A Chinese national who was arrested last year for allegedly stealing trade secrets from a computer software company has been indicted on new charges of economic espionage.
Now federal officials say that Xu Jiaqiang, 30, knew that the People’s Republic of China would benefit when he allegedly stole computer source code from a U.S. company.
Though the company has not been identified in court filings, Xu had worked for International Business Machines Corp. in China. He voluntarily resigned from the Armonk-based company in 2014.
Six months later, federal agents began setting a trap that eventually lured Xu to a White Plains hotel, where he was arrested last year.
Xu received a master’s degree in computer science from the University of Delaware in 2009. He did research at the university’s Verified Software Laboratory, which focuses on complex software systems.
He worked for IBM as a system software developer from November 2010 to July 2014, according to his LinkedIn profile, and worked on IBM’s general parallel file system.
Parallel, or clustered, file systems are networks in which files are stored on several servers. They are designed for large, complex systems used by scientists, governments and corporations. The networks are well suited for applications such as video on demand, digital video surveillance and seismic modeling, where users in many places need to quickly update or access files at the same time.
Xu was accused of stealing source code for a clustered file system.
The victim of the theft, widely believed to be IBM, invests millions of dollars a year in research and development for the software, according to a probable cause affidavit written by FBI counterintelligence agent Joseph Altimari. The company makes tens of millions of dollars a year licensing the software.
The FBI spent more than a year setting up a sting operation that snared Xu.
The agency received a report in 2014 that said an individual in China claimed to have access to proprietary source code from a U.S. company and was using the code in a business venture. The FBI identified Xu as the suspect.
In November 2014, an undercover agent contacted Xu by email, posing as an investor starting a large-data storage company.
Xu allegedly responded that he was interested in working with the investor, and he cited his experience working for the U.S. company on a “large scale parallel storage system used in lots of hyperscale cluster systems in the world.”
In March 2015, a second undercover agent began communicating with Xu, posing as a project manager working for the investor.
Xu sent an email with an attachment of sample code that he described as work he had done for the U.S. company, according to the affidavit.
The FBI showed the sample code to an expert at the U.S. company who confirmed that it included the company’s proprietary material.
In April 2015, the agent-product manager recorded a conversation in which Xu allegedly said he had “all the code.” He acknowledged that the software is not “open source,” that is, not publicly available. He said he had “signed some files there,” which the FBI interpreted as an admission that he had signed a confidentiality agreement.
Companies such as IBM closely guard their source code. Only a small number of employees can see it, with approval from an official. Employees must agree in writing, when they are hired and when they leave, to never disclose proprietary information.
“You’ll be fully compensated for anything that you can offer to us,” the agent-product manager told Xu. “At the end of the day, the most important thing is, is we just want a, a good product and that is going to satisfy our needs.”
Xu said he had already used the source code at a technology startup company where he was employed, the affidavit says.
In May 2015, Xu allegedly told the agent-project manager that he could remotely install the software on a small computer network for testing.
In August 2015, the government set up the computer network, using Xu’s specifications, the affidavit says, and Xu remotely uploaded files.
The FBI showed a copy of the files to an expert at the U.S. software company, who said they appeared to contain a functioning copy of the company’s software.
The files, however, did not appear to be the actual licensed software and had not been created on the company’s computer system.
The expert concluded that the files were built by someone with access to the company’s source code, but who was not working for the company.
Source code typically is not part of the licensed software product and is not shared with customers.
On the morning of Dec. 7, 2015, the agent-product manager met Xu at a White Plains hotel. Xu stated that he had used the source code to make software for customers, according to the affidavit. He knew that the source code was the product of two decades of work at the U.S. company. He had used it to build the software he had sent to the undercover agents. He said he could write scripts that would conceal the origins of the source code.
They met again in the afternoon, with the agent-investor. Xu showed a portion of the code on his laptop computer, according to the affidavit, indicating that it had originated with the U.S. company and was copyrighted. He allegedly identified multiple customers of software he had created with the source code.
Xu was arrested and placed in the Westchester County Jail.
On Jan. 5, a federal grand jury indicted him on one count of theft of trade secrets. He pleaded not guilty.
In February, U.S. District Judge Kenneth Karas ordered all records produced by the government – such as computer records, emails, recordings, financial records and expert reports – to be treated as confidential information. He put restrictions on how Xu and his attorneys may use or disclose the information.
On June 14, a grand jury indicted him on new charges: two more counts of theft of trade secrets and three counts of economic espionage.
Xu stole the source code for the benefit of China’s National Health and Family Planning Commission, according to the superseding indictment. The indictment does not explain how the commission, known for enforcing China’s one-child policy, is connected to Xu or how it benefited from Xu’s alleged actions.
The indictment also does not say whether a price was discussed or money exchanged for the source code or software.
Xu pleaded not guilty.
If convicted, he could face up to 15 years in prison for each espionage charge and 10 years for each trade secret violation.
Attempts to get comments from Xu’s attorneys at Alston & Bird LLP in Atlanta were unsuccessful. His 2009 faculty adviser at the University of Delaware, as well as classmates from 2007 to 2009, did not respond to email requests for information about Xu’s student years in the U.S. IBM did not respond to a request for comment.
Economic espionage “crushes the spirit of innovation and fair play in the global economy,” U.S. Attorney Preet Bharara said in a press release.
Assistant Attorney General John P. Carlin said in the same press release, “Those who steal America’s trade secrets for the benefit of foreign nations pose a threat to our economic and national security interests.”