How Airbus built a security system to protect itself from IP theft - that German and US intelligence undermined

Airbus built a comprehensive security auditing programme to protect its intellectual property from theft - yet even that couldn't stop the US and German intelligence agencies from stealing its secrets

Back in 2003, while Airbus was still in the tricky process of designing the A380, the world's largest commercial passenger airliner, its then security auditor Andrew Phillipou stood up at a security conference in London to explain how the organisation intended to keep its trade secrets secret.

Because the A380 was such a vast project, Airbus was involving third-party engineering and technology companies more than ever before in the design of key components, effectively extending its extranet across the whole world. This included suppliers based in Seattle, just a few miles down the road from its main rival Boeing, as well as in India, China and other parts of Asia not necessarily well-renowned for respecting intellectual property.

Before they could join the A380 programme, which promised lucrative returns for companies that got involved, suppliers had to prove that they took computer security seriously. And that's where Phillipou's team came in: it was their task to jet off across the world and audit prospective suppliers' systems, covering both technical IT security and physical security.

It was no box-ticking exercise: Phillipou's team uncovered data centres with great, big holes in the walls and companies with networks lacking even basic security, riddled with viruses and goodness-knows what else - and these were all high-tech companies where the management ought to have known better. His team even uncovered "black boxes" connected to the network of an Airbus satellite office, "with a very active secret service".

At the time when Phillipou was speaking, the automatic assumption would have been that he was referring to China. But following the Edward Snowden revelations, and their fallout, it could equally have been in the UK, US or anywhere in Europe.

Last week, German newspaper Der Spiegel revealed how the German foreign intelligence agency, BND, had helped the US National Security Agency (NSA) use surveillance stations on its territories to spy on technology companies.

"The Americans weren't just interested in terrorism; they also used their technical abilities to spy on companies and agencies in Western Europe. They didn't even shy away from pursuing German targets," revealed the newspaper.

Although the operation was uncovered in 2008, it wasn't until it was all blown into the open by NSA whistleblower Snowden that something was done about it.

And now, Airbus is threatening to sue the German government after a "closed" parliamentary enquiry had heard evidence that BND used its base in southern Bavaria, which it shares with the NSA, to eavesdrop on Airbus communications - potentially gleaning Airbus intellectual property in the process.

The industrial espionage conducted by US and German intelligence agencies was, according to a secret agreement between the two, focused purely on non-US and non-German companies - meaning that British technology companies, such as ARM, BAE Systems and Dyson, could also have been targeted. But Airbus has implied that it has more than just a vague belief that it may have been targeted.

"We are aware that as a large company in the sector, we are a target and subject of espionage," the company said in a statement to news agency AFP. "However, in this case we are alarmed because there is concrete suspicion of industrial espionage," it added. Furthermore, the German version of the press statement revealed that it had filed a "criminal complaint against persons unknown on suspicion of industry espionage".

According to reports, the US side of the surveillance installation supplied search terms on a weekly basis to their German counterparts, who would then seek out the information they requested. A total of 690,000 phone numbers and 7.8 million IP addresses were surveilled by the BND up until 2013 when Snowden exposed the operation.

As it happens, Airbus never did work out exactly what the black boxes that it discovered connected to the network of one of its satellite offices were doing, nor who planted them there, said Phillipou. However, if Phillipou has kept them as evidence, Airbus may soon find out.