Thales Blog

Intellectual Property Wars: State Sponsored Cybercrime

February 28, 2012

It is often easy to categorize data thieves as individual criminals seeking to steal personally identifiable information in order to commit financial or identity fraud. Lately, many breaches have been the result of concerted ideological campaigns perpetrated by hacktivist groups. However, it cannot be forgotten that American companies now find themselves in the midst of a cyber-war, often sponsored by countries seeking to improve their own competitive posture by stealing corporate secrets. An intelligence report released by the United States in 2011 publicly accused Russia and China of actively stealing US corporate secrets. Specifically, the report states, “We judge that the governments of China and Russia will remain aggressive and capable collectors of sensitive US economic information and technologies, particularly in cyberspace.”

Although external network intrusion is certainly a major risk with respect to cyber warfare, trusted insiders pose an increasing threat. In 2009, Dongfan Chung was convicted of possessing sensitive documents for the benefit of China. Chung was employed as an engineer at Boeing and was found to be in possession of more than 300,000 sensitive documents related to a fuel system for a booster rocket. He had worked at Boeing and Rockwell Industries for 30 years and had apparently been misappropriating corporate secrets for at least five of those years. Additional recent stories involving trusted insiders include David Yen Lee, a chemist for Valspar; Meng Hong, a research chemist at DuPont; and Mike Yu, a product engineer at Ford. Reports put the cost of corporate cyber-espionage at more than $400 Billion USD and indicate that one company lost one-eighth of its annual profit to Chinese cyber-criminals. Given this information, it is advisable for companies to take the threat of economic espionage seriously.

Some may feel that certain companies are not at risk because of the industries in which they operate or the products they produce. The data demonstrates, however, that companies in any industry can be at risk. The goal of cyberwar is not simply to steal weapons or military data. It is to disrupt the economics of the target country. One of the companies discussed, Valspar, a paint company, was the target of Chinese cyber-espionage. A paint company would not seem to be, at first blush, an attractive target for cyber-espionage, but the company lost a significant portion of its annual profit. By disrupting companies to such a degree, the Chinese state is seeking to unsettle the whole of the US economy. Therefore, it must be understood that any company can be a target. Once that idea becomes clear, companies can begin to seriously devise data protection strategies for their secrets.

Another major paradigm shift for many companies is the notion that the “trusted insider” cannot be assumed to exist. Protections and access controls must be in place, enforced, and robust for all levels of access and regardless of who the employee in question might be. According to Symantec’s December 2011 report, “Subjects take the data they know, work with and often feel entitled to in some way. In fact, 75% of insiders stole material they were authorized to access.”

Using the Federal Bureau of Investigation’s six steps to protecting corporate secrets, one can evaluate the current cyber-war environment.

  1. Recognize there is an insider and outsider threat to your company – Insiders are accounting for an increasing percentage of corporate thefts. In today’s global environment, outsiders are aggressively targeting insiders with access to corporate secrets. This development, coupled with the rapid advancement of malware and Trojan technology, can pose significant risks to any company. For that reason, the use of robust access controls, strong encryption and unified encryption key management are critical weapons in the data protection arsenal.
  2. Identify and valuate trade secrets – A major deficiency in protecting key trade secrets is found in not being able to accurately identify those secrets or know what their worth might be. It is of vital importance to know exactly what is considered a trade secret by the company and take appropriate actions to protect that information. Oftentimes, risk assessments are conducted to determine the damage to the company should the data be lost. In order to do this, the company should know an approximate value of those secrets. Only then can one put in place protections that are commensurate with the risk.
  3. Implement a proactive plan for safeguarding trade secrets – Thanks to an increase in government and industry regulation around the protection of customer data, companies are taking a more proactive stance in the protection of personally identifiable information. Increasingly, companies are transferring that same proactive approach to safeguarding company information. Such an approach can be very useful, and at the same time, leveraging controls and technologies that are already in place around customer data can help make the protection of corporate data more efficient.
  4. Secure physical and electronic versions of your trade secrets – Obviously, policies and procedures are not enough to ensure the security of corporate secrets. Electronic versions of data should be protected with strong encryption and key management. In that same vein, companies are advised to ensure that hard copy data is protected. This includes ensuring documents are secured in locked cabinets or drawers, enforcing “clean desk” policies, and following appropriate information disposal processes, among other practices.
  5. Confine intellectual knowledge on a "need-to-know" basis – The importance of access controls cannot be overstated. It is important to ensure that only those individuals who must access information in order to complete their job functions are granted access to the data. Further, all access should be monitored, and strange or anomalous behavior should produce alerts to the Information Security Team.
  6. Provide training to employees about your company's intellectual property plan and security – In order to protect data, it is important that all company employees understand what their obligations to the company are with respect to confidentiality. The Symantec report indicates that “most insider IP theft was discovered by non-technical versus technical employees. For example, coworkers reported suspicious behaviors, the former employee was noticed marketing a product or service similar to his former project, or a customer notified the business that they had been approached by the former employee. Sometimes the company involved was unaware of the theft until law enforcement notified them after discovering it during a related investigation.” Ensuring that employees have adequate training and awareness can help alert companies to potential IP theft incidents.

It’s unfortunate that corporate espionage and cyber-war are a fact of business today. While it is not possible to eradicate the threat completely, companies can take steps to increase their protections against cyber-espionage. Whether the result of state-sponsored cyber-war or simply the result of a disgruntled employee, the impact of intellectual property theft can be devastating. Taking appropriate steps to protect that data can have an impact not only on the business, but also on the economic health of the country as a whole.