Economic espionage -- sometimes called industrial espionage -- is the theft of a company's intellectual property, know-how or trade secrets. The loss of industrial information and IP through cyberespionage constitutes the "greatest unwilling transfer of wealth in history," Gen. Keith Alexander, formerly commander of the military's Cyber Command, told the Senate Armed Services Committee in 2013.
The global information footprint is growing at a speed never seen before, making it increasingly hard to protect intellectual property. There are thousands of exabytes of new data created every year and information volumes are growing exponentially.
Compounding matters, some organizations fallaciously believe that because storage is relatively cheap, they can -- and even should -- keep everything forever. Sound familiar?
How big is the problem?
In recent years, the misappropriation of U.S. companies' trade secrets has also grown uncontrollably. According to the Department of Commerce in an update to its 2012 report "Intellectual Property and the U.S. Economy: Industries in Focus," IP accounted for $6.6 trillion in value added in 2014, or 38.2% of U.S. GDP.
Stolen trade secrets cost the U.S. between $225 billion and $600 billion per year, the National Bureau of Asian Research estimated in its 2017 update to its "IP Commission Report." IP alone accounts for more than 45 million U.S. jobs and more than 50% of all U.S. exports, according to the U.S. Patent and Trademark Office's "Intellectual Property and the U.S. Economy: 2016 Update." As of 2016, the number of FBI investigations into possible economic espionage of U.S. businesses had increased by 53% within the previous year, according to Randall Coleman, formerly the executive assistant director of the FBI's criminal, cyber, response and services branch and now CSO at Caterpillar, as cited in GovCon Wire.
There are typically two ways company IP is stolen. First, an employee or other insider with access to company information misappropriates it. Measures to protect intellectual property from this type of theft include limiting access, enforcing credentials, applying more robust digital rights management, compartmentalization of information and training, among other things.
The second and more prevalent way IP is being stolen is by cybercriminals exploiting chinks in the IT armor and stealing private information. Fixing this problem requires not only keeping the bad guys out through enhanced IT security and content control -- perhaps through encryption or other technologies -- but also engaging IT security and other technology pros in new ways as discussed in the following sections.
What can you do?
Mitigate risk by making a smaller pie. Contrary to popular belief, more is not always merrier, and that's especially true when trying to protect intellectual property. The bigger the data pile is, the greater the privacy, security and litigation risk.
Privacy laws generally require organizations keep less information for shorter periods of time (see Storage magazine's February 2018 feature on complying with the General Data Protection Regulation). Information security realities similarly advance the notion that more information is tougher to lock down and secure, thereby increasing risk of loss. If your organization has been involved in a lawsuit, you know that large information troves mean more work, effort, money and risk when unearthing everything that's potentially relevant. They also may force settlement to pre-empt discovery, because the process would be so disruptive and expensive.
The following are two things that can help solve the problem:
- Limit the creation of new data piles by developing and applying rules upfront to new IT applications that will promote proper destruction of information. For example, a rule might dictate that data in a particular system is non-record, and that data will be automatically purged after a specified date.
- Clean up data piles through defensible destruction and rightsizing your information footprint. Defensible destruction of information requires assessing legal requirements and business needs of that information. Analytics and classification technology can be helpful in making decisions about what to destroy, though human evaluation also is essential in augmenting destruction.
Clear and defensible policies. Policies tell employees what's expected of them. They also tell the outside world you care enough about a topic to seek to regulate it. If you're going to be able to take action against employees misappropriating company trade secrets, you must have clear policies prohibiting theft. They will only work against employees or insiders who steal and likely won't stop a state actor or other cybercriminals with whom your organization has no connection. But they should be in place nonetheless.
Share to win. Companies don't like to talk about getting hacked and having their information stolen for good reason; it draws negative attention from customers, media and regulators. IT security failures raise questions about management not doing its job or IT leadership failing to keep the bad guys out. They also tell other bad guys about inadequate security, which could invite further cyberattacks.
That needs to change, however, and this may help: On Dec. 18, 2015, the Cyber Information Sharing Act became law. Legislators designed the law to create a voluntary cybersecurity information-sharing process that encourages public and private entities to share cyberthreat information while protecting classified information, intelligence sources, privacy and more. Serious consideration should be given to sharing and learning from the failures and successes of others.
What is trade secret theft?
The Economic Espionage Act of 1996, as provided by the Legal Information Institute, details the legal framework for theft of trade secrets:
Theft of trade secrets
(a) Whoever, with intent to convert a trade secret, that is related to a product or service used in or intended for use in interstate or foreign commerce, to the economic benefit of anyone other than the owner thereof, and intending or knowing that the offense will, injure any owner of that trade secret, knowingly --
(1) steals, or without authorization appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains such information;
(2) without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys such information;
(3) receives, buys, or possesses such information, knowing the same to have been stolen or appropriated, obtained, or converted without authorization;
(4) attempts to commit any offense described in paragraphs (1) through (3); or
(5) conspires with one or more other persons to commit any offense described in paragraphs (1) through (3), and one or more of such persons do any act to effect the object of the conspiracy,
shall, except as provided in subsection (b), be fined under this title or imprisoned not more than 10 years, or both.
(b) Any organization that commits any offense described in subsection (a) shall be fined not more than the greater of $5,000,000 or 3 times the value of the stolen trade secret to the organization, including expenses for research and design and other costs of reproducing the trade secret that the organization has thereby avoided.
Perform risk assessments. When corporate IP is at issue, it's prudent to assess the risk and mitigate the issues that create the greatest risk. For example, if your organization hires IT personnel from abroad, doing deep background checks is essential. Some companies refrain from hiring from select countries where the risk of bad actors is higher.
If you're moving data to the cloud, then you need to select functionality-rich and secure providers. If third parties have access to company data, then you must assess their management practices and mitigate deficiencies. To properly assess risk, companies should research and document all risks and develop a roadmap to systematically fix issues.
Take care with new tech. Social media, communications technologies, the internet of things (IoT) and other newer technologies that have internet connectivity and collect and transmit information -- sometimes without your knowledge -- pose a challenging risk. While promoting connectivity and accessibility, they may provide limited security and make information more vulnerable to cyberattack. For instance, cybersecurity company Darktrace's "Global Threat Report 2017" cited an example of a casino's smart fish tank being hacked and used to steal data.
With predictions of greater future use and reliance on these technologies, increased vigilance through training and audits may help limit data theft.
Watch out for data volume. More data is fitting in smaller storage devices, which makes data theft that much easier. Edward Snowden's and Chelsea Manning's thefts of huge volumes of U.S. intelligence data wouldn't have been possible in the days of paper records, when thefts of those magnitudes would have required trucks full of paper.
Exfiltrating data outside the firewall via email or an IoT device has also been an effective tool of IP theft. Indeed, Snowden walked away with a treasure trove of state secrets stored on thumb drives.
Technology and vigilance can limit exfiltration of large volumes of company data through the internet. Limiting where information can be stored -- no cloud storage for certain classes of information or mandating the use of select storage locations -- as well as limiting the use of USB and other devices to store company data can help. So can clear directives and enforcement about where data can be properly stored and how it can be moved outside the company's control.
Apply information security (infosec) classification rules. In order to protect intellectual property, know-how, trade secrets and such, information must be properly classified. Developing and applying security classification rules that delineate data that's a trade secret, confidential or privileged from what doesn't need protection is essential. Such classification helps deal with the reality that information isn't equal in value and allows for greater time and effort to be spent protecting more valuable data. Therefore, effort should be undertaken to reinvigorate existing, albeit underutilized, classification regimes, develop and apply new ones and store information needing more protection commensurate with its value.
Encrypt early and often. Most companies have policies that require encryption of trade secret information and protection of confidential data sent outside the firewall. But too often, information travels freely without protection or encryption. Organizations should make sure encryption technology is available and being used. If it can be applied without employee involvement, that's an even better approach.
Defensibly dispose of outdated data. Properly disposing of outdated and unnecessary information promotes business efficiency, cuts storage costs, mitigates privacy and infosec risks and reduces discovery costs. Storage pros working with business and legal folks can help cull the unneeded mountain of content. Making the pile smaller demands that content is destroyed when law and policy allow. Information that's needed for an audit, litigation or investigation must be preserved for the duration of the issue. However, records retention schedules should be used as a way for companies to legally dispose of information when it's no longer needed.
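The disposal logic described here and in the earlier advice on purge rules for new systems can be expressed as a small decision function. This is an added example, not from the original article; the record classes, retention periods, hold identifier and file paths are constructed assumptions, and a real schedule comes from legal and records management.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule: record class -> days to keep after creation.
RETENTION_DAYS = {
    "non-record": 90,       # transient exports, scratch data
    "contract": 7 * 365,
    "trade-secret": None,   # None = never purge automatically
}

@dataclass
class Item:
    path: str
    record_class: str
    created: date
    legal_holds: tuple = ()  # open audits, lawsuits or investigations

def disposition(item, today):
    """Return (action, reason) so every decision leaves an audit trail."""
    # A hold always wins: preserve for the duration of the issue.
    if item.legal_holds:
        return "preserve", "on hold: " + ", ".join(item.legal_holds)
    # Unclassified data is never destroyed blindly; a human classifies it first.
    if item.record_class not in RETENTION_DAYS:
        return "review", "unclassified; classify before any destruction"
    days = RETENTION_DAYS[item.record_class]
    if days is None:
        return "review", "no automatic purge for this class"
    expires = item.created + timedelta(days=days)
    if today >= expires:
        return "destroy", "retention expired " + expires.isoformat()
    return "retain", "retain until " + expires.isoformat()

def plan(items, today):
    """Build the disposal plan: one (path, action, reason) row per item."""
    return [(i.path, *disposition(i, today)) for i in items]

# Constructed sample inventory.
SAMPLE = [
    Item("exports/tmp_report.csv", "non-record", date(2023, 1, 10)),
    Item("exports/tmp_q4.csv", "non-record", date(2023, 1, 10), ("LIT-001",)),
    Item("legal/msa_acme.pdf", "contract", date(2020, 6, 1)),
    Item("share/old_dump.zip", "unknown", date(2015, 3, 3)),
]

if __name__ == "__main__":
    for row in plan(SAMPLE, date(2024, 1, 1)):
        print(row)
```

The two expired non-record exports get different outcomes because one is under a hold, and the old unclassified archive is routed to review rather than destroyed, which is where human evaluation comes in.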
Double your authentication pleasure. Keep information locked down and limit access through better authentication techniques. There's some confusion about different authentication factors:
- One-factor authentication is a unique something the employee knows, like a strong password.
- Two-factor authentication is the one factor plus something the employee possesses, like a company ID card, security code or a security fob that generates a unique code.
- Three-factor authentication is the first two plus something that's unique to the employee, such as a voice scan, fingerprint or eye scan.
Two-factor authentication is the least companies with valuable information should use. Passwords alone aren't sufficient. Further, good passwords are about concepts or ideas, not words. So instead of using "Fluffy123," the better password is "MyLastDogAte5$Shoes." But, still, that's only the first layer and not enough by itself. Every archive containing trade secrets must have at least two-factor authentication.
Economic espionage and data theft cost U.S. business hundreds of billions of dollars and tens of millions of jobs a year. While government is trying to address the problem, companies are well-served to take the threat seriously and do what they can to protect intellectual property and other valuable information. What that means for IT, storage and information security professionals is doing away with old thinking that it isn't your problem.
Work to make the piles of existing data smaller and limit what you keep. Determine which information is the most likely target, classify it and lock it down commensurate with its value. Share issues and fixes with other similarly situated companies. For some, the economic espionage threat is small, and for others, it's existential. Like it or not, IT, infosec and storage professionals are now the front line in a company's financial well-being.