by Christina Ayiotis
Only recently has economic security played such an important role in national security. In a knowledge-based, inter-connected, global economy where technology enables productivity without geographical boundaries, information assets and formal intellectual property (IP) take on incredible importance. While the threat of cyber terrorism drives much fear, uncertainty, and doubt, “the largest threat is cyber espionage,” which, along with cybercrime, has incurred costs of approximately half a trillion dollars, or about one percent of global income.
Whether a robot company protecting 500 worldwide patents or a chemical company protecting trade “secrets for cleanly manufacturing the ubiquitous white pigment found in paper and plastics,” a company’s data are its lifeblood. Traditionally, “cyber espionage” has been defined as “[t]he use of computer networks to gain illicit access to confidential information, typically that held by a government or other organization.” Yet in order to protect essential data today, we have to focus on the entire ecosystem, especially the human component.
The multi-billion dollar cyber security industry has focused primarily on technology tools that arguably implement policy. Yet, we must not underestimate the value of the people and process part of the equation. It is usually through human error/animus or through holes in the process that the adversary acquires illicit network access—regardless of whether they intend to steal, disrupt, degrade, or destroy.
In the recent case of Su Bin, charged with hacking into Boeing’s systems and stealing information about U.S. military aircraft and weapons, the FBI agent working the case intimated that access might have been gained through a malicious piece of code sent in an email. Thus, while an organization can build strong defenses technologically, a successful cyber infiltration still almost always requires human activity. While some breaches happen because an employee inadvertently clicks on a link leading to malware, the insider threat by those intending to do harm has also grown precipitously. As Adam Cohen and Ken Zatyko emphasize, “[r]esponding to these threats and attacks requires close coordination among legal, IT and cyber security experts.”
End-to-end information management, coupled with identity and access management, is strategy corporations can use to mitigate some of their information risk and protect IP. Employees should be given access to only what they need to perform their jobs, and information should be secured—whenever feasible—at the data level. Bring-your-own-device, or BYOD policy, complicates the information governance formula, but must be addressed as companies give their employees added flexibility to perform their jobs.
While corporations are beginning to do a better job of collaborating internally to ensure their IP and other information assets and systems are protected, they also now understand that collaboration must also extend beyond the enterprise. Proactive engagement with government and other relevant third parties is essential to a coordinated response against the adversary, whether it be a nation state, cyber criminal, or competitor.
Leaders in government have been clear for some time now that “cyber is the ultimate team sport,” and have made strong efforts to work with the private sector. Several regional and global cyber crime institutions have been established to enable innovation and just plain better sharing. The U.S. government has aggressively pursued Chinese cybercriminals, but thebacklash against U.S. companies continues to reverberate. The National Security Agency’s own activities, brought to light by unauthorized disclosures, have negatively impacted industry. As a result, some work needs to be done in order to reestablish the trust needed for effective collaboration against the actual adversaries.
At this year’s Black Hat hacker convention, In-Q-Tel Chief Information Security Officer Dan Geer—albeit in his individual capacity—acknowledged the prominence of cyber security on the national stage, as well as how ubiquitous its impact can be felt in daily life. Adopting paradigms from public health, such as mandatory reporting, or aviation (near misses), are just a few examples of the types of creative thinking we need to engage in moving forward to mitigate cyber espionage and cyber crime risks. Let’s just hope we can all work together to achieve what is in the long-term best interest of the United States.
About the Author
Christina Ayiotis is a cybersecurity attorney, thought leader, connector, and collaborator. In 2012, she founded and now co-chairs Georgetown’s Cybersecurity Law Institute. Her speaking engagements and leadership in the field include co-chairing the Inaugural Sedona Conference on Cyber Liability (2013), as well as creating and moderating legal panels the last two years at AFCEA International’s Annual Cyber Symposia. Since January 2008, she has taught Information Policy at the Masters level for the Department of Computer Science at The George Washington University. From 2008 to 2011, she served as Deputy General Counsel—Information Governance at CSC (then a $16B global technology and IT services company in 80 countries).