For what it's worth... ---------- Forwarded message ---------- Date: Thu, 16 May 96 20:00:38 EDT From: David Jones <djones@insight.dcss.McMaster.CA> To: efc-talk@insight.dcss.McMaster.CA Subject: CSIS: growing threat of economic espionage CSIS warns that Economic Espionage is growing - Strong encryption may be one line of defence - by David Jones OTTAWA -- The Canadian Security Intelligence Service, CSIS, wants Canadian corporations and government departments to be aware of the growing problem of "economic espionage". This is distinct from "industrial espionage", which is just company-on-company spying; "economic espionage" is state-sponsored. I spoke briefly with Ted Flanagan, who is the National Coordinator for Economic Security and Proliferation Issues, for CSIS. After hearing him make his pitch on the TV news, I wanted to ask him about a possible conflict between, on the one hand, Canadian law enforcement, which seems reluctant to see strong encryption become widely used and, on the other hand, CSIS, which seems to be implying that government departments and private companies should take active steps to protect themselves, including the use of strong encryption. Here's a few of his comments, (paraphrased) It's sometimes surprising for people to hear that foreign states do have significant resources and can easily monitor telecommunications, *globally*. Companies have to be mindful of this. Encryption may not be necessary for everything, but for particular aspects of their business communications, such as bid proposals, online transactions, it may be appropriate. Obviously there is a law enforcement concern about criminal activity being shielded by the use of encryption, but encryption is now a commonplace and commercially available fact of life. The technology exists and if individuals are going to use it for illicit purposes, then they're going to use it. The reality, though, is that the Canadian government does have a security policy and they do have encryption requirements. Encryption is the sort of thing that an awful lot of Canadian companies are also using, depending on their resources and needs. We're working with a community who we feel have a legitimate requirement to ensure that proprietary information is protected. There's no way to reverse the trend of having commercially available software for encryption. So the bottom line for cops seems to be: Encryption is here to stay; get used to it. Ted Flanagan also explained CSIS's mandate. It doesn't deal with law enforcement per se, but it is concerned with national security. It advises government departments and alerts private organizations to potential threats. It operates within Canada in a "defensive" capacity. There's been some speculation that Canada needs an "offensive" intelligence agency that would be able to take steps in foreign countries to further our national interests. (Heck, if they're spying on us, maybe we should spy on them!) Don't bother signing up to be the next Canadian James Bond, though. There's no political support for such an agency any time soon. Part of the problem with raising corporate awareness of the threat of espionage is that serious incidents are often hushed up because of the damage that negative publicity would cause to the reputation of a big Canadian company. CSIS tries to work with companies on a confidential basis and keeps a private database of incidents they learn about. So, next time you read a newspaper article about two teenage boys getting busted for running a BBS with pirated software, keep in mind that elsewhere there's *real* cyber-crime that is going down, ... and although you may never hear about it, it's happening on a scale that makes those BBS pirates look like, well, mischievous children. Here's a random excerpt from the CSIS 1995 Annual Report "A foreign government is believed to have tasked its intelligence service to gather specific information. The intelligence service in turn contracted with computer hackers to help meet the objective, in the course of which the hackers penetrated databases of two Canadian companies. These activities resulted in the compromise of the companies' numerous computer systems, passwords, personnel, and research files." URL = http://www.csis-scrs.gc.ca/eng/publicrp/pub1995e.html#economic - -