|Topic:||Economic cyber espionage is a threat to the innovation economy|
|Title:||Founder & Chair|
|Organisation:||Centre for International Governance Innovation (CIGI)|
Jim Balsillie (B.Comm. Toronto, FCA Toronto, MBA Harvard) currently chairs the Board of Directors of Sustainable Development Technology Canada. He was appointed to this role by the Government of Canada in 2013. He is a co-founder and former co-CEO of Research in Motion (BlackBerry) and founder of the Centre for International Governance Innovation (CIGI). He is also the founder of the Balsillie School of International Affairs (BSIA), Arctic Research Foundation, and co-founder of Communitech. He was the private sector representative on the UN Secretary General’s High Panel for Sustainability. His awards include: Mobile World Congress Lifetime Achievement Award, India’s Priyadarshni Academy Global Award, Time Magazine World’s 100 Most Influential People, three times Barron’s list of "World’s Top CEOs" and once CNBC's list of 'Worst CEOs'.
The theft of trade secrets and other highly sensitive intellectual property through active persistent threats continues to suck trillions of dollars from the rightful owners and innovators of this intellectual property.
It is almost impossible to pick up a newspaper without seeing a story about a major company being 'hacked’. Yet what the media is reporting and in turn what the public sees is only a tip of an iceberg. The problem with hacking goes much deeper and presents an existential threat to the new innovation economy and to our very way of life. Cyber attacks undermine two critical pillars of the innovation economy: confidence in the security of data including the digital financial system and the ability of businesses to capitalize on their innovation and capture or protect their profits.
Take the economy in North America for example. Mike McConnell, former director of National Intelligence under President George W. Bush, publicly stated this year that the “Chinese have penetrated every major corporation of any consequence in the United States and taken information”. Certainly, the Chinese government is not the only culprit. Their actions represent an emerging pattern of behaviour among governments who condone or actively participate in the theft of data and intellectual property. This pattern of behaviour represents the biggest challenge facing global business in 2015. These attackers are what the cyber experts call “active persistent threats” – and the damage they can inflict on businesses, and correspondingly on the national economy, with a few key strokes can be catastrophic.
The ability of businesses to secure their customers’ data and financial information is vital for customer confidence and online commerce. When there is a data breach not only are there legal consequences, but there are serious reputational and business implications. A few recent cyber attacks against the economy in North America provide ready examples of the impact of cyber infiltration. In late 2013, the retail giant Target was hacked, resulting in the theft of approximately 40 million credit and debit card numbers, shaking confidence in the retail store. In 2014, the bank JP Morgan Chase was infiltrated through a sophisticated cyber attack, with some reports indicating that the action was a Russian retaliation for Western economic sanctions. Home Depot was also hacked, resulting in the theft of over 56 million credit card numbers and 53 million e-mail addresses. These are but a few of the well-publicized cases.
Cyber theft of an organization’s proprietary information and intellectual property may also have a significant macro-economic impact since the ability of a nation to harness innovation, commercialize its intellectual property, and reap the benefit of its ideas is the foundation of the innovation economy. The theft of trade secrets and other highly sensitive intellectual property through active persistent threats continues to suck trillions of dollars from the rightful owners and innovators of this intellectual property.
The magnitude of this problem continues to grow due to a number of factors. First, malicious actors can penetrate secure systems and extract proprietary data with little risk of detection. Second, even when an attack is uncovered it is notoriously difficult to prove who perpetrated the act. This is because many attackers will route their operations through a number of different countries, making digital forensics extremely tricky. Third, and perhaps most importantly, many states view this form of economic cyber espionage as a way to further their geostrategic interests and sometimes they themselves are the perpetrators while at other times they simply turn a blind eye. In this way, states tend to view one another as competitors in the global economy, and stealing information and intellectual property is one mechanism which will allow them to grow their own economy faster at the expense of their competitors.
This is especially troubling because innovation – the core component of the knowledge economy – is encouraged in an environment where intellectual property is respected, and it is undermined when the hard work that is put into developing new ideas and technologies can be stolen with impunity. So what can be done to protect the global knowledge economy? Individuals, companies and governments all have a role.
Universally, Internet and IT security experts will say that individual users are the weakest link in any cyber security system. To help maintain security in cyberspace, individuals need to take steps to protect their devices and think about the implications of visiting a particular site or opening a link in a suspicious email. This will ultimately require better digital security awareness on the part of individuals, especially those that work in companies that may be targeted, because the actions of one negligent employee can put an entire enterprise at risk.
Private companies possess the data and develop the intellectual property that is so tantalizing for the criminally inclined. They spur the economy through electronic commerce and online communication. They are also the main source of the ongoing innovation that is driving the global economy forward. All of this makes private enterprise the clearest target for cyber attacks in the digital age, which exposes a deeper and more nuanced set of problems.
The first problem for business in combating the threat from cyber espionage is that many (if not most) occurrences go undetected. Attackers are utilizing increasingly sophisticated intrusion vectors, leaving victims totally unaware of the intrusion. Additionally, even when an attack is exposed, companies may choose not to share that information with law enforcement or state security agencies (absent a statutory disclosure requirement) because they believe public exposure could jeopardize their reputation, highlight the weakness of their cyber infrastructure or undermine share value. Moreover, publicly accusing either a competitor or their state sponsor of economic cyber espionage can create unwanted media attention for the target corporation and can increase tension in international and transnational relations. But, even with enhanced security measures many private companies are unlikely to be able to adequately protect themselves, given the size and the sophistication of the threat. That is where national governments and global governance institutions can play a role.
Even though some governments view economic cyber espionage as being in their geostrategic interest, the long-term consequence of this behaviour is that it will undermine confidence and trust in the digital financial system and create a drag on the global economy. In order to mitigate these consequences, there needs to be international co-operation to secure the Internet and to shut down cyber thieves. Also, states need to endorse a strong set of norms which prohibit state sponsorship of – or acquiescence toward – acts of economic cyber espionage. The creation of a normative framework which expressly bans economic cyber espionage will allow those that adhere to the norm to more readily identify and expose rogue actors. Given that many private corporations will choose not to publicly accuse foreign governments or competitors of engaging in cyber espionage, a normative framework which encourages or requires the exposure of state sponsors of this activity will be an important first step in curbing a growing trend. This will all be paramount if we are to steer the global economy around the iceberg.