Invisible Loot

As theft of intellectual property threatens more and more U.S. companies, they are scrambling to find effective security measures.

Cadence Design Systems Inc. is trying to recover $1.2 billion from former employees it says stole its intellectual property to build up the product line of a competing company, Avant! Corp., Fremont, Calif. Some telling pieces of evidence, according to a search warrant filed in Santa Clara County Superior Court, include electronic footprints that show an employee e-mailed six megabytes of source code to his private account before quitting to join Avant! Later, that source code, including typographical errors, appeared in a similar product marketed by Avant! "That source code is the central nervous system for every other product and service we put out. It took hundreds and hundreds of engineering hours and years to develop," says Smith McKeithen, senior vice president and general counsel for Cadence, a San Jose-based developer of chipmaking software. An Avant! spokesperson shrugged the suit off as a "marketing campaign" by Cadence over "nonproprietary" technology, adding, "We no longer sell that product anyway."

Julias Finkelstein, Santa Clara County district attorney, filed a criminal case against Avant! last year. Cadence, he says, "is the case everyone in industry is watching in terms of domestic industrial espionage."

The case drives home what intelligence and defense agencies, hackers, law enforcement, and security consultants have been shouting for years: High-tech espionage is a serious and growing threat to American businesses. More often than not, victim companies don't even know they've been hit, says Charles Palmer, manager of network security services, IBM Corp.'s Watson Research Lab, Yorktown Heights, N.Y. When businesses do catch intruders in their networks, they rarely report them. "When we do security audits for our clients, very few even realize we're tinkering around with their system.
We could be changing root passwords, sending messages to the system operator, scouring databases, and accessing mainframes, but no one in the technology departments says a word," he says.

Recent developments in law enforcement offer clues as to where white-collar crime is headed. The FBI, Secret Service, and metropolitan police forces are rolling out high-tech-crimes units at breakneck speed. A number of cooperative, multiagency groups such as the New York Area Electronic Crimes Task Force, headed by the New York office of the Secret Service, are springing up. And cases of industrial espionage now are being tried under a first-of-its-kind Economic Espionage Act enacted in October 1996.

The private sector is just as busy. Counter-espionage storefronts such as Quark Electronic Inc. now grace Manhattan's Third Ave. The technical-security-services market is growing 25.8% annually, from $3.7 billion last year to $7.3 billion by year 2000, according to International Data Corp., a Framingham, Mass.-based market research firm. Even the major accounting firms now peddle technical-security evaluations.

"Information has gone from paper to computers. The basic technology behind operating systems was never intended to be secure," says Michael Anderson, president and CEO of New Technologies Inc., a corporate-security and computer-forensics training firm in Gresham, Oreg. "Now, combine this with the Internet, which was developed with information access, not security, in mind, and you open up this insecure computer to an insecure worldwide network. It's the ideal environment to steal secrets."

In an era when time to market means everything, some manufacturers, particularly those overseas, are not above stealing valuable R&D, says Tim Gladora, acting chief of the FBI's Economic Counter Intelligence Unit. Although he declined to name them, Gladora says his unit has identified 23 countries that have engaged in economic espionage against U.S. businesses, 12 of which are most active.
The American Society of Industrial Security (ASIS) identifies China, Japan, France, Canada, Mexico, and England as the top foreign threats. Fortunately, American business leaders appear more aware of the threat. The ASIS survey found that 63% of respondents reported that they have some form of information-security policy in place.

Unfortunately, many business leaders still are ill-prepared to protect their intellectual property, says Jeff Van, author of a 1997 report, The Looting of America: Economic Security in the Information Age, and spokesperson for the Arlington, Va.-based Chemical Manufacturers Assn. (CMA). "American businesses are incredibly open with their information," he says. "Let me say this: U.S. businesses spend over $70 billion in R&D each year. The chemical industry spent $18.7 billion of that last year. That makes us a pretty rich target."

According to ASIS, high tech is the most frequent industry targeted, followed by manufacturing, then service industries, with a total intellectual property drain among them amounting to $250 billion annually.

Not surprisingly, one of the most open sources of information turns out to be the Web, a worry that sorely nags members of the CMA, according to Van. He says members of his organization are especially concerned about a proposal by the Environmental Protection Agency to place information that could include operating data of chemical manufacturers on a public Web site sometime next year. "While we're not actually talking about trade secrets per se, we are talking about sensitive business information that can include production processes. As an industry, we've spent millions of dollars developing innovative and creative ways of making our products," he says. "Giving away this information over the Web" gives away competitive advantage.
Last year, Internet connections surpassed all other points of vulnerability to data security, according to a recent joint report issued by the Computer Security Institute (CSI) and the FBI. This puts businesses in a quandary because the Internet also has become a valuable marketing and networking tool that most organizations can't afford not to use.

In the newly deregulated, $400 billion energy industry the key differentiation is level of service. The Internet is the only way to deliver, says Scott Gebhardt, president and CEO of PG&E Energy Services (PG&EES), the San Francisco-based deregulated spinoff of Pacific Gas & Electric Co. So PG&EES now is giving business customers Web access to their energy-usage reports so their clients can evaluate their own energy consumption and locate inefficiencies. "In terms of the Internet, there's no going back," Gebhardt says.

But the Internet has Debra Domeyer, PG&EES' chief information officer, worried about the integrity of online customer accounts and, more importantly, internal systems. Customers also are worried -- and for good reason. Data stored in the internal systems are even more valuable than usage reports on the Web because they house highly detailed plant and operating information on every one of PG&EES' business clients, many of whom compete with each other. "It goes beyond the confidentiality agreements of yesterday. Our clients are talking about firewalls and asking us how we're going to protect their information stored in our systems. That's why we have to wrap client information like this in a data safe," Gebhardt explains.

Because customers are more savvy about information security, security policy also has become an important competitive tool. Technology -- firewalls, virus scanners, encryption, and intrusion detection tools (all part of a comprehensive security software tool set) -- is only part of a strong security package.
Protecting data from insiders -- disgruntled employees, contract workers, and intruders -- is just as important and should be covered in written policy. "The biggest exposure to any organization is from what I call the knowledgeable insider -- anybody from a janitor to a vendor or an active or ex-employee," explains Steve Dougherty, director of information security for the Folsom, Calif.-based Independent System Operator, which controls California's largest power grid.

Many investigations into security breaches are startlingly similar to the Avant!/Cadence case, explains Bill Boni, director of information-protection services at PricewaterhouseCoopers LLP (PwC). This summer, for example, he investigated an incident in which a high-tech company lost critical development information on its next generation of product to a competitor at an estimated loss of $100 million. Secrets were carried out by employees on disks and hard drives, but they'd left an e-mail trail that Boni's team followed back to the competitor. Technologists and management of the victimized company "failed to identify their most valuable information assets -- the linkage between those new products and production processes," Boni explains. "There were no information-security measures to protect these."

With information spread out over thousands of databases, desktop personal computers, laptops, workstations, and servers, it's impossible to protect everything. So when developing security policy, Boni says, "Companies need to identify their crown jewels -- their most valuable information -- and wrap strong security around them."

Employees stealing secrets while employed or divulging secrets at future jobs make up the two greatest risks to intellectual property, experts say. But how can such data be protected from employees in an R&D environment without squelching creativity? In the Cadence case, for example, the R&D employees who left for Avant! had signed nondisclosure agreements.
Yet, says Cadence's McKeithen, open access to product information and collaboration with other engineers was a necessity if they were to do their jobs.

Before Gebhardt took the helm at PG&EES this year, he worked for PG&EES' strongest competitor, Enron Inc. Gebhardt says he and others like him follow a gentlemen's agreement not to divulge competitive information. As for his own employees, whom he calls "associates," Gebhardt says he'd rather err on the side of trusting them. "Every company I have worked with has had issues with employees taking competitive information with them when they leave," he explains. "But, to me, it's unpalatable to put our associates in a cloak-and-dagger environment. We need to keep the free flow of information to keep innovation alive."

Most information-security breaches boil down to thoughtless human error -- passwords taped under keyboards or employees succumbing to "social engineers" who con them out of passwords, says Michael Guidry, a former state trooper and founder of the Houston-based security consulting firm Guidry Group. For example, Guidry discovered that one of his clients had nearly lost an acquisition because the chief financial officer's computer monitor faced an outside window on the ground floor. "Getting ahold of corporate secrets is so easy," Guidry says. "All you have to do is look sincere and ask the right questions. Most people are so very honest, they don't stop to think you aren't like them."

He and PwC's Boni say a security policy should be drafted and regularly reviewed by a number of departments -- human resources, operations, building guards, information technology, even a member of the board. Empty conference rooms may contain live Ethernet jacks (direct connections into the network), some of which Gary Loveland, manager of PwC's Enterprise Security Solutions division, found completely unguarded in a client's conference room that opened to the street during renovations.
The guards, he says, were not at fault, because all they saw was an empty room.

As staff director of security awareness and training, Jenean Paschilidas serves as liaison between the Federal Reserve Bank of New York's many departments. She has learned she can't tell building security staff that Ethernet jacks are "hot" without getting a blank stare. "So I equate it to something they know, like protecting the gold in the vault," she explains. "Then I tell them that if a large transaction were interrupted electronically, it's just like stealing gold from the vault. Then they get it."

Chuck Best, director of learning systems for American Protective Services, a large contract guard service based in Oakland, sees the problem clearly. "How do you get someone who's paid $8 an hour to be savvy enough to catch a sophisticated cyber criminal? If a guard sees someone plugging into an Ethernet jack, they think, 'Well, they know what they're doing,' and they don't ask questions," he explains. "We're writing scenarios like this into our training programs."

Law-enforcement agencies also would like to see procedures for reporting information theft added to overall information-security policy. However, for obvious reasons of shareholder confidence and public image, most cases are not reported, says Christopher Malinowski, who heads the computer-crimes squad of the New York Police Dept. "Right now," he says, "we're trying to gain the trust of businesses so they feel comfortable reporting to us."

The FBI preaches a similar sermon. Only 22% of respondents to the CSI/FBI computer-crime survey have written policies for preserving electronic evidence, only 16% have conducted downstream-liability-risk analysis, and only 9% have a corporate Economic Espionage Act compliance program in place. In spite of these bleak statistics, Tim Gladura, acting chief of the FBI's counterintelligence unit, believes reporting may become more common, thanks to a recent court decision.
In a case being tried in Eastern District Court, Philadelphia, under the Economic Espionage Act, three Taiwanese defendants accused of trying to steal the formula to Taxol (a cancer-fighting formula belonging to Bristol-Myers Squibb Co.) will not be granted discovery that would reveal Taxol's formulation. In a preemptive move, assistant district attorney Richard Goldberg had filed a protective order to keep the material secret, which was upheld by the Third Circuit Court of Appeals.
