CIO Magazine on IP Theft

CIO magazine, which features an impossible-to-navigate Web site but decent print version, published Hacked: The Rising Threat of Intellectual Property Theft and What You Can Do About It by Stephanie Overby. I liked these excerpts:

“There’s a ceiling on how much money can be made by stealing identities,” says Scott Borg, director and chief economist of the U.S. Cyber Consequences Unit, an independent nonprofit institute set up at the request of the federal government to examine the economic and strategic consequences of cyberattacks. “You can actually steal the business—its processes, its internal negotiating memos, its merchandising plans, all the information it uses to create value. That’s a very large payoff.”

I agree, but what's up with the USCCU Web site? I had to find an archive from February 2006 to see what this group does. Spend a little of that DHS money on a Web site, folks.

CIOs may be less aware of the threat to IP than to their systems, and therefore less prepared to protect the former. “Companies are thinking about worms and viruses, things that will not have very bad consequences and have always been wildly exaggerated,” says Borg. “Or they’re thinking about ID theft, which attracts a lot of attention, even though the number of cases is remarkably low.”

There’s a difference, too, in the systems an intruder looking for corporate secrets may target. IP thieves “won’t necessarily look at obvious financially sensitive areas,” says Borg, thereby escaping detection. “They may be looking at technical data, controls systems, automation software.” And the results of IP theft can be hard to see—a slow degradation of one’s competitive position in the market may easily be attributed to other, noncriminal factors.

Until recently, the most conclusive public evidence that sustained industrial espionage has taken place in cyberspace has come from the military. Titan Rain was “the most systematic and high-quality attack we have seen,” says Ira Winkler, author of, most recently, Zen and the Art of Information Security. Chinese hackers successfully breached hundreds of unclassified networks within the Department of Defense, its contractors and several other federal agencies. One Air Force general admitted at an IT conference last year that China had downloaded 10 to 20 terabytes of data from DoD networks. (emphasis added)

Forget about "slow degradation." In some future war over the Taiwan Straight an American jet fighter is going to dogfight a Chinese plane and lose the battle because some sensitive design or technical data was stolen. This is a constant in warfare as I mentioned in my post FISMA Dogfights.

To defend against targeted attacks, Motorola uses traditional controls such as firewalls, intrusion detection tools, antivirus software and digital forensics—but with a difference. “We’re operating our information security toolkit with a counterintelligence mind-set,” says Boni [Motorola CIO]. Like the military, Boni assumes there’s an enemy looking for an advantage and it’s his job to outwit him. “Putting those tools together with an understanding of what is or could be of greatest interest to competitors allows a more granular focus on the data,” says Boni, “not just on the network.”

Bingo. CI is exactly right.

“The thought process is no longer making sure nothing bad ever happens,” says DuBois [general manager of information security and infrastructure services security for Microsoft]. “There may be a bug in the Cisco code or someone might misconfigure a device. If [attackers] get at that chess piece we left unprotected, what will we do?”...

“If eternal vigilance is the price of freedom,” says Boni, paraphrasing Thomas Jefferson, “continuous monitoring and preparation to respond quickly is the cost associated with global digital commerce.” (emphasis added)

Again, exactly right. Prevention Eventually Fails. Detection. Response. Hopefully more CIOs will pay attention.