You’re working in Security Operations for a major chemical company when the General Counsel shows up at your desk and asks you to provide the following information about the company’s next-generation space-age polymer, commonly known as “transparent aluminum”:
- All documents accessed by a specific employee, “Allen Carey”
- Any documents that contain the name of a chemical compound known only by its code name, “transparent aluminum”
- A list of email messages that:
  - were sent by “Allen Carey”
  - include in the email subject field the words “transparent” or “aluminum”
  - include any attachments that were sent by “Allen”
  - include the names of the recipients that Allen communicated with
  - include how these email messages were sent, i.e. via Outlook Web Access, the Outlook client, etc.
- A list of the permissions that Allen has had on all relevant systems since development of “transparent aluminum” began in 2010, including:
  - Windows File Servers
  - Unix Development Servers
  - Exchange Email Servers
  - SharePoint Servers
- A list of all locations where documents or email messages that contain the term “transparent aluminum” were transmitted or taken
- A list of the permissions of the recipients of the messages Allen has sent and what they have done with the information they received from him
The General Counsel goes on to say that the company’s financial future depends on it. He doesn’t give you any other information, but apparently Allen Carey is suspected of selling the formula for this polymer to a group of individuals with ties to organized computer crime. He seemed like such a nice guy…
Before we get into the forensic requirements of these scenarios, it’s important to understand why protecting trade secrets is different from protecting normal business data. As most Security Administrators know, the protection of electronic data is a challenge for most companies. Protection of trade secrets presents even more of a challenge. While Security Administrators are usually very good at protecting ordinary business data, they usually don’t have the forensic tools either to proactively address discovery requests for information about trade secrets or to determine that a trade secret has been compromised. In addition, trade secrets are typically the result of years of research, marketing efforts and development, and usually incur a high cost. Examples of commercial trade secrets could be the formula for your favorite beer or the design schematics for the next generation iPhone. Federal trade secrets might include the plans for a new military intelligence device or a chemical compound used in the creation of a new aircraft.
From a legal perspective, trade secrets in the United States are protected by Federal laws and regulations. For example, the Economic Espionage Act of 1996 governs industrial espionage and trade secret theft. These laws were developed to promote economic security and protect innovation so that companies can develop products with the assurance that the government will intervene if important intellectual property is compromised. According to the Economic Espionage Act, a trade secret has three parts: 1. information, 2. reasonable measures taken to protect the information, and 3. something which derives independent economic value from not being known. While the courts are busy trying to interpret what the second component, “reasonable measures,” actually means, Security Administrators must develop electronic forensics, entitlement management, and control plans, and architect their security instrumentation accordingly.
Basically, the General Counsel wants a digital play-by-play for Allen Carey, reviewing every step that Allen took during his journey into computer crime. Although this scenario has been painted as hypothetical, it does occur, and has occurred, in a number of trade secret theft cases, including those identified below. Although the information included with each example is brief, the message is clear: trade secrets are a challenge to protect, and instrumentation must be available to monitor when trade secret theft is occurring. Some examples:
- United States v. Jin – In this case, while on Company A’s internal network, defendant Jin downloaded over 200 technical documents belonging to Company A.
- United States v. Pani – Pani, the defendant in this case, was employed by both Intel and AMD. Pani allegedly used his Intel issued laptop computer to download 13 Intel documents which were classified as “Top Secret.” Pani then copied the downloaded files to his external hard drive.
- United States v. Roberts and Howley – In this case, the defendant allegedly used his mobile phone to take 7 photographs of “Goodyear’s roll over ply-down device.” He then allegedly downloaded the 7 pictures to his personal email account and emailed the pictures to his work email account. The defendants then transmitted the photographs to other Wyco employees to be used to assist Wyco in constructing their own roll over ply-down device so that they (Wyco) could complete a contract with a Chinese tire manufacturing company.
- United States v. Zeng – The defendant, Zeng, was a chemist for International Paint. He had access to an epoxy-based intumescent fireproofing material. He allegedly downloaded the formula for this material and printed it out. He also emailed people in China with the goal of forming a chemical company to develop and sell chemicals, including the identified fireproofing material.
Based on these actual cases, it’s clear that Security Administrators cannot rely solely on native tools or on products which provide a false sense of security about preventing data theft. Theft occurs via email, printing, mobile phones, cameras, and external media – no product alone will provide absolute prevention.
So, with these cards clearly stacked against the IT department, what should companies do to protect the most valued of valuable data, specifically their trade secrets? How should Coke protect the formula for Coke? How should McDonald’s protect their special sauce? How should Apple protect their designs for their new iPod or iPad? How should your company protect what it considers the most important data that it owns? This type of data theft affects the brand and ultimately results in economic loss to the company.
In my next blog I’ll address the General Counsel’s requirements and demonstrate how forensics investigations are easily achieved using Varonis DatAdvantage and DataPrivilege.