For your crown jewels, you must control access as if the life of your business depended on it. Because it does.
It was late 2010. The technician, an American in northwestern China, was performing a software check on a wind turbine when he noticed something strange. After the diagnostic program finished running, the turbine was supposed to stop. But this time the blades kept spinning. The same thing happened at the next turbine at the wind farm. And the next, and the next.
Back at the headquarters of American Superconductor Corporation near Boston, the news confirmed executives’ worst fears. Their biggest customer, Sinovel, a Chinese wind farm company financed in part by the government, had recently refused to pay an outstanding bill and had canceled all future orders, citing what it claimed was poor quality and performance of AMSC’s software. That software had supplied the brains for Sinovel’s massive turbines, enabling an efficient flow of electricity into China’s electric power grid. But Sinovel had decided to build its own controller software and had already begun to install it.
The relationship had started out so well just four years before. Following the enactment of China’s first clean energy law, Sinovel had been launched to supply wind power to vast stretches of the country, and ultimately abroad. AMSC, originally formed to apply futuristic superconductor technology to high voltage transmission networks, had pivoted to the more mundane but still complex and profitable business of wind turbine controllers. Their agreement was heralded by the companies in a joint announcement as an “example of Sino-U.S. cooperation in the new energy area,” and both companies became wildly successful in a very short time.
As happens so often, the bilateral enthusiasm was overtaken by greed as Sinovel found a way to eliminate its partner from the business. AMSC had sent a team to China to help support Sinovel. Among them was a programmer named Dejan Karabasevic, a Croatian from AMSC’s Austrian subsidiary. Recently demoted from the design group, Karabasevic was unhappy – and vulnerable.
Sinovel encouraged him to leave AMSC, promising to pay him a million dollars over five years (along with an apartment, and, reportedly, a prostitute). His advance was only 15,000 euros, but it did the trick. Karabasevic resigned, but his supervisor asked him to stay on for a while, with full access to the company’s systems. This allowed him time to create a bootleg version of the AMSC controller software, and to transfer it to his future employer in China.
This was the software that evaded the AMSC technicians’ diagnostic tools and allowed the windmills to keep turning when they should have turned off. It would be some months before the company learned about its former employee’s treachery, but in the meantime it had lost almost 90% of its revenue, shed a billion dollars in shareholder equity, and had to lay off 700 employees.
A flurry of lawsuits followed, in China, the U.S. and Austria. Karabasevic quickly confessed and spent a year in jail but cooperated in AMSC’s pursuit of Sinovel.
In 2013 the Department of Justice joined in, indicting Sinovel and two of its Chinese employees. On January 24, 2018, after an 11-day jury trial, the defendants were convicted in Wisconsin federal court of conspiracy, wire fraud and theft of trade secrets under the Economic Espionage Act. On July 3 AMSC and Sinovel announced a settlement totaling $57.5 million, including a license for Sinovel to use the AMSC technology in its current model turbines. Within a week the judge sentenced Sinovel to a year’s probation, on condition that it pay the agreed amount.
Analysts have pointed out that Sinovel’s available cash had dwindled to less than $100 million, so the outcome was probably a good deal for AMSC under the circumstances. But after six years of litigation and proven losses of over $550 million, this was a “victory” only in a very relative sense.
What lessons can be drawn from AMSC’s experience dealing with a business partner that stole its most valuable information assets? The most obvious is probably not to let enthusiasm mask obvious risks when relying on one customer, particularly in a foreign country. When you are that exposed, your trade secret protection systems need to be proportionately robust.
Of course, you can also reduce risk of theft by continuous improvement of your technology, proving to your customer the futility of trying to compete. But for your crown jewels, you must control access as if the life of your business depended on it. Because it does.
Always remember that insiders (employees, embedded contractors and temporary workers) account for 90% of information loss. Be aware of circumstances that could turn their loyalty around, and manage accordingly. Don’t keep people on after they resign without carefully assessing the risk of their maintaining access to your systems and what you can do to mitigate that risk. More broadly, use data loss prevention software that can alert you to potential problems through real-time analysis of unusual behavior by those with trusted access.
And if you suspect actual espionage, call the FBI. There’s nothing to concentrate the mind like possible jail time.