IBM Employee, Linux Kernel Hacker, Charged with Spying for China
The U.S. Department of Justice filed charges against a 30 year-old IBM employee who absconded with source code IBM uses to manage cloud software.
Six months after arresting an IBM employee on suspicion of committing economic espionage, the U.S. government unveiled a six count indictment against Xu Jiaqiang, saying the 30 year old intended to sell the software to a government agency of the People’s Republic of China.
The expanded charges against Xu Jiaqiang were announced on Tuesday by Assistant Attorney General for National Security John P. Carlin and U.S. Attorney Preet Bharara of the Southern District of New York following his arrest on Dec. 7, 2015 on a single charge of “theft of trade secrets.”
According to reports, Xu worked for IBM from November 2010 to May 2014 as a system software developer for IBM’s General Parallel File System (GPFS), a high-performance file system used mainly in clustered cloud hosting environments and with supercomputers.
According to a statement released by the Justice Department, Xu was one of a small number of employees within IBM who was given access to the source code of GPFS and was required to acknowledge that it was proprietary information. Nevertheless, the developer made his own copy of the code and then modified it to obscure the origin of the software.
Xu then resigned from IBM in May 2014 and began communicating with undercover FBI agents who he believed to be financial investors aiming to start a large-data storage technology company. Xu offered to further modify the software to conceal its origins, and claimed to have done so for a number of other companies he had sold the software to.
Subsequent meetings had Xu showing the agents copies of the IBM source code on his own laptop and acknowledging that the underlying code was stolen.
“Xu allegedly stole proprietary information from his former employer for his own profit and the benefit of the Chinese government,” said Assistant Attorney General Carlin. “Those who steal America’s trade secrets for the benefit of foreign nations pose a threat to our economic and national security interests. The National Security Division will continue to work tirelessly to identify, pursue and prosecute any individual who attempts to harm American businesses by robbing them of their valuable intellectual property.”
A profile on the social networking website LinkedIn that appears to belong to Xu lists him as a resident of Beijing, China and a 2007 graduate of Huazhong University of Science and Technology in China as well as a 2009 graduate of University of Delaware, where he received a Master of Science. Xu worked for IBM from November, 2010 to July, 2014 on the GPFS platform and describes himself as a “Linux kernel hacker” who worked on a variety of aspects of the GPFS system including kernel memory management.
According to the DOJ, however, Xu was working for the benefit of China’s National Health and Family Planning Commission, a government agency that oversees health services, family planning and health education.
Xu faces three counts of economic espionage, which each carry a maximum sentence of 15 years in prison. He was also charged with three counts of theft of a trade secret, which each carry a maximum sentence of 10 years in prison, the DOJ indicated.
The theft of trade secrets has become a major point of contention between the U.S. and China, articulated at the highest level of government. In September, 2015, the two countries reached an agreement to stop engaging in economic espionage in cyberspace, though allegations that such activity continues have persisted.
Paul F. Roberts is the Editor in Chief of The Security Ledger and Founder of The Security of Things Forum, a one-day security and Internet of Things event that takes place on September 22 in Cambridge, MA.