Source code thievery happens, so be prepared

Source code: It's the very marrow of a technology organization--yours and your
vendors'. Planning and forethought are needed to protect it.


Car theft--or the theft of anything solid and tangible--is well understood by law
enforcement authorities. Software, of course, is intangible. It can be reproduced
instantly in another continent yet still remain where it started. As such, software theft
poses an investigative problem.


When Russia became a capitalist nation, companies such as Oracle Corp. were surprised
to find they had a significant installed base in countries where they'd never set foot,
much less opened an office.


But because the Russians were using hopelessly outdated versions of Oracle's database,
many signed legitimate license contracts for new versions, creating a happy ending.


But suppose you are an agency manager responsible for a lot of software. Suppose you
are a software executive or manager of a group of developers. How should you respond to an
even worse nightmare: The suspicion or knowledge that an employee or former employee has
taken your source code or object code?


First, call law enforcement. File a police report. Urge prompt action. Wherever you
are, you are under federal, state and local jurisdiction. The typical U.S. attorney's
office would probably welcome a break in the tedium of frauds and stolen rugs.


Similarly, state prosecutors are quite interested in such cases. Some local law
enforcement agencies, including Montgomery County, Md., have detailed one or two officers
to investigate computer crime.


Law enforcement has big weapons. With enough evidence, the government can seek a
judicial search warrant permitting the search and seizure of the suspect's computer.


This judicial probable-cause standard is actually less than what is needed by a private
party to win a civil lawsuit. The beauty of the search warrant is its unexpectedness.
Arrogant thieves often leave the most damning evidence right on the hard drives of their
own PCs.


In 1995, Congress increased federal protection of trade secrets when it passed a new
law making theft of trade secrets by an individual or organization a crime punishable by a
fine of up to $5,000 or 10 years in prison, or both.


The law also makes it a criminal act for an individual or organization to destroy or
alter such information.


And it's now a crime to receive or possess trade secrets when a recipient knows that
such information has been taken without authority.


Last but not least, the new law makes it a criminal act for individuals and
organizations to conspire to misappropriate or destroy trade secrets and perform any act
to effect the misappropriation or destruction of trade secrets that are the object of the
conspiracy.


In addition, most states have statutes that protect trade secrets. For example,
Maryland, Florida, California and many other states have statutes that create important
rights for the owner of trade secrets, some of which permit multiple-damage awards, or
punitive damages and attorney fee recovery.


This is all after the fact. The most important thing you can do is to prevent theft.
Companies, unlike agencies, can file for copyright protection for the software. It gives
them lots of additional protection and permits recovery of attorney's fees against
infringers.


But all organizations can limit programmers' access to source code. Access should occur
only at the work facility and be carefully logged.


If developers are permitted to work at home, they should not be permitted to place the
software on their own PCs but should instead dial up and work on software residing on the
agency's host machine.


All developers should be required to sign strong noncompete and nondisclosure
agreements before they touch any software code.


All internal modem and software fax packages should be prohibited or regulated.


Agencies should also randomly and routinely inspect the files of computers they are
responsible for. Look for someone accessing files they have no business looking at.


Look for someone setting up blocking commands on hard drives. Look for any unnecessary
accumulation of the crown jewels in places they don't need to be.


Both vendors and agencies have a strong interest in protecting software. Too many
resources go into developing it, acquiring it and integrating it into agency systems for
it to be open to simple theft.


Stephen M. Ryan is a partner in the Washington law firm of Brand, Lowell & Ryan. He
has long experience in federal information technology issues. E-mail him at smr@blrlaw.com.

