The Threat Intellectual Property Faces Due To Cyber Attack

By Jessica Ojala

Over the past couple of decades, the cyber domain has expanded to the forefront of the United States’ national security policy. This expansion created room for a significant number of offenses and defenses to develop in cyberspace.

While cyber-attacks usually pertain to data privacy, the threat of a cyber-attack has grown to include a threat to intellectual property. The threat to intellectual property affects individuals, companies, and countries. By defining key terms in the cyber domain, intellectual property, public policy, and examining the backgrounds in each area, one can determine that the cyber threat presented to intellectual property will only continue to be a victim of globalization.

As the victimization continues, there needs to be a multinational, comprehensive strategy formed to include better cybersecurity infrastructure. This strategy would reduce economic loss, protect innovation, strengthen international relations, and secure global supply chains.

DEFINITIONS

To understand the background information provided on the threat cyber -attacks pose to intellectual property, definitions are provided below. These definitions are split into the cyber domain, intellectual property, and international governance/public policy sections.

Cyber 

The cyber domain covers an association with the elements of cyberspace. These aspects can be tangible and intangible, but overall encompass the information technology structure, electronic information, and data processing.[i]

The tangible aspects include but are not limited to the Internet, computers, and networks. Cyberspace also has many intangibles, such as information and software, and how different cyberspace elements connect.[ii]

Including the tangibles and intangibles, the cyber realm is divided into the following five functions: identify, protect, detect, respond, and recover. Within these functions there are also five standard asset classes: devices, apps, networks, data, and users.[iii]

To prevent attacks, a section of cyber, cybersecurity, contains technologies, processes, and policies addressing this issue. Cybersecurity is the “defense of computers and servers, mobile devices, electronic systems, networks, and data from malicious attacks.”[iv]

Two infiltrations commonly used are cyber exploitations and cyberattacks. Cyber exploitation “intends to exfiltrate digitally stored information that should be kept away from unauthorized parties that should not access it,” and a cyberattack is “an action designed to cause a denial of service or damage to or destroy information stored in or transiting through an information technology system or network.”[v]

The final definition important to cyber regards access. Access paths to a target include “remote access, in which the intruder is at some distance from the adversary computer or network of interest; close access, in which the penetration of a system or network takes place through the local installation of hardware or software functionality by seemingly friendly parties near the computer or network of interest, and social access, where an intruder can gain access by taking advantage of existing trust relationships between people.”[vi]

Intellectual Property

Essential definitions of intellectual property include copyright, patents, and trademarks. Copyright “protects original works of authorship, including literary, dramatic, musical, and artistic works, such as poetry, novels, movies, songs, computer software, and architecture.” Patents are an “exclusive right granted for an invention – a product or process that provides a new way of doing something or offers a new technical solution to a problem.”

Trademarks, “a type of intellectual property consisting of a recognizable sign, design, or expression that identifies products or services of a particular source from others, although trademarks used to identify services are usually called service marks.” Other intellectual property rights are granted to designs, geographical indications.[vii]

International Governance/Public Policy

In the international environment of the Internet, “Internet governance” is not a well-defined term. A more expansive definition of Internet governance, “would include matters such as controlling spam; dealing with the use of the Internet for illegal purposes; resolving the “digital divide” between developed and developing countries; protecting intellectual property other than domain names; protecting privacy and freedom of expression, and facilitating and regulating e-commerce.”[viii]

Public policy concerns about the effects of inadequate cybersecurity and internet governance are often lumped into several categories. These categories include cybercrime, loss of privacy, activism, misappropriation of intellectual property, espionage, and denial or disruption of service.[ix]

Cybercrime relates to actions that would be regarded as criminal if they happened in person. They can broadly be characterized as the use of the Internet and IT to steal valuable assets (e.g., money) from their rightful owners.[x]

Activism is often defined as nongovernmental efforts to promote, block, or protest the social or political change. “Compromises in cybersecurity have been used in some activist efforts in cyberspace, wherein activists may compromise the cybersecurity of an installation in an attempt to make a political statement or to call attention to a cause, for example, by improperly obtaining classified documents for subsequent release or by defacing a public-facing Web site.”[xi]

Misappropriation of intellectual property includes proprietary software, R&D work, blueprints, trade secrets, and other product information being taken away from the rightful owner. Alternatively, espionage refers to “one nation’s attempts to gather intelligence on other countries, where intelligence information includes information related to national security and foreign affairs.”[xii]

Another public policy concern is the destruction or damage to physical property, which falls into three categories. These categories include individual cyber-physical systems, critical infrastructure, and public confidence.

Individual cyber-physical systems include “automobiles, airliners, and medical devices”, whereas critical infrastructure includes “multiple facilities for electric power generation and transmission, telecommunications, banking and finance, transportation, oil and gas production and storage, and water supply; and public confidence.”[xiii]

Finally, transparency and confidence-building measures (TCBMs) have promoted stability and mutual understanding when kinetic weapons are involved. “Some possible TCBMs in cyberspace include (but are not limited to): incident notification, joint exercises, a publication of declaratory policies or doctrine about how a nation intends to use cyber capabilities, notification of relevant countries regarding certain activities that might be viewed as hostile or escalatory, direct communication with counterparts during times of tension or crisis, cooperation on matters related to securing cyberspace, and imposing on nation-states an obligation to assist in the investigation and mitigation of cyber intrusions emanating from their territories.”[xiv]

BACKGROUND

Cyber

Cybersecurity and the industry, innovation, and issues it generates are profoundly transformative and intensely critical at every level and many social, corporate, and government functions. Cybersecurity legal issues cover a vast range: cyber warfare; national security; critical infrastructure defense; Internet access and freedom; data privacy and security; trusted software development and deployment; law firms’ protection of patent application, bank, and other confidential information; “hacking back” and other active cyber defense measures; information sharing by cyberattacked organizations; and more.[xv]

The Threat

Globalization is changing the rate at which information flows, especially through the cyber domain. Touching almost every aspect of the economy and almost every person in some shape or form from government agencies, financial institutions, businesses, and professional organizations, the Internet is acting as an information superhighway.[xvi]

About a decade ago, national security threats in the United States began including intellectual property. The threat broadly includes hacking, trade secret theft, and file sharing. In each case, “the United States’ national security is claimed to be at risk, not just its economic competitiveness.”[xvii]

Why it Happens

Compared to previous decades, “computing and communications technologies are found and will be more likely to be found in places where they are practically invisible to everyday view: in cars, wallets, clothing, refrigerators, keys, cabinets, watches, doorbells, medicine bottles, walls, paint, structural beams, roads, dishwashers, identification cards, telephones, and medical devices (including some embedded in human beings).”[xviii]

Issues arise in the cyber domain because of three factors taken together. “First, we live in a world in which some parties will act in deliberately hostile or antisocial ways—parties that would do us harm or separate us from our money or violate our privacy or steal our ideas; second, we rely on IT for a large and growing number of societal functions; third, IT systems, no matter how well constructed, inevitably have vulnerabilities that the bad guys can take advantage of.”[xix]

Two other factors compound the inherent vulnerabilities of information technology. “First, the costs of an adversarial cyber operation are usually small compared to defending against it. Second, modern information technology systems are complex entities who’s proper (secure) process requires many actors to behave correctly and appropriately and continue to do so in the future.”[xx]

“Examples of vulnerability include an accidentally introduced design or implementation flaw (common), an intentionally submitted design or implementation flaw (less common), or a configuration error in the target such as a default setting that leaves system protections turned off.”[xxi]

Economic Impact

Attempting to analyze the cost of cyberattacks globally is a complicated matter, partially due to the lack of data and common definitions mentioned earlier. “The actual economic impact of cyberattacks is unknown, but contested estimates range from $400 billion to more than $2 trillion (a figure larger than estimates for the global illegal drugs market).”[xxii]

“Despite the attention paid to the dangers of economic espionage and trade secrets theft, many nations pay little if any attention to this aspect of the multifaceted cyber threat in their national cybersecurity strategies. However, eleven countries (32%) did discuss the importance of intellectual property protection more generally, while four nations (12%) referenced patents.”[xxiii]

“As for the causes of intellectual property theft, sixteen nations (47%) referenced the threat that espionage poses to their national economies (compared to 68% that discuss cybercrime, perhaps owing to the sometimes-opaquer nature of espionage). Only four nations (12%) explicitly used the phrase ‘economic espionage’.”[xxiv]

Public Policy debates have intertwined economics and cybersecurity, as they are both affected when cyber exploitations happen, as well as the “the effects of economics on the vendor and end-user investments in the scope and nature of vendor and end-user investments cybersecurity.”[xxv]

Public Policy

Cybersecurity is only one of several significant public policy issues—and measures are taken to improve cybersecurity potentially have adverse effects in these other areas. Some of the most critical conflicts arise concerning:

“Economics. The costs of action to improve cybersecurity beyond an individual organization’s immediate needs are high and not necessary.

Innovation. The private sector is continuously trying to bring forward new applications and technologies that improve old ways of performing certain functions and offer useful new functions. But attention to security can slow bringing new products and services to market.

Civil liberties. Some measures proposed to improve cybersecurity for the nation potentially infringe on civil rights, such as privacy, anonymity, due process, freedom of association, free speech, and due process.

International relations and national security. Because of the worldwide Internet and a global supply chain in which essential elements of information technology are created, manufactured, and sold worldwide, cyberspace does not have physical national borders.”[xxvi]

As for the globalized supply chain, “users of the components provide some strategies, sometimes in concert with each other: using trusted suppliers, diversifying suppliers, reducing the time between choosing a supplier and taking possession of the components provided, and testing components.”[xxvii]

Current Framework

There are three needs that determine national cybersecurity strategies. “First, cybersecurity requires flexible adaptations beyond traditional security theory transposed to cyberspace; second, a cybersecurity strategy is a political act; it creates expectations and raises awareness among businesses and civil society; third, trust and “fair” governance must be strengthened such as by promoting impartiality, reflexivity, and proximity; cybersecurity may be seen as a factor impairing the openness of the Internet if incentives are not aligned.”[xxviii]

“President Obama issued an executive order that, expanded public-private information sharing and established a framework comprised partly of private-sector best practices that companies could adopt to better secure critical infrastructure. The strategy recognizes cyberspace as an essential domain for the German state, economy, and society, and emphasizes the protection of critical infrastructure as a core cybersecurity policy priority.”[xxix]

ANALYSIS

Over the past couple of decades, as the world has become more fluid and as technology has advanced, the cyber domain has become increasingly prevalent. This growth has prompted more attacks, and a larger threat has emerged to intellectual property.

Economically, as the costs to improve cybersecurity continues to be high and not always necessary, the holders of intellectual property are going to continue to be at risk. Although the cost of cyber-attacks can be roughly calculated at the international and country levels, it cannot be calculated for every individual.

In addition the cost of an idea or process cannot be calculated. Resulting in the price of the intellectual property lost due to these attacks unfathomable and ultimately, priceless.

To reduce the potential economic loss, countries need to form a multinational, comprehensive strategy encompassing the need for better cybersecurity infrastructures. Better infrastructure would not only have the potential to reduce the number of successful attacks, but also reduce economic loss.

In terms of innovation, intellectual property will continue to be at risk as well. As private companies continue to bring forward new applications and technologies, the copyrights, trademarks, patents, and designs will be at risk without proper cybersecurity functions.

In addition if someone has not had the opportunity to obtain the intellectual property protections, a cyberattack could steal these ideas without any compensation to the victim. This only furthers the need for innovators to have standardized defenses.

The need for a better cybersecurity infrastructure not only includes countries, but also companies and individuals. If companies and individuals are able to innovate freely, without worrying about their ideas being stolen, there is a possibility that the arena of innovation will only grow larger.

International relations and national security are at risk due to the cyber domain’s growing importance. Because elements of information technology are created, manufactured, and sold worldwide, cyberspace does not have physical national borders, resulting in a coalition of countries needing to agree on a set standard of cybersecurity measures and intellectual property protections.

With countries coming together to fight a common issue, one which they could all benefit from solving, current partnerships would strengthen. While some countries, companies, and individuals currently benefit from stealing this information, the act of working together to reduce stolen property would be beneficial politically, economically, and socially.

Finally, the global supply chain encompasses countries all over the world, with many pieces involving the cyber domain. The need for standardized cybersecurity infrastructure and intellectual property protection practices would potentially increase the efficiency of the global supply chain. The proposed strategy outlined below would have the potential to protect the supply chains across the world, not just in one country or the another.

Robert Smallwood, IT security consultant and author of Safeguarding Critical E- c documents, recommends six steps for protecting IP. These include: “identifying confidential e-documents, determining where they are created, who needs access to them, and when, developing information governance (IG) policies to manage and control access to sensitive documents, enforcing IG policies with electronic document security (EDS) technologies, which may include information rights management, data loss prevention, digital signature technology document analytics, or encryption, testing and auditing the IG program, and refining policies and continue to evaluate deploying new cybersecurity and EDS technologies.” [xxx]

Overall, the current cyber threats and cybersecurity infrastructure pose a large threat to intellectual property. Without a multinational, unified strategy, every country and individual is at risk for having intellectual property stolen. Based on this information, a proposed eight-piece cybersecurity and intellectual property strategy is outlined below.

PROPOSED STRATEGY

First, the United States should use current relationships and partnerships to create a baseline cybersecurity infrastructure. This infrastructure could include similar verbiage in strategies, minimum requirements for technologies and could evolve into joint practices and exercises.

Creating a baseline infrastructure with existing partners, resulting in countries and companies feeling more secure, could reduce the economic loss, increase innovation, strengthen international relationships, and better protect the global supply chains. However, for a baseline infrastructure to work, all countries need to agree and have the resources and technologies to implement the infrastructures. If this condition cannot be met, those countries will be at risk of being exploited.

Second, more governing authority would need to be granted to the World Intellectual Property Organization to enforce standards. Intellectual Property protections are granted and monitored within each country. While countries should have their governing bodies and act with their best judgment, there needs to be a unified standard policy and process within the global community to enforce these standards and deal with violations.

Third, more narrow scope on limitations and exceptions should be provided. Limitations and expectations for intellectual property protections are enforced and judged within each country’s judicial and legislative branches.[xxxi] This allows each government to act under a broad definition.

A more narrow scope regarding limitations and expectations is essential to reduce intellectual property violations while also allowing countries to act within their governing bodies. This would include definitions in the limitations and expectations.

Forth, the forum for discussing intellectual property discussions needs to include multinational corporations in the decision-making process. As globalization continues and multinational corporations continue to operate worldwide, they need to be included in making decisions for two reasons.

The first reason is that multinational corporations have an enormous impact on the global economy. Without considering all pieces affected by the economic loss of intellectual property, the solutions would likely fail to work.

The second reason is that they are affected by the different standards in different countries. By including these corporations into the decision-making process, it is possible that countries could standardize practices, ultimately making the global supply chain more efficient.

Fifth, intellectual property protection policies or statements should be included in all of the United Nations Specialized Agencies. While the World Intellectual Property Organization exists, policies and statements need to be included in all specialized agencies to provide continuity and consistency.

Creating these statements and policies reinforces the seriousness of the issue while actively trying to reduce the potential loss. Another possible effect of this step is growing innovation because people and organizations would know the specialized agencies are committed to protecting their ideas.

Sixth, standardize cyber practices in terms of intellectual property. Like the standardized infrastructure, countries would need to work with existing partners to standardize their cyber practices.

Offensively, this would include not conducting cyber-attacks to steal intellectual property. While getting all parties involved to agree to this would be difficult, countries agreeing to this practice would potentially reduce economic loss.

Defensively, the agreement could include similar strategies, operations, tactics, and joint exercises. While potentially reducing economic loss, standard defense practices and activities could positively impact existing and new international relationships.

Seventh, increase country and company training on proper cyber practices. This step differs from the previous step for three reasons.

First, the seventh step includes company training. Second, it focuses on the problem on a national scale, and third, it can bring the problem down to the individual. By educating and practicing proper cyber techniques and practice at the individual level, the general public will be less at risk of having intellectual property stolen.

The eighth and final piece to the strategy is to create an international environment that fosters international collaboration and innovation. This piece is essential to incorporate the rest of the strategy and be implemented on the individual, national, and international levels.

While this eight-point strategy could be significant in theory, there are things the plan does not take into account as well. The main barrier to implementing this strategy is all countries would need to be in consensus for the method to work

In the rare instance that all countries agree, the strategy operates on an international and national level. Ultimately not taking into account individuals conducting cyber-attacks.

CONCLUSION

Overall, the risk of losing intellectual property to a cyberattack is growing and will continue to grow as the cyber domain becomes more prevalent. To combat the growing threat, the United States and the countries worldwide need to form standard cybersecurity policies and intellectual property protections.

This strategy would include common definition, standards, policies, and practices, unifying countries to combat a shared problem. While the strategy does not account for individual actors, the overall impact of the strategy has the potential to reduce the current economic loss due to cyberattacks, increase innovation through intellectual property protections, strengthen international relations through a common goal, and protect and increase efficiency in global supply chains.

 

Citations

[i] Jessica C Ojala, Uniting the Cyber Domain Stakeholders Small Wars Journal (2020), https://smallwarsjournal.com/index.php/jrnl/art/uniting-cyber-domain-stakeholders (last visited Jan 23, 2021).

 

[ii] David Clark, Thomas Berson & Herbert S Lin, At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues National Center for Biotechnology Information (2016), https://pubmed.ncbi.nlm.nih.gov/25057698/ (last visited Jan 23, 2021).

 

[iii] Ojala, Uniting the Cyber Domain Stakeholders Small Wars Journal (2020).

 

[iv] Clark, At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues National Center for Biotechnology Information (2016).

 

[v] Ibid.

 

[vi] Ibid.

 

[vii]  Catherine Seville, Intellectual Property, 60 The International and Comparative Law Quarterly 1039–1055 (2011), https://www.jstor.org/stable/41350125?Search=yes&resultItemClick=true&searchText=intellectual+property&searchUri=%2Faction%2FdoBasicSearch%3FQuery%3Dintellectual%2Bproperty%26acc%3Don%26wc%3Don%26fc%3Doff%26group%3Dnone&ab_segments=0%2Fbasic_search_solr_cloud%2Fcontrol&refreqid=fastly-default%3A9d5e394c52e9a58f8ad6cef8d3976f8a&seq=1 (last visited Jan 23, 2021).

 

[viii] Clark, At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues National Center for Biotechnology Information (2016).

 

[ix] Ibid.

 

[x] Ibid.

 

[xi] Ibid.

 

[xii] Ibid.

 

[xiii] Ibid.

 

[xiv] Ibid.

 

[xv]  Emile Loza De Siles, Cybersecurity and Cybercrime: Intellectual Property and Innovation, 8 SSRN Electronic Journal(2015), https://www.researchgate.net/publication/313479091_Cybersecurity_and_Cybercrime_Intellectual_Property_and_Innovation (last visited Jan 23, 2021).

 

[xvi]  Alan D. Smith & William T. Rupp, Issues in cybersecurity; understanding the potential risks associated with hackers/crackers Information Management & Computer Security (2002), https://www.emerald.com/insight/content/doi/10.1108/09685220210436976/full/html (last visited Jan 23, 2021).

 

[xvii]  Debora Halbert, Intellectual property theft and national security: Agendas and assumptions Taylor & Francis Online (2016), https://www.tandfonline.com/doi/abs/10.1080/01972243.2016.1177762?casa_token=1uoZT0nddzUAAAAA%3ACp3rN52pO97qBWZq9u_eQUfESra6DV9Wvp6tmgKI-r03QghOpTNiaA4WAQdSRy13Bflkhf-CfA (last visited Jan 23, 2021).

 

[xviii] Clark, At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues National Center for Biotechnology Information (2016).

 

[xix] Ibid.

 

[xx] Ibid.

 

[xxi] Ibid.

 

[xxii]  Scott J Shackelford, Protecting Intellectual Property and Privacy in the Digital Age: The Use of National Cybersecurity Strategies to Mitigate Cyber Risk, 19 Chapman Law Review (2016), https://digitalcommons.chapman.edu/cgi/viewcontent.cgi?article=1376&context=chapman-law-review (last visited Jan 23, 2021).

 

[xxiii] Ibid.

 

[xxiv] Ibid.

 

[xxv] Clark, At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues National Center for Biotechnology Information (2016).

 

[xxvi] Ibid.

 

[xxvii] Ibid.

 

[xxviii] Shackelford, Protecting Intellectual Property and Privacy in the Digital Age: The Use of National Cybersecurity Strategies to Mitigate Cyber Risk, 19 Chapman Law Review (2016).

 

[xxix] Ibid.

 

[xxx]  Cybersecurity: Keeping IP Under Lock and Key, The Institute of Internal Auditors: Tone at the Top (2014), https://global.theiia.org/knowledge/Public%20Documents/TAT_February_2014.pdf (last visited Jan 23, 2021).

 

[xxxi] WIPO Intellectual Property Handbook, World Intellectual Property Organization, https://www.wipo.int/edocs/pubdocs/en/intproperty/489/wipo_pub_489.pdf (last visited Jan 23, 2021).