Cyberespionage and Intellectual Property Theft

Submitted By mwd9462

Cyber-espionage and Intellectual Property (IP) theft: An overview of the rising threat and the potential responses by both the U.S. Government and U.S. Businesses

Matthew Doyal
Kennesaw State University
Spring 2014
IS 8200 – Legal & Ethical Issues in IS

Abstract

Society and business have become increasingly dependent upon data in a constantly connected world where everything that is said and done online leaves behind a massive, ever-growing bread-crumb trail of information. With this ever larger quantity of data being transmitted on a range of devices, and with third-party service providers increasingly relied upon to store it, the threat of loss of confidential and sensitive data continues to expand exponentially (Online Trust Alliance, 2014, p. 3). “Breaches and data loss incidents have become a fact of life for organizations of every size and throughout the public and private sectors” (Online Trust Alliance, 2014, p. 4), making no organization immune. Given the growth of data and, therefore, of data breaches, the threat to the U.S. economy and individual U.S. businesses from trade secret theft is real and growing; therefore, a multi-pronged approach must be implemented by the public and private sectors alike. “Businesses must do their part to harden their cyber defenses, but the “take-home message here is that protecting IP from ‘them’ is an incomplete and inadequate strategy—understanding that ‘we’ are sometimes our own enemy is important to building good policy and practice for defending the crown jewels” (Verizon DBIR Snapshot, 2012, p. 3). However, to avoid continued, significant and irreversible harm to U.S. companies and the overall economy, robust public policy tools—including in particular trade tools—must also be utilized to raise global standards and enhance deterrence against this growing threat” (Calia et al., 2013, p. 19).

Background: The Explosion of Data and Data Breaches

Society and business have become increasingly dependent upon data in a constantly connected world where everything that is said and done online leaves behind a massive, ever-growing bread-crumb trail of information. With this ever larger quantity of data being transmitted on a range of devices, and with third-party service providers increasingly relied upon to store it, the threat of loss of confidential and sensitive data continues to expand exponentially (Online Trust Alliance, 2014, p. 3). “Breaches and data loss incidents have become a fact of life for organizations of every size and throughout the public and private sectors” (Online Trust Alliance, 2014, p. 4), making no organization immune.

The evidence of this widespread lack of organizational immunity can be seen in the Verizon 2013 Data Breach Investigations Report (DBIR), which “combines the efforts of 19 organizations: law enforcement agencies, national incident-reporting entities, research institutions, and a number of private security firms” (Verizon Executive Summary, 2013, p. 2). The 2013 DBIR analyzed “more than 47,000 reported security incidents and 621 confirmed data breaches” (Verizon Executive Summary, 2013, p. 3) and “found that 78 percent of initial intrusions into corporate networks were relatively easy” (Westervelt, 2013, para. 4) to carry out, with lost or stolen passwords at the core of the majority of breaches. As noted by Westervelt (2014), “organizations are falling asleep at the wheel, failing to proactively monitor or properly configure existing security systems and address common weaknesses being targeted by cybercriminals” (para. 1).

The rise of Cyber-espionage and Intellectual Property (IP) theft

While financial motivation remains one of the main drivers of data breaches by cybercriminals, concerns about cyber-espionage and intellectual property theft have intensified over the past few years, particularly in regard to trade secrets, and these threats have begun to account for a significant number of data theft incidents. “While such threats are not new, rapid technological advances resulting in greater connectivity and data storage and more globalized supply chains have increased the opportunity - and potentially, the payoff – to breach corporate networks and acquire sensitive corporate data” (Calia, Fagan, Veroneau, Vetere, Eichensehr, Cilluffo & Bechner, 2013, p. 3).

Espionage can take a number of forms; however, this paper will only review and discuss the following two specific forms of espionage, Economic and Corporate/Industrial, as they tend to involve the acquisition of a private enterprise’s intellectual property, namely in the form of trade secrets. According to Fidler (2013), “economic espionage involves a state’s attempts to acquire covertly trade secrets held by foreign private enterprises and “corporate espionage” or “industrial espionage” describes a company’s illegal acquisition of another company’s trade secrets with no government involvement” (Fidler, 2013, para. 2). Many countries around the globe, including the U.S., have considered economic espionage important to national security and economic development, and only recently, as societies have become increasingly dependent on cyber technologies, has economic cyber espionage been identified as a growing threat (Fidler, 2013, paras. 2-3). Fidler (2013) goes on to note that a controversy erupted in early 2013 after Mandiant, a U.S. cyber-security firm, released a report asserting “that the Chinese military was using cyber technologies to procure trade secrets from foreign companies” (Fidler, 2013, para. 1).

“Trade secrets comprise an average of two-thirds of the value of firms’ information portfolios, and that percentage rises to 70 to 80% for knowledge-intensive industries, such as manufacturing, information services, and professional, scientific, and technical services” (Calia et al., 2013, p. 3). With this fact in mind, one can see how cyber-espionage has had a devastating economic effect, which is estimated to account for annual losses for U.S. companies of $250 to $300 billion (Corbin, 2013, para. 4). In 2012, Verizon began including in the Data Breach Investigations Report (DBIR) information on breaches resulting from state-affiliated cyberespionage attacks, which accounted for 20 percent of the data breaches covered by the report that year, with over 95 percent originating from China (Constantin, 2013, paras. 3-4).

People naturally think that their company and industry should not consider IP theft as a threat. According to Verizon’s research documented in the Threat Landscape Manufacturing, Services, and Technology report, 51 percent of all IP thefts involve state-affiliated espionage and cover a wide range of industries (Verizon Research Report, 2013, p. 1). Insider assistance, whether malicious or accidental, is commonly leveraged in IP data breaches. Malware and hacking techniques are the most common attack vectors when an attacker cannot get insider assistance (Verizon Research Report, 2013, p. 2). An alarming fact presented in the research report is that “62% of these attacks took months — or even years — to detect”, allowing thieves plenty of opportunities to snoop around and get what they want. As if the amount of time elapsed between the breach and the detection were not alarming enough, according to the report “79% of IP thefts were only detected by external parties — such as law enforcement, fraud detection or even customers” (Verizon Research Report, 2013, p. 3).

Potential responses by the U.S. Government and U.S. Businesses

“There’s no silver bullet that can guarantee protection against IP theft” (Verizon Research Report, 2013, p. 3). “The diversity, complexity, and ingenuity of tactics preclude a one-size-fits-all solution” (Verizon Research Report, 2013, p. 3); however, given these facts, governments and companies must be more proactive in addressing these threats and in doing so should consider implementing the recommendations provided below.

For its part, the U.S. government should utilize trade policy tools to elevate the importance of trade secrets protection since it is “more advanced than in most of the rest of the world with both civil and criminal provisions addressing trade secret theft; thereby, raising global standards and promoting more effective deterrence” (Calia et al., 2013, pp. 5-6). For instance, Fidler (2013) notes “some experts have argued that the United States should use international trade law’s protections for intellectual property against countries engaged in economic cyber espionage” (Fidler, 2013, para. 10) as well as “to impose trade sanctions on countries engaged in economic cyber espionage and justify the sanctions under national security exceptions in WTO agreements” (Fidler, 2013, para. 13). In addition to trade policy, the U.S. government “should also improve internal coordination among agencies with responsibility for cyber-security and the protection of trade secrets” (Calia et al., 2013, p. 6).

“As for U.S. businesses the first line of defense against trade secret theft is a company’s own protection program” (Calia, Covington & Burling LLP, Eichensehr, Fagan, Veroneau & Vetere, 2013, para. 20). “Rather than viewing them as cost centers or burdens on a business, organizations may more appropriately view expenditures on strong security technologies and the adoption of strong security procedures as important investments to preserve and enhance value” (Calia, Covington & Burling LLP, Eichensehr, Fagan, Veroneau & Vetere, 2013, para. 20).

Given this view, a few recommendations from the Verizon Threat Landscape Manufacturing, Services, and Technology research report are provided below (Verizon Research Report, 2013):

1. “Use pre-employment screening to help reduce the risks of internal problems later. And don’t give users more privileges than they need.
2. “Educate employees about social engineering. We often see users clicking on links they shouldn’t and opening attachments received from unidentified senders. Consider rewarding users to create the incentives necessary for vigilance.
3. “Implement time-of-use rules and “last logon” banners.
4. “Consider two-factor authentication, IP blacklisting, and restricting administrative connections (e.g., only from specific internal sources).
5. “Monitor and filter network egress traffic. By understanding and controlling outbound traffic you will greatly increase your chances of mitigating malicious activity.
6. “Enable application and network logs and monitor them. All too often, evidence of events leading to breaches was available but it was neither noticed nor acted upon.
7. “Identify what’s critical and what constitutes normal behavior, and then put mechanisms in place to sound the alarm upon deviations from expected norms.
8. “Focus on the obvious things rather than the minutiae. A simple script that counts log file length and alerts administrators to exceptions can be pretty effective and save time, effort and money” (p. 3).
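Recommendations 7 and 8 can be sketched as follows. This is an added example, not code from the Verizon report or from the original essay: it counts lines per daily log file and flags days whose volume departs from a rolling median baseline in either direction. The window size, threshold, spread floor and sample counts are assumptions constructed for illustration.

```python
"""Log-volume exception check: count lines, compare with a rolling baseline."""
from statistics import median


def count_lines(path):
    """Count lines in a log file without reading it all into memory."""
    with open(path, "rb") as fh:
        return sum(1 for _ in fh)


def volume_exceptions(daily_counts, window=7, k=5.0, floor=0.05):
    """Flag days whose line count departs from 'normal'.

    daily_counts: list of (day, line_count) in chronological order.
    Normal is the median of the previous `window` days. The allowed
    deviation is k times the median absolute deviation (MAD), with the
    spread floored at `floor` * baseline so that a very flat history
    does not alert on trivial changes. All defaults are assumptions.
    """
    alerts = []
    for i in range(window, len(daily_counts)):
        day, count = daily_counts[i]
        history = [c for _, c in daily_counts[i - window:i]]
        baseline = median(history)
        mad = median(abs(c - baseline) for c in history)
        spread = max(mad, floor * baseline, 1.0)
        if abs(count - baseline) > k * spread:
            # A drop matters as much as a spike: logging may have been
            # switched off or a file truncated.
            kind = "spike" if count > baseline else "drop"
            alerts.append((day, count, baseline, kind))
    return alerts


# Constructed sample: lines per day in one authentication log.
SAMPLE = [
    ("2014-03-01", 10120), ("2014-03-02", 9980), ("2014-03-03", 10310),
    ("2014-03-04", 10050), ("2014-03-05", 9890), ("2014-03-06", 10200),
    ("2014-03-07", 10010), ("2014-03-08", 10090), ("2014-03-09", 41250),
    ("2014-03-10", 10130), ("2014-03-11", 312), ("2014-03-12", 10040),
]

if __name__ == "__main__":
    # In production, build daily_counts with count_lines() on each
    # rotated log file instead of using the embedded sample.
    for day, count, baseline, kind in volume_exceptions(SAMPLE):
        print(f"ALERT {day}: {kind}, {count} lines vs baseline {baseline}")
```

Using the median rather than the mean keeps one anomalous day from shifting the baseline that the following days are judged against.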

Another important step that businesses can take is ensuring they know what information within the organization constitutes Intellectual Property (IP), where in the organization it is stored, and how it is protected. “At a basic level, this may involve taking an inventory of information assets and estimating their value while reviewing what an organization's incident response plan would involve to help determine a simple approach for estimating breach clean-up costs” (Shey, 2013, para. 8). “At an advanced level, an analysis of the value of an organization's information assets via the estimated benefits derived from, and costs associated with, the loss of an asset will provide a more disciplined approach and framework for prioritizing security spending as the goal of this exercise is to identify the value of an information asset, and then determine if the current effort and costs to protect it are adequate given its value to the organization” (Shey, 2013, para. 9). Verizon’s basic advice is to “learn what threats and failures most often affect organizations like yours, adopt a common sense, evidence-based approach to managing security and then make sure your security posture puts you in a position to thwart them” (Verizon DBIR Snapshot, 2012, p. 7).

Conclusion

As noted by the Online Trust Alliance (2014), “worldwide we are becoming a data-driven society and with the explosive growth of big data, mobile devices and reliance of cloud service providers, it is vital that business leaders focus on data stewardship as a key corporate priority and responsibility” (Online Trust Alliance, 2014, p. 25). Since “data loss incidents can occur in businesses of all sizes, non-profits, educational institutions and government organizations it is prudent to assume that over time, all businesses will suffer a breach or loss of data” (Online Trust Alliance, 2014, p. 25). Given the growth of data and, therefore, of data breaches, the threat to the U.S. economy and individual U.S. businesses from trade secret theft is real and growing; therefore, a multi-pronged approach must be implemented by the public and private sectors alike. “Businesses must do their part to harden their cyber defenses, but the “take-home message here is that protecting IP from ‘them’ is an incomplete and inadequate strategy—understanding that ‘we’ are sometimes our own enemy is important to building good policy and practice for defending the crown jewels” (Verizon DBIR Snapshot, 2012, p. 3). However, to avoid continued, significant and irreversible harm to U.S. companies and the overall economy, robust public policy tools—including in particular trade tools—must also be utilized to raise global standards and enhance deterrence against this growing threat” (Calia et al., 2013, p. 19).

References

Calia, K., Covington & Burling LLP, Eichensehr, K., Fagan, D., Veroneau, J., & Vetere, G. Law360, (2013). What Gov'ts and Cos. Can Do To Fight Cyberespionage. Retrieved from Portfolio Media, Inc website: http://www.cov.com/files/Publication/86d1282f-917c407d-91bb-037421a55a1c/Presentation/PublicationAttachment/5798d4cf-3f1c-447c907e-0995d4eab1eb/What_Govts_And_Cos_Can_Do_To_Fight_Cyberespionage.pdf

Calia, K., Fagan, D., Veroneau, J., Vetere, G., Eichensehr, K., Cilluffo, F., & Bechner, C. (2013). Economic Espionage and Trade Secret Theft: An Overview of the Legal Landscape and Policy Responses. Retrieved from http://www.gwumc.edu/hspi/policy/Economic Espionage and Trade Secret Theft - September 2013.pdf

Constantin, L. (2013, April 23). Verizon: One in Five Data Breaches are the Result of Cyberespionage. PCWorld. Retrieved from http://www.pcworld.com/article/2036177/one-in-five-data-breaches-are-the-result-ofcyberespionage-verizon-says.html

Corbin, K. (2013, July 10). Economic Impact of Cyber Espionage and IP Theft Hits U.S. Businesses Hard. CIO. Retrieved from http://www.cio.com/article/736132/Economic_Impact_of_Cyber_Espionage_and_IP_The ft_Hits_U.S._Businesses_Hard

Fidler, D. (2013, March 20). Economic Cyber Espionage and International Law: Controversies Involving Government Acquisition of Trade Secrets through Cyber Technologies. American Society of International Law Insights, 17(10). Retrieved from http://www.asil.org/insights/volume/17/issue/10/economic-cyber-espionage-andinternational-law-controversies-involving

Online Trust Alliance (OTA). (2014). 2014 Data Protection & Breach Readiness Guide. Retrieved from Online Trust Alliance website: http://www.otalliance.org/resources/incident/2014OTADataBreachGuide.pdf

Shey, H. (2013, March 21). Protect Intellectual Property with Data Breach Prep, Cost Analysis. TechTarget. Retrieved from http://searchsecurity.techtarget.com/tip/Protect-intellectualproperty-with-data-breach-prep-cost-analysis

Verizon. Verizon Enterprise Solutions, Verizon RISK Team. (2012). DBIR Snapshot: Intellectual Property Theft. Retrieved from Verizon website: http://www.verizonenterprise.com/resources/reports/rp_dbir-industry-snapshotintellectual-property-theft_en_xg.pdf

Verizon. Verizon Enterprise Solutions, Verizon RISK Team. (2013). Executive Summary 2013 Data Breach Investigation Report (ES15581). Retrieved from Verizon website: http://www.verizonenterprise.com/resources/reports/es_data-breach-investigationsreport-2013_en_xg.pdf

Verizon. Verizon Enterprise Solutions, Verizon RISK Team. (2013). Research Report Threat Landscape Manufacturing, Services and Technology. Retrieved from Verizon website: http://www.verizonenterprise.com/resources/factsheets/fs_dbir-industries-manufacturingservices-technology-threat-landscape_en_xg.pdf

Westervelt, R. (2013, April 22). Verizon Data Breach Report Finds Employees At Core Of Most Attacks. Retrieved from http://www.crn.com/news/security/240153344/verizon-databreach-report-finds-employees-at-core-of-most-attacks.htm

Westervelt, R. (2014, February 26). Verizon 2014 Data Breach Report: The bad guys are winning. Retrieved from http://www.crn.com/news/security/300071871/verizon-2014data-breach-report-the-bad-guys-are-winning.htm/pgno/0/1?itc=nextpage
