My last post illustrated the different facets of cybercrime and cyber espionage. Today, we dig deeper into the innovation costs associated with the theft of intellectual property.
The most important area for loss is in the theft of intellectual property and business-confidential information—economic espionage. It is difficult, however, to precisely estimate these losses. This is in part because cyber spying is not a zero-sum game. Stolen information is not really gone. Corporate espionage could result in the theft of an organisation’s product plans, its research results, and its customer information. That information may not be lost, the organisation will still have the information and they may not even know that it no longer has control over that information and someone else may also be using the same information. In certain scenarios this could leave the targeted organisation liable for information they don’t know is being used outside their infrastructure.
There are many ways to determine the value of intellectual property, but it is very hard to measure. One approach is to estimate what it would fetch on the market if offered for sale or for licensing. Companies can value their intellectual property by determining the income streams it produces and is expected to produce in the future.
Companies can also estimate what it would cost to replace intellectual property as a means of estimating its value, although a reliance on inputs for estimating value can be very misleading. The actual value of intellectual property can be quite different from the research and development costs incurred in creating it. If a company spends a billion dollars on a product that fails in the market, and a foreign power or competitor steals the plans, the loss is not a billion dollars but zero— the invention’s market value.
However, if the competitor that illegally acquired the intellectual property is unable to develop a competing product, the theft does not create additional risk for the victim. To suffer loss, the acquiring company would have to use the IP in a way that harms the victim, by offering a competing product or by improving their bottom line through reduced R&D costs.
Making high tech products requires ‘know-how’ as much as unique intellectual property and ideas no one in the industry has though of—knowing how to run a manufacturing process, where to buy the cheapest inputs, which customers are most interested, what designs actually move product, etc. If a company who steals ideas from other companies can ask each time they hit a roadblock, “How did the victim get over this barrier?” and then go back find the answer in the victim’s files, then they can quickly acquire the practical know how to use the stolen IP.
In 2013, Telenor, a Norwegian telecoms firm reported a case of cyber espionage to the Norwegian Police Nor-CERT and Norway’s cyber defense unit Cyberforsvaret. It was claimed at the time the attack originated from India. In these attacks senior executives were targeted and Telenor confirmed data was lost in what was called a “sophisticated and well organised attack”. Could this information have been used to gain competitive advantage through theft of valuable intellectual property?
Historically, state sponsored commercial espionage has focused on areas of great interest to governments, such as military and advanced technologies. More recently, some countries seem to use cyber espionage as a normal part of business. Cyber espionage by nation states to benefit their companies is a kind of state aid to those companies that is cheaper than traditional subsidies.
This privatized espionage can be deployed against a much broader swath of companies. One interview with intelligence officials told of a US furniture company being hacked and losing its IP, only to see furniture made from its designs being offered online to wholesalers.
There are similar stories involving efforts to use cyber techniques in attempts to acquire breakfast cereal recipes, running shoe designs, automobile part technologies, and soft drink formulas. These are not ‘strategic industries’, but their losses from cyber espionage can still be significant. Companies and markets could still register losses in profitability. Communities could still lose jobs.
The victim company still has access to the intellectual property. It has not lost the ability to make the product; what has in fact happened is that it now faces a new competitor. The risk of this competition is increased if the new foreign competitor has access to other government subsidies that allow it to sell at a lower price or if it is supported in its domestic market by barriers that hamper outside companies from competing.
In 2012, a former senior systems security advisor at Nortel said during an interview with CBC’s program As It Happens that spying by hackers was a considerable factor for the demise of Nortel. He went on to say “when they see what your business plans are, that’s a huge advantage. It’s unfair business practices that really bring down a company of this size”. During an interview with the Wall Street Journal, Shields stated that the attackers “had access to everything”, and that the attacker had plenty of time to figure out what they wanted downloading everything from business plans, to research and employee information. Nortel filed for bankruptcy in 2009.
Any assessment of the cost of cyber espionage must put the crime in the larger context of national economic and trade policy to understand the possible consequences.
My next post will delve into the theft of business confidential information.