Intellectual Property Theft and the Unmeasurable Loss

October 1, 2015
Intellectual Property Theft and the Unmeasurable Loss (iStock/PointImages)

Right now, we’re seeing a very high level of public awareness around cyberattacks that target personal information. The hacks of JPMorgan Chase, Anthem and United Airlines, for example, have attracted significant media attention and have been at the center of high-profile follow-up investigations.

But what if there were another, potentially more damaging kind of cyberattack on the rise? One without mandatory disclosure laws, and one that most victims would prefer to keep hidden? How great could the unmeasurable cost be to the US economy?

What I’m describing is the theft of intellectual property (IP), particularly technology – an area in which corporate America currently faces some very serious and well-equipped adversaries.

The Threat from China

Last year, a grand jury in the Western District of Pennsylvania indicted five Chinese military officers for the hacking of six US companies between 2006 and 2014. The victims had been involved in negotiation or litigation with their state-owned counterparts in the PRC, and the defendants – members of PLA Unit 61398 – had stolen IP relating to nuclear power, alternative energy and high-tech manufacturing.

Essentially, the Chinese had entered business discussions with the full strength of their military intelligence service behind them, and stolen technologies and trade secrets that would be of direct benefit to their own economy.

With the lack of disclosure laws, we have no way of knowing how often this happens. Any number of negotiations between US and Chinese companies may have taken place on similar terms, and the Chinese have the advantage because they can effectively divide and conquer. No private enterprise will accuse the PRC of hacking for fear of losing business, and their inaction prevents them from acting collectively against the threat.

We’re potentially looking at a steady exsanguination of corporate America, and one we have no way to measure and mitigate. When our business leaders make deals with the Chinese, they may well think they’re only negotiating with the person at the other end of the table. In reality, as the six companies appearing in the indictment learned, they’re negotiating with a vast and highly capable military intelligence service.

What’s a ‘Common Understanding’, Exactly?

The US government is, of course, aware of the threat from China, and IP theft was a topic of discussion during President Xi Jinping’s first official visit to the States last month. In fact, he and President Obama announced that they have come to a ‘common understanding’ on the issue and agreed not to ‘knowingly’ support commercially motivated cybercrime.

There are flaws in this agreement, however. Firstly, no country ever admits to spying, even when caught red-handed; the inclusion of ‘knowingly’ is effectively an escape clause. Secondly, the agreement is unenforceable: even if one side were to uncover a serious violation, the threatened imposition of sanctions would lead to retaliation and damage to both sides. Thirdly, the attribution of cyberattacks is increasingly difficult as hacking tools and tactics evolve.

In reality, the impressive-sounding agreement is carefully crafted to have multiple meanings. The US sees it as an admission by China of past transgressions and a commitment to stop, which contrasts with a statement made by the Chinese foreign ministry after the 2014 indictment that its government, military and their personnel “have never engaged or participated in cyber theft of trade secrets”. To China, meanwhile, it vindicates a counter-accusation that the US is engaged in cyber espionage against its “government departments, institutions, companies, universities and individuals”.

More generally, it’s undermined by the fact that while the US makes a distinction between the hacking of government and military networks and the hacking of private enterprises, the Chinese do not. In his speech in Seattle on September 22nd, President Xi stated: “Both commercial cyber theft and hacking against government networks are crimes that must be punished in accordance with law and relevant international treaties.” Until that happens, China has no reason to drop what it sees as another useful tactic to further its power on the global stage.

My prediction is that not much will change in light of the agreement, other than the PLA honing its craft to make it even harder for the US to find proof of commercially motivated cybercrime.

How Should Companies Respond?

Obviously, not many enterprises are likely to eschew business relationships with foreign powers for fear of IP theft alone. For companies holding data on sensitive and economically important technology, however, entering such a discussion should be seen as a risk that requires careful forethought.

It could also be seen as an opportunity to improve IT security and mitigate that risk. The hacking techniques used by Unit 61398 aren’t particularly sophisticated – mostly, they rely on spear-phishing to get inside their targets’ networks. The recent cyberattacks on Anthem and United Airlines may even have been attempts to bolster this capability, which could potentially be undermined by stronger network security and access controls.

We don’t know how much IP theft costs corporate America. We do know, however, that China’s long-term economic plan is dependent on technologies being developed in the US and elsewhere, and that it’ll use any means necessary to achieve its goals.

Surely it makes sense for US companies to do everything they can to level the playing field?

Read about how Cryptzone’s secure access and data security solutions help to ensure IP, the lifeblood of your business, remains in your hands and not your supposed business partner’s.


Leo Taddeo

Chief Security Officer
www.cryptzone.com

Leo Taddeo is the Chief Security Officer (CSO) for Cryptzone, a provider of dynamic, context-aware network, application and content security solutions. Taddeo, former Special Agent in Charge of the Special Operations/Cyber Division of the FBI’s New York Office, is responsible for analyzing the cybersecurity market to help shape Cryptzone’s vision for security solutions. Taddeo provides deep domain insight into the techniques, tactics and procedures used by cybercriminals, to help Cryptzone continue to develop disruptive solutions that enable customers to defend against advanced threats and breaches.

Prior to Cryptzone, Taddeo led more than 400 agents and professional support staff in cyber investigations, surveillance operations, information technology support and crisis management for the FBI. He oversaw high profile cases, including Silk Road, Blackshades and JP Morgan.

Previously, Taddeo served as a Section Chief in the International Operations Division, where he managed FBI operations in Africa, Asia and the Middle East. Taddeo has held various roles of increasing responsibility in the field, including supervising an FBI/New York City Police Department Joint Terrorism Task Force and serving as the Legal Attaché in Rome, Italy.

After receiving his degree in applied physics from Rensselaer Polytechnic Institute in 1987, Taddeo served as a tank officer in the U.S. Marine Corps. In 1991, he was awarded a Purple Heart and Bronze Star Medal for valor for service in the Gulf War. Taddeo then earned a Juris Doctor from St. John’s University and joined the New York law firm of Mound, Cotton & Wollan, where he practiced civil litigation until entering the FBI.

Taddeo is a graduate of the CISO Executive Program at Carnegie Mellon University. He also maintains the Certified Information Systems Security Professional (CISSP) and GIAC Certified Incident Handler certifications.
