One thing that CME Group, the company that runs the Chicago Mercantile Exchange, wants to make perfectly clear is that it places a “high value on protecting its intellectual property and trade secrets.” That was the clear message from CME following the arrest of an employee for stealing company secrets.
But the details of the criminal complaint filed against 49-year-old Chunlai Yang, a CME Group employee, suggest that the firm – like so many before it – may have failed to translate that concept of a “high value” into concrete policies that actually protect its intellectual property. CME, the criminal complaint suggests, had only the barest internal controls over its core intellectual property and poor supervision of the access that developers like Yang had to the sensitive code and algorithms that were the crown jewels of CME’s electronic trading operation.
The revelations are a stark reminder that, behind industry buzz about “advanced persistent adversaries” and “sophisticated, nation-backed attacks,” is a lot of bad security: loose practices and ineffective tools that make even the most sensitive intellectual property low-hanging fruit for determined adversaries and rogue insiders.
As Threatpost reported on July 7, Yang, 49, downloaded “thousands of files” containing “source code and proprietary algorithms” used by CME to run its trading systems. The files were downloaded from a source code repository, IBM’s Rational ClearCase, that was maintained by CME, and were copied to removable “thumb” drives or, in at least one case, emailed to Yang’s co-conspirators in China.
CME began observing Yang’s activity in May and, with the help of the FBI, had terminated the man’s employment and had him arrested by late June. In a conversation with Threatpost, CME spokesperson Laurie Bischel declined to comment on why the company began monitoring Yang’s activity – whether as a result of an internal audit or after a warning from an external source. It’s also unclear how long the malicious activity may have been going on.
What is clear from reading the complaint is that internal controls at CME were inadequate to keep Yang away from “thousands” of sensitive documents unrelated to his work for CME.
Of course, the June 30 complaint, signed by FBI Special Agent Joanne Cullinan doesn’t say that. To the contrary, Cullinan goes out of her way to depict CME as an employer that took extra steps to secure its intellectual property from thieves and rogue employees like Yang. The company used a source code repository (ClearCase) that added “an extra layer of security.” (Translation: you had to enter your Windows password again.)
We also learn that CME flashed a warning message when its users logged on, reminding them that their system was “to be used for business purposes only” and that their activities could be monitored. The company deployed layered security of a sort: multiple written policies that employees had to read and agree to each year. Those policies specifically outlawed the kinds of things Yang was up to. One, the Employee’s Code of Conduct, told employees not to disseminate confidential company information. Another, the Information Security Acceptable Use Policy, specified that all internal documents should be considered confidential and prohibited employees from violating CME’s copyrights, trade secrets, patents or other intellectual property rights. Yang, we’re told, read and signed his consent to those policies every year. Phew!
That must have been comforting to CME. Unfortunately, what was missing at the $20 billion firm were actual controls that would have stopped him from taking the documents if he wanted to. Yang’s work as a senior software engineer in the Front End Systems Technology Department of CME’s Technology & Enterprise Computing Division gave him access to the company’s ClearCase server, but did not require him to have access to the sensitive application code and algorithms he stole.
Yang nevertheless had legitimate access to all the files on ClearCase that he stole, even though the CIO at CME admitted to the FBI that “he did not need access to them for his job performance.” True – keeping track of the permissions of one lone developer might have been difficult for IT staff at CME because, as we also learn from reading the complaint, fully one third of all CME’s employees had access to the ClearCase system – that’s almost 700 people. But CME would be stretching the truth if it said it couldn’t imagine an incident like this occurring – knowing, as the company must have, that ClearCase users had, more or less, free rein on its source code repository.
Admittedly, the company probably would have faced an uphill battle even if it wanted to implement more granular access policies for its users. Many source code management systems have roots that stretch back long before the advent of the public Internet, and long before “advanced persistent threats” and “rogue insiders” were the terms du jour.
ClearCase itself, which is now part of IBM’s Rational family of products, has a code base that dates back almost twenty years – Atria Software first released it as a Unix-based product in 1992. The consequence, say security experts: these systems can be difficult to manage and secure, especially across a development team as large as CME’s.
“RCS (revision control system) privileges are a pain to maintain, especially for large teams,” wrote HD Moore, chief security officer at Rapid7 and Chief Architect of the Metasploit Framework, a penetration testing product. “But ClearCase seems even more of a bitch to configure properly,” he wrote.
Some systems are better than others, Moore wrote, but many become difficult or impossible to manage across large teams, with overlapping directories and complicated, fine-tuned access policies.
CME, it turns out, put a lot of weight on Yang’s signature, indicating that he had reviewed company policy and consented to it, to keep him away from its core intellectual property. But, as we now know, Yang had no such loyalty to the company or to his word. In fact, evidence presented in the complaint, including e-mail messages, suggests that Yang – a naturalized U.S. citizen who was born and educated in China – was preparing to leave CME and set up a new company, East China Technology Innovation Park Co. Ltd., in mainland China, with himself and two other individuals listed as sole directors and shareholders. The purpose of the company, according to e-mail messages obtained by the FBI, was to increase the trading volume at the Zhangjiagang chemical electronic trading market and build a futures exchange using software provided by Yang’s new company.
In other words, CME’s policies – designed mostly to prevent good employees from doing stupid things – were utterly ineffective against a rogue employee interested in becoming CEO of a China-based competitor to the U.S. trading giant, using products based on CME’s own code.
As Threatpost’s Editor in Chief Dennis Fisher wrote last week, the lesson of this incident isn’t that “all is lost” when it comes to security. Rather, cases such as Yang’s are an opportunity for all of us to do damage assessment and also to identify what’s not working. What’s clear in this case is that CME – whose whole business rests on its innovative trading platforms – failed to accurately assess its own risk and vulnerability. Simply put: giving 700 employees access to your source code repository, and allowing some (or all) of those users unfettered access to files and projects that bear no relation to their jobs, is a recipe for disaster.
Hardly a “black swan,” Yang’s case would fit neatly with many others on Threatpost’s list of Ten Infamous Insiders, including Yonggang “Gary” Min at DuPont, Xiaodong Sheldon Meng at Quantum3D and Xiang Dong Yu at Ford Motor Company. All were accused – and found guilty – of stealing sensitive corporate trade secrets and passing them along to competing firms in China.
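As an added illustration (not part of the original article, and not a description of CME’s or ClearCase’s actual configuration), the following Python models the two controls this passage says were missing: scoping each engineer’s repository access to the components they actually work on, and flagging bulk or out-of-scope check-outs in a repository access log so that a “thousands of files” event is noticed before the thumb drive leaves the building. The user names, project names, assignments and log format are all constructed for the example.

```python
"""Added example: least-privilege scoping of a source repository plus a
detector for out-of-scope and bulk check-outs. Everything here is
hypothetical and constructed for illustration; it does not describe
CME's environment or any real ClearCase access-control mechanism."""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical mapping of engineers to the components they are assigned to.
# Least privilege: a user may only read paths under one of their projects.
ASSIGNMENTS = {
    "alice": {"front-end"},
    "bob": {"front-end", "market-data"},
    "mallory": {"front-end"},
}

# Constructed access log, one event per line: "<timestamp> <user> <action> <path>".
# 'mallory' is a front-end engineer pulling matching-engine and algo code at night.
SAMPLE_LOG = """\
2011-05-02T09:12:03 alice checkout front-end/gui/order_form.c
2011-05-02T09:15:41 alice checkin front-end/gui/order_form.c
2011-05-02T10:02:17 bob checkout market-data/feed/parser.c
2011-05-02T22:41:05 mallory checkout matching-engine/core/book.c
2011-05-02T22:41:06 mallory checkout matching-engine/core/match.c
2011-05-02T22:41:06 mallory checkout matching-engine/core/price.c
2011-05-02T22:41:07 mallory checkout algos/vwap/vwap.c
2011-05-02T22:41:07 mallory checkout algos/twap/twap.c
2011-05-02T22:41:08 mallory checkout algos/risk/limits.c
2011-05-02T22:41:09 mallory checkout front-end/gui/order_form.c
"""


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    action: str
    path: str


def parse_log(text):
    """Parse the constructed log format into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, action, path = line.split(maxsplit=3)
        events.append(Event(ts, user, action, path))
    return events


def project_of(path):
    """The top-level directory is the project/component a path belongs to."""
    return path.split("/", 1)[0]


def is_authorized(user, path):
    """Preventive control: allow only paths under a project the user is assigned to."""
    return project_of(path) in ASSIGNMENTS.get(user, set())


def audit(text, bulk_threshold=5):
    """Detective control: per user, list out-of-scope paths and flag bulk check-outs.

    Returns {user: {"distinct_files": int, "out_of_scope": [paths], "bulk": bool}}.
    Out-of-scope paths are reported even if the system actually served them,
    which is exactly the gap (legitimate access, no business need) the text describes.
    """
    per_user = defaultdict(lambda: {"files": set(), "out_of_scope": set()})
    for ev in parse_log(text):
        rec = per_user[ev.user]
        if ev.action == "checkout":
            rec["files"].add(ev.path)
        if not is_authorized(ev.user, ev.path):
            rec["out_of_scope"].add(ev.path)
    return {
        user: {
            "distinct_files": len(rec["files"]),
            "out_of_scope": sorted(rec["out_of_scope"]),
            "bulk": len(rec["files"]) >= bulk_threshold,
        }
        for user, rec in per_user.items()
    }


def flagged_users(report):
    """Users with any out-of-scope access or a bulk check-out pattern."""
    return sorted(u for u, r in report.items() if r["out_of_scope"] or r["bulk"])


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for user in flagged_users(report):
        r = report[user]
        print(f"{user}: {r['distinct_files']} files, bulk={r['bulk']}, "
              f"out of scope: {r['out_of_scope']}")
```

The threshold of five distinct files is an arbitrary example value; in practice it would be tuned per project against normal daily activity, and the out-of-scope rule should ideally be enforced by the repository itself rather than only reported afterwards. The point of the example is the pairing: the assignment table denies what the log-based audit would otherwise only detect.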
There’s no doubt that U.S. and European firms face a daunting adversary in the form of China and mainland companies that are looking to jump start their entry into markets that have traditionally been dominated by Western firms. Easy as it may be to rail against the Chinese for wanting what we’ve worked for decades to develop, private sector firms and the government need to be willing to look hard at their own failure to understand their risks and take prudent steps to mitigate them.