December 1989 FBI 1. THEFT OF COMPUTER SOFTWARE: A NATIONAL SECURITY THREAT By William J. Cook Assistant U.S. Attorney Chicago, IL -- Between July and September 1987, a Chicago youth attacked AT&T computers at Bell Labs in Illinois and New Jersey, at a NATO missile support site in North Carolina, and at Robbins Air Force Base in Georgia, stealing software worth $1.2 million and causing $174,000 worth of damage. (1) -- In October 1988, Scotland Yard arrested an English attacker who had broken into over 200 military, corporate, and university computers in the United States and Europe. The indication was that he planned to extort money from one of the victim corporations. (2) -- In November 1988, a college undergraduate planted a computer virus that temporarily disabled 6,000 computers on the U. S. Army research computer network (ARPANET). (3) As evident by these accounts of computer piracy, computer-aided attacks on Government and corporate networks are becoming more numerous and sophisticated. While estimates vary, computer industry sources indicate that computer-related crime (including software theft) annually costs U.S. companies as much as $5 billion per year, with each incident costing approximately $450,000. (4) More importantly, however, the infiltration and theft of computer files is a growing Federal crime problem, since many such actions jeopardize the security and defense of the United States. This article gives a brief overview of the theft and illegal export of computer software. It also details steps taken by the U.S. Government to protect national security and defense information with the intent of curtailing and hopefully eliminating the occurrence of such actions in the future. INTERNATIONAL COMPUTER HACKERS While most computer attacks are committed by hackers who are not agents of foreign government, the growing attention of Eastern Bloc governments to hackers indicates that these nations clearly recognize the benefits of using them to expose openings in U.S. computer networks. In March 1989, it was disclosed that West German hackers sponsored by Eastern Bloc intelligence agencies had been systematically searching for classified information on Government computers throughout the United States through a weakness in a computer network at a California university. (5) The following month, Canada expelled 19 Soviet diplomats for wide-ranging espionage operations to obtain Canadian defense contractor information for military and commercial purposes. (6) And in December 1988, a search warrant filed by U.S. Customs agents in Chicago disclosed that a confederate of the Yugoslav Consul- General in Chicago was using a hacker to attack defense contractors by remote access in order to steal computerized information. According to the affidavit, the information obtained by the hacker was subsequently smuggled out of the United States in diplomatic pouches with the help of the Counsel- General. Public access information and published reports reflect that Soviet efforts to obtain technical information are not an illusion. A major daily newspaper reported that the Soviet Union was actively fostering hacker-to-hacker ties between the Soviet international computer club and computer firms and hackers in the United States, Britain, and France. (7) Another newspaper account told of the Soviet Union setting up programmers in Hungary and India for the purpose of translating and converting U.S. origin software to the format of Soviet and Warsaw Pact country machines. (8) Then in March 1989, a member of the Soviet military mission in Washington, DC, was arrested and expelled from the United States for attempting to obtain technical information about how U.S. Government classified information is secured in computers. (9) The Soviet's main targets are U.S. Government agencies, defense contractors, and high-tech companies and are purportedly backed by a $1.5 billion annual "procurement" budget. Further, Soviet satellite countries have become very active in the Soviet high technology procurement effort. For the past several years, Hungarian, Bulgarian, Yugoslavian, and Polish intelligence officers and their agents have participated in the high-tech theft effort, along with agents from Vietnam, North Korea, and India. (10) Also, Cuban and Nicaraguan intelligence officers are using front companies in Panama to obtain U.S. technology. (11) News accounts suggest that these efforts are successful; 60-70% of the technology is obtained, while 90% of nonclassified high technology data is acquired. More than 60% of the stolen technology comes from the United States. (12) As a result, the U.S. technological "lead" over the Soviets has gone from 10-12 years in 1975 to 4-6 years in 1985. (13) And the savings to the Soviets has been impressive. In 1978 it has been estimated that the Soviet Union saved $22 million in research and development costs by stealing U.S. technology; the following year, they saved $50 million. (14) Between 1976 and 1980, the Soviet aviation industry alone saved $256 million in research and development because of stolen U.S. technology. (15) More significantly, much of the stolen technology is critical to the national security and defense of the United States. PROTECTING TECHNICAL DATA In 1984, the U.S. Department of Commerce placed expanded export controls on computer software as part of its general protection of technical data deemed vital to the national defense and security of the United States. However, export control in this realm is an enormous challenge since modern technology allows the criminal to steal restricted software stored on Government and corporate computers by remote access from a personal computer anywhere in the world. Literally, an international border becomes established where a telephone line plugs into the computer modem. OBSERVATIONS Several observations can be reached from this mosaic. Obviously, U.S. taxpayers are subsidizing the modernization of the Soviet military establishment. And it is more economical for the Soviets to steal U.S. technology than to fund and develop their own research and development capabilities. More importantly, however, the United States needs to do a better job protecting its technology. As noted previously, in response to the Soviet "tech-threat," the United States and other countries expanded controls on high-technology computer software by placing them on the Commodity Control List or Munitions List. Commerce Department and State Department licensing officers require that validated export licenses and end-user assurances are obtained before software named on these lists are exported. Both the Commerce and State Departments routinely call in Defense Department personnel to analyze these export requests. Prosecution for illegally exporting computer data and software can be brought under several sections of the U.S. Code. (16) However, before prosecution under these sections can be successful, several areas must be developed in the computer industry and the law enforcement community. o Corporations should consider placing export control warnings on sensitive software programs, which would clearly assist U.S. efforts to enforce national export laws that require defendants have specific knowledge of export restrictions when they export the computer data. o Federal agents need to become oriented to the computer industry and computers to overcome computerphobia. o Corporate and Government hiring must be done with great care when the employees will have access to computer networks or trash from computer centers. o Computer security specialists and systems administrators must be alert to internal unauthorized access and external hacker attacks and the potential ramifications of activities. They must also be aware that the modem plug-in on one of their computers could be the international border in the export violation and that computerized log records may be the only evidence of espionage of "tech-theft." o Federal agents and computer security professionals must recognize the need for rapid mutual cooperation and communication, with security professionals providing background information on the attacked computer network and assisting with Federal investigations and search warrant efforts. CONCLUSION It is folly to assume that U.S. industry can continue to make sufficient research and development advances each year to ensure that the United States keeps an edge on Warsaw Pact countries. These countries continue to rob the United States of advanced technological information critical to the defense and security of this country. The taxpayers and consumers writing the checks for Government and private sector technological research and development deserve a coordinated Federal law enforcement and computer industry response that recognizes software and computer-related engineering as one of our country's greatest resources. FOOTNOTES (1) ComputerWorld, February 20, 1989. (2) Sunday Telegraph, October 23, 1988. (3) The Boston Globe, November 14, 1988. (4) ComputerWorld, April 3, 1989. (5) Hamburg Ard Television Network, March 2, 1989; see also, Cliff Stoll, "Stalking the Wiley Hacker," Communications of the ACM, May 1988. (6) Reuters, June 28, 1988. (7) The Washington Post, January 2, 1989. (8) The New York Times, January 29, 1988. (9) Reuters, March 9, 1989. (10) "Soviet Acquisition of Militarily Significant Western Technology: An Update," published by the Central Intelligence Agency, 1985. (11) The Los Angeles Times, November 21, 1988. (12) Supra note 10. (13) Ibid. (14) Ibid. (15) Ibid. (16) 118 U.S.C. sec. 1029 (fraudulent activity in connection with using accessing devices in interstate commerce); 18 U.S.C. sec. 1030 (remote access with intent to defraud in connection with Federal interest computers and/or Government-owned computers); 18 U.S.C. sec. 1343 (use of interstate communications systems to further a scheme to defraud); 18 U.S.C. sec. 2512 (making, distributing, possessing, and advertising communication interception devices and equipment); 18 U.S.C. sec. 2314 (interstate transportation of stolen property valued at over $5,000); 17 U.S.C. sec. 506 (Copyright infringement violations); 22 U.S.C. sec 2778 (illegal export of Department of Defense controlled software); 18 U.S.C. sec. 793 (espionage, including obtaining and/or copying information concerning telegraph, wireless, or signal station, building, office, research laboratory or stations for a foreign government or to injure the United States); 18 U.S.C. sec. 2701 (unlawful access to electronically stored information); 18 U.S.C. sec. 1362 (malicious mischief involving the willful interference with military communications systems); 18 U.S.C. sec. 1962 (RICO--20 years/$25,000/forfeiture of property for committing two violations of wire fraud and/or transportation of stolen property). ================================================================ The EPIC Project, a nonprofit public benifit corporation founded last year by a handful of college students, is advising the Chairman of the American Bar Association Technology and the Courts (Sundevil) Subcommittee looking into federal court rule changes. These proposed rule changes are a direct result of actions taken by the Seceret Service, FBI and other enforcement agents in Operation Sun Devil. Rules of evidence, warrants, et al, are in drastic need of change to address the constitutional and civil rights issues at odds with technology. I would very much like to hear from anyone with constructive input or suggestions for needed changes. 9-18-90 Jeff Aldrich Fax: (707) 425-9811 The EPIC Project Voice: (707) 425-6813 P.O. Box 5080-341 Data: 1:212/105@fido.org Fairfield, CA 94533 jefrich@well.sf.ca.us