Defending Trade Secrets without Stifling Innovation

In this mid-month special issue, guest author Nick Catrantzos discusses espionage costing Genentech over $100m and application of his No Dark Corners approach to mitigating insider threats.

By Nick Catrantzos

Recent reports show how a phony start-up based overseas contrived to make over $100 million by selling generic versions of cancer drugs whose formulas were clandestinely stolen from Genentech. Vital to this scheme were a Genentech insider and her husband.

In a Nutshell

The husband-and-wife team pled guilty to stealing Genentech's cystic fibrosis drug Pulmozyme and cancer drugs Rituxan, Herceptin and Avastin. To Genentech, the cancer drugs alone brought in over $4 billion in revenue. JHL Biotech (rebranded as Eden Biologics), the firm behind the scheme, removed Genentech’s logo from stolen documents and pasted its own logo on top. While prosecutors are also charging JHL’s top executives, the latter are planning for a legal battle. According to the Genentech insider pleading guilty, JHL recruited the Genentech scientist circa 2008, before JHL officially was born in 2012. Then, in 2016, JHL contracted with a French buyer, Sanofi, for hundreds of millions of dollars, after having claimed to have produced these stolen formulas independently.

The multi-million-dollar Sanofi deal was to jointly manufacture and distribute in China, where JHL had established a corporate presence in Wuhan. Both JHL’s chief operating officer and the recruited Genentech scientist are women who appear to share Chinese ethnicity which may have facilitated the former’s recruitment approach. Once indictments surfaced, JHL’s value collapsed, as did the deal.

What is instructive about this case for defending against a similar threat of trade secret theft at the hands of an otherwise trusted insider?

Questioning Reflexive Precautions

Popular wisdom suggests that the scheme might have been nipped in the bud through extreme vetting, invasive monitoring, or both.

As this reasoning goes, the more research scientists are vital to a company’s profitability, the more scrutiny they deserve. An extra failsafe becomes imposing regular, even invasive monitoring, for anyone having access to the equivalent of the Crown Jewels of the enterprise. In theory, such monitoring rapidly detects untoward activities, like copying proprietary formulas.

In practice, both are wrong. Why?

Limits of Background Investigations

To anyone who has been responsible for background screening in the public, private, and consulting worlds, background investigations are part of a larger process which often falls short of its advertised value. As delineated in the 'Insider Threat: Applying No Dark Corners Defenses' chapter of the Springer Reference 'Handbook of Security Science', a background investigation is a snapshot in time that is of limited scope. Not only may it fail to weed out an unreliable or venal applicant, it may also be irrelevant in cases such as the Genentech matter. After all, if the foregoing Justice Department report is accurate, the Genentech scientist was recruited.

What makes this significant? Orchestrators of espionage only recruit people first judged to have the placement and access necessary to serve their needs. In other words, in circumstances such as the foregoing, it is entirely plausible the Genentech scientist began employment without ever having any sinister intentions. No vetting process would have uncovered otherwise by purporting to identify a susceptibility she may not have even had at the point of hire. Moreover, if the Genentech employee had refused recruitment, it is likely the JHL COO would simply have attempted to recruit another more amenable candidate.

Limits of Invasive Monitoring

Invasive monitoring punishes the blameless many to flush out the felonious few, who may not even exist. For example, one of the most common, knee-jerk countermeasures when there is fear of a loss via the enterprise’s network, is to impose more frequent, complicated password changes. However, a routine consequence is employees’ circumventing this burden by recording their passwords where they are exposed to greater compromise than before. Indeed, the more draconian the impositions, the more likely it is that the worst offenders may be the technology titans themselves.

What, then, is an executive to do? Overreach on one hand or abdicate responsibility for trade secret protection on the other?

Deeper Understanding of the Insider Challenge

The insider threat challenge resists easy answers. One explanation suggests an insider threat may be more than a problem; it is a predicament. Problems invite straightforward solutions. When the solutions proposed fail to yield immediate results, problem-solvers increase the dosage before they consider changing the treatment.

Predicaments, by contrast, require interpretive thinking and a capacity for putting a larger frame around the challenge. By framing the insider threat as a predicament, one more readily discerns when proposed solutions are faltering or turning counterproductive. In effect, framing the trade secret case as a predicament facilitates application of insider threat defenses that engage rather than alienate the work force.

Enter the No Dark Corners approach.

Application of the No Dark Corners Approach

Two key features of this approach applicable for defending Genentech’s trade secrets are driving monitoring responsibilities down to the co-worker level and fostering an environment where co-workers function not as informants but as co-pilots taking an active hand in their own protection. After all, employees have a vested interest in safeguarding the company assets responsible for generating revenue and providing those employees with their livelihoods.

The ultimate aim is opportunity denial, i.e., sharply reducing or eliminating ability to exploit common vulnerabilities that constitute the dark corners which an insider abuses to steal the intellectual property worth millions.

One way of portraying the difference in approaches follows here:

Additional Measures

Appendix B from the ASIS Foundation CRISP Report industry study offers eight steps for introducing a No Dark Corners approach to the workplace. Two that may particularly avail in cases like Genentech’s, are:

  • Plan for a co-pilot in every critical cabin. Adopting the co-pilot metaphor, design workplaces to operate with a level of transparency and mutual support that makes it virtually impossible for a single individual to misappropriate or sabotage without some level of co-worker oversight. Make it a team effort, rather than an inquisition.

  • Limit invasive controls to those that really count. Avoid alienating good employees by instituting so many controls that these restrict their ability to do productive work. Maintain a sense of balance that respects the core business without turning every employee into a snoop.

Conclusion

There are no guaranteed defenses against insider threats, especially those backed by organized and well-funded adversaries. However, there are alternatives to a reflexive resort to ill-advised, draconian measures whose implementation is likely to make things worse. The No Dark Corners approach makes things better by providing opportunity denial at the team level. At the very least, it stands in sharp contrast to an overbearing and invasive approach when actual insider threats remain statistically rare and often defeated by applying friction in the right places.

About the Author & The No Dark Corners Approach

Nick Catrantzos started out as an intelligence case officer whose wartime mission was interrogation. He has been a security director, has posed as a college professor, and been called an authority on insider threats. He is also a LIfetime Certified Protection Professional (CPP). Currently a troubleshooter and pracademic for Stratcolab.org, Nick remains a licensed investigator who enjoys writing feature stories for eclectic publications.

First the subject of an award-winning thesis (Naval Postgraduate School thesis), a peer-reviewed journal article (Homeland Security Affairs Journal article), and a security industry research study (ASIS Foundation CRISP Report), the No Dark Corners approach ultimately surfaced in Nick's textbook ('Managing the Insider Threat: No Dark Corners'). This research also undergirded the aforementioned 'Insider Threat: Applying No Dark Corners Defenses' chapter of the Springer Reference 'Handbook of Security Science'.

iThreat and Mike Gips thank Nick for sharing his time, approach, and insights in authoring this article for the Insider Signal and Insider Signal Plus newsletters.

Story Sources


We Want Your Feedback!

How are we doing? Are you enjoying our content and insights? Are there specific stories you’d like us to cover? We would love your feedback via insidersignalplus@ithreat.com. With your permission, we may even publish it!