Countries have been stealing intellectual property from one another since the dawn of time. But cyberespionage has pushed intellectual property (IP) theft to levels never imagined, which now is helping to fuel an all-out global trade war. One of the primary justifications President Trump gave for imposing $50 billion in trade sanctions on China was theft of intellectual property valued in the billions of dollars.
Not too long ago, an investigation by the U.S. Trade representative concluded that China’s IP theft costs between $225 billion and $600 billion annually. A separate investigation by the Commission on the Theft of American Intellectual Property estimated that intellectual property theft, mostly perpetrated by China, amounts to $1.2 trillion in damages.
Of course, there’s often a lot of nuance in terms of what exactly constitutes theft. The United States and European Union have both lodged complaints with the World Trade Organization (WHO) that allege a Chinese government requirement requiring foreign companies which do business in China must share intellectual property with local subsidiaries amounts to IP theft.
Clearly, not every theft of intellectual property involves cyberespionage. But there’s enough of it occurring to raise some serious questions about the efforts organizations are making to defend their intellectual property.
Arguably, valuable intellectual property should not be connected to internet. Widely known as the “air gap” defense, the assumption is that things that are not connected to internet are a lot more secure than things that are. The U.S. military has been employing air defense gaps for decades, and there’s a good reason why the formula for Coca-Cola or the secret recipe used by Kentucky Fried Chicken remain a secret.
Air gap defenses are not perfect. Employees still can be fooled using cyberengineering techniques into, for example, inserting a USB drive into a system not connected to the internet. Or digital cameras that are installed where these systems are housed and connected to the internet might be hacked. But those attack vectors can be contained.
However, far too many organizations are more than a little slipshod when it comes to protecting intellectual property. Copies of documents and files containing critical secrets are strewn across the extended enterprise. The more copies that exist of something, the more probable it will one day fall into the wrong hands.
Naturally, not all intellectual property is created equal. There will always be some some residing on a system connected to the internet. Organizations need to classify the economic value of that intellectual property, which in turn will determine the level of cybersecurity defense that should be applied. Every military officer is taught that trying to defend everything results in an ability to defend nothing.
In the meantime, the next time someone in the organization questions that value of investing in cybersecurity, it might be worth noting there is a direct correlation between trade wars involving billions of dollars of sanctions on goods and services and the amount of cybersecurity being applied by the organizations impacted by those penalties.