Start your day with intelligence. Get The OODA Daily Pulse.
A recent article suggests that legitimate businesses have lost the fight against cyber-crime, applied defensives and cyber security strategies have ultimately failed to secure networks, and prevent the loss of sensitive information. The piece goes on to suggest that, while organizations would focus on the attack to improve remediation, hostile actors sought to develop their tactics, techniques, and procedures. These individuals and gangs sought to continually enhance their capabilities while organizational targets merely tried to survive the storm.
By any measure, this has not been a winning solution. Since there early beginnings, cyber-crime has only evolved: perfecting its multi-dimensional ecosystem and becoming more organized. In terms of competing with other groups, the criminals are more professional: offering services that mimic, legitimate business practices – complete with customer support, marketing strategies, and competitive pricing. What’s more, is that these criminal organizations are not just about stealing sensitive and financial data as creating their own brands.
These professional criminal groups are no longer opportunistic as much as they are entrepreneurial. While any bit of stolen information can be monetized, truly sensitive data such as intellectual property (IP) and research and development (R&D) have risen to the top as prime targets for theft. This type of data is worth a tremendous amount of money in the global marketplace. Legitimate business competitors and nation-state actors (who use cyber espionage for commercial advantage for their own companies) continue to target IP and R&D accounting for billion dollars in losses for U.S. businesses.
The United States Commission on the theft of American Intellectual Property estimated the cost of IP theft at approximately USD 600 billion annually. According to the Congressional Joint Economic Committee, an estimate found that the average company suffered USD 101.9 million in revenue and incurred an average cost of USD 1.4 million in “identification and enforcement of intellectual property rights.”
While the Commission cited China as a primary perpetrator of this type of activity, Beijing didn’t account for all the losses, indicating a growing appetite for IP and R&D theft by other entities (including both private enterprises and state actors). According to Microsoft, several state actors aggressively targeted organizations involved in the COVID-19 vaccine and treatment research. As one University study revealed, the average cost of bringing a new drug to market was approximately USD 2.5 billion, though the costs to actually manufacture it were but a fraction of that amount. In this case, an argument can be made that nation-states wanted to be able to get a jump on creating vaccines for their own populations. Nevertheless, even if this goal was their primary intent, their companies would be able to sell vaccines to others, making profits based on research in which they didn’t invest economic, material, or human resources.
According to a legal site that tracks IP statistics, 38.2 percent of the U.S. Gross Domestic Product came from IP intensive industries. The 2019 World Intellectual Property Indicators report revealed that the United States was the second topmost filer of patents in the world. U.S. innovation and ingenuity still lead global developments in multiple industries. And this is possibly why, when then-President Obama engaged his Chinese counterpart in 2015 to agree to not engage in cyber espionage for commercial advantage, and why China continues to engage in it. Per the FBI Director in 2020, there were more than 1,000 pending IP cases against China.
IP theft is not just the sole providence of China, however. In its 301 Report, the U.S. Trade Representative identified 33 trading partners that raised significant concerns regarding IP rights. While some of these states are cyber capable, the cybercrime underground allows for any state or company to purchase services to steal such IP and R&D information. When looking at how ransomware operators have developed their businesses, they moved from just encrypting data to stealing it and encrypting it. Under this model, it is easily seen how IP theft can be concealed under the auspices of simple extortion with an added cost benefit to ransomware operators if demands are paid.
While incidents perpetrated by foreign governments garner headlines, IP theft has impacted all industries – as evidenced in an article showing that this crime is not just a state-driven crime but one committed by companies looking to get ahead. The one thing enterprising cyber-criminal gangs have shown is that providing services to any customer is a lucrative endeavor, regardless of if they are a government, a company, or another criminal. Moreover, the sheer profit of IP theft suggests that the benefit outweighs any consequence: arrest and conviction of these individuals is not a common occurrence. The global economy, including developed and developing nations alike, is being promulgated via innovation with IP playing an instrumental role in driving economic growth. It stands to reason that companies looking to achieve a presence or emerge as leaders in these geographic areas will try to gain advantage where they can, using any means at their disposal, including engaging in unscrupulous business practices.
Protecting the “crown jewels” of a business has been a clarion call from security professionals for several years. But this warning has primarily focused on how businesses should concentrate their security efforts on protecting what’s vital to their operations and less about the people trying to steal them. Perhaps it’s time for businesses to rethink how they view IP theft, as it’s an activity that’s not limited by time, scope, or actor. As the original article suggests, though the war against cyber-crime may be over (spoiler alert, we lost), the battle is ongoing. And because of this fact, organizations may need to look at those perpetrating IP theft not so much as criminals, but as competitors and competitive business strategies, that employ similar mechanisms to stay ahead of rivals in addition to executing rigorous cyber hygiene and risk management solutions.
In the past, network defenders and cyber security practitioners have been caught flat-footed underestimating cyber adversaries, how they have operated, and for whom. This is because the lines demarcating their identification have become increasingly blurry, resisting facile categorization. It’s time network defenders start reframing how they approach cyber security. And this starts by recognizing the continuing evolution of the cyber-criminal ecosystem and looking past them to understand they may be the tools used by another’s hands.
All of this exponential disruption means we must make focused efforts to gain advantage. Stay informed on a variety of these critical issues at OODAloop.com and during our monthly OODA Network meetings and Salons.
Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis
The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking
OODA’s leadership and analysts have decades of direct experience helping organizations improve their ability to make sense of their current environment and assess the best courses of action for success going forward. This includes helping establish competitive intelligence and corporate intelligence capabilities. Our special series on the Intelligent Enterprise highlights research and reports that can accelerate any organization along their journey to optimized intelligence. See: Corporate Sensemaking
This page serves as a dynamic resource for OODA Network members looking for Artificial Intelligence information to drive their decision-making process. This includes a special guide for executives seeking to make the most of AI in their enterprise. See: Artificial Intelligence Sensemaking
From the very beginning of the pandemic we have focused on research on what may come next and what to do about it today. This section of the site captures the best of our reporting plus daily daily intelligence as well as pointers to reputable information from other sites. See: OODA COVID-19 Sensemaking Page.
A dynamic resource for OODA Network members looking for insights into the current and future developments in Space, including a special executive’s guide to space. See: Space Sensemaking
OODA is one of the few independent research sources with experience in due diligence on quantum computing and quantum security companies and capabilities. Our practitioner’s lens on insights ensures our research is grounded in reality. See: Quantum Computing Sensemaking.
In 2020, we launched the OODAcast video and podcast series designed to provide you with insightful analysis and intelligence to inform your decision making process. We do this through a series of expert interviews and topical videos highlighting global technologies such as cybersecurity, AI, quantum computing along with discussions on global risk and opportunity issues. See: The OODAcast