Security experts paint a bleak, worst-case scenario for Microsoft, the world's largest software company, in light of a recent attack on its source code. Although no one knows the scope or depth of the break-in, experts say it could have profound consequences for Microsoft--and all companies that use its software.
The incident, which may involve organized crime or software piracy groups, could also shape legal guidelines for international cybercrimes. Theft of computer code and database information is becoming an increasingly global phenomenon, often pitting large software companies in North America and Europe against slick crime rings and sophisticated hackers in Russia, China, Southeast Asia, Israel and elsewhere.
"This could become a major corporate and political issue," said Ira Winkler, president of the Internet Security Advisors Group (ISAG). "How much is the U.S. government going to prosecute this person just because he hacked into Microsoft? Who's going to convince Russia or another country to extradite this person, assuming they're not in the United States? If they just hacked the computer and embarrassed Microsoft, how much of a crime is it and how do you punish the person?"
The Microsoft attack started Oct. 14, when an employee--possibly a temporary or contract worker--received email that automatically installed nefarious software into the corporate system.
The software then gave the hacker access to the employee's computer and its protected passwords--and eventually those of other computers in the network. Invaders may have then been able to tweak Microsoft's original source code for Windows, adding "back doors" or other malicious code that provides easy access for future attacks.
Source code is the basic building block of software--a jealously guarded secret at Microsoft and other technology companies, where key assets are intellectual property.
On Friday, Microsoft CEO Steve Ballmer admitted that hackers had obtained access to key programs, but he denied that they had changed the source code.
Still, company actions suggest greater concern: Executives wasted no time in requesting help from the FBI, and a spokesman declared the incident a "deplorable act of industrial espionage."
Experts agree that Microsoft's actions aren't overkill. The consequences of espionage can be staggering.
No empty threat
According to a study by the American Society for Industrial Security (ASIS) and consulting firm PricewaterhouseCoopers, Fortune 1000 companies sustained losses of more than $45 billion in 1999 from the theft of proprietary information--up from mid-'90s estimates from the FBI that pegged the cost at roughly $24 billion a year.
The average Fortune 1000 company reported 2.45 incidents with an estimated loss per incident in excess of $500,000. More troubling: Of the 97 companies that participated in the ASIS survey, 44 reported a total of more than 1,000 separate incidents of theft.
Tech companies reported the majority of those incidents. The average tech firm reported nearly 67 individual attacks. The average theft was pegged at $15 million in lost business.
As a result of the U.S. Economic Espionage Act of 1996, theft of trade secrets is a federal offense with prison sentences of up to 15 years and fines of up to $500,000 for individuals. Domestic thieves who sing to corporate rivals face fines of up to $250,000 and jail sentences of up to 10 years.
But the law hasn't curbed the broader corporate trends that are fueling espionage, especially in the tech sector.
The increasingly global nature of commerce means that more tech companies are setting up shop in places such as China and Japan. ASIS says the "weakest link" in security is often the small sales office in a foreign country, where employees enjoy easy access to the company intranet but have little face-to-face contact with or loyalty to top executives.
According to ASIS, the top five countries cited as security risks are the United States, China, Japan, France and the United Kingdom. Mexico and Russia have the highest increase in spy activity.
Another factor: The tech industry is increasingly becoming an industry of contractors--hired guns who write software or set up Web sites for three months to a year before moving to the next job, often at a rival company. ASIS found that roughly 20 percent of workers at Fortune 1000 companies are temporary or part-time workers.
Microsoft is renowned for its legions of temps and contractors, who have different-colored badges but often enjoy the security clearance of regular staffers.
Pirates, gangsters, saboteurs?
The Microsoft hackers have not yet been identified. But experts are debating at least three theories about their background.
They may be piracy experts planning to create and sell a bootleg version of Windows.
Software pirates don't need access to source code similar to that stolen from Microsoft; they usually copy the software from off-the-shelf products and try to pass off the copies as new with counterfeit packaging, or include it as preloaded software on new computers. But the newest hackers could be eager to get a jump on new Microsoft products before they hit stores.
Citing figures that one in four pieces of software is pirated, Microsoft has given a high profile to its legal maneuvers against software pirates.
This month, the company filed suits against three businesses in the Atlanta area for distributing counterfeit copies of Office 2000, Windows 98 and NT, and the BackOffice server software. Last month, Microsoft sued a number of California computer resellers for allegedly hawking pirated software.
"We face a great deal of piracy everywhere," Microsoft spokesman Ricardo Adame said. "The success of this company is in creating intellectual property, so it's critical for us that it remains secure and protected."
If the attack was piracy-related, the Microsoft incident could result in international legislation on piracy.
Russia and China have long been atop the list of countries with piracy and hacking problems. Weak copyright-protection enforcement, combined with strong educational programs in computer programming and mathematics, has made these nations ideal labs for unauthorized copying and tinkering.
In China, "gray" box computers, or computers containing pirated software, remain fairly common, noted Roger Kay, an analyst with IDC. The market in China "is pretty guilty of that sort of piracy," he said.
Others speculate that the hackers are not pirates but members of an anti-Microsoft group eager to expose damning information about the company, which is in the midst of an antitrust battle that could cleave it into pieces.
After a 78-day trial, U.S. District Judge Thomas Penfield Jackson ruled in June that Microsoft should be broken into two companies. Jackson concluded Microsoft illegally defended its Windows operating system, among other transgressions, and his order is on hold during the appeal.
Eugene Spafford, professor and director of the Center for Education and Research in Information Assurance and Security at Purdue University, speculated the hackers could be looking for information that could help prove the government's case against the software giant.
"This is an extreme situation, but let's say they find code and comments about how this would make the code incompatible with competitors' products," Spafford said. "That would bolster the case the government has been making all along. That could be very damaging."
Another scenario involves hackers tied to organized crime. According to The Wall Street Journal, the Microsoft hackers had an email address based in St. Petersburg, Russia--a hotbed of activity for the Russian mafia.
"Let's say the parties involved are connected to organized crime. They're downloading to look for security flaws and vulnerabilities they could use to raid all organizations running the software," Spafford said. "That could be really damaging and could even prompt significant lawsuits against Microsoft."
At the very least, the attack is becoming a major embarrassment for Microsoft--long a favorite with hackers who seem to enjoy finding security holes in the world's most popular software. And the attack is likely to embroil management at the company's headquarters in Redmond, Wash., for months as security gurus figure out what harm--if any--the intruders wrought.
News.com's Paul Festa and Michael Kanellos contributed to this report.