Counter-Economic Espionage for Corporations | CloseProtectionHire

Security Intelligence

How state-sponsored and corporate espionage targets UK businesses. NCSC, MI5 guidance, Economic Espionage Act, legal framework, and counter-intelligence measures.

12 May 2026

Written by James Whitfield, Senior Security Consultant

In November 2018, the US Department of Justice indicted two members of China’s People’s Liberation Army (PLA) Unit 61398 on charges including economic espionage targeting US aerospace and satellite technology companies. It was not the first such indictment – the 2014 indictment of five PLA officers for economic espionage against Westinghouse, US Steel, and others had established the legal framework. What these cases made clear was that state-sponsored economic espionage against private corporations was not a theoretical risk. It was a systematic, resourced, and continuing programme.

In the United Kingdom, the equivalent picture was laid out by MI5 Director General Ken McCallum in an unprecedented joint press conference with FBI Director Christopher Wray in July 2022. McCallum described China’s economic espionage programme as the “most enduring” threat to UK economic security and named the technology, advanced manufacturing, artificial intelligence, quantum computing, and synthetic biology sectors as primary targets.

Economic espionage is not primarily a concern for defence contractors. It is a concern for any company whose commercial advantage rests on information that a competitor – or a competitor’s state sponsor – would find valuable.

United Kingdom

UK law addresses economic espionage through several instruments rather than a single statute:

Trade Secrets (Enforcement, etc.) Regulations 2018: Implementing EU Directive 2016/943 into UK law, these regulations define trade secrets, establish the conditions for lawful protection, and create civil remedies for unlawful acquisition, use, or disclosure. They do not create criminal offences.

Theft Act 1968: Information itself is not property under the Theft Act (Oxford v Moss [1979] 68 Cr App R 183), meaning a person who memorises confidential information and passes it to a competitor has not committed theft of the information. However, the physical or electronic medium containing the information – documents, files, storage devices – can be stolen. Computer misuse, where applicable, is addressed separately.

Computer Misuse Act 1990: Unauthorised access to computer systems and unauthorised modification of data are criminal offences under the CMA. Cyber-enabled economic espionage – accessing a target’s systems to extract trade secrets – falls squarely within Section 1 and Section 3 of the Act.

National Security Act 2023: The NSA 2023 created new offences including foreign interference (Section 13), which covers acts intended to interfere with the economic activity of a UK person or organisation where those acts are carried out for, or on behalf of, a foreign power. This extends the criminal framework beyond the Official Secrets Acts’ focus on classified government information.

United States

The US Economic Espionage Act 1996 (18 U.S.C. §§ 1831-1839) creates federal criminal offences for trade secret theft, with enhanced penalties where the theft benefits a foreign government or foreign instrumentality. Penalties include fines of up to USD 5 million per count and imprisonment. The Act has been used in over 100 prosecutions since 1996, with a significant acceleration from 2010 onwards as Chinese state-linked targeting of US technology companies became operationally documented.

The DEFEND Trade Secrets Act 2016 added a federal civil remedy for trade secret misappropriation, enabling companies to seek injunctive relief and damages in federal court without relying solely on state trade secret law.

State-Sponsored Vectors

Cyber Intrusion

NCSC’s Annual Review 2023 identified cyber intrusion as the dominant delivery mechanism for state-sponsored economic espionage against UK businesses. Specific techniques documented in NCSC and CISA joint advisories:

Spear phishing: Targeted emails designed to compromise specific individuals with system access. The FBI’s Internet Crime Complaint Center (IC3) reported that business email compromise and spear phishing accounted for the largest economic losses in its 2023 report.

Supply chain compromise: Targeting a less-secure supplier or technology partner to gain access to the primary target. The SolarWinds compromise (2020, attributed to Russian SVR by NCSC, CISA, NSA, and FBI in joint advisory April 2021) demonstrated the scale of access possible through a single supply chain entry point.

Living off the land: Using legitimate tools already present in the target’s environment rather than deploying detectable malware. NCSC’s advisory on Volt Typhoon (May 2023, joint with CISA, NSA, and others) described this technique in detail in the context of Chinese state cyber operations against critical infrastructure.

Insider Recruitment

The CPNI published analysis in 2020 showing that across 200 significant IP theft cases reported to it over five years, approximately 65% involved an insider – either a current or former employee or contractor. Of those, roughly a third involved recruitment by a foreign intelligence service, with the remainder being opportunistic self-motivated theft.

Recruitment typically follows a pattern:

  1. Identification of the target through publicly available information (LinkedIn, conference presentations, publications)
  2. Initial contact through a plausible cover (academic collaboration, consulting offer, conference introduction)
  3. Development of the relationship over time, establishing trust before making an explicit request
  4. The request, framed as low-risk (“just check if this information is available”, “can you confirm whether the specification has changed”)
  5. Progressive escalation of demands, sometimes supported by compromising material gathered during the cultivation

The CPNI’s “Know the Risk, Raise Your Shield” campaign materials include case studies drawn from documented recruitment operations that illustrate this pattern.

Academic and Research Exploitation

NCSC’s joint advisory with the FBI, CISA, and allied partners (2021) identified the academic and research sector as a primary vector for technology theft. Specific methods:

Visiting researchers and students: Placement of visiting researchers in university or corporate research environments to access pre-publication data. The NCSC’s guidance for universities and research institutions specifically addresses vetting obligations for visiting researchers from state-risk countries.

Joint research programmes: Research collaboration agreements that provide access to ongoing research data as a condition of funding. NCSC has advised UK universities to implement security reviews of joint research proposals with entities linked to state-risk countries.

Technology transfer and licensing: Technology licensing agreements that provide access to underlying research or IP beyond what is explicitly licensed. Due diligence on the licensing counterpart and careful scoping of information access are required.

Counter-Espionage Measures

Trade Secret Audit

A company that does not know what its trade secrets are cannot protect them or detect their theft. A trade secret audit covers:

  • Identification of information that meets the legal definition of a trade secret (confidential information with commercial value derived from its confidentiality)
  • Mapping of where that information is held (systems, documents, personnel knowledge)
  • Assessment of who currently has access and whether that access is necessary
  • Documentation of existing protections (access controls, NDAs, confidentiality obligations)
  • Identification of gaps

The audit creates the baseline for a counter-espionage programme and, in the event of a theft, provides the evidentiary foundation for a civil or criminal case.

Personnel Security

The National Security Act 2023 and the NPSA’s personnel security guidance both identify pre-employment screening as the primary counter-measure against insider threat. BS 7858:2019 (Screening of Individuals Working in a Secure Environment) provides the standard.

For roles with access to the company’s most sensitive information, enhanced vetting – equivalent to the government’s Developed Vetting (DV) standard – may be warranted. This includes in-depth interviews, financial checks, and third-party character references beyond the standard employment screening.

Ongoing personnel security – behavioural observation, financial stress indicators, unusual access patterns – is as important as pre-employment screening. The NPSA’s “Insider Risk” e-learning programme is available to UK businesses and covers the indicators and reporting protocols.

Access Control to Sensitive Information

Need-to-know access controls – ensuring that sensitive information is accessible only to those with a genuine operational need – are the primary information security measure. Over-broad access (granting all senior staff access to all sensitive systems because “they might need it”) is a consistent feature of organisations that suffer significant IP theft.

Technical measures include: role-based access control on sensitive systems, logging of access to high-value information, data loss prevention tools that alert on bulk copying or external transfer of sensitive files, and encryption at rest and in transit.
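
The logging and data loss prevention measures above, and the need-to-know principle they support, can be illustrated with a short detection sketch. This is an added example, not code from the original article; the log format, user names, file names, destination labels and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (timestamp, user, action, file, destination)
EVENTS = [
    ("2026-05-11T09:02:00", "alice", "read", "formulation-v7.pdf", "internal"),
    ("2026-05-11T22:14:05", "bob", "copy", "formulation-v7.pdf", "usb"),
    ("2026-05-11T22:14:40", "bob", "copy", "process-spec.xlsx", "usb"),
    ("2026-05-11T22:15:10", "bob", "copy", "supplier-pricing.csv", "usb"),
    ("2026-05-12T10:30:00", "carol", "copy", "process-spec.xlsx", "personal-webmail"),
]
# Constructed grant list: users entitled to the sensitive file share
GRANTS = {"alice", "bob", "carol", "dave", "erin"}
# Assumed labels for destinations outside the organisation's control
EXTERNAL = {"usb", "personal-webmail", "cloud-personal"}


def parse(events):
    """Convert ISO timestamps to datetime objects."""
    return [(datetime.fromisoformat(t), u, a, f, d) for t, u, a, f, d in events]


def bulk_copy_alerts(events, threshold=3, window=timedelta(minutes=10)):
    """Users who copied >= threshold distinct files inside one time window."""
    per_user = defaultdict(list)
    for ts, user, action, path, _ in parse(events):
        if action == "copy":
            per_user[user].append((ts, path))
    alerts = set()
    for user, copies in per_user.items():
        copies.sort()
        for i, (start, _) in enumerate(copies):
            files = {p for ts, p in copies[i:] if ts - start <= window}
            if len(files) >= threshold:
                alerts.add(user)
                break
    return alerts


def external_transfers(events):
    """Every copy whose destination is outside the organisation's control."""
    return [(u, f, d) for _, u, a, f, d in parse(events)
            if a == "copy" and d in EXTERNAL]


def unused_grants(grants, events):
    """Need-to-know review: entitled users with no recorded access at all."""
    active = {u for _, u, _, _, _ in parse(events)}
    return sorted(grants - active)
```

On the constructed data, the bulk-copy rule flags one user, the external-transfer rule lists four copies, and two entitled users show no access in the period, which makes their grants candidates for review.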

Legal measures include: robust NDAs with specific identification of what constitutes confidential information, exit interviews and enforceable post-termination restrictions on use of information, and prompt revocation of system access on termination.

Reporting and Response

If a company suspects it is the target of economic espionage:

NCSC: For cyber-enabled espionage, the NCSC’s incident reporting portal (available at ncsc.gov.uk) provides a channel for reporting. The NCSC’s Industry 100 programme embeds NCSC personnel in organisations to support cyber security. NCSC also operates a confidential advisory service for organisations with concerns about state-sponsored targeting.

MI5: MI5’s business advisory service (available through contact channels on the MI5 website) provides guidance to organisations that may be targeted by state intelligence services. The service is confidential.

Legal counsel: Before conducting any internal investigation, legal counsel should be briefed. An internal investigation that notifies the suspected actor, destroys evidence, or prejudices a subsequent criminal investigation is a common mistake with significant consequences.

For related coverage, see protective intelligence for executives and deception and social engineering security.

For state-sponsored research theft targeting academic institutions – NCSC/FBI/ASD/CCCS joint advisory 2021, NSI Act 2021 sensitive sector obligations, export control deemed export principles, and the campus security architecture that protects high-value pre-publication research – see our education and campus security guide.

Summary

Key takeaways

1. State-sponsored espionage targets private companies, not just governments

MI5's Director General Ken McCallum stated publicly in 2023 that China's economic espionage programme is the 'most game-changing' threat to the UK, targeting businesses in technology, energy, and manufacturing sectors. The target is not classified government information – it is commercial intellectual property that creates strategic advantage.

2. The insider threat is the highest-value espionage vector

An employee or contractor with legitimate system access requires no technical exploitation to steal trade secrets. The CPNI (now NPSA) insider threat statistics consistently show that the majority of significant IP theft incidents involve an insider – either recruited by a foreign intelligence service or acting for personal financial gain. Personnel security and access controls are the primary counter-measure.

3. Academic and research collaboration is an underappreciated vector

NCSC's 2021 joint advisory with the Australian Signals Directorate, Canadian CCCS, and US FBI specifically identified academic and research sector targeting as a primary vector. Joint research programmes, visiting scholarships, and technology transfer agreements have been used to access pre-publication data and patent-stage research.

4. Investment-based access requires due diligence on investors

Foreign direct investment that provides board representation or access to strategic information is a documented espionage vector. The UK's National Security and Investment Act 2021 introduced mandatory notification requirements for acquisitions in 17 sensitive sectors. Companies outside the mandatory notification sectors should still conduct security due diligence on any investor seeking information access.

5. Document what you have before you lose it

Companies that cannot articulate what their trade secrets are, who has access to them, and what systems hold them are unable to detect theft promptly or prosecute it effectively. A trade secret audit – mapping what constitutes the company's proprietary information, its value, its location, and its access controls – is the foundation of any counter-espionage programme.

FAQ

Frequently Asked Questions

Economic espionage involves the theft or misappropriation of trade secrets or commercially sensitive information, typically through covert or unlawful means. Competitive intelligence is the lawful gathering of publicly available information about competitors. The distinction matters legally: in the UK, economic espionage may constitute theft under the Theft Act 1968, computer misuse under the Computer Misuse Act 1990, or breach of confidentiality under common law. In the United States, the Economic Espionage Act 1996 creates specific federal offences for trade secret theft, with enhanced penalties where a foreign government is the beneficiary.

MI5’s corporate security guidance and NCSC threat assessments both explicitly name China and Russia as the most active state-sponsored actors in economic espionage targeting UK businesses. The US Director of National Intelligence’s Annual Threat Assessment (2024) adds Iran and North Korea. Sectors most commonly targeted: defence, aerospace, pharmaceuticals, advanced manufacturing, financial services, and energy technology.

The NCSC and FBI Counterintelligence Division identify five primary methods: cyber intrusion (spear phishing, supply chain compromise, zero-day exploitation); insider recruitment (cultivating or coercing an employee with access); academic and research exploitation (establishing research collaborations that provide access to pre-publication data); elicitation at conferences and trade events; and investment-based access (acquiring stakes in target companies to gain board-level intelligence access).

The UK does not have a single economic espionage statute equivalent to the US Economic Espionage Act 1996. Trade secret theft is addressed through a combination of the Trade Secrets (Enforcement, etc.) Regulations 2018 (implementing EU Directive 2016/943 into UK law post-Brexit), the Theft Act 1968, the Computer Misuse Act 1990, and the Official Secrets Acts. The National Security Act 2023 created new offences of foreign interference and espionage assistance that extend to economic targeting.

The immediate steps: preserve evidence without alerting the suspected actor; brief legal counsel and the company’s security function; contact the NCSC’s industry reporting line (for cyber-enabled espionage) or MI5’s business advisory service; do not conduct an internal investigation that may compromise a subsequent criminal or civil process. The NCSC and MI5 both have dedicated channels for corporate espionage reporting – using them early improves the outcome.