Friday, September 19, 2008

Cost of Intellectual Property Theft

I liked the following excerpt from Tim Wilson's story Experts: US Is Not Prepared to Handle Cyber Attacks:

If the bad guys launched a coordinated cyber attack on the United States tomorrow, neither government nor industry would be able to stop it, experts warned legislators yesterday.

At a hearing held by the House Permanent Select Committee on Intelligence, cyber defense experts testified that government agencies are insufficiently coordinated to handle an attack, and that efforts to build a defense have not adequately addressed issues in the private sector...

[Paul] Kurtz [a partner with Good Harbor Consulting and a member of the Center for Strategic and International Studies's (CSIS) Commission on Cybersecurity] registered concerns about the theft of intellectual property from U.S. companies, which he said is occurring at a rate of $200 billion a year. "American industry and government are spending billions of dollars to develop new products and technology that are being stolen at little to no cost by our adversaries," he said. "Nothing is off limits -- pharmaceuticals, biotech, IT, engine design, weapons design."

Why spend money on research and development if you can steal the product from someone else? The long-term foundation of this country's power is economic, not military. When our competitiveness is systematically eroded by foreign nation-states, action must be taken. A year ago I wrote US Needs Cyber NORAD:

We often hear that the private sector should protect itself, since the private sector owns most of the country's critical infrastructure. Using the same reasoning, I guess that's the reason why Ford defends the airspace over Dearborn, MI; Google protects Mountain View, CA, and so on.

Industry needs help, and we need it now.


Danny said...

While not a silver bullet by any means, airgapping your R&D network from anything even remotely internet connected and having a strongly enforced removable media policy would fix the majority of reasons this happens.

Well, that and not hiring so many foreign nationals to do the work.

Kevin Rowney said...

We can all agree that, like many complex risks, there's no one simple solution that mitigates all problems.

Air-gapping your R&D network is a pretty extreme measure though and usually isn't practical. Large scale commercial R&D facilities don't often choose this option because of its impracticality.

A more practical approach: watch for (or even conditionally block) the exposure of sensitive data via the network, removable media, and storage devices.

Our customers have done numerous "diving catches" on attempted IP breaches using DLP software. It won't solve all problems, but it certainly does stop many of the primary threat models.

Using DLP, you manage the risk without resorting to a productivity compromise for your R&D lab. Hard to expect today's commercial researchers to be productive without Internet access.

Kevin Rowney
Founder, DLP Division of Symantec

Anonymous said...

Enforcement Enforcement Enforcement!


Anti-cybercrime legislation sent to president
By Marcia Savage, Features Editor, Information Security magazine
18 Sep 2008

Legislation to crack down on cybercrime was sent to the president this week for his signature.

Provisions of the Identity Theft Enforcement and Restitution Act, S. 2168, were included in H.R. 5938, a bill that extends Secret Service protection to former vice presidents. The U.S. House of Representatives passed H.R. 5938 Monday and sent it to the president.

"The key anti-cybercrime provisions that are included in this legislation will close existing gaps in our criminal law to keep up with the cunning and ingenuity of today's identity thieves," Sen. Patrick Leahy (D-Vt.), sponsor of S. 2168, said in a prepared statement.

The legislation gives identity theft victims the ability to seek restitution in federal court for the loss of time and money spent restoring their credit. It also enables federal prosecution of cybercrime not involving interstate or foreign communication, and eliminates the requirement that damage to a computer exceed $5,000 before charges can be brought for unauthorized access to a computer. Leahy said the bill protects innocent people from "frivolous prosecutions" by clarifying that the elimination of the $5,000 threshold only applies to criminal cases.

In addition, the bill tackles the botnet problem by making it a felony to use spyware or keyloggers to damage 10 or more computers, regardless of the total amount of damage caused.

The legislation also makes it a crime to threaten to steal data from a computer. This provision expands current law, which only allows prosecution of criminals who try to extort companies by threatening to shut down or damage a computer.

Robert Holleyman, president and CEO of the Business Software Alliance, applauded the cybercrime provisions. In a prepared statement, he said the legislation would "lead to stronger, more aggressive enforcement action against a variety of cyber threats, such as botnets."

The bill will give law enforcement more tools to fight today's cybercrime, he said. "For too long, cybercriminals have taken advantage of legal loopholes to evade prosecution and rob consumers of their financial security," Holleyman said.

Davi Ottenheimer said...

Where did he get that $200 billion number?

The US Dept. of Commerce for years has said the number is much higher.

"Using DLP, you manage the risk..."

Excellent point.

I read statements like that and think "using loss prevention you can prevent loss", which sounds great but means virtually nothing.

Show us how DLP has reduced the US Dept. of Commerce estimates. And if the numbers are going up, explain why this does not mean DLP is failing.
