Source: Mark Chaplin, Principal, ISF
16 May 2019
Don’t forget to delete – These were specific and unambiguous instructions discovered in one of many email messages exchanged between co-conspirators in a two-year campaign to steal trade secrets from the global conglomerate General Electric.
Details revealed in an indictment unsealed by the US Department of Justice in April 2019 describe the activities of Zheng Xiaoqing (a former GE engineer) and Zhang Zhaoxi (a business partner) during the period March 2016 to August 2018. The indictment includes 14 counts of economic espionage and charges both with stealing GE trade secrets relating to the design and manufacture of gas and steam turbines.
The indictment provides a fascinating insight into the intentional planning and execution of intellectual property theft and demonstrates what is at stake for many enterprises competing on the global stage.
Stolen IP referenced in the indictment includes different categories of trade secret associated with every stage of GE’s gas and steam turbine operations, including specification, design, build, test and manufacture. In particular, the charges reference the unauthorised disclosure of technology and material specifications; design and equipment drawings; technical data and schematics; process specifications; manufacturing methods; testing/inspection parameters; test machine drawings; test rig designs; finishing parameters; and quality standards.
The charged individuals appeared to apply textbook methods of espionage, in an attempt to conceal activity from GE and hide information being stolen. These methods included:
- downloading information containing IP to a local computer
- encrypting information (using unapproved encryption software)
- storing information in a staging area (e.g. a temporary folder)
- compressing files multiple times (e.g. zip.zip files)
- sending encrypted information to a personal email (and then transferring to email accounts hosted abroad)
- removing digital files from the organisation using physical means via portable storage media (e.g. USB sticks).
One less-common and advanced technique used to avoid detection was steganography. This technique, one worthy of a John le Carré novel, involves hiding information within a file to bypass basic security controls. In this case, the proprietary code was encrypted and then embedded in a digital photograph (NewYear.jpg), before being sent as an email attachment. Steganography is extremely difficult and costly to detect, representing a major challenge for organisations with significant amounts of secret and proprietary information.
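As an added illustration (not taken from the indictment or from ISF), the Python example below shows how a check on outbound attachments could flag two of the indicators described above: archives nested inside archives, and data appended after a JPEG's end-of-image marker. The function names, limits and sample bytes are assumptions constructed for the example; the page does not say how the data was embedded in NewYear.jpg, and content hidden inside the pixel data itself would not be caught by this check.

```python
import collections, io, math, os, zipfile
MAX_DEPTH, MAX_MEMBER = 5, 8 << 20  # recursion and size bounds against zip bombs

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext and compressed data approach 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in collections.Counter(data).values()) if n else 0.0

def zip_depth(data: bytes, depth: int = 0) -> int:
    """Number of zip layers wrapping the innermost content (0 = not a zip)."""
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return depth
    deepest = depth + 1
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.file_size <= MAX_MEMBER and not (info.flag_bits & 1):  # skip huge/encrypted
                deepest = max(deepest, zip_depth(zf.read(info), depth + 1))
    return deepest

def jpeg_trailer(data: bytes) -> bytes:
    """Bytes after the end-of-image marker (heuristic; empty for a clean file)."""
    if data[:2] != b"\xff\xd8":
        return b""
    i = 2  # walk header segments up to start-of-scan so embedded thumbnails are skipped
    while i + 4 <= len(data) and data[i] == 0xFF and data[i + 1] != 0xDA:
        i += 2 + int.from_bytes(data[i + 2:i + 4], "big")
    return data[i:].partition(b"\xff\xd9")[2]

def triage(data: bytes) -> list[str]:
    """Reasons an outbound attachment deserves analyst review (empty = none found)."""
    reasons = []
    if (depth := zip_depth(data)) > 1:
        reasons.append(f"archive nested {depth} layers deep")
    if trailer := jpeg_trailer(data):
        reasons.append(f"{len(trailer)} bytes after JPEG end-of-image, entropy {entropy(trailer):.1f}")
    return reasons

def zipped(name: str, content: bytes) -> bytes:  # one-member zip built in memory
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: JPEG marker skeleton (not a decodable image), random bytes, zip in a zip.
PHOTO = b"\xff\xd8\xff\xe0\x00\x04\xff\xd9\xff\xda\x00\x02\x12\x34\xff\xd9"
SECRET = os.urandom(4096)
NESTED = zipped("data.zip", zipped("notes.txt", b"constructed sample text"))

for label, blob in (("photo", PHOTO), ("photo+payload", PHOTO + SECRET), ("zip.zip", NESTED)):
    print(label, triage(blob) or "clean")
```

A high entropy value on the trailing bytes is consistent with encrypted or compressed content, which is why the finding reports it alongside the byte count.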
The investigation also revealed details relating to the recording of secret information in handwritten notes, photographs of documentation, setting up of companies, obtaining funding, gaining support from foreign government officials (including individuals with political influence), and even arranging visits to GE facilities.
Significant investment in research and design, development and production and the subsequent protection of trade secrets can reach billions of dollars for global enterprises. In the case of GE, their annual R&D spend over the last decade has averaged approximately $5 billion. Economic and corporate espionage puts this investment and subsequent revenue at great risk, only for organisations to lose out to a competitor or nation when going to market. According to the US Commission on the Theft of American Intellectual Property, the cost of trade secret theft could be as high as $600 billion.
Details of this case demonstrate the value of intellectual property to enterprises like GE and highlight some of the steps they take to manage such risks. Motivated and highly capable adversaries, who are intent on stealing high-value information assets, will use every technique possible, making such theft very difficult for organisations to detect and prevent. Where protection of intellectual property fails, an organisation’s final measure is incident containment and recovery.
A great deal of media coverage and governmental concern continues to focus on Chinese-based espionage (such as the IP Commission reports, recent statements made by FBI Director Christopher Wray and an executive order, issued by President Trump, aimed at banning the use of Huawei equipment in US networks). Despite this attention, business leaders who are competing in a global market need to take note. The reality of economic and corporate espionage is that the threat can emerge much closer to home, whether from organisations operating in a similar region or in the same industry sector.
Trade secrets provide organisations with independent economic value, meaning a competitive advantage is gained through restricting such information to a very limited number of people. To achieve this, greater levels of protection are vital if organisations are to remain competitive and successful.
While much of the attention given to cyber threats is focused on personal information and financial transactions, business leaders must not overlook the value and security requirements of their organisation’s high-value information assets.
“There is an increasing sense of urgency to protect the enterprise crown jewels.” – Financial Institution
Here are four critical steps for the board and 10 priority actions for the CISO, to tackle economic and corporate espionage and protect intellectual property.
Four critical steps every board needs to take today to tackle economic and corporate espionage
- Set direction and lead by example – Demonstrate the leadership’s position on the protection of intellectual property
- Support the CISO – Drive introductions and connections to ensure an organisation-wide and collaborative approach to intellectual property protection
- Promote a risk-based approach – Foster the use of proven and effective methods of managing intellectual property risk
- Demand assurance – that intellectual property risk is protected adequately.
The Information Security Forum provides a range of guidance and best practice for effective risk management, protection of technology and planning for future threat scenarios. Examples include:
- Threat Horizon 2021
- Securing Mobile Apps
- Managing BYOD Risk
- Protecting the Crown Jewels
- The Standard of Good Practice for Information Security 2018