[ISN] The spies in the next cube

From: InfoSec News (isn@private)
Date: Mon Apr 25 2005 - 22:50:25 PDT


http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2005/04/25/BUGGLCDPUJ1.DTL

Birgitta Forsberg
Chronicle Staff Writer
April 25, 2005

When Shin-Guo Tsai gave notice of resignation from his job as a design
engineer at the Fremont semiconductor company Volterra on Feb. 15, he
allegedly told his manager that he was returning to Taiwan to get
married and that he didn't have a job lined up.

The story was a smoke screen, according to the FBI. Tsai, the agency
alleges, had downloaded information on Volterra products. The FBI
accuses him of using a private e-mail account to send some of the
information to a Taiwanese startup company that was recruiting him for
a job.

When Tsai announced his resignation, several co-workers told a manager
that he had been downloading company information.

On Feb. 25, Volterra's vice president of design engineering, David
Lidsky, and the FBI confronted Tsai, who allegedly admitted he had
sent proprietary information to the Taiwanese firm. Two days later,
FBI agents turned up at Tsai's home in San Jose late at night and
arrested him. He is out on bail.

Tsai's lawyer, John Robertson of Los Angeles, said his client's
actions did not involve industrial espionage.

"Our intention is to plead not guilty," Robertson said. "We plan to
contest certain of the allegations."

Cases like this are far from unusual. Experts say U.S. companies are
losing billions of dollars as a result of domestic and international
espionage.

When it comes to cross-border theft of trade secrets, there are more
foreigners spying on U.S. corporations than ever, according to Todd
Davis, an FBI supervisor in Sacramento.

"Corporate America ought to be darned worried," Davis said. "If you
are a major corporation with very sensitive technology, you have been
targeted. Somebody is spying on you right now."

When corporate spies come to America, they tend to flock to Silicon
Valley.

"We have prosecuted more theft of trade secret cases than any other
district in the country," said Christopher Sonderby, chief of the
Computer Hacking and Intellectual Property Unit of the U.S. attorney's
office in San Jose.

His computer hacking unit was founded as the country's first such
entity in February 2000. There are now 18 such units in U.S.  
attorneys' offices nationwide.

"Silicon Valley has more than 7,000 technology-based companies. It is
home to the largest concentration of technology expertise in the world
... and there is a substantial temptation for some businesses and
companies to acquire this technology by illegal means," he said.

Many thefts kept quiet

Davis estimates there have been about 20 to 30 cases in the past 10
years, including both domestic and cross-border industrial espionage
incidents. A lot of cases, however, are never reported because many
companies handle the incidents quietly to avoid publicity.

The FBI has a list of about 20 countries that actively spy on U.S.  
companies, according to corporate security consultant John Case, who
does not want to name any countries.

Davis acknowledges there is such a list, but he declined to mention
which countries are on it.

"Certain countries are doing their darnedest to gain economic
superiority, and we are the No. 1 target for all corporate and
international spying," Davis said.

He did mention China, without confirming that it is on the list.

"PRC, the People's Republic of China, has been accused of setting up
small firms" that act as front companies, he said.

In a written statement, the Chinese consulate in San Francisco denied
that the country engages in industrial espionage:

"A few people in the United States stiffly hold on to the Cold War
mentality and drum up the so-called 'China Threat Theory' by
fabricating stories about China stealing technologies from the United
States. All these allegations are baseless with ulterior motives.  
Their purpose is to use this to denigrate China and harm Sino-U.S.  
relations. Facts have proven that such attempts are doomed to fail."

Anne Rogers, vice president of marketing at the Information Systems
Security Association, noted that China is far from the only country
that has been implicated in corporate espionage.

"Some years ago, one of our biggest problems was with the French," she
said.

The French Consulate in San Francisco said its policy is not to
comment on industrial espionage matters.

Many of those charged with corporate espionage allegedly e-mailed
stolen information or stored it on their home computers, as if they
hadn't considered the possibility of detection.

"The Internet facilitates the commission of crimes, but it also
facilitates their investigation and prosecution by creating a robust
trail of electronic evidence," Sonderby said.

Some corporate spies apparently suffer from hubris.

"White-collar crooks have always thought they were smarter than
everyone else. But they'll make a little mistake somewhere, and you
can put a case together," said John Smith, a high-technology
investigator and security consultant.

Many companies take elaborate measures to protect the security of
their trade secrets. For example, Intel, the world's largest
chipmaker, requires employees to sign forms explaining procedures for
handling proprietary information. The company insists spying is not a
problem for it.

"This has not been an issue for us in recent years," spokesman Chuck
Mulloy said. "It is a testament to the controls we have in place,
which we have developed over many years. Companies that are immature
have fewer controls in place."

Pizza man not to blame

Experts say that company insiders are a much bigger problem than
someone hacking into the system from the outside.

"Seventy-five to 85 percent of all theft per se is done by an
insider," said Julie Snyder, president of the Silicon Valley chapter
of the International High Technology Crime Investigation Association.

Smith agrees.

"In all the cases I am aware of, a trade secret theft usually involves
an employee or a contractor or a person who has a legitimate right to
be on the company's premises. They are operating inside the company's
network firewalls, " Smith said.

Among the signals that should raise a red flag, Davis said, are
employees staying late at night, tours and delegations in which
visitors strike up a friendship with insiders, and outsiders who are
found in sensitive areas of a facility, such as network
administration.

"It will not be the pizza deliverer," Davis said. "It's real
engineers, and they infiltrate U.S. technology companies,
pharmaceutical companies and weapons contractors."

International travel raises special problems, experts say.

"Corporate employees who have foreign contacts and make frequent trips
overseas should be closely scrutinized," Davis said. "Some employees
think they can have safe conversations in their hotel room abroad.  
They are not aware that the hotel room is a target for the foreign
government."

Employees should be briefed before attending a symposium, whether at
home or abroad, to warn them of the hazards of disclosing information,
then debriefed when they come back, said Case, the corporate security
consultant.

"Ask them if someone tried to talk to them and what that person
asked," he said.

Background checks key

Most experts mention background checks as key. Not hiring the
potential spy in the first place is the absolute best way to keep out
of trouble.

"Ask their former employer if the persons are re-hirable. If they are
not re-hirable, that is a big clue," said Snyder said of the High
Technology Crime Investigation Association.

The ultimate question is whether trade secrets can truly be protected.  
It's an issue that security pros debate with a fervor that is almost
theological.

"Sure you can if you don't try to classify too much information as
secret and allow too many people in on the secret," Case said. "The
classical example is Coca-Cola with only a handful of people who know
the formula."

But Doron Ben-Atar, a history professor at Fordham University in New
York, disagrees.

"To protect secrets is a human fantasy. People can't protect secrets,"  
he said. "The U.S. was founded on piracy. Every branch of American
industry was pirated."

Ben-Atar argues that protecting a corporation's intellectual property
should be overridden by other concerns.

"The Third World can't let its people pay $20,700 for a drug against
leukemia when they can get it for $2,700," he said. "We shouldn't be
so self- righteous sanctimonious about it."



_________________________________________
InfoSec News v2.0 - Coming Soon!
http://www.infosecnews.org



This archive was generated by hypermail 2.1.3 : Tue Apr 26 2005 - 16:17:39 PDT