What You Don’t Know Can Definitely Hurt You

One of the more insidious aspects of modern-day industrial espionage is that many of the threats to a company’s IP can be extremely difficult to detect; as a result, IP theft is frequently detected too late, after the fact, or not at all. Given the nature of threats to your company’s intellectual property (IP), and the severe consequences of IP loss, what you don’t know definitely can hurt you.

IP Theft as “Invisible Looting”

To fully appreciate the severity of the invisible threats to IP, one should think in terms of invisible looting. Mention of the word looting usually conjures up images of opportunistic criminals smashing store windows, kicking in doors, and entering businesses to steal whatever goods they can grab. Thieves brazenly walk out of the victim business with armfuls of merchandise, replaced by other thieves eager to rush in and take their turn. Looting is a catastrophic event. Now just imagine if looters could come and steal your company’s most valuable data – and remain invisible in the process.

Invisible Threats to IP Have Visible Consequences

Over the past two decades, US defense contractors have become painfully aware that not only the intelligence services of China and Russia, but also other nefarious actors have engaged in systematic efforts to steal sensitive, defense-related IP from US firms. Given this awareness, one might then expect that U.S. defense contractor firms are now among the world’s most competent enterprises when it comes to safeguarding their IP. One would especially imagine this to be true in the case of a defense contractor once headed by a former CIA director, and which also later had the Pentagon’s highest-ranking intelligence official as a division chief. One might imagine that – and be absolutely wrong.

In early 2013, the American subsidiary of a major British defense firm was shocked to discover that they had been thoroughly victimized by at least one, and likely two, known Chinese government hacker groups. Cyber investigators discovered hackers had gained access to nearly every aspect of the company’s operations, to include production facilities and engineering labs. Over the course of several years, those hackers systematically pilfered sensitive company IP pertaining to drones, satellites, the US Army’s combat helicopter fleet, and military robots. A subsequent investigation revealed that not only the Chinese, but also Russian hackers had been stealing data from the company for several years. Ironically, much of the information about this defense contractor’s staggering IP losses first became public after the group Anonymous hacked the security firm that had been hired by the defense contractor to investigate its IP losses.

No Security Measure Too Small

How could a major defense contractor, a company that should have known better, fall victim to such widespread theft of its intellectual property? A number of seemingly small-scale security problems all contributed to a perfect storm that enabled multiple hacker groups to steal terabytes of data over the course of years.

A few of the numerous factors contributing to these IP thefts include the following:

• The company failed to correct an IT security flaw identified months before – enabling hackers to gain access to the network and steal over 10,000 individual passwords.
• The company ignored the recommendation of a security firm and did not implement two-factor authentication for employees who were legitimately accessing company servers from remote work locations.
• The company had at least one unsecured WiFi connection that was accessible from the company’s parking lot.

Painful Lessons Learned

In this case, the victim firm knew, at least on a conceptual level, that they were at risk of being targeted by outside groups desirous of their IP. However, the firm failed to adequately understand the threats or properly protect itself. This firm’s experience illustrates three key takeaways regarding potential invisible IP threats that all companies should consider:

• Just because you do not see a threat to your company’s IP does not mean that a threat does not exist, is not currently underway, or has not already been perpetrated.
• In order to detect threats to your company’s IP, you must know what the threats are, what you’re looking for, where to look, and how to recognize the indicators.
• Successful detection of threats to your company’s IP requires knowledge, awareness, and vigilance.

How to Successfully Defend Against Invisible Threats to IP

The key to successfully defending against often-invisible threats to IP is to adopt a systematic approach based on the acronym KASS-TV:

Knowledge
• What intellectual property do we have that we cannot afford to have compromised or stolen?
• What would be the impact to us of that IP being stolen?
• Who in the company legitimately requires access to that IP?
• How could access be gained to that IP?
• How do we currently protect that IP?

Awareness
• Who, inside or outside the firm, might be motivated to steal that IP?
• What are the various means by which someone could conceivably gain access to that IP?
• Given the threats, is that protection adequate?

Strategy
• What is our strategy for safeguarding our various IP?
• Who is responsible for developing our IP protection strategy?
• What policies and procedures are necessary to implement our IP protection strategy?

Systems
• What IT systems could be used to access our IP?
• What other systems (security, communications, logistics, etc.) should be assessed when contemplating risks to our IP?

Training
• What training needs to be conducted to make staff aware of threats to our IP, and how to detect those threats?
• Who is responsible for developing and providing that IP protection training for our employees?

Verification
• What mechanisms can be instituted to verify that our strategy, training, policies and procedures are working?

Cipher is an innovative boutique consultancy focused on providing strategy consulting services and intelligence technology solutions that help clients make smarter, faster decisions. Our consulting services include IP Protection, Operations Consulting, War Games & Scenario Planning, and CI and Counter-CI Training. Cipher’s Integrated IP Asset Protection Solution is a risk-based, coordinated approach to securing critical IP. Our experience has taught us that successful IP protection strategies are built on the solid foundation of a “Culture of Awareness” within your organization. Our security awareness and counter-intelligence training solutions sensitize employees to the threat, provide them with tools to successfully recognize potential threats, and teach them how—and to whom—those issues should be reported.