Cracking the Code on Protecting Code

Goldman Sachs, UBS and Société Générale have all been involved in the past year in high-profile cases over alleged thefts of the computer code behind their algorithmic trading strategies, code they use both for clients and for their own accounts.

The lesson: Even the biggest and best of breed in high-speed, complex electronic trading need to review the procedures they have in place for securing their source code, as well as other valuable trade secrets.

“The sophisticated technology that’s allowed these types of trading strategies to proliferate has also made it much more complicated to keep that type of intellectual property from leaving the four walls of financial institutions,” said Kevin McPartland, an analyst at research firm Tabb Group, based in Westborough, Mass.

Getting code out the door doesn't always take sophisticated hacking skills. In the Société Générale case in April, an employee allegedly copied part of the software into a Microsoft Word document last summer, then came in on a Saturday to print out hundreds of pages, prosecutors said. The employee, who was arrested on a charge of trading in sensitive code, was captured on surveillance cameras stuffing the printouts into his backpack.

If he had been less clumsy, could he have gotten away with it? Maybe. It’s almost impossible to tell that another company has had a peek at your secrets, unless somebody rats them out.

“Some cases are dealt with privately, quietly and with the public never catching on,” McPartland said.

Not all code theft cases are instances of deliberate malfeasance, he notes.

“When you create something in your job, whether a program or a PowerPoint, people tend to feel attached to what they created,” he said.

In the case of UBS, three employees walked off with 25,000 lines of “trade secret algorithmic trading programs,” according to papers filed by the firm last year, with plans to take them to rival firm Jefferies & Company. FINRA arbitrators ruled against UBS this past February, however, without providing any information about the rationale for their decisions. This is one reason why firms normally prefer to settle the cases privately.

“When companies go to the authorities in these matters, there’s a risk that the company can lose control,” said Brent Cossrow, an attorney in the employee defection and trade secrets practice group of Fisher & Phillips, a national employment law firm headquartered in Atlanta.

UBS declined to comment for this story, spokesman Doug Morris said.

In the case of Goldman Sachs, which did not respond to requests for comment, a programmer allegedly stole 32 megabytes' worth of trade secrets, according to court documents. He was arrested by the FBI last summer as he tried to leave the country, and was indicted in February.

According to the indictment, he stole the code on his last day on the job by first encrypting the files, then transferring them over the internet to a server in Germany. He then tried to erase the evidence by deleting the history of his actions on his computer. On previous occasions, he had also emailed files to himself at home and stored copies of the code on PCs, a flash drive and other storage devices.

Société Générale seemed to have done everything right. According to court documents, the code had been divided into small pieces, although SG declines to describe the structure. Employees were allowed to see only the pieces they needed for their jobs. The code was also locked down so that it couldn't be copied to thumb drives, the small storage devices that plug into the USB ports of laptops and other computers.

“SG vigorously protects its proprietary information and intellectual property, and strives to ensure both that it employs robust physical and technical security measures to do so,” Jim Galvin, head of U.S. media relations for Société Générale Securities Services, told Securities Industry News. “SG also is committed to ensuring that any misappropriation of its intellectual property is pursued aggressively to the fullest extent of the law.”

Galvin declined to provide more details about the breach or how the company will protect against similar breaches in the future. One hint, however, may be in a recent vendor announcement, in which the firm chose SailPoint IdentityIQ from Austin-based identity governance software vendor SailPoint. The product lets firms track who has access to which applications, data and IT systems, and automates the process by which employees are granted user accounts for applications.

In fact, automating manual processes is a key step toward improving security. The issue may even be larger than the media reports would suggest, Celent analyst Jacob Jegher said.

“We don’t hear a lot about it in the press, and the reason is simple,” he said. “Banks don’t like to publicize it, and there’s no reason for them to publicize it unless individual accounts have been affected.”

Jegher said he believes in formal policies, enforcement processes and behavior analysis software.

Firms need to have clear policies in place that employees have agreed to; run monitoring on the most sensitive information, at a minimum; close off common data-theft avenues such as personal webmail, file-sharing programs and portable storage devices; monitor outbound internet traffic for keywords or large encrypted attachments; and react quickly when potential violations are flagged.
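The outbound-traffic check Jegher describes, keyword hits and large encrypted attachments, is easy to sketch. The following is an added example, not code from the article or from any of the firms named in it: it screens constructed outbound messages, scans the body and any readable attachment for a hypothetical watch list, and flags attachments that are both large and near-maximum entropy, which is what an encrypted or compressed blob looks like. The watch list, the size threshold, the 7.5 bits/byte cutoff and the "internal mail is not screened" rule are all assumptions chosen for the example.

```python
"""Outbound-mail screen: keyword hits plus large, high-entropy attachments.
Added example with constructed data; thresholds and watch list are assumed."""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass, field

WATCHWORDS = ("proprietary", "trading strategy", "do not distribute")  # assumed watch list
LARGE_ATTACHMENT = 200_000   # bytes; assumed threshold for "large"
ENCRYPTED_ENTROPY = 7.5      # bits/byte; source code and prose sit around 4-5, ciphertext near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the ceiling reached by uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pseudo_ciphertext(size: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic stand-in for an encrypted blob: a SHA-256 hash chain (constructed data)."""
    out, block = bytearray(), seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


@dataclass
class Message:
    sender: str
    recipient: str
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> raw bytes


def screen(msg: Message) -> list:
    """Return (reason, detail) findings for a message leaving the sender's domain."""
    findings = []
    if msg.sender.rsplit("@", 1)[-1] == msg.recipient.rsplit("@", 1)[-1]:
        return findings  # internal mail is not screened by this rule (assumed policy)
    body = msg.body.lower()
    findings += [("keyword", f"{w} in body") for w in WATCHWORDS if w in body]
    for name, data in msg.attachments.items():
        h = shannon_entropy(data)
        if len(data) >= LARGE_ATTACHMENT and h >= ENCRYPTED_ENTROPY:
            findings.append(("large-encrypted-attachment", f"{name} {len(data)}B {h:.2f} bits/byte"))
        elif h < 6.0:
            # Low entropy means readable text: scan it for the watch list too,
            # so source code mailed home in the clear is caught by content, not size.
            text = data.decode("latin-1").lower()
            findings += [("keyword", f"{w} in {name}") for w in WATCHWORDS if w in text]
    return findings


def constructed_messages() -> dict:
    """Three constructed messages: internal chatter, source mailed home, encrypted blob mailed home."""
    source = (b"def signal(book):\n    # proprietary alpha model\n    return sum(book) / len(book)\n") * 4000
    return {
        "benign": Message("dev@firm.example", "peer@firm.example", "See attached", {"notes.txt": b"lunch?"}),
        "source-in-clear": Message("dev@firm.example", "me@home.example", "my work", {"alpha.py": source}),
        "encrypted-exfil": Message("dev@firm.example", "me@home.example", "backup",
                                   {"x.bin": pseudo_ciphertext(250_000)}),
    }


def run_screen() -> dict:
    """Screen every constructed message; maps label -> list of findings."""
    return {label: screen(m) for label, m in constructed_messages().items()}


if __name__ == "__main__":
    for label, findings in run_screen().items():
        print(label, findings or "clean")
```

The entropy rule is deliberately paired with a size floor: small encrypted attachments (a password manager export, a signed PDF) are routine, and a keyword rule alone misses the Goldman-style case where the files were encrypted before they left. Neither rule sees a photographed screen, which is the gap Jegher raises below.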

In addition, the largest or most cutting-edge firms can roll out behavior analysis software to track common usage patterns and spot unusual behavior. But there's a limit to how much security a company can roll out, Jegher adds.

“You can imagine an employee loading something up on the screen,” he said. “He's not allowed to save, print or email it, and he takes a picture of it with his digital camera or cell phone.”

Behavior analysis software might be able to detect a problem if he is taking pictures of screen after screen of code and pulls up the files in an atypical manner, he said.

These applications track an employee's behavior over time and establish a baseline: how much time a programmer normally spends on a particular task, for example. If the employee then spends less time than normal per page, pulls up an unusually large number of pages, and does so at a time when he's not normally at his desk, the software sends an alert to a manager or security officer.
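The baseline-and-deviation logic described above, worked through on constructed repository access logs. This is an added example, not code from the article or from any behavior-analysis product: it learns, per user, the usual daily view count, the hours of day that user is normally active, and the median dwell time between page views, then alerts on a day that breaks those norms on volume, time of day, or dwell. The log format, the five-day training window, the "twice the mean or three standard deviations" volume threshold and the half-dwell rule are assumptions chosen for the example.

```python
"""Per-user baseline of code-repository access, then deviation alerts.
Added example over constructed log lines; thresholds are assumed."""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

SESSION_GAP = 1800  # seconds; gaps longer than this are breaks, not dwell time (assumed)


def parse(lines):
    """Log format (constructed): '<iso-timestamp> <user> <action> <path>'."""
    events = []
    for line in lines:
        ts, user, action, path = line.split()
        events.append((datetime.fromisoformat(ts), user, action, path))
    return sorted(events)


def per_day(events):
    """Group view timestamps by (user, calendar day)."""
    days = defaultdict(list)
    for ts, user, _action, _path in events:
        days[(user, ts.date())].append(ts)
    return days


def day_features(times):
    """Views that day, hours of day touched, median seconds between consecutive views."""
    dwells = [(b - a).total_seconds() for a, b in zip(times, times[1:])
              if (b - a).total_seconds() < SESSION_GAP]
    return len(times), {t.hour for t in times}, (statistics.median(dwells) if dwells else None)


def build_baseline(events):
    """Per user: volume threshold, normal hours, and typical dwell, learned from training days."""
    feats_by_user = defaultdict(list)
    for (user, _day), times in per_day(events).items():
        feats_by_user[user].append(day_features(times))
    baseline = {}
    for user, feats in feats_by_user.items():
        counts = [views for views, _, _ in feats]
        mean = statistics.mean(counts)
        sd = statistics.pstdev(counts) if len(counts) > 1 else 0.0
        baseline[user] = {
            "view_threshold": max(mean + 3 * sd, 2 * mean),  # assumed: never alert below 2x normal
            "hours": set().union(*(hours for _, hours, _ in feats)),
            "dwell": statistics.median(d for _, _, d in feats if d is not None),
        }
    return baseline


def score(baseline, events):
    """Return (user, day, reasons) for every user-day that deviates from its baseline."""
    alerts = []
    for (user, day), times in per_day(events).items():
        b = baseline.get(user)
        if b is None:
            alerts.append((user, day, ["no baseline for user"]))
            continue
        views, hours, dwell = day_features(times)
        reasons = []
        if views > b["view_threshold"]:
            reasons.append(f"volume {views} > {b['view_threshold']:.0f}")
        off_hours = sorted(hours - b["hours"])
        if off_hours:
            reasons.append(f"off-hours activity at {off_hours}")
        if dwell is not None and dwell < b["dwell"] / 2:
            reasons.append(f"dwell {dwell:.0f}s vs baseline {b['dwell']:.0f}s")
        if reasons:
            alerts.append((user, day, reasons))
    return alerts


def constructed_logs():
    """Five normal weekdays (20 views, 09:00-16:00, ~21 min apart) then a Saturday 02:00 bulk pull."""
    training, evaluation = [], []
    for d in range(5):  # Mon 1 Mar 2010 through Fri 5 Mar 2010
        t = datetime(2010, 3, 1, 9, 0) + timedelta(days=d)
        for i in range(20):
            t += timedelta(minutes=20 + i % 3)
            training.append(f"{t.isoformat()} analyst1 VIEW strat/alpha/module{i}.py")
    t = datetime(2010, 3, 6, 2, 0)  # Saturday
    for i in range(300):
        t += timedelta(seconds=5)
        evaluation.append(f"{t.isoformat()} analyst1 VIEW strat/alpha/module{i}.py")
    return training, evaluation


def run_demo():
    training, evaluation = constructed_logs()
    return score(build_baseline(parse(training)), parse(evaluation))


if __name__ == "__main__":
    for user, day, reasons in run_demo():
        print(user, day, "; ".join(reasons))
```

Three independent signals fire on the constructed Saturday: volume, time of day and dwell. Requiring two of them before paging someone is a reasonable way to keep a genuinely busy Friday afternoon from becoming an alert, and a lone user with no training history should be reviewed rather than auto-alerted.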

It all starts with management, said Scott Giordano, head of product marketing for Mitratech, a Los Angeles provider of legal process automation software.

Typically, corporate policies should include confidentiality and nondisclosure statements, policies concerning the use of corporate computers and email systems, and protocols for handling terminated employees, said Fisher & Phillips’ Cossrow.

Technology can be used to manage the entire threat process, from policy inception to execution, and to track and review what’s working and what’s not working, Giordano said.

Most important, it would also track responses to security incidents and allow companies to do after-the-fact investigations in a consistent way, he said.

PROTECTING SECRETS

Background checks on new employees

According to Ed Powers, a background check will not necessarily catch every potential criminal, but it will at least keep known criminals out of the company.

Identify risky data and employees

Not all data requires the most stringent security precautions. And not all data poses the same risks to the company if exposed.

Set data-protection policies and get signatures from employees

All contracts with employees and contractors should contain clauses that establish the firm's ownership of all intellectual property they develop while working for it, Powers said.

Lock down or monitor information flows: USB ports, email, and file-sharing sites

Create a counterthreat unit

Such units also look at employees' behavior patterns and try to predict whether someone is about to do something risky, he added.