China’s hand caught in the cookie jar

China’s hand in the cookie jar? Nation state or corporate espionage? Some themes change and others stay the same, this theme continues to morph as the China, its state-owned enterprises and conglomerates with ties to the government continue to vacuum up global technologies.

Why? Obtaining the fruits of the labors of other’s research and development via subterfuge and skulduggery is much more cost efficient than conducting principal research directly. China’s efforts over the past 30 years have been extraordinarily effective, some might opine, textbook perfect.

So, how’s China doing? The most recent incident involves Siemens Netherlands.

Siemens is the latest Chinese victim. In early April 2017, Dutch police arrested a 65-year old Siemens Netherlands employee as he was heading to China. The gent’s luggage, workplace and home were searched and physical files and digital storage devices were seized.

Siemens Netherlands confirmed one of its employees was arrested, but declined to identify the employee by name or area of specialization.

The Dutch Public Prosecutor shared, “He is suspected of leaking corporate secrets, including patent rights, to a competitor in China in exchange for money.”

The engineer was an employee within the engineering division, working at the Siemens Netherlands office near Hengelo, within Twente (near the German border). According to the Siemen’s website, the division’s multiple product groups, including smart grid, renewable energy and fossil power generation.

How did Siemen’s discover the insider who had broken trust? Siemens compliance office received a tip via their company-wide whistleblower system. The system allows any Siemen’s employee to provide information on illegal or corrupt activities anonymously.

The Dutch authorities were subsequently alerted by Siemens directly that their intellectual property was being purloined.

The back story on China’s nation state and corporate espionage efforts

In March 2017, Chinese President Xi gave the People’s Liberation Army (PLA) a kick in the pants. According to the official web portal of the PLA, Xi told the PLA, “We must have a greater sense of urgency to push for sci-tech innovation and advancement with greater determination and efforts.” He went on to admonish the PLA to promote military-civilian cooperation and technology adoption and adaption. The Communist Party of China (CPC) Central Committee established a central commission to “integrate military and civilian development.”

As Yogi Berra famously noted, “It’s déjà vu all over again.”

In 1986, China hit the gas on their technology acquisition efforts with their infamous Project-863. The purpose of Project 863, according to the Chinese Ministry of Science and Technology (MOST), was to “meet the global challenges of new technology revolution and competition.” MOST continues, “in order to gain a foothold in the world arena; to strive to achieve breakthroughs in key technical fields that concern the national economic lifeline and national security; and to achieve ‘leap-frog’ development in key high-tech fields”

China’s foot continues to be on the accelerator. 

Security awareness works

Those who have poo-pooed the efficacy of security awareness programs, should take heed.

Siemens did not detect the theft of the intellectual property via sophisticated data loss prevention technologies. They may have used those technologies to verify the employee’s activities, but it was one employee noting something was not quite right and reporting it in an appropriate and actionable manner. Self-policing at its best.

If an employee does not exceed their professional brief, that is their normal and natural access necessary to conduct their duties, it is near impossible to detect their having broken trust with their employer, except through their non-technical behavior, which is observable by colleagues. (Also read: ” 9 tips, tricks and must-haves for security awareness programs.”)

Does one need more evidence of the importance of educating one’s workforce and empowering them to say something when they see something. Make sure your security awareness program includes a clear pathway for your employees/colleagues to report suspicious activity. This may be the most important part of every insider threat program.