At Advisen’s recent Asia-Pacific cyber conference in Singapore, panelists dodged the topic of intellectual property (IP) theft.
Several said they were uncomfortable with a discussion that inevitably would lead to China, the country most frequently implicated in IP theft.
But even among Advisen’s North America and Europe audiences, the topic tends to be brushed aside in favor of discussions about privacy regulations and the theft of customer data. People in cyber risk management and insurance seem reluctant to tackle the issue of IP theft head-on.
Of course, privacy-law violations and theft of customer and employee data are serious issues, but they arguably pale in significance when compared to the destructive potential of IP theft. Some security experts fear the US risks losing its competitive edge in world markets, with serious implications for the US economy.
“Every major company in the United States has already been penetrated by China,” according to Richard Clarke, a former cyber security and cyber terrorism advisor for the White House, in an often-quoted Smithsonian interview. “My greatest fear is that… we lose our competitiveness by having all of our research and development stolen by the Chinese.”
The Commission on the Theft of American Intellectual Property (the IP Commission) agrees: “The scale of international theft of American intellectual property is unprecedented—hundreds of billions of dollars per year, on the order of the size of U.S. exports to Asia,” according to its report published by the National Bureau of Asian Research. “Illegal theft of intellectual property is undermining both the means and the incentive for entrepreneurs to innovate, which will slow the development of new inventions and industries.”
Residents of China and other East Asian nations were implicated 49 percent of the time in espionage incidents, but Eastern European countries, especially Russian-speaking nations, were identified as the source of 21 percent of breaches, according to Verizon’s 2014 Data Breach Investigations Report.
Thus far, the insurance industry has offered little to protect against IP theft. This is understandable – it is highly difficult to quantify the value of IP, especially research and development that has not yet been productized. Additionally, if Clarke is correct and every major US company has been hacked by the Chinese, insurers would essentially be underwriting the cyber equivalent of a burning building.
Since little is available in insurance protection, loss prevention is especially critical. The IP Commission claims the US government has “made important strides in protecting intellectual property,” and former National Security Advisor Tom Donilon has stated that “the United States will do all it must to protect our national networks, critical infrastructure, and our valuable public and private sector property.” American businesses, however, cannot wait for legal, political or diplomatic solutions.
Vulnerability mitigation technologies – firewalls, passwords, etc. – are necessary, but they won’t solve the problem. In fact, “vulnerability-mitigation measures have proved largely ineffective in defending against targeted hackers, who are hired specifically to pursue American corporations’ intellectual property,” according to the IP Commission.
Rather, “a different concept for security, known as threat-based deterrence, has been identified as a means to protect the most important information in corporate or government networks.” Threat-based deterrence deploys “countermeasures against targeted hackers to the point that they decide it is no longer worth making the attacks in the first place.” The IP Commission notes, however, that “conceptual thinking about and effective tools for threat-based deterrence are in their infancy.”
From a more pragmatic perspective, companies can take action today to help reduce the risk of IP theft. According to a report by Lockton’s Ben Beeson, beyond technological defenses, security measures can include prioritizing data, segregating the most sensitive data for special treatment, establishing company-wide security policies and procedures, educating employees, and monitoring networks.
Verizon notes that employees – typically viewed as a security weak link – also can potentially be a powerful asset in cyber defense. “Users have discovered more breaches than any other internal process or technology,” according to Verizon. “It’s not all about prevention; arm them with the knowledge and skills they need to recognize and report potential incidents quickly.”