In the coming years, nation states’ intelligence services will combine forces with commercial organizations to launch a new wave of industrial espionage. Organizations developing strategically important, next generation technologies will be systematically targeted as national and commercial interests blur.
Business models will unravel as data is compromised by nation state-backed attackers aiming to steal secrets and disrupt development. Strategic plans, IP and other trade secrets regarding the next generation of technologies will become a prime target for nation states aiming to get ahead in the race for economic and military superiority.
While the concept of espionage is not new, the digital realm has widened the attack surface. Cyber spies will optimize existing tools and develop new ones to launch espionage attacks on a grand scale. Targeted organizations should expect to face sustained and well-funded attacks, involving a range of techniques such as drone surveillance, zero-day exploits, DDoS attacks and advanced persistent threats. This will be amplified by concerted attempts to infiltrate organizations and coerce existing employees.
The first nation state to develop technologies such as AI, 5G, robotics and quantum computing will gain unparalleled economic, social and military advantage over rivals. Organizations involved in their development will become highly enticing targets for nation state-backed espionage.
What is the Justification for This Threat
Nation states have fought for supremacy throughout history by racing to develop strategic technologies. In recent history this race has involved targeted espionage on nuclear, space, information and now smart technologies, such as IoT. Traditionally, when expectations around next generation technology ramps up, a period of significant espionage ensues.
IP theft accounts for more than 25% of the annual $600bn global cost of cyber-crime, with the cost of cyber-crime expected to rise year on year. Nation states are going to drive growth in IP theft, with reports that some have already resumed espionage in the high-tech industry.
A global retreat into protectionism, increased trade tariffs and embargos will dramatically reduce the opportunity to collaborate on the development of strategically important technology. Indicators of fractured geopolitical relationships have been evident throughout 2018, demonstrated by the developing trade war between the US and China, and the uncertain relationship between the UK and the rest of the EU. For example, in December 2018 the UK pulled out of the Galileo satellite-defense program after being denied a central role in the project post-Brexit, highlighting a decrease in international collaboration.
Regulatory tit-for-tat battles will manifest across nation states in the form of ‘mandatory technology standards', forcing organizations to disclose IP to domestic rivals. For example, there is already considerable ambiguity over whether foreign companies doing business in China must share sensitive IP if they wish to continue operating there. Organizations will struggle to implement a consistent global approach to controls that help to protect IP across multiple regions of the world, adding another dimension to the difficulties of protecting against espionage.
How Should Your Organization Prepare?
Organizations that use or develop next generation technologies will need to take proactive steps to secure IP or take legal steps to mitigate the impact of espionage.
In the short term, organizations should deploy physical security controls, such as turnstiles, blackout blinds or airlocks and increase vetting of staff with access to high-value IP. They should also adopt proactive counter-espionage techniques, such as honeypots, perform a specialized cyber security exercise simulating espionage and adopt a low-profile approach to R&D to avoid becoming a target for espionage.
In the long term, organizations should adopt a data-centric security posture by extending a data leakage prevention implementation to cover a wider range of data and attack vectors and implementing digital rights management for high-value IP. They should also legally protect high-value IP, e.g. via copyright, trademark or patent and take out cyber security insurance against competitor espionage or IP theft.
About the Author
Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security, digitalization and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.