If you don’t think trade secret theft is a security issue that should be near the top of your radar, you aren’t paying attention to the news:
• Michigan couple Yu Qin (Chin) and Shanshan (Shannon) Du were found guilty in December 2012 of stealing trade secrets on hybrid car technology from General Motors to help develop such vehicles in China. The U.S. claimed Du, the ex-GM employee, copied the company’s private information on the motor control of hybrids and provided documents to her husband, Qin. Prosecutors accused Qin of using the data to seek business ventures or employment with GM’s competitors, including the Chinese automaker Chery Automobile Co. GM contended that the secrets are worth more than $40 million, prosecutors said. The defendants face a maximum sentence of 10 years and a $250,000 fine on each of the trade secret theft counts.
• A former senior software engineer pleaded guilty in October 2012 to downloading computer source code and other proprietary information related to the world’s largest derivatives exchange, CME Group’s futures exchange Globex electronic trading platform. Chunlai Yang was developing plans to improve an electronic trading exchange in China.
• Yihao “Ben” Pu was arrested in October 2012 and charged with stealing confidential information related to the Citadel Group’s electronic trading system. After the firm’s IT department questioned the large amount of data stored on his computer, Pu allegedly had a friend dump several hard drives into a sanitary canal. After recovering the computer equipment, investigators also allegedly found Pu’s plans to start a hedge fund in China. Pu has pleaded not guilty.
• In September 2012, Sixing Liu, aka, “Steve Liu,” 49, a citizen of the People’s Republic of China (PRC), was convicted of stealing thousands of electronic files from his employer, L-3 Communications, Space and Navigation Division. The stolen files detailed the performance and design of guidance systems for missiles, rockets, target locators and unmanned aerial vehicles. Liu stole the files to position and prepare himself for future employment in the PRC. As part of that plan, Liu delivered presentations about the technology at several PRC universities, the Chinese Academy of Sciences and conferences organized by PRC government entities. Liu faces up to 45 years in prison and nearly $2 million in fines.
• Hanjuan Jin was convicted in February 2012 of illegally possessing thousands of Motorola’s trade secrets on her computer and in other forms of digital storage. The woman was detained by federal agents as she tried to board a flight to Beijing on a one-way ticket. Prosecutors said Jin, a Chinese-born American, intended to pass the information to the Chinese military.
Whether it’s cars, paints, electronic trading systems or — worst of all — guidance systems for missiles, it seems no market is safe from insiders determined to steal electronic and paper-based secrets. These types of thefts, in many cases, can lead to cheap knock-offs of patented products and ultimately to the eventual dismantling of American companies — especially small businesses that may lack the resolve to fight back.
But these cases are only a drop in the bucket, according to Brett Kingstone, a one-time victim of trade secret theft turned vocal leader in the fight against it. “We are dealing with a situation where you have tens of thousands of wrongdoers every day and very few prosecutions and sentences,” says Kingstone, writer of The Real War Against America (available at Amazon.com), a book that details how his start-up company was crippled by the theft of trade secrets related to LED lighting.
“This is an absolute tidal wave of criminal activity, and we’re not even scratching the surface. We are literally having our nation systematically stolen out from under us,” Kingstone warns.
Kingstone tours the country touting the dangers of trade secret theft — particularly the threat posed by the Chinese. Former FBI agent James Laflin, another participant in Kingstone’s presentations, says that the PRC is “the country responsible for more than 80 percent of all counterfeiting and the likely culprit for most of the trade secret theft in this country.”
“It ‘feels’ as if there is more enforcement going on, and I think the FBI is doing its job, but in terms of actually putting these people in jail, we are falling short,” Kingstone says. “We need to be locking up these Chinese business executives whose companies regularly pirate American products. We should arrest them at trade shows in the United States and start parading them in handcuffs on TV, and trust me, they will get the message that the cost of stealing American intellectual property exceeds the benefits. Right now, they still have everything to gain and about nothing to lose by stealing our technology.”
Trade Secrets Defined
What is a trade secret, exactly? According to the law, a trade secret is information with independent economic value — like blueprints, chemical formulas, research and development, marketing strategies, and manufacturing processes — that the owner has taken reasonable steps to keep confidential.
In 1996, Congress passed the Economic Espionage Act to protect trade secrets from criminals and foreign governments in order to preserve the health and competitiveness of the U.S. economy.
The Theft of Trade Secrets Clarification Act of 2012 amends the Economic Espionage Act to apply the prohibition against the theft of trade secrets intended to be used in interstate commerce. Prior to this amendment, a trade secret was narrowly defined as “related to or included in a product that is produced for or placed in interstate or foreign commerce.”
“Economic espionage robs our businesses and inventors of hard-earned, protected research, and is particularly harmful when the theft of these ideas is meant to benefit a foreign government,” Assistant Attorney General Lanny A. Breuer of the FBI’s Criminal Division said in a statement regarding the General Motors theft case above. “The protection of trade secrets and all intellectual property is vital to the economic success of our country, and our leadership in innovation.”
What can American companies do to prevent this sort of theft? Ray Mislock Jr., former FBI special agent and DuPont CSO turned private consultant, recently outlined strategies to mitigate the risk at an ASIS Intl. educational session.
Mislock warned that, while a majority of cases involve the Chinese, trade secret theft is by no means localized to American multi-national companies. “This is not just about China — Russia and other countries are also involved,” said Mislock, head of Pamir Consulting LLC. “We are only just beginning to feel the first tremors when it comes to trade secret theft. The major earthquake hasn’t hit yet.”
How to Protect Your Trade Secrets
The first goal of creating an organizational policy for protecting trade secret should be to “find and protect the ‘crown jewels’ in an organization,” Mislock explained. The crown jewels can take many forms: it may be a business trade secret, such as a strategic business and marketing plan; it may be a technical trade secret, such as the hybrid car technology mentioned above; however, “not every trade secret is of equal value,” Mislock added.
Thus, the most important information — the most sensitive assets of your organization — must be protected first. To protect trade secrets, an organization needs both a tactical and strategic response, Mislock said. The tactical side comes down to your organization’s internal response to incidents and thefts — this response must include a full investigation, with subsequent litigation and referral to law enforcement. Part of this process involves organizational “due diligence” — that is, performing detailed background checks on partners, contractors, and of course, employees.
“I think we are all knowledgeable and capable of hardening our firewalls and protecting against hackers who are trying to steal customer lists or blueprints off the internet,” Kingstone says. “Obviously, we are all putting locks on our doors — some with keypads, some with swipe cards, some with biometrics — but the thing you really need to protect, the Achilles’ heel of all businesses, is the insider threat.
“Somebody who’s an employee has the keys to the kingdom — the swipe card, the door code, the registered fingerprint — that’s the person, the employee who has not been properly vetted, who can make 10 or 20 times their salary by stealing millions of dollars worth of information from your company,” Kingstone continues. “They can do it simply by putting it on a thumb drive that goes in their front pocket.”
First, organizations must have a detailed vetting process to weed out potential threats. “I hate to say it, but if you get a foreign exchange student who is fresh off the boat, he is working for the Chinese government — he was allowed to come here in the first place because he is working for them,” Kingstone explains. “We are playing politically correct — we don’t want to single out the Chinese. Well, when 80-year-old blue-haired ladies start stealing American technology secrets, I think we should start prosecuting and profiling them too. Instead, we don’t want to make anyone feel uncomfortable, so we put our entire nation at risk.”
Establishing a Program
A strategic response to trade secret theft must start with your organization’s senior leadership, Mislock said. That means getting full support and understanding from the C-suite and the board. From there, you as a security executive should spearhead a full trade secret protection policy — with the goal of educating all employees as to why the policy is needed and important; along with periodic evaluation for continuous policy improvement.
Here are Mislock’s first steps that you as a security executive can take to initiate a strategic trade secret theft mitigation plan:
• Identify the process owner: Who owns this process and will lead it in your organization — is it the CSO, general counsel, CISO or someone else?
• Establish a steering team: Representatives should include key organization departments, including legal, HR, compliance, audit, security, R&D and engineering and any other key company stakeholders.
• Establish senior-level oversight: This is a body of senior organizational executives who the process owner must report to on a regular basis about progress and policy changes as they become relevant.
• Clearly define roles: Every part of the company has a role in enforcing trade secret theft mitigation policies. “Many times companies have good policies and protection standards, but they haven’t really done the basic job of defining who does what,” Mislock said. “Every single person in your company has a role to play, and those definitions should be in writing.”
• Establish trade secret risk managers: Each business unit should have one. “It is imperative that the business leaders of a company understand it is their duty to protect trade secrets,” Mislock said. “If you relegate this to just one area of the company, it will not get done.” You need managers who are educated in what to look for, because they are the first people who will notice red flags and unusual behavior.
• Identify the crown jewels and protect them first: This was outlined earlier in this article.
• Establish a dedicated investigative team: The group should be aware of all threat analysis, and investigations should not be performed on an ad-hoc basis.
• Educate your employees: Establish a corporate or global-level education program. “There has to be a steady drip of education and awareness training of what is a trade secret and how the organization protects them,” Mislock said.
• Create a written policy: The policy should present an overview of trade secret protection requirements, and it should include crucial information such as: the definition of a trade secret, including how it is classified in the organization; why the policy is important to the organization; employee responsibilities (both incoming and outgoing); visitor management practices; and audit and compliance procedures — at a bare minimum. Most importantly, Mislock said, it should be clearly stated that employee compliance with the policy is a condition of employment.
• Deploy IT protection tools: The FBI warns of “international spies and hackers probing online security systems” as a major vehicle for trade secret theft. There is no ‘silver bullet’ IT tool, but data encryption is a must, Mislock said.
Protecting your company from the risk of trade secret theft is perhaps one of the most difficult tasks you can face as a security executive. All the experts warn that this is a constantly evolving process; thus, your continued vigilance is paramount to keeping it at bay.
Paul Rothman is managing editor of Security Technology Executive magazine. Connect with him on Linkedin at http://bit.ly/PaulRothmanSTE.