31/01/2009 | Putting A Price On Cyberspying

Andy Greenberg

In the murky world of cyber espionage, the spied-upon are often just as silent as the spies. Even as governments publicize the problem of intellectual property theft by digital intruders, few companies' chief information officers will admit they've been targeted.


But question those CIOs anonymously, and their candid answers begin to sketch the size of the problem: A hemorrhaging breach in research and development secrets that, in the last year, may have added up to roughly $4.6 million in lost or stolen intellectual property per company.

That's the number released Thursday in a study performed by Purdue's Krannert School of Management and funded by security software firm McAfee. The study queried nearly 800 CIOs about the value of their IP lost to hackers and insider thieves in 2008.

Of those surveyed, more than 119 respondents said they'd had intellectual property, including research and development or other strategic data, stolen. And the estimated value of those victims' lost data added up to nearly $559 million over the last year, or $4.6 million per company, with 3% of the firms reporting stolen data worth $50 million or more.

Purdue's results shed some light on a dark corner of information security: While practically every U.S. state has passed a law forcing companies to disclose data spillage incidents involving customer or employee data that could lead to identity theft, other types of data loss have been far less scrutinized.

The stealing of trade secrets or other strategic intellectual property is rarely reported, as executives worry that publicizing a breach could attract more cyberspies looking for network vulnerabilities or even lead to shareholder lawsuits.

Purdue's estimate of that lost IP's value is only a vague outline of the problem, admits Karthik Kannan, a professor in Purdue's Center for Education and Research in Information Assurance and Security. But it's a start. "Because companies don't disclose any of this information publicly, we don't have precise information," Kannan says. "But it's at least an approximate value that you can put your finger on. Even if it were half of this, it would be a huge number in terms of intellectual property lost in a single year."

In fact, the real value of stolen IP worldwide may be far higher, says Scott Borg, director and chief economist at the U.S. Cyber Consequences Unit (USCCU), a nonprofit organization that communicates between the private sector and government on cybersecurity issues.

"When companies think of intellectual property, they're thinking only of things they hire lawyers to protect," says Borg. "But all kinds of other information, from e-mails to engineering techniques, is being stolen, and it takes a lot of efficient analysis to determine the real size of the problem."

The consequences of all that data leakage could reach far beyond any single company, potentially affecting entire national economies, Borg says. "A new processing plant in Southeast Asia can, on day one, have a level of sophistication that it took a U.S. company six years to gain," he says. "That's making a huge difference economically."

Borg says his organization has been tracking cyberspying against private companies since around 2004, when his group's investigation into potential cyberwarfare targets revealed what seemed to be digital snooping in the networks of U.S. utilities. (Borg declined to name any specific targets.)

Since then, others have sounded the same alarm bell: In September 2007, Alan Paller, the director of the SANS Institute, said that each of the top 10 U.S. defense contractors--including Boeing, Lockheed Martin, Northrop Grumman and Raytheon--had been hacked.

Two months later, the British intelligence group MI-5 sent a note to 300 British companies warning them about Chinese cyberspying against Western companies.

Purdue's study, which surveyed companies globally, didn't deal with the source of the spying incidents. But it did address CIOs' perceptions of which countries represented an information security threat as an outsourcing destination.

Russia, Pakistan and China ranked lowest in terms of trust as IT contractors, with 26% of respondents reporting that they'd avoid giving sensitive information to a Chinese firm and 27% distrusting Pakistani contractors.

CIOs also reported a growing fear of IP theft as a result of the global recession, as laid-off employees carry proprietary data to sell to competitors or to offer to companies in a bid to make themselves more employable. Forty-two percent of the survey's respondents said they felt their company faced an increased threat from those insider thefts as a result of the economic downturn.

In the better-understood world of customer or employee data breaches, there's evidence that those insider threats are rising. During 2008, employee-perpetrated information theft incidents accounted for more than 15% of all reported cases of personal data spills, double the proportion in 2007. And those documented employee theft cases were most prevalent in the financial services industry, where layoffs have hit especially hard. (See: "Banking's Data Security Crisis.")

One such insider espionage incident may have gone public in September, when former Intel engineer Biswamohan Pani was indicted by the Federal Bureau of Investigation for downloading files containing CAD drawings of a processor under development with the intent of giving the files to his new employer, Advanced Micro Devices.

Pani had received a "below expectations" rating in his most recent evaluation at Intel, according to an FBI affidavit--a sign that recession-fueled job pressure may have contributed to the attempted IP espionage.

Domestic espionage incidents like those, says USCCU's Borg, may not shift the balance of intellectual power worldwide, but they undermine the U.S. economy nonetheless. "Even if it's just domestic, this takes resources away from the companies that develop the information and gives it to those whose capability is willingness to steal," says Borg. "You want to reward companies that create data, not the ones that steal it."

Forbes (United States)

