When Nation-States Hack the Private Sector for Intellectual Property
Cyber-attacks have become a tool of statecraft in this technology-driven age. Today, nations succeed or fail in large part based on how effectively they develop, implement and protect new technologies.
Last week, the U.S. Department of Justice revealed details of an extensive nation-state cyber espionage campaign targeting non-military entities such as universities, businesses and government agencies. The government alleges that nine hackers associated with Iran’s Islamic Revolutionary Guard Corps accessed and compromised intellectual property (IP) that cost the victim organizations $3.4 billion to develop.
The announcement is the latest acknowledgement that nation-states are targeting organizations in the private sector to obtain IP that will strengthen the competitive position of their national economies, as well as their militaries. Such cyber attacks seek to acquire technical leadership for nations lacking the investments, human talent or other foundational elements associated with technical innovation.
These revelations reinforce the findings of a recent report from the Center for Strategic and International Studies (CSIS) and McAfee, which estimates that IP theft accounts for 25 percent of the cost of cybercrime to the world economy, more than any other category of cybercrime. Furthermore, the report argues that “internet connectivity has opened a vast terrain for cybercrime, and IP theft goes well beyond traditional areas of interest to governments, such as military technologies.”
We tend to associate cyber espionage such as IP theft with events like the theft of the F-35 joint strike fighter’s blueprints by the Chinese military. Just last month, The Associated Press reported a similar event where Russian hackers attacked several U.S. corporations attempting to steal drone technologies used by the U.S. military.
The 2009 Operation Aurora cyber attacks pitted nation-state hackers allegedly tied to China’s People’s Liberation Army against U.S. corporations beyond the aerospace and defense sectors, including IT, chemical, web services and manufacturing firms. A series of similar attacks on Nortel Networks in 2004 allegedly compromised IP, which later was used to strengthen the market position of Chinese telecommunications giant Huawei.
Last month’s Worldwide Threat Assessment of the U.S. Intelligence Community confirmed that a number of nation-state actors are continuing to use cyber attacks to “acquire U.S. intellectual property and proprietary information to advance their own economic and national security objectives.”
A country such as Iran can benefit greatly through IP theft, particularly given that economic sanctions placed on the country restrict the natural market-driven transfer of advanced technologies into the country. With a relatively minimal investment, hackers can steal technologies that ordinarily would take years to develop and require significant expertise across a broad range of industries.
During the 2015 Barack Obama-Xi Jinping summit, the leaders of the United States and China agreed that their intelligence communities would cease to conduct “commercial espionage,” while allowing each nation to engage in military-related espionage appropriate to their respective national security interests. The G20 nations agreed to a similar “no-commercial espionage” pledge later that year. But such agreements require detection, attribution and accountability mechanisms to have real impact.
In the case of detection, there are few incentives for any of the actors to acknowledge cyber espionage attacks. Victim companies don’t wish to acknowledge such security breaches to their business audiences, and attackers don’t wish to publicly expose their criminal activities.
The attribution of such attacks to specific actors is difficult because it requires analysis of both cyber attack forensic data and insights drawn from traditional government intelligence sources. Unfortunately, the evidence used to make such attribution determinations is not easily exposed without potentially revealing the means and methods by which cyber threat researchers and government agencies came by it.
As for accountability, the U.S. government has announced indictments of accused hackers from China, Russia, and, now, Iran for a variety of cybercriminal activities. The administration has also announced tariffs on Chinese imports intended to recoup the economic value of IP stolen by Chinese hackers.
While it is too soon to determine the effectiveness of either effort in deterring IP theft, the U.S. government is correct to focus on IP theft as a serious threat to the nation’s economy.
At its most basic level, the theft of IP and other business confidential information steals from a nation’s future. It is a theft of future national security, future wealth creation for companies, future tax revenues and future high-paying jobs and standards of living for a nation’s citizens.
Steve Grobman is senior vice president and chief technology officer for McAfee. In this role, Grobman sets the technical strategy and direction to create technologies that protect smart, connected computing devices and infrastructure worldwide. Mr. Grobman's op-ed originally appeared in The Hill on March 31, 2018.