Tuesday, April 16, 2013

WI med researcher originally accused of espionage (for stealing cancer drug), now indicted under CFAA (full complaint & indictment)

Hua Jun Zhao has been indicted by a grand jury in the Eastern District of Wisconsin for a violation of the CFAA, namely deleting files from a server without authorization. The violation (per the indictment) is of 18 USC 1030(a)(5)(A), 1030(b), and 1030(c)(4)(B). The relevant statutory provisions are:
18 USC § 1030 - Fraud and related activity in connection with computers
(a) Whoever—
        (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(b) Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.
(c) The punishment for an offense under subsection (a) or (b) of this section is—
        (B) except as provided in subparagraphs (E) and (F), a fine under this title, imprisonment for not more than 10 years, or both, in the case of—
                (i) an offense under subsection (a)(5)(A), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused) a harm provided in subclauses (I) through (VI) of subparagraph (A)(i); or
                (ii) an attempt to commit an offense punishable under this subparagraph;
He was also indicted for making materially false statements to a federal agent. The CFAA charge is interesting because the crime originally alleged in the criminal complaint was economic espionage. (Perhaps, at this time, the CFAA charge was all they could make stick.) A summary of the full story is available from multiple media outlets. From the Journal Sentinel in Milwaukee (Medical College of Wisconsin researcher charged with economic espionage: Feds allege anti-cancer compound was stolen for China):
A researcher at the Medical College of Wisconsin has been charged with stealing a possible cancer-fighting compound and research data that led to its development, all to benefit a Chinese university. 
Huajun Zhao, 42, faces a single count of economic espionage, according to a federal criminal complaint, an offense punishable by up to 15 years in prison and a $500,000 fine. 
According to the complaint, Zhao worked as an associate researcher at the college, assisting professor Marshall Anderson by conducting experiments in pharmacology. 
On Feb. 22, Anderson set down three pill bottle-size containers of a cancer research compound called C-25, and later noticed they were missing from his desk. After searching extensively for the bottles, he reported them lost or stolen on Feb. 26. 
On March 1, Zhao met with Anderson, college security and the FBI to go over his computer, hard drive and flash drive, where 384 items related to Anderson's C-25 research were discovered and deleted. He also had some research from another professor in the Hematology/Oncology department, without permission. 
Among Zhao's paperwork, investigators found more C-25 research and a grant application, written in Mandarin, claiming he had discovered the compound and seeking more Chinese funding to continue research. 
Anderson observed the application was identical to one he had submitted years earlier, in English. 
During the same March 1 review, college security informed the FBI that after his suspension on Feb. 27, Zhao had remotely accessed the Medical College servers and deleted Anderson's raw data from the C-25 research, information the college was later able to restore. 
The Journal Sentinel's follow-up story on the indictment: Medical College of Wisconsin researcher indicted, avoids espionage charge.

A few observations: This was a security failure by the Medical College of Wisconsin. While its employees did everything right in seizing the laptop, digging deeper, reviewing surveillance, and getting law enforcement involved, they failed to do one important thing: cut off Zhao's access to particular servers. Thus, after he was escorted off the campus, his login credentials were still valid, and he was able to delete files related to the research and probably files incriminating himself.

This will become an important question under the CFAA, since technically Zhao was still "authorized" (because his account was still active). One could convincingly argue that what happened here isn't a computer crime, but negligence on the college's part in failing to secure its own files. It'll be interesting to see how this plays out.

Quick Reference to Documents:
1. Complaint
2. Indictment

