Corporate espionage is one of the least understood and most downplayed elements of cyber security. Most people focus on massive breaches involving personal or financial data, and the majority of these breaches are discovered by someone other than the victim organization. This happens because the personal data is often sold on illicit marketplaces. Would we ever know the breaches occurred if the information were not sold on the open market? That is exactly the situation with corporate espionage.
According to a recent study commissioned by Bromium and unveiled at RSA Conference 2018, cyber crime generates $1.5 trillion per year. If cyber crime were a country, it would have the 13th highest GDP in the world. Based on media coverage and the regulations being passed around the world, you would think that regulated data would make up the majority of that revenue, but you would be wrong. Theft of trade secrets and intellectual property accounted for $500 billion, or a full third of overall cyber crime, while regulated information accounted for $160 billion, or just over 10%.
Back in 2004, a study unveiled at the London Infosecurity Summit indicated that, “more than 70% of people would reveal their computer password in exchange for a bar of chocolate”. The world has changed since then, and most employees are more aware of security in general. Assuming your organization has an access control and entitlement review process, and knows where every copy of critical data is stored, you would not grant access to someone who would trade their password for a candy bar. What if the stakes were much higher? Would your employees trade your secrets for $1 million or $10 million? What if they weren’t asked to actually deliver information or give away their password? What if they were told to simply click on a phishing email and plead ignorance?
A Lack of Awareness
Most organizations use regulation compliance to fund their data security initiatives. Therefore, most programs have an outsized focus on compliance initiatives rather than objectively valuing the data their organization holds. They don’t perform a risk assessment against that data and prioritize security based on that risk assessment. If theft of trade secrets and intellectual property is three times more economically impactful each year than theft of regulated data, why are organizations so much more concerned with protecting regulated information than intellectual property?
There are likely many reasons for this, beginning with a simple lack of awareness. Most intellectual property thefts are conducted in secret, with a buyer or state sponsor identified before the theft occurs. Stolen regulated data is often sold on a marketplace, whereas organizations face far fewer requirements to publicly disclose the theft of intellectual property. Regardless of the reasoning, this lack of awareness helps to drive increased intellectual property theft, because this information is simply not as well protected as regulated data. In the last seven years I’ve noticed that most organizations fund their initiatives through a compliance need, and many programs begin with protecting data even when significantly valuable intellectual property is owned by the organization. Many organizations never shift from regulated data protection to intellectual property protection, resulting in more theft of intellectual property.
In actuality, if compliance is the driver for security spending in an organization, that organization’s security team has ceded its cyber security strategy to lawmakers. That is a truly scary proposition. Lawmakers, in most countries, are not cyber security experts. This is not an indictment of lawmakers; most of them did something else before they were in government. If you were a doctor or a lawyer who won an election and were suddenly expected to be an expert in setting public policy on technology and cyber security, you would likely struggle to become an expert overnight as well. Therefore, a security strategy driven by compliance means an organization will always be behind the curve and likely unprotected.
Sophisticated Actors and Insiders
Regulated data is generally stolen using commoditized tools by criminal organizations ranging from unsophisticated to reasonably sophisticated actors. Intellectual property, however, is often stolen by well-funded and sophisticated actors who frequently leverage insiders to bypass externally-facing corporate defenses. Firewalls and deception systems, while very good at making it difficult for a true external actor to find what they are looking for, do not help address the insider threat. Insiders generally know exactly where the data they are looking for is located and, by definition, must be able to access it in order to do their jobs. To address the threat posed by these actors, it is imperative that organizations monitor the movement of the data itself as well as the behavior of users. Advanced endpoint protection platforms that employ machine learning to detect advanced malware are similarly useless against an insider, because that person is not likely to deploy malicious code to steal data. The truth is that many of the products CISOs are spending their budgets on and their time pursuing are useless against one of the most common tactics used to generate one third of cyber crime’s overall revenue.
The insider threat is an inconvenient truth: we’ve all heard of it and know it exists, but no one wants to believe their friend or colleague is going to act maliciously. The truth is that people do. There have been recent high-profile cases that illustrate this, such as Waymo vs. Uber, but it stands to reason that there are many others that are never discovered or never reported. This is certainly not the first time Uber has been accused of stealing intellectual property from its competitors. In fact, a recent article from MarketWatch reports that, according to a lawsuit, “Uber Technologies Inc. operated a clandestine unit dedicated to stealing trade secrets.”
Another article, in CNN Money, details the story of American Semiconductor, a company based in Massachusetts that recently won a lawsuit against its former Chinese partner Sinovel, which was convicted of stealing American trade secrets in a US federal court. The short version of the story is that American Semiconductor began doing business in China in 2007, with Sinovel as a customer for components that run wind turbines. In 2011, Sinovel did not pay American Semiconductor’s outstanding invoices and canceled orders that were ready to be shipped. Upon investigation, it was revealed that an employee at an American Semiconductor subsidiary had been offered $2 million to turn over American Semiconductor’s source code for its wind turbine control software. Investigators even uncovered Skype conversations in which the bribed employee told Sinovel that once they had this source code they could separate from American Semiconductor. American Semiconductor had a stronger-than-average security program to protect against attacks from the outside; however, the failure to monitor user behavior and data with respect to trusted insiders nearly cost them their company.
Think of all of the people inside your organization who have access to critical intellectual property and trade secrets. Not just the few in the middle of the inner circle, but every person involved in storing, processing, or transmitting that information. Even assuming the concepts of least privilege and need to know are enforced, this is still likely to be at least ten people. Most organizations would probably admit that they do not implement least privilege well, and very few CISOs would stake their reputation on a bet that there are no overly permissive systems and file shares in their environment. As a result, in most organizations there are more users who can access information than there are users who absolutely must in order to perform their job functions. Consequently, privilege misuse, meaning users accessing data they have no legitimate need to access and then leaking that data, is the second most common incident type in Verizon’s 2018 Data Breach Investigations Report. It accounted for over 20% of total incidents in 2017 and is therefore the most common method through which data is breached, ahead of more publicized incident types like crimeware (#3) or payment card skimmers, which are often talked about but are responsible for by far the fewest incidents. Because most organizations do not implement and maintain stringent access control policies, and most employ relatively flat, non-segmented networks, think of the number of people in your organization who could potentially access such critical information.
Fredrik Lindstrom, Manager CIO Advisory at KPMG, was quoted in a CIO magazine article saying, “Network segmentation, or splitting a network into sub networks, is the best way to phase out outdated security approaches. Unfortunately, it is also one of the most neglected parts of a cyber security program, because most organizations believe network segmentation is too complex and cumbersome.”
In the face of these odds, how can an organization possibly protect itself? It could start by monitoring the data that matters most and analyzing the behavior of users and credentials against baseline behavior. No data theft can happen without a change in the behavior of the data and of the user. This is true whether the threat is external, a zero-day exploit, or a trusted insider. The problem is that this requires an organization to admit that the insider threat is real and could affect them, and to commit to the hard work required to protect its critical data assets. People naturally gravitate to easy solutions, such as technologies that can be deployed with little thought or attention. Fewer people want to do the hard work of building a program to protect critical data and address insider threats.
While it is unpopular to admit that your friends and neighbors may be the people most likely to put critical data at risk, and far more difficult and time consuming to build a security program that takes critical data assets and user behavior monitoring and analytics into account, the consequences of not doing so can be catastrophic. American Semiconductor is not alone; there are many other cases like it that never end up in court and are never publicly disclosed. This silence is part of the problem with awareness of these types of challenges. There is hope, however. I have many stories, which I cannot share due to confidentiality agreements, in which properly built and maintained security programs thwarted similar attempts to steal and capitalize on intellectual property theft. These things are happening. Don’t ignore the facts. It’s time to protect your organization. You don’t need to wait for the government to tell you that you must.