This series of blog entries on foreign economic cyber-espionage arose from a recent government report detailing the source, extent, and threat of cyber-espionage to the U.S. economy.  This entry focuses on the cost of this espionage to the U.S. and global economy.

The National Counterintelligence Executive report finds that the threat of cyber-espionage applies to all U.S. economic activity and technology, but the greatest threats are to:

  • Information and communications technology, which forms the backbone of nearly every other technology.
  • Business information that pertains to supplies of scarce natural resources or that provides foreign actors an edge in negotiations with U.S. businesses or the U.S. Government.
  • Military technologies, particularly marine systems, unmanned aerial vehicles, and other aerospace/aeronautic technologies.
  • Civilian and dual-use technologies in sectors likely to experience fast growth, such as clean energy and healthcare/pharmaceuticals.

With respect to the health care and pharmaceutical industry, the report specifically notes that, “The massive R&D costs for new products in these sectors—up to $1 billion for a single drug—the possibility of earning monopoly profits from a popular new pharmaceutical, and the growing need for medical care by aging populations in China, Russia, and elsewhere are likely to drive interest in collecting valuable U.S. healthcare, pharmaceutical, and related information.”

Cyber-espionage has cost tens or hundreds of millions of dollars in potential profits to U.S. entities, but the report also identifies several factors that complicate measuring the cost of cyber-espionage:

  • Many victims of economic espionage are unaware of the crime until years after loss of the information.
  • Even when a company knows its sensitive information has been stolen by an insider or that its computer networks have been penetrated, it may choose not to report the event to the FBI or other law enforcement agencies. No legal requirement to report a loss of sensitive information or a remote computer intrusion exists, and announcing a security breach of this kind could tarnish a company’s reputation and endanger its relationships with investors, bankers, suppliers, customers, and other stakeholders.
  • A company also may not want to publicly accuse a corporate rival or foreign government of stealing its secrets out of fear of offending potential customers or business partners.
  • Finally, it is inherently difficult to assign an economic value to some types of information that are subject to theft. It would, for example, be nearly impossible to estimate the monetary value of talking points for a meeting between officials from a US company and foreign counterparts.

Nicole Perlroth, a reporter for the New York Times Bits column, writes regularly on data privacy and data security issues.  She recently reported in greater depth on the economic cost of economic cyber-espionage.  In an article titled “How Much Have Foreign Hackers Stolen?” she points out that nobody really knows how much has been stolen and, predictably, companies are reluctant to discuss any security breaches they have suffered.  Her research, however, identified Congressional testimony by the Assistant Director of the U.S. Secret Service estimating that in 2010 “cyberthieves abroad stole 867 terabytes of data from the United States, or nearly four times the amount of data collected in the archives of the Library of Congress.”  That amount is now stolen on a daily basis, according to the former Director of National Intelligence.  Any computer system of consequence has been compromised by an advanced persistent threat.

The problem will only get worse as foreign technology improves, more data is moved into “the cloud”, and workers make it easier to steal trade secrets by carrying them around on their personal devices.  Ms. Perlroth wrote a separate article called “Traveling Light in a Time of Digital Thievery” that describes the lengths to which companies are going to protect their data when their employees travel abroad.  Such measures include bringing loaner devices that are wiped clean before they leave the U.S. and immediately upon return to the U.S., disabling Bluetooth and Wi-Fi when overseas, and copying and pasting passwords from a separate USB thumb drive.  The article is well worth a read for anyone traveling overseas with a mobile device that is used to access corporate data in the United States.

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.