
ICG Risk Blog - [ Why steal COTS products or processes? ]

Why steal COTS products or processes?


Building on "What are they stealing now?"

"Foreign collectors most likely settled for commercial products after learning that their [clandestine] collection efforts failed and were not worth pursuing."

Targeting countries appear to wait for a successful US commercial application of a technology before seeking to acquire it, as the kernel of capability for military use is often contained in the commercial variant. An airborne IR sensor is a good example that applies to all dual-use technologies.

I would stress that "failed" applies to collectors' time horizon and that the early securing of a commercial variant will act as a "gap filler" in both their defense and commercial posture and will act as a development seed in their research institutions.

As developed countries suffer legacy drag as we do, preferring not to change computer systems when an upgrade is needed, they target absorbable enhancements. Developing countries, not so encumbered, will attempt quantum leaps in capacity by acquiring newer, more advanced systems.

Everything is at risk to someone. In the early 80s I went to the Pentagon to make a deposition as to how the Soviets were buying English PCB (printed circuit board) CAD systems en masse in order to make LSI (Large Scale Integration) chips.  The military attendees were stunned when I described a simple sectoring process in which a chip's logic could be broken up in segments absorbable by the PCB systems and then stitched together.  The "commercial loss" of silicon was unimportant in comparison to the ability to achieve high density chip architecture.  That was a year after I watched the Shanghai Institute of Metallurgy hand-tape (manually apply pull-off and paste decals to represent components) its first 1K RAM chip.  The attendees were not aware of that either.

At times, the collection attempts are not directly military (but will ultimately have a military bump) as even moderately capable nations want to stay apace of the US, avoid dependency on external contractors, lower their maintenance costs, improve availability, and embed capacity in their local production.

  1. Complementary and redundant sets of attack vectors are common. Acquisition attempts vary from simple, passive info requests to sophisticated multi-spectrum collection efforts, but it is rare to receive a single attack vector. At a previous firm, we used to joke that, "The Indians are the greatest paper collectors on the planet."
  2. It is more common for your firm (but not you) to receive multiple probes, the responses from which tailor or redirect the probes that follow. Japanese firms with whom I had previously worked peppered my company from programmer to senior executive -- often six or seven requests on the same day on the same issue. There was great distress when I stipulated that all messages came to me for a single integrated, controlled reply -- and then distributed the reply internally as the 'rule.'
  3. Every nation has a pattern or preference that, while it will change over time, has very recognizable characteristics through the medium term. Technical ability, culture, polity, and business practices merge with need and so help paint any country's attack profile. (The Chinese affection for humint is a good example.)
  4. Collection plans seek the greatest ROI and the greatest OpSec (operational security) for the collectors' assets and means.

Next we'll look at why a country gets on the FBI's New Security Threat List, and then who gets on this porous, ostensibly classified list, and who gets left off for reasons of political sensitivity.

Gordon Housworth
