Secure As A Fortress? Think Again.

The recent unsealing of a 14-count indictment by the U.S. District Court for the Northern District of New York accuses Zheng Xiaoping, a former GE senior engineer for steam turbine design in Schenectady, NY, and Zhang Zhaoxi, a Chinese national, of conspiring to steal GE’s proprietary design models and data, engineering drawings and material specifications for gas and steam turbines, configuration files and other turbine technology trade secret information. Zheng is accused of emailing and transferring files to his business partner in China to advance their personal business interests in two Chinese companies that develop turbine parts. According to U.S.-China Economic and Security Review Commission member Michael Wessel, “This is one of the most significant indictments involving China’s alleged theft of technology. The technologies involved in the indictment go to the heart of China’s deficit in turbine technology.”

While economic espionage counts carry a maximum sentence of 15 years in prison and fines of up to $5 million, and trade secret theft counts carry a maximum of 10 years in prison and a fine of up to $250,000, this does not account for the “millions of dollars” worth of compromised trade secrets that are now in the hands of competitors, nor for GE’s eventual loss of competitive edge in this industry. As the old adage goes, you can’t put the toothpaste back in the tube. The damage is done.

This sends a signal to companies who are trying to protect their trade secrets and, like so many other incidents, provides some lessons learned in the end. GE was not lackadaisical in its security approach. It required employees to sign proprietary information agreements and disclose inventions derived from working at GE, limited access to company systems and exercised monitoring, limited authorization to access systems containing proprietary data, restricted access to company property and required visitors to register, wear badges and be escorted, prohibited the use of USB drives, established a security perimeter, and educated employees on proprietary information requirements via training, employee handbooks, and various postings. What “sophisticated” techniques (as the indictment describes them) did Zheng use to fly under the radar and hide the theft? Zheng used steganography to implant trade secret data in an image of a sunset named “New Year.jpg”, transmitted the file to his personal Hotmail account, and is accused of transferring files to Zhang. Additionally, he used encrypted text and audio messages to inform Zhang of the use of GE’s trade secrets.
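The indictment does not say how the data was hidden inside the image, but one cheap, high-signal check a monitoring team can run over outbound or quarantined JPEGs is whether anything has been appended after the file's end-of-image marker. The parser below is an added example written for this article, not code from the case or from GE; it walks the real JPEG marker structure rather than searching for the first `FF D9`, because EXIF thumbnails carry their own nested SOI/EOI and would otherwise trigger a false positive. The sample files are constructed inline.

```python
from typing import Optional

EOI, SOS = 0xD9, 0xDA
NO_LENGTH = {0x01, *range(0xD0, 0xD8)}  # TEM and RSTn markers carry no length field

def find_eoi(data: bytes) -> Optional[int]:
    """Return the offset just past the EOI marker, or None if the bytes are not a
    well-formed JPEG. Segment lengths are honoured, so nested thumbnails are skipped."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker in NO_LENGTH:
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == SOS:
            # Entropy-coded data: FF is followed by 00 (stuffing) or D0-D7
            # (restart); any other value means the next real marker starts here.
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] not in (0x00, *range(0xD0, 0xD8))
            ):
                pos += 1
    return None

def trailing_bytes(data: bytes) -> int:
    """Bytes appended after EOI; -1 when the file is not a parseable JPEG."""
    end = find_eoi(data)
    return -1 if end is None else len(data) - end

# Constructed samples: a minimal JPEG, one with a nested EXIF-style thumbnail,
# and one with a payload appended after EOI (the shape a trailer check catches).
APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SCAN = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x00" * 32 + b"\xff\xd9"
THUMB = b"Exif\x00\x00\xff\xd8\xff\xd9"            # nested SOI/EOI inside APP1
APP1 = b"\xff\xe1" + (2 + len(THUMB)).to_bytes(2, "big") + THUMB
CLEAN_JPEG = b"\xff\xd8" + APP0 + SCAN
THUMB_JPEG = b"\xff\xd8" + APP1 + APP0 + SCAN
STEGO_JPEG = CLEAN_JPEG + b"PK\x03\x04" + b"constructed hidden payload bytes " * 4
```

A few dozen trailing bytes are often harmless padding from cameras or editors, so alert on a threshold (say, more than 64 bytes) or on an unparseable file rather than on any non-zero trailer; this check does not detect least-significant-bit embedding, which needs statistical analysis of the pixel data itself.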

Zheng first came to GE’s attention in 2014, when it was thought that 19,000 files had been copied. The content of the files couldn’t be determined in the investigation, and Zheng disclosed during interviews that he had deleted them, which GE could not confirm. In 2017, 400 encrypted files were saved on Zheng’s work computer, resulting in GE’s monitoring of his computers and the eventual discovery of the photograph. Potential conflicts of interest were also investigated by GE regarding Zheng’s aviation parts company in China, which he claimed was owned by him and his brothers. According to the affidavit, there was cause for concern about a conflict of interest, but “GE did not instruct Zheng that his interest in the Chinese company was unacceptable and Zheng was permitted to retain his GE employment.” Additionally, Zheng’s passport indicates that he traveled to China five times over two years.

This case highlights the importance of connecting the dots not only across a company’s ecosystem but throughout an employee’s lifecycle. In addition to breaking out the cyber magnifying glass to detect unusual activity on systems, the human element must also be closely monitored. For example, what types of hiring practices are used for candidates who will be involved with the company’s intellectual property? Are affiliations, both personal and business-related, examined prior to hire and again during the course of employment? What types of due diligence do companies perform, if any? Does a company have policies in place requiring disclosure of foreign travel? Does proprietary data reside on the devices that individuals travel with overseas? Are risk assessments conducted across an organization’s ecosystem on an annual basis, at minimum? While each incident on its own may not necessarily indicate an actual insider threat situation, collecting various data points of behavior may paint a different picture.