Americans are great innovators. Innovation fuels the American economy, our standard of living and our quality of life. The results of that innovation are largely captured as intellectual property, including trade secrets. Not surprisingly, non-public trade secrets are a hot commodity around the globe. Economic espionage and theft of American trade secrets are accelerating, according to the Office of the National Counterintelligence Executive, and foreign intelligence agencies are not the only culprits. Foreign businesses, some with ties to their homeland governments, have increased efforts to steal trade secret information from U.S. businesses through the recruitment of current and former employees. The electronic information databases of U.S. companies, law firms, academia and financial institutions are constant targets of cyber intrusions. And nowadays, foreign spies can sit in the security of their own country and steal U.S. economic secrets through the internet and cyber-attacks. Indeed, cyberspace is a treasure trove in the world of economic espionage because it allows someone to collect vast amounts of information with relative anonymity, while masking their geographic location. In light of the increased threat, the White House recently released its Plan to fight the loss of U.S. trade secrets.
The strategy outlines a five-pronged attack on cybercrime:
- Focus diplomatic efforts by sending a consistent and coordinated message from all appropriate government agencies to their foreign counterparts where there are regular incidents of trade theft. In addition, the Administration plans to increase internal reporting focus to identify and include countries of concern on government watch lists. “Other governments must recognize that trade secret protection is vital to the success of our economic relationships and that they must take steps to strengthen their enforcement against trade secret theft.” (Plan Page 3.) The Administration will encourage law enforcement cooperation and encourage foreign law enforcement to pursue entities within their boundaries who are stealing trade secrets.
- Promote industry adoption of best practices that encourage taking measures – sometimes measures above and beyond the “reasonable measures” that are required to protect information as a trade secret – in areas such as: information security policies, physical security policies, human resources policies and R&D compartmentalization.
- Enhance domestic law enforcement by coordinating expanded discussions between the intelligence community and the private sector regarding four main aspects of trade secret theft: (1) the number and identity of foreign governments involved in misappropriating trade secrets; (2) the targeted industrial sectors and technologies; (3) the methods used to take information; and (4) the impact felt from the dissemination and use of misappropriated trade secrets.
- Improve domestic legislation, including consideration of adding a private cause of action to the Theft of Trade Secrets Clarification Act of 2012. See Economic Espionage Act of 1996, 18 U.S.C. §§1831-1839.
- Increase public awareness and stakeholder outreach through regional FBI offices and by leveraging existing resources such as http://www.stopfakes.gov/ and road show trainings by the U.S. Patent and Trademark Office and International Trade Administration.
Hot spots being targeted for economic espionage include:
- Information and communication technologies;
- Military technologies;
- Civilian and dual-use technologies in areas likely to experience fast growth (e.g., clean energy, health care, pharmaceuticals, agricultural technology);
- Information related to supplies of scarce natural resources; and
- Macroeconomic information relating to non-public data on topics such as interest rate policy.
(See Plan Page 8; ONCIX Report Pages 8-10.)
Ironically, the technologies that have enabled economic growth have created the very environment that makes cyber-hacking easier and the protection of stored trade secrets harder. Indeed, the White House identified the rise of telecommuting employees and the significant increase in data access points—through use of smart phones, mobile devices and cloud computing/storage—as risk factors that increase susceptibility to cyber-attacks and theft of trade secrets.
According to the U.S. Defense Security Service’s 2012 Industry Report, “Targeting U.S. Technologies: A Trend Analysis of Reporting from Defense Industry 2012,” (DSS Report), methods used to effect this brain drain include:
- academic solicitation (e.g., peer or scientific board reviews of academic papers, or requests to study or consult with faculty members);
- acquisition of technology via direct purchase of firms;
- conferences, conventions and trade shows (e.g., taking photos, making sketches, or asking detailed technical questions about technologies on display);
- flat-out criminal theft with no pretense of legitimacy;
- exploitation of relationships (e.g., establishing connections via joint ventures, cultural commonality, etc. to gain access to secrets);
- requests for information (via phone, email, etc. under the guise of a price quote, marketing survey, etc.);
- suspicious network activity (e.g., viruses, malware, acquisition of user names/passwords, etc. to hack into secured networks);
- targeting U.S. travelers overseas (e.g., via airport searches, hotel room incursions, telephone monitoring, accessing computers/smartphones, etc.).
In a report that was influential to the Administration’s strategy (the ONCIX Report), the Office of the National Counterintelligence Executive (ONCIX) ranked the following four factors as “near certainties” that will “accelerate the rate of change in information technology and communications technology in ways that are likely to disrupt security procedures and provide new openings for collection of sensitive US economic and technology information:”
- Technological Shift. There will be a “proliferation in the number of operating systems and endpoints” that are open to attack, while “the underlying hardware and software information systems will become more complex.” (ONCIX Report Page 6.) The ONCIX predicts that the number of devices in use worldwide that can connect to the internet or other networks will increase from approximately 12.5 billion in 2010 to 25 billion in 2015. (ONCIX Report Page 6.)
- Economic Shift. The rise of cloud computing will cause “the movement of data among multiple locations [which] will increase the opportunities for theft or manipulation by malicious actors.” (ONCIX Report Pages 6-7.)
- Cultural Shift. The rise of a U.S. workforce that has different expectations regarding privacy, collaboration and work will result in workers drawing fewer distinctions between home and work lives. More and more, Americans will expect free access to information from any location. (ONCIX Report Page 7.)
- Geopolitical Shift. Continued globalization of supply chains, and increasingly interconnected IT products, will provide more opportunities to compromise the integrity and security of the electronic devices that proliferate. (ONCIX Report Page 7. See also Technological Shift.)
Meanwhile, ONCIX predicts that China and Russia “will remain aggressive and capable collectors of sensitive US economic information and technologies, particularly in cyberspace.” (ONCIX Report Page 7.) It also notes that the growing role of non-state and non-corporate actors, such as hacktivists and hackers for hire, could be a game-changer. (ONCIX Report Page 10.)
Corporations are not as well-prepared as they should be. ONCIX found that “a key responsibility of the chief executive officers and boards of directors is to ensure that the protection of trade secrets and computer networks is an integral part of all corporate decisions and processes,” yet only 5 percent of companies involve the CFO and only 13 percent have cross-functional cyber risk teams that bridge technical, financial and other elements of the company. (ONCIX Report Page A-2.) Even more surprising is that 65 percent of IT and security professionals do not know what files and data leave their companies, and that email systems are often less protected than databases. (ONCIX Report Page A-3.)
All institutions have competitive information and trade secrets to protect. As an organization, consider practicing a bit of institutional suspicion – if someone is after the keys to your kingdom, how will they get them and break in unnoticed? And then, think about how to protect your data from predictable and foreseeable attacks—mind you, the method of attack may not be obvious, but if you think about it, many methods will be foreseeable or predictable. Develop a strategy to protect your data. Then clearly communicate to all employees why your data needs protection and what they need to do to support your strategy.