Insider theft of intellectual property (IP): an insider’s use of IT to steal proprietary information from the organization. This category includes industrial espionage involving insiders.
Intellectual property: intangible assets created and owned by an organization that are critical to achieving its mission.1
1. While IP does not generally include individuals’ Personally Identifiable Information (PII), which an organization does not own, it could include a database that the organization developed that contains PII.
What if one of your scientists or engineers walked away with your most valuable trade secrets? Or a contract programmer whose contract ended took your source code with him—source code for your premier product line? What if one of your business people or salespeople took your strategic plans with him to start his own competing business? And possibly worst of all, what if one of them gave your intellectual property to a foreign government or organization? Once your IP leaves the United States it’s extremely difficult, often impossible, to get it back.
Those are the types of crimes we will examine in this chapter. Organizations in almost every critical infrastructure sector have been victims of insider theft of IP.
In one case of insider theft of IP, an engineer and an accomplice stole trade secrets from four different high-tech companies they worked for, with the intention of using them in a new company they had created with funding from a foreign country. In another, a company discovered that an employee had copied trade secrets worth $40 million to removable media,2 and was using the information in a side business she had started with her husband. In yet another, a large IT organization didn’t realize that it had been victimized until it happened to see a former employee at a trade show selling a product that was remarkably similar to the organization’s!
2. Removable media: computer storage media that is designed to be removed from the computer without powering the computer off. Examples include CDs, USB flash drives, and external hard disk drives.
When we began examining the theft of IP cases in our database we surmised that insiders probably stole IP for financial reasons. We were very wrong about that! We found that quite the opposite is true: Very few insiders steal intellectual property in order to sell it. Instead, they steal it for a business advantage: either to take with them to a new job, to start their own competing business, or to take to a foreign government or organization.
Another misconception about theft of IP is that system administrators are the biggest threat, since they hold “the keys to the kingdom.” Not according to our data! We don’t have a single case in our database in which a system administrator stole intellectual property, although we do have a few cases involving other IT staff members. However, keep in mind that we only have cases in which the perpetrator was discovered and caught; it is possible that system administrators are stealing IP and are simply getting away with it.
In fact, the insiders who steal IP are usually current employees who are scientists, engineers, programmers, or salespeople. Most of them are male. We checked the U.S. Bureau of Labor Statistics to determine if most of those types of positions are held by men, but the results, listed here for 2010, were inconsistent.
• 12.9% of all architectural and engineering positions were held by women.
• 45.8% of all biological scientists were women.
• 33.5% of all chemists and materials scientists were women.
• 26.2% of all environmental scientists and geoscientists were women.
• 39.5% of all other physical scientists were women.
• 49.9% of all sales and related occupations were held by women.3
3. ftp://ftp.bls.gov/pub/special.requests/lf/aat11.txt
We are not suggesting that you assume men are more likely than women to commit these types of crimes. On the contrary, we suggest that rather than focusing on demographic characteristics, you should focus on the following:
• Understanding the positions at risk for these crimes
• Recognizing the patterns and organizational factors that typically surround insider theft of IP incidents
• Implementing mitigation strategies based on those patterns
These types of crimes are very difficult to detect because we found that these insiders steal information for which they already have authorized access, and usually steal it at work during normal business hours. In fact, they steal the same information that they access in the course of their normal job. Therefore, it can be very difficult to distinguish illicit access from legitimate access.
Fortunately, we have come up with some good strategies based on our MERIT model of insider theft of intellectual property that we will detail in this chapter. The first half of this chapter describes the model at a high level. In the second half of the chapter we will dig deeper into the technical methods used in committing these crimes and mitigation strategies that you should consider based on all of this information.
The MERIT model describes the profile of insider theft of IP by identifying common patterns in the evolution of the incidents over time. These patterns are strikingly similar across the cases in our database. Unfortunately, we were not quite as lucky in creating our theft of IP model as we were in creating our insider IT sabotage model. While we found one very distinct pattern that was exhibited in almost every IT sabotage case, we could not identify a single pattern for theft of IP. Instead, we ended up identifying two overlapping models.
• Entitled Independent: an insider acting primarily alone to steal information to take to a new job or to his4 own side business
4. Most of the insiders who stole IP were male. Therefore, the male gender is used to describe the generic insider in this chapter.
• Ambitious Leader: a leader of an insider crime who recruits insiders to steal information for some larger purpose
The cases in our database split roughly 50/50 between the two models. The models have different but overlapping patterns: the Ambitious Leader model builds on the Entitled Independent model. This is good news, because our suggested mitigation strategies apply to both models.
In this chapter we will describe the patterns identified in both models, and will present mitigation strategies that use those patterns to your advantage.5 These techniques include a combination of automated and manual countermeasures. In addition, some are focused on protection of your most valuable information assets, while others are targeted at specific employees triggered by indicators that could suggest an increased risk of attack.
5. Material in this chapter includes portions of previously published works. Specifically, the insider theft of intellectual property modeling work was published by Andrew Moore, Dawn Cappelli, Dr. Eric Shaw, Thomas Caron, Derrick Spooner, and Randy Trzeciak in the Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications [Moore 2011a]. An earlier version of the model was published by the same authors in [Moore 2009].
For example, if you can identify your most critical assets, technical solutions such as digital watermarking,6 digital rights management,7 and data loss prevention systems8 can be implemented to prevent those assets from leaving your network. There are several drawbacks to these technical solutions, however. First of all, most organizations can’t or haven’t identified and located all of their most critical computer files. This can be an overwhelming task, particularly in a large organization. In addition, many of you have trusted business partners that legitimately move your critical files back and forth from their own networks to yours. Those types of environments can complicate use of those types of technologies.
6. Digital watermarking: the process of embedding information into a digital signal that may be used to verify its authenticity or the identity of its owners, in the same manner as paper bearing a watermark for visible identification (Wikipedia).
7. Digital rights management (DRM): a term for access control technologies that are used by hardware manufacturers, publishers, copyright holders, and individuals to limit the use of digital content and devices.
8. Data loss prevention (DLP) systems: refers to systems designed to detect and prevent unauthorized use and transmission of confidential information (Wikipedia). Also commonly called data leakage tools.
Because of the complexity of implementing a purely technical solution focused on critical assets, we also suggest targeted monitoring of employees or contractors who are leaving your organization. We found that most insiders steal intellectual property as they are leaving the organization, suggesting that it could be beneficial to watch their actions more closely, specifically those involving removable media, email, and other methods used in exfiltrating information.
We will provide suggested countermeasures throughout this chapter, and detailed technical information for the theft of IP cases in the section Mitigation Strategies for All Theft of Intellectual Property Cases at the end of the chapter. The bottom line is that unlike IT sabotage, where the goal is to catch the insider as he is setting up his attack—planting malicious code or creating a backdoor account—you cannot really detect theft of IP until the information is actually in the process of being stolen—as it is being copied to removable media or emailed off of the network. In other words, your window of opportunity can be quite small, and therefore you need to pay close attention when you see potential indicators of heightened risk of insider theft of IP.
We have some “good-news” cases that indicate that it is possible to detect theft of IP using technical measures in time to prevent disastrous consequences.
• An organization detected IP emailed from a contractor’s email account at work to a personal email account, investigated, and discovered significant data exfiltration by the contractor. The organization found the contractor was working with a former employee to steal information to start a competing business. Obviously, the stolen IP was extremely valuable, as the contractor was arrested, convicted, ordered to pay a fine of $850,000, and sentenced to 26 years in prison!
• After a researcher resigned and started a new job, his former employer noticed that he had downloaded a significant number of proprietary documents prior to his departure. This led to his arrest before he could transfer the information to his new employer’s network. The information was valued at $400 million.
• During an organization’s routine auditing of HTTPS traffic9 it discovered that an employee who had turned in his resignation had exfiltrated proprietary source code on four separate occasions to a server located outside the United States. Although the employee claimed the transfer was accidental, and that he had only uploaded open source information, he was arrested.
9. HTTPS traffic: HTTP traffic encrypted with the Transport Layer Security (TLS) protocol, the successor to Secure Sockets Layer (SSL). Auditing the content of such traffic requires an egress proxy that terminates the TLS session; the destination host and the volume of data sent are observable without decryption.
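The targeted monitoring of departing employees described above, and the three "good-news" detections (an attachment sent to a personal email account, a bulk download of proprietary documents before resignation, and an upload over HTTPS to a server outside the organization), can be combined into one triage routine. The following is an added example written for this page; it is not code from the book or from CERT. The HR feed, user names, domains, IP addresses, thresholds and log lines are all constructed for illustration, and the pipe-delimited log format is an assumed one that you would replace with your own DLP, mail-gateway, proxy and endpoint sources.

```python
"""Departure-window exfiltration triage over constructed log lines.

Events are only scored for users who have announced a resignation, which
mirrors the chapter's advice to watch departing staff more closely rather
than attempt to baseline every user against every critical file.
"""
from datetime import datetime, timedelta

# Constructed HR feed: user -> announced last day (hypothetical names).
RESIGNATIONS = {"jdoe": datetime(2011, 3, 15)}
WINDOW_BEFORE = timedelta(days=30)   # look back over the notice period
WINDOW_AFTER = timedelta(days=7)     # and a few days past the exit date

# Policy knobs (assumed values; tune them to your own baselines).
CORPORATE_DOMAINS = {"corp.example"}
PARTNER_DOMAINS = {"trusted-partner.example"}   # legitimate file exchange
UPLOAD_ALLOWLIST = {"198.51.100.10"}            # sanctioned external hosts
USB_BYTES_THRESHOLD = 100 * 1024 * 1024         # 100 MB written to removable media
BULK_DOWNLOAD_FILES = 50                        # files pulled from one repository

# Constructed log lines: timestamp|user|kind|key=value,...|bytes
SAMPLE_LOG = """\
2011-02-20T09:12:00|jdoe|email|to=jdoe@personal-mail.example,attach=3|2400000
2011-02-21T14:03:00|jdoe|usb|vol=E:,files=412|1900000000
2011-02-22T10:00:00|jdoe|download|repo=design-docs,files=118|820000000
2011-02-23T22:41:00|jdoe|https|dst=203.0.113.45:443,method=POST|640000000
2011-02-23T11:00:00|asmith|email|to=partner@trusted-partner.example,attach=1|50000
2011-02-24T11:00:00|asmith|download|repo=design-docs,files=3|6000000
2011-01-05T11:00:00|jdoe|email|to=jdoe@personal-mail.example,attach=1|100000
"""


def parse_line(line):
    """Split one assumed-format log line into a dict with typed fields."""
    ts, user, kind, detail, nbytes = line.split("|")
    attrs = dict(kv.split("=", 1) for kv in detail.split(",") if kv)
    return {"ts": datetime.fromisoformat(ts), "user": user, "kind": kind,
            "attrs": attrs, "bytes": int(nbytes)}


def in_departure_window(user, ts):
    """True only for users with a known last day, inside the watch window."""
    last_day = RESIGNATIONS.get(user)
    if last_day is None:
        return False
    return last_day - WINDOW_BEFORE <= ts <= last_day + WINDOW_AFTER


def classify(ev):
    """Return a finding label for an exfiltration-shaped event, else None."""
    kind, a = ev["kind"], ev["attrs"]
    if kind == "email":
        domain = a.get("to", "").rsplit("@", 1)[-1].lower()
        external = domain not in (CORPORATE_DOMAINS | PARTNER_DOMAINS)
        if external and int(a.get("attach", 0)) > 0:
            return "attachment to external personal address"
    elif kind == "usb" and ev["bytes"] >= USB_BYTES_THRESHOLD:
        return "large write to removable media"
    elif kind == "download" and int(a.get("files", 0)) >= BULK_DOWNLOAD_FILES:
        return "bulk download from document repository"
    elif kind == "https":
        host = a.get("dst", "").rsplit(":", 1)[0]
        if a.get("method") == "POST" and host not in UPLOAD_ALLOWLIST:
            return "upload to non-sanctioned external host"
    return None


def triage(log_text):
    """Map each departing user to the exfiltration findings in their window."""
    findings = {}
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        if not in_departure_window(ev["user"], ev["ts"]):
            continue  # not departing, or outside the watch window
        label = classify(ev)
        if label:
            findings.setdefault(ev["user"], []).append(
                (ev["ts"].isoformat(), label, ev["bytes"]))
    return findings


if __name__ == "__main__":
    for user, hits in triage(SAMPLE_LOG).items():
        print(f"{user}: {len(hits)} finding(s)")
        for ts, label, nbytes in hits:
            print(f"  {ts}  {label}  ({nbytes} bytes)")
```

Note what the routine deliberately does not do: the partner-domain exchange and the three-file download by the non-departing user produce nothing, and the January message to the same personal address is dropped because it falls before the notice period. That is the trade-off the chapter describes: because the insider already has authorized access to the data, the signal is in the timing and the channel, not in the access itself, so the window you can act in is short and should be the focus of attention.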