The recent allegations of trade secret theft and trafficking against former Goldman Sachs programmer Sergey Aleynikov raise important questions of corporate security and policy to handle a new generation of attempted economic disruption. According to a deposition given by FBI Agent Michael McSwain, Aleynikov is purported to have uploaded proprietary trading code from Goldman Sachs’ offices in New York to a server located in Germany. Regardless of the outcome of the Goldman case, such a potential leak has wider implications for the future of corporate and national security. It is doubtful this was a mere prank. Recent history has shown that economic crime is seldom the product of the actions of a lone individual.
I. Economic Denial of Sustainability (EDoS)
One possibility raised in the deposition is that Goldman’s code could be used by other financial firms to diminish Goldman’s profit-making ability. While it may be argued that the code is useless outside of Goldman Sachs because of Goldman’s use of Slang, a proprietary computer language, and the fact that any institution exploiting the code would become “radioactive”, another possibility exists for potentially malicious use of the code.
Christopher Hoff at Unisys coined a term on his personal website for a new type of cyber-attack – the Economic Denial of Sustainability (EDoS). In an EDoS, an attacker generates a large number of legitimate business requests (that most likely go unfilled) in order to drive the aggregate transaction costs of the victim to an unsustainable level. Another market participant could use knowledge gleaned from Goldman’s code to place temporary bids/asks that drive stock prices away from the average price Goldman’s software thinks it can get.
This would potentially decrease arbitrage margins and increase trading costs, affecting both Goldman’s portfolio and its clients. Because an EDoS involves legitimate business, there is presently no law or regulatory framework that can stop or punish an EDoS until it is too late. Civil and criminal law have not kept up with developments in financial and computer technology. A potential EDoS could be stopped if civil suits based on other elements are filed (such as violating a confidentiality agreement); however, criminal charges for intellectual property theft are rare.
II. Active Measures
Another possible outcome of the Goldman Sachs leak is that Goldman’s reputation could have been damaged merely by disclosure of the alleged Aleynikov incident. It is not difficult to imagine clients, especially in the current economic climate, withdrawing their accounts and moving to another institution under the belief that compromised code is indicative of future losses. Simply compromising computer code or other trade secrets and publicly disclosing the fact of the compromise could be enough to influence stock prices and cause a panic among clients. Such an outcome shares many of the traits of a disinformation campaign, an espionage technique that is neither new nor rare. Furthermore, this topic may be particularly relevant given the U.S. government’s recent concern about the impact of “short selling” on the drastic drop of stock prices last year.
During the time of the Soviet Union, the KGB developed skills to use active measures in espionage and intelligence (we use the KGB only because it had a highly developed active measures program; there is no proof or allegation to date tying the Goldman Sachs case to Russia or Russian entities). U.S. intelligence agencies specialized in passive measures, that is, gathering of data and intelligence. On the other hand, the KGB specialized in active measures, the most notable being the disinformation campaign. The most well-known Soviet disinformation campaign was an attempt to tie the CIA to the Kennedy assassination. While it is known that the CIA-Kennedy rumor was a KGB creation, many people in the mainstream of society believe it to be true.
Disinformation has become a widely used and powerful technique for information management in today’s world. Political adversaries will frequently employ disinformation to cause the public to question their opponents. The lowered standard for defamation (the need to show reckless disregard of truth or falsity) makes disinformation an easy tactic to use in the public sphere. Astroturfing and viral marketing employ tactics similar to classic disinformation campaigns, though these campaigns are usually meant to increase the sponsor’s position, not destroy the position of an opponent. Private entities have more legal tools at their disposal to fight disinformation meant to harm.
The actual theft of code may not be as damaging as it appears at first blush. For Goldman’s code to be usable, one would have to have the same access to markets as Goldman Sachs, access to Goldman’s proprietary Slang programming language and the ability to implement the leaked code in secret. It is unlikely that any major bank or trading firm would even want to touch “radioactive” stolen code. So how can theft of trade secrets be valuable? Thefts can be valuable as a disinformation tool to damage reputation.
The easiest way to destroy a financial institution is to destroy its reputation, killing investor and customer confidence. In any kind of panic, it is perception that governs events long before reality sets in. A bank panic is started by the belief that an institution is insolvent; only after the panic ensues is the institution actually insolvent (though the panic may be well justified). Trade secrets are the lifeblood of business; without them there is no incentive to innovate and no protection of creativity. The Goldman case could have undermined confidence in the bank. Clients would wonder if the “secret sauce” was now worthless, investors would wonder why clients are leaving, and so on… Goldman’s recent results show that there probably was no mortal damage from the leak, though the actual consequences remain for the courts (and legislators) to sort out.
What is troubling about the Goldman leak is how unprepared our infrastructure is against active measures. We already have good security practices, defamation laws and laws against market manipulation. What we don’t have is a mechanism for dealing with threats that appear to be minor, but where the resulting disinformation is catastrophic. Growing reliance on technology in finance, as well as emerging technologies such as cloud computing, open all businesses and countries up to new and innovative threats that we may perceive as benign.
III. Cybercrime and National Security
The threat from cybercrime (and so-called cyber war) is not the same as the traditional military threat posed by sovereign actors against infrastructure and resources. To date, not one cybercrime or cyber-attack has been definitively tied to a national government or terrorist group, even though it is difficult to imagine large-scale attacks occurring absent state complicity. Attacks against Estonia, Georgia, South Korea and the U.S. have all been the work of individuals and organized gangs. Even the alleged North Korean attack doesn’t appear to have been directly sponsored by North Korea.
It makes sense that governments are not direct actors in cybercrime, since shutting down websites and email is not the same as destroying missile silos or planting improvised explosive devices. If governments are not the main perpetrators of cybercrime, how is cyber war a threat?
Policymakers often confuse national security with military security; this is evident in the U.S., where the Government concentrates its cyber security efforts in the Defense Department and Homeland Security. Instead, policymakers must focus on the intent of cyber war tools like EDoS and active measures. A cyber security department would probably be more appropriately located within the Treasury Department or Department of Commerce, but such a department should work closely in conjunction with the U.S. Department of Justice, which has for some time recognized that international economic crime is a major national security concern.
The Goldman case appears to be fading from media view, but the questions it raises will only reappear in the future. Are businesses prepared to monitor and stop EDoS attacks? Could a cyber attack or information breach cause a financial panic and damage an already fragile economy?
One answer lies in re-examining the use of the Racketeer Influenced and Corrupt Organizations Act (RICO). RICO laws can be used to prosecute criminal enterprises. In the case of an EDoS or a disinformation campaign, each individual crime involved may be minor (say multiple small counts of theft or securities fraud), but taken in total, the crimes can be prosecuted under the much tougher RICO statutes.
RICO would also be effective in cases where a government is not directly responsible but remains complicit. In light of the likely cross-border nature of some cyberattacks, the U.N. Convention against Transnational Organized Crime may provide the legal basis for future international cooperation in this area.
The ease with which modern active measures can be used to damage an organization is the elephant in the room of our economy and our national security policy. Goldman Sachs’ leak shows that militarizing cyber security policy provides inadequate protection. The attack vector used in cyber business crime is often no different than the pathway taken by legitimate business, though the outcome is intended to be damaging.
Due to the complexity of technology and industry, we often see active measures as small, nonthreatening discrete events. Cyber security policy may be better served if it is created openly with input from all interested parties such as business, academia and intelligence. The elephant in the room is that we need to develop a new way of thinking about and dealing with cyber crime.
* * * *
 ___S.D.N.Y.___, U.S. v. Aleynikov, Deposition of Michael McSwain, July 4, 2009. Retrieved from http://www.ft.com/cms/5994bb8e-6a5a-11de-ad04-00144feabdc0.pdf.
 Hoff, Christopher. Rational Security “A Couple Of Follow-Ups On The EDoS (Economic Denial Of Sustainability) Concept…” January 29, 2009. Retrieved July 25, 2009 from http://rationalsecurity.typepad.com/blog/edos/.
 Fisher, Dennis. Security Bytes “Russian cyberwar! Yes, no, maybe so?” August 13, 2008. Retrieved on July 25, 2009 from http://itknowledgeexchange.techtarget.com/security-bytes/russian-cyberwar-yes-no-maybe-so/.
 Abrams, Randy. ESET Threat Blog “Cyber war or Cyber hype?” July 10, 2009. Retrieved July 25, 2009 from http://www.eset.com/threat-center/blog/2009/07/10/cyber-war-or-cyber-hype.
 See U.S. Department of Justice, Overview of the Law Enforcement Strategy to Combat International Organized Crime, at http://www.justice.gov/ag/speeches/2009/ioc-strategy-public-overview.pdf
 Racketeer Influenced and Corrupt Organizations, 18 U.S.C. § 1961–1968.
 The UN Convention is available at http://www.uncjin.org/Documents/Conventions/dcatoc/final_documents_2/convention_eng.pdf.
* Messrs. Burger and Gray are Washington, D.C. area attorneys, who specialize in the area of economic crime, particularly as it relates to Russia. Mr. Burger is also an Adjunct Professor at the Georgetown University Law Center, where he gives a course on international economic crime & corruption.