FBI Director Talks Cyber Espionage: Chinese Like “Drunk Burglar”


“[T]here are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese” -FBI Director

The pervasive threat that cyber espionage poses to American business is not a new topic on this blog — we have been talking about it for a few years. But you do not have to take my word for it; there is a “higher authority” on the subject. No, not that high! But the Director of the FBI is pretty high.

Here is the transcript of what FBI Director James Comey had to say about the Chinese cyber espionage efforts. If you follow the link at the bottom, you can watch the video of his interview:

“What countries are attacking the United States as we sit here in cyberspace?”

“Well, I don’t want to give you a complete list. But the top of the list is the Chinese. As we have demonstrated with the charges we brought earlier this year against five members of the People’s Liberation Army. They are extremely aggressive and widespread in their efforts to break into American systems to steal information that would benefit their industry,” said FBI director Comey.

“What are they trying to get?”

“Information that’s useful to them so they don’t have to invent. They can copy or steal to learn about how a company might approach negotiations with a Chinese company, all manner of things,” said Comey.

“How many hits from China do we take in a day?”

“Many, many, many. I mean, there are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese,” said Comey.

“The Chinese are that good?”

“Actually,” the FBI director replied, “not that good. I liken them a bit to a drunk burglar. They’re kicking in the front door, knocking over the vase, while they’re walking out with your television set. They’re just prolific. Their strategy seems to be: We’ll just be everywhere all the time. And there’s no way they can stop us.”

via FBI Director: Chinese Like ‘Drunk Burglar’ | The Weekly Standard.

 

What is Corporate Espionage, Industrial Espionage, Cyber Espionage, and Economic Espionage? The DOJ Explains …

Cyber Espionage - fact or fiction?


What is Cyber Espionage?

Corporate espionage, industrial espionage, and cyber espionage all generally mean the same thing: (1) intentionally targeting or acquiring trade secrets of companies to benefit any foreign government, foreign instrumentality, or foreign agent, (FBI) which means, in simpler terms, (2) espionage conducted to gain a commercial advantage (Wikipedia).

What is this not? This is not espionage to gain a national security advantage — it is to gain economic advantage. Of course, it could be argued that this is a distinction without a difference as an economic advantage could certainly help on national security matters as well, but that is going down too deep into the weeds. You need to understand the distinction.

I have been writing about cyber espionage for a while, and I have spoken about it at seminars where many people probably thought I was making that stuff up — you know, about the big bad conspiracy by foreign governments to steal valuable intellectual property from US businesses to give their countries’ businesses a competitive advantage.

But I have to admit, it is really nice to have validation from a reputable source — the United States Department of Justice.

An Example of Cyber Espionage

This week the news is abuzz about a lawsuit brought by the United States Department of Justice in the United States District Court for the Western District of Pennsylvania against five officers of the Chinese People’s Liberation Army: Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu and Gu Chunhui.

The Indictment charges the Chinese officers with six offenses:

  1. Conspiring to commit computer fraud and abuse (Computer Fraud and Abuse Act, 18 U.S.C. § 1030(b));
  2. Wrongful access of a protected computer for financial gain (Computer Fraud and Abuse Act, 18 U.S.C. §§ 1030(a)(2)(C), 1030(c)(2)(B)(i)-(iii), and 2);
  3. Wrongful transmission to damage a protected computer (Computer Fraud and Abuse Act, 18 U.S.C. §§ 1030(a)(5)(A), 1030(c)(4)(B), and 2);
  4. Aggravated identity theft (Identity Theft Act, 18 U.S.C. §§ 1028A(a)(1), (b), (c)(4), and 2);
  5. Economic espionage (Economic Espionage Act, 18 U.S.C. §§ 1831(a)(2), (a)(4), and 2); and
  6. Trade secret theft (Trade Secrets Act, 18 U.S.C. §§ 1832(a)(2), (a)(4), and 2).

The Indictment, based on an FBI investigation, alleges that from 2006 to 2014 the officers targeted six US companies (Westinghouse Electric Co. (Westinghouse), U.S. subsidiaries of SolarWorld AG (SolarWorld), United States Steel Corp. (U.S. Steel), Allegheny Technologies Inc. (ATI), the United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union (USW) and Alcoa Inc.), hacking into the companies’ computer systems and engaging in the following conduct (see DOJ Summary):

Westinghouse

In 2010, while Westinghouse was building four AP1000 power plants in China and negotiating other terms of the construction with a Chinese SOE (SOE-1), including technology transfers, Sun stole confidential and proprietary technical and design specifications for pipes, pipe supports, and pipe routing within the AP1000 plant buildings.

Additionally, in 2010 and 2011, while Westinghouse was exploring other business ventures with SOE-1, Sun stole sensitive, non-public, and deliberative e-mails belonging to senior decision-makers responsible for Westinghouse’s business relationship with SOE-1.

SolarWorld

In 2012, at about the same time the Commerce Department found that Chinese solar product manufacturers had “dumped” products into U.S. markets at prices below fair value, Wen and at least one other, unidentified co-conspirator stole thousands of files including information about SolarWorld’s cash flow, manufacturing metrics, production line information, costs, and privileged attorney-client communications relating to ongoing trade litigation, among other things.  Such information would have enabled a Chinese competitor to target SolarWorld’s business operations aggressively from a variety of angles.

U.S. Steel

In 2010, U.S. Steel was participating in trade cases with Chinese steel companies, including one particular state-owned enterprise (SOE-2). Shortly before the scheduled release of a preliminary determination in one such litigation, Sun sent spearphishing e-mails to U.S. Steel employees, some of whom were in a division associated with the litigation. Some of these e-mails resulted in the installation of malware on U.S. Steel computers. Three days later, Wang stole hostnames and descriptions of U.S. Steel computers (including those that controlled physical access to company facilities and mobile device access to company networks). Wang thereafter took steps to identify and exploit vulnerable servers on that list.

ATI

In 2012, ATI was engaged in a joint venture with SOE-2, competed with SOE-2, and was involved in a trade dispute with SOE-2. In April of that year, Wen gained access to ATI’s network and stole network credentials for virtually every ATI employee.

USW

In 2012, USW was involved in public disputes over Chinese trade practices in at least two industries. At or about the time USW issued public statements regarding those trade disputes and related legislative proposals, Wen stole e-mails from senior USW employees containing sensitive, non-public, and deliberative information about USW strategies, including strategies related to pending trade disputes. USW’s computers continued to beacon to the conspiracy’s infrastructure until at least early 2013.

Alcoa

About three weeks after Alcoa announced a partnership with a Chinese state-owned enterprise (SOE-3) in February 2008, Sun sent a spearphishing e-mail to Alcoa. Thereafter, in or about June 2008, unidentified individuals stole thousands of e-mail messages and attachments from Alcoa’s computers, including internal discussions concerning that transaction.

Does Your Business Have Trade Secrets?

If your business has trade secrets (and it does), you must protect them. To do this you need to take affirmative steps to identify those trade secrets and implement policies and procedures to protect them from disclosure, whether intentionally or unintentionally, by insiders and outsiders alike. I have made it easy for you to get started.

All you need to do is use this free guide that I prepared to walk you through the process and, of course, feel free to let me know if you have any questions along the way: Texas Business Guide: Identifying and Protecting Trade Secrets Under the (New) Texas Uniform Trade Secrets Act

 

 


About the author

Shawn Tuma is a lawyer who is experienced in advising clients on digital business risk which includes complex digital information law and intellectual property issues. This includes things such as trade secrets litigation and misappropriation of trade secrets (under common law and the Texas Uniform Trade Secrets Act), unfair competition, and cyber crimes such as the Computer Fraud and Abuse Act; helping companies with data security issues from assessing their data security strengths and vulnerabilities, helping them implement policies and procedures for better securing their data, preparing data breach incident response plans, leading them through responses to a data breach, and litigating disputes that have arisen from data breaches. Shawn is a partner at BrittonTuma, a boutique business law firm with offices near the border of Frisco and Plano, Texas which is located minutes from the District Courts of Collin County, Texas and the Plano Court of the United States District Court, Eastern District of Texas. He represents clients in lawsuits across the Dallas / Fort Worth Metroplex including state and federal courts in Collin County, Denton County, Dallas County, and Tarrant County, which are all courts in which he regularly handles cases (as well as throughout the nation pro hac vice). Tuma regularly serves as a consultant to other lawyers on issues within his area of expertise and also serves as local counsel for attorneys with cases in the District Courts of Collin County, Texas, the United States District Court, Eastern District of Texas, and the United States District Court, Northern District of Texas.

Corporate Espionage: Hacking A Company Through A Chinese Restaurant Takeout Menu

Photo Credit: country_boy_shane via Compfight cc


Corporate espionage (industrial espionage) is a favorite topic of mine. I have written and presented on the subject quite a bit and, while I am never sure how my readers react when I write about this, I do carefully watch the look on my audience members’ faces when I first mention the issue. The story their eyes tell is interesting.

The story of “why should I care about this?”

At first they usually have a glazed over look with no emotion or reaction — as if they are thinking “this is just another lawyer using fancy lawyer words but whatever he is talking about, it doesn’t apply to anything that I do” and they politely sit there feigning paying attention.

And then, I tell them about the cases where Chinese state-sponsored groups had “insiders” planted in companies like Motorola or DuPont to steal their proprietary trade secrets. Their reaction does not change — as if they are thinking “yeah, ok, whatever, my company is not Motorola or DuPont or anything like it — we are a small shop and nobody cares that much about what we have.”

And then, trying to get their attention with something they have heard about, I mention Target and the massive and expensive Target breach. Their reaction does not change — as if they are thinking “dude, why are you telling me this? My company is nothing like Target — we could barely even be a supplier to Target, why would anyone care about us?”

And then, I ask them if they have ever heard of Fazio Mechanical Services — knowing they have no idea of who that is.

Blank stares.

So I ask them to raise their hands if they’ve ever heard of Fazio Mechanical Services — and usually no one raises their hands but at least now they are listening …

So I go on to explain that

  • Fazio Mechanical Services is (or should I say was) a vendor to Target and that it was a breach of Fazio’s computer system through an email spear phishing attack that ultimately allowed the hackers to breach the Target system;
  • While no one may have cared about getting Fazio’s information, Fazio’s system was very valuable to the hackers because it provided an intrusion point into the Target system — which made attacking Fazio very valuable, strategically, to the hackers;
  • Hackers are smart and very strategic, and now that they have seen a great example of how effective using indirect methods, such as third-party vendors, to attack their primary target has been, they will likely do it again;
  • Even if they do not believe their company is a high value target to hackers, if one of their suppliers, vendors, or other business associates may be, it could be their system that is used to become that intrusion point to reach the high value target, and
  • If that were to happen, their business would likely be the next Fazio and they would probably be looking for new employment.

What does this have to do with hacking through a Chinese Restaurant Takeout Menu (website)?

This usually brings the abstract notion of “corporate espionage” to reality for them. I was reminded of this when I read a recent article in the New York Times titled Hackers Lurking in Vents and Soda Machines that provides a great explanation of how hackers use this indirect method of attack on their primary targets. Here are a few poignant quotes but you should read the whole article:

Unable to breach the computer network at a big oil company, hackers infected with malware the online menu of a Chinese restaurant that was popular with employees. When the workers browsed the menu, they inadvertently downloaded code that gave the attackers a foothold in the business’s vast computer network.

*   *   *

Hackers in the recent Target payment card breach gained access to the retailer’s records through its heating and cooling system. In other cases, hackers have used printers, thermostats and videoconferencing equipment.

Companies have always needed to be diligent in keeping ahead of hackers — email and leaky employee devices are an old problem — but the situation has grown increasingly complex and urgent as countless third parties are granted remote access to corporate systems. This access comes through software controlling all kinds of services a company needs: heating, ventilation and air-conditioning; billing, expense and human-resources management systems; graphics and data analytics functions; health insurance providers; and even vending machines.

Full Article: http://www.nytimes.com/2014/04/08/technology/the-spy-in-the-soda-machine.html?ref=technology&_r=0.

This is a serious problem — even your company needs to pay attention to it, even if no one in your company likes Chinese takeout.


 


Why is PNC Bank Accusing Morgan Stanley of Corporate Espionage and Trade Secret Theft?

You No Let Me Download

©2011 Braydon Fuller

I often write about corporate espionage and trade secrets but I bet some of you may still be trying to imagine real-world scenarios that demonstrate exactly what those terms mean and how they apply. Let me tell you a story and see if it helps it make more sense.

Let’s Talk About Your Business

Let’s say you have a business and you have some really valuable information that your employees use when they are working for your business — the most important of which is the list of your customers and all of the background information you have compiled on those customers. Because you know how valuable this information is, you have had your company’s IT department implement certain technological limits to keep people from downloading that information to USB drives, Dropbox, or emailing it to their Gmail account. You’re really thinking ahead of the curve in trying to safeguard your trade secret information and you’re feeling pretty proud of yourself. And, you should, because most businesses don’t go to such efforts to protect their valuable trade secret information.

Zig Ziglar had a saying about dishonest employees: “If a person is dishonest, I hope he is dumb. I’d hate to have a smart crook working for me.”

You, however, hired smart …

Now let’s imagine you had a pretty senior and high-ranking person in your company decide to leave to go work for one of your competitors where having your customer list (with all the extra information included) would be a great asset to them. And, you later come to believe, the competitor was actively trying to hire your employees and was trying to get them to take your trade secret information and bring it with them. You, however, have thrown a kink in their plans with your on-the-ball IT department’s information security practices. Or so you think.

Before telling you of her intentions to leave your company, this soon-to-be former employee still has access to your trade secret customer list from her computer and decides to access it on the system and pull it up for one last look. Can you imagine what she does next?

She whips out the trusty little smart phone and takes picture after picture after picture of all of the information on her computer monitor! She didn’t download it — she couldn’t. But she has it in several digital images on her mobile phone and when she goes out the door of your company, so too do your highly valuable trade secret customer lists.

Here Is The Real Life Case

This is a storified version of the allegations made by PNC Bank against its former employee, Eileen Daly, and her new employer Morgan Stanley in the case PNC Financial Services Group, Inc. v. Daly and Morgan Stanley, Inc. (Complaint) filed in the United States District Court for the Western District of Pennsylvania on March 14, 2014.

What makes this case (as alleged, anyway) a case of corporate espionage? Simple. It is one company trying to steal the valuable information of another company. It happens all the time. In this case it just so happened to be by an “insider” — a departing employee.

This is Clearly a Trade Secrets Case — But Could it Also Be a CFAA?

PNC sued the defendants for several causes of action, including misappropriation of trade secrets and unfair competition — exactly what you would expect in a case like this, right? It did not, however, sue them for “unauthorized access” in violation of the Computer Fraud and Abuse Act and, while I can think of several reasons why PNC may not have done so, it did get me to wondering if they could have. I mean after all, there have been much weaker CFAA cases filed in Pennsylvania District Courts.

What Does the Statute Say?

To violate the Computer Fraud and Abuse Act under the most lenient part of the statute, the defendant must “intentionally access[] a computer without authorization or exceed[] authorized access, and thereby obtain[] … information from any protected computer;” 18 U.S.C. § 1030(a)(2)(C). And here, the information could not be downloaded, even though attempted, sooooo …..

Was There an Access?

Maybe so. She did have to access the computer system to retrieve the information and pull it up on her computer monitor. The question of whether her access was unauthorized or exceeded authorized access has not been conclusively determined by the Third Circuit; however, the bulk of the district court cases tend to follow the Strict Access Theory of the Ninth and Fourth Circuits, under which it probably would not have been improper, though in the Fifth and Eleventh Circuits, under the Intended Use Theory, it may very well have been.

Was Information Obtained?

Yes, it was. The defendant took pictures of the trade secret customer lists — information — and kept those pictures on her smart phone. That sounds like the obtaining of information to me.

Was There a Loss?

I don’t think so. Without the “loss” there is no civil case unless there is “damage,” which is not very common. For the difference between the two, see Loss and Damage Are Not Interchangeable Under CFAA–District Court Blows Right Past CFAA’s “Loss” Requirement in Sysco Corp. v. Katz

The federal district courts in Pennsylvania are extremely strict when it comes to calculating the loss under 18 U.S.C. § 1030(g). Last year I handled the defense of a civil CFAA case in the Eastern District of Pennsylvania and thoroughly briefed two motions to dismiss that were heavily premised on the Pennsylvania district courts’ strict loss jurisprudence. (Here are the motions: Motion to Dismiss and Motion to Dismiss Amended Complaint) I convinced the plaintiff to dismiss the claims against my client with prejudice before the plaintiff filed a response or the court ruled on the motions, however, I remain very confident that the positions asserted in the motions were consistent with the courts’ standards on this issue and would have been successful. 

Under these standards, I cannot imagine how investigating the taking of pictures of a computer monitor could qualify as a “loss” or “damage” such as to get the case past 18 U.S.C. § 1030(g) and survive a motion to dismiss. I haven’t put a lot of thought into this, and am not saying it can’t happen, I just haven’t thought of how it would.

My guess is this is why the attorneys representing PNC didn’t bother throwing in a claim for violating the CFAA — well that, and, they probably didn’t see a need for it since they were already in federal court on diversity jurisdiction!


Read this explanation of cyber espionage and how it impacts YOUR company

www.shawnetuma.com

Combating Corporate Espionage

This morning I read an article that I am sharing because it is, in essence, a very high-level overview of the theme of the presentations that Jarrett Kolthoff, David Major, and I recently delivered at the Combating Corporate Espionage: Protecting Your Organization From “hackers, insiders & fraudster” seminar. The article is Blame game: Cyber espionage from SC Magazine and it is well worth reading. This stuff is real and you should be paying attention. Read the article.

We are planning to do another similar seminar early in 2014 so if you are interested in these issues–and you should be–please let me know and I will make sure you get an invite.

Here is my original post on the seminar that also contains a link to the Prezi slides: Combating Corporate Espionage Seminar – Prezi and a few thoughts

Combating Corporate Espionage Seminar – Prezi and a few thoughts

www.shawnetuma.com

Combating Corporate Espionage

Today I had the honor of speaking at the Combating Corporate Espionage: Protecting Your Organization From “hackers, insiders & fraudster” seminar with Jarrett Kolthoff and David Major. Jarrett is the CEO of SpearTip Cyber Counterintelligence; he and I have worked together quite a bit so he first impressed me long ago with the depth of his knowledge and abilities in the area of cyber security, intelligence, and counterintelligence. The work that he and his company do is truly amazing.

This was, however, the first time I met David Major, and to say that I was impressed by him would be a major understatement. He has been in the cyber intelligence/cyber espionage arena for decades and was Pres. Ronald Reagan’s chief advisor on these issues. What is more impressive, however, is that instead of fading off into the sunset he has stayed engaged for all of these years and continued to build upon his body of knowledge and expertise — you just don’t find people like this every day. #respect

David’s company, Ci Centre, maintains the database Spypedia, and it is one of the most comprehensive and up-to-the-minute accurate resources of information on cyber espionage that is available anywhere in the world. If you are truly interested in this space, you need to check it out because the information available is second to none.

Anyway, to the point – here is a link to the Prezi from my presentation on several digital information law issues dealing with corporate espionage and computer fraud, i.e., fraud 2.0: Combating Corporate Espionage – Data Breach! (and the law)  — as always, if you have any questions, please do not hesitate to let me know and, more importantly, if you see ways in which I can make this presentation better and more effective, please let me know because I will be speaking on this issue several times in the coming months.

Tomorrow I will again have the pleasure of sharing the stage with Jarrett and David while speaking on these issues at the 2nd Annual Dallas Institute of Internal Auditors Super Conference and I am really looking forward to it. What a week!