As a person in the IT field, I typically consider the Silicon corporate giants to be on the razor edge in terms of the technology and tools they’re using on their networks; however, all too often I find that I am seriously mistaken in that assumption.
Disruptive Driving
On my drive in to the office this morning, I heard about a new corporate lawsuit between Waymo (a spin-off company of Google under the Alphabet umbrella) and Uber. I was really curious, so I did some research. The suit stems from the recent Uber acquisition of a small start-up company (Otto-Motto) that was supposed to boost Uber’s slice of the self-driving/autonomous car market. Prior to the acquisition, Uber appeared to be about 5-8 years behind other companies that had been in this market for several years, but after Uber bought Otto, a new self-driving car project was launched and was able to essentially catch up to the rest of the field within nine months. Field tests were soon underway, and experts in the industry were stunned at the pace Uber was setting. Then, one of Uber’s vendors for components of the cars’ LiDAR (Light Detection and Ranging) system sent an e-mail that started to raise some serious questions about how Uber managed to go from research and development to field testing models within nine months. The system allows self-driving cars to use lasers to create a 3D map of the environment around them and is an essential part of any self-driving car.
HOW STRONG ARE YOUR CONTROLS AGAINST CYBERSECUrItY THREATS? DON’T WAIT UNTIL IT’S TOO LATE TO FIND OUT. Contact OUR RISK ADVISORY SERVICES TEAM
The vendor’s e-mail was sent to a group of engineers in Uber’s Autonomous Vehicle Unit asking some questions about the attached schematic of a confidential design for the LiDAR circuit board used in Uber’s self-driving cars. Unfortunately, the vendor included an engineer at Waymo on the e-mail, and that’s when things went downhill. The engineer at Waymo recognized the design of the circuit board as almost identical to Waymo’s own LiDAR system circuit board that happened to be designed in large part by an ex-employee who had left to start his own company (Otto-Motto). That employee was Anthony Levandowski, who took over as the head of Uber’s Autonomous Vehicle Unit when Uber bought his company. After that discovery, Waymo invested in some serious forensics work and determined that prior to leaving the company; Levandowski had downloaded about 14,000 files (about 10GB worth) to his company-owned laptop including the designs and schematics for Waymo’s LiDAR technology. He then plugged in an external hard drive and moved the files over to that before wiping and re-imaging his laptop. Once he left the company, he poached several other staffers that also took additional sensitive company information about suppliers and vendors related to the LiDAR technology. Based on the information resulting from the investigation, Waymo filed suit against Uber yesterday accusing the company of violation of the CA Unfair Competition Law, the Uniform Trade Secrets Act – CA, the Defense of Trade Secrets Act, and Patent Infringement. At least three of those carry hefty possible damages if Uber is found guilty.
Hindsight’s 20-20
The story is fascinating, but I keep going back to the thought that if Waymo had some sort of data loss prevention tool in place at least the magnitude of lost trade secrets could possibly have been prevented. Levandowski almost certainly had access to the share file/drive where the LiDAR information was kept, so this wasn’t a user access issue, but the fact that he could plug in an external hard drive and drop thousands of files on it is pretty incredible. In this instance, a simple end point protection tool (configured to prevent employees from accessing jump drives or external hard drives on their workstations) could have been effective. In addition to that, Waymo could have also controlled what sensitive information could be transferred or downloaded to workstations using a data-loss prevention (DLP) solution. These solutions are designed to be scalable from small companies to giant organizations and are a more nuanced way of determining what actions can be taken for different types of information. The field includes some really big names along with some up-and-coming names: Symantec, McAfee (Intel Security), EMC/RSA DLP, CheckPoint, Microsoft, Sophos, Carbon Black (Bit9), and Code Green Networks.
I’m not saying a technical solution alone could prevent an information theft. There is the argument that if someone wants to steal company data, they will find a way to do it. My answer to that, though, is why should we make it easy for them?
Laura is a Manager with YHB and serves on the Risk Advisory Services Team. Laura focuses on assisting organizations in a variety of industries with IT-related audit and consulting services.