Popular Computing Magazine
DIRTY BUSINESS IN SILICON VALLEY
Theft and espionage are mushrooming as competition in the industry grows
Clyde Barrow, leader of the infamous Barrow gang immortalized in Bonnie and Clyde, was once asked why he robbed banks. "Because that's where they keep the money," he replied. If Clyde Barrow were still around, he'd probably be doing business in the Silicon Valley of Santa Clara County, California. That's where the money is these days. But the thieves in the valley aren't driving cars up to the front doors of banks with their guns drawn and eyes steeled to intimidate the tellers.
Instead, they're sneaking through the back windows of more than 1300 computer plants to liberate easily fenced microprocessor chips, or they're transferring trade secrets to tape and selling them to the competitor across the street, or they're compromising key engineers with cocaine and sex to pry loose secrets that are passed eventually to Eastern bloc countries.
There's money aplenty to be made in the valley, and plenty of modern-day Clyde Barrows have focused their sights on the technological wealth concentrated here. But with the increasing diversity of the computer industry and its expansion into other "Silicon Valleys" throughout the country, the problem of theft threatens to reach proportions and profits that would have boggled Clyde Barrow's head for figures. In California's Silicon Valley alone, local authorities estimate that $20 to $100 million in chips, circuit boards, and other components are stolen each year. And Douglas K. Southard, a Santa Clara County district attorney who specializes in theft within the computer industry, predicts that 1984 will be a record-setting year for thefts.
Component thefts, theft of secrets, and international resale of restricted material are the major types of crime, and each of these areas has its own criminal element, from minimum-wage earners to international playboys. All in all, it makes for intriguing times and changing tactics in the temperate, sunny valley that 20 years ago specialized in growing apricots.
GET YOUR HOT CHIPS HERE
Theft of computer parts is brand new, and law enforcement officials find they're often unprepared to deal with this new type of crime or even recognize the stolen parts. Joe Chiaramonte, an FBI special agent for computer crime working out of San Jose, tells this story about law enforcement officials in Eugene, Oregon, near Portland, where a miniature Silicon Valley is growing up. "It was kind of funny," Chiaramonte says. "They stopped a trailer truck, a rental. They were so ignorant of what they were looking for that they went into the trailer and were walking around it, looking around, and all these square little flakes were getting caught on their shoes. They were walking over thousands of microprocessor chips. It was only after they talked to someone who knew about computer technology that they realized what a catch they'd made. But they just don't have the training yet," Chiaramonte says.
Despite its newness, theft of computer parts is done by time-proven methods. Fifty years ago, a lumberyard employee would drive his truck into the yard while it was closed on a Sunday, load the truck with 2 by 4s, and drive off to sell the wood "that nobody'll miss" to friends and acquaintances at a slightly reduced cost. It is not much different today, though computer thefts are easier to pull off. Chips, for instance, are small and highly portable--and they're a lot more valuable than 2 by 4s.
According to both FBI agent Chiaramonte and deputy district attorney Southard, the typical thief at the originating end of a hot-chips chain is a blue-collar worker not too unlike the lumberyard employee. The FBI has found that 90 to 95 percent of the time, a company's own employees are responsible, usually lower-level employees such as security guards, shift workers, or custodians who purposely leave doors open or walk out with chips in their pockets, pants legs, or mouths.
Both the FBI and the district attorney's office recall that when they first became involved in fighting computer crime, plant security was somewhat lax. In 1977 and 1978, the FBI got the impression that the industry didn't care about thefts. Everyone was making so much money that a million-dollar loss seemed trivial. But when the recession hit in the early 1980s, companies began to tighten their belts. They looked more closely at inventory control and tighter security measures.
When asked about security against theft, many of the once-lax companies are now as silent as monks on vigil. Gary E. Simpson, vice-president for corporate communications for Varian Associates in Palo Alto, refused to discuss his firm's security measures because of their highly sensitive nature. Similarly, IBM routed the request for information from its Palo Alto offices to its offices in Los Angeles and from there to its headquarters in Armonk, New York. Even then, program manager of corporate information Ken W. Sayers was as closemouthed as his Varian colleague.
But despite increasingly stringent security, thieves still manage to smuggle out chips and other components. What happens to the goods once a thief manages to make off with a thousand chips? The loot finds its way into what law enforcement officers refer to as the "gray market," a shadowland between legitimate business (the white market) and outright illegitimate business (the black market). Deputy district attorney Southard describes the gray market as an operation characterized by the movement of parts through many hands until the parts find their best market for that day.
In the white market, manufacturers sell their products either to authorized and franchised distributors or to original equipment manufacturers (OEMs). The franchises distribute the parts to OEMs or to brokers who in turn sell to other brokers, until the parts get to an OEM.
The term gray market refers to the independent broker market. One source of quasi-legal chips for the gray market is scrappers who buy scrap chips in order to reclaim gold and other precious metals from them. Sometimes, however, instead of reclaiming these metals, a scrapper sells the chips to a broker who in turn sells them to an OEM as good or salvageable.
A second source of chips for the gray market is OEM surplus. "Suppose the market is the way it is now; you can't get anything," says Southard. "You really need 10,000 of these widgets a month to keep up with your production, but you're on allotment from the manufacturer, and you're not sure he'll be able to keep up with your needs. So you order 20,000 a month, in hopes of getting 10,000. And a month comes along when the manufacturer does send you 20,000. What do you do? You turn the extra 10,000 over to a broker, who finds some other OEM who'll take them. In other cases, a broker has a buddy working for an OEM where the audit controls aren't very good, and they'll strike a deal where the OEM just happens to end up with a surplus that the broker can buy up for 10 cents on the dollar.
"Most of the gray market," continues Southard, "is legitimate, some of it is questionable, some of it is outright thievery--dealing in stolen property. And some of the gray market brokers, albeit very few, are honest-to-God stolen-property fences. Fortunately they're few and far between."
TRACKING DOWN STOLEN GOODS
Theft cases become increasingly difficult to follow when the stolen parts pass through many hands. In a 1979 Intel case, for example, 10,000 chips (valued at $100 each on the legitimate market) were stolen off the production line before they got to the testing stage (after which those that test out are stamped with Intel's name). The thief, John Jackson, also stole some printing plates from Intel and put the company's name on each 2732 chip.
The 10,000 chips passed through several companies in the U.S. and in Europe, ending up in the inventory of a German customer of Intel's that used the chips in teletype machines. Chips have a fallout rate of about 30 percent at testing, meaning that 30 out of every 100 don't pass the test and are scrapped. Naturally, 3000 of 10,000 stolen chips failed in the teletype machines and the German company attempted to make warranty claims against Intel. Intel asked to see the chips, checked its records, and found it hadn't sold the German firm any of the 2732s from the lot number used in the teletypes. Intel then did forensic tests on the chips and worked backwards to discover the tortuous course that the hot chips had followed.
But getting rid of stolen chips can be difficult. In the largest known chip theft in the Silicon Valley, Monolithic Memory was hit for $3,500,000 worth of chips. The theft wiped out 20 percent of Monolithic's inventory, causing havoc with the company's supply lines to its customers. The culprits transported the chips to Stateline, California, a little south of Lake Tahoe near the Nevada border. The theft was so well publicized and there was such a shortage of chips that the thieves had to sit on their booty until it cooled. They managed to make only one shipment to Texas while they were waiting, and most of the chips were recovered.
A number of pipelines have been set up to get the chips out of Santa Clara County. The pipelines east toward the Sierra Mountains are minor compared to the sluiceway that runs to Los Angeles, where a majority of original equipment manufacturers are located. Southard says that L.A. is also a shipping point for parts that go to Texas, the East Coast, Europe, and Southeast Asia. Many stolen parts "end up in Hong Kong or Taiwan and get fabricated into cheap-o copies of Apple computers that are then sent back here, complete with copyright violation, hot chips, and no warranty for the customer," says Southard. "Ironically, some of them end up right back here in Silicon Valley."
Cases of international theft are particularly difficult to unravel. Last year, security personnel of Signetics Inc. (a Sunnyvale, California, manufacturer of advanced design chips) and Los Angeles Police Department officers conducted the largest sting operation ever pulled off in the Silicon Valley. The setup involved a million dollars' worth of chips and took undercover officers from Signetics' manufacturing plant in Bangkok to a bogus electronics parts distribution business in Beverly Hills. Ray Vaden, corporate manager of safety and security for Signetics, thought the successful sting would probably slow down component theft a bit because such operations make potential thieves paranoid. "They don't know who's a cop and who's not," Vaden said.
But the thefts won't stop as long as increased orders for computers lead to shortages that invoke the old law of supply and demand. A chip can reach three or four times its normal market value if it's the only part that's holding up a manufacturer's shipment of computers. Then it's apt to be a case of cash on the barrel head, no questions asked.
COMPETITION OR CRIME?
Theft of computer components amounts to petty thievery compared to industrial espionage within the computer industry. A successful company on the brink of announcing a new product can literally be destroyed if a competitor has gotten behind its doors and slunk off with its research.
Certainly, stealing industrial secrets is nothing new. The practice is an inevitable spinoff of industrial competition and in today's computer industry, the stakes are high. A month's edge can mean the difference between ecstatic stockholders and Chapter 11 bankruptcy proceedings. Suppose, for instance, that International Widgets has worked for three years to develop an Apple IIe-compatible that features 64K bytes of memory, comes with a built-in dual disk drive, and sells for $200 less than an Apple with a single disk drive. The company will make a big splash on the market, especially if it comes up with a cute and marketable name like Crabapple.
But think about what would happen if, two months before the unveiling, Universal-Gimble Associates, across the way, comes up with an Apple IIe-compatible machine that has dual disk drives, costs $200 less than the Apple IIe starter outfit, features space-age design, including a 3-D monitor shaped like an inverted fishbowl, comes with 128K bytes of memory, and also has a cute name: Gumball XL. Just by coincidence, the innards of the Gumball are almost identical to the Crabapple, save for the additional memory. And also by coincidence, Universal's R&D department has three engineers who just happened to work for International Widgets a mere two years ago. Which computer would you buy? What would happen to International Widgets' stock? How would the company recover all the money it spent in R&D? Wouldn't the firm tend to be a little ticked off over the whole affair?
Some people do not like to call this theft. They prefer to call it competition. "If the law were to crack down on every idea that's left one Silicon Valley company and gone to another, we'd have to close the doors to the whole valley," says one wag who asked for anonymity. "That's where the ideas that make this valley run and grow come from. We're more inbred than a hillbilly family, and it's better if we stay that way."
But others disagree, and anyone trying to stop industrial espionage in the Silicon Valley faces a number of obstacles, especially because what people are stealing is less tangible and more easily transportable than computer components.
There is no doubt that the physical setup of Silicon Valley encourages the movement of personnel and secrets. In Palo Alto, to cite a single example, an employee of Varian can stand on Varian property and throw a Frisbee across the street to a vice-president of Hewlett-Packard who is standing in the front lawn of H-P's world headquarters. There's nothing to stop that Varian employee from taping the blueprints of a new Varian circuit board to the underside of the Frisbee before he sails it.
But a more common method of transporting secrets is simply to go to work for another company. In the Silicon Valley, opportunities for engineers are nearly boundless. Roughly 1300 electronics and computer companies operate in the valley, and the number will be substantially higher by the time you read this. During some periods 10 to 15 companies start up each month. The first thing a start-up company does, even before renting a building, is hire its corps of engineers, offering them more pay, more autonomy, and a chance to see their products produced. Talented engineers, especially if they're frustrated by slow-moving bureaucrats in the larger, more established firms, bounce around a lot and rarely stay with a company more than three years. Invariably, they leave with some secrets sticking to them.
With so much creative activity in such close geographical confines, the line between competition and plain old-fashioned theft gets hazy. It is inevitable that several people will have similar ideas and similar methods to realize them. It is difficult to prove that two similar ideas weren't just that, since trade secrets usually do not involve hard evidence, nor can they be copyrighted. "Whether designs themselves should be copyrightable has been a source of a lot of industry debate over the years," deputy district attorney Southard says. "In 1979 a House committee decided that they were not going to extend copyright protection to integrated circuit designs. That seems to be shifting a little bit, but that's a policy matter."
An added complication comes with reverse engineering, the strictly legal and common practice of buying the other guy's chip and tracing back just how he did it, adding your own twists, and making your own version. Reverse engineering is legal, Doug Southard explains, because "there's a substantive difference between somebody who enters your company without permission, takes your completed designs, and then immediately goes into production versus somebody who buys your chip on the open marketplace." In the latter case, he says, "you already had the lead in the market. They copy it, but it takes time and money to do it."
CATCHING THE THIEVES
Even when outright theft is involved, it isn't always worth following up. Some thieves are just disgruntled employees, according to Southard, who may have some grandiose notion of using the information but no real capacity for doing so. These unsophisticated thieves tend to be people not otherwise criminally involved, so law officers tend to be easy on them. As Southard says, "We don't ship them off to prison; prisons are for real criminals."
Some of the perpetrators who get caught are prosecuted, of course, but the thieves are hard to catch and the crimes difficult to prove. "Smarter crooks, no physical evidence, no trials," Southard explains.
FBI agent Chiaramonte also points up the potential frustration of tracking down and prosecuting a computer thief. He cites a case where an employee had been working for one of the major companies, then left and started his own company, only to be accused by his former employer of taking the technology with him. Months of investigation and court time revealed that he was authorized to have the information he had, and the charges were dropped. And even in cases that seem firm, prosecution can take years and the outcome be uncertain.
Not one law enforcement official contacted will attempt to guess the dollar value of the secrets that are stolen or that move around from company to company when employees change jobs in the Silicon Valley. Some companies are taking it upon themselves to protect their secrets from such piracy.
In the vanguard is IBM, a juggernaut within the industry. IBM has more than 350,000 employees, has spent more than $7.9 billion in R&D in a six-year period, and has factories and offices worldwide where information could easily get into the wrong hands. Yet despite its size and seeming vulnerability, IBM loses little. In a 1982 interview with the Wall Street Journal, Jack Bologna, head of a computer security consulting firm, put it this way: "Anyone in that position is going to get clipped once in a while, but IBM does a better job of protecting its assets than anyone making commercial computer equipment."
IBM uses a procedure it calls "selective protection of assets" to guard its secrets. Under this procedure, IBM managers concentrate on guarding the assets of greatest importance while at the same time maintaining reasonable vigilance over less sensitive material. One reason the system works is that IBM manages to instill a sense of loyalty in its employees so that they end up feeling that theft from the company would be an affront to themselves. The results sometimes seem extreme: the same Wall Street Journal article that quotes Bologna also cites an instance where an employee of IBM turned in his son-in-law as a potential industrial spy. IBM investigated but declined to take any action; the son-in-law claimed that he had used only legal means of gathering information.
IBM's principal concern is to prevent leakage of classified information by former employees who go to work for other computer companies. The company keeps a list of such employees and their present whereabouts. IBM also expects an employee leaving the company to sign a statement certifying that all classified documents have been returned. Many employees admit that they take the statement seriously when they sign it because they were trained that way when they worked for Big Blue.
When IBM has reason to suspect espionage, its willingness to prosecute is legendary; the company once sued a small computer company because 66 of its 150 employees were former IBM people. IBM's case, eventually settled out of court, rested on the allegation that the small company had hired the 66 people just for their IBM secrets.
But not every engineer is a potential industrial spy waiting for the right offer. Despite the huge amounts of money readily available for the right secrets, most engineers are loyal and decent. "We've had cases where employees got hired by another company and innocently came across some designs that they knew definitely came from another company," Joe Chiaramonte says. "They've called us. Most of our tips come that way. When you look at the incredible potential for trade-secret theft, it is encouraging to find that there are still plenty of honest, concerned citizens out there in the industry. Our job would be impossible without them."
Most of us receive our education on international counterintelligence from the movies. A typical spy-versus-spy film is From Russia, With Love, in which James "007" Bond attempts to recover a stolen decoder while he tries to figure out whether it's SPECTRE agents or the KGB making the next attempt on his life. All the while, Bond is fighting to extricate himself from the crumpled sheets wrapped around him and the beautiful Russian spy who has been lured into this dangerous life by threats upon her family.
In reality, counterintelligence is much more like work: everything from spending hours in a library making Xerox copies of published research to shuffling papers to trying to get equipment past customs officers by disguising it as spare tractor parts.
The part of From Russia, With Love about the secret decoder is probably all that is accurate: much of U.S. counterintelligence these days does revolve around the theft of electronic goodies. And most of the goodies foreign powers and industrialists want are present in abundance in Silicon Valley.
What do foreign agents want, anyway? They want almost anything they can get their hands on--commercial computers that are a generation or two old (so that they can be taken apart and studied in order to bring a country's engineers up to date); information on military applications of computer networks developed by Lockheed or Fairchild; a new chip that would bring international competitors into the marketplace in time to take advantage of its release; a common 30K-byte chip that isn't yet in production in other countries.
Foreign agents use several standard methods to secure information or hardware and get it back to their homelands. Believe it or not, says FBI special agent George Mozingo, "a popular method available to gain technology is just the massive examination of publicly available material here in the United States." As an example, a 30K-byte chip that is on the Commerce Department's list of embargoed technology can be bought in any Radio Shack store for just a few dollars.
Additionally, many scientific conferences are sponsored by industry and the military at which state-of-the-art information can be gathered under the guise of scientific exchange of information. At such conferences, some industry spokesmen contend, a Soviet scientist can pick up technology information that goes far beyond the hardware his country has.
Foreign powers are also adept at recruiting agents within the U.S. military or industry. Recruitment usually involves the basic enticements of money, sex, and drugs, but some schemes are more complex. Under the counterintelligence practice of "false flag," Soviet agents, for example, pass themselves off as U.S. agents, approach a U.S. engineer, and convince him that they want to use him in a counterintelligence operation.
Perhaps the easiest method for a foreign power to get the goods is through high-tech transfer. In this technique, a foreign power that is on the restricted list of the U.S. Commerce Department contacts an unscrupulous businessman (often in West Germany) and offers to pay him well if he'll order certain hardware and then pass it through to the restricted country.
The Soviet Union relies heavily on reverse engineering to catch up with the U.S. To do this, it must acquire technology to examine, copy, and integrate into its designs. The U.S. can--and does--refuse to sell the materials to the Soviets, but they manage to get the technology by buying it from our allies in Europe or by buying it from European or American businessmen willing to ignore the embargoes set up by the U.S. Commerce Department.
The Export Administration Act of 1979 spells out what can and cannot be exported. Enforcement of this act falls under the jurisdiction of the Office of Export Enforcement (OEE) within the Department of Commerce. The OEE lacks certain law enforcement capabilities, so the U.S. Customs Service, through its Project Exodus, usually serves the warrants and makes arrests.
The export laws are sometimes comical, as in the case of the restricted 30K-byte chip that any 15-year-old can buy at Radio Shack. In a classic instance of overreacting to a potential danger, Project Exodus impounded Belle, a computer that plays chess. Kenneth Thompson, a scientist at Bell Labs and Belle's inventor, was taking the computer to the U.S.S.R. in June 1982. Belle had won the world computer chess championship in Linz, Austria, two years before. Thompson wanted only to display the computer in Moscow and had no intention of leaving it there, but it was confiscated because he had no export license for it. (The computer was later released; Bell Labs paid an $800 fine to get it out of the slammer.) Thompson stated that the only way the computer could be used militarily would be "to drop it out of an airplane. You might kill somebody that way."
Technology sales to Communist bloc countries must be approved by COCOM, a committee made up of NATO countries. Unfortunately for the U.S., the other COCOM member countries don't always see eye-to-eye with the U.S. when it comes to keeping hardware out of the hands of Communist bloc countries. A French computer company, for example, might get COCOM's approval for a big, fat computer order that the U.S. is too stubborn to let an American company fill.
A more interesting problem develops when COCOM members agree on a sale and a free-lancer waltzes in and closes the deal by pulling a high-tech transfer. A small knot of mostly German businessmen specializes in such scams.
Perhaps the best-known and most-sought-after of the transfer experts is Werner Bruchausen, who has been operating since 1979 through nearly 50 dummy and semi-dummy companies that order American computer hardware and then launder it through one company after the other until it reaches the Communists. The practice is a juggling act; all the transfers have been made by the time the investigators unravel the various leads, and the companies leading to Bruchausen may have already been dismantled and reassembled under different names in other countries.
Not all international computer espionage involves the Communist bloc countries, however. Caught with their hands in the Silicon Valley cookie jar in June 1982 were two of Japan's industrial giants, Hitachi and Mitsubishi. Among their targets was the IBM 3081 processor, which has the ability to process 40 percent faster than previous chips and thus effectively bypasses the need for add-on circuit cards.
The FBI said that both companies were working independently of each other. Both contacted a legitimate company to acquire information on the chip, and that company put them in touch with a computer consulting firm in Santa Clara that had been set up by the FBI to field such inquiries and turn them around.
The FBI worked with IBM, which provided secrets that the FBI could sell to the Japanese in order to set them up. The FBI collected $622,000 from Hitachi and $28,000 from Mitsubishi before closing the net. The FBI asserted that the sting in no way involved the Japanese government, nor did it involve high-ranking officials of Hitachi and Mitsubishi. It did, however, reveal the extent to which foreign competitors--even traditionally proper Japanese businessmen--are willing to go to get an advantage.
In the wake of the FBI/Hitachi case, many Silicon Valley officials are willing to admit that spying is widespread. "Industrial espionage is as common as jaywalking. More than 80 percent of all high-technology companies are being victimized every day," says Ira Somerson, an official of the American Society for Industrial Security.
FBI agent Mozingo thinks that as the industry grows, the problem of keeping foreign powers from getting access to what they want will increase. He sees the problem being compounded by the expansion of American manufacturing overseas, where counterintelligence is less pervasive. "It is easier for the Soviet services and their surrogates, as well as other services, to operate in third[-world] countries," Mozingo asserts. "Americans who work overseas are attractive targets for recruitment by foreign powers."
Where does all this leave the American high-tech companies in protecting their secrets?
THE MUSHROOM EFFECT
There is wide debate over whether the Silicon Valley, with assistance from local law enforcement officials, the FBI, and the Commerce Department, can protect what it owns as that technology becomes more and more valuable.
One question involves the greater vulnerability of computer parts and completed units once they leave the manufacturing plants and go out on the highways of the United States. During an interview earlier this year FBI special agent Joe Chiaramonte commented that mob-controlled hijacking was a growing possibility as computer companies become more common in the Northeast, where organized crime has a strong foothold. Even in California, which traditionally has not had problems with organized crime, Chiaramonte thought that hijacking might become increasingly common. As a safeguard, he noted, many California computer companies are now "wise enough to send dummy truckloads through."
Still, such precautions are not enough. Less than two weeks after the interview with Chiaramonte, a San Francisco news program reported that local police and FBI agents had arrested five Silicon Valley individuals who were selling stolen computer parts. The parts had been hijacked from a tractor trailer three months before and hidden away.
Even if individual companies can manage to thwart thievery within the Silicon Valley, the computer industry will be hard pressed to protect itself as it spreads beyond the geographical confines of the valley. There may simply be too many targets.