Arion N. Pattakos, CPP, OCP
With the demise of the Soviet Union, the dissolution of the Warsaw Pact, the moves towards democratizing those countries, and the unification of Germany, there has been significant re-targeting of foreign intelligence service assets to focus on economic intelligence. Likewise, there has been a significant expansion in the number of firms engaged in business intelligence and competitive analysis using ethical and legal methods as well as some resorting to unethical and even illegal approaches for collecting information. This paper examines the threat to corporate secrets and highlights the legal definition of a trade secret and associated key elements as an initial step toward identifying critical information. It suggests an Operations Security (OPSEC) like process for determining a corporation's counter-competitor posture and the required measures for protecting its trade secrets and other proprietary information. The paper concludes with an outline of the components necessary for establishing an effective and comprehensive corporate information protection program.
The Threat
There is a threat focussed on exploiting corporate secrets. It ranges from the simple to the highly sophisticated. This threat may be looking to capitalize on a corporation's ideas, their technology, and their understanding of the market -- the purpose: to improve their own bottom line. The threat may include foreign governments and their intelligence services. The threat also may include other corporations -- competitors, foreign and domestic -- who want to get ahead legally or, for some of them, to get ahead not so legally. It may also include radical and anti-business activist groups.
There are formal instructional courses which are open to anyone who pays the tuition on how to obtain and analyze information available from public sources. There are "how to" books and a plethora of articles on competitive analysis or competitor intelligence. They provide insights on what might be available on a firm and describe sources to use in searching for that information. These texts include how to: find company intelligence in Federal documents; ...in State documents; ...in libraries; ...on-line. There are newsletters that provide current tips on where to find the latest company intelligence and the suggestions are all perfectly legal. Also, there is a Society of Competitive Intelligence Professionals (SCIP) for further networking and an exchange of ideas on how to ethically gather competitor information of value. Various sources on competitor intelligence and competitive analysis point out the difference between illicit techniques associated with industrial espionage and legal approaches. SCIP subscribes to a rigorous code of ethics. But, others do not have such restraints or reservations.
If a competitor does not want to do the collection and analytical work with corporate employees, there are many firms available for hire that specialize in business intelligence and competitive analysis as well as others called information brokers. There are firms which engage in the burgeoning field of literature intelligence (LITINT). The point is that legally or illegally, morally or immorally, ethically or unethically, there are people literally around the world who are ready, willing and able to take a corporation's competitive edge away, if they are permitted to do so.
There are foreign intelligence services (FIS) looking to capitalize on corporate secrets, especially those of hi-tech firms. U.S. citizens were made well aware of the spy threat during 1985 which was "the year of the spy" that turned the 1980's into the decade of the spy with the arrest of more than 45 people for espionage in that ten year period. These arrests were more than those made in the preceding 40 years and those arrested were not all spying on behalf of the former Soviet Union. The 1990's likely will see more efforts by intelligence services to gather economic intelligence notwithstanding current geo-political changes and the demise of the Soviet Union, the unification of Germany and the reformation of most Eastern European countries. This decade has shifted from a relatively simple bipolar, East vs. West world, to infinitely more complex multipolar relationships. And, during this period, penetrating commercial activities will be high on the FIS target lists of many countries.
The threat, once seen in more clear, unambiguous terms, is rapidly giving way to new arrangements and hence new security concerns. All nations -- new and old -- are, or certainly will be, seeking for themselves some competitive advantage. Economic security is receiving added emphasis with technological development supporting the struggle to modernize or strengthen positions relative to others. Fields of battle increasingly seem to be shifting to board rooms and ministries of trade and commerce.
Clearly the military and political rivalry between what was the Soviet Union is over but does that put their intelligence collection activities out of business? Both William Sessions and Robert Gates, respectively Director of the FBI and the then Director of Central Intelligence, advised that Russian spying was still much in evidence when testifying before the Judiciary Committee (April 1992). A former KGB major who defected to the U.S., Stanislaw Levchenko, in a Washington Times (May 28, 1992) article, warned that while the secret police elements of the former KGB were significantly reduced under Russian President Yeltsin, the overseas espionage arm was not suffering the same consequences. The "elite former First Chief Directorate...did not experience cuts or restructuring," Levchenko said. This independent organization operates as the Russian Foreign Intelligence Service (SVRR) and, according to Levchenko, "for the first time in ...history..., high tech, industrial and economic espionage has become the most important priority...." He advised that "Russian leaders do not have the resources, or the time, to modernize obsolete industries. To survive, they will steal proprietary secrets of foreign countries." Levchenko predicted that other former Soviet republics will conduct their own high-technology intelligence gathering activities with the U.S. as the principal target and they "most assuredly will coordinate their work." Interestingly, International Business (July 1992) reports on a Department of Commerce program which "hopes to place some 300 executives from Russia, Ukraine and other members of the former Soviet Union with U.S. manufacturers over the next few months to learn the fundamentals of capitalism." The interns will spend six months with the participating U.S. company. The Commerce Department is still committed to this program as their newsletter BISNIS Bulletin advises.
Other countries still ideologically hostile to the U.S. also continue to use their intelligence services to pursue their objectives. The People's Republic of China continues to collect commercial and military information targeting as sources, for example, Chinese-American scientists with the plea "please help China modernize."
But the SVRR, the other republics, and nations who are still hostile, are not the only services to be watched. The leadership of both the FBI and the CIA cautioned that we must be concerned with all foreign intelligence services even those that we consider friendly or allied. Apparently, the analysis offered by Mr. Sessions in October 1990 is still operative: "...we can no longer focus our counterintelligence efforts exclusively on these [traditional threat] countries,...we have to be concerned about non-traditional...threats...as well." This realization led to the development by the FBI of a new guidance document for applying counter-intelligence resources -- "The National Security Threat List (NSTL)." It was promulgated in March 1992.
All foreign intelligence services are looking to establish a national competitive edge for their countries. Friends and allies of the U.S. also covet secrets U.S. corporations are not wise enough to adequately protect and they use a full arsenal of techniques, both legal and not, to obtain the information they need. Their targets are not only government classified secrets but corporate trade secrets too. NBC's Expose on September 13, 1991, was instructive. It certainly should have raised issues of concern to businessmen who fly Air France with secrets they want to keep that way. Reportedly, the plane is bugged and is staffed with intelligence agents serving as certain members of the crew. (Air France denies the allegation.) According to the program, the French Secret Service has a dedicated unit with an industrial espionage role. The former Director of the French Secret Service, Pierre Marion, interviewed on the program was proud of the fact that he established a 20-agent element dedicated to collecting industrial secrets. He says that France came out ahead in many transactions because of the information made available to French firms by his agents.
Expose mentioned three U.S. firms with offices in Paris who fired employees allegedly working for the French Secret Service: IBM, Texas Instruments, and Corning Glass (for advanced fiber optics). The French are U.S. military allies but Mr. Marion sees economic competition as a different playing field and operating under a different set of rules. Economic/industrial intelligence is fair game and any nation the target. The FBI currently advises U.S. business people to be wary when they travel and to protect their proprietary information. Rooms are not safe from unauthorized entry and access to privileged documents. Phones, even restaurant tables may be bugged.
Other friends are out there gathering economic secrets too. The Japanese intelligence service reportedly devotes 85 percent to 90 percent of its collection operations to economic intelligence. Businessmen also are actively engaged and some 400 graduate annually from a four month course in business intelligence collection taught at the Institute for Industrial Protection. The Institute was founded in 1962 and run by former military intelligence officers. Japanese economic intelligence efforts, however, might better be described as a system rather than a single intelligence service approach. As has become traditional in the Japanese quest for economic superiority, the government-industry approach is much in evidence. Corporate giants and trading companies such as Mitsubishi, Mitsui, Sumitomo, Hitachi, Matsushita and others devote substantial resources to collecting information and its analysis. "Indeed, the effective use of business intelligence by the trading companies is one key reason Japanese industry has done so well in the past couple of decades," says Herbert E. Meyer, a business intelligence consultant and formerly Vice Chairman of the CIA's National Intelligence Council. Mr. Meyer further advises that the corporations have established "vast overseas data collection networks..." and as an example that "the Mitsubishi intelligence staff in New York takes up two entire floors of a Manhattan skyscraper." According to author Peter Schweizer, it is the Ministry for International Trade and Industry (MITI) "that serves as the hub of the [economic intelligence] network," with involvement of the quasi-official Japanese External Trade Organization as well as a small division of the prime minister's Cabinet Research Office.
Forbes magazine (November 12, 1990), quoting Thomas Zengage, a partner in a Tokyo-based research firm, leaves us with this comforting thought: "The Japanese are information barracudas...."
The head of the FBI's foreign counter-intelligence office in the San Francisco Bay area believes that nearly 100 nations are running industrial espionage operations in the Silicon Valley. Included are Japan, France, Israel, Syria, India, Pakistan, Egypt, Korea, PRC, and Taiwan.
Except for the U.S. and as a matter of policy -- some call it a mandate -- most foreign intelligence services provide a great deal of the information they collect on technology to their respective industrial sectors. What they obtain potentially can affect the U.S. corporate bottom line and also may affect national security.
The Chairman of the Judiciary Committee, Jack Brooks, noted (April 1992) that "U.S. industry and government may have lost billions of dollars through the theft of trade secrets and other proprietary information by foreign government and business interests."
Foreign intelligence services might use a variety of collection assets to focus on a particular intelligence requirement. Using a sophisticated model, these assets might include one or more of the following traditional collection disciplines: Human Intelligence (HUMINT); Signal Intelligence (SIGINT); and/or, Imagery Intelligence (IMINT). One INT or source of information may not furnish the answers required to an intelligence agency. But, a combination of INTs and sources might provide sufficient strands which woven together give necessary insights to an intelligence analyst and hence his decision makers.
Each INT may use different methods to collect intelligence information. For example, SIGINT might collect electronic emissions, telemetry or communications (fax, phone, radio, computers, etc.) using, as appropriate, ground sites, airborne collectors, or satellites. Imagery might likewise be obtained using similar platforms and consist of infrared, radar, or photographic images. HUMINT might employ clandestine collectors (spies). HUMINT probably would employ individuals to openly observe, photograph, elicit from others, and gather data available to the public (such as found in publications). Public domain data is receiving increased emphasis in the collection of information. Mr. Gates observed in his Judiciary Committee testimony that "... most intelligence services -- including those in former communist countries -- have begun to place a higher premium on open source collection." He added that this was due, in part, to the greater capabilities of computers as well as the fact that open source collection is less politically risky.
The various INTs and all-source approaches to the collection of information are not, of course, the exclusive province of foreign intelligence services. Indeed, Spytech has migrated to the commercial world. In fact, even a toy company has picked up on the theme and up on the technologies by introducing several "toys" with that name to include a long distance microphone and secret writing materials. Sophisticated techniques and technologies are available to both foreign and domestic corporations willing to pay and use them; take, for example, the SPOT Earth-resources satellite. The September 1990 issue of Defense Electronics and Computing showed a detailed photograph of the U.S. Navy Base at Norfolk. It was taken by the SPOT satellite with the image enhanced by computer. The quality was such that even a non-professional photo interpreter would be capable of deriving valuable intelligence. You do not, of course, need to go to space to obtain photos. Aerial photos using high resolution cameras will do the job nicely as may hand held cameras. Communication intercept equipment is easy to obtain through many commercial vendors and one can establish a relatively sophisticated communication intelligence site for less than $10,000. "Spy stores" sell an abundance of recording equipment (miniaturized, built into attache cases, and even into the proverbial martini olive) which could be used by insiders or penetration agents. Hi-tech catalogues advertise long-range microphones. There are miniature lenses, as well, which work effectively with television recording devices. And, of course, people simply can carry away 750 pages of information in the form of one pocket-sized computer diskette as another HUMINT way of obtaining corporate secrets.
U.S. Government Concerns -- A Message For Industry
The Department of Defense still evidences concern over the issue of transfers of technology to foreign countries. It now requires that during the process of acquiring weapons and other critical systems that a "Technology Assessment/Control Plan" be prepared by program managers. The DoD still identifies militarily critical technologies requiring protection and participates in the program which establishes export controls over these technologies and other material with military potential. Of course, debate continues on what should/should not be exported. Concerns are raised of whether restrictions accomplish objectives or just adversely impact on the ability of U.S. companies to make sales and effectively compete in overseas markets. The debate has led to significant changes and a more liberal approach. Such liberalization is even more reason for U.S. firms to ensure they are protected from potential copy cats looking to replicate their products or processes. The Washington Post (December 2, 1990) advised that the piracy of patented products alone cost U.S. firms some $60 billion a year in lost sales.
In an acknowledgement of how intelligence analyses are produced by foreign intelligence services, the U.S. government established a category of protection in addition to classified national security information designated Confidential, Secret, and Top Secret. Intelligence analysis includes the use of bits and pieces of information collected over time that may individually seem unclassified, but when integrated in an analytical product may disclose secrets. Thus, in 1986, federal policy began requiring safeguarding this sensitive but unclassified information. The nature of this sensitive information is such that the disclosure, loss, misuse, alteration or destruction could adversely affect national security or other federal government interests.
Such government concern about this indirect approach to their secrets should signal the need for corporate awareness of this analytical approach to corporate secrets. It also should increase the need for doing something to prevent such exploitation.
The press reported some years ago that firms with commercially available (and, of course, unclassified) on-line electronic data bases were visited by Federal officials requesting they limit foreign access and reveal the identity of foreign clients. The resulting furor, which centered on privacy and first amendment rights, obscured the grounds for this request. The reason was the extensive nature of these data bases and their potential use as analytical tools for piecing together sensitive information. For example, one such data base, Mead Data Central's Nexis, provides an analyst with considerable capability. This data base alone contains full text newspaper articles, magazines and newsletters -- reportedly more than 50 million documents -- with easy to use search protocols. Nexis is only one of many commercial and public data bases available. There are gateway services that provide users centralized access up to several hundred data bases. While estimates vary, there are probably in excess of 6000 data bases commercially available covering a myriad of subjects. Additionally, there are probably in excess of some 10,000 electronic bulletin boards whose specialized forums also provide a lucrative source of information on specific topics. A corporation searching these data bases with itself as the target may be unpleasantly surprised.
An even earlier government signal suggesting the need for additional protective measures was sent to industry in September 1984 with the issuance from the White House of an unclassified version of National Security Decision Directive (NSDD) 145 -- National Policy on Telecommunications and Automated Information Systems Security. NSDD 145 made it clear that communications and computers are highly susceptible to interception, unauthorized electronic access and related forms of technical exploitation. Then, as well as today, technology for the exploitation of computers and computer networks is widespread and used by foreign nations and available for use by criminal elements. The government is a target but NSDD 145 likewise advised that private or proprietary information of U.S. persons and businesses can become targets for foreign exploitation. As the press has pointed out frequently, the situation highlighted in the 1984 NSDD has not changed and probably has gotten worse. Unprotected computers and telecommunications are highly susceptible to exploitation through non-technical means and a wide array of technologies. Of course, this widespread technology is available (see a local electronics store) to the unscrupulous individual or corporation anxious to tap into corporate secrets. If there is no other possible way a company's secrets could have gotten out to a competitor (to include the analytical bits and pieces approach mentioned above) -- the way the company communicates with their offices and how they use their computers should be checked.
The U.S. government evidenced further concern with what the government felt were failures in what they called Operations Security (OPSEC). In January 1988, this led to adoption of a National Operations Security Program (NSDD 298) as U.S. Government policy. The NSDD provides a protection concept which is useful in varying working environments to include day-to-day activities and long term operations or programs. Its application is a must for research and development, systems acquisition, and technology based functions which require critical information be protected from unauthorized personnel.
OPSEC is a process by which potential adversaries can be denied information about capabilities and intentions by identifying, controlling, and protecting generally unclassified evidence of the planning and execution of sensitive activities. While the NSDD concept is a mandate for the U.S. Government and its supporting contractors, it clearly has application to private sector companies seeking to protect trade secrets and other proprietary information from their competitors.
While both of the cited NSDDs were written with the then Soviet threat in mind, the concepts they embody are still relevant. As noted, the former Soviet Union (and the current Republics) are not the only nations who have or can access sophisticated intelligence collection technologies. Indeed, as already mentioned, these technologies also are available in the commercial world for use by commercial customers.
The FBI's Washington Metropolitan Field Office in a March 9, 1992 memo concerning the National Security Threat List (NSTL) advised: "As the leading superpower, the United States is a natural priority target of many foreign intelligence services....The ...acquisition of U.S. critical technology, will continue to be the primary focus of foreign intelligence services within the U.S. and abroad." The NSTL identifies "strategic issues" upon which the FBI will focus and establishes priorities for FBI counterintelligence efforts. Two of these issues are foreign intelligence service attempts at actively obtaining information relating to "Core (Critical) Technology (classified or unclassified)" as noted in the National Critical Technology List (NCTL); and, "Proprietary Economic Information."
On March 22, 1991, William D. Phillips, Chairman, National Critical Technologies Panel, submitted the first biennial report describing "22 technologies considered essential for the U.S. to develop in the interests of the Nation's long-term security and economic prosperity" -- the NCTL. For the most part these are dual-use technologies -- of value in the civil sector and in national defense. While the report is intended to highlight the importance of the technologies presented for public and private sector investment and action, it also serves to highlight what requires some degree of protection as they are developed. Further, it provides a virtual shopping list for others as targets for their exploitation as they become aware of efforts to develop the listed critical technologies. The panel observes, "in an environment of intensifying global competition, deployment of technology is becoming the strategic battlefield of the international marketplace."
While the government clearly has a role in the protection of national critical technologies and in supporting efforts to secure proprietary information and trade secrets, effective protection can only be realized with the full participation of industry. The facts are these: there are not sufficient government resources to do the job. The government can help, but the responsibility for protecting corporate technologies, applications, processes, and other proprietary information falls to the individual corporations. In this world of fast paced change where development and application of technology will be a basis for being recognized as a superpower, commercial enterprises must become better at keeping their secrets secret.
The Smoking Gun -- A Sample
Not only does the potential and the capability exist for people to get corporate secrets, there is smoking gun evidence that the various pathways to company secrets are being used. A Study of Trade Secrets Theft in High-Technology Industries (May 1988) provides some insights of what should be of concern to those interested in protecting their company secrets. "Findings show that theft victimization was very extensive among the large, high-technology companies surveyed. Of the 150 companies responding..., 48 percent reported that they had been victims of trade secrets theft some time in the past.... More than 90 percent reported incidents in the last ten years and over 80 percent... in the last five years.... Over half reported at least two thefts during this (latter) period and over twelve percent had experienced more than five." Research and technology information were most frequently (86%) targeted for theft although customer lists (28.8%), financial data (21.2%) and program plans (24.2%) also were high on the list.
Similar surveys with a focus on technology theft were conducted by the American Society of Industrial Security (ASIS) Committee on Safeguarding Proprietary Information in 1991 and in 1992. In the 1991 study 165 firms responded (of some 1700 questionnaires sent) and 37 percent indicated that their company had experienced a theft or attempted theft. The survey indicated that incidents had been increasing over the past few years with most incidents occurring in the U.S. Forty percent of the incidents involved outsiders (including former employees), 12 percent insiders, and 48 percent outsiders and insiders acting together. The methods used to obtain information included: removal of information from offices; theft of customer lists; theft of technical data; theft of trash; installing eavesdropping transmitters and microphones; unauthorized reproduction of documents; bribery; interception of fax and telephone communications; replacement of foreign workers to be trained in the U.S. with engineers who looted materials and information; theft by former employees who took information when leaving the company and then contacted competitors; break-ins; and, theft of executives' luggage.
The 1992 survey with its expanded question list showed similar results. The 246 responding companies (from 5,000 surveys mailed), "...reported 589 misappropriation attempts targeting U.S. technology, trade secrets, and business plans. The combined losses of the companies reporting exact figures are $1.8 billion." The average number of incidents with foreign involvement has risen steadily from a low of .16 prior to 1980 to 2.8 in 1991 to 1992.
While these surveys show that there is active industrial espionage, they do not attempt to assess the impact of open/public domain sources used in the acquisition of trade secret/proprietary information. This approach is probably more pervasive than spying with some estimates from long time intelligence professionals ranging from a low of 75 percent to a high of 90 percent using this low risk approach. As an indicator of interest in and the success of open source collection, note that the Society of Competitive Intelligence Professionals (SCIP) which promotes the ethical collection of information and its analysis has grown significantly. It was organized in 1986 and as of January 1992 had 1587 members.
Notwithstanding various surveys, it is difficult to get details of specific incidents. Firms are loath to let it be known that they have been compromised and how. Usually incidents are disclosed only when there is litigation involved or when parties can maintain their anonymity. The authors of the 1992 ASIS study, for example, did not know which companies provided the information on the survey forms they received.
Some examples of assaults on company secrets noted by the press over the past two years (there are more from earlier years) include:
- In September 1992, computer software companies Borland and Symantec engaged in a trade secrets dispute. Symantec reportedly is the target of a criminal investigation because a former Borland employee who joined Symantec allegedly brought trade secret information with him. A civil lawsuit also is pending.
- In December 1991, Norton Company lost a law suit which alleged a former employee and a competitor stole secrets of a $20 million product line. The defendants countered that the items were available to the general public through another company.
- In October 1991, a former scientist of Warner-Lambert Company's Parke-Davis unit pled guilty to selling data on two of the firm's drugs to a generic drug maker for $14,000.
- In September 1991, Quotron Systems accused a competitor of stealing its computer trade secrets and attempting to grab a major client.
- In September 1991, a competitor settled a lawsuit in which Bear Stearns Company accused it of stealing confidential client information -- terms of settlement not disclosed.
- In September 1991, Metro Traffic Control, Inc. sued a rival charging it with theft of trade secrets for allegedly eavesdropping on Metro radio communications to obtain traffic reports which it later broadcast as its own.
- In March 1991, Mary Kay Corporation and Avon Products, Inc. agreed to an injunction in a Mary Kay lawsuit claiming that Avon and two private investigative agencies had illegally taken documents from a dumpster used by a Mary Kay affiliate.
- In March 1991, two scientists were convicted of conspiring to sell trade secrets of Merck and of Schering-Plough.
- In February 1991, a woman pled guilty of trying to sell marketing secrets of Smith-Kline Beecham to a competitor.
- In November 1990, a TV rating service former employee received five years probation for stealing confidential equipment and documents and giving them anonymously to a chief competitor in hopes of becoming a "consultant."
- In October 1990, a GM contract employee was charged with stealing confidential sketches and pictures of future car models. GM claimed hundreds of millions of dollars in trade secret damage.
The examples cited above do not even consider the activities of foreign intelligence services. As noted by the Directors of the CIA and the FBI, the Russians and many countries use their foreign intelligence services as a cost effective approach to minimize the risks inherent in technological development, industrial processes, and business related activities. In a speech to the Washington Metro Chapter of the OPSEC Professionals Society (OPS) (June 1992), Mr. David Major of the FBI advised that 94 of 171 countries studied -- excluding former Warsaw Pact countries -- do some targeting of U.S. corporate or government secrets. "They do it under the guise of 'technological protectionism' or for economic reasons," he said.
Information on the Foreign Intelligence Threat is available from the FBI (DECA -- Development of Espionage and Counter-intelligence Awareness). For other threat information there are a variety of sources: local police; law libraries; security newsletters and magazines; newspapers and other periodicals. Further smoking guns can be added to the list. As suggested by the surveys above, many firms have direct evidence or some pretty solid suspicions that their company's secrets are falling into the hands of the competition, foreign and/or domestic.
Conclusion: there is a real threat. There is motive (big dollars) to exploit sources both legal and not legal to gain another's secrets. There is plenty of opportunity to exploit those sources and a wide variety of exploitation methods abound and are available. All the elements are present to entice action by a firm's competitors÷in the U.S. and abroad÷directed at another's secrets, if they have little, ineffective, or no protection.
Legal Implications
A key element of protecting a corporation's secrets is the deterrent nature of legal recourse available to a firm whose secrets have been appropriated by a business competitor. While this may not interrupt the information collection and analysis cycle, it does offer an action to prevent the unlawful use or gain that might be realized from improperly developed competitor intelligence. With the increased involvement, however, of foreign intelligence services, this recourse may not easily provide sought after relief. Having a sound protection program, therefore, is the first line of defense.
"The general difference between trade secrets and federal enforced copyrights and patents is that trade secrets maintain their value and identity as trade secrets as long as they are not disclosed, while patents and copyrights require disclosure in order to 'promote the Progress of Science and useful arts,'" states George Washington Professor of Law, James P. Chandler.
In 1979, the Uniform Trade Secrets Act was approved by the National Conference of Commissioners on Uniform State Laws as a model for state adoption. Under this recommended act "Trade secret means information, including a formula, pattern, compilation, program, device, method, technique, or process, that: (i) derives independent economic value, actual or potential, from not being generally known to, and not readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and (ii) is the subject of efforts that are all reasonable under the circumstances to maintain secrecy." These criteria provide the basis for identifying corporate critical information.
Thirty-nine U.S. states have enacted laws designed to protect trade secrets -- a version of the Uniform Trade Secrets Act, with slight variations. These states recognize the need to offer specific protection of the law to proprietary information such as customer lists and manufacturing techniques and processes. Eleven other states with a strong common law background on the subject apparently believe they have no need to enact specific legislation. On the federal level, there is some discussion and debate about enacting trade secrets/proprietary information statutes.
When viewing information as property, the law becomes more diffuse. "All states have criminal theft statutes," advises Professor Chandler. "Fourteen states have special theft statutes only for trade secrets; nine states have expressly listed trade secrets as a form of property which is covered by their basic theft statutes; one state uses similar wording such as 'scientific information'; and twenty-five states leave it entirely to the courts to find trade secrets covered by their general property theft statutes, most of which define property as 'something of value.'" Professor Chandler observes that criminal prosecution is not common for trade secret theft. He suggests one reason "is that local law enforcement agencies generally do not have the resources to investigate commercial crimes....Until public policy and the resources behind it support protection of trade secrets more strongly, it will remain uncommon
The burden for protecting corporate secrets falls upon a corporation with secrets to protect. The first step, of course, is to determine the secrets requiring protection, and the Uniform Trade Secrets Act gives a basis for making that determination. Trade secrets must have independent economic value, not be generally known or ascertainable by proper means, and be subject to reasonable efforts to maintain secrecy. This usually does not mean total secrecy, but it must fit the circumstances; it must be prudent. What is disclosed to insiders must be controlled, and measures must be instituted to protect the information from outsiders.
Common sense would appear to provide the incentive for corporations to develop sound information protection programs. On the one hand, a good program will decrease the likelihood of exposing a company's secrets while on the other it gives a firm's lawyers a strong basis for seeking legal remedies if the secrets are improperly acquired by others. The legal foundation for, or chance of success in, litigation is significantly weakened if slight or no effort was taken to protect what the firm believed to be trade secret information. This is true for states that have enacted a trade secrets law as well as under common law provisions.
Determining What to Protect and How to Do It
As recognized by a past president of the Operations Security Professionals Society, Howard Ferrill, "Factors in the equation of business survival include quality, fiscal restraint, management innovation, service, and the ability to walk a tightrope." The tightrope Mr. Ferrill identifies is one of maintaining profits while at the same time maintaining a competitive edge. He goes on to say, "As the level of competition increases in the international marketplace, Corporate America will be forced to enter into partnerships (domestic and international) to survive." And these partnerships, be they joint ventures, licensing agreements, co-production or other similar arrangements, will be "a major challenge." Corporations will face a "dilemma...between sharing the information needed to make a profit, and retaining the control essential to keeping [a] competitive edge. Failure to maintain this delicate balance can quickly change [a] partner into [a] direct competitor." A key to solving this dilemma is to employ a tool which highlights the criticality of the information requiring protection. An effective information protection program cannot be established without clearly identifying information requiring protection.
The approach outlined below emphasizes a series of logically linked analyses. It is value and threat driven -- value driven from the perspective of clearly specifying the value of the information requiring protection and threat driven by specifying the threat capable of exploiting vulnerabilities which reveal that information. It is based on concepts associated with the proven Operations Security (OPSEC) "five step" process used by the U.S. Government. The approach suggested provides the basis for developing a comprehensive information protection program. It is a structured approach to evaluations designed to expose strengths and weaknesses of current information protection programs. It also serves as a base for establishing a program where none existed before.
Application of the approach which follows can be very labor intensive and does require the cooperation of personnel throughout the corporation. The structure, however, should be viewed as a flexible tool which can be applied to varying depths and degrees based on resource and time availability. While the approach can accommodate quantitative inputs (such as specific cost/benefit analyses, annual loss expectancy (ALE) methods), its basis is interaction with people. Managers, decision makers, legal, public affairs and other staff and line, security and non-security personnel, all who operate within and around the critical/sensitive corporate information should be involved in making inputs and qualitative judgments.
Counter-Competitor Intelligence Survey and Security Controls
-The Steps and Their Purpose-
1. Critical Information Analysis: determine what information requires protection -- establish the importance and value of specific information and classes of information and associated business operations.
The objective in this initial step is to understand what information might be a target by gaining an appreciation of why the information element under analysis might be singled out for exploitation by a competitor. Since bits and pieces of information when linked analytically can reveal what a corporation is seeking to protect, "secrets" also must be looked at by their discrete information components (indicators) as well (see step 3). Criticality will be determined on the basis of value -- the damage to the corporation that would occur should information loss be realized. Trade secret information is by definition critical information.
Sensitive information is a component (analytical indicator) of critical information. Criticality/sensitivity should be determined from both a corporate and a competitor's perspective. Establishing the perishability of information is another key component of this step. How does the passage of time affect the value of the information? If a competitor cannot react and gain an advantage from the information collected, it may not be critical or sensitive because of its high degree of perishability. Input from both line and staff personnel forms the basis of this step, especially the creators of critical/sensitive information (e.g., R&D) and custodians of such information (e.g., those charged with primary interest in or use of the information).
2. Threat Analysis: identify the possible competitor threats (other firms, foreign intelligence, activists, terrorists) to the firm's critical or sensitive information and the methods used by competitors or their agents for accessing or exploiting that information. A competitor threat to corporate information/operations is manifested by someone using a specific technique or methodology to access what the target seeks to protect. Threats (exploitation techniques) may be based on actual experience or may be "postulated" based on an assumed, common sense, threat capability.
3. Vulnerability Analysis: identify possible weaknesses existing in how the firm currently protects its critical/sensitive information and operations (derived from step 1). This analysis will develop an appreciation of sources which can be exploited by the threats identified in step 2. Develop a collection strategy, from a competitor's viewpoint, for accessing critical/sensitive information. Implementation of this competitor threat strategy would enable a competitor's analytical team to profile the target operation or activity and to determine through use of intelligence analysis techniques the secrets they seek. A firm's counter-competitor intelligence analyst, by making such analyses, can define specific vulnerabilities and the threat (competitor) collection techniques which might be directed toward the exploitation of those vulnerabilities. See the attachment for a listing of some sources -- legal and not, ethical and not -- subject to exploitation.
4. Risk Assessment: integrate the analyses made in steps 1 through 3. It is here that the interaction of critical information requiring protection, the specific source/threat and vulnerabilities are examined. The objective of this step is to establish the relative order of importance of the combined factors identified in steps 1-3. The value of critical information can vary, threats differ in the order of their severity, and some vulnerabilities are subject to easier exploitation than others. The product of this step shows the relationships among critical/sensitive information, threat, and vulnerability and ranks risks in decreasing order of severity.
Estimates of severity and likelihood of occurrence are determined and priority rankings established in accordance with the degree of unacceptability of the risk. Significant interaction with and input from various organizational levels within the corporation are required to establish this ranking.
5. Identification of Security Controls and Cost: in this step specific security controls and their known or estimated costs are determined. Various protection concepts (safeguards in depth, deterrence, detection, delay, interception, containment, avoidance, recovery, correction and prediction and so forth) should be examined as they apply to the importance of the information requiring protection. Controls include technical, physical, personnel, and procedural safeguards.
6. Management Decision: analytical techniques (qualitative or quantitative) appropriate to a corporation's decision making process are used to recommend and select those security controls which are most effective for the corporate operational and management environment. Implementation priorities also are set by corporate decision makers during this step based on the analysis completed in step 4 and the resource implications identified in step 5. Residual risk should be identified as well, i.e., vulnerabilities not satisfactorily fixed or not fixed at all should be noted and plans made to correct these deficiencies when appropriate (e.g., when resources or new technologies permit).
7. Security Controls Implementation: develop and execute a plan to implement selected controls. Action plans are required with milestones, responsibilities and authority clearly defined. Of course, a key implementation feature is the promulgation of an information protection program such as one outlined in the next section.
8. Effectiveness Review: conduct a periodic review of the effectiveness of security controls. Once controls are in place, a test and evaluation plan should be developed and implemented to assess the effectiveness of the controls. The purpose of this review is to determine if safeguards do what is intended, have not created additional vulnerabilities over time, and account for new corporate initiatives and technologies as well as a changing threat. This review provides the basis for again initiating the analytical steps outlined above if significant questions or concerns are raised. Protecting trade secrets and proprietary information is a dynamic process.
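As an added illustration (not part of the original paper), the sketch below carries steps 1 through 6 through a small risk register: it scores each information/threat/vulnerability combination, ranks them, then selects controls within a budget and reports the residual risk. The 1-5 scales, the multiplicative score, the greedy selection rule and all sample data are assumptions of this example; the paper prescribes no formula.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Asset:                 # step 1: critical information
    name: str
    value: int               # 1-5: damage to the firm if the information is lost
    shelf_life_months: int   # perishability: how long the information keeps its value
    reaction_months: int     # time a competitor needs to act on it

@dataclass(frozen=True)
class Exposure:              # steps 2-3: a collection method and the weakness it uses
    asset: str
    method: str
    capability: int          # 1-5: threat capability / likelihood
    ease: int                # 1-5: how easily the weakness is exploited

@dataclass(frozen=True)
class Control:               # step 5: a safeguard and its cost
    name: str
    method: str              # collection method it counters
    ease_after: int          # ease of exploitation once the control is in place
    cost: int

def effective_value(a):
    # Perishable information a competitor cannot act on in time scores zero.
    return a.value if a.shelf_life_months > a.reaction_months else 0

def rank_risks(assets, exposures):
    """Step 4: combine value, threat and vulnerability; worst risk first."""
    by_name = {a.name: a for a in assets}
    scored = [(effective_value(by_name[e.asset]) * e.capability * e.ease, e)
              for e in exposures]
    return sorted(scored, key=lambda s: (-s[0], s[1].asset, s[1].method))

def apply_control(exposures, c):
    return [replace(e, ease=min(e.ease, c.ease_after)) if e.method == c.method else e
            for e in exposures]

def select_controls(assets, exposures, controls, budget):
    """Steps 5-6: buy the most risk reduction per dollar; return residual risk."""
    total = lambda exps: sum(score for score, _ in rank_risks(assets, exps))
    chosen, remaining = [], list(controls)
    while True:
        gains = [(g, c) for c in remaining if c.cost <= budget
                 and (g := total(exposures) - total(apply_control(exposures, c))) > 0]
        if not gains:
            break                # nothing affordable still reduces risk
        _, best = max(gains, key=lambda gc: gc[0] / gc[1].cost)
        exposures = apply_control(exposures, best)
        budget -= best.cost
        chosen.append(best.name)
        remaining.remove(best)
    return chosen, rank_risks(assets, exposures)

# Constructed sample data, not taken from the paper.
ASSETS = [Asset("process formula", 5, 60, 12),
          Asset("next-quarter price list", 3, 3, 6),   # stale before a rival can react
          Asset("customer list", 4, 36, 2)]
EXPOSURES = [Exposure("process formula", "trash and scraps", 4, 4),
             Exposure("process formula", "trade show talks", 3, 2),
             Exposure("customer list", "employees hired away", 4, 3),
             Exposure("next-quarter price list", "trash and scraps", 4, 4)]
CONTROLS = [Control("shredding and locked bins", "trash and scraps", 1, 5_000),
            Control("pre-release review by IPPC", "trade show talks", 1, 8_000),
            Control("secrecy and no-raiding agreements", "employees hired away", 2, 12_000)]

if __name__ == "__main__":
    print([(s, e.asset, e.method) for s, e in rank_risks(ASSETS, EXPOSURES)])
    print(select_controls(ASSETS, EXPOSURES, CONTROLS, budget=15_000)[0])
```

With this data the customer list exposure stays at the top of the residual ranking because its control does not fit the budget, which is the kind of unfixed vulnerability step 6 says should be recorded for later correction.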
Controlling Information
With the above analyses completed and with information protection decisions made, an information protection program for a corporation can be developed or revised and distributed to those affected. Components of such a program as a minimum should include:
- A policy statement from the CEO. Interest in protecting company secrets must begin at the top. Describe the program's purpose and importance. Employees must understand their role as the key players in keeping the company's secrets secret.
- Establishing an Information Protection Policy Committee (IPPC). The IPPC is responsible for establishing corporate information policies and overseeing their implementation. Subcommittees, as necessary, are formed to address specific issues (such as secrecy agreements) and to review proposed public releases which may reveal or relate to company trade secrets/proprietary information such as papers for symposia, trade journals, public filings, etc. This review function is necessary to ensure that corporate secrets are not disclosed a piece-at-a-time, thus subjecting them to disclosure through competitive analysis. While company security should facilitate the operation of the IPPC and any subcommittees (possibly fill the role of executive secretary), a corporate officer with decision authority should be its chair. Committee members should be drawn from line and staff personnel and include subject matter experts, legal, public affairs, and human resources.
- Defining what information needs protection (proprietary information -- trade secrets). This may be determined as part of a Counter-Competitor Intelligence Survey (as outlined in the preceding section).
- Establishing levels of information importance. Not more than three levels are recommended (two are probably better) and perhaps an additional one for privacy material. Use these levels as a basis for restricting access.
- Developing guides so people know what to protect and at what level of protection (its relative importance). Describe the corporation's general and specific policies on what to protect. Cite principles (e.g., reasoned judgment, specific guides, duration of importance) for assigning protection levels based on the importance of the information.
- Specifying to whom the program applies, to include current employees, prospective employees, departing and departed employees, vendors, suppliers, license holders, and others with access to your trade secrets.
- Preparing and signing secrecy and associated agreements such as no competition, no raiding, and invention covenants.
- Establishing a network of non-security department coordinators throughout the organization. Appoint administrative coordinators. They worry about any of the paperwork necessary to run and manage the protection system. They also provide immediate advice and assistance and a local point-of-contact for security.
- Appointing Data Custodians. Users and creators of information must understand their roles. These appointments establish substantive responsibility for corporate critical information, usually in the originating department.
- Defining what constitutes a compromise and the procedures to be followed upon discovery as well as the penalties if a compromise occurs.
- Establishing procedures for the control of information under a variety of conditions, e.g., while communicating (phones, faxes, PCs, LAN, WAN, etc.), in document form, where it can be observed (at test sites, displays, exhibits, plant tours, etc.). Marking, safekeeping, storage, dissemination, transmittal, accountability, control (who has access to what), copying (set controls), and disposal and destruction of documents/electronic media also should be established.
- Maintaining relevant and realistic security education and awareness programs (classes, media presentations, circulars, bulletin boards, with pay raises, with promotions, pre and post hiring, terminations, etc.). Conduct new employee orientations, periodic refreshers for all employees, and exit interviews with departing employees. Personnel scheduled for foreign travel should be briefed on potential threats as well as those attending symposia, external training, preparing papers for publication, etc. Training sessions should emphasize that bits and pieces of information which taken alone may not compromise trade secrets/proprietary information may do so when pieced together. Security awareness and training are the backbone of any protection program. Protection personnel cannot do the job alone.
- Management of the program. Establish who is in charge, authority and specific responsibilities throughout the organization (not just corporate security). Specify who does surveys, inspections, and audits, who reviews/revises protection policies (e.g., IPPC).
Of course a protection program is only as good as its implementation. Efforts to make information protection quickly and easily understood should be made -- training is the keystone. Above all, a common sense approach is necessary.
In Summary
Competitors seeking an edge abound and they may be seeking a corporation's secrets to establish that edge. They may be foreign or domestic, governments and other corporations and they may use legal or illegal means to acquire those secrets. A protection professional and those they support must understand the threat, determine what secrets competitors seek and implement protection policies and control measures designed to prevent the exploitation of corporate secrets. A key ingredient in this and in any similar endeavor is the ability of protection personnel to communicate with and convince senior management that protecting information has a positive impact on the corporate bottom line.
Company secrets -- are they?
Some Sources -- Legal and Not, Ethical and Not
Annual Reports -- Press Releases -- Speeches -- Conferences -- Seminars -- Trade Shows -- Financial Reports and Filings -- Securities Analysts -- Commercial Data Bases -- Libraries -- Business Publications -- National Tech Info Center -- FOIA -- National/State/Local Government Agencies -- Phone Books -- Organizational Charts -- Academic Institutions -- Research Papers -- Grant Proposals -- Public Records -- Tours -- Advertising -- Marketing Personnel -- Suppliers -- Acquisitions -- Joint Ventures -- Visitors -- Licensees -- Customers -- Sub-Contractors -- Mergers -- Reverse Engineering -- Indiscreet Employees -- Deliberate Employee Disclosure -- Unwary Phone Conversation -- Job Searching Employees -- Employees Hired Away -- Recruiters -- Job Interviews -- E-Mail -- Survey Questionnaires -- Photos -- Unauthorized Photocopies -- Clerical Personnel -- Chair People -- Trash and Scraps -- Undercover Operatives -- Unprotected Computers and Media -- Phone and Other Electronic Penetration -- Observation -- Tax Filings -- Environmental Impact Statements -- Fax -- Computer Networks and Bulletin Boards -- Contract Proposals -- Requests for Proposals or Bid -- Contracts -- Employee Rosters -- Employment Agreements -- Performance Appraisals -- Employee Bulletin Boards and Publications -- Unions -- Activist Groups -- Stock Holders -- Board of Directors -- Banks.