Embed Size (px)
Citation preview
Industrial Espionage and Information Security
Professor Mark Button
Director of the Centre for Counter Fraud Studies
Outline
• The nature of industrial and economic espionage • The value of trade secrets
• The scale of the problem of industrial and economic espionage• Research on the issue • Focus upon cyber, with particular reference to research from Government’s
annual Cyber Security Breaches Survey • Nature of problem and what organisations doing in the UK• The opportunity for cyber to help
• Conclusions
Defining industrial and economic espionage
• ‘Economic espionage refers to targeting or acquiring trade secrets from domestic companies or government entities to knowingly benefit a foreign state’ and
• ‘Industrial espionage is the same as economic espionage, except that rather than benefiting a foreign government, it benefits another private entity’
• Wagner (2012, p. 1040)
The pursuit of industrial espionage • Open source intelligence (trade shows, reports, publications, social media, photos etc)
• Dumpster diving
• Reverse engineering
• Hiring employees of competitors
• Cultivating insiders• Disgruntled insiders • Luring insiders • Blackmailing insiders• Placing insiders
• Electronic surveillance • Bugs, surveillance etc
• Cyber • Hacking systems • Employees’ devices etc
Human element is the most important element in security failures, with many factors facilitating it in the socio-technical system
The value of intangible assets in many companies is significant• Intangible assets include
brand, intellectual property, trade secrets etc
• Total value increased $19.8 trillion in 2001 to $47.6 trillion in 2016 (Brand Finance Institute, 2017)
Companies with the highest spending on research and development 2017
Ranking of the 20 companies with the highest spending on research and development in 2017 (in billion U.S. dollars)
Source: Bloomberg; Capital IQ ID 265645
Note: Worldwide
16.1
13.9
12.7 12.712.1 12
11.4
10.1 109.6 9.3 9.1
8.1 7.97.3
6.9 6.86.3 6.2 5.9
0
2
4
6
8
10
12
14
16
18
Exp
endi
ture
(in
billi
on U
.S. d
olla
rs)
Further information regarding this statistic can be found on page 8.
How big a problem?
• Criminologists well versed in challenges of measuring crime• ‘Gold standard victim surveys, but non existent for this ‘crime’
and• Many organisations don’t know they are victims • Criminal statistics , have many flaws but useful as barometer?• Many do not report
• Implications for reporting (share price, reputation etc)• Perpetrators abroad/state actors therefore any success unlikely• Criminal justice system perceived to be unlikely to have much
interest
• Many countries no specific offences and other offences used• Making identifying IR/ER cases difficult
• Where civil cases used don’t always reach public domain and/or harder to identify clearly as industrial espionage
• In the UK there have been a handful of successful prosecutions in the last few decades.
USA: Prosecutions under 1995 Economic Espionage Act (Priebe, 2014)
Fireeye Isight(2016)
• (Since 2013) Three years later, we see a threat that is less voluminous but more focused, calculated, and still successful in compromising corporate networks. Rather than viewing the Xi-Obama agreement as a watershed moment, we conclude that the agreement was one point amongst dramatic changes that had been taking place for years. We attribute the changes we have observed among China-based groups to factors including President Xi’s military and political initiatives, the widespread exposure of Chinese cyber operations, and mounting pressure from the U.S. Government. Yet China is not the only actor in transition: we’ve observed multiple state-backed and other well-resourced groups develop and hone their operations against corporate and government networks. The landscape we confront today is far more complex and diverse, less dominated by Chinese activity, and increasingly populated by a range of other criminal and state actors (p 15).
Serious political attention and action in some countries
Costs
• Lots of global and national estimates of varying quality • Cross-over with other means to secure intellectual property
• Cost of counterfeit goods, pirated software, and theft of trade secrets and could be as high as $600 billion(IP Commission, 2017)
• Espionage via hacking costs the US economy $400 billion per year (IP Commission, 2017)
• Trade secret theft costs 1% and 3% of GDP, meaning that the cost to the $18 trillion U.S. economy is between $180 billion and $540 billion (IP Commission, 2017)
• Espionage via cyber $10-$12 billion cost to USA and $50-$60 billion globally (CSIS, 2018)
• An earlier report by CSIS estimated global cost of $445 billion or 1% of global income (Wahsington Post, 2014)
Cost to the UK
• Specific assessment in the UK in found total cost of cyber crime to be £27 billion of which• £7.6 billion attributed to industrial espionage • Specific sectors• £2 billion financial services • £1.2 billion aerospace and defence• £1.6 billion mining • Cabinet Office/Detica (2011)
As a comparison to put in perspective• Home Office last estimated the total cost of crime in
2000• Commercial/public organisations (actual losses,
excluding additional costs)• £1.5 billion theft from shop • £1.3 billion criminal damage• £1.1 billion burglary• Of total of £10.3 billion property stolen/damaged
(Home Office, 2000)
Industrial espionage in the news in the UK
Research on industrial and economic espionage
• Given the scale of the problem and the political interest in this issue (in some countries) there is surprisingly little research
Thin base of ‘dedicated’ rresearch• Robbery 1931• Fraud 5608
• Bribery 869• Denial of service attacks 127
But, there are silos of knowledge
Insider
Cyber Technical
Organisations experiencing cyber breaches
0%
10%
20%
30%
40%
50%
60%
70%
80%
2016 2017 2018
Businesses experiencing cyber security breachin past 12 months
Large firms experiencing cyber security breachin past 12 months
Mean spend on cyber security in last year Mean spend on cyber security in past year
0
50000
100000
150000
200000
250000
300000
350000
400000
450000
2016 2017 2018
Large
Medum
Small
All
Cyber Skills Shortage
• Booz Allen Hamilton (2017) estimate the number of unfilled jobs worldwide will reach 1.8 million by 2022.
• The Centre for Strategic and International Studies (2016) based upon a survey of IT decision-makers in eight countries found 82% of respondents reported a shortage of cyber security skills and that this shortage was worse than for other IT skills.
• The same research identified that 15% of cyber security positions could be unfilled by 2020.
• Booz Allen Hamilton (2017) found two-thirds of organisations surveyed would not have enough cyber security operatives to meet the challenges they face.
• The ISCA (2017) found that a quarter or organisations surveyed took on average six months to fill a position and that competition for such jobs was weak.
Much evidence of human weakness in IT systems• Start of vast majority of cyber-breaches are phishing attacks• Steyn et al (2007) found of 400 randomly selected staff in an
organisation when asked to send their password 53% complied.• Phishme (2016) 40 million simulated emails quarter to fifth
regularly fall• Goel et al (2017) study of students sent 7225 mails of which
27.3% opened, 13.3% clicked on the link embedded in the mail • Kumaraguru et al (2007) 93% of spam email identified and
embedded training increased detection by participants further
Opportunities for big data and other traditional methods to predict insider risks• Extensive research on insider threats • Insiders associated with
• Workplace activities: unusual copying, IT activity, unauthorised storage of sensitive materials, commits security violations
• Workplace attitudes: poor work attitude, stressed, exploitable lifestyle, negative life events
• Psychological profiles (CPNI, 2013) • Gheyas and Abdallah (2016) have identified most
effective algorithims
The human element
• Central to the problem of industrial espionage is the human element
• Central to most cases will be: malicious insider or mistake by insider
• Central to tackling industrial espionage in the future is information security which fuses cyber-technical and human elements to enhance security
Conclusion and further thoughts
• Economic and industrial espionage are significant problems and major risks to intellectual property risk organisations and countries
• Commitment and resources vary in countering the problem
• Lack of research on this very important problem • How much of a problem ‘what gets measured gets done’ • What are organisations doing to counter this problem and what more could be
done?• What works in tackling this problem?
• The information security community has major role to play in tackling this problem
• Developing systems that minimise risks in human element• Developing robust secure systems• Using data to identify good ‘red flags’ to minimise false positives
Thank you
References
• Brand Finance Institute (2017) Global Intangible Finance Tracker 2017 http://brandfinance.com/images/upload/gift_report_2017_bf_version_high_res_version.pdf
• Button, M. (2008) Doing Security. Basingstoke: Palgrave.
• Cabinet Office/Detica (2011)The Cost of Cyber Crime. London: Cabinet Office
• CPNI (2013) CPNI Insider Threat Data Collection Study: Report of Main Findings. https://www.cpni.gov.uk/.../insider-data-collection-study-report-of-main-findings.pdf
• CSIS (2018) Economic Impact of cyber Crime – No Slowing Down. p17
• Fireeye Isight (2016) Redline Drawn. https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-china-espionage.pdf
• Gheyas, I. A., & Abdallah, A. E. (2016). Detection and prediction of insider threats to cyber security: a systematic literature review and meta-analysis. Big Data Analytics, 1(1), 6.
• Goel, S., Williams, K., & Dincelli, E. (2017). Got phished? Internet security and human vulnerability. Journal of the Association for Information Systems, 18(1), 22.
• IP Commission (2017) The theft of American intellectual property: reassessments of the challenge and united states policy.
• Kumaraguru, P., Rhee, Y., Sheng, S., Hasan, S., Acquisti, A., Cranor, L. F., & Hong, J. (2007, October). Getting users to pay attention to anti-phishing education: evaluation of retention and transfer. In Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit (pp. 70-81). ACM.
• Phishme (2016) Enterprise Phishing Susceptibility and Resiliency Report. https://cofense.com/enterprise-phishing-susceptibility-report
• Priebe, M., T. (2014) The Economic Espionage Act of 1996: A 15 Year Review. https://scholarworks.gvsu.edu/cgi/viewcontent.cgi?referer=https://www.google.co.uk/&httpsredir=1&article=1741&context=theses
• Steyn, T., Kruger, H. A., & Drevin, L. (2007, May). Identity theft—Empirical evidence from a Phishing exercise. In IFIP International Information Security Conference (pp. 193-203). Springer, Boston, MA.
• Wagner, R. E. (2012). Bailouts and the Potential for Distortion of Federal Criminal Law: Industrial Espionage and Beyond. Tulane Law Review, 86(5), 1017-1055. Retrieved from: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1923469 [accessed 10 January 2016].
• Washington Post (2014) Report: Cybercrime and espionage costs $445 billion annually. https://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.html?utm_term=.c83f5761d3a0
