According to a May 2013 report of the Commission on the Theft of American Intellectual Property – an independent, bipartisan initiative of U.S. representatives from both the private and public sectors – the theft of intellectual assets is estimated to cost U.S. businesses more than $300 billion annually. Increasingly, U.S. companies are not only facing persistent threats to the integrity of their business activities, but also grappling with the need to stem the erosion of their companies’ values caused by commercial espionage carried out by both foreign and domestic actors.
In addition to the harm caused to the businesses directly affected, such thefts also contribute to a significant loss of U.S. jobs and a corresponding decline of the national economy in terms of a reduced gross domestic product. In some cases, the thefts also have resulted in the loss of U.S. ingenuity to rivals who are not only stealing intellectual property but also counterfeiting and/or otherwise adapting that property to foreign markets by focusing on low-cost positioning and mass consumption – both of which subsequently evolve into market disruptions in their own right.
These challenges have been not only costly but also fairly consistent in recent years. According to the 2012 Cost of Cyber Crime Study of 56 U.S.-based companies (many of them multinational corporations) – sponsored by Hewlett-Packard and carried out by the independent research group Ponemon Institute – cyber espionage attacks have increased by an average of 38 percent from 2010 to 2011. The average annual cost for the companies included in the 2012 study amounted to approximately $8.9 million. Moreover, the World Intellectual Property Organization headquartered in Geneva, Switzerland, estimated that, “In 1998, intangible assets constituted 80% of the value of Fortune 500 companies.” Obviously, the potential for truly extraordinary losses in the foreseeable future is not only evident but also probable.
Protecting U.S. Companies From Cyber Threats
Although investments in protective measures such as firewalls and/or anti-virus solutions are popular options, they are insufficient in isolation. In an age of sophisticated and frequent attacks, particularly as related to the state-sponsorship of intellectual property theft through cyber and insider threats, private firms – the U.S. government as well – must ensure that security investments are diversified throughout their entire business plans and operations.
Diversification does not necessarily mean, though, that security investments in specific components of an enterprise do not provide protection. They certainly can, and often do. The problem is that securing individual components does not secure the business as a whole. Some software vendors may purport to sell their products as the one and only “cure-all” needed for total security and protection. But new technology added to a company’s existing security infrastructure creates additional complexity. One likely result is that at least some of the company’s data may not be properly analyzed and correlated with other data that the same firm creates.
Application behavior, system performance, user actions, and deceptive activity are all critical data streams that can serve as invaluable intelligence in any post-incident investigation – or, preferably, pre-incident assessment. However, if such information is not used properly, and in conjunction with other data, an organization may find significant losses related to its product designs, research and development (R&D) operations, competitive processes, patents, and other intellectual property.
For other enterprise-specific issues such as information technology (IT), the outsourcing to IT risk consultants can offer well-known approaches for understanding a firm’s ability to fend off attacks. However, the expertise of those consultants often focuses primarily on risks within the IT structure – despite the fact that there are many other potential areas of risk that must be taken into account to fully protect a company’s intellectual property.
For companies that rely on in-house personnel to meet their security needs, the basic problem remains the same. Although some organizations often prefer this solution – usually for fear of not wanting to reveal vulnerabilities to outsiders – company personnel frequently focus their attention primarily on diagnostics, forensics, and basic security monitoring. Often, because of the nature of their employment, staff members: (a) may not be able to offer an objective assessment; and/or (b) do not necessarily possess a high enough level of expertise, and the investigative skills also required, to carry out a truly comprehensive analysis of the company as a whole.
Rather than focusing on security solutions in only one component of a firm’s operations, a holistic intelligence program would diversify the collection of information across the entire enterprise. Use of this broader approach usually will help protect the intellectual assets of public- and private-sector organizations in the current age of sophisticated threats.
Holistic Security: A Deeper Look
Holistic security encompasses all of the functional units of a business enterprise: IT, human resources, legal, R&D, security, and many others. Such security is based on the premise that so-called “isolated incidents” occurring in one particular department should be juxtaposed with other data to: (a) corroborate the existence of possible vulnerabilities; and (b) help identify other negative trends. The following four examples demonstrate how various isolated incidents, when interpreted holistically, can help skilled investigators understand the nature of a possible threat directed against a company’s key value drivers.
Isolated Incident No. 1. A member of a company’s IT Department observes Employee A trying to gain access to a folder for which the employee does not have permission to access. This folder contains sensitive information on a prototype development not yet introduced to the market. A week later, the same employee was found running a scan of the company’s internal network. When IT staff noticed this activity, they confronted the employee, who offered what the staff considered to be a plausible explanation. No subsequent action was taken; and the information was not shared with any other department within the company.
Isolated Incident No. 2. The office manager has noticed Employee A working late hours – an irregular and seemingly unnecessary activity. Late one evening, Employee A attempted to leave the building with a bag containing folders labeled “proprietary.” When the office manager questioned the employee, the latter responded with a frantic apology and offered a plausible explanation. Accepting the response as legitimate, the office manager did not share this information with anyone else in the company.
Isolated Incident No. 3. A different employee (Employee B) recently traveled overseas to attend a meeting with a foreign partner on a joint venture opportunity. During the trip, the employee traveled with not only his smartphone but also a company laptop – both of which contained proprietary information. Moreover, on more than one occasion, Employee B had accessed the U.S. company’s network from the joint venture partner’s internal network. Apparently not thinking anything of it, Employee B did not, after his return, mention those actions to any of his colleagues.
Isolated Incident No. 4. At lunch on a Monday morning, colleagues learned that Employee A had just returned from a weekend trip overseas. When asked for details about the trip, the employee offered a hurried and somewhat confusing explanation about a “weekend getaway” that appeared to be in conflict with his/her established lifestyle pattern. Later that day, colleagues learned that Employee A had traveled with numerous company thumb-drives and disks – also rather unusual behavior for a traveler supposedly on a vacation. Moreover, over a longer period of time, colleagues started to notice some unexplained affluence on the part of Employee A – driving a brand new car, for example, rather than the more modest vehicle Employee A previously drove. When queried by a colleague, Employee A stated somewhat awkwardly that the car had been a gift from a distant relative. Without additional information confirming the suspicions already aroused, however, the issue was dropped; and the information already developed was not shared with anybody else inside the company.
Share, Study, Assess & Confirm
As individual data points, the preceding incidents may seem mundane and/or ordinary to those who witnessed the various actions mentioned. But if those incidents had been documented, and not only correlated but also analyzed with the information collected from the other departments, certain patterns might well have emerged that would confirm the incidents as potential evidence pointing to a targeted campaign to steal the company’s intellectual property.
In an era of increasingly sophisticated threats, the protection of intellectual assets may best be served through adoption of a holistic approach to security using both trusted intelligence methodologies and properly trained personnel. To do anything less, in fact, could have disastrous consequences. The failure “to address the challenge of trade secret theft costs industry billions of dollars each year,” said Pamela Passman, president and chief executive officer of CREATe.org, a leading nonprofit dedicated to helping companies, suppliers, and business partners reduce piracy, counterfeiting, and trade secret theft. Moreover, she added, such thefts “can have devastating reputational, financial, and legal impacts … [not only] for individual companies … [but also for] the global economy as a whole.”
Armond Caglar is a security solutions consultant at Tailored Solutions and Consulting (TSC), an enterprise risk consultancy based in Washington, D.C. Prior to establishing himself in his current position, he served in the U.S. government for more than seven years conducting worldwide operations in support of sensitive national-level priorities. He holds both a Master’s degree from Tufts University and a Bachelor of Arts degree from the University of New Hampshire.