On January 31, 2013, the New York Times announced that it was a victim of a Chinese hacking operation in which the intruders had been on the news organization’s network for at least four months. A day later, the Wall Street Journal made a similar announcement. Papers carried the story with ominous warnings about the Chinese hacking menace and the threat it presented to US businesses.
Less than a month later, the cyber security company Mandiant released a report identifying a Chinese military unit as a major source for numerous hacks on US business networks, thus adding to the feverish reporting on the Chinese hacking threat.
In actuality, hacking of this type – where foreign hackers penetrate networks and stay there for long periods of time – is old news to the cyber security community.
For a number of years, leading experts have warned of this type of hacking, often referred to as Advanced Persistent Threats. APTs use zero-day exploits or malware that has yet to be discovered by anti-virus vendors, thereby making their detection using conventional means extremely difficult.
The Real Threat
Are APTs and other forms of hacking a serious threat to companies’ trade secrets and proprietary data? No question. But are they the largest such threat that companies face? The answer remains “no.”
Company insiders, not outside hackers, are involved in more than two-thirds of all cyber cases involving theft of intellectual property. Moreover, when there is intentional and malicious destruction of data, a corporate insider is frequently responsible.
Whether driven by opportunism, greed, a desire for revenge, or a combination of all three, these insiders exploit their positions of trust to obtain access to their organization’s most valued digital assets. Moles, opportunists, contractors and disgruntled IT and other employees – all currently pose a greater risk to corporate intellectual property than state-sponsored hacking and APTs, both in frequency and in damage caused.
Statistics only go so far in describing the severity of risk caused by this particular type of cyber threat. Real-life examples paint a more complete and persuasive picture. In the US, the Federal Bureau of Investigation (FBI) has doubled the number of trade-secret arrests in the last four years, and the overwhelming majority of those prosecutions involved insiders.
The Malicious Spy
On December 21, 2011, in the US District Court for the District of Indiana, defendant Kexue Huang was sentenced to seven years and three months’ imprisonment after his conviction on charges of economic espionage and theft of trade secrets.
The charges principally concerned the theft of trade secrets related to a commercial insecticide developed by Dow Chemical Co. in Indiana, where Huang, a Canadian national, worked as a research scientist from 2003 to 2008, when he was fired.
He admitted to stealing US$300 million worth of Dow trade secrets and delivering them to the People’s Republic of China and Germany through an intermediary. He used the trade secrets to conduct unauthorized research with the intent to benefit foreign universities that were instrumentalities of the PRC government.
Huang also admitted that, after he was fired by Dow, he went to work as a biotechnologist for grain distributor Cargill. Again, while employed by Cargill, he stole a trade secret involving a key component of a new Cargill food product, which he then gave to a student at Hunan Normal University in China. If there is such a thing as a serial malicious insider, Huang fits the bill.
At the time of Huang’s guilty plea, the head of the FBI’s field office in Indiana stated: “Among the various economic espionage and theft of trade secret cases that the FBI has investigated in Indiana, the vast majority involve an inside employee with legitimate access who is stealing in order to benefit another organization or country. This type of threat, which the FBI refers to as the Insider Threat, often causes the most damage.”
On August 29, 2012, Hanjuan Jin was sentenced to four years’ imprisonment for stealing Motorola trade secrets. She had been a software engineer at Motorola from 1998 through February 2007.
While on medical leave in 2006, Jin accepted employment with a Chinese competitor company, Sun Kaisens. She then returned to work at Motorola. At various times from February 26-27, 2007, Jin downloaded from Motorola’s secure internal computer network numerous proprietary technical documents and removed several documents and other materials from the company’s offices.
Also on February 27, Jin e-mailed her manager to give notice that she would be leaving Motorola immediately. The following day, she was arrested at Chicago’s O’Hare Airport after purchasing a one-way ticket to China. Police found her in possession of more than 1,000 electronic and paper documents belonging to Motorola.
In February 2010, Greg Chung, a former Rockwell and Boeing engineer, was sentenced to more than 15 years’ imprisonment for acting as an agent of the PRC and stealing trade secrets about the Space Shuttle, the Delta IV rocket, and the C-17 military cargo jet for the benefit of the Chinese government.
In a September 2006 search of Chung’s residence, FBI and NASA agents found more than 250,000 pages of documents from Boeing, Rockwell, and other defense contractors inside the house and in a crawl space underneath the house.
Among the documents were scores of binders containing decades’ worth of stress analysis reports, test results, and design information for the Space Shuttle. Chung also sent numerous engineering manuals to the PRC, including 24 manuals relating to the B-1 bomber that Rockwell had prohibited from disclosure outside the company and select federal agencies.
In March 2010, Michael Mitchell was sentenced to 18 months in prison and ordered to pay his former employer more than US$187,000. Mitchell had soured on his job at DuPont as a Kevlar® marketing executive, and ultimately he was fired for poor performance.
Before leaving, he downloaded numerous computer files with DuPont trade secrets and gave them to Kolon Industries, a South Korean competitor of DuPont’s Kevlar products with which Mitchell entered into a consultant agreement.
In this case, however, there may yet be a happy ending for the victim – or, at least, a not-so-unhappy ending. On September 14, 2011, a jury in the US District Court for the Eastern District of Virginia awarded DuPont damages in the amount of US$919.9 million. That civil judgment is on appeal.
On October 18, 2012, the US Department of Justice indicted Kolon Industries and several of its executives and employees for engaging in a multi-year campaign to steal trade secrets related to DuPont’s Kevlar products. The indictment seeks forfeiture of at least US$225 million in illicit proceeds.
The news is not all bad. A 2012 insider threat study by Carnegie Mellon University’s Software Engineering Institute examined fraud and illicit cyber activity in the US financial services sector. Among other findings, the study concluded that an average of 32 months elapsed between the beginning of the fraud and its detection by the victim organization, and that the insiders’ means were not especially sophisticated.
These findings suggest that companies are not particularly good at monitoring illicit cyber activity within their own networks, and that this deficiency is not due to the cyber skills of the malicious insiders. Thus, there is reason for optimism: If the insider cyber threat receives appropriate priority within an organization’s security and compliance hierarchy, there appears to be ample room for improved detection and prevention.
More practically speaking, what steps can companies take to reduce the risk of insider cybercrime? For a start, they can get better at profiling those employees most likely to commit such crimes.
According to CSO Magazine’s 2012 CyberSecurity Watch Survey, organizations that experienced cybercrime by an insider in the previous 12 months reported that 51% of those insiders violated IT security policies while 19% were flagged by a manager for behavior/performance issues.
Closer monitoring of employees exhibiting either of these two characteristics might thus help companies prevent or more quickly detect up to 70% of insider cybercrimes.
The FBI’s website provides a longer list of at-risk behavioral traits, including:
- unreported foreign trips
- seeking proprietary or classified information unrelated to work duties
- paranoia about being investigated
- disproportionate anger over career disappointments
Reducing the Risks
What can companies do? Here are some security suggestions:
- When an employee leaves an organization, voluntarily or involuntarily, strict termination procedures should be in place to ensure that all network access privileges are terminated immediately. While that may seem self-evident, it is remarkable how often it is overlooked or addressed too late.
- Detection and prevention efforts should not rely solely on monitoring at-risk employees. Companies also need effective, internal monitoring of their networks so as to better identify unusual or suspicious user patterns when they occur.
- Among other measures, IT security should use centralized, system-wide logging to track data access and transference generally, and implement strict access controls for all files and data centers containing trade secrets or other sensitive or proprietary data. Such logging is important not only to real-time monitoring, but also to historical investigations after an incident occurred.
- Log retention policies should ensure accessibility for a meaningful length of time (e.g., one month of logs immediately accessible and two years archived). Without the digital footprints provided by network logs, it can be virtually impossible for even the most skilled forensics investigator to reconstruct what happened and identify the real cause.
- All network logging devices should be configured to transmit to a centralized, secure location where the logs can be preserved, backed up, and securely archived. Rather than collecting logs from hundreds of network devices in different locations on a network, an investigator can instead go to one location where all the key data is collected and securely maintained.
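The monitoring and logging measures in the list above lend themselves to a concrete check. The Python script below is an added example, not code from the original white paper or from Kroll: it parses centralized data-access log lines and flags two of the signals the list calls for, activity from an account after the date its access should have been revoked, and a user whose daily document downloads far exceed that user's own historical norm. The log format, the field names, the user names, the HR termination feed and every log line are constructed for this example.

```python
"""
Added example (not from the original article): a small detector run over
centralized data-access logs to surface two insider-risk signals: events
from an account after its termination time, and a user whose daily
DOWNLOAD count far exceeds the median of that user's other days.
Log format, field names, user names and all log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median


def synth_day(user, day, n):
    """Constructed helper: n DOWNLOAD lines for one user on one ISO date."""
    return [f"{day}T{9 + i % 8:02d}:{(i * 7) % 60:02d}:00 {user} DOWNLOAD /r-and-d/doc-{i:03d}.pdf"
            for i in range(n)]


# Constructed sample log: "<ISO timestamp> <user> <action> <path>", one event per line.
# jdoe:   steady 4 downloads/day, then bursts of 80 and 70 on two consecutive days.
# asmith: steady 3 downloads/day, no burst.
# tlee:   access should have ended 2007-02-20 17:00, yet activity continues afterwards.
SAMPLE_LINES = []
for _d in ("2007-02-12", "2007-02-13", "2007-02-14", "2007-02-15", "2007-02-16"):
    SAMPLE_LINES += synth_day("jdoe", _d, 4) + synth_day("asmith", _d, 3)
SAMPLE_LINES += synth_day("jdoe", "2007-02-26", 80) + synth_day("jdoe", "2007-02-27", 70)
SAMPLE_LINES += [
    "2007-02-19T14:20:00 tlee DOWNLOAD /r-and-d/doc-007.pdf",
    "2007-02-21T08:05:00 tlee LOGIN -",
    "2007-02-21T08:06:30 tlee DOWNLOAD /r-and-d/doc-120.pdf",
]

# Constructed HR feed: the moment each departed account should have lost all access.
TERMINATIONS = {"tlee": datetime(2007, 2, 20, 17, 0, 0)}


def parse_log(lines):
    """Parse log lines into dicts; malformed lines are skipped rather than fatal."""
    records = []
    for line in lines:
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        records.append({"ts": ts, "user": parts[1], "action": parts[2], "path": parts[3]})
    return records


def post_termination_access(records, terminations):
    """Events from an account after its termination time: the revocation check."""
    return [r for r in records
            if r["user"] in terminations and r["ts"] > terminations[r["user"]]]


def bulk_download_anomalies(records, factor=5, min_count=20):
    """Days on which a user's DOWNLOAD count is at least `factor` times the
    median of that user's other days and at least `min_count` in absolute terms.
    The median, not the mean, is the baseline so a multi-day burst cannot
    inflate its own baseline and hide the second burst day.
    Returns a sorted list of (user, date, count, baseline)."""
    per_day = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["action"] == "DOWNLOAD":
            per_day[r["user"]][r["ts"].date()] += 1
    findings = []
    for user, days in per_day.items():
        for day, count in days.items():
            others = [c for d, c in days.items() if d != day]
            baseline = median(others) if others else 0
            if count >= min_count and count >= factor * max(baseline, 1):
                findings.append((user, day.isoformat(), count, baseline))
    return sorted(findings)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LINES)
    for r in post_termination_access(recs, TERMINATIONS):
        print(f"POST-TERMINATION  {r['ts']} {r['user']} {r['action']} {r['path']}")
    for user, day, count, baseline in bulk_download_anomalies(recs):
        print(f"BULK DOWNLOAD     {day} {user}: {count} downloads (median of other days {baseline})")
```

Both checks depend on the logs already being in one place with the user identity intact, which is exactly what the centralized logging and retention points above buy an investigator; the per-user baseline also shows why logs must reach back further than the incident window, since a burst can only be recognized against weeks of ordinary activity.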
This list of security suggestions is hardly exhaustive, and its intent is simply to provide a bit of practical advice for companies on how to minimize risk from malicious insiders. While hacking crimes involving China and other nations will continue to receive press coverage, organizations should not lose sight of the fact that insiders, not outside hackers, still pose the greatest risk for theft of intellectual property and other proprietary data on their networks.
About the Author
Michael DuBose is a Managing Director and Cyber Investigations Practice Leader for Kroll Advisory Solutions. This article was originally published as a white paper entitled “The Insider Threat” and was re-edited for clarity and conciseness.