.
It is a pleasure to have with us our first Administration
witness who will share with us her views on the effects which
corporate and industrial espionage have American
competitiveness. It is our pleasure to introduce Sheila Horan,
Deputy Assistant Director on Counter Intelligence for the
Federal Bureau of Investigation.
A special agent of the FBI since 1973, Ms. Horan has held a
number of positions within the Bureau, including Assistant
Special Agent in Charge for Administration in the New York
office and the Associate Special Agent in Charge in
Philadelphia. In 1998, Ms. Horan was transferred to her current
position as Deputy Assistant Director for Counter Intelligence
with the National Security Division at FBI headquarters.
We thank you, Sheila, for being here today. We will include
your entire testimony for the record, and feel free to abridge
your comments.
[The prepared statement of Ms. Ros-Lehtinen appears in the
appendix.]
STATEMENT OF SHEILA HORAN, DEPUTY ASSISTANT DIRECTOR FOR
COUNTER INTELLIGENCE, FEDERAL BUREAU OF INVESTIGATION
Ms. Horan. Thank you very much, Madam Chairman. I am
gratified to see that you are anxious and willing to engage
with us in grappling with the immense problem facing us today
with regard to the protection of sensitive information,
proprietary information, security, economic competitiveness and
economic security in this----
Ms. Ros-Lehtinen. Ms. Horan, if I could interrupt you?
Ms. Horan. Yes?
Ms. Ros-Lehtinen. I am so sorry, Mr. Burr. I should have
looked back. I have these funny glasses on today. I apologize.
Mr. Burr. The gentlelady is awfully kind to stop, but I
would rather hear from our witnesses. I thank the Chair.
Ms. Ros-Lehtinen. Thank you. I am so sorry.
Ms. Horan. Thank you, sir.
So you have my statement, and rather than regurgitating
that now I will just make some points, and then we can get on
to the questions if you would like.
The Attorney General essentially defines economic espionage
as the unlawful or clandestine targeting and acquisition of
sensitive financial, trade or economic policy information,
proprietary economic information or critical technology.
In today's environment, intellectual property and economic
information in general have become the most important and
sought after commodity by all nations of the world. No question
about it. I would say that because of our unique position in
the world as a target rich nation for natural resources,
intellectual property, just general overall wealth, that we are
the No. 1 target in the world for economic espionage and the
stealing of that information and secrets.
Why are we the most sought after commodity? The United
States, that is. It is a pretty complex situation actually, but
three reasons sort of come to the fore. The first is the
collapse of the Soviet Union and the tremendous relief that
that has brought throughout the world.
There were essentially, and not to be overly simplistic,
but two large camps in the world, and various countries in the
world devoted their natural resources, their personnel
resources and their general overall wealth toward supporting
their position either with the west or with the Soviet empire.
When the empire fell, they found themselves looking around
and saying look, we have got to redefine what is our national
security. It is no longer aligning ourselves with the Soviet
Union or the west. It is we have to have a piece of the
economic pie. We want to do this. We want to have wealth as
well. So the intelligence services, as well as the governments
themselves, said who has the most, and the answer is the United
States has the most.
Second, allies, military allies, who were--as well as
ideological allies--during that last 50 years of our history
are now aggressive economic competitors. We are faced with
former friends I do not want to say attacking, but certainly
working against us very aggressively in order to get again a
piece of the pie.
Third, rapid globalization of the world economy defines
national security not so much in how many tanks you have
deployed or how many soldiers you have on the field
necessarily, but instead their strength is measured in terms of
the nation's economic capability.
So the nations of the world, as well as our own, and
President Clinton underscored this point I think back in 1991
by saying now we should realize very strongly that national
security equals economic security. That is an extremely
important point I think for us to keep in mind in terms of our
war or our fight against economic espionage.
What are the targets? Very briefly, they come in sort of
two flavors, if I could be a little bit flip there. We are
still facing the threat and the attempted threat on classified
military defense related national information. There is no
doubt about that. There is still ongoing, and we are always
battling espionage cases on that basis.
Coming out of classified information, however, and related
to classified information is cutting edge technologies, dual
technologies, sensitive information that may not reach the
classified level and, hence, would not be subject to an
espionage case, but certainly would be fodder for economic
espionage cases and our inspection of those kinds of cases.
The other flavor, if you will, is the non-sensitive area
and theft of our non-high tech products and services. It is
very important to realize that the way we approach economic
espionage investigations. It does not have to be high tech for
us to take an interest in something. A trade secret can be just
as valuable in many instances as more sensitive or classified
information.
So that is how we approach that, and the way we approach it
is through the Economic Espionage Act, which you have already
indicated that is out there. Prior to 1996, there was only
state laws and some civil remedies for companies and
individuals and entities to pursue theft of their trade secrets
or theft of their proprietary information.
In 1996, the law gave us an overarch or gave the Federal
Government the ability with the Federal law to approach the
theft of trade secrets offering stiffer penalties and other
advantages that were not available to us and to business and
industry to pursue these cases. We have prosecuted you
mentioned 18. Actually up to date there are 20 in which we have
successfully prosecuted over the last 4 years.
Interestingly enough, the Department of Justice or Congress
actually, not the Department of Justice, was concerned that we
would take this law in 1996 and profligately investigate all
sorts of smaller issues and inappropriate crimes under this
umbrella. I think that you can be well served and proud that in
the 4-years the Bureau and the Department of Justice have
carefully looked at these cases and have had what I consider a
tremendous success in the 20 cases that we have prosecuted.
We are truly faced with a problem that because of the Cold
War and our 50 years' involvement in that perhaps did not allow
us to focus as we should have as an intelligence community, as
a government, on this problem. It is not a new problem. It has
been around for years and years and years, but our government
was focused on the Cold War issues and realities and perhaps
did not have enough time to pursue this as aggressively as we
are trying to do today.
Let me stop there, Madam Chairman, and engage with you and
your fellow Members any issues that you might want to pursue.
[The prepared statement of Ms. Horan appears in the
appendix.]
Ros-Lehtinen. Thank you so much for your testimony.
Mr. Burr, in order to make up for it I would like to
recognize you first for the questions.
Mr. Burr. The gentlelady is awfully kind.
Let me ask you, if I can. Can you give us some type of
percentage as to what you see that would be the classified part
that the theft is going after versus the non-classified?
Ms. Horan. Let me answer that, Mr. Burr, by saying that
there are two provisions in the Economic Espionage Act. One is
1831, which deals with economic espionage attempted and
conducted by a foreign entity, that is to say a foreign
intelligence service, a foreign government, a foreign
organization linked to the actual government.
The other provision is 1832, which, generally speaking, you
could characterize as a theft of trade secrets and would be
aligned with possibly white collar crime violations, theft of
essentially trade secrets, as I said.
The vast majority--well, of the 20 prosecutions that I
mentioned to the Chairwoman that we have pursued, none of them
fall in the former category of the foreign power based or
supported category. All 20 have been in the 1832, which is the
trade secrets.
In terms of how many cases, actual cases we are pursuing
that fall into the two camps, I would say that the percentage
is at this stage highly weighted in the trade secrets or the
non-classified versus the classified, although we have a
number, and I would prefer not to get into actual numbers in
this open forum, but we do have a goodly number in the other
category, the foreign based category.
Mr. Burr. And is there any dollar amount that the Bureau
has put on the current economic espionage that exists for the
U.S. economy?
Ms. Horan. We have not. As the Madam Chairperson has
mentioned, there were two, at least two, studies conducted.
ASIS did one and PNNL conducted another one in which they
projected. The PNNL case projected out of an actual trade
secret prosecuted or trade secret case. They projected out even
to tax loss, job loss, as well as monetary loss to the company
itself.
While that is illustrative to us, as is the American
Society for Industrial Security study, both of them are very
illustrative of what the actual loss is and magnificent
essentially. It is huge.
Mr. Burr. I thank you and yield back to the Chairman.
Ms. Ros-Lehtinen. Thank you so much.
Ms. Horan. OK.
Ms. Ros-Lehtinen. Thank you.
Mr. Menendez. I know we have a vote.
Mr. Menendez. I have one question or two actually. Maybe
just by joining together you can answer them together.
Ms. Horan. Sure.
Mr. Menendez. I understand there are, you said, about 20
cases or so that have been prosecuted under the EEA. I
understand that this is in part due to an agreement or an
understanding or a pledge by the Attorney General not to
prosecute cases or not to have the government pursue charges
without first having obtained the Attorney General's personal
approval to proceed and that there are 800 cases now being
considered for prosecution. Is that a correct number, and would
we expect the amount of prosecutions to go up after the 5-year
waiting period?
No. 2, is the suggestion that closing--from some of the
other witnesses we will hear about closing the loophole that
prevents prosecution for theft of their product before it is
placed into interstate or foreign commerce and the creation of
a private cause of action under the EEA, are those items that
the Department has considered or has----
Ms. Horan. I am not aware of the Department's view on the
latter issue, but on the former issue----
Mr. Menendez. If you would have the Department give us a
written response to that?
Ms. Horan. Yes, certainly I would. By all means, Mr.
Menendez.
Your first question, though, would we expect an up tick, so
to speak, in the number of prosecutions, and also you asked
about the figure 800 and whether that is accurate. I would say
that is not accurate at this time. We have about as of today,
because I checked thinking you might want to know this. We have
about 400 cases open today.
Mr. Menendez. Four hundred?
Ms. Horan. Four hundred. Because of the education efforts
that we are engaging in and trying to get the word out about
this, you must understand that industry and business are
somewhat loathe and reticent in engaging with us, but the more
they hear about the cases, the more they see the results, we
anticipate that those cases are going to raise exponentially
and in fact have raised over the years heretofore. Have
increased I should say, so, yes, definitely.
Mr. Menendez. I really look forward to the Department's
response.
Ms. Ros-Lehtinen. Thank you, and I am pleased to recognize
Mr. Manzullo, who will take over for us. Thank you.
Mr. Manzullo [presiding]. This is like musical chairs.
Ms. Ros-Lehtinen. Thank you.
Mr. Manzullo. Thank you.
I get to ask you the questions, yet I have not even heard
your testimony.
Ms. Horan. Well, I will be happy to hand it to you right
now.
Mr. Manzullo. I have it right here. Forgive me if I ask
this question----
Ms. Horan. That is quite all right.
Mr. Manzullo. What is the line beyond which inquiry or
gathering information becomes a violation of the Economic
Espionage Act?
Ms. Horan. Let me try and answer that question this way.
There are a number of ways that we look at and approach
economic espionage in the FBI and intelligence community wide.
We are not doing this ourselves. We are enjoined with the
Department of Defense, the Central Intelligence Agency,
Commerce, Customs, etc. This is not an FBI unilateral
responsibility, but we sort of coordinate it.
One of the main ways we do that is utilizing the Economic
Espionage Act of 1996, which I think is what you are referring
to. We also have a responsibility under our counterintelligence
mandate and apart from any criminal mandate to gather
information and collect and disseminate information with regard
to foreign targeting of our infrastructure, of our government,
of our business academia, business and industry, etc., with the
idea that using investigative steps, which I probably will not
get into here, but trying to stem that, avoid it, prevent it
and get around it, stop it before it actually happens.
It is a huge analytical effort, and that is one whole
aspect that we probably will not talk about today, but that is
one area that we have a lot of effort in.
With respect to when does an individual or a member of a
foreign government step over the line, I would have to say that
it is a case by case situation. You have to really look at the
circumstance, the totality of circumstances involved in each
situation, but what the law does not want us to do, and this is
part of that line, is to say to diplomats and legitimate
government or personal envoys from abroad or from within our
own country that they cannot collect open source information,
economic information that is out there on whether it be the
internet, whether it be libraries, wherever it lies.
So we are not trying to impact or stop that kind of
activity. Where we would like to have an impact and where many
of the 20 cases that have been prosecuted so far have led us is
where a foreign or a domestic, a foreign or a non-foreign,
entity is attempting to rip away some element of our economic
competitiveness, generally speaking, in the business world
here, in the business industry.
Mr. Manzullo. Can you----
Ms. Horan. I am sorry.
Mr. Manzullo. In the context of that answer, can you give
us an example of someone who you have prosecuted----
Ms. Horan. Sure.
Mr. Manzullo [continuing]. That is a matter of open record?
Ms. Horan. Sure.
Mr. Manzullo. Thank you.
Ms. Horan. As I say, there are 20. I will--probably the
most widely known one and one that you may be aware of is the
Bristol-Myers Squibb Taxol case, which was resolved a couple of
years ago, Taxol being a very, very popular cancer fighting
drug, and it was the subject of theft from a Taiwanese company
who sent employees here to attempt to steal that. We prevented
that thankfully. They went through the court process and
arrests were made, and it was prosecuted successfully.
That is one of them, but let me, I think, to give you an
idea, I will just quickly tell you some of the--and this goes
to a comment that I made that it need not--our prosecutions and
our interests need not be only in cutting edge, dual use
technology, sensitive, proprietary information, but can be non-
high tech. I do not think you were here for this part; non-high
tech issues, trade secret issues that we are very interested
in, too.
For instance, the Joy Mining Machining Company in
Pittsburgh, PA. Technical coal mining equipment was being
targeted. Deloitte & Touche was the victim of one case, and a
proprietary software program was targeted. Gillette Company was
the victim in another case. A new shaving system was the
target.
Mr. Manzullo. How many ways----
Ms. Horan. On and on.
Mr. Manzullo [continuing]. Can you use to cut whiskers?
Ms. Horan. Well, they evidently had a new one. I do not
know what it was.
Mr. Manzullo. I do not want to use the word watchdog, but
obviously you got involved at a point where the company owning
the patent or the trade secret had some kind of an indication
that somebody was trying to steal it?
Ms. Horan. That is correct.
Mr. Manzullo. That would be the normal way?
Ms. Horan. It can be two ways. Either they detect this,
which is frequently the case, or we get information that
something is amiss.
This brings up an interesting point. I am glad you made
that point that companies are sometimes reluctant to come to
the Federal Government and the Federal Bureau of Investigation
for these kinds of investigations, No. 1, because they are
largely ignorant of how we do them, and we are trying to
successfully overcome that by an education program, but they do
not want their trade secrets to be aired. They do not want
their shareholders to know there are problems in the company.
These kinds of bottom line issues are very difficult to
overcome when a company comes and finds out information like
this.
Just this very morning we were in contact with one of the
major oil companies in the United States who phoned in and
wanted--the director of security phoned in and said look, we
found that we have information that someone is trying to steal
XYZ from us, and I am going to make a presentation--I am the
director of security--to the CEO about whether we should
involve the FBI or not, so these kinds of problems are plaguing
us right now because it is a new law and people do not know,
but we think we will overcome this as time goes on hopefully
with some good, high level, highly publicized deterrent
factors.
Mr. Manzullo. This is a good segue to these questions that
the Chairlady had circled, which I will ask now.
One of the witnesses on the second panel will state that
since the value of trade secrets is not well established,
safeguarding efforts are often given lower priority when
limited resources are allocated. The question here is do you
agree with this assessment?
Is there a wide gap between the value of lost assets and
resources allocated to investigation, enforcement, prosecution
of economic espionage? How do you establish a clear value for
the assets? This goes right to the heart of your work at the
FBI, does it not?
Ms. Horan. It does.
Mr. Manzullo. It is obviously high priority for you because
this is your mission, is it not?
Ms. Horan. Pardon me, please. Yes, it is a high priority
for us and will continue to be one I think in the coming years
because of the escalating costs that it is----
Mr. Manzullo. And you focus your career almost entirely on
this, is that correct, in the FBI?
Ms. Horan. Me myself?
Mr. Manzullo. Yes.
Ms. Horan. Personally? It is one of the responsibilities. I
am in charge of counterintelligence for the Bureau, so this
would be one aspect of it----
Mr. Manzullo. OK.
Ms. Horan [continuing]. But certainly one growing and very
important one, but I would say to you in answer to your comment
there that if you go out to major corporations in the United
States and look at their security departments, you are going to
find that generally, generally speaking, the heads of the
security departments are not first line executive, and by that
I mean it is not a particular company's first mission,
security.
Mr. Manzullo. They are not trained in it?
Ms. Horan. Well, Delta Airlines take for instance. Their
mission is to fly planes. The director of security at Delta
Airlines, and this is multiplied across the country, is a drain
on company resources because that person wants to say,
``listen, in order to prevent bombs from going on the plane, in
order to prevent luggage from being stolen, in order to prevent
our executives from being kidnapped, this is what I need. This
is how much money I need.''
They are not, generally speaking, welcomed, euphemistically
speaking. Not literally, but they are not always the most
favorite person at the party, so to speak, so again it is an
education process.
Mr. Manzullo. Do you mean within the company?
Ms. Horan. Exactly right, so resources, and I think this is
what you were getting at. Resources in private industry devoted
to security issues are much less than probably they should be
in many instances.
Mr. Manzullo. I do not know if this question was aimed at
the belief that there is a low priority within the FBI or
within the company itself. That is why I said----
Ms. Horan. Not a low priority with us.
Mr. Manzullo [continuing]. Based upon your testimony----
Ms. Horan. No.
Mr. Manzullo [continuing]. I do not think it is a low
priority.
Ms. Horan. Not at all, no, but my response was to private
industry.
Mr. Manzullo. Do you think the big problem is that there is
so much snooping going on that people just cannot fathom the
sophisticated means of doing it and the extent to which people
would actually steal the product, their patent or something
like that?
Ms. Horan. Yes. I do not think people expect it.
Mr. Manzullo. And they get blindsided?
Ms. Horan. That is exactly right. Some of the methods used
to do this are fairly innocuous and not geared toward raising
anyone's hackles unless you happen to be a security person or
an investigator or something who is well schooled in this
spotting and assessing, for instance, an individual in a
company who might be near to a particular technology, getting
to know that person, building up a relationship. These are some
of the methods that are used.
Additionally, what you see more and more are unsolicited
requests to businesses from--either domestically or
internationally in which hundreds of thousands of E-mails are
sent around the world asking for particular information from,
you know, someone who is interested in getting it.
It is an information gathering technique that a foreign
entity can use to just send to all our countries--pardon me.
All companies that deal with a particular technology that they
are involved in. So they send out 1,000 E-mails. They may get
back two, but they are getting back information very cheaply.
Mr. Manzullo. Do you mean just enough to know that somebody
has something there that they want?
Ms. Horan. Oh, yes. Yes. Visits to U.S. facilities, the
visitor programs, DOD, DOE, NASA. All these government entities
and quasi government entities have hundreds of thousands of
visitors who come to their doors each year on legitimate
business, but they are also collectors, and they bring that
back to their home country.
Is that something that we should be concerned about? I
would say absolutely.
Mr. Manzullo. Los Alamos?
Ms. Horan. Los Alamos is an extremely good example.
Mr. Manzullo. Do you or people that work under you at the
FBI put on seminars for companies on----
Ms. Horan. Yes.
Mr. Manzullo. Do you do seminars like that? The biggest
city in the congressional district I represent has over 1,500
industries.
Ms. Horan. What is that city, sir?
Mr. Manzullo. Rockford, IL.
Ms. Horan. Oh, yes.
Mr. Manzullo. It serves some aerospace fasteners. Of
course, it is anything that is kept secret, so I am sitting
here thinking that perhaps you or somebody might be interested
in having a seminar on how to keep your secrets from being
stolen.
Ms. Horan. Well, our Chicago field office would have what
is called, as all field offices have, an answer program.
Mr. Manzullo. OK. I really appreciate your coming here. I
did not hear your testimony, and I am sorry, but I will read
that.
We will be in contact with your Chicago office to see if
the chambers perhaps would have, even if it is a half dozen
industries. Would that be sufficient to have an agent come out?
Ms. Horan. One industry would be enough.
Mr. Manzullo. One industry?
Ms. Horan. We do them to 1 or 200. It does not matter.
Mr. Manzullo. Fine. Thank you for coming.
Ms. Horan. You are very welcome, sir.
Mr. Manzullo. I really appreciate it. I am sorry about the
interruption with the bells, but----
Ms. Horan. Not at all. Very understandable.
Mr. Manzullo [continuing]. We live by this. Thanks again.
Ms. Horan. Thank you for your attention.
Mr. Manzullo. If we could impanel the second panel? If we
could impanel the second panel before the bell starts again,
and I guess it is obvious that they are not interested in
televising your testimony, so I hope you do not feel too badly
about that.
To complement the expertise of our first witness, we would
like to introduce three gentlemen who not only understand this
issue, but have dedicated a significant amount of their
professional lives to dealing with this problem.
First, Dan Swartwood, corporate information security
manager with Compaq Computer Corporation and primary author of
``Trends in Intellectual Property Loss Survey Report.'' Dan is
a retired U.S. Army counterintelligence officer and
contributing consultant to an independent assessment of the
White House security program for U.S. Secret Service.
He is a 14-year member of the American Society for
Industrial Security, an 8-year member of a standing committee
on safeguarding proprietary information and an avid reader of
James Bond novels.
I threw that in. Next, I would like to introduce Scott
Charney, a partner with PricewaterhouseCoopers. Scott is a
former chief of the Computer Crime and Intellectual Property
Section, Criminal Division, at the Department of Justice. Under
his watch, his division investigated and prosecuted cases of
national and international computer hacking, cases of economic
espionage and violations of Federal criminal copyright and
trademark laws.
A former U.S. Attorney and Assistant District Attorney,
Scott is a published author who has written widely on the
subject of protection of proprietary information.
Finally, I would like to introduce Mr. Austin McGuigan, a
senior partner--is that correct?
Mr. McGuigan. Correct, sir.
Mr. Manzullo. That is an Irish name like Manzullo.
A senior partner at Rome, McGuigan and Sabanosh. He is a
former Chief State's Attorney for the State of Connecticut, as
well as a former adjunct professor at the University of New
Haven. He is the co-author of a number of articles, including
``How to Use the Economic Espionage Act to Protect Your
Corporate Assets.''
Well, this is pretty impressive. Dan, we will start with
you. I am going to put on a 5-minute clock here and try to
stick to it a little bit generally.
Mr. Swartwood. I will make every effort.
Mr. Manzullo. This is pretty sophisticated. I do not know
if I can operate it.
OK. Go ahead.
STATEMENT OF DAN SWARTWOOD, CORPORATE INFORMATION SECURITY
MANAGER, COMPAQ COMPUTER CORPORATION, AND CO-AUTHOR OF TRENDS
IN INTELLECTUAL PROPERTY LOSS SURVEY REPORT
Mr. Swartwood. Mr. Chairman, I want to thank you for the
opportunity to discuss a topic that often is addressed only as
a subplot in movies and occasional sensational headlines.
Mr. Manzullo. And James Bond novels.
Mr. Swartwood. That topic is economic espionage and its
impact on American competitiveness.
For over 20 years, I have worked in a variety of government
and civilian positions that have helped qualify me to discuss
this topic. I have also been actively involved, as mentioned,
in the American Society for Industrial Security international
survey efforts to assess the impact of intellectual property
loss for almost 10 years.
These surveys have continued to indicate that the issue of
intellectual property loss is growing in both scope and impact.
As mentioned, the 1999 survey mentioned that direct revenue
losses were estimated to be as high as $45 billion and there
were almost 1,000 incidents of loss reported by 45 companies
alone.
For the last 5 years I have been the corporate information
security manager at Compaq Computer, and during that time
Compaq has grown into the 20th largest American corporation and
75th largest in the world. Compaq's work force globally exceeds
100,000 people, and we, along with other major corporations,
face the challenge of information loss.
I mentioned earlier that this topic tends to make the
headlines. Unfortunately, there was just a major incident this
week. On Monday, it was widely reported that part of the
Western Union website had been cracked, and 15,000 users'
credit card information had been stolen. From my perspective,
the interesting aspect is how this theft occurred.
It was reported that the site administrators, while
conducting routine maintenance, had removed security measures
protecting the site. This is anecdotal, but does support the
premise discussed in my prepared statement, which is the
majority of corporate information loss occurred because of one
of three causes.
One, a lack of training for and mistakes made by authorized
members of your work force. Two, the failure on the part of
administrators to implement and maintain security measures,
and, three, disgruntled and/or disaffected individuals working
in your corporation. These issues can cause up to 85 percent of
all corporate information loss.
A primary consideration determining how this issue is
addressed in any corporation is the priority that senior
management gives it. In any corporation, there are a myriad of
competing priorities on a constant basis. Security issues tend
to be addressed as a reaction to unfortunate events. The lack
of adequate security and training resources can create an
environment where the question is not if losses will occur. The
question is when they will occur.
The surveys indicate that less than 3 percent of all IT and
security dollars are spent protecting or safeguarding
electronic or hard copy proprietary information. The vast
majority of these dollars are spent on physical and electronic
measures designed to keep outsiders from penetrating corporate
spaces or networks. These are absolutely essential measures in
any corporation, but it must be noted, however, that they do
little to protect information from either the untrained or
disgruntled insider.
Few American corporations have the resources to deal with
economic espionage sponsored by either nations or foreign
corporations. The Federal Bureau of Investigation and Justice
Department are actively building a capability to investigate
such activities, and we welcome the interest and efforts they
have made to address economic and industrial espionage.
Corporate espionage, defined as outsiders penetrating
corporate offices or networks, does occur and can be very
damaging, but because of my experience and results of the four
nationwide surveys on intellectual property loss I have been a
part of, I feel that it is an issue to be addressed, but is not
the primary concern of corporate America.
Because the threat to business information is not primarily
foreign or caused by outsiders does not make it less real or
less destructive. When a corporation is denied the full benefit
of their trade secret or innovations, their business suffers,
and our economy is weakened.
For the last 4 years, the Federal Government has been
instrumental in engaging corporate America on the issue of
infrastructure protection. These efforts are designed to
protect information and networks of several critical
infrastructure industries. A similar engagement addressing the
larger issue of intellectual property loss might cause similar
improvements in how corporations view this issue and improve
our competitiveness in the global marketplace.
I want to thank you for the opportunity to address you
today and would be pleased to answer any questions you might
have after the speakers are done.
[The prepared statement of Mr. Swartwood appears in the
appendix.]
Ms. Ros-Lehtinen [presiding]. Thank you so much.
Mr. Charney.
STATEMENT OF SCOTT CHARNEY, PARTNER, PRICEWATERHOUSECOOPERS
Mr. Charney. Thank you, Madam Chairperson. Being mindful of
Mr. Menendez's comments that you have our written testimony and
we should feel a little bit free to deviate, I am going to do
just that.
In my career I have now been both on the government side at
the Justice Department responsible for economic espionage, and
now at PricewaterhouseCoopers I have clients that want economic
espionage or hacking cases investigated.
Building on what was said before when the FBI was present,
there is certainly a reluctance by some industry members to go
to law enforcement. That has to do with several reasons, but
the biggest one I see is that for a private victim if they go
to the government they lose control over the case.
That is, as a private company that is being victimized they
can control the investigation, decide how many resources to put
toward it and call it quits if they choose to do so, whereas
when you report it to law enforcement then the subpoenas come
and other kinds of compulsory process, and you have to go
forward. Most companies do not want to lose that control.
Having said that, I also want to highlight a few other
points. I mean, it is absolutely clear that digital information
is great property of value in the information age. I remember
many years ago, as far back as 1992, a reporter was asking
Europeans about the fall of the Soviet Union and what it meant
that the United States was the world's sole superpower.
The response of most Europeans was in the new economy it is
not military power, but economic power that is going to rule,
and so if Willy Sutton says I go to banks because that is where
the money is, then competitors are going to say we are going to
computers because that is where the digital resource is.
If you look at the surveys that have come out that have
been referenced in almost all the testimony, both the American
Society for Industrial Security [ASIS] and surveys by the
Computer Security Institute, it is clear that the losses are
mounting. The number of cases is increasing.
In the Computer Security Institute survey, for example,
about 20 percent of the respondents out of 585 said that they
were victims of trade secret information theft, and in terms of
sheer dollar losses the survey found that the most serious
losses from all the types of criminal activity listed from
hacking to other kinds of abuse, the theft of trade secret
information was the most expensive crime for U.S. businesses
with 66 respondents reporting over $66 million in losses.
I would point out, too, that these surveys probably
represent only the tip of the iceberg because most computer
crime is neither detected nor reported, so to the extent that
people are stealing data from computer systems that is
valuable, it is probably not detected.
The reason for that is the nature of electronic theft. If I
steal your car you know because it is gone, but if I steal your
customer list or a design plan, you still have it and so unless
you have detected that abuse you will not know that I have it,
and you will remain comfortable.
To show just how bad that is, one of the difficulties has
always been that when you have a supposition, such as most
computer crimes are neither detected nor reported, how do you
prove what you do not know? The answer is you do a controlled
study.
The Defense Department did just that. They attacked 38,000
of their own machines. They penetrated security 24,700 times or
65 percent. Then they went to the system administrators and
said OK, how many intrusions have you detected, and their
answer was 988, only 4 percent. Then they went to DISA, the
Defense Information Systems Agency, and said how many reports
have you gotten, and the answer was 267 or 27 percent, so it is
absolutely clear that most of these crimes are probably not
detected in the first instance, and then they are not reported
to anyone.
I would like to conclude by focusing particularly on the
international aspects of this problem, and I think that there
are some critical questions that the committee needs to think
about when thinking about international economic espionage in
particular. The first is what actually constitutes
international espionage in the new world order. Is Chrysler an
American company or a foreign company?
With all the globalization of businesses, to the extent
laws and governments are concerned, as rightly they should be,
about allegiances and whether this is foreign or domestic, I
think that line is getting increasingly blurry. It is hard to
tell. That is one problem.
The second problem is with the growth of the internet,
particularly with now approximately 165 countries connected, it
is going to be increasingly difficult to identify the
perpetrators of these crimes. The reason for that is the
internet has global connectivity. Hackers have shown the
ability to weave between countries to hide their tracks.
In addition to that, there is no authentication or
traceability on the internet, which means if you know your
machines are being attacked and people are taking sensitive
data, it is extremely, extremely hard to find the source.
[The prepared statement of Mr. Charney appears in the
appendix.]
Ms. Ros-Lehtinen. Thank you, Mr. Charney.
Mr. McGuigan.
Mr. McGuigan. McGuigan.
Ms. Ros-Lehtinen. McGuigan. Close enough.
Mr. McGuigan. Thank you, Madam Chairperson. McGuigan.
Ms. Ros-Lehtinen. All right. All right.
Mr. McGuigan. Thank you, Madam Chairperson.
Ms. Ros-Lehtinen. Congresswoman Johnson and Congressman
Shays send their best to you. I saw them there on the Floor.
Actually, they asked me to ask you really hard questions.
Mr. McGuigan. I understand at least from Congressman Shays
why he would say that.
STATEMENT OF AUSTIN J. McGUIGAN, SENIOR PARTNER, ROME, McGUIGAN
AND SABANOSH, P.C. AND CO-AUTHOR OF HOW TO USE THE ECONOMIC
ESPIONAGE ACT TO PROTECT YOUR CORPORATE ASSETS
Mr. McGuigan. A little bit about my background. I was the
chief prosecutor in Connecticut from 1977 to 1985. For 4 years
I was chief of the organized crime task force, and prior to
that I had 3 years as a special agent in military intelligence.
For the last 11 years, I have been a plaintiff in many
uniform trade secret actions throughout the United States, at
least eight or nine states, so I come from this both as a
government prosecutor and as an attorney who is prosecuting the
cases.
I have written a number of articles about the Economic
Espionage Act. I assume that everybody agrees that America's
technological prowess is its real capital and that the reason
for federalizing this area of criminal activity was that we
needed that type of protection and expected results.
I would suggest to the Committee that there has been a
disquieting dichotomy between the numbers that have been
provided on estimated losses, $45 billion in 1999, $24 billion
in another study, and I have cited these studies from time to
time in the absence of cases.
Twenty cases, I think only nine of which resulted in any
incarceration, not significant fines, not a single case under
1831 which deals with foreign entities, and truly if you call
it the Economic Espionage Act it seemed it was in the first
instance directed at foreign espionage.
There is not a single case that has been developed that
deals with foreign espionage of all the 20 cases that are
cited, one of which I believe was dismissed, so that when one
looks at the record against the alleged losses, one must ask
why? What is going on? Of course, the reasons are people are
learning how to do these cases, etc.
Understandably, the Attorney General agreed to limit the
number of cases to 50 in the first 5 years, but at this point
it does not look like they are going to challenge the agreed
upon limitation so that the number of cases reflects and the
types of cases that have been taken reflects that so far
whatever the allocation of resources, and I do not know what
the government has allocated for resources under the Economic
Espionage Act, but it does not seem to be returning the kind of
bang for the buck that one might expect.
As normally not a fan of the federalization of criminal
law, recognizing as a former chief state prosecutor that many
of the federalizations of crimes does not exactly enhance the
law enforcement activities, but, in any event, this law I felt
was a law that was needed.
It was needed because this was truly a national/
international problem, but I could say this. I would doubt
there is any significant deterrent effect that has come out of
the passage of this Act in the last 4 years. The number of
cases simply would not augur that people are living in fear of
being caught stealing trade secrets.
I have suggested in the material prepared for the Committee
that at this point it would be something to seriously consider
creating a private cause of action for individuals and
companies under the Economic Espionage Act. The Uniform Trade
Secret Act is presently in force in 38 states, and I believe
that almost every state has common law trade secret, which
would be equivalent to the Uniform Trade Secret Act, so there
are trade secret causes of action in all the states.
The question is why federalize? Federalizing would direct
court power in three areas in which it is needed. One is in the
enforcement of injunctions. Let me explain, having had a number
of these cases. If one is to get an injunction in say the State
of Connecticut against an individual who has misappropriated
trade secrets and that individual moves to Montana, enforcing
that injunction in Montana is not as simple as one would think
so that we have to discuss with companies the fact that unless
we are lucky enough to have diversity, which allows us to have
Federal jurisdiction, when we have injunctive power of the
Court we may have problems getting enforcement in a foreign
jurisdiction.
Second, I think it would provide for much easier discovery,
and discovery in uniform trade secret cases, and I take
economic espionage cases through investigation, is absolutely
essential, so I would suggest that for that reason a Federal
cause of action is warranted.
The third is executing of judgments, execution of judgments
when people leave states. Although we have uniform execution, a
judgment is simply not that simple. If one is trying to seize
assets, once one has a Federal judgment they are in much better
shape in trying to enforce it.
The fourth reason. I would suggest that when and if someone
considers a cause of action that they consider having some type
of pre-suit discovery orders. In other words, one of the
problems in developing these cases, while one realizes in a
company that the technology has been taken to a different
company because they have developed something and show no
pattern of having worked on it, one is not able to file an
action based on the fact that they must have stolen it, so I
would suggest that similar to the Copyright Act, and I have put
it in my prepared remarks, that you consider some type of pre-
suit discovery.
The conclusion is that given the paucity of prosecutions
that you have, that while criminalization of economic espionage
may have provided some merit, the real battle is going to have
to be fought by the people who are losing technology. The
people who are suffering the losses are going to have to
finance the war through private causes of action, and that, I
suggest, would give us better deterrent effect and better
protect America's technological prowess.
Thank you.
[The prepared statement of Mr. McGuigan appears in the
appendix.]
Ms. Ros-Lehtinen. Thank you. Those are very good
recommendations.
Following up on improvements that we could make to the
Economic Espionage Act, and I would like to ask all three
panelists. The Act allows for a protective order preserving the
confidentiality of a trade secret only if the prosecution
requests it.
Does this afford, do you believe, sufficient protection
against disclosure during legal proceedings? How would you
propose that this section of the law be improved?
Mr. McGuigan. Well, I would say, and it was pointed out,
that companies are afraid they lose control over cases when
they have the government prosecuting a case and are afraid that
their trade secret will be disclosed in the case itself so that
they may in effect win the battle and lose the war.
I would suggest that the law be amended so that companies--
the government is required to seek the input of the company,
and if a company is forced to give up the very thing for which
it was trying in the first instance to protect in order to
proceed with the prosecution, it should have a say in having
the prosecution stopped, similar to when the government decides
that giving up an intelligence informant, they do not wish to
go further with the case.
Ms. Ros-Lehtinen. Thank you.
Mr. Charney.
Mr. McGuigan. I believe Mr. Charney had also----
Mr. Charney. Yes. From my days as chief of the computer
crime section, we grappled with this problem. You have to look
at this a bit logically, though.
If the trade secret has already been stolen, the defendant
has it. If the trade secret has not been stolen or has been
stolen and not yet used as far as you can tell and you want to
prohibit its introduction in court, there is a problem with the
sixth amendment because under the right of confrontation and
the right to challenge the government's evidence, he has a
right to challenge the trade secret.
I will tell you that we had a case where we charged
attempted theft of a trade secret. The defense asked for the
trade secret, and we took it up, and we won on the theory that
since the defendant was only charged with attempt, whether it
was actually a trade secret was irrelevant, and, therefore,
there was no need to disclose it.
The Appellate Court agreed and so we did not have to
disclose it, but I would just caution the Subcommittee that if
you are looking at that issue, remember that to some extent the
defendant has a right to see what he has been accused of
stealing for purposes of litigating for his defense.
Ms. Ros-Lehtinen. Thank you.
Do you have anything to add? Thank you, Mr. Swartwood.
Mr. Swartwood. I would comment that as the only person on
this panel that actually works in a corporation, this is a very
difficult issue. Often not only is it very difficult to make a
determination that you have lost something, but then after you
have made that determination or you feel you are comfortable
that that has occurred, getting that information pushed up into
the management of the organization and having a reaction, a
positive reaction to that, is also somewhat problematic.
It is very difficult with all the concerns that major
corporations have unless you are talking about some absolutely
seminal piece of information or something that is considered so
super critical. It is very difficult sometimes to get any mind
space with the senior management to address these issues in any
constructive way.
Ms. Ros-Lehtinen. Thank you.
I wanted to ask about the territorial scope of the law
relating to conduct occurring outside of the United States.
Some suggest that there are problems with it. They suggest that
the measure ought to be whether the espionage act committed
overseas had a substantial effect within the United States.
Would you disagree or agree with that recommendation, and
how would you define substantial effect?
Mr. Charney. I think it is a difficult issue. The law
already has some extra territorial provisions, as you know, and
also when there is any conduct in the United States you get
venue in the United States and so I guess my question would be
are we looking at cases, for example, where a foreign company
steals a secret in that country, but it somehow has an impact
upon the United States.
I think if the United States were to exercise jurisdiction
in those kinds of cases we would probably get resistance from
foreign states about the reach of our law--if that is the
scenario we are thinking about.
If, for example, a French company took data from IBM in
France and because IBM is an American company we said well,
that has an impact on IBM's corporate profits and earnings, I
think we would get resistance. That is just my sense.
Ms. Ros-Lehtinen. Austin.
Mr. McGuigan. I do not know whose proposition this is a
problem because I know of no case under 1831 that has even been
attempted, and I cannot comment on whether or not there is a
stumbling block because I simply do not see it as a stumbling
block, and I have not seen a case where someone has planned out
how it could become a stumbling block. I do not know what
testimony there is to that effect. I do not know.
Ms. Ros-Lehtinen. OK. Does the prospect of litigation, the
threat of litigation or prosecution serve as a true deterrent
for corporate spies? Are the fines that are levied under this
Act, the Economic Espionage Act, a true deterrent? How can
industrial espionage be made less appealing? Do you think more
prosecution or heavier fines would serve as deterrents?
For example, should violator companies be sanctioned
internationally whereby they cannot reap any benefits from the
stolen information? Should the United States impose duties on
products from such companies or impose other import or export
restrictions? What steps can be taken?
Mr. McGuigan. The fine so far, and I hate to keep taking
the table. The fine so far is simply in looking through I
provided a table of all the cases.
Ms. Ros-Lehtinen. Yes. We have it. Thank you.
Mr. McGuigan. Simply no one could suggest that the types of
fines that have been proposed could act as a deterrent----
Ms. Ros-Lehtinen. Correct.
Mr. McGuigan [continuing]. If the problem is $45 billion.
It is simply not--it does not make any sense.
The only large fine is really a restitution I believe that
is in the Gillette case where the gentleman sold, I believe,
the new design for the Mach III razor before it came out. I
believe it has something to do with that, but that is the only
large one, and that is really a restitution so there does not
seem to be any fines.
I would think that the threat of incarceration is more
serious for corporations than money, and putting individuals in
jail is the best deterrent.
Mr. Manzullo. Yes, but they do not give you razors in jail.
Mr. McGuigan. I understand that, but I think that----
Ms. Ros-Lehtinen. Not the Mach III anyway.
Mr. McGuigan [continuing]. Incarceration is a much better
deterrent. For foreign companies obviously, fines are going to
have to be more seriously considered, substantial ones, because
incarceration is not real.
Ms. Ros-Lehtinen. Thank you.
Mr. Swartwood.
Mr. Swartwood. I think another consideration is that it
would be difficult I think to try to prove that something was
taken with the full knowledge and agreement of say the CEO of
any major corporation.
My experience in information loss indicates that even the
perpetrators of such crimes for the most part are acting as
individuals and not acting necessarily at the behest of another
corporation. They are doing it for their own personal reasons.
They are doing it for either personal gain or for some type of
retribution, etc., and once again I am talking mostly on the
insiders.
In external situations, my feeling is that even when
corporations, if they were involved, it would be at a level of
the corporation that would not necessarily be considered
corporate. I mean, you might have someone in a division trying
to get a short-term gain in an area, and so, I mean, I think
proving that it would be a corporate level issue could be very
difficult, especially in a criminal venue.
Ms. Ros-Lehtinen. Yes?
Mr. McGuigan. I think my experience has been the opposite.
In many of the cases I have taken, upper management has been
involved in the misappropriation, and it has been my experience
in the criminal law that when one prosecutes low level
individuals they are able to get those individuals to give up
the names of the people otherwise involved.
So absent again incarceration and seriously doing that, I
do not see how you are going to get to the bottom of who in the
company is involved.
Ms. Ros-Lehtinen. Thank you.
Mr. Manzullo.
Mr. Manzullo. This is very fascinating. I see two roads
here. Maybe I am wrong, and you can correct me-- one is an
inference that says because there have been only 18
prosecutions, the FBI or Department of Justice is not
sufficiently and aggressively prosecuting these types of cases.
Then, on the other hand there is this natural reticence of the
companies. They would rather take the hit than give a Federal
agent the opportunity to take a peek at the secret.
The testimony of the Assistant Director was pretty obvious
that they have to struggle with companies. She said she would
put on a seminar for one company just to be able to peak their
level of inquiry that the FBI is indeed interested.
Did you want to comment on that, Mr. McGuigan, because you
seem to draw the----
Mr. McGuigan. We in Connecticut have incarcerated at state
court individuals. There are no Federal prosecutions in
Connecticut, but have had the local gendarmerie prosecute
individuals and actually incarcerate individuals for
misappropriation of propriety drawings from one of our
companies.
I think that the reasons for the dichotomy I think need to
be explored between the losses and the lack of cases, but,
second, I think that it should be longer incarceration because
summarily dealing with some people is an object lesson for
others.
What I am saying is that when you have a case I think you
have to prosecute it very, very vigorously, and you have to--
when you get substantial time, you will find out who else is
involved, and that can have a salutary effect on a number of
other individuals contemplating similar conduct.
Mr. Manzullo. Yes?
Mr. Charney. I would just like to build on this question a
moment because when I was chief of the computer crime section,
I can tell you that prosecutors salivate over cases like these.
You know, the first case out of the box was the Four
Pillars case, which went to trial. We convicted the president
of a corporation from Taiwan for stealing secrets from Avery
Dennison. These are good cases with sex appeal. That is not the
problem.
If you look at the Computer Security Institute's surveys,
however, they have done surveys on computer crime from 1996 to
the year 2000, and in the year 2000 survey what they said was
one of the most remarkable statistics on computer crime--not
just trade secrets, but computer crime--was the rapid increase
in the number of companies willing to report to law
enforcement. It had gone all the way up to 32 percent.
You know, one victim out of three was now willing to report
to law enforcement, up from 17 percent the year before, so if
you have between one and two, you know, in every 100 cases you
have roughly 17 reported. That is not a very high statistic.
I think there is a lot of difficulty within the corporate
environment in making the determination about whether you
handle this civilly, whether you cut your losses, remediate and
get your business up and running again and seek damages through
civil action or whether you go to law enforcement.
That is a tough call because when you go to law enforcement
you get far more publicity than you might want. Then you have
to worry about shareholders and investors and public relations.
Mr. Manzullo. Loss of confidence.
Mr. Charney. Loss of confidence. It is a hard call for a
CEO whose primary responsibility is to protect the assets of
the corporation and not to----
Mr. Manzullo. Especially in light of the fact that the
penalties are so minimal. That goes back to what you were
saying. Do companies then opt for civil action, or do they just
take it on the chin?
Mr. Charney. No. I am actually now on the private side, and
the cases that we have been investigating for companies is for
civil suit purposes, not to go to law enforcement.
Mr. Manzullo. Are these very difficult cases to try and
prove?
Mr. Charney. Like everything else, it is so dependent on
the evidence. I mean, the Four Pillars case we had someone in
the company who was being paid off. We flipped him. We put him
in a hotel room. We had a camera. The president of the foreign
company was going to see the Forest Hills tennis tournament. We
had him stop off in the hotel room, and he traded documents for
money.
The best part of the case, the documents actually said
Confidential, and he took scissors and told our informant to
cut out the word Confidential and throw it away where it would
not be found.
That is a great case to try, but in most cases it is far
more difficult, especially electronic cases because it is very
hard to trace back to the source, and even if you can trace
back to the source machine, it does not tell you who is the
person sitting at the keyboard. If that machine is in another
country, now you have to figure out if that country has similar
laws.
Mr. Manzullo. We just had that. Was it Indonesia where
the----
Mr. Swartwood. Philippines.
Mr. Manzullo. In the Philippines. That shows obviously a
lack of legal coverage, but only a Philippine law could apply
there.
Mr. Charney. That is correct. In fact, there are groups.
There are three international organizations looking at some of
these issues. One is the G8, and I used to chair the G8
subgroup of high tech crime, one is the United Nations, and the
other is the Council of Europe.
There is a push internationally to harmonize criminal laws
in the new economy area, but it is slow. It takes a lot of
work. Many countries do not quite see the threat. Indeed, we
have only been waking up to it.
Mr. Manzullo. Where do you draw the line? When I asked the
Assistant Director, at what point does something become
espionage? You earnestly recruit people that are with other
companies. That goes on all the time. At what point do you
cross the line? At what point is a crime committed?
Mr. Charney. I mean, generally we would look at the
statutory elements first and foremost, and then I hate to say
this, but it is a little like paraphrasing Potter Stewart on
obscenity, which is I know it when I see it.
Most of the cases that were brought to our attention were
egregious cases where, for example, people, companies, will not
come to law enforcement and report we had an employee. He got
hired away by another company. We want you to go investigate.
In fact, the government would probably say that is a
perfect civil suit, not a criminal one, because you are in a
situation where there is going to be a lot of dispute over the
facts, a lot of questions about whether it is an employment
dispute or----
Mr. Manzullo. Scott, let me followup on that. If you have
an individual that works for one company and is hired away by a
competitor, how much of his mind has to stop?
Mr. Charney. Well, the answer is it does not. I mean,
general knowledge does not have to stop, but specific does. In
fact, I have seen cases where individuals who have created
proprietary information then go to another company and recreate
proprietary information.
I can tell you in those cases companies are looking at
civil suits over that issue. They think that crosses the line
because the second company is producing now the same unique
product that the first company had and gave them a competitive
edge in the market.
Mr. McGuigan. Generally you have a non-disclosure agreement
in the first place with any high level employee creating that
type of information so if he breaches the contract in the first
instance.
Mr. Manzullo. A non-competitive agreement.
Mr. McGuigan. Second, if he were claiming it was simply in
his head, in many cases now there is what is known as
inevitable disclosure. He is inevitably using the proprietary
data that he got in the first instance to develop the data for
another company, so those cases are prosecuted civilly.
I have been involved in them. I had someone who developed
software for machinery and then when to work for another
company 5 years later and developed the same software. We
successfully sued them and prevented them from doing that.
Even though he claimed he did not take any of the
information with him when he left, he had the process by which
the flow charts for the computer software, which allowed him to
essentially create it.
Mr. Manzullo. I have one last question if you do not mind,
regarding the four suggestions that you made. Mr. McGuigan, you
mentioned the fact that there is no subject matter
jurisdiction, that you have to have diversity in order to get
the Act involved.
Mr. McGuigan. Correct. You do not have a Federal Economic
Espionage Act, so you sue in the states. If you were suing a
citizen of another state and you get diversity, you can----
Mr. Manzullo. Do you mean if there is no Federal Act?
Mr. McGuigan. There is no Federal Act now. There is only a
Federal criminal Act.
What I am suggesting is they should make the Economic
Espionage Act and create a civil cause of action under the
Economic Espionage Act and allow the companies to spend the
resources to prosecute the cases because they will do it, and
they will do it when they are confident that they can do it,
and they will no longer be afraid they are going to lose
control of the case and the government is going to----
Mr. Manzullo. So do you think that is one of the problems
is that there is no Federal cause of action?
Mr. McGuigan. I think it is clear to me. I never thought as
a state prosecutor I would be arguing for an expansion of
Federal jurisdiction, but it is clear to me in this particular
case.
Mr. Manzullo. You have come to your senses. OK.
Mr. McGuigan. It is clear to me.
Mr. Manzullo. We are moving with electronic commerce that
moves like that across state lines. That is a little bit
different.
Mr. McGuigan. I have come to the conclusion that creating a
Federal cause of action is really the way to go, and I think
almost everything was pointed out here today.
Mr. Manzullo. Which could be tried in a state court. You
could actually try that case in a state court if the law----
Mr. McGuigan. You should not have preemption. You should
have it you can file a Federal cause of action or a state cause
of action. In other words, you should be allowed to file
either.
I do not think there should be a preemption of state
uniform trade secrets law as has happened in some other areas,
so I am not suggesting that, and I am not talking about it in
expansive approaches in the RICO Act. I am just talking about
creating a cause of action.
Ms. Ros-Lehtinen. Those are good recommendations.
Mr. Manzullo. Yes. I appreciate that very much. Thank you.
Ms. Ros-Lehtinen. I think we will move on that. Thank you
so much for your excellent testimony. We appreciate it, and we
will be checking back with you. I am sure as we move on this,
on these recommendations. Thank you.
The Subcommittee is now adjourned.
[Whereupon, at 3:27 p.m. the Subcommittee was adjourned.]
=======================================================================
A P P E N D I X
September 13, 2000
=======================================================================
[GRAPHIC] [TIFF OMITTED] T8684.001
[GRAPHIC] [TIFF OMITTED] T8684.002
[GRAPHIC] [TIFF OMITTED] T8684.003
[GRAPHIC] [TIFF OMITTED] T8684.004
[GRAPHIC] [TIFF OMITTED] T8684.005
[GRAPHIC] [TIFF OMITTED] T8684.006
[GRAPHIC] [TIFF OMITTED] T8684.007
[GRAPHIC] [TIFF OMITTED] T8684.008
[GRAPHIC] [TIFF OMITTED] T8684.009
[GRAPHIC] [TIFF OMITTED] T8684.010
[GRAPHIC] [TIFF OMITTED] T8684.011
[GRAPHIC] [TIFF OMITTED] T8684.012
[GRAPHIC] [TIFF OMITTED] T8684.013
[GRAPHIC] [TIFF OMITTED] T8684.014
[GRAPHIC] [TIFF OMITTED] T8684.015
[GRAPHIC] [TIFF OMITTED] T8684.016
[GRAPHIC] [TIFF OMITTED] T8684.017
[GRAPHIC] [TIFF OMITTED] T8684.018
[GRAPHIC] [TIFF OMITTED] T8684.019
[GRAPHIC] [TIFF OMITTED] T8684.020
[GRAPHIC] [TIFF OMITTED] T8684.021
[GRAPHIC] [TIFF OMITTED] T8684.022
[GRAPHIC] [TIFF OMITTED] T8684.023
[GRAPHIC] [TIFF OMITTED] T8684.024
[GRAPHIC] [TIFF OMITTED] T8684.025
[GRAPHIC] [TIFF OMITTED] T8684.026
[GRAPHIC] [TIFF OMITTED] T8684.027
[GRAPHIC] [TIFF OMITTED] T8684.028
[GRAPHIC] [TIFF OMITTED] T8684.029
[GRAPHIC] [TIFF OMITTED] T8684.030
[GRAPHIC] [TIFF OMITTED] T8684.031
[GRAPHIC] [TIFF OMITTED] T8684.032
[GRAPHIC] [TIFF OMITTED] T8684.033
