If the cyber theft of intellectual property attacks an organization’s ability to innovate, theft of business confidential information attacks its ability to execute as a business.
Verizon’s 2014 Data Breach Investigations Report (DBIR) found that 22 percent of breaches are the result of cyber espionage attacks, and that the victims were in the public, professional services (law firms, investment banks, accounting and tax services), manufacturing, transportation, and mining sectors. These are industries where a great deal of financial value is at stake across millions of digital files, from accounting data and manufacturing and delivery schedules to business plans and legal contracts.
While it may take years for stolen IP to show up in a competing product, there is no delay in monetising stolen confidential business information. Oil exploration data, sensitive business negotiation data, or even insider stock trading information can be used immediately by the acquirer.
Back in 2009, Marius Kloppers, the former CEO of mining giant BHP Billiton, was claimed, in a leaked cable released by Wikileaks, to have told a US diplomat he was worried about espionage from his largest competitors and from nation states. It was also reported that an unnamed senior BHP Billiton executive told the Australian current affairs program Four Corners about several attacks during the company’s bid to take over Rio Tinto in 2008 and that its network security was regularly upgraded to counter these attacks.
Earlier this year, Australia’s cyber threat support agency, CERT, released a report that found computer-based security attacks on business are on the rise, and the reason appears to be competitors seeking commercial information. George Brandis, Australia’s Attorney General and Minister for the Arts, stated, “the main motivation for cyber-attacks is considered to be competitors seeking commercial advantage.” He said, “This aligns with the cyber threat of most concern to businesses, which is theft or breach of confidential information or intellectual property.”
Cyber espionage motivated by economic advantage is typically carried out by targeting specific individuals within an organisation. It is common for the adversary to send specific people within the organisation a number of spear-phishing emails with links or attachments designed to compromise their PC. This allows the attacker to use malware as a tool to retrieve company information, obtain login information, and capture more information about key individuals within the organisation, which in turn reveals more ways to attack the target.
Earlier this year, the U.S. Federal Bureau of Investigation and U.S. Attorneys revealed detailed information on attacks targeting U.S. Steel, Westinghouse and ALCOA, among others. They called the cyber espionage “21st century burglary”. In these attacks there was significant theft of business-critical information, communication between employees, and customer data.
The damage to individual companies can be great. Measuring this category of loss is very difficult since the victim may not know the reason they were underbid, a negotiation went badly, or a contract was lost. This is another example of the difficulty in estimating the impact and economic cost of espionage.
A more insidious form of hacking is the equivalent of insider trading. In this case, the individual extracting non-public information about a future financial transaction is not an insider, but the effect is the same. Insider trading, or its hacking equivalent, may look like a victimless crime, but it reduces social welfare and harms financial markets. An astute hacker may manipulate stock prices or automated trading systems, putting out false news that could affect a price or the market.
The effect may be short-lived, but a hacker could execute trades planned in advance. In the case of stock manipulation, the cybercrime resembles insider trading, which can be notoriously difficult to detect. The information acquired could be used to make trades on another exchange, complicating enforcement efforts.
As is the case with intellectual property theft, these factors may be quantifiable, but they rest on assumptions about the utility of illicitly acquired data and the accuracy of reported losses from cyber espionage.
Calculating a single figure for such crimes is unattainable. However, further analysis into whether companies consider cybercrime a tolerable cost of business, and whether a dollar cost for losses is an accurate measure of the effect of cyber espionage or undervalues intangible costs, including international trust and military power, will help to reveal a more precise understanding of the true cost of cyber espionage.
In one high-profile claim, Jonathan Evans, MI5’s Director-General, spoke of the amount of hostile activity being generated by foreign states in cyber space. The head of Britain’s domestic Security Service said on Monday that state-sponsored cyberattacks against the computer systems of a major listed British company cost it £800m in lost potential revenues, highlighting the huge threat that UK business faces from Internet-based espionage.
At the heart of the matter is the effect on trade, technology, and competitiveness. While the cost of cyber espionage to the global economy is undoubtedly billions of dollars every year, the dollar amount, large as it is likely to be, may not fully reflect the true damage to the global economy. Cyber espionage may slow the pace of innovation, distort trade, and create social costs from job loss.