A new cybercrime study estimates that UK companies are losing £16,8 billion a year from the theft of corporate secrets and intellectual property. The study highlights the fact that this is the most costly form of IT-based crime, accounting for almost 60% of all cybercrime losses in the UK. And it certainly challenges conventional perceptions of where most of the damage is being done by cybercriminals
Published in February 2011, The Cost of Cybercrime by Detica and the UK Government’s Office of Cyber Security & Information Assurance estimates that cybercrime cost the country £27 billion in 2010.
It shows that losses from the theft of secrets are over four times higher than the £4 billion lost to UK cybercrimes involving identity theft, online fraud and theft of customer data.
And yet these three forms of IT crime probably receive the highest amount of publicity. We regularly hear about examples of phishing, illicit EFT payments and customer records being breached.
In contrast, it is rare to hear of commercial secrets being stolen even though it seems that this is where the top villains are focusing and where the vast majority of cybercrime losses are occurring.
What type of information is being stolen?
Although the study distinguishes between losses from industrial espionage and losses from theft of intellectual property, the net result is the same: information that companies want to keep to themselves is apparently being stolen on an astonishing scale.
The study defines industrial espionage as illegally accessing confidential information to gain competitive or strategic advantage. As examples, it cites information relating to bid-prices for contracts or tenders and details of possible M&A deals.
IP theft is considered to be more related to operational information – trade secrets – such as designs, formulae, product specifications and processes. It is a body of knowledge that underpins a company’s ability to produce products and services that compete successfully in their markets.
Who is being hit hardest?
Software and computer services top the list, losing £2,5 billion, followed by financial services at £2,3bn; pharmaceuticals and biotech at £1,8bn; electronics and electrical equipment at £1,7bn; and mining at some £1,6bn.
For South Africa, that last one is of obvious interest. A clear implication from the study is that mining companies are particularly vulnerable to the theft of corporate information as opposed to operational information. The difference perhaps being not how you dig but where you are planning to dig and who is going to be digging with you.
Mining companies based in the UK lost £1,6 billion through the theft of corporate information, apparently due to the “increasing market value of raw minerals and the high level of mergers in this sector at present.” In comparison, their loss of IP was almost non-existent. What is striking about the figures is that in the mining sector, the value of stolen corporate information is over double that lost by software and computer services companies whose major losses are coming from stolen trade secrets.
What is also surprising is the high level of spying within financial services. At £2 billion, the sector’s exposure to espionage forms some 90% of their cybercrime losses, with the balance made up of a pretty even split between IP theft and online fraud. Can this be true? Surely the widely held assumption is that IT-based fraud and identity theft represent by far the most likely source of crime related losses within the financial services sector? Apparently not.
Stolen secrets
In 2010, both Ernst & Young and Deloitte published overviews on cybercrime, emphasising that commercial secrets are increasingly the number one target for the most sophisticated cybercriminals: the theft of secrets creates the biggest cyber risks for corporates and the biggest rewards for criminals.
This unequivocal message was reinforced in a landmark cybercrime speech last October when Iain Lobban, director of GCHQ (UK Government Communications Headquarters), came out from the shadows of the UK’s intelligence services to say that: “It is true that we have seen theft of intellectual property on a massive scale, some of it not just sensitive to the commercial enterprises in question but of national security concern too.
“The growth of e-crime is disturbing. Accurate estimates for the overall costs to the economy are quite difficult to pin down but a figure well into the billions seems credible.”
He went on to say, “At a more comprehensible level, hundreds of hacking forums exist. On them, thousands of stolen UK credit card details are available for sale online for about two US dollars per set. Just one botnet is believed to have stolen credit card and online banking details from up to 12,7 million victims worldwide.”
Lobban’s comments about the value of card details are significant: Verizon reported last year that the market for stolen card details is so saturated that corporate secrets are now seen as a much more valuable commodity and therefore a more lucrative, attractive target for cybercriminals.
Paul Wood, a senior analyst at IT security group, Symantec, told the Financial Times earlier this year about the rise in carefully orchestrated and sophisticated, targeted attacks on companies over the last few years.
He said that while they are still just a fraction of overall recorded attacks on computers, they are potentially far more dangerous and that the theft of intellectual property is growing, with the defence, pharmaceuticals, automotive and software sectors being particularly prone to this kind of attack: “When we first started tracking this five or six years ago, there would be one or two of these types of attacks a week, then it was one or two a day – in 2010, there were 77 a day.”
Who are the cybercriminals?
The Detica study splits the villains into four categories, pretty much graded according to their levels of expertise, access to the necessary IT resources and the losses they can cause:
* Foreign intelligence services.
* Large organised crime networks.
* Disreputable but legitimate organisations.
* Opportunistic cyber criminals.
Foreign intelligence services are rated as being the best financed and organised of the four categories. IP is attractive since it allows a rapid accumulation of knowledge to advance foreign industries and economies at a fraction of the normal development costs. Other targets could include stealing information to ensure that their preferred bidder wins internationally competed contracts.
Large organised crime networks are increasingly focused on cybercrime because it offers attractive rewards for minimal investment and low risk. The study says: “It seems likely that less-sophisticated gangs will focus on online theft from businesses and large-scale online scams. For the more sophisticated networks, with global contacts, industrial espionage can be lucrative, for example, if they combine stolen insider information, such as M&A details, with targeted stock market deals.”
Disreputable but legitimate organisations are likely to respond to increasing global competition by stealing the opposition’s secrets: “Some large or under-pressure organisations may believe that the ends justify the means, especially if they are assisted by foreign intelligence services. Alternatively, in an attempt to distance themselves from the crime, disreputable organisations may hire a third party to undertake the cyber crime on their behalf.”
Opportunistic cyber criminals are regarded as individuals or small groups involved in identity fraud, customer-data theft, small-scale online scams, scareware, fiscal fraud and extortion. The study suggests that they do not represent much of a threat to corporate secrets.
How accurate are the figures?
The fact is, nobody knows what the loss of secrets is costing. There is no consensus on what to measure or how to measure it.
However, a common theme within discussions of stolen secrets is that organisations frequently do not even know if they are a victim. As Donald Rumsfeld put it: “There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we do not know. But there are also unknown unknowns. There are things we do not know we do not know.”
If an organisation does not know it is a victim, how can it count the cost? We are then into the realm of unknown unknowns.
Equally, it is generally acknowledged that organisations do not routinely publicise the fact that their secrets may have been stolen – that is a secret for a different set of reasons and presumably falls into the realm of unknown knowns…
But it is easy to be sidetracked into questions about how long is a piece of string – as shown by the commentators who have already scoffed at the Detica study. Professor Peter Sommer of the London School of Economics views it as an, “unfortunate item of British Aerospace puffery”, on the basis that Detica is owned by BAE Systems, is involved in intelligence analysis for the UK Government and sells data security products.
“Pretending they have got reliable figures out of this is nonsense,” Sommer told IT magazine Information Age. “It is a great pity the government has allied themselves to a grubby piece of puffery.”
Of course, this ‘vested interest’ argument could also be used to counter the assertions about cybercrime made by the likes of Deloitte, Verizon and Ernst & Young who all have a more or less commercial interest in IT security. What such arguments do not do is add any credibility to an assessment of what organisations are losing through the cyber theft of their secrets.
Given the nature of the beast, perhaps this may never be possible. The big unanswered question: who is creating the market for all these secrets?
The Detica study says that foreign states are heavily involved in the theft of corporate secrets – old fashioned cloak and dagger stuff that has matured into the cyber age.
Aside from state-sponsored theft with clear motives, we are left with a rather delicate question: who else is buying all this incredibly valuable information? If the top cyber villains are targeting corporate secrets, who are they selling them to? For example, if mining companies are so heavily targeted for their corporate info – where they are planning to dig rather than how they are going to do it, then surely the implication has to be that the buyers have an interest in mining.
One thing does seem certain: the boardrooms of some organisations must be awash with stolen secrets.
The full Detica study is available at http://www.cabinetoffice.gov.uk/resource-library/cost-of-cyber-crime .
For more information contact Supervision Biometric Systems, +27 (0)82 463 3060, www.supervision.co.za
© Technews Publishing (Pty) Ltd. | All Rights Reserved.