Online Thieves Steal America’s Intellectual Property
In the cloak-and-dagger days before the digital age, foreign spies needed the skills of a cat burglar to slip into offices undetected and steal files or sabotage systems. These days? All it takes is the click of a mouse, and it occurs with alarming frequency.
Cyber thieves from foreign countries—mainly China and Russia—infiltrate corporate offices and walk out the digital door with billions of dollars worth of intellectual property: source codes, innovative product designs, proprietary research and confidential information on bids for properties.
“What we’re seeing is a systemic transfer of wealth taking place from the U.S. and other developed countries to countries that don’t necessarily have the same level of respect or laws around intellectual property,” says George Kurtz, the chief executive officer of security technology company CrowdStrike.
It’s not just credit card data these hackers want. They’re seeking to gain an edge in the global marketplace by stealing the intellectual property that is the lifeblood of America’s private sector. Where manufacturing once drove the U.S. economy, now it’s research and development, innovation and ideas. Those ideas are almost entirely in digital form stored on corporate networks, and they are often vulnerable to the viruses and worms deployed by foreign corporate rivals or governments.
“The scope of the attack has changed for corporations from individual hackers and organized crime groups to nation states attacking their core corporate assets to get not just financial gain but intellectual property,” says Joe Tedesco, managing partner of Maryland Cyber Investment Partners, which has been working with businesses that have expertise in protecting the government against cyber attacks. Those cyber businesses are now bringing that expertise to private industry.
A 2011 report to Congress from the Office of the National Counterintelligence Executive, titled “Foreign Spies Stealing U.S. Economic Secrets in Cyberspace,” makes clear the severity of the problem. Economic espionage is “a quiet menace to our economy,” National Counterintelligence Executive Robert “Bear” Bryant said in a statement accompanying the report, adding he sees almost daily examples of “incursions on very, very significant information.”
One of the big wakeup calls was an attack on Google. In January 2010, the Internet search giant disclosed that it had been the target of a cyber attack that originated from China and resulted in the theft of intellectual property. Kurtz, who was then the chief technology officer at McAfee, said that the hackers had gotten away with some of Google’s source code.
Another troubling case: In March 2011, the RSA security division of EMC Corp. revealed it had been the target of an attack that resulted in the theft of data that could have compromised its SecurID tokens. The widely used tokens provide a randomized code that users must enter in addition to the username and password to log onto a computer system or application.
Security professionals also worry about cyber attacks on physical infrastructure. In May, the Department of Homeland Security said that the nation’s natural gas pipeline operators had been targeted in a series of cyber attacks over several months.
In another headline-grabbing case, a highly destructive computer worm known as Stuxnet targeted the Natanz nuclear facility in Iran. The worm, discovered in 2010, was so unusual and advanced that security experts believed it was the work of state-backed professionals. This case has raised concerns about the potential for escalation, with a “son of Stuxnet” perhaps targeting U.S. infrastructure facilities in the future.
“There definitely have been some reasonably sophisticated attacks that are…targeted in such a way that it really does suggest state sponsorship of some kind,” says Robert Richardson, editorial director at Black Hat, which runs one of the nation’s leading security conferences.
The United States has become increasingly concerned that the pace of these attacks is accelerating. On the corporate front, the attacks have been pervasive. Kurtz says that just about every Fortune 1000 company has been compromised. Some of the companies know they’ve been hit. Others just haven’t figured it out yet.
These targeted attacks come at a high price. The FBI estimates that cyber attacks have cost U.S. businesses more than $13 billion in recent years. At the same time, the theft of trade secrets undermines the corporate sector’s ability to create jobs, generate revenue and foster innovation.
While the losses are huge, it is difficult to put a value on intellectual property. Proprietary technologies can cost millions to develop and represent tens or hundreds of millions in potential profits.
In one case cited by the Office of the National Counterintelligence Executive, an employee of the paint company Valspar unlawfully downloaded proprietary paint formulas valued at $20 million, which he intended to take to a new job in China. This theft represented about one eighth of Valspar’s reported profits in 2009, the year the employee was arrested.
New disclosure guidelines from the Securities and Exchange Commission may provide more insight into the scope of the problem. The guidelines, issued in October 2011, make clear that publicly traded companies must report significant instances of cyber theft or attack, or even when they are at material risk of such an event.
“The fact that the SEC put out the guidance on cyber security breaches being material, that is probably going to cause a lot of boardrooms to say, ‘We probably need to insure against this,’” says Bill Wansley, a senior vice president at management and technology consulting firm Booz Allen Hamilton.
Insurance for Cyber Attacks
A number of carriers provide insurance for cyber risks. There are some 29 sources of insurance that make up the core of the cyber risk insurance market, according to the June 2011 Cyber/Privacy/Media Liability Survey from The Betterley Report.
Coverage for privacy exposures falls into three categories, according to Betterley:
- Liability—defense and settlement costs for the liability of the insured arising out of its failure to properly care for private data
- Remediation—response costs following a data breach, including investigation, public relations, customer notification and credit monitoring
- Fines and penalties—the cost to investigate and defend data breaches and settle the fines and penalties that may be assessed. (Most carriers do not provide this coverage, although there can be coverage for the legal cost to respond to the investigation.)
“The insurance market remains very robust for that,” says Robert Parisi, national leader of the network security and privacy practice at Marsh’s FinPro unit. “New carriers are getting into the space almost every quarter, and the existing carriers continue to be very innovative in how they approach the risk.
“They are getting much better at being innovative for the Main Street, mom-and-pop-sized companies,” he says, noting that they are able to offer coverage at a realistic premium for those companies.
While coverage for privacy exposures is widely available, insurance to protect against the loss of intellectual property is very limited.
“There has been, since day one of cyber coverage in 1999 or 2000, the ability to manuscript or endorse on trade secret coverage,” Parisi says.
But for several reasons, he says, there have been few buyers. One reason is that companies are reluctant to disclose their secrets, even to a broker. Carriers also have a hard time understanding how to value trade secrets.
“It’s certainly something there is demand for,” Parisi says. “It’s difficult to underwrite, and it’s difficult to price. Anything that’s difficult to price, the carriers, not surprisingly, will charge more money rather than less, and they’re going to ask more questions rather than less. So they are going to underwrite with an abundance of caution. If there was an efficient way to do so, people would buy this.”
Any business whose networks contain customer credit card information or other personal data, such as Social Security numbers, is at risk of a data breach. But the cyber spies are often seeking other kinds of information, according to the Office of the National Counterintelligence Executive.
Areas of greatest interest include:
- Information and communications technology
- Business information that pertains to supplies of scarce natural resources or that provides foreign actors an edge in negotiations with U.S. businesses or the U.S. government
- Military technologies, particularly marine systems, unmanned aerial vehicles and other aerospace and aeronautic technologies
- Civilian and dual-use technologies in sectors likely to experience fast growth, such as clean energy and healthcare/pharmaceuticals.
Financial institutions, especially large banks, have been prime targets for data breaches because of the wealth of consumer data they keep, such as bank account information and Social Security numbers.
“Financial institutions take it very seriously and already invest quite a bit in cyber security—at least at the big banks,” Wansley says.
Asymmetric Economic Warfare
As corporate America begins to grasp the magnitude of the threat, more companies recognize that many standard security practices are simply inadequate. Kurtz calls it “asymmetric warfare” in which the adversaries (often state-sponsored) have endless time and money at their disposal. Corporate America, meanwhile, is besieged, and businesses do not have the economic resources or technological capability to fight a country, Tedesco says. Only about 10%-15% of companies are actively defending themselves and “thinking like a hacker,” he says. The remaining 85%-90% are doing what’s required of them. But “the basics of compliance are not nearly good enough,” Tedesco says.
One of the keys is for companies to change the paradigm, and if they’re not going to go on the offense, then at least they need to be more strategic about their defense, Kurtz says. It is important, he says, to know who is behind these attacks and what they are after.
Attackers typically fall into several categories. They include organized crime; individuals and hacktivist groups like Anonymous and Lulzsec; and private sector companies, academic and research institutions, intelligence services, and other professionals that are often backed by nation states.
Many of the attacks are still fairly low-tech. In some cases, it’s an insider who already has access to information and steals it to bring to a rival foreign company.
Insider threats, Wansley says, consist of the “witting and the unwitting.” The witting are the insiders who were planted or bought off. In 2006, a Ford engineer copied 4,000 documents to an external hard drive just before he was to start work with a rival company in China, according to the Office of the National Counterintelligence Executive.
The unwitting are those who are tricked by other methods.
“You’d be surprised at what still works. What it boils down to is that a lot of things that shouldn’t work, do. Some of the most effective stuff right now is a complicated version of asking nicely for the password,” Richardson says.
Socially engineered “phishing” scams are a common method. Hackers gather personal information about their targets from social media sites such as Facebook or LinkedIn so that their emails will look as if they are coming from someone the targets know.
Or they will craft the email so that it looks as if it is coming from a trusted vendor. The goal is to get the target to open the email or its attachment, which then launches malware that can reside undetected on the system.
Threats Go Mobile
While security professionals expect cyber attacks to continue, they say the nature of the threat will evolve. Two of the big security issues on the horizon are the potential for attacks on mobile devices and on cloud computing systems.
Underlying this is a cultural shift. People want the freedom to use their own devices and access information anywhere at any time, but this increases the risk of theft of intellectual property via cyberspace. So far, however, attacks on mobile devices are in the “proof of concept” stage, Richardson says.
“For the time being, mobile is relatively safe,” Richardson says. “But a lot of people are working on it from an attack perspective.”
Among smartphones, BlackBerry devices have a reputation for top-notch security because of their strong encryption technology, which has made them popular for use in government. But more fuller-featured smartphones have rapidly gained market share at BlackBerry’s expense. More than half of the smartphones sold worldwide in the third quarter of 2011 were powered by Google’s Android software, according to research firm Gartner, with Apple’s iPhone taking 15% of the market and BlackBerry 11%. Other mobile devices, such as Apple’s iPad, are also being used increasingly in a business setting.
For businesses, Richardson says, cloud services pose more of an immediate security threat.
“It’s very difficult to say whether a given cloud service is secure,” he says, “and there’s the inherent level of concern about trust that’s built into the fact that you are outsourcing to a cloud provider. This is not to say don’t use the cloud, but to think through who am I relying on and what kind of mistakes could they make and what kind of controls do I have in place to catch those mistakes.”
Security professionals say that, with new threats on the horizon, businesses will have to toughen their defenses and find ways to mitigate the risk. For Richardson, the key is to focus on the nuts and bolts of security.
“It’s really much more about the basics of protecting data—understanding where the data is, who has access to it, having policies in place that keep people from having access to it when they shouldn’t,” Richardson says.
Kurtz, however, sees the need for a more aggressive approach that focuses on protecting the most critical intellectual property and slows the pace of attacks. When it comes to targeted attacks, he says, standard malware and virus protections are of little use.
“What we’re saying is we really need to focus on the adversary and…make it more expensive for them on the human side of how they run their operation,” Kurtz says.
Tedesco recommends companies educate their employees to make sure they understand proper security procedures. Hackers are still having too much success getting critical information from unwitting employees, he says.
But the education process extends to senior management as well, he says. Many do not really grasp the severity of the problem.
Tedesco says he believes requirements to disclose cyber attacks will be a catalyst for change. The scope and severity of the attacks, he says, are shocking, and companies will be forced to improve their security to retain consumer trust. It is still easy for companies to underestimate the severity of the problem because the attacker lurks unnoticed, silently doing damage.
“In the industry, you hear people talk about the digital Pearl Harbor. It hasn’t happened. But when it does, everyone will pay attention.”