Data security in a global market

David Drab, principal for the Information & Content Security group at Xerox, said that companies are increasingly coming to the imaging giant looking for new ways to label sensitive information and track its flow among users in the workplace and throughout their supply chains.

Before joining Xerox, Drab served at the FBI for 27 years and observed, among other things, the flow of former KGB agents in former Soviet states into criminal organizations.

A good number of those intelligence experts were trained in the art of finding holders of sensitive corporate and national defense information and trying to liberate the data, he said, and many are likely employed in efforts to steal whatever plans they can sell to others for a profit today.

"This is why you have Wal-Mart hiring former government intelligence officers. It's not about spying so much as it's about identifying business risk and what is occurring with competitors in the global environment," Drab said. "These companies are creating separate entities from traditional security or IT security to allow management to identify people internally who might have access to high-level information or might be targeted by competitors or foreign entities."

Drab points to the 2001 indictment of two Japanese-born individuals accused of stealing research on Alzheimer's disease from the Lerner Research Institute (LRI) in Cleveland as proof of the need for enterprise counterintelligence.

One of the accused researchers subsequently pled guilty to charges of misleading investigators looking into the situation, while another, who returned to Japan to work for a quasi-government agency working on Alzheimer's research, was unsuccessfully sought for extradition to the U.S. to face trial.

Among the tools developed by Xerox to help trace the use of paper documents, one of the hardest data formats to track, are gloss marks and infrared stamps used to create a trail of evidence as to who might have accessed, printed and walked off with sensitive data when copies of any stolen documents are recovered.

Large companies like financial services institutions have also begun speaking publicly about the problem of international cyber-theft, saying that they are already working to deal with the problem.

At the Usenix Security Symposium held in Boston in August, Jerry Brady, global head of IT security at New York-based financial giant Morgan Stanley, outlined the threat of foreign attack as a current business reality. He specifically cited emerging activity in the Far East as worrisome.

"Sometimes the threats are coming from the governments themselves in different parts of the world," said Brady. "The people who want to harm us drives a lot about how we think of security awareness. We do a lot of monitoring and threat intelligence to tell who our adversaries are today and who they will be tomorrow."

When asked if the government has done enough to help companies like Morgan Stanley deal with the issue, Brady said that the firm's relationship with law enforcement officials has improved over the last several years, specifically around intelligence gathering regarding new threats.

However, he said that companies cannot rely on the government alone to watch out for their interests overseas.

"It's popular to pin this issue on the government, but we in private industry need to play an even bigger role in addressing the problem," said Brady. "Every time we go into a new country we have to do a risk assessment, every country has its own IP protections and concepts and we know that; we know the countries where ex-KGB Soviet Bloc resources have ended up, and where we need to be even more vigilant."