The CAD/CAM company thought it was protecting itself, having employees of the Indian outsourcing company that was debugging its source code sign non-disclosure agreements. But when a disgruntled outsourcing employee swiped a copy of the code a few years back and tried to sell it to the CAD/CAM vendor's competitors, the vendor found out that the NDAs were of little use when it came to prosecuting the alleged thief in India.
"They weren't worth the paper they were written on," says Nenette Day, an FBI special agent out of Boston who did double duty as both the case agent and undercover agent investigating this crime against software maker SolidWorks. "The employees would have had to sign the agreement with the Indian company, not the American one."
Day, who has worked in computer crime for 8 years and calls herself "a geek with a gun," told attendees at last week's CIO Forum that their companies need to do serious research about the laws of any country to which they outsource work.
CIO Forum is a unique conference during which IT vendors and 300 potential customers unite on a cruise ship out of New York City. (Other discussions at the event focused on topics such as identity theft and biometrics and grid computing.)
A handful of FBI agents were on board to consult with IT pros about cybercrime threats, a topic that FBI agents say companies are often reluctant to talk about.
As for protecting yourself when outsourcing to other countries, Day advises IT executives to assume that you have no legal rights. "It should not start with your understanding of American law," she says.
In India, for example, there is no theft of trade secret law, Day says. India does have an IT act, she says, but it is mainly focused on copyright violations.
Day says that despite the fact that "there was not a shred of evidence that we did not have" against the alleged SolidWorks thief, prosecutors in India have failed to convict the suspect and he continues to work. The FBI initially tried to lure the suspected thief out of India to simplify prosecution, but he was too smart for that, Day says.
Indian police nabbed the suspect in 2002 when he allegedly tried to sell the code to Day while she was undercover (she says he initially tried to sell the code for about $250,000, not realizing it was probably worth $300 million). Fortunately, she says, the original source code was recovered and copies were not believed to have been sold.
In the wake of that case, Indian software developers have formed a lobby to push for stronger intellectual property protection laws, concerned that companies won't outsource to India if they aren't better protected, Day says. Outsourcing firms, like the one SolidWorks worked with, have also tightened their own security policies considerably in recent years, she says.
Another thing to consider when outsourcing to other countries is not just whether there are laws to protect intellectual property, but whether the laws are enforced. "No criminal law exists if the police will not enforce it," she says, noting that the FBI received an unprecedented amount of cooperation from its counterpart in India on the SolidWorks case (after threatening to expose India's laissez-faire attitude toward the case).
Questions companies should ask when outsourcing to other nations, Day says, include the following:
* Can my company risk loss of this data?
* What are my liabilities if I do lose it?
* What are your notification requirements if you lose customer data? (She notes that if your data is encrypted, you might not have to report it missing.)
* Will the company you are outsourcing to go the distance if you need its help to chase down a criminal?
* How long could a prolonged legal battle in a foreign country cost? ("You could lose all your outsourcing savings there," Day says.)
"This is all risk analysis," she says. "We're not saying don't outsource. We're saying learn the risk points and add that to your analysis when choosing the country or company wherever you're outsourcing."
Mobile computing worries
Mobile computing is the other area of networking that has Day very concerned on the cybercrime front. This involves both stolen and lost mobile systems.
"Laptops. I don’t even know how to get on this soapbox and scream loud enough," says Day, citing third-party market research about tens of thousands of cell phones and portable computers being left in Chicago taxis during a six-month period last year.
"Universities, companies, government. Where could I not go and not tell you a story about the laptop that went missing and did not have the information encrypted."
Day points out that even the FBI encrypted its laptops when she joined 8 years ago. "And [at that time we were] behind the curve in every way electronically, except that," she quips.
It's "mind boggling" that information is being kept in the clear on portable devices and that companies aren't being held responsible, Day says. Though she says that companies are starting to pay the price, as a credit card processing company recently settled a compromised data case for big bucks.
Cases so far have mainly been civil ones, though she says criminal charges won't be far behind given the emergence of new data protection laws.
Day also discussed the dangers of cell phones, which she described as potential monitoring devices, given that so many have cameras and audio recording capacity on them. They can also threaten security by being tapped, through techniques such as someone asking to borrow your phone and downloading a tracking program, she says.
The FBI requires members to shed all electronic devices during certain of its top-secret meetings.
"We understand how easy these things are to compromise," Day says. "You might want to consider in your own company a no electronics area."
This includes devices such as iPods, which can be used to swipe info via "pod slurping," a technique that involves simply sticking an iPod into a USB port on a computer. "They don't even need access to the keyboard," she says.
Day urges IT pros to contact the FBI if their intellectual property is stolen, noting that even if criminal charges are brought against someone, civil charges can also be made.