Tag Archives: employees

IP theft is becoming the new target for cyberthieves

Antivirus company McAfee and R&D company SAIC recently published a report entitled Underground Economies, a study of corporate IP theft. According to the study, many cyberthieves now see stealing IP as more profitable than credit card theft and identity theft. The report states:

In the past, cybercriminals targeted personal information such as credit cards and social security numbers, which were then sold on the black market. Now, these criminals understand that there is much greater value in selling a company’s proprietary information to competitors and foreign governments. For example, a company’s legal documents can fetch far more money than a list of customer credit cards.

The cyber underground economy has shifted its focus to the theft of corporate intellectual capital–the new currency of cybercrime. Intellectual capital encompasses all the value that a company derives from its intellectual property including trade secrets, marketing plans, research and development findings and even source code. For example, Operation Aurora, a targeted attack on Google and at least 30 other companies, represented a sophisticated attack designed to steal intellectual capital.

Some of the more interesting findings are:

  • Theft of corporate intellectual property is “the new currency of cybercrime.”
  • Some governments support or even conduct theft of trade secrets. Forrester Research estimates that corporate IP is twice as valuable as custodial data such as credit card information and customer and medical data.
  • Cloud-based services are not only a new target for cyber criminals, but also put extensive but inexpensive resources into their hands for carrying out cybercrimes.
  • Data breaches, or the credible threat of a data breach, stopped or slowed a merger, acquisition, or new product rollout at one fourth of organizations surveyed.
  • Yet only a quarter of organizations conduct forensic analysis after a breach or attempted breach.
  • Organizations reported that IP was most often leaked or stolen by their own employees.

Read the entire study here.

As an ironic side note, the day that this report was released, security researchers announced that McAfee’s own website has serious vulnerabilities. Read that article here.

Is Googling replacing programming?

In the past few years I’ve been interviewing students for job openings at my companies. Some students came from large, well-known universities while others came from small colleges. Some students had bachelor’s degrees in computer science while others had master’s degrees. One thing that many of these recent graduates had in common was that they couldn’t program competently.

I found that these graduating students were adept at finding code on the Internet. When I gave assignments to code a particular algorithm, I was seriously impressed with how quickly they were able to find the code online. When I asked them to modify the algorithm, they struggled. Also, testing and debugging code often seemed beyond their abilities. Many of them were unaware of debugging techniques that allow them to focus in on the problem, such as using breakpoints to isolate chunks of code or forcing conditions that cause certain code paths to be executed.

The art of commenting also seems to have been ignored in most computer science education programs as well as in many companies. In my companies, our coding standard requires that every routine, no matter how small, must have a header comment that describes the functionality of the routine, all input parameters, the output of the routine, and any other information that someone using the routine would need. Yet most programmers out of school, and many working in the industry, produce uncommented code that is difficult to understand, difficult to debug, and very difficult to maintain.

Can you imagine a medical program that didn’t teach how to stitch up a patient after surgery or use the latest CT scanner? University computer science departments need to take a serious look at the skills they’re teaching. At my companies, I now require prospective employees to sit down at a computer and write a program that works correctly according to a written specification, is fully commented, and is completely their own code. I hope that the percentage of graduates passing this test increases in future years.

Software trade secrets

The precise language that legally defines a trade secret varies by jurisdiction, as do the particular types of information that are subject to trade secret protection. In the United States, different states have different trade secret laws. Most states have adopted the Uniform Trade Secrets Act, and those that haven’t have laws that differ from it only in subtle ways.

There are three factors that are common to all definitions; a trade secret always has these three specific characteristics:

  1. It is not generally known to the public.
  2. It confers some sort of economic benefit on its holder, where the benefit is due to the fact that it is not known to the public.
  3. The owner of the trade secret makes reasonable efforts to maintain its secrecy.

With regard to software trade secrets, algorithms that are known to the public usually cannot be trade secrets, though some jurisdictions require not only that the information be public but that it be “readily ascertainable,” meaning easy to find. For example, a sorting algorithm found in a well-known textbook or in an application note on a high-traffic website is, or can be, known to the public and easily ascertained.

There must be an economic benefit, so a sorting algorithm that can be easily replaced with a well-known sorting algorithm with comparable results is not a trade secret. Similarly, if your company develops a program, perhaps as a side project, but does not sell it or incorporate it in any products, then it’s not a trade secret.

If the owner of the source code allows programmers to share code, or does not put notices of confidentiality in the source code, or does not take reasonable steps to ensure that employees do not take the code home with them, then that source code cannot be a trade secret. This third point is a particularly important reason to take precautions to ensure your software does not go somewhere it shouldn’t. Make sure your employees, investors, and partners sign nondisclosure agreements (NDAs). Make sure you have written policies about how to handle source code. And make sure you treat all individuals and companies equally. You don’t want to be in court, defending a trade secret, and have to explain why one “trusted employee” or “trusted friend” was allowed to take home source code while others were not. That doesn’t look like “reasonable efforts to maintain secrecy.”
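One of the “reasonable efforts” described above, marking proprietary source as confidential, is easy to let slip as a code base grows. Here is an added example (not code from the original post) of a small Python check that walks a source tree and lists the files that lack the confidentiality notice near the top, so the gap can be caught in a routine scan rather than discovered in court. The notice phrase, the set of file extensions, and the sample files it builds are assumptions constructed for this illustration; an organization would substitute its own notice text.

```python
"""Report source files that are missing a confidentiality notice.

Added illustration for the "reasonable efforts to maintain secrecy"
factor: every source file is expected to carry the notice within its
first few lines. Files that do not are listed so they can be fixed.
The marker phrase, extensions and sample tree below are assumptions.
"""
import os
import sys
import tempfile

# Assumed marker phrase; a real organization would use its own notice text.
NOTICE = "CONFIDENTIAL AND PROPRIETARY"
# Assumed set of extensions treated as source code.
SOURCE_EXTENSIONS = {".py", ".c", ".h", ".java", ".js"}
# The notice must appear within this many lines of the top of the file.
HEADER_LINES = 20


def has_notice(path, marker=NOTICE, header_lines=HEADER_LINES):
    """Return True if `marker` appears in the first `header_lines` lines of `path`.

    Inputs: path (str) to a text file; marker (str) phrase to look for;
    header_lines (int) how far into the file to look.
    Output: bool. Undecodable bytes are replaced rather than raising.
    """
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for _, line in zip(range(header_lines), fh):
            if marker in line:
                return True
    return False


def find_unmarked(root, extensions=SOURCE_EXTENSIONS):
    """Walk `root` and return a sorted list of source files lacking the notice.

    Inputs: root (str) directory to scan; extensions (set of str) which
    file extensions count as source.
    Output: list of paths relative to `root`, sorted, possibly empty.
    """
    missing = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1] in extensions:
                path = os.path.join(dirpath, name)
                if not has_notice(path):
                    missing.append(os.path.relpath(path, root))
    return sorted(missing)


def build_sample_tree():
    """Create a constructed sample tree and return its root directory.

    Output: str path of a temporary directory holding two marked source
    files, one unmarked source file, and one non-source file.
    """
    root = tempfile.mkdtemp(prefix="notice_check_")
    samples = {
        "core/sort.py": "# " + NOTICE + "\n# Copyright Example Corp\n"
                        "def sort(xs):\n    return sorted(xs)\n",
        "core/util.c": "/* " + NOTICE + " */\n"
                       "int add(int a, int b) { return a + b; }\n",
        "core/leaky.py": "def secret_scoring(x):\n    return x * 42\n",
        "README.md": "Build notes, not source.\n",
    }
    for rel, text in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


def main():
    """Scan the directory given on the command line, or the sample tree.

    Output: process exit status, 1 if any source file lacks the notice.
    """
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    missing = find_unmarked(root)
    for rel in missing:
        print("missing confidentiality notice: " + rel)
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run with no arguments to scan the constructed sample tree (it reports core/leaky.py), or pass a directory to scan a real checkout. The non-zero exit status lets the check sit in a build or pre-commit step so an unmarked file is caught before it is shared.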

Just how bad is IP theft, part 2

Last month I talked about a report from McAfee, Inc. that discussed the huge amount of intellectual property that gets stolen from companies. A new report from the Ponemon Institute confirms this data. According to this report, more than half of workers who are let go from their employers take confidential data and intellectual property with them as they head out the door.

Here are some interesting statistics from the report (we all love statistics):

  • 945 individuals who were laid off, fired or quit their jobs in the past 12 months were surveyed.
  • 59% admitted to stealing company data.
  • 67% used their former company’s confidential information to help get a new job.
  • 61% of respondents who disliked their company took data.
  • 26% of those who liked their company still took data.
  • 79% of those who took data rationalized it rather than call it wrong.
  • 24% claimed to still have access to their former employer’s computers after they left.

For more information you can read the Network World article.