For DuPont, Gary Min may have seemed a model employee. A research chemist at DuPont’s research laboratory in Circleville, Ohio, Min was a naturalized U.S. citizen with a doctorate from the University of Pennsylvania who had worked for DuPont for 10 years, even earning a business degree from Ohio State University with help from his employer. During that time, he had moved up the ranks within the company, taking on various responsibilities on research and development projects within its Electronic Technologies business unit. He specialized in the company’s Kapton line of high-performance films, which are used, among other places, in NASA’s Mars Rover.
But Min’s veneer of respectability began to crack on Dec. 12, 2005, when he told his employer he would be leaving his job. According to a civil complaint filed by DuPont against Min, a company search the next day revealed that Min had recently been an avid user of the company’s electronic document library, accessing almost 23,000 documents between May and December 2005, including more than 7,300 records in the two weeks prior to his giving notice. Alarmingly, Min had strayed from his area of specialization, rummaging through sensitive documents related to Declar, a DuPont polymer that competed directly with PEEK, a product made by Min’s future employer, Victrex.
With Min indicating he would relocate to a Shanghai office of Victrex, DuPont appealed to both law enforcement and the civil courts that it was worried its former researcher was absconding with a treasure trove of trade secrets for Victrex and perhaps other Chinese companies.
DuPont is not alone. The broad outlines of the Min case — his Chinese nationality, his links to companies operating in that country, and the broad scope of his attempted intellectual-property heist from DuPont — are in keeping with what the FBI says is an epidemic of state-sponsored economic espionage. By one estimate, there are as many as 3,000 front companies in the United States whose sole purpose is to steal secrets and acquire technology for China’s booming economy.
Welcome to the brave new world of enterprise security, circa 2007. It’s a world where the troubles of yesteryear — loud and stupid Internet worms and viruses such as MSBlaster, Sobig, or SQL Slammer — seem trivial. In their place are rogue insiders with legitimate credentials, armed with Trojans and rootkits controlled from afar that may lurk for years without detection, bleeding companies of sensitive information. It’s a world in which premeditated plunder of specific data, rather than the mere breaching of the perimeter, is the point of network intrusions. And that means companies, more than ever, must monitor and secure data to prevent it from falling into the wrong hands.
Higher value, freer flow
“This is a problem of the evolving value of data,” says Marv Goldschmitt, vice president of business development at Tizor, a data auditing and protection firm. “Data has taken on a value beyond what it originally had, and individuals don’t know how to deal with that,” he says. Moreover, the migration of almost all intellectual property and critical data to purely digital form, as well as the interconnectedness of corporate networks with each other and the Internet, stand in the way of discovering when data has been pilfered or that anything has gone awry, Goldschmitt says.
Security experts are painfully aware that clamping down on insider threats and data leaks is an order of magnitude more difficult than stopping malware. And while recognition of the data-security problem is spreading fast within enterprises, very few have taken steps to lock down their sensitive data and intellectual property.