Thursday, November 20, 2008

Intellectual Property: Develop or Steal

I found the article Internet thieves make big money stealing corporate info in USA Today to be very interesting.

In the past year, cybercriminals have begun to infiltrate corporate tech systems as never before. Knowing that some governments and companies will pay handsomely for industrial secrets, data thieves are harvesting as much corporate data as they can, in anticipation of rising demand...

Elite cybergangs can no longer make great money stealing and selling personal identity data. Thousands of small-time, copycat data thieves have oversaturated the market, driving prices to commodity levels. Credit card account numbers that once fetched $100 or more, for instance, can be had for $10 or less, says Gunter Ollmann, chief security strategist at IBM ISS, IBM's tech security division.

Who buys stolen business data? Brett Kingstone, founder of Super Vision International (now Nexxus Lighting), an Orlando-based industrial lighting manufacturer, knows the answer all too well. In 2000, an intruder breached Super Vision's public-facing website and probed deep enough to snatch secrets behind the company's patented fiber-optic technology.

That intelligence made its way into the hands of a Chinese entrepreneur, Samson Wu. In his book, The Real War Against America, Kingstone recounts how Wu obtained Super Vision's detailed business plans, built a new Chinese factory from scratch and began mass marketing low-priced counterfeit lighting fixtures, complete with warranties referring complaints to Super Vision.

"They had an entire clone of our manufacturing facility," says Kingstone, who won a civil judgment against Wu. "What took us $10 million and 10 years to develop, they were able to do for $1.4 million in six months..."

In the past nine months, data thieves have stepped up attacks against any corporation with weak Internet defenses. The goal: harvest wide swaths of data, with no specific buyer yet in mind, according to security firm Finjan...

"Cybercriminals are focusing on data that can be easily obtained, managed and controlled in order to get the maximum profit in a minimum amount of time," says Ben-Itzhak.

Researchers at RSA, the security division of tech systems supplier EMC, have been monitoring deals on criminal message boards. One recent solicitation came from a buyer offering $50 each for e-mail addresses for top executives at U.S. corporations...

Meanwhile, corporations make it all too easy, say tech security experts and law enforcement officials.
(emphasis added)

We know that amateurs study cryptography while professionals study economics, and this story explains why. $1.4 million over six months versus $10 million over 10 years makes theft the more attractive proposition for those operating outside the law.

I'm often asked how we should think about "winning" our current cyber conflicts. I like to consider two metrics.

  1. Information assurance is winning, in a broad sense, when the cost of stealing intellectual property via any means is more expensive than developing that intellectual property independently.

  2. Information assurance is winning, in a narrow sense, when the cost of stealing intellectual property via digital means is more expensive than stealing that data via nontechnical means (such as human agents placed inside the organization).

Number 1 is the metric to prefer when you consider your organization as a whole. Number 2 is the one to prefer if you only care about making IP theft the problem of your physical security organization! Obviously I prefer number 1 if possible, but number 2 is more achievable in the medium to long term.

This echoes the comment I made in Ten Themes from Recent Conferences:

We cannot stop intruders, only raise their costs. Enterprises stay dirty because we cannot stop intruders, but we can make their lives more difficult. I've heard of some organizations trying to raise the $ per MB that the adversary must spend in order to exfiltrate/degrade/deny information.

Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

5 comments:

Richard said...

Dave has a great blog post on economy vs. information security. It has a similar and deeper dive on this topic at: http://1raindrop.typepad.com/1_raindrop/2008/11/the-economics-of-finding-and-fixing-vulnerabilities-in-distributed-systems-.html?cid=139804254#comments

Richard

jbmoore said...

You don't even have to steal data from the company itself. Every day, a firm I monitor sends out confidential and proprietary documents such as marketing projections and analysis to mail.yahoo.com and mail.google.com. Instead of the firm fixing the classification scheme and enforcing policy, we were told to stop monitoring and ticketing such cases.

z said...

@jbmoore:
Sounds like a job for the auditors. It speaks right to the issue too: if the concern isn't supported by policy or regulation, the financial people should still understand the risk.

Rob Lewis said...

This comment has been removed by a blog administrator.

G said...

Perhaps more cynically we could suggest a third metric:

Information assurance is winning, in a broad sense, when the cost of stealing your organization's [company's / government's / military's] intellectual property via any means is more expensive than just stealing it from someone else.

Practically speaking, isn't that what it comes down to?