We are living in a new era, with unprecedented industrial-scale theft of intellectual property and company secrets. The most recent example is a vast cyber espionage campaign, dubbed Operation Cloud Hopper, made public this April. In this global campaign, a China-based group targeted IT service providers, thereby obtaining access to their clients in multiple industrial sectors and enabling them to steal proprietary data belonging to businesses in North America, Western Europe, and East Asia.
Earlier this year, the Swedish National Defence Radio Establishment, the Swedish Security Service, and the Finnish Security Intelligence Service released their annual reports. They all confirm a “new normal” in the Nordic region. Industry is under continuous attack, with state-sponsored actors stealing research and development material and other industrial secrets. According to the Swedish National Defence Radio Establishment (FRA), sophisticated cyber-attacks, with advanced code that can be attributed to states or state-sponsored groups, have increased. Tens of thousands of activities involving malicious code attributable to state actors tracked by the FRA are detected every month.
In 2015, William Evanina, who worked under the U.S. Director of National Intelligence James Clapper, told media that economic espionage through hacking is costing the U.S. economy $400 billion a year. But instead of numeric estimates, let us quote Ginni Rometty, the head of IBM: “We believe that data is the phenomenon of our time. It is the world’s new natural resource. It is the new basis of competitive advantage, and it is transforming every profession and industry. If all of this is true – even inevitable – then cyber crime, by definition, is the greatest threat to every profession, every industry, every company in the world.”
As our digital infrastructure evolves at an ever-faster pace, so do vulnerabilities and threats. Digitalization enables mass economies of scale for certain business models. Digital service providers can have millions or even billions of customers. As such, security breaches, data leaks, and disinformation can have impacts on an unprecedented scale.
The revolutionary opportunities that have presented themselves to nation states are still relatively new in a historical perspective, resulting in immature and unrestrained behavior. Certain states have developed substantial cyber capacities that they are using not only for regular intelligence gathering, but also much more aggressively. Advanced OECD economies are subject to industrial espionage on an unprecedented scale, likely constituting the greatest theft in history. The damage done is particularly insidious as it continues well into the future, by undermining competitiveness and illegally empowering competitors over the long term.
Certain states, however, do not stop at stealing intellectual property. Offensive operations, from attacks on critical infrastructure to the leaking of stolen information, are combined with information operations to undermine confidence in our societies’ institutions. The DNC hack teaches us that no state should feel immune from attack. If foreign states dare meddle in the presidential election of the world’s greatest democracy, what other countries would they not dare attack?
Although states and state-sponsored groups pose the greatest threats, the proliferation of offensive cyber capabilities will result in both organized crime and terrorist groups obtaining increasingly destructive tools.
While it is critical that we address the revolutionary security challenges posed by digitalization, we must also ensure that our response does not inhibit us from reaping the full benefits offered by the Internet of Things, additive manufacturing, autonomous robots, and other emerging technologies. Rather than excessive regulation, this requires the private sector to take the lead in adopting security standards to pragmatically minimize vulnerabilities to malware, intellectual property theft, and other threats. In many areas, there is strong commercial self-interest to ensure good security for customers.
The state’s role should be to ensure reasonable systemic resilience against the myriad known and unknown cyber threats, present and future, while maintaining a sufficient offensive cyber capacity to deter hostile actors. Yet counterproductive statist control instincts must be resisted. Only when markets do not ensure adequate security of their own accord should the state “encourage” appropriate standards, and if that fails, regulate.
Outdated state-centric responses, such as data localization requirements, are not effective. Hackers targeting data do not care about jurisdictions. Data protection rather depends on the security standards of the networks through which data travels. That being said, there are jurisdictions where governments simply cannot be trusted. Rather than “nationalizing” data flows, the more appropriate response would be to keep them global, whilst minimizing data storage in states with untrustworthy governments or inadequate security standards.
There are legitimate national security reasons for which states sometimes wish to break encrypted communications, such as in the pursuit of terrorists. But obliging businesses to include systemic weaknesses in their products risks making our digital infrastructure even more vulnerable to cyber espionage and crime. European calls to enhance states’ powers to monitor encrypted communications are not surprising, following the spate of terrorist attacks on the continent. But even if we can understand the emotion behind such calls, we must ensure that any solutions to improve our capacities to compromise terrorist communications are balanced, and do not come at the unacceptable price of weakening the security of legitimate communications, which only serves to benefit our strategic adversaries.
Protecting our leading businesses must be a priority, not only to maintain our long-term competitiveness, but also to ensure the integrity of our digital infrastructure. This requires more, not less, cooperation between the leading knowledge economies in Europe, North America, and East Asia. We all stand to benefit from a dynamic global digital market space. We cannot let spoilers destroy this potential. Reverting to an outdated and narrow nationalist perspective will only make us all poorer. Rather, the solution lies in a common front against those who seek to harm us.
Mika Susi is the chief policy adviser for corporate security at the Confederation of Finnish Industries. He has wide experience in security and risk management from both the public and private sectors. Susi is a member of several advisory bodies of security-related projects.
Nate Olson is director of the Trade in the 21st Century Program at the Stimson Center, where he works to advance policy solutions that better align the global economy’s regulatory frameworks, private sector business models, and the public interest agenda. Olson previously served as director of government relations at the Project on National Security Reform.