Goldman Sachs’ Code and the Elephant in the Room

The recent allegations of trade secret theft and trafficking against former Goldman Sachs programmer Sergey Aleynikov raise important questions of corporate security and policy to handle a new generation of attempted economic disruption. According to a deposition given by FBI Agent Michael McSwain, Aleynikov, a former programmer at Goldman Sachs, is purported to have uploaded proprietary trading code from Goldman Sachs’ offices in New York to a server located in Germany. [1]  Regardless of the outcome of the Goldman case, such a potential leak has wider implications for the future of corporate and national security.  It is doubtful this was a mere prank.  Recent history has shown that economic crime is seldom the product of the actions of a lone individual.

I. Economic Denial of Sustainability (EDoS)

One possibility raised in the deposition is that Goldman’s code could be used by other financial firms to diminish Goldman’s profit-making ability. While it may be argued that the code is useless outside of Goldman Sachs because of Goldman’s use of Slang, a proprietary computer language, and the fact that any institution exploiting the code would become “radioactive”, another possibility exists for potentially malicious use of the code.

Christopher Hoff at Unisys coined a term on his personal website for a new type of cyber-attack – the Economic Denial of Sustainability (EDoS).[2] In an EDoS, an attacker generates a large number of legitimate business requests (that most likely go unfilled) in order to drive the aggregate transactions costs of the victim to an unsustainable level. Another market participant could use knowledge gleaned from Goldman’s code to place temporary bids/asks that drive stock prices off of the average Goldman’s software thinks it can get.

This would potentially decrease arbitrage margins and increase trading costs, affecting both Goldman’s portfolio and its clients. Because an EDoS involves legitimate business, there is presently no law or regulatory framework that can stop or punish an EDoS until it is too late. Civil and criminal law have not kept up with developments in financial and computer technology. A potential EDoS could be stopped if civil suits based on other elements are filed (such as violating a confidentiality agreement), however criminal charges for intellectual property theft are rare.

II. Active Measures

Another possible outcome of the Goldman Sachs leak is that Goldman’s reputation could have been damaged merely by disclosure of the alleged Aleynikov incident. It is not difficult to imagine clients, especially in the current economic climate, withdrawing their accounts and moving to another institution under the belief that compromised code is indicative of future losses. Simply compromising computer code or other trade secrets and publicly disclosing the fact of the compromise could be enough to influence stock prices and cause a panic among clients. Such an outcome shares many of the traits of a disinformation campaign, an espionage technique that is not new nor rare.  Furthermore, this topic may be particularly relevant given the U.S. government’s recent concern about the impact of “short selling” on the drastic drop of stock prices last year.

During the time of the Soviet Union, the KGB developed skills to use active measures in espionage and intelligence (we use the KGB only because it had a highly developed active measures program; there is no proof or allegation to date tying the Goldman Sachs case to Russia or Russian entities). U.S. intelligence agencies specialized in passive measures, that is, gathering of data and intelligence. On the other hand, the KGB specialized in active measures, the most notable being the disinformation campaign. The most well-known Soviet disinformation campaign was an attempt to tie the CIA to the Kennedy assassination. While it is known that the CIA-Kennedy rumor was a KGB creation, many people in the mainstream of society believe it to be true.

Disinformation has become a widely used and powerful technique for information management in today’s world. Political adversaries will frequently employ disinformation to cause the public to question their opponents. The lowered standard for defamation (the need to show reckless disregard of truth or falsity) makes disinformation an easy tactic to use in the public sphere. Astroturfing and viral marketing employ tactics similar to classic disinformation campaigns, though these campaigns are usually meant to increase the sponsor’s position, not destroy the position of an opponent. Private entities have more legal tools at their disposal to fight disinformation meant to harm.

The actual theft of code may not be as damaging as appears on first blush. For Goldman’s code to be useable, one would have to have the same access to markets as Goldman Sachs, access to Goldman’s proprietary Slang programming language and the ability to implement the leaked code in secret. It is unlikely that any major bank or trading firm would even want to touch “radioactive” stolen code. So how can theft of trade secrets be valuable? Thefts can be valuable as a disinformation tool to damage reputation.

The easiest way to destroy a financial institution is to destroy its reputation, killing investor and customer confidence. In any kind of panic, it is perception that governs events long before reality sets in. A bank panic is started by the belief that an institution is insolvent, only after the panic ensues is the institution actually insolvent (though the panic may be well justified). Trade secrets are the life-blood of business, without them there is no incentive to innovate and no protection of creativity. The Goldman case could have undermined confidence in the bank. Clients would wonder if the “secret sauce” was now worthless, investors would wonder why clients are leaving, and so on… Goldman’s recent results show that there probably was no mortal damage from the leak, though the actual consequences remain for the courts (and legislators) to sort out.

What is troubling about the Goldman leak is how un-prepared our infrastructure is against active measures. We already have good security practices, defamation laws and laws against market manipulation. What we don’t have is a mechanism for dealing with threats that appear to be minor, but where the resulting disinformation is catastrophic. Growing reliance on technology in finance, as well as emerging technologies such as cloud computing open all businesses and countries up to new and innovative threats that we may perceive as benign.

III. Cybercrime and National Security

The threat from cybercrime (and so-called cyber war) is not the same as the traditional military threat posed by sovereign actors against infrastructure and resources. To date, not one cybercrime or cyber-attack has been definitively tied to a national government or terrorist group, even though it is difficult to imagine large-scale attacks occurring absent state complicity. Attacks against Estonia, Georgia, South Korea and the U.S. have all been the work of individuals and organized gangs.[3]  Even the alleged North Korean attack doesn’t appear to have been directly sponsored by North Korea.[4]

It makes sense that governments are not direct actors in cybercrime, since shutting down websites and email is not the same as destroying missile silos or planting improvised explosive devices. If governments are not the main perpetrators of cybercrime, how is cyber war a threat?

Policy makers often confuse national security with military security; this is evident in the U.S. where the Government concentrates its cyber security efforts in the Defense Department and Homeland Security. Instead, policymakers must focus on the intent of cyber war tools like EDoS and active measures. A cyber security department would probably be more appropriately located within the Treasury Department or Department of Commerce, but such department should work closely in conjunction with the U.S. Department of Justice, which has for some time recognized that international economic crime is a major national security concern.[5]

The Goldman case appears to be fading from media view, but the questions it raises will only reappear in the future. Are businesses prepared to monitor and stop EDoS attacks? Could a cyber attack or information breach cause a financial panic and damage an already fragile economy?

One answer lies in re-examining the use of the Racketeer Influenced and Corrupt Organizations Act (RICO).[6]  RICO laws can be used to prosecute criminal enterprises. In the case of an EDoS or a disinformation campaign, each individual crime involved may be minor (say multiple small counts of theft or securities fraud), but taken in total, the crimes can be prosecuted under the much tougher RICO statutes.

RICO would also be effective in cases where a government is not directly responsible but remains complicit.  In light of the likely cross-border nature of some cyberattacks, the U.N. Convention against Transnational Organized Crime may provide the legal basis for future international cooperation in this area.[7]

The ease with which modern active measures can be used to damage an organization is the elephant in the room of our economy and our national security policy. Goldman Sachs’ leak shows that militarizing cyber security policy provides inadequate protection. The attack vector used in cyber business crime is often no different than the pathway taken by legitimate business, though the outcome is intended to be damaging.

Due to the complexity of technology and industry, we often see active measures as small, nonthreatening discreet events. Cyber security policy may be better served if it is created openly with input from all interested parties such as business, academia and intelligence. The elephant in the room is that we need to develop a new way of thinking about and dealing with cyber crime.

*   *   *   *

NOTES

[1]  ___S.D.N.Y.___, U.S. v. Aleynikov, Deposition of Michael McSwain, July 4, 2009. Retrieved from http://www.ft.com/cms/5994bb8e-6a5a-11de-ad04-00144feabdc0.pdf.

[2] Hoff, Christopher. Rational Security “A Couple Of Follow-Ups On The EDoS (Economic Denial Of Sustainability) Concept…” January 29, 2009. Retrieved July 25, 2009 from http://rationalsecurity.typepad.com/blog/edos/.

[3] Fisher, Dennis. Security Bytes “Russian cyberwar! Yes, no, maybe so?” August 13, 2008. Retrieved on July 25, 2009 from http://itknowledgeexchange.techtarget.com/security-bytes/russian-cyberwar-yes-no-maybe-so/.

[4] Abrams, Randy. ESET Threat Blog “Cyber war or Cyber hype?” July 10, 2009. Retrieved July 25, 2009 from http://www.eset.com/threat-center/blog/2009/07/10/cyber-war-or-cyber-hype.

[5] See U.S. Department of Justice, Overview of the Law Enforcement Strategy to Combat International Organized Crime, at http://www.justice.gov/ag/speeches/2009/ioc-strategy-public-overview.pdf

[6] Racketeer Influenced and Corrupt Organizations, 18 U.S.C. § 1961–1968.

[7] The UN Convention is available at http://www.uncjin.org/Documents/Conventions/dcatoc/final_documents_2/convention_eng.pdf.

+++++++++++

* Messrs. Burger and Gray are Washington, D.C. area attorneys, who specialize in the area of economic crime, particularly as it relates to Russia.  Mr. Burger is also an Adjunct Professor at the Georgetown University Law Center, where he gives a course on international economic crime & corruption.

5 Responses to "Goldman Sachs’ Code and the Elephant in the Room"

  1. D. Hubb   July 29, 2009 at 1:49 pm

    “Stock Shock” is a movie that explains how the whole naked short selling thing works–and how NSS nearly took us into a second Depression. This movie is worth the DVD price if you are an investor. Amazon has it or stockshockmovie.comInvestors losing money and frustrated with the SEC inaction sent copies of the new movie: “Stock Shock” to their offices and demanded action.

  2. David Ecale   July 30, 2009 at 1:41 pm

    Some notes:1) A programming language is a simplistic construct. It’s just a code that needs to be deciphered. And like any code, the more references & data strings, the more data to cleanly decipher it. Reverse engineering is not impossible, just difficult. (Think differently? Go & read “The Decipherment of Linear B” to see what a clever & determined linguist can do without *any* machine assistance in his part time.)2) The true value of the code is the use of the mathematical algorithms used in the code. These are probably given away by the comments in the source code. Any good group of good mathematitians should be able to recreate these on paper from source & comments & then (with the assistance of good programmers) recreate these in another language.3) The reports state that libraries & etc were also uploaded. These contain key identifiers that will allow a programmer to recreate the driving OS & library set. Binary analysis will also identify the CPU instruction set & thus the type of hardware used. Thus, simply purchase the same type of HW & SW & you have a working starting base.4) The code was on a Linux machine. That would imply the compilers/cross-compilers were also on a Linux machine. … Which would imply YACC (or BISON) & LEX were used to create the compilers. The compiler can probably be recreated from the source. GS probably used massively parallel Intel CPU blade systems running a parallel processing variant of Linux. … There aren’t a lot of these & the libraries will tell which kind in their binaries and the HW type from the executible. OOPS! Just order some from ….5) Don’t forget the chip designer who visited Russia in the early ’80s & was admiring a chip design in a Russian computer when he noticed that ***HIS INITIALS*** were on the chip mask! OOPS! Reverse engineering at it’s finest! Also, don’t forget that great PC called the RED APPLE. Reverse engineering & cloning works.6) The true damage is the loss of the secrecy. Now that the cat’s out of the bag & people know that something can be done, then it can be matched, countered, or defeated. Also, fear of this, itself, also means that the method can no longer be deployed with certainty of success.7) Thus, GS’s “THE FIX IS IN” ain’t no longer so, there will always be doubt for 3 reasons: 1) The code may be used by the competition, or 2) The competition may invent effective counter-measures, or 3) The competition may cease doing business in that puddle & GS’s activity becomes moot & still highly expensive to maintain.8) A true fable: Once upon a time Cray Research, Inc. tried to sell a supercomputer to an India research institute in Bangalore. The US State Dept. said “No!” So, … India created a bunch of PhDs with 1/2 the cash & spent the other 1/2 of the cash & purchased a bunch of SUN SPARC computers & wrote their codes on these systems. … Net result? Those PhDs were available to analyze India’s nuclear tests. THOSE PhDs WOULDN’T HAVE BEEN THERE IF THE COMPUTER EMBARGO HADN’T BEEN IN EFFECT! OOPS! From the WSJ! Go & reaearch it.So, bottom line: 1) People know, 2) They will counter & make the advantage moot, 3) They will turn the tables & bleed GS. … GS is in deep doodoo. … Enjoy.

  3. David Ecale   July 30, 2009 at 1:46 pm

    An added note to decompilation/decipherment:The key to the decipherment of Linear B was when the linguist identified a 3 symbol group placed next to the picture of a tripod. He guessed that the symbols read: Ti-Ri-PODE. The language was an archaic form of Greek. The rest slowly fell into place. (Scholars had been puzzling over Linear B for nearly 50 years. The linguist started as a High School student & it was his hobby.)

  4. Guest   July 30, 2009 at 1:48 pm

    Man, I think you guys (the authors of this article) are a joke. you might as well just be Goldman’s mouth piece…. I’m just surprised to find such an article on this site, makes me doubt the quality of other articles on this site as well, and this is no joke.

  5. jgiesbers   August 1, 2009 at 11:59 pm

    I am all in favor of prosecuting Goldman under the RICO act. It is so obvious that this is a criminal organization. If they did not have their alumni placed throughout the government they would have already been shut down. I guess that makes the government corrupt too. Aren’t you proud of yourself for coming to the defense of poor Goldman Sachs?